Analysis
- max time kernel: 13s
- max time network: 150s
- platform: windows10_x64
- resource: win10v20210410
- submitted: 12-04-2021 10:58

Static task: static1
Behavioral task behavioral1: Sample SecuriteInfo.com.Trojan.Packed.24465.17731.23605.exe, Resource win7v20210408
Behavioral task behavioral2: Sample SecuriteInfo.com.Trojan.Packed.24465.17731.23605.exe, Resource win10v20210410
General
- Target: SecuriteInfo.com.Trojan.Packed.24465.17731.23605.exe
- Size: 128KB
- MD5: 5c09522de5f3253871d318ba84094b2e
- SHA1: c783db9c74006be5933fa057f2ff532b60392b94
- SHA256: 872ac5743d339a60af70e0b933a15c4c68f5e40b168c3b5ef444cf280673ee42
- SHA512: e850c6daaa4809a8204c3f5a346a2ba89477048e0458de040f516d8e4506101ff04f43400e6daf8f7d1fa249f92e1bdd79448232d78b254b1845223413dd4f4c
Malware Config
- Extracted family: warzonerat
- C2: 148.251.48.16:5200
Signatures
- WarzoneRat, AveMaria
  WarzoneRat is a native RAT written in C++ with multiple plugins, sold as malware-as-a-service (MaaS).
- Warzone RAT Payload (4 IoCs)
  YARA rule warzonerat matched in the memory of PID 3980 (behavioral2):
  - memory/3980-118-0x0000000000740000-0x0000000000894000-memory.dmp
  - memory/3980-119-0x0000000000745CE2-mapping.dmp
  - memory/3980-121-0x0000000000740000-0x0000000000894000-memory.dmp
  - memory/3980-126-0x0000000000740000-0x0000000000894000-memory.dmp
  The rule fires on a 1.3MB region inside the hollowed process, not on the 128KB file on disk, which is consistent with the submitted executable being a packer/loader that only exposes the Warzone payload once it is unpacked in memory.
- Executes dropped EXE (2 IoCs)
  - PID 2668: COM Register.exe
  - PID 3980: COM Register.exe
- Drops startup file (1 IoC)
  - File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Update.vbs (by SecuriteInfo.com.Trojan.Packed.24465.17731.23605.exe)
- Suspicious use of SetThreadContext (1 IoC)
  - PID 2668 (COM Register.exe) set thread context of PID 3980 (COM Register.exe)
- Suspicious use of WriteProcessMemory (17 IoCs)
  - PID 4084 (SecuriteInfo.com.Trojan.Packed.24465.17731.23605.exe) wrote to memory of PID 2088 (cmd.exe): 3 times
  - PID 2088 (cmd.exe) wrote to memory of PID 2668 (COM Register.exe): 3 times
  - PID 2668 (COM Register.exe) wrote to memory of PID 3980 (COM Register.exe): 11 times
  A few writes from a parent into a child it has just created are what ordinary process creation looks like; the sequence that matters here is the 11 writes from 2668 into a second copy of its own image (3980) followed by SetThreadContext on that copy, which is the RunPE / process-hollowing pattern: create a suspended child, overwrite its image, point the main thread at the new entry point and resume.
Processes
1. C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.Packed.24465.17731.23605.exe (PID 4084)
   command line: "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.Packed.24465.17731.23605.exe"
   - Drops startup file
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\SysWOW64\cmd.exe (PID 2088)
      command line: cmd /c "C:\Users\Admin\AppData\Local\COM Register.exe"
      - Suspicious use of WriteProcessMemory
      3. C:\Users\Admin\AppData\Local\COM Register.exe (PID 2668)
         command line: "C:\Users\Admin\AppData\Local\COM Register.exe"
         - Executes dropped EXE
         - Suspicious use of SetThreadContext
         - Suspicious use of WriteProcessMemory
         4. C:\Users\Admin\AppData\Local\COM Register.exe (PID 3980)
            command line: "C:\Users\Admin\AppData\Local\COM Register.exe"
            - Executes dropped EXE

PIDs are taken from the signature tables above. The cmd.exe launched from SysWOW64 on the x64 resource indicates a 32-bit parent; the sample relaunches itself as "COM Register.exe" through cmd /c, and that copy (2668) then hollows a second instance of itself (3980), which is where the Warzone payload is found.
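The process-hollowing chain and the Startup persistence above are easy to pick out by eye in a four-process tree, but in a longer report you want them pulled out automatically. The script below is an added example, not sandbox tooling or anything from the page; the sample lines are constructed from this report's IoC rows (same PIDs, image names and path), with the 17 WriteProcessMemory rows reproduced by repetition so the per-edge counts match. The row format, function names and the `STARTUP_MARKER` constant are this example's own assumptions.

```python
"""Flag RunPE-style hollowing and Startup-folder persistence in sandbox IoC rows.

Added example: the parser and heuristics are not the sandbox's own logic. The
rows in REPORT_LINES are constructed from the report's signature tables.
"""
import re
from collections import Counter

# Constructed from the report: one line per IoC row, repeats preserved so the
# write counts (3, 3, 11) match the "17 IoCs" table.
REPORT_LINES = (
    "File created C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu"
    "\\Programs\\Startup\\Update.vbs SecuriteInfo.com.Trojan.Packed.24465.17731.23605.exe\n"
    + "PID 4084 wrote to memory of 2088 4084 SecuriteInfo.com.Trojan.Packed.24465.17731.23605.exe cmd.exe\n" * 3
    + "PID 2088 wrote to memory of 2668 2088 cmd.exe COM Register.exe\n" * 3
    + "PID 2668 wrote to memory of 3980 2668 COM Register.exe COM Register.exe\n" * 11
    + "PID 2668 set thread context of 3980 2668 COM Register.exe COM Register.exe\n"
)

# "PID <src> <verb> <dst> <src> <src image> <dst image>". Image names may contain
# spaces ("COM Register.exe"), so the source image is matched non-greedily up to
# its first ".exe" and the target image greedily to end of line.
_API_RE = re.compile(
    r"^PID (?P<src>\d+) (?P<verb>wrote to memory of|set thread context of) "
    r"(?P<dst>\d+) (?P=src) (?P<src_image>.+?\.exe) (?P<dst_image>.+\.exe)$"
)
# "File created <path> <image>": the path may contain spaces, so the image is
# taken as the last whitespace-free token (assumption: no spaces in that column).
_FILE_RE = re.compile(r"^File created (?P<path>.+) (?P<image>\S+)$")

STARTUP_MARKER = "\\Start Menu\\Programs\\Startup\\"  # per-user Startup folder


def parse_events(text):
    """Turn report rows into dicts with kind in {write, set_thread_context, file_created}."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = _API_RE.match(line)
        if m:
            kind = "write" if m["verb"].startswith("wrote") else "set_thread_context"
            events.append({"kind": kind, "src": int(m["src"]), "dst": int(m["dst"]),
                           "src_image": m["src_image"], "dst_image": m["dst_image"]})
            continue
        m = _FILE_RE.match(line)
        if m:
            events.append({"kind": "file_created", "path": m["path"], "image": m["image"]})
    return events


def find_hollowing(events):
    """WriteProcessMemory into a process plus SetThreadContext on the same process is
    the RunPE / process-hollowing sequence. Flag each (src, dst) pair showing both and
    record whether the target is a fresh copy of the injector's own image."""
    writes = Counter((e["src"], e["dst"]) for e in events if e["kind"] == "write")
    findings = []
    for e in events:
        if e["kind"] != "set_thread_context" or writes[(e["src"], e["dst"])] == 0:
            continue
        findings.append({
            "injector": e["src"], "target": e["dst"],
            "writes": writes[(e["src"], e["dst"])], "image": e["dst_image"],
            "self_hollowing": e["src_image"] == e["dst_image"],
        })
    return findings


def injection_chain(events, pid):
    """Walk WriteProcessMemory edges back from pid to the root of the chain."""
    parent_of = {}
    for e in events:
        if e["kind"] == "write":
            parent_of.setdefault(e["dst"], e["src"])
    chain = [pid]
    while chain[-1] in parent_of and parent_of[chain[-1]] not in chain:
        chain.append(parent_of[chain[-1]])
    return list(reversed(chain))


def find_startup_persistence(events):
    """Anything dropped into the Startup folder runs at every interactive logon."""
    return [e["path"] for e in events
            if e["kind"] == "file_created" and STARTUP_MARKER.lower() in e["path"].lower()]


if __name__ == "__main__":
    evs = parse_events(REPORT_LINES)
    for f in find_hollowing(evs):
        print(f"hollowing: {f['injector']} -> {f['target']} ({f['image']}), "
              f"{f['writes']} writes, self-copy={f['self_hollowing']}")
        print("chain:", " -> ".join(map(str, injection_chain(evs, f["target"]))))
    for p in find_startup_persistence(evs):
        print("startup persistence:", p)
```

The three-write edges (4084 to 2088, 2088 to 2668) are deliberately not flagged: without a SetThreadContext on the same target they look like normal child creation, and the heuristic only fires on the 2668 to 3980 pair. For a report from a different sandbox, only the two regular expressions need adjusting.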
Network
MITRE ATT&CK Matrix
Downloads
- C:\Users\Admin\AppData\Local\COM Register.exe (the report lists this file three times with identical hashes; shown once)
  - MD5: 5c09522de5f3253871d318ba84094b2e
  - SHA1: c783db9c74006be5933fa057f2ff532b60392b94
  - SHA256: 872ac5743d339a60af70e0b933a15c4c68f5e40b168c3b5ef444cf280673ee42
  - SHA512: e850c6daaa4809a8204c3f5a346a2ba89477048e0458de040f516d8e4506101ff04f43400e6daf8f7d1fa249f92e1bdd79448232d78b254b1845223413dd4f4c
  These hashes match the submitted sample exactly, so "COM Register.exe" is a byte-for-byte copy of the original executable placed in %LOCALAPPDATA%; a hash-based block on the submitted file covers the dropped copy as well. The Startup\Update.vbs file is not among the captured downloads, so no hash for it is available from this report.
- memory/2088-114-0x0000000000000000-mapping.dmp
- memory/2668-115-0x0000000000000000-mapping.dmp
- memory/3980-118-0x0000000000740000-0x0000000000894000-memory.dmp (1.3MB)
- memory/3980-119-0x0000000000745CE2-mapping.dmp
- memory/3980-121-0x0000000000740000-0x0000000000894000-memory.dmp (1.3MB)
- memory/3980-126-0x0000000000740000-0x0000000000894000-memory.dmp (1.3MB)
  The 0x745CE2 mapping in PID 3980 falls inside the 0x740000-0x894000 region that the warzonerat rule matched, consistent with the thread context set by PID 2668 pointing the hollowed process at an entry point in the injected image.