Analysis
max time kernel: 149s
max time network: 191s
platform: windows7_x64
resource: win7v20210408
submitted: 28-05-2021 10:52
Static task: static1

Behavioral task: behavioral1
Sample: services.exe
Resource: win7v20210408 (windows7_x64)
0 signatures
0 seconds

Behavioral task: behavioral2
Sample: services.exe
Resource: win10v20210410 (windows10_x64)
0 signatures
0 seconds
General
Target: services.exe
Size: 113KB
MD5: 4e9f2ab42f55d659b90079a3bb75858c
SHA1: b7481079ec7a825f454bea6d7bf2788d7e286523
SHA256: ac3ac2c7989618e67564ccfad54facd8f4ec7b0ade1e09f323f1d940f3db8ede
SHA512: bba8850ebd6617df9240e4aecd334f81fdb33cf7f3ff2f8973bfee15a45b78c656b96b162660068d558df314ca7b6266cc13f407b8f652d2002512d68e0804f3

Score: 10/10
Malware Config
Signatures
WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.

Adds Run key to start application (2 TTPs, 1 IoCs)
Processes: services.exe

| description | ioc | process |
| --- | --- | --- |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\services = "C:\\Users\\Admin\\AppData\\Local\\Temp\\services.exe" | services.exe |

Suspicious use of WriteProcessMemory (6 IoCs)
Processes: services.exe

| description | pid | process | target process |
| --- | --- | --- | --- |
| PID 320 wrote to memory of 1364 | 320 | services.exe | cmd.exe |
| PID 320 wrote to memory of 1364 | 320 | services.exe | cmd.exe |
| PID 320 wrote to memory of 1364 | 320 | services.exe | cmd.exe |
| PID 320 wrote to memory of 1364 | 320 | services.exe | cmd.exe |
| PID 320 wrote to memory of 1364 | 320 | services.exe | cmd.exe |
| PID 320 wrote to memory of 1364 | 320 | services.exe | cmd.exe |