Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

1

0923b96551...b4.rtf

windows7-x64

10

0923b96551...b4.rtf

windows10-2004-x64

1

Analysis

  • max time kernel
    129s
  • max time network
    141s
  • platform
    windows7_x64
  • resource
    win7-20231215-en
  • resource tags

    arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
  • submitted
    13/02/2024, 02:13

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    0923b96551a00cf7c004115637a4e0eb9d80ea8c6ab80c6515b3f3ca28bd5eb4.rtf

  • Size

    3KB

  • MD5

    08e4197b0f47a59e1061a1c30c445daa

  • SHA1

    a3c5eb519045be882bcc057f4df655789f542ee8

  • SHA256

    0923b96551a00cf7c004115637a4e0eb9d80ea8c6ab80c6515b3f3ca28bd5eb4

  • SHA512

    5b7a923f6cc6f1baddb728dce653b5af353cc1a2544348fd857b0ede029470307597e39a151460a79e4bd3963b8438ae55531dbb2d2f26fc55483c9c8ce8f336

Score
10/10
warzoneratinfostealerrat

Malware Config

Extracted

Family

warzonerat

C2

makatti.duckdns.org:3787

Signatures

  • WarzoneRat, AveMaria

    WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.

    ratinfostealerwarzonerat
  • Warzone RAT payload 9 IoCs
    rat
  • Blocklisted process makes network request 1 IoCs
  • Downloads MZ/PE file
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 1 IoCs
  • Drops file in System32 directory 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Office loads VBA resources, possible macro or embedded object present
  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Launches Equation Editor 1 TTPs 1 IoCs

    Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.

    exploit
  • Modifies Internet Explorer settings 1 TTPs 31 IoCs
    adwarespyware
  • Modifies registry class 64 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 32 IoCs

Processes

  • C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\0923b96551a00cf7c004115637a4e0eb9d80ea8c6ab80c6515b3f3ca28bd5eb4.rtf"
    1⤵
    • Drops file in Windows directory
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1268
    • C:\Windows\splwow64.exe
      C:\Windows\splwow64.exe 12288
      2⤵
        PID:2912
    • C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
      "C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
      1⤵
      • Blocklisted process makes network request
      • Loads dropped DLL
      • Launches Equation Editor
      • Suspicious use of WriteProcessMemory
      PID:1212
      • C:\Users\Admin\AppData\Roaming\word.exe
        C:\Users\Admin\AppData\Roaming\word.exe
        2⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2832
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\IDXJRvJUpAIjP.exe"
          3⤵
          • Drops file in System32 directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:1624
        • C:\Windows\SysWOW64\schtasks.exe
          "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\IDXJRvJUpAIjP" /XML "C:\Users\Admin\AppData\Local\Temp\tmp9222.tmp"
          3⤵
          • Creates scheduled task(s)
          PID:2196
        • C:\Users\Admin\AppData\Roaming\word.exe
          "C:\Users\Admin\AppData\Roaming\word.exe"
          3⤵
          • Executes dropped EXE
          PID:1904
        • C:\Users\Admin\AppData\Roaming\word.exe
          "C:\Users\Admin\AppData\Roaming\word.exe"
          3⤵
          • Executes dropped EXE
          PID:1412

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\tmp9222.tmp
      Filesize

      1KB

      MD5

      322e236b9a6e946674aa812b89445c49

      SHA1

      5480cab183ab27489c0a9049fec63fcc7e112738

      SHA256

      54cf91d836de5e2a1f86a2e972818103af8516868dd621808fd2ba1f40a6de2a

      SHA512

      16c4997cc8574271916527381bc6cfa683d803f032c24346fba14c94b7686f9fc8cab26deb823ea396bc7c5f66cb25b540bbafa7fe1f3b45b89dc1ef795b62a1

      Download Submit

    • C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm
      Filesize

      20KB

      MD5

      9167d09944f09780d1a8abfd889b0da9

      SHA1

      c20503da0f87354ae6b8cd2efd7a1aa257d84045

      SHA256

      ff83b0abeb0492795e30a238ab30a9d514a1f0345be52951dc6afb0521a0e623

      SHA512

      f5d8fd61e7f3505468ff3673b096a6e493c7d063e705de33bb5cb7c21d7a4fd0e71763ef4571a11d97a2523999520958a5c4006e03cc18833bde8c4589b4f66c

      Download Submit

    • C:\Users\Admin\AppData\Roaming\word.exe
      Filesize

      192KB

      MD5

      4ed10aec575281c1ff7a002d99e5effa

      SHA1

      75bfc13677d9b7bd74815756e5a100960bfe1860

      SHA256

      59c3d458dae9d3906801c54ec6979da312af4a1b33ac7358d2950c206b8e7875

      SHA512

      ec59dea28c354d9e8f539e43def33cb4945222083ce920f2aebc5b8147d2ee5cd02610ff8b8b6867599d2aefd95b4e963945ba2feccfeb48e33c181a44fb513b

      Download Submit

    • C:\Users\Admin\AppData\Roaming\word.exe
      Filesize

      256KB

      MD5

      e6e2159809d06910a5a978e086f650f7

      SHA1

      a5157303bff1261882067f0f5a73ab06032fe569

      SHA256

      72d5520a03a9c8b524863d5a1459d087bb2f64a8ff545d919f476335b94a0e11

      SHA512

      7ca0bf3c983ae32fa19f674b4352f493e1ab0cb8bc7da7f5ee4a22daa4a29d7cfcfc77002087a659ee435ad1c54ad6458ee260b9ba359729f007a6e1bb925495

      Download Submit

    • C:\Users\Admin\AppData\Roaming\word.exe
      Filesize

      870KB

      MD5

      0c74bc9529b8d9f96fc7e1b47559abd1

      SHA1

      232bb8f072131d66e317b1f8acb1371e999447cb

      SHA256

      bc7a00a440550e0b93368e5d1524e9b5a46177f26518803d85268d9d7a1cca8a

      SHA512

      0ceb0b9eb1923c748b5d30281a023a0fcb407f68e8e9b3d63b289ea96770215ebd7801bd5744beba234319bef2494bfc211b1cab5bd9ac65a34fa36a6f9d54eb

      Download Submit

    • \Users\Admin\AppData\Roaming\word.exe
      Filesize

      512KB

      MD5

      9fa4871d4d4cb7070f13c7f6aa7789fc

      SHA1

      972f0b02c0f1e74903776f608ff0b161bc58b403

      SHA256

      2ba989153d75d86e7839466d42a39b965430ce66881f5d5ce953808eabe597be

      SHA512

      3a0c4456dfe9512cbfa268f9e6bf72c7f16548735daac929f930e0d5c929046a98f95cf5fcab308d8e722279bf6a6da37ad365740470650c126bef4a78e0d013

      Download Submit

    • memory/1268-1-0x000000005FFF0000-0x0000000060000000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1268-2-0x00000000710AD000-0x00000000710B8000-memory.dmp

      Filesize

      44KB

      Download

    • memory/1268-76-0x000000005FFF0000-0x0000000060000000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1268-0-0x000000002F2F1000-0x000000002F2F2000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1268-32-0x00000000710AD000-0x00000000710B8000-memory.dmp

      Filesize

      44KB

      Download

    • memory/1624-57-0x00000000656C0000-0x0000000065C6B000-memory.dmp

      Filesize

      5.7MB

      Download

    • memory/1624-53-0x00000000656C0000-0x0000000065C6B000-memory.dmp

      Filesize

      5.7MB

      Download

    • memory/1624-54-0x00000000656C0000-0x0000000065C6B000-memory.dmp

      Filesize

      5.7MB

      Download

    • memory/1624-55-0x0000000002700000-0x0000000002740000-memory.dmp

      Filesize

      256KB

      Download

    • memory/1624-56-0x0000000002700000-0x0000000002740000-memory.dmp

      Filesize

      256KB

      Download

    • memory/1904-52-0x0000000000400000-0x000000000041D000-memory.dmp

      Filesize

      116KB

      Download

    • memory/1904-50-0x0000000000400000-0x000000000041D000-memory.dmp

      Filesize

      116KB

      Download

    • memory/1904-43-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1904-41-0x0000000000400000-0x000000000041D000-memory.dmp

      Filesize

      116KB

      Download

    • memory/1904-40-0x0000000000400000-0x000000000041D000-memory.dmp

      Filesize

      116KB

      Download

    • memory/1904-39-0x0000000000400000-0x000000000041D000-memory.dmp

      Filesize

      116KB

      Download

    • memory/1904-45-0x0000000000400000-0x000000000041D000-memory.dmp

      Filesize

      116KB

      Download

    • memory/1904-38-0x0000000000400000-0x000000000041D000-memory.dmp

      Filesize

      116KB

      Download

    • memory/1904-36-0x0000000000400000-0x000000000041D000-memory.dmp

      Filesize

      116KB

      Download

    • memory/1904-42-0x0000000000400000-0x000000000041D000-memory.dmp

      Filesize

      116KB

      Download

    • memory/1904-58-0x0000000000400000-0x000000000041D000-memory.dmp

      Filesize

      116KB

      Download

    • memory/1904-34-0x0000000000400000-0x000000000041D000-memory.dmp

      Filesize

      116KB

      Download

    • memory/2832-26-0x00000000042F0000-0x0000000004356000-memory.dmp

      Filesize

      408KB

      Download

    • memory/2832-25-0x0000000001F40000-0x0000000001F4E000-memory.dmp

      Filesize

      56KB

      Download

    • memory/2832-24-0x0000000001F30000-0x0000000001F3A000-memory.dmp

      Filesize

      40KB

      Download

    • memory/2832-18-0x0000000001ED0000-0x0000000001EE4000-memory.dmp

      Filesize

      80KB

      Download

    • memory/2832-16-0x0000000004E10000-0x0000000004E50000-memory.dmp

      Filesize

      256KB

      Download

    • memory/2832-51-0x000000006B050000-0x000000006B73E000-memory.dmp

      Filesize

      6.9MB

      Download

    • memory/2832-15-0x0000000000290000-0x0000000000370000-memory.dmp

      Filesize

      896KB

      Download

    • memory/2832-14-0x000000006B050000-0x000000006B73E000-memory.dmp

      Filesize

      6.9MB

      Download