Analysis
- max time kernel: 121s
- max time network: 123s
- platform: windows7_x64
- resource: win7-en-20211014
- submitted: 03-12-2021 04:05
Static task: static1
Behavioral task: behavioral1
  Sample: PO data file from project 029452.exe
  Resource: win7-en-20211014
Behavioral task: behavioral2
  Sample: PO data file from project 029452.exe
  Resource: win10-en-20211104
General
- Target: PO data file from project 029452.exe
- Size: 544KB
- MD5: a977e0f159c0a6574c3274a1db5b7a67
- SHA1: 404e0e4a03baca74ec0ec08543917dcc1ce3a187
- SHA256: 3e52503cc1b664efb9fa89c2bed4adff5d460bffbe0dba536363edb5cda1c603
- SHA512: 7e5b8badab27963316865f92a8ca1ee323f0efcc03035cfa731cf9ed268a074d191004eaff08857ad89a9cee4fbf56fee93417f1f0caac77ea72518c3d55571e
Malware Config
Extracted: warzonerat
  engkaa.ddns.net:4545
Signatures
- WarzoneRat, AveMaria
  WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
- Warzone RAT Payload (4 IoCs)
  Processes:
    resource | yara_rule
    behavioral1/memory/1472-57-0x0000000000000000-mapping.dmp | warzonerat
    behavioral1/memory/1472-58-0x00000000001C0000-0x0000000000314000-memory.dmp | warzonerat
    behavioral1/memory/1472-63-0x00000000001C0000-0x0000000000314000-memory.dmp | warzonerat
    behavioral1/memory/1472-69-0x00000000001C0000-0x0000000000314000-memory.dmp | warzonerat
- Loads dropped DLL (1 IoCs)
  Processes:
    pid | process
    1092 | PO data file from project 029452.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Program crash (1 IoCs)
  Processes:
    pid | pid_target | process | target process
    1640 | 1472 | WerFault.exe | PO data file from project 029452.exe
- Suspicious behavior: EnumeratesProcesses (4 IoCs)
  Processes:
    pid | process
    1640 | WerFault.exe
    1640 | WerFault.exe
    1640 | WerFault.exe
    1640 | WerFault.exe
- Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
  Processes:
    pid | process
    1640 | WerFault.exe
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Processes:
    description | pid | process
    Token: SeDebugPrivilege | 1640 | WerFault.exe
- Suspicious use of WriteProcessMemory (16 IoCs)
  Processes:
    description | pid | process | target process
    PID 1092 wrote to memory of 1472 | 1092 | PO data file from project 029452.exe | PO data file from project 029452.exe
    PID 1092 wrote to memory of 1472 | 1092 | PO data file from project 029452.exe | PO data file from project 029452.exe
    PID 1092 wrote to memory of 1472 | 1092 | PO data file from project 029452.exe | PO data file from project 029452.exe
    PID 1092 wrote to memory of 1472 | 1092 | PO data file from project 029452.exe | PO data file from project 029452.exe
    PID 1092 wrote to memory of 1472 | 1092 | PO data file from project 029452.exe | PO data file from project 029452.exe
    PID 1092 wrote to memory of 1472 | 1092 | PO data file from project 029452.exe | PO data file from project 029452.exe
    PID 1092 wrote to memory of 1472 | 1092 | PO data file from project 029452.exe | PO data file from project 029452.exe
    PID 1092 wrote to memory of 1472 | 1092 | PO data file from project 029452.exe | PO data file from project 029452.exe
    PID 1092 wrote to memory of 1472 | 1092 | PO data file from project 029452.exe | PO data file from project 029452.exe
    PID 1092 wrote to memory of 1472 | 1092 | PO data file from project 029452.exe | PO data file from project 029452.exe
    PID 1092 wrote to memory of 1472 | 1092 | PO data file from project 029452.exe | PO data file from project 029452.exe
    PID 1092 wrote to memory of 1472 | 1092 | PO data file from project 029452.exe | PO data file from project 029452.exe
    PID 1472 wrote to memory of 1640 | 1472 | PO data file from project 029452.exe | WerFault.exe
    PID 1472 wrote to memory of 1640 | 1472 | PO data file from project 029452.exe | WerFault.exe
    PID 1472 wrote to memory of 1640 | 1472 | PO data file from project 029452.exe | WerFault.exe
    PID 1472 wrote to memory of 1640 | 1472 | PO data file from project 029452.exe | WerFault.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\PO data file from project 029452.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\PO data file from project 029452.exe"
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\PO data file from project 029452.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\PO data file from project 029452.exe"
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1472 -s 200
      - Program crash
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- \Users\Admin\AppData\Local\Temp\nstF02A.tmp\ootkzcxq.dll
  MD5: ec61597362b2d45bf0c5d98db7d94de3
  SHA1: 7c3af6293c30c64bf53d226eb889e12cf4e3ac38
  SHA256: ce53ff0249b1154d4455c0185b9152817084da64ab43897a774857c2eea6611e
  SHA512: fa771305e8a293a5ae31198da978c93de2aa5e46fe7ac47fa7cd25930df3e026175d3d91f3ed039040e1a71638b5f7ce26fdc6151d63d45fd4fd29e49034a6b9
- memory/1092-55-0x00000000768A1000-0x00000000768A3000-memory.dmp
  Filesize: 8KB
- memory/1472-57-0x0000000000000000-mapping.dmp
- memory/1472-58-0x00000000001C0000-0x0000000000314000-memory.dmp
  Filesize: 1.3MB
- memory/1472-63-0x00000000001C0000-0x0000000000314000-memory.dmp
  Filesize: 1.3MB
- memory/1472-69-0x00000000001C0000-0x0000000000314000-memory.dmp
  Filesize: 1.3MB
- memory/1640-70-0x0000000000000000-mapping.dmp
- memory/1640-71-0x0000000000910000-0x0000000000911000-memory.dmp
  Filesize: 4KB