Analysis
- max time kernel: 146s
- max time network: 147s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 21/10/2024, 20:50
Static task
- static1

Behavioral task
- behavioral1
  - Sample: 46d5190fd7f6dc29f452951eeeacfff33677d3b620da637b2cba73514b7f1d3c.xll
  - Resource: win7-20240903-en

Behavioral task
- behavioral2
  - Sample: 46d5190fd7f6dc29f452951eeeacfff33677d3b620da637b2cba73514b7f1d3c.xll
  - Resource: win10v2004-20241007-en
General
- Target: 46d5190fd7f6dc29f452951eeeacfff33677d3b620da637b2cba73514b7f1d3c.xll
- Size: 1.0MB
- MD5: fda6f5316adb00c79ae1eb52f51a92a1
- SHA1: a6333318d5b16abaa1c87da084a7175503e35485
- SHA256: 46d5190fd7f6dc29f452951eeeacfff33677d3b620da637b2cba73514b7f1d3c
- SHA512: f415a108bcb5d1541ecf897c5c53570f70bd01598c3e4e926d43b75f9b9edea6b096c1354286f522201dc50feacf43a3143e095e6630e0896cc07957edee8625
- SSDEEP: 24576:qoOOMX1P+QHT+dOVV/kV+IdxriUJ/Qaaep:qoOOq+QHsOVV/kVbTNRfR
Malware Config
Extracted
- Family: warzonerat
- C2: qoldwold.zanity.net:5208
Signatures

WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.

Warzone RAT payload (3 IoCs)
- behavioral2/memory/5104-63-0x0000000000400000-0x0000000000554000-memory.dmp (yara_rule: warzonerat)
- behavioral2/memory/1144-68-0x0000000000400000-0x0000000000554000-memory.dmp (yara_rule: warzonerat)
- behavioral2/memory/4280-78-0x0000000000400000-0x0000000000554000-memory.dmp (yara_rule: warzonerat)

Executes dropped EXE (6 IoCs)
- PID 2036: 523cf743-1d5c-4053-9cc4-028dfaadbea6.exe
- PID 5104: 523cf743-1d5c-4053-9cc4-028dfaadbea6.exe
- PID 1144: 523cf743-1d5c-4053-9cc4-028dfaadbea6.exe
- PID 4376: cmages.exe
- PID 4280: cmages.exe
- PID 3216: cmages.exe

Loads dropped DLL (2 IoCs)
- PID 4144: EXCEL.EXE
- PID 4144: EXCEL.EXE

Adds Run key to start application (2 TTPs, 1 IoC)
- Description: Set value (str)
- IoC: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Cmages = "C:\\ProgramData\\cmages.exe"
- Process: 523cf743-1d5c-4053-9cc4-028dfaadbea6.exe

Suspicious use of SetThreadContext (4 IoCs)
- PID 2036 (523cf743-1d5c-4053-9cc4-028dfaadbea6.exe) set thread context of 5104 (procid_target 91)
- PID 2036 (523cf743-1d5c-4053-9cc4-028dfaadbea6.exe) set thread context of 1144 (procid_target 92)
- PID 4376 (cmages.exe) set thread context of 4280 (procid_target 97)
- PID 4376 (cmages.exe) set thread context of 3216 (procid_target 98)

Program crash (1 IoC)
- PID 3808 (WerFault.exe), pid_target 3216, procid_target 98

System Location Discovery: System Language Discovery (1 TTP, 5 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (523cf743-1d5c-4053-9cc4-028dfaadbea6.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (523cf743-1d5c-4053-9cc4-028dfaadbea6.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (523cf743-1d5c-4053-9cc4-028dfaadbea6.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (cmages.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (cmages.exe)

Checks processor information in registry (2 TTPs, 3 IoCs)
Processor information is often read in order to detect sandboxing environments.
- Key opened: \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 (EXCEL.EXE)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz (EXCEL.EXE)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString (EXCEL.EXE)

Enumerates system info in registry (2 TTPs, 3 IoCs)
- Key opened: \REGISTRY\MACHINE\Hardware\Description\System\BIOS (EXCEL.EXE)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily (EXCEL.EXE)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU (EXCEL.EXE)

Suspicious behavior: AddClipboardFormatListener (1 IoC)
- PID 4144: EXCEL.EXE

Suspicious behavior: EnumeratesProcesses (1 IoC)
- PID 4144: EXCEL.EXE

Suspicious use of AdjustPrivilegeToken (3 IoCs)
- Token: SeDebugPrivilege, PID 4144 (EXCEL.EXE)
- Token: SeDebugPrivilege, PID 2036 (523cf743-1d5c-4053-9cc4-028dfaadbea6.exe)
- Token: SeDebugPrivilege, PID 4376 (cmages.exe)

Suspicious use of FindShellTrayWindow (2 IoCs)
- PID 4144: EXCEL.EXE (2 times)

Suspicious use of SetWindowsHookEx (10 IoCs)
- PID 4144: EXCEL.EXE (10 times)

Suspicious use of WriteProcessMemory (50 IoCs; identical rows collapsed with a count)
- PID 4144 (EXCEL.EXE) wrote to memory of 2036 (procid_target 88): 3 times
- PID 2036 (523cf743-1d5c-4053-9cc4-028dfaadbea6.exe) wrote to memory of 5104 (procid_target 91): 11 times
- PID 2036 (523cf743-1d5c-4053-9cc4-028dfaadbea6.exe) wrote to memory of 1144 (procid_target 92): 11 times
- PID 5104 (523cf743-1d5c-4053-9cc4-028dfaadbea6.exe) wrote to memory of 4376 (procid_target 96): 3 times
- PID 4376 (cmages.exe) wrote to memory of 4280 (procid_target 97): 11 times
- PID 4376 (cmages.exe) wrote to memory of 3216 (procid_target 98): 11 times
Processes
- C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE (PID 4144)
  Command line: "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\46d5190fd7f6dc29f452951eeeacfff33677d3b620da637b2cba73514b7f1d3c.xll"
  Signatures: Loads dropped DLL; Checks processor information in registry; Enumerates system info in registry; Suspicious behavior: AddClipboardFormatListener; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of FindShellTrayWindow; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\523cf743-1d5c-4053-9cc4-028dfaadbea6.exe (PID 2036)
    Command line: "C:\Users\Admin\AppData\Local\Temp\523cf743-1d5c-4053-9cc4-028dfaadbea6.exe"
    Signatures: Executes dropped EXE; Suspicious use of SetThreadContext; System Location Discovery: System Language Discovery; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\523cf743-1d5c-4053-9cc4-028dfaadbea6.exe (PID 5104)
      Command line: C:\Users\Admin\AppData\Local\Temp\523cf743-1d5c-4053-9cc4-028dfaadbea6.exe
      Signatures: Executes dropped EXE; Adds Run key to start application; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
      - C:\ProgramData\cmages.exe (PID 4376)
        Command line: "C:\ProgramData\cmages.exe"
        Signatures: Executes dropped EXE; Suspicious use of SetThreadContext; System Location Discovery: System Language Discovery; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
        - C:\ProgramData\cmages.exe (PID 4280)
          Command line: C:\ProgramData\cmages.exe
          Signatures: Executes dropped EXE; System Location Discovery: System Language Discovery
        - C:\ProgramData\cmages.exe (PID 3216)
          Command line: C:\ProgramData\cmages.exe
          Signatures: Executes dropped EXE
          - C:\Windows\SysWOW64\WerFault.exe (PID 3808)
            Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3216 -s 80
            Signatures: Program crash
    - C:\Users\Admin\AppData\Local\Temp\523cf743-1d5c-4053-9cc4-028dfaadbea6.exe (PID 1144)
      Command line: C:\Users\Admin\AppData\Local\Temp\523cf743-1d5c-4053-9cc4-028dfaadbea6.exe
      Signatures: Executes dropped EXE; System Location Discovery: System Language Discovery
- C:\Windows\SysWOW64\WerFault.exe (PID 4788)
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3216 -ip 3216
Network
MITRE ATT&CK Enterprise v15
Downloads
- C:\Users\Admin\AppData\Local\Temp\46d5190fd7f6dc29f452951eeeacfff33677d3b620da637b2cba73514b7f1d3c.xll
  - Filesize: 1.0MB
  - MD5: fda6f5316adb00c79ae1eb52f51a92a1
  - SHA1: a6333318d5b16abaa1c87da084a7175503e35485
  - SHA256: 46d5190fd7f6dc29f452951eeeacfff33677d3b620da637b2cba73514b7f1d3c
  - SHA512: f415a108bcb5d1541ecf897c5c53570f70bd01598c3e4e926d43b75f9b9edea6b096c1354286f522201dc50feacf43a3143e095e6630e0896cc07957edee8625
- (no path shown in the report)
  - Filesize: 488KB
  - MD5: 4be82778811dcb6fe8637808dedeefbb
  - SHA1: 2c4ea159d73c849f9d1912110170842343188a2e
  - SHA256: cd50bd011e077a8fb6003945c35bb75a32ef16b6a99bfb0d5c7a2e3fabf25f68
  - SHA512: ad047aba2bf6e7c6b8f31d5754b21266c81c994f7a926239f46120fc5b57e8cff84f671b20022f3e7866ae0b9a3ed119de3342856fc05747a09f1790498b6854
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b8ab77100df80ab2.customDestinations-ms
  - Filesize: 2KB
  - MD5: b3785ef580ec8a2e5afb375bd67a7418
  - SHA1: 7d6a3b437d63f1ccb8d5f34a0a0508b2207fb62f
  - SHA256: 923860e2baa25186284697f8c5dc0df8bc5236ebbbde2fab0e1194212729ba61
  - SHA512: efb97e6d4e3efa0f2bebe5500728bf165b0fd0f5cdbb3a091dd86efda44a3e4d979bcdd06be116e775eb92922bd0456490da2c090c8dc6d2922ab2ee7ffef733