Analysis

  • max time kernel
    149s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    13/11/2024, 18:54 UTC

General

  • Target

    ec97fe2ca09d875ceab1a42580d4817aad2a6ecfea52586454cbc782fb74d5e4.vbs

  • Size

    804KB

  • MD5

    6a3f1d0a26574f5c1e2d0118ae1ec4aa

  • SHA1

    c2e31c5426f0cb98ab8f8cf2e9f3eec95366476c

  • SHA256

    ec97fe2ca09d875ceab1a42580d4817aad2a6ecfea52586454cbc782fb74d5e4

  • SHA512

    49496b5d797700c638cf750eaa3ff6a8e54ec52e864a074f2bb31fbcf607d18f04169c16e058b18cfe09273a81e33e37112a0735ca1d042d62cfdaa54481f58e

  • SSDEEP

    24576:pLybbSfsKK4LPzHYjtY5eDHex4AH0sTfaKJVmcO/dh5Z2xMsoqUaCSG:a

Malware Config

Extracted

Family

warzonerat

C2

193.161.193.99:43544

Signatures

  • WarzoneRat, AveMaria

    WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.

  • Warzonerat family
  • Warzone RAT payload 4 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of WriteProcessMemory 14 IoCs

Processes

  • C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ec97fe2ca09d875ceab1a42580d4817aad2a6ecfea52586454cbc782fb74d5e4.vbs"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:3564
    • C:\Users\Admin\AppData\Local\Temp\temp_file_rhjRS.exe
      "C:\Users\Admin\AppData\Local\Temp\temp_file_rhjRS.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:3624
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        3⤵
        • System Location Discovery: System Language Discovery
        PID:3244

Network

  • DNS 8.8.8.8.in-addr.arpa
    Remote address: 8.8.8.8:53
    Request: 8.8.8.8.in-addr.arpa IN PTR
    Response: 8.8.8.8.in-addr.arpa IN PTR dns.google
  • DNS 209.205.72.20.in-addr.arpa
    Remote address: 8.8.8.8:53
    Request: 209.205.72.20.in-addr.arpa IN PTR
    Response: (none)
  • DNS 240.221.184.93.in-addr.arpa
    Remote address: 8.8.8.8:53
    Request: 240.221.184.93.in-addr.arpa IN PTR
    Response: (none)
  • DNS 95.221.229.192.in-addr.arpa
    Remote address: 8.8.8.8:53
    Request: 95.221.229.192.in-addr.arpa IN PTR
    Response: (none)
  • DNS 0.159.190.20.in-addr.arpa
    Remote address: 8.8.8.8:53
    Request: 0.159.190.20.in-addr.arpa IN PTR
    Response: (none)
  • DNS 149.220.183.52.in-addr.arpa
    Remote address: 8.8.8.8:53
    Request: 149.220.183.52.in-addr.arpa IN PTR
    Response: (none)
  • DNS 58.55.71.13.in-addr.arpa
    Remote address: 8.8.8.8:53
    Request: 58.55.71.13.in-addr.arpa IN PTR
    Response: (none)
  • DNS 200.163.202.172.in-addr.arpa
    Remote address: 8.8.8.8:53
    Request: 200.163.202.172.in-addr.arpa IN PTR
    Response: (none)
  • DNS 200.163.202.172.in-addr.arpa
    Remote address: 8.8.8.8:53
    Request: 200.163.202.172.in-addr.arpa IN PTR
  • DNS 200.163.202.172.in-addr.arpa
    Remote address: 8.8.8.8:53
    Request: 200.163.202.172.in-addr.arpa IN PTR
  • DNS 200.163.202.172.in-addr.arpa
    Remote address: 8.8.8.8:53
    Request: 200.163.202.172.in-addr.arpa IN PTR
  • DNS 206.23.85.13.in-addr.arpa
    Remote address: 8.8.8.8:53
    Request: 206.23.85.13.in-addr.arpa IN PTR
    Response: (none)
  • DNS 73.190.18.2.in-addr.arpa
    Remote address: 8.8.8.8:53
    Request: 73.190.18.2.in-addr.arpa IN PTR
    Response: 73.190.18.2.in-addr.arpa IN PTR a2-18-190-73.deploy.static.akamaitechnologies.com
  • DNS 22.236.111.52.in-addr.arpa
    Remote address: 8.8.8.8:53
    Request: 22.236.111.52.in-addr.arpa IN PTR
    Response: (none)
  • 193.161.193.99:43544
    RegAsm.exe
    260 B
    160 B
    5
    4
  • 193.161.193.99:43544
    RegAsm.exe
    260 B
    200 B
    5
    5
  • 193.161.193.99:43544
    RegAsm.exe
    260 B
    200 B
    5
    5
  • 193.161.193.99:43544
    RegAsm.exe
    260 B
    80 B
    5
    2
  • 193.161.193.99:43544
    RegAsm.exe
    260 B
    160 B
    5
    4
  • 193.161.193.99:43544
    RegAsm.exe
    260 B
    120 B
    5
    3
  • 193.161.193.99:43544
    RegAsm.exe
    260 B
    200 B
    5
    5
  • 193.161.193.99:43544
    RegAsm.exe
    260 B
    80 B
    5
    2
  • 193.161.193.99:43544
    RegAsm.exe
    260 B
    200 B
    5
    5
  • 193.161.193.99:43544
    RegAsm.exe
    260 B
    200 B
    5
    5
  • 193.161.193.99:43544
    RegAsm.exe
    260 B
    160 B
    5
    4
  • 193.161.193.99:43544
    RegAsm.exe
    260 B
    200 B
    5
    5
  • 193.161.193.99:43544
    RegAsm.exe
    260 B
    200 B
    5
    5
  • 193.161.193.99:43544
    RegAsm.exe
    260 B
    200 B
    5
    5
  • 8.8.8.8:53
    8.8.8.8.in-addr.arpa
    dns
    66 B
    90 B
    1
    1

    DNS Request

    8.8.8.8.in-addr.arpa

  • 8.8.8.8:53
    209.205.72.20.in-addr.arpa
    dns
    72 B
    158 B
    1
    1

    DNS Request

    209.205.72.20.in-addr.arpa

  • 8.8.8.8:53
    240.221.184.93.in-addr.arpa
    dns
    73 B
    144 B
    1
    1

    DNS Request

    240.221.184.93.in-addr.arpa

  • 8.8.8.8:53
    95.221.229.192.in-addr.arpa
    dns
    73 B
    144 B
    1
    1

    DNS Request

    95.221.229.192.in-addr.arpa

  • 8.8.8.8:53
    0.159.190.20.in-addr.arpa
    dns
    71 B
    157 B
    1
    1

    DNS Request

    0.159.190.20.in-addr.arpa

  • 8.8.8.8:53
    149.220.183.52.in-addr.arpa
    dns
    73 B
    147 B
    1
    1

    DNS Request

    149.220.183.52.in-addr.arpa

  • 8.8.8.8:53
    58.55.71.13.in-addr.arpa
    dns
    70 B
    144 B
    1
    1

    DNS Request

    58.55.71.13.in-addr.arpa

  • 8.8.8.8:53
    200.163.202.172.in-addr.arpa
    dns
    296 B
    160 B
    4
    1

    DNS Request

    200.163.202.172.in-addr.arpa

    DNS Request

    200.163.202.172.in-addr.arpa

    DNS Request

    200.163.202.172.in-addr.arpa

    DNS Request

    200.163.202.172.in-addr.arpa

  • 8.8.8.8:53
    206.23.85.13.in-addr.arpa
    dns
    71 B
    145 B
    1
    1

    DNS Request

    206.23.85.13.in-addr.arpa

  • 8.8.8.8:53
    73.190.18.2.in-addr.arpa
    dns
    70 B
    133 B
    1
    1

    DNS Request

    73.190.18.2.in-addr.arpa

  • 8.8.8.8:53
    22.236.111.52.in-addr.arpa
    dns
    72 B
    158 B
    1
    1

    DNS Request

    22.236.111.52.in-addr.arpa

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\temp_file_rhjRS.exe

    Filesize

    373KB

    MD5

    fecddc53aa8d346ffcd2152f87b39662

    SHA1

    ea706c10d4aab32962cbe6e0b4477456c357ad8a

    SHA256

    d6057ee110b35abbbb7c1869ed8965b3f82d63824c5de79509a737f4a456e212

    SHA512

    f6b1e984bd17c2176ce9b66ba50650a07940a36a40ff6bd27053fa6b07c16d7788feb857a48c7645df1d89d7f85851dea80fdf2fc7fc8374d9473ea9b68faa8f

  • memory/3244-14-0x0000000000400000-0x000000000055A000-memory.dmp

    Filesize

    1.4MB

  • memory/3244-18-0x0000000000400000-0x000000000055A000-memory.dmp

    Filesize

    1.4MB

  • memory/3244-20-0x0000000000400000-0x000000000055A000-memory.dmp

    Filesize

    1.4MB

  • memory/3244-21-0x0000000000400000-0x000000000055A000-memory.dmp

    Filesize

    1.4MB

  • memory/3624-11-0x0000000074FBE000-0x0000000074FBF000-memory.dmp

    Filesize

    4KB

  • memory/3624-12-0x0000000000030000-0x0000000000094000-memory.dmp

    Filesize

    400KB

  • memory/3624-13-0x0000000074FB0000-0x0000000075760000-memory.dmp

    Filesize

    7.7MB

  • memory/3624-17-0x0000000074FB0000-0x0000000075760000-memory.dmp

    Filesize

    7.7MB
