Analysis
max time kernel: 110s
max time network: 118s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 16/01/2025, 10:36
Behavioral task: behavioral1
Sample: 307b193d8ff010848bd38e4f964b82581222e52eb64c0fe03d6fb76446c93467N.exe
Resource: win7-20240903-en

Behavioral task: behavioral2
Sample: 307b193d8ff010848bd38e4f964b82581222e52eb64c0fe03d6fb76446c93467N.exe
Resource: win10v2004-20241007-en
General
Target: 307b193d8ff010848bd38e4f964b82581222e52eb64c0fe03d6fb76446c93467N.exe
Size: 152KB
MD5: 5d465c4a51b42b6608be8ba53a9715e0
SHA1: c2f2099687ed894f0d4419633a6dc86cfffc9da3
SHA256: 307b193d8ff010848bd38e4f964b82581222e52eb64c0fe03d6fb76446c93467
SHA512: 66383829110fe6f21657f631869fdd947af3561883a6726a210947d54914edd3f5c72baf0a952ef27e208c46b3af62cdc6a5bafe3de27fb0eb03c2faed76b536
SSDEEP: 3072:4NLOpnhTdOw9YAJOzIY9gVl01T2ENipdDg0z5:4NLYdT97JSIFl0QENqF
Malware Config
Extracted
warzonerat
daddy.linkpc.net:1145
Signatures

WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.

Warzonerat family

Warzone RAT payload (1 IoCs)
resource                                    yara_rule
behavioral2/files/0x0007000000023c88-2.dat  warzonerat

Executes dropped EXE (1 IoCs)
pid  Process
408  images.exe

System Location Discovery: System Language Discovery (1 TTPs, 3 IoCs)
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description  ioc                                                           Process
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  images.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  cmd.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  307b193d8ff010848bd38e4f964b82581222e52eb64c0fe03d6fb76446c93467N.exe

Suspicious use of WriteProcessMemory (8 IoCs)
description                       pid  Process                                                                 procid_target
PID 672 wrote to memory of 408    672  307b193d8ff010848bd38e4f964b82581222e52eb64c0fe03d6fb76446c93467N.exe  83
PID 672 wrote to memory of 408    672  307b193d8ff010848bd38e4f964b82581222e52eb64c0fe03d6fb76446c93467N.exe  83
PID 672 wrote to memory of 408    672  307b193d8ff010848bd38e4f964b82581222e52eb64c0fe03d6fb76446c93467N.exe  83
PID 408 wrote to memory of 3912   408  images.exe                                                              85
PID 408 wrote to memory of 3912   408  images.exe                                                              85
PID 408 wrote to memory of 3912   408  images.exe                                                              85
PID 408 wrote to memory of 3912   408  images.exe                                                              85
PID 408 wrote to memory of 3912   408  images.exe                                                              85
Processes

1. C:\Users\Admin\AppData\Local\Temp\307b193d8ff010848bd38e4f964b82581222e52eb64c0fe03d6fb76446c93467N.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\307b193d8ff010848bd38e4f964b82581222e52eb64c0fe03d6fb76446c93467N.exe"
   PID: 672
   - System Location Discovery: System Language Discovery
   - Suspicious use of WriteProcessMemory

   2. C:\ProgramData\images.exe
      Command line: "C:\ProgramData\images.exe"
      PID: 408
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory

      3. C:\Windows\SysWOW64\cmd.exe
         Command line: "C:\Windows\System32\cmd.exe"
         PID: 3912
         - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 152KB
MD5: 5d465c4a51b42b6608be8ba53a9715e0
SHA1: c2f2099687ed894f0d4419633a6dc86cfffc9da3
SHA256: 307b193d8ff010848bd38e4f964b82581222e52eb64c0fe03d6fb76446c93467
SHA512: 66383829110fe6f21657f631869fdd947af3561883a6726a210947d54914edd3f5c72baf0a952ef27e208c46b3af62cdc6a5bafe3de27fb0eb03c2faed76b536