Analysis
max time kernel: 255s
max time network: 298s
platform: windows10_x64
resource: win10v20210408
submitted: 23-07-2021 11:22
Static task: static1
Behavioral task: behavioral1
  Sample: text.exe
  Resource: win7v20210410
Behavioral task: behavioral2
  Sample: text.exe
  Resource: win10v20210408
General
Target: text.exe
Size: 1.1MB
MD5: 08e321e2f7a4fceebed7d9330c7e627b
SHA1: 2049c1f290d542fba9690958d97c25c0f9d2b39d
SHA256: 670a52daaf17c5925d5cb33c03e849a863f11f153d438519ec3c71083a90167b
SHA512: f3ed6cf7f15f65878d547be2853376602236d4364f6d53566b8169fc05b26454c031f3b7b5630c5dd340054fdca81fe69f569aad9b1cc06cdef751f7eac3d1f1
Malware Config
Extracted family: warzonerat
Extracted address: 5.226.138.94:6621
Signatures

WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.

Warzone RAT Payload (3 IoCs)
  resource                                                                       yara_rule
  behavioral2/memory/1420-127-0x0000000000400000-0x0000000000554000-memory.dmp   warzonerat
  behavioral2/memory/1420-128-0x0000000000405CE2-mapping.dmp                     warzonerat
  behavioral2/memory/1420-129-0x0000000000400000-0x0000000000554000-memory.dmp   warzonerat

Suspicious use of SetThreadContext (1 IoC)
  description                            pid   process    target process
  PID 672 set thread context of 1420     672   text.exe   text.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Creates scheduled task(s) (1 TTP, 1 IoC)
Schtasks is often used by malware for persistence or to perform post-infection execution.

Suspicious behavior: EnumeratesProcesses (2 IoCs)
  pid   process
  672   text.exe
  672   text.exe

Suspicious use of AdjustPrivilegeToken (1 IoC)
  description               pid   process
  Token: SeDebugPrivilege   672   text.exe

Suspicious use of WriteProcessMemory (17 IoCs)
  description                          pid   process    target process
  PID 672 wrote to memory of 3292      672   text.exe   schtasks.exe
  PID 672 wrote to memory of 3292      672   text.exe   schtasks.exe
  PID 672 wrote to memory of 3292      672   text.exe   schtasks.exe
  PID 672 wrote to memory of 1188      672   text.exe   text.exe
  PID 672 wrote to memory of 1188      672   text.exe   text.exe
  PID 672 wrote to memory of 1188      672   text.exe   text.exe
  PID 672 wrote to memory of 1420      672   text.exe   text.exe
  PID 672 wrote to memory of 1420      672   text.exe   text.exe
  PID 672 wrote to memory of 1420      672   text.exe   text.exe
  PID 672 wrote to memory of 1420      672   text.exe   text.exe
  PID 672 wrote to memory of 1420      672   text.exe   text.exe
  PID 672 wrote to memory of 1420      672   text.exe   text.exe
  PID 672 wrote to memory of 1420      672   text.exe   text.exe
  PID 672 wrote to memory of 1420      672   text.exe   text.exe
  PID 672 wrote to memory of 1420      672   text.exe   text.exe
  PID 672 wrote to memory of 1420      672   text.exe   text.exe
  PID 672 wrote to memory of 1420      672   text.exe   text.exe
Processes (process tree; depth shown by indentation)

C:\Users\Admin\AppData\Local\Temp\text.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\text.exe"
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\schtasks.exe
    command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ZQNDQxDJ" /XML "C:\Users\Admin\AppData\Local\Temp\tmpBC2D.tmp"
    - Creates scheduled task(s)

  C:\Users\Admin\AppData\Local\Temp\text.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\text.exe"

  C:\Users\Admin\AppData\Local\Temp\text.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\text.exe"
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

C:\Users\Admin\AppData\Local\Temp\tmpBC2D.tmp
  MD5: 4417d3d37b843113396224359b72b23e
  SHA1: f50bc7dd03025025f47b29b951287fa8827c05c6
  SHA256: 34614187f9fc5a1e6c409f063985ea29858d7c1dca8789d42a94a5c7fb469f36
  SHA512: 3cc080b08a7602fa0f5536969a0a737184ff9b75beb60790bbf9c6a0c3364888eee8398138c8e82ab50e9662e7cc8fe093c372a1c540a9b6ec23d8b7e21c9f13

Memory dumps
  file                                                           filesize
  memory/672-121-0x00000000050C0000-0x00000000055BE000-memory.dmp   5.0MB
  memory/672-123-0x0000000007AC0000-0x0000000007B27000-memory.dmp   412KB
  memory/672-118-0x00000000050C0000-0x00000000050C1000-memory.dmp   4KB
  memory/672-119-0x0000000005180000-0x0000000005181000-memory.dmp   4KB
  memory/672-120-0x0000000005220000-0x0000000005221000-memory.dmp   4KB
  memory/672-114-0x0000000000650000-0x0000000000651000-memory.dmp   4KB
  memory/672-122-0x00000000053A0000-0x00000000053CD000-memory.dmp   180KB
  memory/672-117-0x00000000055C0000-0x00000000055C1000-memory.dmp   4KB
  memory/672-124-0x00000000051C0000-0x00000000051E2000-memory.dmp   136KB
  memory/672-116-0x0000000005020000-0x0000000005021000-memory.dmp   4KB
  memory/1420-127-0x0000000000400000-0x0000000000554000-memory.dmp  1.3MB
  memory/1420-128-0x0000000000405CE2-mapping.dmp                    (no size listed)
  memory/1420-129-0x0000000000400000-0x0000000000554000-memory.dmp  1.3MB
  memory/3292-125-0x0000000000000000-mapping.dmp                    (no size listed)