
Analysis

  • max time kernel
    142s
  • max time network
    155s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags
    arch:x64 arch:x86 image:win10v2004-20231215-en locale:en-us os:windows10-2004-x64 system
  • submitted
    28/01/2024, 12:41

General

  • Target

    Kavipsz.exe

  • Size

    10KB

  • MD5

    c2962aaa2e45754c27cfd561af655a64

  • SHA1

    738bd61ccaad6cdba0e0c73241c57e936096fdc1

  • SHA256

    29d974ba2b643abaea7868127dcd6cfd068242dda52dd816432448c862649908

  • SHA512

    e939b3115bc87c504b15473b1ff667d28b6eed376ad5511dca3ffe27a94b41b750a5b12b06f5df3e437b63bed539c0befcfc28963afb17985601dfe337d42e03

  • SSDEEP

    192:xd5UZeTU9CIji4dcgh8V2PnHujraKj9Q:xdyZeUXj35SV2vHuraKj9

Malware Config

Extracted

Family

warzonerat

C2

bossnew.ddns.net:1001

Signatures

  • Detect ZGRat V1 34 IoCs
  • WarzoneRat, AveMaria

    WarzoneRat is a native RAT written in C++ with multiple plugins, sold as malware-as-a-service (MaaS).

  • ZGRat

    ZGRat is a remote access trojan written in C#.

  • Warzone RAT payload 4 IoCs
  • Drops startup file 2 IoCs
  • Executes dropped EXE 2 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Suspicious use of SetThreadContext 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 25 IoCs
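
The behaviours and indicators above translate directly into host telemetry matches. The following Python matcher is an added example, not part of the tria.ge report: it takes only what the report states (the sample hashes, the C2 host and port, the Startup-folder .vbs path, execution from C:\ProgramData and the Run-key write) and runs them over a handful of constructed Sysmon-style events. The event layout and field names (EventID 1/3/11/13/22, Image, Hashes, TargetFilename, TargetObject, QueryName, DestinationHostname) are assumptions modelled on Sysmon, and the Run value name in the sample event is invented because the report does not show it. The path patterns are generalised on purpose (any .vbs in a Startup folder, any .exe launched from C:\ProgramData, any CurrentVersion\Run value) so the same rules fire on the next build of the loader.

```python
"""Match indicators from this tria.ge report against constructed Sysmon-style events.

Added example, not part of the original report. The event dictionaries and their
field names are assumptions modelled on Sysmon event IDs 1 (process create),
3 (network connect), 11 (file create), 13 (registry value set) and 22 (DNS query).
"""
import re

# Indicators stated in the report.
C2_HOST = "bossnew.ddns.net"
C2_PORT = 1001
SAMPLE_HASHES = {
    "md5": "c2962aaa2e45754c27cfd561af655a64",
    "sha1": "738bd61ccaad6cdba0e0c73241c57e936096fdc1",
    "sha256": "29d974ba2b643abaea7868127dcd6cfd068242dda52dd816432448c862649908",
}
STARTUP_VBS = r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Bqkmarzra.vbs"

# Generalised patterns: any .vbs in a user's Startup folder, any .exe run straight
# from C:\ProgramData, any value written under a CurrentVersion\Run key.
STARTUP_VBS_RE = re.compile(r"\\Start Menu\\Programs\\Startup\\[^\\]+\.vbs$", re.I)
PROGRAMDATA_EXE_RE = re.compile(r"^C:\\ProgramData\\[^\\]+\.exe$", re.I)
RUN_KEY_RE = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\", re.I)


def match_event(ev):
    """Return the names of the indicators a single event matches ([] if none)."""
    hits = []
    eid = ev.get("EventID")
    if eid == 1:  # process create
        if PROGRAMDATA_EXE_RE.match(ev.get("Image", "")):
            hits.append("exe_executed_from_ProgramData")
        hashes = {k.lower(): v.lower() for k, v in ev.get("Hashes", {}).items()}
        for algo, value in SAMPLE_HASHES.items():
            if hashes.get(algo) == value:
                hits.append(f"known_sample_{algo}")
    elif eid == 3:  # network connect; the port alone (1001) is too weak to alert on
        if ev.get("DestinationHostname", "").lower() == C2_HOST:
            hits.append("connection_to_C2")
    elif eid == 11:  # file create
        if STARTUP_VBS_RE.search(ev.get("TargetFilename", "")):
            hits.append("vbs_dropped_in_Startup_folder")
    elif eid == 13:  # registry value set
        if RUN_KEY_RE.search(ev.get("TargetObject", "")):
            hits.append("Run_key_value_written")
    elif eid == 22:  # DNS query
        if ev.get("QueryName", "").lower() == C2_HOST:
            hits.append("dns_query_for_C2")
    return hits


def scan(events):
    """Map event index -> matched indicators, keeping only the events that matched."""
    result = {}
    for i, ev in enumerate(events):
        hits = match_event(ev)
        if hits:
            result[i] = hits
    return result


# Constructed sample events (not captured telemetry). Paths and hashes come from the
# report; the Run value name "Bqkmarzra" is invented for the example.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Users\Admin\AppData\Local\Temp\Kavipsz.exe",
     "Hashes": {"MD5": "C2962AAA2E45754C27CFD561AF655A64"}},
    {"EventID": 11, "TargetFilename": STARTUP_VBS},
    {"EventID": 1, "Image": r"C:\ProgramData\bab.exe",
     "Hashes": {"SHA256": SAMPLE_HASHES["sha256"]}},
    {"EventID": 13,
     "TargetObject": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Bqkmarzra"},
    {"EventID": 22, "QueryName": "bossnew.ddns.net"},
    {"EventID": 3, "DestinationHostname": "bossnew.ddns.net", "DestinationPort": C2_PORT},
    {"EventID": 1, "Image": r"C:\Windows\System32\notepad.exe", "Hashes": {"MD5": "0" * 32}},
]

if __name__ == "__main__":
    for i, hits in scan(SAMPLE_EVENTS).items():
        print(f"event {i} (ID {SAMPLE_EVENTS[i]['EventID']}): {', '.join(hits)}")
```

The hash matches are exact-sample indicators and will age quickly; the three behavioural patterns (Startup .vbs, ProgramData execution, Run value) are what is worth keeping in a ruleset, with an allow-list for legitimate software that installs from C:\ProgramData.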

Processes

  • C:\Users\Admin\AppData\Local\Temp\Kavipsz.exe
    "C:\Users\Admin\AppData\Local\Temp\Kavipsz.exe"
    1⤵
    • Drops startup file
    • Suspicious use of SetThreadContext
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2868
    • C:\Users\Admin\AppData\Local\Temp\Kavipsz.exe
      C:\Users\Admin\AppData\Local\Temp\Kavipsz.exe
      2⤵
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:3880
      • C:\ProgramData\bab.exe
        "C:\ProgramData\bab.exe"
        3⤵
        • Drops startup file
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:4212
        • C:\ProgramData\bab.exe
          C:\ProgramData\bab.exe
          4⤵
          • Executes dropped EXE
          PID:4504
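
The tree above shows the same shape twice: a process that uses SetThreadContext and WriteProcessMemory spawns a child with its own image path, and that child is the one carrying the next behaviour (the Run key from PID 3880, the drop and launch of bab.exe from PID 4212). Read together with the "Warzone RAT payload" signature, that is a loader hollowing a fresh copy of itself and handing the real payload to the child. The following Python script is an added example, not part of the report: it parses this process listing, rebuilding parent/child links from the "N⤵" depth markers rather than the indentation, and flags that self-hollowing pattern so the same check can be run over any tria.ge process listing copied out of a report.

```python
"""Rebuild the parent/child tree from a tria.ge process listing and flag the
self-hollowing pattern it shows.

Added example, not part of the original report. PROCESS_TREE is the listing
above, copied verbatim; the "N⤵" marker is used as the nesting level.
"""
import re
from dataclasses import dataclass, field

PROCESS_TREE = r"""
  • C:\Users\Admin\AppData\Local\Temp\Kavipsz.exe
    "C:\Users\Admin\AppData\Local\Temp\Kavipsz.exe"
    1⤵
    • Drops startup file
    • Suspicious use of SetThreadContext
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2868
    • C:\Users\Admin\AppData\Local\Temp\Kavipsz.exe
      C:\Users\Admin\AppData\Local\Temp\Kavipsz.exe
      2⤵
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:3880
      • C:\ProgramData\bab.exe
        "C:\ProgramData\bab.exe"
        3⤵
        • Drops startup file
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:4212
        • C:\ProgramData\bab.exe
          C:\ProgramData\bab.exe
          4⤵
          • Executes dropped EXE
          PID:4504
"""


@dataclass
class Proc:
    image: str
    cmdline: str = ""
    depth: int = 0
    pid: int = 0
    behaviours: list = field(default_factory=list)
    parent: "Proc | None" = None
    children: list = field(default_factory=list)


IMAGE_RE = re.compile(r"^•\s+([A-Za-z]:\\.+\.exe)$", re.I)  # "• <drive>:\...\x.exe" opens a process
DEPTH_RE = re.compile(r"^(\d+)⤵$")                         # nesting level
PID_RE = re.compile(r"^PID:(\d+)$")


def parse_tree(text):
    """Return the processes in listing order, with parent/children links filled in."""
    procs, by_depth, cur, expect_cmd = [], {}, None, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if expect_cmd:  # the line after the image line is the command line
            cur.cmdline = line.strip('"')
            expect_cmd = False
            continue
        m = IMAGE_RE.match(line)
        if m:
            cur = Proc(image=m.group(1))
            procs.append(cur)
            expect_cmd = True
            continue
        m = DEPTH_RE.match(line)
        if m:
            cur.depth = int(m.group(1))
            by_depth[cur.depth] = cur
            parent = by_depth.get(cur.depth - 1)
            if parent is not None:
                cur.parent = parent
                parent.children.append(cur)
            continue
        m = PID_RE.match(line)
        if m:
            cur.pid = int(m.group(1))
            continue
        if line.startswith("•"):  # any other bullet is a behaviour tag
            cur.behaviours.append(line.lstrip("• ").strip())
    return procs


HOLLOW_MARKERS = {"Suspicious use of SetThreadContext", "Suspicious use of WriteProcessMemory"}


def find_self_hollowing(procs):
    """(parent pid, child pid, image) where a process that wrote into another process and
    reset a thread context spawned a child with its own image path."""
    return [(p.pid, c.pid, p.image) for p in procs if HOLLOW_MARKERS <= set(p.behaviours)
            for c in p.children if c.image.lower() == p.image.lower()]


def dropped_exe_pids(procs):
    """PIDs running an executable the sample itself wrote to disk."""
    return [p.pid for p in procs if "Executes dropped EXE" in p.behaviours]


def ancestry(proc):
    """PIDs from the root of the tree down to proc."""
    chain = []
    while proc is not None:
        chain.append(proc.pid)
        proc = proc.parent
    return chain[::-1]


if __name__ == "__main__":
    procs = parse_tree(PROCESS_TREE)
    for parent_pid, child_pid, image in find_self_hollowing(procs):
        print(f"self-hollowing: {parent_pid} -> {child_pid} ({image})")
    print("dropped EXE pids:", dropped_exe_pids(procs))
    print("deepest chain:", ancestry(procs[-1]))
```

The sandbox cannot see which PE was written into the child, which is why the memory dumps listed further down matter: the child copies (3880 and 4504) hold a 1.3MB region that a 10KB file could not account for.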

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\ProgramData\bab.exe

    Filesize

    10KB

    MD5

    c2962aaa2e45754c27cfd561af655a64

    SHA1

    738bd61ccaad6cdba0e0c73241c57e936096fdc1

    SHA256

    29d974ba2b643abaea7868127dcd6cfd068242dda52dd816432448c862649908

    SHA512

    e939b3115bc87c504b15473b1ff667d28b6eed376ad5511dca3ffe27a94b41b750a5b12b06f5df3e437b63bed539c0befcfc28963afb17985601dfe337d42e03

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Bqkmarzra.vbs

    Filesize

    84B

    MD5

    b5b2159f4db9cb17c5d801aa106174e1

    SHA1

    8b01d233e6539b548aeb2122399eea41f3b4d1a9

    SHA256

    540af60ccce7a285c71fecd5c09597a1604abe734731488e00498188a2ab5361

    SHA512

    84346d164bd46fb9efda40cca63c1a31d4799e0ef5ee42e094833eeb3a71596309dfc3585b7626fe7e68cddaa94937b1cfa8ae89ff9858bbbf0cd067b7c9e09d

  • memory/2868-0-0x0000000000590000-0x0000000000598000-memory.dmp

    Filesize

    32KB

  • memory/2868-1-0x0000000074800000-0x0000000074FB0000-memory.dmp

    Filesize

    7.7MB

  • memory/2868-2-0x0000000004FB0000-0x0000000004FC0000-memory.dmp

    Filesize

    64KB

  • memory/2868-3-0x0000000005A00000-0x0000000005AA6000-memory.dmp

    Filesize

    664KB

  • memory/2868-4-0x0000000005A00000-0x0000000005A9F000-memory.dmp

    Filesize

    636KB

  • memory/2868-5-0x0000000005A00000-0x0000000005A9F000-memory.dmp

    Filesize

    636KB

  • memory/2868-7-0x0000000005A00000-0x0000000005A9F000-memory.dmp

    Filesize

    636KB

  • memory/2868-9-0x0000000005A00000-0x0000000005A9F000-memory.dmp

    Filesize

    636KB

  • memory/2868-11-0x0000000005A00000-0x0000000005A9F000-memory.dmp

    Filesize

    636KB

  • memory/2868-13-0x0000000005A00000-0x0000000005A9F000-memory.dmp

    Filesize

    636KB

  • memory/2868-15-0x0000000005A00000-0x0000000005A9F000-memory.dmp

    Filesize

    636KB

  • memory/2868-17-0x0000000005A00000-0x0000000005A9F000-memory.dmp

    Filesize

    636KB

  • memory/2868-19-0x0000000005A00000-0x0000000005A9F000-memory.dmp

    Filesize

    636KB

  • memory/2868-21-0x0000000005A00000-0x0000000005A9F000-memory.dmp

    Filesize

    636KB

  • memory/2868-23-0x0000000005A00000-0x0000000005A9F000-memory.dmp

    Filesize

    636KB

  • memory/2868-25-0x0000000005A00000-0x0000000005A9F000-memory.dmp

    Filesize

    636KB

  • memory/2868-29-0x0000000005A00000-0x0000000005A9F000-memory.dmp

    Filesize

    636KB

  • memory/2868-27-0x0000000005A00000-0x0000000005A9F000-memory.dmp

    Filesize

    636KB

  • memory/2868-31-0x0000000005A00000-0x0000000005A9F000-memory.dmp

    Filesize

    636KB

  • memory/2868-33-0x0000000005A00000-0x0000000005A9F000-memory.dmp

    Filesize

    636KB

  • memory/2868-35-0x0000000005A00000-0x0000000005A9F000-memory.dmp

    Filesize

    636KB

  • memory/2868-37-0x0000000005A00000-0x0000000005A9F000-memory.dmp

    Filesize

    636KB

  • memory/2868-39-0x0000000005A00000-0x0000000005A9F000-memory.dmp

    Filesize

    636KB

  • memory/2868-43-0x0000000005A00000-0x0000000005A9F000-memory.dmp

    Filesize

    636KB

  • memory/2868-45-0x0000000005A00000-0x0000000005A9F000-memory.dmp

    Filesize

    636KB

  • memory/2868-41-0x0000000005A00000-0x0000000005A9F000-memory.dmp

    Filesize

    636KB

  • memory/2868-49-0x0000000005A00000-0x0000000005A9F000-memory.dmp

    Filesize

    636KB

  • memory/2868-47-0x0000000005A00000-0x0000000005A9F000-memory.dmp

    Filesize

    636KB

  • memory/2868-51-0x0000000005A00000-0x0000000005A9F000-memory.dmp

    Filesize

    636KB

  • memory/2868-59-0x0000000005A00000-0x0000000005A9F000-memory.dmp

    Filesize

    636KB

  • memory/2868-67-0x0000000005A00000-0x0000000005A9F000-memory.dmp

    Filesize

    636KB

  • memory/2868-65-0x0000000005A00000-0x0000000005A9F000-memory.dmp

    Filesize

    636KB

  • memory/2868-63-0x0000000005A00000-0x0000000005A9F000-memory.dmp

    Filesize

    636KB

  • memory/2868-61-0x0000000005A00000-0x0000000005A9F000-memory.dmp

    Filesize

    636KB

  • memory/2868-57-0x0000000005A00000-0x0000000005A9F000-memory.dmp

    Filesize

    636KB

  • memory/2868-55-0x0000000005A00000-0x0000000005A9F000-memory.dmp

    Filesize

    636KB

  • memory/2868-53-0x0000000005A00000-0x0000000005A9F000-memory.dmp

    Filesize

    636KB

  • memory/2868-936-0x0000000005AC0000-0x0000000005AC1000-memory.dmp

    Filesize

    4KB

  • memory/2868-937-0x0000000005B10000-0x0000000005B4C000-memory.dmp

    Filesize

    240KB

  • memory/2868-938-0x0000000005D00000-0x0000000005D4C000-memory.dmp

    Filesize

    304KB

  • memory/2868-939-0x0000000074800000-0x0000000074FB0000-memory.dmp

    Filesize

    7.7MB

  • memory/2868-940-0x0000000004FB0000-0x0000000004FC0000-memory.dmp

    Filesize

    64KB

  • memory/2868-941-0x0000000006550000-0x0000000006AF4000-memory.dmp

    Filesize

    5.6MB

  • memory/2868-948-0x0000000074800000-0x0000000074FB0000-memory.dmp

    Filesize

    7.7MB

  • memory/3880-949-0x0000000000400000-0x0000000000554000-memory.dmp

    Filesize

    1.3MB

  • memory/3880-954-0x0000000000400000-0x0000000000554000-memory.dmp

    Filesize

    1.3MB

  • memory/4212-955-0x0000000074060000-0x0000000074810000-memory.dmp

    Filesize

    7.7MB

  • memory/4212-956-0x0000000005180000-0x0000000005190000-memory.dmp

    Filesize

    64KB

  • memory/4212-1889-0x0000000005170000-0x0000000005171000-memory.dmp

    Filesize

    4KB

  • memory/4212-1890-0x0000000074060000-0x0000000074810000-memory.dmp

    Filesize

    7.7MB

  • memory/4212-1891-0x0000000005180000-0x0000000005190000-memory.dmp

    Filesize

    64KB

  • memory/4212-1899-0x0000000074060000-0x0000000074810000-memory.dmp

    Filesize

    7.7MB

  • memory/4504-1900-0x0000000000400000-0x0000000000554000-memory.dmp

    Filesize

    1.3MB

  • memory/4504-1901-0x0000000000400000-0x0000000000554000-memory.dmp

    Filesize

    1.3MB
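
The memory list above is long because the sandbox dumps the same 0x5A00000-0x5A9F000 region of PID 2868 many times; the useful information is the set of distinct regions per process and their sizes. The following Python script is an added example, not part of the report: it parses a subset of these entries (copied verbatim), checks that every stated size equals end minus start, collapses repeated dumps per PID, and picks out the regions that cannot be the 10KB file itself. The on-disk size is taken from the General section; treating 0x400000 as the default image base of a 32-bit PE, and therefore the 1.3MB region at that address in PIDs 3880 and 4504 as the injected payload rather than the launched file, is an interpretation the report's signatures support but do not state.

```python
"""Parse the memory-region entries of a tria.ge report, check that the stated
sizes match the address ranges, and pick out regions that cannot belong to a
10KB loader.

Added example, not part of the original report. MEMORY_ENTRIES is a subset of
the list above, copied verbatim.
"""
import re
from collections import defaultdict

MEMORY_ENTRIES = """
  • memory/2868-0-0x0000000000590000-0x0000000000598000-memory.dmp
    Filesize
    32KB
  • memory/2868-1-0x0000000074800000-0x0000000074FB0000-memory.dmp
    Filesize
    7.7MB
  • memory/2868-2-0x0000000004FB0000-0x0000000004FC0000-memory.dmp
    Filesize
    64KB
  • memory/2868-3-0x0000000005A00000-0x0000000005AA6000-memory.dmp
    Filesize
    664KB
  • memory/2868-4-0x0000000005A00000-0x0000000005A9F000-memory.dmp
    Filesize
    636KB
  • memory/2868-936-0x0000000005AC0000-0x0000000005AC1000-memory.dmp
    Filesize
    4KB
  • memory/2868-937-0x0000000005B10000-0x0000000005B4C000-memory.dmp
    Filesize
    240KB
  • memory/2868-938-0x0000000005D00000-0x0000000005D4C000-memory.dmp
    Filesize
    304KB
  • memory/2868-941-0x0000000006550000-0x0000000006AF4000-memory.dmp
    Filesize
    5.6MB
  • memory/3880-949-0x0000000000400000-0x0000000000554000-memory.dmp
    Filesize
    1.3MB
  • memory/4212-955-0x0000000074060000-0x0000000074810000-memory.dmp
    Filesize
    7.7MB
  • memory/4212-956-0x0000000005180000-0x0000000005190000-memory.dmp
    Filesize
    64KB
  • memory/4212-1889-0x0000000005170000-0x0000000005171000-memory.dmp
    Filesize
    4KB
  • memory/4504-1900-0x0000000000400000-0x0000000000554000-memory.dmp
    Filesize
    1.3MB
"""

ENTRY_RE = re.compile(
    r"memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp\s+Filesize\s+(\S+)")
FILE_SIZE = 10 * 1024          # Kavipsz.exe and bab.exe are 10KB on disk (General section)
DEFAULT_IMAGE_BASE = 0x400000  # classic ImageBase of a 32-bit PE (interpretation, see lead-in)


def parse_regions(text):
    """(pid, index, start, end, stated_size) for every dump entry in the text."""
    return [(int(p), int(i), int(s, 16), int(e, 16), sz)
            for p, i, s, e, sz in ENTRY_RE.findall(text)]


def human_size(n):
    """Format bytes the way the report does: whole KB below 1MB, one decimal MB above."""
    return f"{n / 2**20:.1f}MB" if n >= 2**20 else f"{n // 1024}KB"


def size_mismatches(regions):
    """Entries whose stated size disagrees with end - start; [] means the list is consistent."""
    return [r for r in regions if human_size(r[3] - r[2]) != r[4]]


def regions_by_pid(regions):
    """Distinct (start, end) ranges per PID, largest first; repeated dumps of one range collapse."""
    seen = defaultdict(set)
    for pid, _, start, end, _ in regions:
        seen[pid].add((start, end))
    return {pid: sorted(v, key=lambda r: r[0] - r[1]) for pid, v in seen.items()}


def hollowed_candidates(regions, file_size=FILE_SIZE):
    """PIDs holding a region at the default image base far larger than the file they were
    launched from: a mapped PE that is not the one on disk."""
    return sorted({pid for pid, _, start, end, _ in regions
                   if start == DEFAULT_IMAGE_BASE and end - start > 4 * file_size})


if __name__ == "__main__":
    regs = parse_regions(MEMORY_ENTRIES)
    print("inconsistent entries:", size_mismatches(regs))
    for pid, ranges in regions_by_pid(regs).items():
        s, e = ranges[0]
        print(f"PID {pid}: {len(ranges)} distinct regions, largest {human_size(e - s)} at {s:#x}")
    print("hollowed candidates:", hollowed_candidates(regs))
```

The 7.7MB regions in PIDs 2868 and 4212 are the same size at different bases, which is what a relocated shared image looks like; the 1.3MB region at 0x400000 in the two child PIDs is the one to dump and carve for the WarzoneRat configuration, since the on-disk sample is only 10KB.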