Analysis
- max time kernel: 142s
- max time network: 155s
- platform: windows10-2004_x64
- resource: win10v2004-20231215-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 28/01/2024, 12:41
Static task
- static1
Behavioral task
- behavioral1: sample Kavipsz.exe, resource win7-20231215-en
Behavioral task
- behavioral2: sample Kavipsz.exe, resource win10v2004-20231215-en
General
- Target: Kavipsz.exe
- Size: 10KB
- MD5: c2962aaa2e45754c27cfd561af655a64
- SHA1: 738bd61ccaad6cdba0e0c73241c57e936096fdc1
- SHA256: 29d974ba2b643abaea7868127dcd6cfd068242dda52dd816432448c862649908
- SHA512: e939b3115bc87c504b15473b1ff667d28b6eed376ad5511dca3ffe27a94b41b750a5b12b06f5df3e437b63bed539c0befcfc28963afb17985601dfe337d42e03
- SSDEEP: 192:xd5UZeTU9CIji4dcgh8V2PnHujraKj9Q:xdyZeUXj35SV2vHuraKj9
Malware Config
Extracted
- Family: warzonerat
- C2: bossnew.ddns.net:1001
Signatures
- Detect ZGRat V1 (34 IoCs)
  resource  yara_rule
  behavioral2/memory/2868-3-0x0000000005A00000-0x0000000005AA6000-memory.dmp  family_zgrat_v1
  behavioral2/memory/2868-4-0x0000000005A00000-0x0000000005A9F000-memory.dmp  family_zgrat_v1
  behavioral2/memory/2868-5-0x0000000005A00000-0x0000000005A9F000-memory.dmp  family_zgrat_v1
  behavioral2/memory/2868-7-0x0000000005A00000-0x0000000005A9F000-memory.dmp  family_zgrat_v1
  behavioral2/memory/2868-9-0x0000000005A00000-0x0000000005A9F000-memory.dmp  family_zgrat_v1
  behavioral2/memory/2868-11-0x0000000005A00000-0x0000000005A9F000-memory.dmp  family_zgrat_v1
  behavioral2/memory/2868-13-0x0000000005A00000-0x0000000005A9F000-memory.dmp  family_zgrat_v1
  behavioral2/memory/2868-15-0x0000000005A00000-0x0000000005A9F000-memory.dmp  family_zgrat_v1
  behavioral2/memory/2868-17-0x0000000005A00000-0x0000000005A9F000-memory.dmp  family_zgrat_v1
  behavioral2/memory/2868-19-0x0000000005A00000-0x0000000005A9F000-memory.dmp  family_zgrat_v1
  behavioral2/memory/2868-21-0x0000000005A00000-0x0000000005A9F000-memory.dmp  family_zgrat_v1
  behavioral2/memory/2868-23-0x0000000005A00000-0x0000000005A9F000-memory.dmp  family_zgrat_v1
  behavioral2/memory/2868-25-0x0000000005A00000-0x0000000005A9F000-memory.dmp  family_zgrat_v1
  behavioral2/memory/2868-29-0x0000000005A00000-0x0000000005A9F000-memory.dmp  family_zgrat_v1
  behavioral2/memory/2868-27-0x0000000005A00000-0x0000000005A9F000-memory.dmp  family_zgrat_v1
  behavioral2/memory/2868-31-0x0000000005A00000-0x0000000005A9F000-memory.dmp  family_zgrat_v1
  behavioral2/memory/2868-33-0x0000000005A00000-0x0000000005A9F000-memory.dmp  family_zgrat_v1
  behavioral2/memory/2868-35-0x0000000005A00000-0x0000000005A9F000-memory.dmp  family_zgrat_v1
  behavioral2/memory/2868-37-0x0000000005A00000-0x0000000005A9F000-memory.dmp  family_zgrat_v1
  behavioral2/memory/2868-39-0x0000000005A00000-0x0000000005A9F000-memory.dmp  family_zgrat_v1
  behavioral2/memory/2868-43-0x0000000005A00000-0x0000000005A9F000-memory.dmp  family_zgrat_v1
  behavioral2/memory/2868-45-0x0000000005A00000-0x0000000005A9F000-memory.dmp  family_zgrat_v1
  behavioral2/memory/2868-41-0x0000000005A00000-0x0000000005A9F000-memory.dmp  family_zgrat_v1
  behavioral2/memory/2868-49-0x0000000005A00000-0x0000000005A9F000-memory.dmp  family_zgrat_v1
  behavioral2/memory/2868-47-0x0000000005A00000-0x0000000005A9F000-memory.dmp  family_zgrat_v1
  behavioral2/memory/2868-51-0x0000000005A00000-0x0000000005A9F000-memory.dmp  family_zgrat_v1
  behavioral2/memory/2868-59-0x0000000005A00000-0x0000000005A9F000-memory.dmp  family_zgrat_v1
  behavioral2/memory/2868-67-0x0000000005A00000-0x0000000005A9F000-memory.dmp  family_zgrat_v1
  behavioral2/memory/2868-65-0x0000000005A00000-0x0000000005A9F000-memory.dmp  family_zgrat_v1
  behavioral2/memory/2868-63-0x0000000005A00000-0x0000000005A9F000-memory.dmp  family_zgrat_v1
  behavioral2/memory/2868-61-0x0000000005A00000-0x0000000005A9F000-memory.dmp  family_zgrat_v1
  behavioral2/memory/2868-57-0x0000000005A00000-0x0000000005A9F000-memory.dmp  family_zgrat_v1
  behavioral2/memory/2868-55-0x0000000005A00000-0x0000000005A9F000-memory.dmp  family_zgrat_v1
  behavioral2/memory/2868-53-0x0000000005A00000-0x0000000005A9F000-memory.dmp  family_zgrat_v1
- WarzoneRat, AveMaria
  WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
- Warzone RAT payload (4 IoCs)
  resource  yara_rule
  behavioral2/memory/3880-949-0x0000000000400000-0x0000000000554000-memory.dmp  warzonerat
  behavioral2/memory/3880-954-0x0000000000400000-0x0000000000554000-memory.dmp  warzonerat
  behavioral2/memory/4504-1900-0x0000000000400000-0x0000000000554000-memory.dmp  warzonerat
  behavioral2/memory/4504-1901-0x0000000000400000-0x0000000000554000-memory.dmp  warzonerat
- Drops startup file (2 IoCs)
  description  ioc  Process
  File created  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Bqkmarzra.vbs  Kavipsz.exe
  File opened for modification  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Bqkmarzra.vbs  bab.exe
- Executes dropped EXE (2 IoCs)
  pid  Process
  4212  bab.exe
  4504  bab.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  description  ioc  Process
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\bab = "C:\\ProgramData\\bab.exe"  Kavipsz.exe
- Suspicious use of SetThreadContext (2 IoCs)
  description  pid  Process  procid_target
  PID 2868 set thread context of 3880  2868  Kavipsz.exe  97
  PID 4212 set thread context of 4504  4212  bab.exe  99
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description  pid  Process
  Token: SeDebugPrivilege  2868  Kavipsz.exe
  Token: SeDebugPrivilege  4212  bab.exe
- Suspicious use of WriteProcessMemory (25 IoCs)
  description  pid  Process  procid_target
  PID 2868 wrote to memory of 3880  2868  Kavipsz.exe  97
  PID 2868 wrote to memory of 3880  2868  Kavipsz.exe  97
  PID 2868 wrote to memory of 3880  2868  Kavipsz.exe  97
  PID 2868 wrote to memory of 3880  2868  Kavipsz.exe  97
  PID 2868 wrote to memory of 3880  2868  Kavipsz.exe  97
  PID 2868 wrote to memory of 3880  2868  Kavipsz.exe  97
  PID 2868 wrote to memory of 3880  2868  Kavipsz.exe  97
  PID 2868 wrote to memory of 3880  2868  Kavipsz.exe  97
  PID 2868 wrote to memory of 3880  2868  Kavipsz.exe  97
  PID 2868 wrote to memory of 3880  2868  Kavipsz.exe  97
  PID 2868 wrote to memory of 3880  2868  Kavipsz.exe  97
  PID 3880 wrote to memory of 4212  3880  Kavipsz.exe  98
  PID 3880 wrote to memory of 4212  3880  Kavipsz.exe  98
  PID 3880 wrote to memory of 4212  3880  Kavipsz.exe  98
  PID 4212 wrote to memory of 4504  4212  bab.exe  99
  PID 4212 wrote to memory of 4504  4212  bab.exe  99
  PID 4212 wrote to memory of 4504  4212  bab.exe  99
  PID 4212 wrote to memory of 4504  4212  bab.exe  99
  PID 4212 wrote to memory of 4504  4212  bab.exe  99
  PID 4212 wrote to memory of 4504  4212  bab.exe  99
  PID 4212 wrote to memory of 4504  4212  bab.exe  99
  PID 4212 wrote to memory of 4504  4212  bab.exe  99
  PID 4212 wrote to memory of 4504  4212  bab.exe  99
  PID 4212 wrote to memory of 4504  4212  bab.exe  99
  PID 4212 wrote to memory of 4504  4212  bab.exe  99
Processes
- C:\Users\Admin\AppData\Local\Temp\Kavipsz.exe (depth 1)
  command line: "C:\Users\Admin\AppData\Local\Temp\Kavipsz.exe"
  PID: 2868
  - Drops startup file
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\Kavipsz.exe (depth 2, parent PID 2868)
    command line: C:\Users\Admin\AppData\Local\Temp\Kavipsz.exe
    PID: 3880
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    - C:\ProgramData\bab.exe (depth 3, parent PID 3880)
      command line: "C:\ProgramData\bab.exe"
      PID: 4212
      - Drops startup file
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      - C:\ProgramData\bab.exe (depth 4, parent PID 4212)
        command line: C:\ProgramData\bab.exe
        PID: 4504
        - Executes dropped EXE
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 10KB
  MD5: c2962aaa2e45754c27cfd561af655a64
  SHA1: 738bd61ccaad6cdba0e0c73241c57e936096fdc1
  SHA256: 29d974ba2b643abaea7868127dcd6cfd068242dda52dd816432448c862649908
  SHA512: e939b3115bc87c504b15473b1ff667d28b6eed376ad5511dca3ffe27a94b41b750a5b12b06f5df3e437b63bed539c0befcfc28963afb17985601dfe337d42e03
- Filesize: 84B
  MD5: b5b2159f4db9cb17c5d801aa106174e1
  SHA1: 8b01d233e6539b548aeb2122399eea41f3b4d1a9
  SHA256: 540af60ccce7a285c71fecd5c09597a1604abe734731488e00498188a2ab5361
  SHA512: 84346d164bd46fb9efda40cca63c1a31d4799e0ef5ee42e094833eeb3a71596309dfc3585b7626fe7e68cddaa94937b1cfa8ae89ff9858bbbf0cd067b7c9e09d