Analysis
- max time kernel: 147s
- max time network: 162s
- platform: windows10_x64
- resource: win10v20210408
- submitted: 27-07-2021 02:28
Static task: static1
Behavioral task: behavioral1
- Sample: f390fd6e97ea6bc9529d434d7e196bae271cff79eaec0cf97afcd26556c0c4f0.exe
- Resource: win7v20210408
Behavioral task: behavioral2
- Sample: f390fd6e97ea6bc9529d434d7e196bae271cff79eaec0cf97afcd26556c0c4f0.exe
- Resource: win10v20210408
General
- Target: f390fd6e97ea6bc9529d434d7e196bae271cff79eaec0cf97afcd26556c0c4f0.exe
- Size: 495KB
- MD5: 3e5de00abc1894db32e6eb3738ca9321
- SHA1: 6416b26038423c0cf2ffd274f3578b52d359ee2d
- SHA256: f390fd6e97ea6bc9529d434d7e196bae271cff79eaec0cf97afcd26556c0c4f0
- SHA512: e1fb5eda0b909563933761d7aa0f21df574e616f9c40bbb08141acae89a04f372709eaf1d85577d5380121ca4cb3ccf7b7bafd23b2cf19f1af156f5df42ab7b6
Malware Config
- Extracted: warzonerat
- warzonne.publicvm.com:22649
Signatures
- WarzoneRat, AveMaria
  WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
- Warzone RAT Payload (3 IoCs)
  resource / yara_rule:
  - behavioral2/memory/4176-128-0x0000000000400000-0x0000000000554000-memory.dmp: warzonerat
  - behavioral2/memory/4176-129-0x0000000000405CE2-mapping.dmp: warzonerat
  - behavioral2/memory/4176-140-0x0000000000400000-0x0000000000554000-memory.dmp: warzonerat
- Executes dropped EXE (1 IoCs)
  - pid 4176: RegAsm.exe
- Suspicious use of SetThreadContext (1 IoCs)
  - PID 4648 (f390fd6e97ea6bc9529d434d7e196bae271cff79eaec0cf97afcd26556c0c4f0.exe) set thread context of PID 4176 (RegAsm.exe)
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Modifies registry class (1 IoCs)
  - Key created: \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings (process: f390fd6e97ea6bc9529d434d7e196bae271cff79eaec0cf97afcd26556c0c4f0.exe)
- Suspicious behavior: EnumeratesProcesses (5 IoCs)
  - pid 4648 f390fd6e97ea6bc9529d434d7e196bae271cff79eaec0cf97afcd26556c0c4f0.exe (2 entries)
  - pid 576 powershell.exe (3 entries)
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  - Token: SeDebugPrivilege, pid 4648 f390fd6e97ea6bc9529d434d7e196bae271cff79eaec0cf97afcd26556c0c4f0.exe
  - Token: SeDebugPrivilege, pid 576 powershell.exe
- Suspicious use of WriteProcessMemory (17 IoCs)
  - PID 4648 (f390fd6e97ea6bc9529d434d7e196bae271cff79eaec0cf97afcd26556c0c4f0.exe) wrote to memory of PID 2660 (WScript.exe): 3 entries
  - PID 4648 (f390fd6e97ea6bc9529d434d7e196bae271cff79eaec0cf97afcd26556c0c4f0.exe) wrote to memory of PID 4176 (RegAsm.exe): 11 entries
  - PID 2660 (WScript.exe) wrote to memory of PID 576 (powershell.exe): 3 entries
Processes
- C:\Users\Admin\AppData\Local\Temp\f390fd6e97ea6bc9529d434d7e196bae271cff79eaec0cf97afcd26556c0c4f0.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\f390fd6e97ea6bc9529d434d7e196bae271cff79eaec0cf97afcd26556c0c4f0.exe"
  - Suspicious use of SetThreadContext
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\WScript.exe
    Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\_Gmbazahvpozveh.vbs"
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -ExclusionPath C:\,'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\dwrn\explorerr.exe'
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
  - C:\Users\Admin\AppData\Local\Temp\RegAsm.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\RegAsm.exe
    - Executes dropped EXE
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\RegAsm.exe
  MD5: b58b926c3574d28d5b7fdd2ca3ec30d5
  SHA1: d260c4ffd603a9cfc057fcb83d678b1cecdf86f9
  SHA256: 6e70b56d748c4ccab13cc8a055d3795ea0dd95fe3b70568d7d3ac0c6621140a3
  SHA512: b13cb998822b716b695013bcd6dec62a2290567d0d1743b2d982ca084235cf69c6ea1fc91c9d4e62657c6f9e102c7c60e81296ab055ffe43b887c5f8ec8958ab
- C:\Users\Admin\AppData\Local\Temp\_Gmbazahvpozveh.vbs
  MD5: dea2f8a74097b28b02ebe1203cda7dd9
  SHA1: ddff48c4ef021b9938b39e45a75344db9c6e3a21
  SHA256: a63665a894a0fba12b5771f14e2fa28c49108b0ced2b1c4787d68ebe8651aa73
  SHA512: 2d28d0a6b993210e07d1bf6add080ed17000eac39173cfc41fb22e1d69c0f0031263dff45330b1940931a03c3da8478e5bdcd8d245a90f2fb7cee6a552d55db3