Analysis
-
max time kernel
136s -
max time network
147s -
platform
windows10_x64 -
resource
win10v20210408 -
submitted
16-07-2021 00:02
Static task
static1
Behavioral task
behavioral1
Sample
5289ee592197e853ca284d082bd0355e.exe
Resource
win7v20210410
Behavioral task
behavioral2
Sample
5289ee592197e853ca284d082bd0355e.exe
Resource
win10v20210408
General
-
Target
5289ee592197e853ca284d082bd0355e.exe
-
Size
371KB
-
MD5
5289ee592197e853ca284d082bd0355e
-
SHA1
32b33a3e0c77a5bd9a09ac35e9d237db2782609e
-
SHA256
d966b0be571e5da5143ec930b1cf99c053412ecfdb76d46b16ba811c16e9eb8b
-
SHA512
9a7d715e0e9d0a199aa2a40c4c193accdd12105908d62db2a0e46100b9518b4479afe7c3f8b4ba1922e6874fd3041987e6334bc4964546e97684f02e09a0f63a
Malware Config
Extracted
warzonerat
byx.z86.ru:5200
Signatures
-
WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
-
Executes dropped EXE 2 IoCs
Processes:
svchost.exesvchost.exepid process 796 svchost.exe 1508 svchost.exe -
Suspicious use of SetThreadContext 2 IoCs
Processes:
5289ee592197e853ca284d082bd0355e.exesvchost.exedescription pid process target process PID 532 set thread context of 1504 532 5289ee592197e853ca284d082bd0355e.exe 5289ee592197e853ca284d082bd0355e.exe PID 796 set thread context of 1508 796 svchost.exe svchost.exe -
Suspicious behavior: EnumeratesProcesses 12 IoCs
Processes:
5289ee592197e853ca284d082bd0355e.exesvchost.exepid process 532 5289ee592197e853ca284d082bd0355e.exe 532 5289ee592197e853ca284d082bd0355e.exe 532 5289ee592197e853ca284d082bd0355e.exe 532 5289ee592197e853ca284d082bd0355e.exe 532 5289ee592197e853ca284d082bd0355e.exe 532 5289ee592197e853ca284d082bd0355e.exe 532 5289ee592197e853ca284d082bd0355e.exe 532 5289ee592197e853ca284d082bd0355e.exe 532 5289ee592197e853ca284d082bd0355e.exe 532 5289ee592197e853ca284d082bd0355e.exe 796 svchost.exe 796 svchost.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
5289ee592197e853ca284d082bd0355e.exesvchost.exedescription pid process Token: SeDebugPrivilege 532 5289ee592197e853ca284d082bd0355e.exe Token: SeDebugPrivilege 796 svchost.exe -
Suspicious use of WriteProcessMemory 40 IoCs
Processes:
5289ee592197e853ca284d082bd0355e.exe5289ee592197e853ca284d082bd0355e.execmd.exesvchost.exesvchost.exedescription pid process target process PID 532 wrote to memory of 1592 532 5289ee592197e853ca284d082bd0355e.exe 5289ee592197e853ca284d082bd0355e.exe PID 532 wrote to memory of 1592 532 5289ee592197e853ca284d082bd0355e.exe 5289ee592197e853ca284d082bd0355e.exe PID 532 wrote to memory of 1592 532 5289ee592197e853ca284d082bd0355e.exe 5289ee592197e853ca284d082bd0355e.exe PID 532 wrote to memory of 4044 532 5289ee592197e853ca284d082bd0355e.exe 5289ee592197e853ca284d082bd0355e.exe PID 532 wrote to memory of 4044 532 5289ee592197e853ca284d082bd0355e.exe 5289ee592197e853ca284d082bd0355e.exe PID 532 wrote to memory of 4044 532 5289ee592197e853ca284d082bd0355e.exe 5289ee592197e853ca284d082bd0355e.exe PID 532 wrote to memory of 1504 532 5289ee592197e853ca284d082bd0355e.exe 5289ee592197e853ca284d082bd0355e.exe PID 532 wrote to memory of 1504 532 5289ee592197e853ca284d082bd0355e.exe 5289ee592197e853ca284d082bd0355e.exe PID 532 wrote to memory of 1504 532 5289ee592197e853ca284d082bd0355e.exe 5289ee592197e853ca284d082bd0355e.exe PID 532 wrote to memory of 1504 532 5289ee592197e853ca284d082bd0355e.exe 5289ee592197e853ca284d082bd0355e.exe PID 532 wrote to memory of 1504 532 5289ee592197e853ca284d082bd0355e.exe 5289ee592197e853ca284d082bd0355e.exe PID 532 wrote to memory of 1504 532 5289ee592197e853ca284d082bd0355e.exe 5289ee592197e853ca284d082bd0355e.exe PID 532 wrote to memory of 1504 532 5289ee592197e853ca284d082bd0355e.exe 5289ee592197e853ca284d082bd0355e.exe PID 532 wrote to memory of 1504 532 5289ee592197e853ca284d082bd0355e.exe 5289ee592197e853ca284d082bd0355e.exe PID 532 wrote to memory of 1504 532 5289ee592197e853ca284d082bd0355e.exe 5289ee592197e853ca284d082bd0355e.exe PID 532 wrote to memory of 1504 532 5289ee592197e853ca284d082bd0355e.exe 5289ee592197e853ca284d082bd0355e.exe PID 1504 wrote to memory of 3832 1504 5289ee592197e853ca284d082bd0355e.exe cmd.exe PID 1504 wrote to memory of 3832 1504 5289ee592197e853ca284d082bd0355e.exe cmd.exe PID 1504 wrote to memory of 3832 1504 5289ee592197e853ca284d082bd0355e.exe cmd.exe PID 1504 wrote to memory of 796 1504 5289ee592197e853ca284d082bd0355e.exe svchost.exe PID 1504 wrote to memory of 796 1504 5289ee592197e853ca284d082bd0355e.exe svchost.exe PID 1504 wrote to memory of 796 1504 5289ee592197e853ca284d082bd0355e.exe svchost.exe PID 3832 wrote to memory of 2568 3832 cmd.exe reg.exe PID 3832 wrote to memory of 2568 3832 cmd.exe reg.exe PID 3832 wrote to memory of 2568 3832 cmd.exe reg.exe PID 796 wrote to memory of 1508 796 svchost.exe svchost.exe PID 796 wrote to memory of 1508 796 svchost.exe svchost.exe PID 796 wrote to memory of 1508 796 svchost.exe svchost.exe PID 796 wrote to memory of 1508 796 svchost.exe svchost.exe PID 796 wrote to memory of 1508 796 svchost.exe svchost.exe PID 796 wrote to memory of 1508 796 svchost.exe svchost.exe PID 796 wrote to memory of 1508 796 svchost.exe svchost.exe PID 796 wrote to memory of 1508 796 svchost.exe svchost.exe PID 796 wrote to memory of 1508 796 svchost.exe svchost.exe PID 796 wrote to memory of 1508 796 svchost.exe svchost.exe PID 1508 wrote to memory of 1124 1508 svchost.exe cmd.exe PID 1508 wrote to memory of 1124 1508 svchost.exe cmd.exe PID 1508 wrote to memory of 1124 1508 svchost.exe cmd.exe PID 1508 wrote to memory of 1124 1508 svchost.exe cmd.exe PID 1508 wrote to memory of 1124 1508 svchost.exe cmd.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\5289ee592197e853ca284d082bd0355e.exe"C:\Users\Admin\AppData\Local\Temp\5289ee592197e853ca284d082bd0355e.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\5289ee592197e853ca284d082bd0355e.exeC:\Users\Admin\AppData\Local\Temp\5289ee592197e853ca284d082bd0355e.exe2⤵
-
C:\Users\Admin\AppData\Local\Temp\5289ee592197e853ca284d082bd0355e.exeC:\Users\Admin\AppData\Local\Temp\5289ee592197e853ca284d082bd0355e.exe2⤵
-
C:\Users\Admin\AppData\Local\Temp\5289ee592197e853ca284d082bd0355e.exeC:\Users\Admin\AppData\Local\Temp\5289ee592197e853ca284d082bd0355e.exe2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.execmd.exe /c REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /f /v Load /t REG_SZ /d "C:\ProgramData\svchost.exe"3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /f /v Load /t REG_SZ /d "C:\ProgramData\svchost.exe"4⤵
-
C:\ProgramData\svchost.exe"C:\ProgramData\svchost.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\svchost.exeC:\Users\Admin\AppData\Local\Temp\svchost.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe"5⤵
Network
MITRE ATT&CK Matrix
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\ProgramData\svchost.exeMD5
5289ee592197e853ca284d082bd0355e
SHA132b33a3e0c77a5bd9a09ac35e9d237db2782609e
SHA256d966b0be571e5da5143ec930b1cf99c053412ecfdb76d46b16ba811c16e9eb8b
SHA5129a7d715e0e9d0a199aa2a40c4c193accdd12105908d62db2a0e46100b9518b4479afe7c3f8b4ba1922e6874fd3041987e6334bc4964546e97684f02e09a0f63a
-
C:\ProgramData\svchost.exeMD5
5289ee592197e853ca284d082bd0355e
SHA132b33a3e0c77a5bd9a09ac35e9d237db2782609e
SHA256d966b0be571e5da5143ec930b1cf99c053412ecfdb76d46b16ba811c16e9eb8b
SHA5129a7d715e0e9d0a199aa2a40c4c193accdd12105908d62db2a0e46100b9518b4479afe7c3f8b4ba1922e6874fd3041987e6334bc4964546e97684f02e09a0f63a
-
C:\Users\Admin\AppData\Local\Temp\svchost.exeMD5
5289ee592197e853ca284d082bd0355e
SHA132b33a3e0c77a5bd9a09ac35e9d237db2782609e
SHA256d966b0be571e5da5143ec930b1cf99c053412ecfdb76d46b16ba811c16e9eb8b
SHA5129a7d715e0e9d0a199aa2a40c4c193accdd12105908d62db2a0e46100b9518b4479afe7c3f8b4ba1922e6874fd3041987e6334bc4964546e97684f02e09a0f63a
-
C:\Users\Admin\AppData\Local\Temp\svchost.exeMD5
5289ee592197e853ca284d082bd0355e
SHA132b33a3e0c77a5bd9a09ac35e9d237db2782609e
SHA256d966b0be571e5da5143ec930b1cf99c053412ecfdb76d46b16ba811c16e9eb8b
SHA5129a7d715e0e9d0a199aa2a40c4c193accdd12105908d62db2a0e46100b9518b4479afe7c3f8b4ba1922e6874fd3041987e6334bc4964546e97684f02e09a0f63a
-
memory/532-121-0x0000000006C60000-0x0000000006CAD000-memory.dmpFilesize
308KB
-
memory/532-120-0x0000000005260000-0x000000000575E000-memory.dmpFilesize
5.0MB
-
memory/532-119-0x0000000005240000-0x0000000005241000-memory.dmpFilesize
4KB
-
memory/532-122-0x0000000006D30000-0x0000000006D31000-memory.dmpFilesize
4KB
-
memory/532-123-0x0000000006CC0000-0x0000000006D26000-memory.dmpFilesize
408KB
-
memory/532-124-0x0000000007670000-0x0000000007671000-memory.dmpFilesize
4KB
-
memory/532-118-0x0000000005260000-0x000000000575E000-memory.dmpFilesize
5.0MB
-
memory/532-117-0x0000000005260000-0x0000000005261000-memory.dmpFilesize
4KB
-
memory/532-114-0x00000000008F0000-0x00000000008F1000-memory.dmpFilesize
4KB
-
memory/532-116-0x0000000005760000-0x0000000005761000-memory.dmpFilesize
4KB
-
memory/796-139-0x0000000005B00000-0x0000000005FFE000-memory.dmpFilesize
5.0MB
-
memory/796-129-0x0000000000000000-mapping.dmp
-
memory/796-138-0x0000000005B00000-0x0000000005FFE000-memory.dmpFilesize
5.0MB
-
memory/1124-149-0x0000000000000000-mapping.dmp
-
memory/1124-150-0x0000000000D70000-0x0000000000D71000-memory.dmpFilesize
4KB
-
memory/1504-127-0x0000000000400000-0x000000000055E000-memory.dmpFilesize
1.4MB
-
memory/1504-126-0x0000000000405E28-mapping.dmp
-
memory/1504-125-0x0000000000400000-0x000000000055E000-memory.dmpFilesize
1.4MB
-
memory/1508-145-0x0000000000405E28-mapping.dmp
-
memory/1508-148-0x0000000000400000-0x000000000055E000-memory.dmpFilesize
1.4MB
-
memory/2568-135-0x0000000000000000-mapping.dmp
-
memory/3832-128-0x0000000000000000-mapping.dmp