Analysis
max time kernel: 146s
max time network: 153s
platform: windows10_x64
resource: win10v20210408
submitted: 14-07-2021 02:05

Static task: static1
Behavioral task: behavioral1
  Sample: NN.exe
  Resource: win7v20210410
Behavioral task: behavioral2
  Sample: NN.exe
  Resource: win10v20210408
General
Target: NN.exe
Size: 255KB
MD5: 05682c1439a9ef186645263be47a805d
SHA1: 462433cb73898afbf7fb414aa5ab6514961a1cfa
SHA256: 47b42d2ab9e369fdc04623df63b3a2b4630eb2028bad42373d10d30d3e85fd41
SHA512: 93414bafdcc659e94163e80895241d15341e09b5aef44d83003b68d74c6fdc3940052b4f2cc107340311e9192ffd133487c28f6d68c83fee163910bf99defc88
Malware Config
Extracted
Family: warzonerat
C2: hilipizie.hopto.org:4747
Signatures

WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.

Loads dropped DLL (2 IoCs)
Processes:
  pid  process
  856  NN.exe
  856  NN.exe

Adds Run key to start application (2 TTPs, 1 IoC)
Processes:
  description: Set value (str)
  ioc: \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\dqjag = "C:\\Users\\Admin\\AppData\\Roaming\\skhgjyqtyiyr\\fresbc.exe"
  process: NN.exe

Suspicious use of SetThreadContext (1 IoC)
Processes:
  description                         pid  process  target process
  PID 856 set thread context of 3548  856  NN.exe   NN.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Suspicious behavior: EnumeratesProcesses (8 IoCs)
Processes:
  pid  process
  856  NN.exe
  856  NN.exe
  856  NN.exe
  856  NN.exe
  856  NN.exe
  856  NN.exe
  856  NN.exe
  856  NN.exe

Suspicious behavior: MapViewOfSection (1 IoC)
Processes:
  pid  process
  856  NN.exe

Suspicious use of WriteProcessMemory (9 IoCs)
Processes:
  description                       pid   process  target process
  PID 856 wrote to memory of 3548   856   NN.exe   NN.exe
  PID 856 wrote to memory of 3548   856   NN.exe   NN.exe
  PID 856 wrote to memory of 3548   856   NN.exe   NN.exe
  PID 856 wrote to memory of 3548   856   NN.exe   NN.exe
  PID 3548 wrote to memory of 1256  3548  NN.exe   cmd.exe
  PID 3548 wrote to memory of 1256  3548  NN.exe   cmd.exe
  PID 3548 wrote to memory of 1256  3548  NN.exe   cmd.exe
  PID 3548 wrote to memory of 1256  3548  NN.exe   cmd.exe
  PID 3548 wrote to memory of 1256  3548  NN.exe   cmd.exe
Processes

Depth 1: C:\Users\Admin\AppData\Local\Temp\NN.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\NN.exe"
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory

  Depth 2: C:\Users\Admin\AppData\Local\Temp\NN.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\NN.exe"
    - Suspicious use of WriteProcessMemory

    Depth 3: C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe"
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads

\Users\Admin\AppData\Local\Temp\nsvAD4E.tmp\System.dll
MD5: fccff8cb7a1067e23fd2e2b63971a8e1
SHA1: 30e2a9e137c1223a78a0f7b0bf96a1c361976d91
SHA256: 6fcea34c8666b06368379c6c402b5321202c11b00889401c743fb96c516c679e
SHA512: f4335e84e6f8d70e462a22f1c93d2998673a7616c868177cac3e8784a3be1d7d0bb96f2583fa0ed82f4f2b6b8f5d9b33521c279a42e055d80a94b4f3f1791e0c

memory/1256-118-0x0000000000000000-mapping.dmp

memory/3548-116-0x0000000000405E28-mapping.dmp

memory/3548-117-0x0000000000400000-0x000000000055E000-memory.dmp
Filesize: 1.4MB