Analysis
max time kernel: 136s
max time network: 138s
platform: windows7_x64
resource: win7v20210410
submitted: 19-04-2021 17:24
Static task: static1
Behavioral task: behavioral1
  Sample: 6fad4976da2bd04abe815d5d70abcb59.exe
  Resource: win7v20210410
Behavioral task: behavioral2
  Sample: 6fad4976da2bd04abe815d5d70abcb59.exe
  Resource: win10v20210410
General
Target: 6fad4976da2bd04abe815d5d70abcb59.exe
Size: 328KB
MD5: 6fad4976da2bd04abe815d5d70abcb59
SHA1: efd9f13ce017f7da924f24c6a101c8e79a2cc01c
SHA256: b63510ef1f908a56031aa259b42890edd4fea137cbfcc32cd3855b6f77e4a31f
SHA512: e1eba88f62771fdeeac6f7e6b0cbd63ec72bbe294290ccb42bf5ef52d362f1d879ef757e3e95265295101410d51f6c466ec2e213e824d901d3374e9f5d1de430
Malware Config
Extracted config (warzonerat): cbngroup.duckdns.org:38050
Signatures

WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.

Warzone RAT Payload (1 IoC)
  resource: behavioral1/memory/608-65-0x0000000000400000-0x0000000000554000-memory.dmp
  yara_rule: warzonerat

Loads dropped DLL (1 IoC)
  Process: 6fad4976da2bd04abe815d5d70abcb59.exe
  pid: 1268  process: 6fad4976da2bd04abe815d5d70abcb59.exe

Suspicious use of SetThreadContext (1 IoC)
  Process: 6fad4976da2bd04abe815d5d70abcb59.exe
  description: PID 1268 set thread context of 608
  pid: 1268  process: 6fad4976da2bd04abe815d5d70abcb59.exe  target process: 6fad4976da2bd04abe815d5d70abcb59.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Suspicious behavior: MapViewOfSection (1 IoC)
  Process: 6fad4976da2bd04abe815d5d70abcb59.exe
  pid: 1268  process: 6fad4976da2bd04abe815d5d70abcb59.exe

Suspicious use of WriteProcessMemory (5 IoCs)
  Process: 6fad4976da2bd04abe815d5d70abcb59.exe
  description: PID 1268 wrote to memory of 608 (recorded 5 times)
  pid: 1268  process: 6fad4976da2bd04abe815d5d70abcb59.exe  target process: 6fad4976da2bd04abe815d5d70abcb59.exe
Processes
1. C:\Users\Admin\AppData\Local\Temp\6fad4976da2bd04abe815d5d70abcb59.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\6fad4976da2bd04abe815d5d70abcb59.exe"
   - Loads dropped DLL
   - Suspicious use of SetThreadContext
   - Suspicious behavior: MapViewOfSection
   - Suspicious use of WriteProcessMemory
   2. (child) C:\Users\Admin\AppData\Local\Temp\6fad4976da2bd04abe815d5d70abcb59.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\6fad4976da2bd04abe815d5d70abcb59.exe"
Downloads
\Users\Admin\AppData\Local\Temp\nscF9FA.tmp\pr91qdefohr4.dll
  MD5: 2793a1683214a938db61cde98d8e28d6
  SHA1: 8b6c9a97d715e0547eeb3c18879c6245fbb2de94
  SHA256: f179ff7bbd354c6f934f45281198702cf3e896bc5848766445169685ea3aff33
  SHA512: 6fd635932a0d6e9c647ca63b272990b4fc62b5778598b1518ec734747708ab625f64d84f4361b765ceac21973a548ea13b962f49fbe95421cbfdf74b7ef29b14
memory/608-63-0x0000000000405CE2-mapping.dmp
memory/608-65-0x0000000000400000-0x0000000000554000-memory.dmp
  Filesize: 1.3MB
memory/1268-59-0x0000000075591000-0x0000000075593000-memory.dmp
  Filesize: 8KB
memory/1268-61-0x0000000002480000-0x00000000030CA000-memory.dmp
  Filesize: 12.3MB