Analysis
max time kernel: 148s
max time network: 124s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 11/06/2024, 23:51
Behavioral task: behavioral1
Sample: 7b157968c9b39cd4f7142319875abd5fa41c47a102efee89f04e0994ab1236b8.exe
Resource: win7-20240221-en
Behavioral task: behavioral2
Sample: 7b157968c9b39cd4f7142319875abd5fa41c47a102efee89f04e0994ab1236b8.exe
Resource: win10v2004-20240226-en
General
Target: 7b157968c9b39cd4f7142319875abd5fa41c47a102efee89f04e0994ab1236b8.exe
Size: 1.4MB
MD5: 8fae8304e088d4004d32c1d42eba93e9
SHA1: 7e7461ffe4b08fc40294b08a16c810fdf3ef8f1d
SHA256: 7b157968c9b39cd4f7142319875abd5fa41c47a102efee89f04e0994ab1236b8
SHA512: aa268ae3929c2d56b4b81cac6f6e728bcdcf0e35be437c34cf781f5b2ac1071d2055575e17ea69e7fa04a7e3a0768897c6f1cd15f32a6e95aecba527dde88f8e
SSDEEP: 24576:ru6J3xO0c+JY5UZ+XCHkGso6Fa720W4njUprvVcC1f2o5RRfgdWYk:Fo0c++OCokGs9Fa+rd1f26RNYk
Malware Config
Extracted: netwire
Wealthy2019.com.strangled.net:20190
wealthyme.ddns.net:20190
activex_autorun: false
copy_executable: true
delete_original: false
host_id: sunshineslisa
install_path: %AppData%\Imgburn\Host.exe
keylogger_dir: %AppData%\Logs\Imgburn\
lock_executable: false
offline_keylogger: true
password: sucess
registry_autorun: false
use_mutex: false
Extracted: warzonerat
wealth.warzonedns.com:5202
Signatures

NetWire RAT payload (10 IoCs)
resource / yara_rule
behavioral1/memory/1300-0-0x00000000001F0000-0x000000000035B000-memory.dmp netwire
behavioral1/files/0x000b000000014aec-5.dat netwire
behavioral1/memory/1724-24-0x0000000000400000-0x000000000042C000-memory.dmp netwire
behavioral1/memory/1300-41-0x00000000001F0000-0x000000000035B000-memory.dmp netwire
behavioral1/memory/944-47-0x0000000000400000-0x000000000042C000-memory.dmp netwire
behavioral1/memory/944-50-0x0000000000400000-0x000000000042C000-memory.dmp netwire
behavioral1/files/0x00070000000155e2-51.dat netwire
behavioral1/memory/1380-81-0x00000000001F0000-0x000000000035B000-memory.dmp netwire
behavioral1/memory/1104-89-0x0000000000400000-0x000000000042C000-memory.dmp netwire
behavioral1/files/0x000b000000014aec-103.dat netwire

WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.

Warzone RAT payload (4 IoCs)
resource / yara_rule
behavioral1/memory/2936-39-0x0000000000400000-0x000000000041D000-memory.dmp warzonerat
behavioral1/memory/2936-29-0x0000000000400000-0x000000000041D000-memory.dmp warzonerat
behavioral1/memory/2336-80-0x0000000000080000-0x000000000009D000-memory.dmp warzonerat
behavioral1/memory/2336-71-0x0000000000080000-0x000000000009D000-memory.dmp warzonerat

Executes dropped EXE (8 IoCs)
pid / Process
1724 Blasthost.exe
944 Host.exe
1380 RtDCpl64.exe
1104 Blasthost.exe
2336 RtDCpl64.exe
720 RtDCpl64.exe
880 Blasthost.exe
856 RtDCpl64.exe

Loads dropped DLL (13 IoCs)
pid / Process
1300 7b157968c9b39cd4f7142319875abd5fa41c47a102efee89f04e0994ab1236b8.exe
1300 7b157968c9b39cd4f7142319875abd5fa41c47a102efee89f04e0994ab1236b8.exe
1300 7b157968c9b39cd4f7142319875abd5fa41c47a102efee89f04e0994ab1236b8.exe
1300 7b157968c9b39cd4f7142319875abd5fa41c47a102efee89f04e0994ab1236b8.exe
1724 Blasthost.exe
1724 Blasthost.exe
1380 RtDCpl64.exe
1380 RtDCpl64.exe
1380 RtDCpl64.exe
1380 RtDCpl64.exe
720 RtDCpl64.exe
720 RtDCpl64.exe
720 RtDCpl64.exe

AutoIT Executable (4 IoCs)
AutoIT scripts compiled to PE executables.
resource / yara_rule
behavioral1/memory/1300-0-0x00000000001F0000-0x000000000035B000-memory.dmp autoit_exe
behavioral1/memory/1300-41-0x00000000001F0000-0x000000000035B000-memory.dmp autoit_exe
behavioral1/files/0x00070000000155e2-51.dat autoit_exe
behavioral1/memory/1380-81-0x00000000001F0000-0x000000000035B000-memory.dmp autoit_exe

Suspicious use of SetThreadContext (3 IoCs)
description / pid / Process / procid_target
PID 1300 set thread context of 2936 / 1300 / 7b157968c9b39cd4f7142319875abd5fa41c47a102efee89f04e0994ab1236b8.exe / 30
PID 1380 set thread context of 2336 / 1380 / RtDCpl64.exe / 40
PID 720 set thread context of 856 / 720 / RtDCpl64.exe / 47

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

Creates scheduled task(s) (1 TTPs, 3 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid / Process
2600 schtasks.exe
2036 schtasks.exe
992 schtasks.exe

Suspicious use of WriteProcessMemory (64 IoCs)
Processes

C:\Users\Admin\AppData\Local\Temp\7b157968c9b39cd4f7142319875abd5fa41c47a102efee89f04e0994ab1236b8.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\7b157968c9b39cd4f7142319875abd5fa41c47a102efee89f04e0994ab1236b8.exe"
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID: 1300

  C:\Users\Admin\AppData\Roaming\Blasthost.exe
  Command line: "C:\Users\Admin\AppData\Roaming\Blasthost.exe"
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID: 1724

    C:\Users\Admin\AppData\Roaming\Imgburn\Host.exe
    Command line: "C:\Users\Admin\AppData\Roaming\Imgburn\Host.exe"
    - Executes dropped EXE
    PID: 944

  C:\Users\Admin\AppData\Local\Temp\7b157968c9b39cd4f7142319875abd5fa41c47a102efee89f04e0994ab1236b8.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\7b157968c9b39cd4f7142319875abd5fa41c47a102efee89f04e0994ab1236b8.exe"
  - Suspicious use of WriteProcessMemory
  PID: 2936

    C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe"
    PID: 2516

  C:\Windows\SysWOW64\schtasks.exe
  Command line: "C:\Windows\SysWOW64\schtasks.exe" /create /tn raserver /tr "C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe" /sc minute /mo 1 /F
  - Creates scheduled task(s)
  PID: 2600

C:\Windows\system32\taskeng.exe
Command line: taskeng.exe {A3E14A1E-35C8-4F5A-9071-F7EA42BF3984} S-1-5-21-330940541-141609230-1670313778-1000:KXIPPCKF\Admin:Interactive:[1]
- Suspicious use of WriteProcessMemory
PID: 620

  C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
  Command line: C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID: 1380

    C:\Users\Admin\AppData\Roaming\Blasthost.exe
    Command line: "C:\Users\Admin\AppData\Roaming\Blasthost.exe"
    - Executes dropped EXE
    PID: 1104

    C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
    Command line: "C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe"
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID: 2336

      C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe"
      PID: 2676

    C:\Windows\SysWOW64\schtasks.exe
    Command line: "C:\Windows\SysWOW64\schtasks.exe" /create /tn raserver /tr "C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe" /sc minute /mo 1 /F
    - Creates scheduled task(s)
    PID: 2036

  C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
  Command line: C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID: 720

    C:\Users\Admin\AppData\Roaming\Blasthost.exe
    Command line: "C:\Users\Admin\AppData\Roaming\Blasthost.exe"
    - Executes dropped EXE
    PID: 880

    C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
    Command line: "C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe"
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID: 856

      C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe"
      PID: 2108

    C:\Windows\SysWOW64\schtasks.exe
    Command line: "C:\Windows\SysWOW64\schtasks.exe" /create /tn raserver /tr "C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe" /sc minute /mo 1 /F
    - Creates scheduled task(s)
    PID: 992
Network
MITRE ATT&CK Enterprise v15
Downloads