Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    110s
  • max time network
    118s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    16/01/2025, 10:36

General

  • Target

    307b193d8ff010848bd38e4f964b82581222e52eb64c0fe03d6fb76446c93467N.exe

  • Size

    152KB

  • MD5

    5d465c4a51b42b6608be8ba53a9715e0

  • SHA1

    c2f2099687ed894f0d4419633a6dc86cfffc9da3

  • SHA256

    307b193d8ff010848bd38e4f964b82581222e52eb64c0fe03d6fb76446c93467

  • SHA512

    66383829110fe6f21657f631869fdd947af3561883a6726a210947d54914edd3f5c72baf0a952ef27e208c46b3af62cdc6a5bafe3de27fb0eb03c2faed76b536

  • SSDEEP

    3072:4NLOpnhTdOw9YAJOzIY9gVl01T2ENipdDg0z5:4NLYdT97JSIFl0QENqF

Malware Config

Extracted

Family

warzonerat

C2

daddy.linkpc.net:1145

Signatures

  • WarzoneRat, AveMaria

    WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.

  • Warzonerat family
  • Warzone RAT payload 1 IoCs
  • Executes dropped EXE 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\307b193d8ff010848bd38e4f964b82581222e52eb64c0fe03d6fb76446c93467N.exe
    "C:\Users\Admin\AppData\Local\Temp\307b193d8ff010848bd38e4f964b82581222e52eb64c0fe03d6fb76446c93467N.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:672
    • C:\ProgramData\images.exe
      "C:\ProgramData\images.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:408
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe"
        3⤵
        • System Location Discovery: System Language Discovery
        PID:3912

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\ProgramData\images.exe

    Filesize

    152KB

    MD5

    5d465c4a51b42b6608be8ba53a9715e0

    SHA1

    c2f2099687ed894f0d4419633a6dc86cfffc9da3

    SHA256

    307b193d8ff010848bd38e4f964b82581222e52eb64c0fe03d6fb76446c93467

    SHA512

    66383829110fe6f21657f631869fdd947af3561883a6726a210947d54914edd3f5c72baf0a952ef27e208c46b3af62cdc6a5bafe3de27fb0eb03c2faed76b536

  • memory/3912-4-0x00000000009F0000-0x00000000009F1000-memory.dmp

    Filesize

    4KB

  • memory/3912-6-0x00007FFFC1010000-0x00007FFFC1205000-memory.dmp

    Filesize

    2.0MB