Analysis
- max time kernel: 150s
- max time network: 134s
- platform: windows7_x64
- resource: win7v20201028
- submitted: 12-01-2021 14:13
Static task: static1

Behavioral task: behavioral1
- Sample: iv.exe
- Resource: win7v20201028
- Platform: windows7_x64
- 0 signatures
- 0 seconds

Behavioral task: behavioral2
- Sample: iv.exe
- Resource: win10v20201028
- Platform: windows10_x64
- 0 signatures
- 0 seconds
General
- Target: iv.exe
- Size: 1.5MB
- MD5: 0adb632989ec9dcdcde9f532288cbe3d
- SHA1: acdac4bd2b7f53f1a598e8847f2a61be68664d2d
- SHA256: e5afa3d0aadbf3c559d41ae3b354e4258230de01d6514de7fd3133c1f3b6306c
- SHA512: a309898d7df1f037d11c2937b9fe498d0c9a9cecbf3150b36ac2f1ac8ac98d3c71253762b38a7d8ecd0843a55f3672df277e7323b08a18fd1d84a8dec1ee43a1
- Score: 10/10
Malware Config
Extracted
- Family: warzonerat
- C2: 95.217.251.120:5200
Signatures

- WarzoneRat, AveMaria
  WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.

- Drops startup file (2 IoCs)
  Processes: iv.exe
  description | ioc | process
  - File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\programs.bat | iv.exe
  - File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\programs.bat:start | iv.exe

- NTFS ADS (2 IoCs)
  Processes: iv.exe
  description | ioc | process
  - File created | C:\ProgramData:ApplicationData | iv.exe
  - File opened for modification | C:\ProgramData:ApplicationData | iv.exe

- Suspicious behavior: EnumeratesProcesses (1 IoC)
  Processes: iv.exe
  pid | process
  - 1080 | iv.exe

- Suspicious use of WriteProcessMemory (8 IoCs)
  Processes: iv.exe
  description | pid | process | target process
  - PID 1080 wrote to memory of 1256 | 1080 | iv.exe | Explorer.EXE (2 entries)
  - PID 1080 wrote to memory of 1632 | 1080 | iv.exe | cmd.exe (6 entries)
Processes
- C:\Windows\Explorer.EXE (command line: "C:\Windows\Explorer.EXE", PID: 1256)
  - C:\Users\Admin\AppData\Local\Temp\iv.exe (command line: "C:\Users\Admin\AppData\Local\Temp\iv.exe", PID: 1080)
    - Drops startup file
    - NTFS ADS
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\cmd.exe (command line: "C:\Windows\System32\cmd.exe", PID: 1632)