Analysis
max time kernel: 150s
max time network: 144s
platform: windows10_x64
resource: win10v20210410
submitted: 07-05-2021 11:58
Static task: static1
Behavioral task: behavioral1 (Sample: crat.exe; Resource: win7v20210408)
Behavioral task: behavioral2 (Sample: crat.exe; Resource: win10v20210410)
General
Target: crat.exe
Size: 526KB
MD5: 51f96dfcb6d8ea6422b9bba50ccd31ac
SHA1: 698657bce5870929f55ffd6a8d10e2a4a5be90ae
SHA256: f9ca14fcdffeb48b11ea026812ac0a7dc941f27e0c1384dc8e9b83b18de4c2a7
SHA512: ecee48b1e55e099c52d4b8e73544260d03f1c749321ff13150068dcebd1a575a93fbc7c5f7ad1a0ab1bffdb566a36757f9810df332110621ed3d5d600641bc18
Malware Config
Extracted: warzonerat
149.28.124.150:5200
Signatures

WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.

Executes dropped EXE (3 IoCs)
Processes:
  pid   process
  2328  test.exe
  3984  ph88AcgfPIO.exe
  1536  images.exe

Loads dropped DLL (1 IoC)
Processes:
  pid   process
  2328  test.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Suspicious behavior: EnumeratesProcesses (64 IoCs)
Processes:
  pid   process
  3984  ph88AcgfPIO.exe (x2)
  1536  images.exe (x62)

Suspicious use of WriteProcessMemory (16 IoCs)
Processes:
  description                         pid   process          target process
  PID 3968 wrote to memory of 2328    3968  crat.exe         test.exe (x2)
  PID 2328 wrote to memory of 3984    2328  test.exe         ph88AcgfPIO.exe (x3)
  PID 3984 wrote to memory of 2504    3984  ph88AcgfPIO.exe  Explorer.EXE (x2)
  PID 3984 wrote to memory of 3400    3984  ph88AcgfPIO.exe  cmd.exe (x3)
  PID 3984 wrote to memory of 1536    3984  ph88AcgfPIO.exe  images.exe (x3)
  PID 3400 wrote to memory of 3564    3400  cmd.exe          reg.exe (x3)
Processes

1  C:\Windows\Explorer.EXE
   command line: C:\Windows\Explorer.EXE
   2  C:\Users\Admin\AppData\Local\Temp\crat.exe
      command line: "C:\Users\Admin\AppData\Local\Temp\crat.exe"
      - Suspicious use of WriteProcessMemory
      3  C:\Users\Admin\AppData\Roaming\test.exe
         command line: "C:\Users\Admin\AppData\Roaming\test.exe"
         - Executes dropped EXE
         - Loads dropped DLL
         - Suspicious use of WriteProcessMemory
         4  C:\Users\Admin\Documents\ph88AcgfPIO.exe
            command line: "C:\Users\Admin\Documents\ph88AcgfPIO.exe"
            - Executes dropped EXE
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of WriteProcessMemory
            5  C:\Windows\SysWOW64\cmd.exe
               command line: cmd.exe /c REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /f /v Load /t REG_SZ /d "C:\ProgramData\images.exe"
               - Suspicious use of WriteProcessMemory
               6  C:\Windows\SysWOW64\reg.exe
                  command line: REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /f /v Load /t REG_SZ /d "C:\ProgramData\images.exe"
            5  C:\ProgramData\images.exe
               command line: "C:\ProgramData\images.exe"
               - Executes dropped EXE
               - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

C:\ProgramData\images.exe
  MD5    49e8a6ee9c5dd808767d4753639bb045
  SHA1   63739f2feff8d277d53b9af26df46c77d4088cf6
  SHA256 9cd6c84ba5aee64aca1a0e7d17839c3974b965efd4ab83cc0d1deb336793f590
  SHA512 8dc55930a566f6efcc365f8a8498aaf93ff609aa98acdbbaee3a4f9716d3da322615cc0366ffcf14b81fc6196b7f8cde982c8ba4d2df874d046db3060ab9af06
C:\Users\Admin\AppData\Roaming\test.exe
  MD5    05cb7c989fa115270895dbadf7598a1b
  SHA1   cfa9ac127090cc5826a6e7b6e2b13cceb82ba751
  SHA256 dbdfbca2dcc01a530cd7c449500dc0f6b564c11f9ed9dc8d746709a235d6826f
  SHA512 849c96876d37043a95f828ac3587b2049c0217d826f07724330f6d8d9a613868ff79352da8b74078101796d2ddf62037544db8faa680bf77ebdbd6c034fbdca9
C:\Users\Admin\Documents\ph88AcgfPIO.exe
  MD5    49e8a6ee9c5dd808767d4753639bb045
  SHA1   63739f2feff8d277d53b9af26df46c77d4088cf6
  SHA256 9cd6c84ba5aee64aca1a0e7d17839c3974b965efd4ab83cc0d1deb336793f590
  SHA512 8dc55930a566f6efcc365f8a8498aaf93ff609aa98acdbbaee3a4f9716d3da322615cc0366ffcf14b81fc6196b7f8cde982c8ba4d2df874d046db3060ab9af06
\Users\Admin\AppData\Local\Temp\6372a841-9f92-4355-be7d-f72f94928f4d\test.dll
  MD5    e8641f344213ca05d8b5264b5f4e2dee
  SHA1   96729e31f9b805800b2248fd22a4b53e226c8309
  SHA256 85e82b9e9200e798e8f434459eacee03ed9818cc6c9a513fe083e72d48884e24
  SHA512 3130f32c100ecb97083ad8ac4c67863e9ceed3a9b06fc464d1aeeaec389f74c8bf56f4ce04f6450fd2cc0fa861d085101c433cfa4bec3095f8ebeeb53b739109
memory/1536-128-0x0000000000000000-mapping.dmp
memory/2328-126-0x000000001B0C0000-0x000000001B0C2000-memory.dmp (Filesize 8KB)
memory/2328-116-0x0000000000000000-mapping.dmp
memory/2328-122-0x00007FFF30680000-0x00007FFF307AC000-memory.dmp (Filesize 1.2MB)
memory/2328-119-0x00000000003D0000-0x00000000003D1000-memory.dmp (Filesize 4KB)
memory/3400-127-0x0000000000000000-mapping.dmp
memory/3564-131-0x0000000000000000-mapping.dmp
memory/3984-123-0x0000000000000000-mapping.dmp