Analysis
- max time kernel: 129s
- max time network: 46s
- platform: windows7_x64
- resource: win7-20220414-en
- submitted: 21-05-2022 19:18
Static task: static1
Behavioral task: behavioral1
- Sample: scan001.exe
- Resource: win7-20220414-en
Behavioral task: behavioral2
- Sample: scan001.exe
- Resource: win10v2004-20220414-en
General
- Target: scan001.exe
- Size: 1.3MB
- MD5: dec59124b7990c19313cec352f47414f
- SHA1: 84769168287f5f3c9a9467b129eee606c452f0dc
- SHA256: 2c17ec053eeef1daed652560bd9bd8672fd2bd160595f998f87c017b3c7095c5
- SHA512: 55072103d13191e1e78b491b6e6ec3ab681f14342273158fedef4042d1822e0938bbf86213be8667cf0174c4720a56844e8cbac55bdfa2138e58d459a2d38997
Malware Config
- Extracted: warzonerat
- 79.134.225.34:5200
Signatures
- WarzoneRat, AveMaria
  WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
- Warzone RAT Payload (3 IoCs)
  Processes (resource: yara_rule):
  - behavioral1/memory/2016-55-0x00000000001A0000-0x00000000002A0000-memory.dmp: warzonerat
  - behavioral1/memory/2016-56-0x0000000000440000-0x0000000000593000-memory.dmp: warzonerat
  - behavioral1/memory/952-70-0x00000000008E0000-0x0000000000A33000-memory.dmp: warzonerat
- Executes dropped EXE (1 IoC)
  Processes (pid: process):
  - 952: images.exe
- Drops startup file (2 IoCs)
  Processes (description, ioc, process):
  - File created, C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\programs.bat, scan001.exe
  - File created, C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\programs.bat:start, scan001.exe
- Loads dropped DLL (1 IoC)
  Processes (pid: process):
  - 2016: scan001.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes (description, ioc, process):
  - Set value (str), \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Images = "C:\\ProgramData\\images.exe", scan001.exe
- NTFS ADS (1 IoC)
  Processes (description, ioc, process):
  - File created, C:\ProgramData:ApplicationData, scan001.exe
- Suspicious behavior: EnumeratesProcesses (1 IoC)
  Processes (pid: process):
  - 1292: powershell.exe
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes (description, pid, process):
  - Token: SeDebugPrivilege, 1292, powershell.exe
- Suspicious use of WriteProcessMemory (8 IoCs)
  Processes (description, pid, process, target process):
  - PID 2016 wrote to memory of 1292, 2016, scan001.exe, powershell.exe
  - PID 2016 wrote to memory of 1292, 2016, scan001.exe, powershell.exe
  - PID 2016 wrote to memory of 1292, 2016, scan001.exe, powershell.exe
  - PID 2016 wrote to memory of 1292, 2016, scan001.exe, powershell.exe
  - PID 2016 wrote to memory of 952, 2016, scan001.exe, images.exe
  - PID 2016 wrote to memory of 952, 2016, scan001.exe, images.exe
  - PID 2016 wrote to memory of 952, 2016, scan001.exe, images.exe
  - PID 2016 wrote to memory of 952, 2016, scan001.exe, images.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\scan001.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\scan001.exe"
  - Drops startup file
  - Loads dropped DLL
  - Adds Run key to start application
  - NTFS ADS
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (depth 2, child of scan001.exe)
    Command line: powershell Add-MpPreference -ExclusionPath C:\
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  - C:\ProgramData\images.exe (depth 2, child of scan001.exe)
    Command line: "C:\ProgramData\images.exe"
    - Executes dropped EXE
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\ProgramData
  MD5: d41d8cd98f00b204e9800998ecf8427e
  SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
  SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
  SHA512: cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
- C:\ProgramData\images.exe
  Filesize: 1.3MB
  MD5: dec59124b7990c19313cec352f47414f
  SHA1: 84769168287f5f3c9a9467b129eee606c452f0dc
  SHA256: 2c17ec053eeef1daed652560bd9bd8672fd2bd160595f998f87c017b3c7095c5
  SHA512: 55072103d13191e1e78b491b6e6ec3ab681f14342273158fedef4042d1822e0938bbf86213be8667cf0174c4720a56844e8cbac55bdfa2138e58d459a2d38997
- \ProgramData\images.exe
  Filesize: 1.3MB
  MD5: dec59124b7990c19313cec352f47414f
  SHA1: 84769168287f5f3c9a9467b129eee606c452f0dc
  SHA256: 2c17ec053eeef1daed652560bd9bd8672fd2bd160595f998f87c017b3c7095c5
  SHA512: 55072103d13191e1e78b491b6e6ec3ab681f14342273158fedef4042d1822e0938bbf86213be8667cf0174c4720a56844e8cbac55bdfa2138e58d459a2d38997
- memory/952-64-0x0000000000000000-mapping.dmp
- memory/952-70-0x00000000008E0000-0x0000000000A33000-memory.dmp
  Filesize: 1.3MB
- memory/1292-62-0x0000000000000000-mapping.dmp
- memory/1292-68-0x00000000743F0000-0x000000007499B000-memory.dmp
  Filesize: 5.7MB
- memory/2016-54-0x0000000075F21000-0x0000000075F23000-memory.dmp
  Filesize: 8KB
- memory/2016-55-0x00000000001A0000-0x00000000002A0000-memory.dmp
  Filesize: 1024KB
- memory/2016-56-0x0000000000440000-0x0000000000593000-memory.dmp
  Filesize: 1.3MB