Analysis

max time kernel: 150s
max time network: 142s
platform: windows10_x64
resource: win10v20210410
submitted: 07-05-2021 11:57

Static task: static1
Behavioral task: behavioral1
  Sample: nope-1.exe
  Resource: win7v20210408
Behavioral task: behavioral2
  Sample: nope-1.exe
  Resource: win10v20210410
General

Target: nope-1.exe
Size: 152KB
MD5: 49e8a6ee9c5dd808767d4753639bb045
SHA1: 63739f2feff8d277d53b9af26df46c77d4088cf6
SHA256: 9cd6c84ba5aee64aca1a0e7d17839c3974b965efd4ab83cc0d1deb336793f590
SHA512: 8dc55930a566f6efcc365f8a8498aaf93ff609aa98acdbbaee3a4f9716d3da322615cc0366ffcf14b81fc6196b7f8cde982c8ba4d2df874d046db3060ab9af06
Malware Config

Extracted
  Family: warzonerat
  C2: 149.28.124.150:5200
Signatures

WarzoneRat, AveMaria
  WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.

Executes dropped EXE (1 IoC)
  PID   Process
  1236  images.exe

Suspicious behavior: EnumeratesProcesses (64 IoCs)
  PID   Process     Hits
  3380  nope-1.exe  2
  1236  images.exe  62

Suspicious use of WriteProcessMemory (11 IoCs)
  Source PID  Source process  Target PID  Target process  Hits
  3380        nope-1.exe      388         Explorer.EXE    2
  3380        nope-1.exe      1216        cmd.exe         3
  3380        nope-1.exe      1236        images.exe      3
  1216        cmd.exe         1772        reg.exe         3
Processes

[1] C:\Windows\Explorer.EXE
    Command line: C:\Windows\Explorer.EXE

  [2] C:\Users\Admin\AppData\Local\Temp\nope-1.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\nope-1.exe"
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory

    [3] C:\Windows\SysWOW64\cmd.exe
        Command line: cmd.exe /c REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /f /v Load /t REG_SZ /d "C:\ProgramData\images.exe"
        - Suspicious use of WriteProcessMemory

      [4] C:\Windows\SysWOW64\reg.exe
          Command line: REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /f /v Load /t REG_SZ /d "C:\ProgramData\images.exe"

    [3] C:\ProgramData\images.exe
        Command line: "C:\ProgramData\images.exe"
        - Executes dropped EXE
        - Suspicious behavior: EnumeratesProcesses
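The process tree above shows the two behaviours worth alerting on: a REG ADD that writes the Load value of HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows (a logon persistence location alongside the better-known Run keys), and the execution of a dropped copy straight from the root of C:\ProgramData. The following detection logic is an added example and is not part of the sandbox report or of any vendor product. It runs over constructed process-creation events whose PIDs and command lines are copied from the tree above (the notepad.exe event is an added benign control), parses the persistence write, flags the ProgramData execution, and ties the two together through the parent chain back to the submitted sample.

```python
import ntpath
import re
from typing import Optional

# Constructed process-creation events modelled on the process tree in the
# report above. PIDs and command lines are copied from the report; the
# notepad.exe entry is an added benign control. This is not real telemetry.
EVENTS = [
    {"pid": 388, "ppid": 0, "image": r"C:\Windows\Explorer.EXE",
     "cmdline": r"C:\Windows\Explorer.EXE"},
    {"pid": 3380, "ppid": 388, "image": r"C:\Users\Admin\AppData\Local\Temp\nope-1.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\nope-1.exe"'},
    {"pid": 1216, "ppid": 3380, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": r'cmd.exe /c REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /f /v Load /t REG_SZ /d "C:\ProgramData\images.exe"'},
    {"pid": 1772, "ppid": 1216, "image": r"C:\Windows\SysWOW64\reg.exe",
     "cmdline": r'REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /f /v Load /t REG_SZ /d "C:\ProgramData\images.exe"'},
    {"pid": 1236, "ppid": 3380, "image": r"C:\ProgramData\images.exe",
     "cmdline": r'"C:\ProgramData\images.exe"'},
    {"pid": 4100, "ppid": 388, "image": r"C:\Windows\System32\notepad.exe",
     "cmdline": "notepad.exe"},
]

# The Load and Run values under HKCU\...\CurrentVersion\Windows are executed
# at logon (they mirror the legacy win.ini load=/run= lines), so a REG ADD
# targeting either is a persistence indicator. Both hive aliases and the
# optional quoting accepted by reg.exe are tolerated.
_WINDOWS_KEY = r'"?HK(?:CU|EY_CURRENT_USER)\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows"?'
_REG_ADD_RE = re.compile(
    r'\bREG\s+ADD\s+' + _WINDOWS_KEY
    + r'.*?/v\s+(?P<value>Load|Run)\b.*?/d\s+"?(?P<payload>[^"]+?)"?\s*$',
    re.IGNORECASE,
)


def parse_load_persistence(cmdline: str) -> Optional[dict]:
    """Return the value name and payload path when the command line writes the
    Load or Run value of HKCU\\...\\CurrentVersion\\Windows, otherwise None."""
    m = _REG_ADD_RE.search(cmdline)
    if not m:
        return None
    return {"value": m.group("value").capitalize(), "payload": m.group("payload")}


def is_programdata_root_exec(image: str) -> bool:
    """True when an .exe runs directly from C:\\ProgramData rather than from a
    vendor subfolder; the sample drops its copy exactly there."""
    parent = ntpath.dirname(image).rstrip("\\")
    return parent.lower() == r"c:\programdata" and image.lower().endswith(".exe")


def ancestry(pid: int, events) -> list:
    """Image basenames from the given process up to the root of the tree."""
    by_pid = {e["pid"]: e for e in events}
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        chain.append(ntpath.basename(by_pid[pid]["image"]))
        pid = by_pid[pid]["ppid"]
    return chain


def analyze(events) -> list:
    """Run both rules, then correlate: when the path registered for
    persistence is also an executing image, report it as one chain."""
    findings, persisted = [], {}
    for e in events:
        hit = parse_load_persistence(e["cmdline"])
        if hit:
            persisted[hit["payload"].lower()] = e["pid"]
            findings.append({"rule": "hkcu_windows_load_persistence", "pid": e["pid"],
                             "value": hit["value"], "payload": hit["payload"],
                             "chain": ancestry(e["pid"], events)})
    for e in events:
        if is_programdata_root_exec(e["image"]):
            f = {"rule": "programdata_root_exec", "pid": e["pid"],
                 "image": e["image"], "chain": ancestry(e["pid"], events)}
            if e["image"].lower() in persisted:
                f["rule"] = "persisted_dropper_executed"
                f["registered_by_pid"] = persisted[e["image"].lower()]
            findings.append(f)
    return findings


if __name__ == "__main__":
    for f in analyze(EVENTS):
        print(f["rule"], f["pid"], " <- ".join(f["chain"]))
```

Both cmd.exe and its reg.exe child match the persistence rule because cmd.exe carries the full REG ADD string in its own command line; keeping both hits is deliberate, since EDR products differ in which of the two they record.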
Downloads

C:\ProgramData\images.exe
  MD5: 49e8a6ee9c5dd808767d4753639bb045
  SHA1: 63739f2feff8d277d53b9af26df46c77d4088cf6
  SHA256: 9cd6c84ba5aee64aca1a0e7d17839c3974b965efd4ab83cc0d1deb336793f590
  SHA512: 8dc55930a566f6efcc365f8a8498aaf93ff609aa98acdbbaee3a4f9716d3da322615cc0366ffcf14b81fc6196b7f8cde982c8ba4d2df874d046db3060ab9af06
  (all four hashes match the submitted nope-1.exe: the dropped file is a byte-identical copy of the sample)

memory/1216-114-0x0000000000000000-mapping.dmp
memory/1236-115-0x0000000000000000-mapping.dmp
memory/1772-118-0x0000000000000000-mapping.dmp