Analysis

  • max time kernel: 569s
  • max time network: 485s
  • platform: windows11-21h2_x64
  • resource: win11-20241007-en
  • resource tags: arch:x64, arch:x86, image:win11-20241007-en, locale:en-us, os:windows11-21h2-x64, system
  • submitted: 27/01/2025, 23:52

General

  • Target: WARZONE RAT 3.03/WARZONE RAT 3.03 Cracked.exe
  • Size: 7.5MB
  • MD5: 03977a4fc47100f00650d65b1088f391
  • SHA1: 2517557e6bdb3e2268143f4690a4cc44426ac481
  • SHA256: 2325745d8b078385be3a995640b2cee98e85c8ac1c111fde5fcb1c257d9efe7d
  • SHA512: 2ad09d2e14ea3f83a950b76444b49d49b53a5735f1256f6c59f97bf380bd89e59f97f157ba7a75416e154e9142e33a609eb10c4c5f59963487d4d2ec6adb4a3c
  • SSDEEP: 196608:fWjyOLFVG2tUpi7tPRopU2Pa3uAdvCgoYEttoTBoWY/:fR6FVJUpi7tJoDAdvbEttoev/

Malware Config

Extracted

  • Family: warzonerat
  • C2: 127.0.0.1:5200

127.0.0.1 is the loopback address, so the extracted configuration does not identify a remote C2 server and is not usable as a network indicator; a loopback C2 is consistent with a builder or test build rather than a deployed implant.

Signatures

  • WarzoneRat, AveMaria

    WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.

  • Warzonerat family
  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
  • Warzone RAT payload 1 IoCs
  • Checks BIOS information in registry 2 TTPs 2 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Executes dropped EXE 1 IoCs
  • Themida packer 6 IoCs

    Detects Themida, an advanced Windows software protection system.

  • Checks whether UAC is enabled 1 TTPs 1 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
  • Browser Information Discovery 1 TTPs

    Enumerate browser information.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies registry class 56 IoCs
  • Suspicious behavior: EnumeratesProcesses 8 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 8 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of FindShellTrayWindow 26 IoCs
  • Suspicious use of SendNotifyMessage 12 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
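
The anti-VM, BIOS and UAC signatures above all fire on registry reads by PID 2932. The following is an added example, not code from the Triage report or from the sample, showing how a triage script can turn a process's registry-read trace into the same kind of verdict: one fingerprinting read is normal (browsers do it too), several distinct categories from one process is the evasion pattern. The report does not list the exact keys the sample read, so the registry paths below are assumptions drawn from common hypervisor and sandbox checks, and the trace events are constructed in the shape a sandbox API hook logs them, not the report's own trace.

```python
import re
from collections import defaultdict

# Added example, not code from the Triage report or from the sample. The report
# only names the signature categories that fired for PID 2932; the registry
# paths below are assumptions drawn from common hypervisor and sandbox checks,
# not values taken from the page.
ANTI_ANALYSIS_RULES = {
    # VirtualBox publishes its OEM ID as "VBOX__" in the ACPI tables.
    "vbox_acpi": re.compile(r"^HKLM\\HARDWARE\\ACPI\\(DSDT|FADT|RSDT)\\VBOX__", re.I),
    # Firmware strings that sandboxes and hypervisors often leave at defaults.
    "bios_info": re.compile(
        r"^HKLM\\HARDWARE\\DESCRIPTION\\System\\(SystemBiosVersion|VideoBiosVersion|SystemBiosDate)$", re.I),
    # EnableLUA == 0 means UAC is off; malware reads it to choose an elevation path.
    "uac_enabled": re.compile(
        r"^HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\EnableLUA$", re.I),
    # Generic OS fingerprinting; browsers do this too, so it scores low on its own.
    "system_info": re.compile(
        r"^HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\(ProductName|CurrentBuild|InstallDate)$", re.I),
}

# Only reads count: a RegSetValueEx on the same path is a different behaviour.
REGISTRY_READ_APIS = {"RegOpenKeyExW", "RegOpenKeyExA", "RegQueryValueExW", "RegQueryValueExA", "NtQueryValueKey"}


def classify_event(event):
    """Return the rule name a registry-read event matches, or None."""
    if event.get("api") not in REGISTRY_READ_APIS:
        return None
    for name, pattern in ANTI_ANALYSIS_RULES.items():
        if pattern.search(event.get("path", "")):
            return name
    return None


def score_processes(events):
    """Collect the distinct rule names each PID triggered."""
    hits = defaultdict(set)
    for event in events:
        name = classify_event(event)
        if name is not None:
            hits[event["pid"]].add(name)
    return {pid: sorted(names) for pid, names in hits.items()}


def verdict(rules_hit, threshold=2):
    """One fingerprinting read is normal; several distinct categories from one
    process, as on PID 2932 in the report, is the anti-VM pattern."""
    return "likely anti-VM/anti-sandbox" if len(rules_hit) >= threshold else "benign/insufficient"


def triage(events):
    """Per-PID rules and verdict, the form a triage script would emit."""
    return {pid: {"rules": rules, "verdict": verdict(rules)}
            for pid, rules in score_processes(events).items()}


# Constructed API-trace events in the shape a sandbox hook logs them; these are
# not the report's own trace. PID 2932 mimics the sample, PID 4484 the browser.
SAMPLE_EVENTS = [
    {"pid": 2932, "api": "RegOpenKeyExW", "path": r"HKLM\HARDWARE\ACPI\DSDT\VBOX__"},
    {"pid": 2932, "api": "RegQueryValueExW", "path": r"HKLM\HARDWARE\DESCRIPTION\System\SystemBiosVersion"},
    {"pid": 2932, "api": "RegQueryValueExW", "path": r"HKLM\HARDWARE\DESCRIPTION\System\VideoBiosVersion"},
    {"pid": 2932, "api": "RegQueryValueExW", "path": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA"},
    {"pid": 4484, "api": "RegQueryValueExW", "path": r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProductName"},
    {"pid": 4484, "api": "RegSetValueExW", "path": r"HKCU\Software\Classes\msedge\shell\open\command"},
]

if __name__ == "__main__":
    for pid, info in sorted(triage(SAMPLE_EVENTS).items()):
        print(pid, info["verdict"], ", ".join(info["rules"]))
```

The threshold of two categories is a judgement call: a single read of ProductName or EnableLUA is routine for installers and browsers, which is why the Edge process in the constructed trace stays below it while the sample-like process, which hits the ACPI, BIOS and UAC rules together, is flagged.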

Processes

  • C:\Users\Admin\AppData\Local\Temp\WARZONE RAT 3.03\WARZONE RAT 3.03 Cracked.exe
    "C:\Users\Admin\AppData\Local\Temp\WARZONE RAT 3.03\WARZONE RAT 3.03 Cracked.exe"
    1⤵
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Checks BIOS information in registry
    • Checks whether UAC is enabled
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • System Location Discovery: System Language Discovery
    • Modifies registry class
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2932
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://warzone.ws/customer/index.php?rp=/knowledgebase
      2⤵
      • Enumerates system info in registry
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of WriteProcessMemory
      PID:4484
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7fff96bc3cb8,0x7fff96bc3cc8,0x7fff96bc3cd8
        3⤵
        PID:3208
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1732,15629616590600615537,14756050813849241249,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1916 /prefetch:2
        3⤵
        PID:752
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1732,15629616590600615537,14756050813849241249,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2232 /prefetch:3
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        PID:2964
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1732,15629616590600615537,14756050813849241249,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2668 /prefetch:8
        3⤵
        PID:2732
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1732,15629616590600615537,14756050813849241249,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3216 /prefetch:1
        3⤵
        PID:3964
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1732,15629616590600615537,14756050813849241249,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3236 /prefetch:1
        3⤵
        PID:4088
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1732,15629616590600615537,14756050813849241249,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6072 /prefetch:1
        3⤵
        PID:3520
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1732,15629616590600615537,14756050813849241249,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5944 /prefetch:1
        3⤵
        PID:2908
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1732,15629616590600615537,14756050813849241249,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3504 /prefetch:1
        3⤵
        PID:232
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1732,15629616590600615537,14756050813849241249,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6100 /prefetch:1
        3⤵
        PID:2864
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1732,15629616590600615537,14756050813849241249,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5880 /prefetch:1
        3⤵
        PID:2300
      • C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1732,15629616590600615537,14756050813849241249,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5456 /prefetch:8
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        PID:1340
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1732,15629616590600615537,14756050813849241249,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4980 /prefetch:8
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        PID:2024
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1732,15629616590600615537,14756050813849241249,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3888 /prefetch:1
        3⤵
        PID:4232
  • C:\Windows\System32\CompPkgSrv.exe
    C:\Windows\System32\CompPkgSrv.exe -Embedding
    1⤵
    PID:1540
  • C:\Windows\System32\CompPkgSrv.exe
    C:\Windows\System32\CompPkgSrv.exe -Embedding
    1⤵
    PID:2696
  • C:\Users\Admin\Desktop\nw.exe
    "C:\Users\Admin\Desktop\nw.exe"
    1⤵
    • Executes dropped EXE
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    PID:4912
  • C:\Windows\system32\AUDIODG.EXE
    C:\Windows\system32\AUDIODG.EXE 0x00000000000004D0 0x00000000000004C8
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:2456

The msedge.exe subtree under PID 4484 is the Edge browser that the sample launched to open https://warzone.ws/customer/index.php?rp=/knowledgebase; the EnumeratesProcesses, NtCreateUserProcessBlockNonMicrosoftBinary, FindShellTrayWindow and SendNotifyMessage signatures attributed to those PIDs are ordinary Chromium multi-process behaviour, not RAT functionality. The sample-attributable behaviour is on PID 2932 (anti-VM and BIOS registry checks, UAC check, NtSetInformationThreadHideFromDebugger, WriteProcessMemory) and on the dropped C:\Users\Admin\Desktop\nw.exe (PID 4912).

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
    Filesize: 152B
    MD5: c03d23a8155753f5a936bd7195e475bc
    SHA1: cdf47f410a3ec000e84be83a3216b54331679d63
    SHA256: 6f5f7996d9b0e131dc2fec84859b7a8597c11a67dd41bdb5a5ef21a46e1ae0ca
    SHA512: 6ea9a631b454d7e795ec6161e08dbe388699012dbbc9c8cfdf73175a0ecd51204d45cf28a6f1706c8d5f1780666d95e46e4bc27752da9a9d289304f1d97c2f41

  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
    Filesize: 152B
    MD5: 3d68c7edc2a288ee58e6629398bb9f7c
    SHA1: 6c1909dea9321c55cae38b8f16bd9d67822e2e51
    SHA256: dfd733ed3cf4fb59f2041f82fdf676973783ffa75b9acca095609c7d4f73587b
    SHA512: 0eda66a07ec4cdb46b0f27d6c8cc157415d803af610b7430adac19547e121f380b9c6a2840f90fe49eaea9b48fa16079d93833c2bcf4b85e3c401d90d464ad2f

  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
    Filesize: 5KB
    MD5: 564c64b1a75749db42fb4538f470954c
    SHA1: 785965c44a71225c6539bb7900a2cf8fca843897
    SHA256: 80bfbe691bf240b57a34619ac85412136021433bf34e690e071758c3ec066a69
    SHA512: ad942e084246bf8564609b4e4d016c111c05e6ad1a26754997af1defd344c1213af23d2a3a24e208c8b56fa6f53911355439960c92b6acd54fe050784e1c0934

  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
    Filesize: 5KB
    MD5: 6c66ff6cdd156e9a9f3724ede788badd
    SHA1: c2ac9e32646095fa35c1b0cbaa683b9fb0c137e9
    SHA256: 098400cadf197283922a3e30043d4ba4323793a023863c2bfbd1f862213b0e3e
    SHA512: 44e673b8f678a2e7a5fe2c544d5fd9f865d68f91577583fc1cd0767e7f0c488e518f2d2d3db166ae0ed3c504919a482a260ca90e213df65d2322cf86dbc8a1f5

  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
    Filesize: 5KB
    MD5: a03b30022c5983aa577695e6d5e7942e
    SHA1: 497ecd06fb4e38744bf6c66d9bfa4425c3b18498
    SHA256: b7baf615a58f854409f0cd077ff3ee6df7bd61d2fc2f15726c91f03120c7291c
    SHA512: 1460a0292c42db39f6645ec5c3a4d5cdc463b6dac4dd247d3cf8623f165e44545a88143207b625737c084cdc79ba8743fb21abbb95f90271a70531ac2ab435a6

  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
    Filesize: 16B
    MD5: 6752a1d65b201c13b62ea44016eb221f
    SHA1: 58ecf154d01a62233ed7fb494ace3c3d4ffce08b
    SHA256: 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
    SHA512: 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
    Filesize: 11KB
    MD5: 3af2b830034fb2b2ec1333f9b9cb3619
    SHA1: ad12bac3e748f036e456d2f1e2f4b2c4696ac1ae
    SHA256: 26335ae2d115092771ac5702f54c8857847d0eb7e2d2587f9abd94a7b5c066e3
    SHA512: 55eeb0d7de2bd9291f27da803ece8a07ef3f5ac0066dc5184939127b9157ee6042a9556e126d773eccc577f77d706e9b7a9b821dacda124a3b91fc2888265270

  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
    Filesize: 10KB
    MD5: f6a6c6876867555e83a97303293e4131
    SHA1: 78faaf598718cbf5e3207955a240d91506e2f8f6
    SHA256: d86c8acef996b6e07ff291e5912c98e877669a87cdc45ecce9acbb9b052ff08e
    SHA512: 1cc213d09ddb17aac5fe0ae0ce560d770680e1f6090416b35aaa4162bfaa79da372e8cd85e074b05e53c450e98fd8057e651ab33bf7a903626e8e4b07d513419

  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\ShaderCache\GPUCache\data_1
    Filesize: 264KB
    MD5: e51b84e6a6ee8596711a443dda503231
    SHA1: 4d4bf48b6fde32d659d053c5235064d1de831443
    SHA256: 0ecd6b9ead98ad92fe01ddc5861c9fb0d7bb4fa3d592656e8c73442056cee1a2
    SHA512: 542d582d4fe8c50859728f0d9254cd15248f0410de4630ea5ce27ddaa7f7a90b4be1b11ad255decabb7f72b481b97a88aabc6806fa9f1f2bdc7e3dda22d3d77d

  • C:\Users\Admin\Desktop\nw.exe
    Filesize: 132KB
    MD5: ca86a4d23a64433903b220ce55ca107f
    SHA1: 82be3b2ae402688f79bb06c16e1216836f966409
    SHA256: 59343067bb73616915ed1f4032445bda532972d665065fab90e905bcf50a3877
    SHA512: 3aabb6f4392a208b60e9e86874c44287e3fcdcead68292824fcce42e083e2abdd6edbf9d1ef2157cd2630ab1f0496bba23a540c3f6289288ebe3ed34d82e671a

  • memory/2932-13-0x0000000073870000-0x0000000074021000-memory.dmp
    Filesize: 7.7MB

  • memory/2932-15-0x0000000073870000-0x0000000074021000-memory.dmp
    Filesize: 7.7MB

  • memory/2932-18-0x0000000073870000-0x0000000074021000-memory.dmp
    Filesize: 7.7MB

  • memory/2932-19-0x0000000073870000-0x0000000074021000-memory.dmp
    Filesize: 7.7MB

  • memory/2932-20-0x0000000007B90000-0x0000000007BF6000-memory.dmp
    Filesize: 408KB

  • memory/2932-21-0x0000000007DA0000-0x0000000007DAA000-memory.dmp
    Filesize: 40KB

  • memory/2932-22-0x0000000000400000-0x0000000001411000-memory.dmp
    Filesize: 16.1MB

  • memory/2932-23-0x000000007387E000-0x000000007387F000-memory.dmp
    Filesize: 4KB

  • memory/2932-24-0x0000000073870000-0x0000000074021000-memory.dmp
    Filesize: 7.7MB

  • memory/2932-28-0x0000000073870000-0x0000000074021000-memory.dmp
    Filesize: 7.7MB

  • memory/2932-30-0x0000000073870000-0x0000000074021000-memory.dmp
    Filesize: 7.7MB

  • memory/2932-17-0x0000000007AD0000-0x0000000007B62000-memory.dmp
    Filesize: 584KB

  • memory/2932-16-0x00000000073E0000-0x0000000007986000-memory.dmp
    Filesize: 5.6MB

  • memory/2932-14-0x0000000005DE0000-0x0000000005EDE000-memory.dmp
    Filesize: 1016KB

  • memory/2932-0-0x0000000000400000-0x0000000001411000-memory.dmp
    Filesize: 16.1MB

  • memory/2932-12-0x0000000006920000-0x00000000072E0000-memory.dmp
    Filesize: 9.8MB

  • memory/2932-11-0x000000007387E000-0x000000007387F000-memory.dmp
    Filesize: 4KB

  • memory/2932-5-0x0000000000400000-0x0000000001411000-memory.dmp
    Filesize: 16.1MB

  • memory/2932-4-0x0000000000400000-0x0000000001411000-memory.dmp
    Filesize: 16.1MB

  • memory/2932-2-0x0000000000400000-0x0000000001411000-memory.dmp
    Filesize: 16.1MB

  • memory/2932-3-0x0000000000400000-0x0000000001411000-memory.dmp
    Filesize: 16.1MB

  • memory/2932-1-0x00000000771F6000-0x00000000771F8000-memory.dmp
    Filesize: 8KB
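
The memory dump names above encode the PID, a sequence number and the dumped address range, and the same range is listed many times because Triage re-dumps a region each time its contents change. The following is an added example, not code from Triage, that parses those names, verifies the listed sizes from the address arithmetic, and groups the 22 dumps into their 10 distinct regions, which makes the picture readable: the range at 0x400000 (16.1MB, dumped six times) is the image base of the packed executable, the 7.7MB range at 0x73870000 is a module re-dumped seven times, and the rest are heap or stack allocations. That the addresses all sit below 4 GB suggests a 32-bit process running under WOW64 on the x64 image; the report does not state the bitness, so treat that as an inference. The dump names in the block are copied from this report; the parser and the grouping are mine.

```python
import re

# Added example, not Triage code. Parses the dump names exactly as this report
# prints them: memory/<pid>-<seq>-0x<start>-0x<end>-memory.dmp
DUMP_NAME = re.compile(
    r"^memory/(?P<pid>\d+)-(?P<seq>\d+)-0x(?P<start>[0-9a-fA-F]+)-0x(?P<end>[0-9a-fA-F]+)-memory\.dmp$"
)


def parse_dump_name(name):
    """Split a dump name into pid, seq, start, end and size in bytes."""
    m = DUMP_NAME.match(name)
    if m is None:
        raise ValueError(f"not a Triage memory dump name: {name!r}")
    start, end = int(m["start"], 16), int(m["end"], 16)
    if end <= start:
        raise ValueError(f"empty or inverted range in {name!r}")
    return {"pid": int(m["pid"]), "seq": int(m["seq"]), "start": start, "end": end, "size": end - start}


def human_size(n):
    """Reproduce the report's rounding: whole KB below 1 MiB, one decimal MB above."""
    if n < 1 << 20:
        return f"{n // 1024}KB"
    return f"{n / (1 << 20):.1f}MB"


def summarize_regions(names):
    """Group dumps by (start, end); result is ordered by the first sequence number
    at which each region was dumped, so the first entry is the region captured
    at process start."""
    regions = {}
    for name in names:
        d = parse_dump_name(name)
        key = (d["start"], d["end"])
        entry = regions.setdefault(
            key, {"pid": d["pid"], "size": d["size"], "human": human_size(d["size"]), "seqs": []})
        entry["seqs"].append(d["seq"])
    for entry in regions.values():
        entry["seqs"].sort()
    return dict(sorted(regions.items(), key=lambda kv: kv[1]["seqs"][0]))


def largest_region(names):
    """The range with the most bytes; here the packed main image at 0x400000."""
    return max(summarize_regions(names).items(), key=lambda kv: kv[1]["size"])[0]


# The 22 dump names listed in the report for PID 2932 (copied, not constructed).
REPORT_DUMPS = [
    "memory/2932-13-0x0000000073870000-0x0000000074021000-memory.dmp",
    "memory/2932-15-0x0000000073870000-0x0000000074021000-memory.dmp",
    "memory/2932-18-0x0000000073870000-0x0000000074021000-memory.dmp",
    "memory/2932-19-0x0000000073870000-0x0000000074021000-memory.dmp",
    "memory/2932-20-0x0000000007B90000-0x0000000007BF6000-memory.dmp",
    "memory/2932-21-0x0000000007DA0000-0x0000000007DAA000-memory.dmp",
    "memory/2932-22-0x0000000000400000-0x0000000001411000-memory.dmp",
    "memory/2932-23-0x000000007387E000-0x000000007387F000-memory.dmp",
    "memory/2932-24-0x0000000073870000-0x0000000074021000-memory.dmp",
    "memory/2932-28-0x0000000073870000-0x0000000074021000-memory.dmp",
    "memory/2932-30-0x0000000073870000-0x0000000074021000-memory.dmp",
    "memory/2932-17-0x0000000007AD0000-0x0000000007B62000-memory.dmp",
    "memory/2932-16-0x00000000073E0000-0x0000000007986000-memory.dmp",
    "memory/2932-14-0x0000000005DE0000-0x0000000005EDE000-memory.dmp",
    "memory/2932-0-0x0000000000400000-0x0000000001411000-memory.dmp",
    "memory/2932-12-0x0000000006920000-0x00000000072E0000-memory.dmp",
    "memory/2932-11-0x000000007387E000-0x000000007387F000-memory.dmp",
    "memory/2932-5-0x0000000000400000-0x0000000001411000-memory.dmp",
    "memory/2932-4-0x0000000000400000-0x0000000001411000-memory.dmp",
    "memory/2932-2-0x0000000000400000-0x0000000001411000-memory.dmp",
    "memory/2932-3-0x0000000000400000-0x0000000001411000-memory.dmp",
    "memory/2932-1-0x00000000771F6000-0x00000000771F8000-memory.dmp",
]

if __name__ == "__main__":
    for (start, end), info in summarize_regions(REPORT_DUMPS).items():
        print(f"{start:#010x}-{end:#010x} {info['human']:>7} dumped {len(info['seqs'])}x at seqs {info['seqs']}")
```

When unpacking a Themida-protected sample from a sandbox run, the useful dump of the main image is usually the latest one of the 0x400000 region (seq 22 here), taken after the protector has finished decrypting; the earlier dumps of the same range (seqs 0 to 5) still hold mostly packed bytes.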