Analysis
- max time kernel: 147s
- max time network: 151s
- platform: windows10-2004_x64
- resource: win10v2004-20220812-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 20-09-2022 14:07
Static task: static1
Behavioral task: behavioral1
- Sample: 722c36abd195cce70ee25b48d6e64873262e046eae7433976120a1496f01487d.exe
- Resource: win7-20220812-en
Behavioral task: behavioral2
- Sample: 722c36abd195cce70ee25b48d6e64873262e046eae7433976120a1496f01487d.exe
- Resource: win10v2004-20220812-en
(the signatures, process tree and memory dumps below all come from behavioral2; every YARA hit is tagged behavioral2/memory)
General
- Target: 722c36abd195cce70ee25b48d6e64873262e046eae7433976120a1496f01487d.exe
- Size: 383KB
- MD5: 96b5dcad2ade88e0c99e84b4869224e7
- SHA1: f23d4988ca9ef6fcf9e219dd249eff9988d5f7c5
- SHA256: 722c36abd195cce70ee25b48d6e64873262e046eae7433976120a1496f01487d
- SHA512: 8ed9e7fa921b1c75ac6aec5016c138f213b0ff6341d263783d716db530da076794336bc02d6c9b141850d0250bf11b60d0ac401425dbfd13d8904a359284fb85
- SSDEEP: 6144:9NYLVv8Annhw3I54dDhfZfx6k/ZuCsmK4XShgtf:tIidDBZflr
Malware Config
Extracted: colibri 1.2.0 (Build1)
- http://zpltcmgodhvvedxtfcygvbgjkvgvcguygytfigj.cc/gate.php
- http://yugyuvyugguitgyuigtfyutdtoghghbbgyv.cx/gate.php
Extracted: warzonerat
- darkfox.ddns.net:443
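The two configs above give C2 in two shapes: full gate URLs for Colibri and a bare host:port for WarzoneRAT. The following is an added example for this report, not sandbox output and not code from either malware family: it normalises both shapes into one indicator table and defangs them for sharing. The config values are copied from the Malware Config section; the hxxp / [.] / [:] convention is the usual analyst defanging style, and the dynamic-DNS flag is this example's own heuristic based on the ddns.net suffix.

```python
"""Normalise and defang the C2 indicators extracted above.

Added example, not part of the sandbox report. Config values are copied
from the Malware Config section; everything else is this example's own.
"""
from urllib.parse import urlsplit

# Copied from the report's extracted configs.
EXTRACTED_CONFIG = {
    "colibri": {
        "version": "1.2.0",
        "build": "Build1",
        "c2": [
            "http://zpltcmgodhvvedxtfcygvbgjkvgvcguygytfigj.cc/gate.php",
            "http://yugyuvyugguitgyuigtfyutdtoghghbbgyv.cx/gate.php",
        ],
    },
    "warzonerat": {"c2": ["darkfox.ddns.net:443"]},
}

# Assumption of this example: suffixes of well-known dynamic-DNS services.
# Blocking the registrable domain would hit every tenant of the service,
# so such indicators should be blocked at the full hostname.
DYNAMIC_DNS_SUFFIXES = (".ddns.net",)


def parse_c2(value):
    """Accept a URL (http://host[:port]/path) or a bare host:port string.

    Returns scheme, host, port, path and whether the port was explicit.
    """
    if "://" in value:
        p = urlsplit(value)
        if not p.hostname:
            raise ValueError(f"no host in {value!r}")
        default = 443 if p.scheme == "https" else 80
        return {"scheme": p.scheme, "host": p.hostname, "port": p.port or default,
                "path": p.path or "/", "explicit_port": p.port is not None}
    host, sep, port = value.rpartition(":")
    if not sep or not host or not port.isdigit():
        raise ValueError(f"unrecognised C2 format: {value!r}")
    return {"scheme": "tcp", "host": host, "port": int(port),
            "path": "", "explicit_port": True}


def defang(value):
    """hxxp:// for the scheme, [.] in the host, [:] before an explicit port.
    Only the host is defanged; the path is left readable."""
    c = parse_c2(value)
    host = c["host"].replace(".", "[.]")
    if c["scheme"] in ("http", "https"):
        port = f"[:]{c['port']}" if c["explicit_port"] else ""
        return f"{c['scheme'].replace('http', 'hxxp')}://{host}{port}{c['path']}"
    return f"{host}[:]{c['port']}"


def indicators(config=EXTRACTED_CONFIG):
    """One row per C2 endpoint, ready for a blocklist or a ticket."""
    rows = []
    for family, data in config.items():
        for c2 in data["c2"]:
            c = parse_c2(c2)
            rows.append({
                "family": family,
                "host": c["host"],
                "port": c["port"],
                "scheme": c["scheme"],
                "path": c["path"],
                "defanged": defang(c2),
                "dynamic_dns": c["host"].endswith(DYNAMIC_DNS_SUFFIXES),
            })
    return rows


if __name__ == "__main__":
    for r in indicators():
        flag = "  (dynamic DNS: block the full hostname)" if r["dynamic_dns"] else ""
        print(f"{r['family']:<11} {r['port']:>4}  {r['defanged']}{flag}")
```

The port is filled in from the scheme when the URL leaves it implicit, so the table can feed a port-aware firewall rule, while the defanged string keeps the indicator exactly as observed.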
Signatures
WarzoneRat, AveMaria
WarzoneRat (also tracked as AveMaria) is a native RAT written in C++, extended through plugins and sold as malware-as-a-service (MaaS).
Warzone RAT payload (6 IoCs)
resource                                                                      yara_rule
behavioral2/memory/1168-144-0x0000000000400000-0x000000000055A000-memory.dmp  warzonerat
behavioral2/memory/1168-146-0x0000000000400000-0x000000000055A000-memory.dmp  warzonerat
behavioral2/memory/1168-148-0x0000000000400000-0x000000000055A000-memory.dmp  warzonerat
behavioral2/memory/1168-153-0x0000000000400000-0x000000000055A000-memory.dmp  warzonerat
behavioral2/memory/4936-159-0x0000000000400000-0x000000000055A000-memory.dmp  warzonerat
behavioral2/memory/4936-162-0x0000000000400000-0x000000000055A000-memory.dmp  warzonerat
All six hits are in the 0x400000-0x55A000 image region of PIDs 1168 and 4936, the two SetThreadContext targets listed below; the payload is only present unpacked in memory, not in the dropped files.
Executes dropped EXE (4 IoCs)
pid   process
4152  conhost.exe
2752  conhost.exe
728   MSCommonDriver.exe
4936  MSCommonDriver.exe
Drops startup file (2 IoCs)
description   ioc                                                                                        process
File created  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\programs.bat        722c36abd195cce70ee25b48d6e64873262e046eae7433976120a1496f01487d.exe
File created  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\programs.bat:start  722c36abd195cce70ee25b48d6e64873262e046eae7433976120a1496f01487d.exe
The second path is an alternate data stream named "start" on programs.bat; a directory listing of the Startup folder will show only the .bat.
Adds Run key to start application (2 TTPs, 1 IoC)
description      ioc                                                                                                                                              process
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MSCommonDriver = "C:\\Users\\Admin\\Documents\\MSCommonDriver.exe"  722c36abd195cce70ee25b48d6e64873262e046eae7433976120a1496f01487d.exe
The value lands under WOW6432Node because the writer is a 32-bit process (see the SysWOW64 cmd.exe in the process tree); Windows processes that Run key at logon just like the native one, so the entry is fully effective. The doubled backslashes are the sandbox's escaping of the REG_SZ value.
Suspicious use of SetThreadContext (3 IoCs)
source pid  source process                                                         target pid  target process
4152        conhost.exe                                                            2752        conhost.exe
2628        722c36abd195cce70ee25b48d6e64873262e046eae7433976120a1496f01487d.exe  1168        722c36abd195cce70ee25b48d6e64873262e046eae7433976120a1496f01487d.exe
728         MSCommonDriver.exe                                                     4936        MSCommonDriver.exe
NTFS ADS (1 IoC)
description   ioc                                                  process
File created  C:\Users\Admin\Documents\Documents:ApplicationData   722c36abd195cce70ee25b48d6e64873262e046eae7433976120a1496f01487d.exe
Suspicious use of WriteProcessMemory (46 IoCs)
The report lists every write as its own row; the rows are identical apart from repetition and are collapsed here with a count per source/target pair.
- PID 5028 (722c36abd195cce70ee25b48d6e64873262e046eae7433976120a1496f01487d.exe) wrote to memory of 4152 (conhost.exe): 3 events
- PID 4152 (conhost.exe) wrote to memory of 2752 (conhost.exe): 7 events
- PID 5028 (722c36abd195cce70ee25b48d6e64873262e046eae7433976120a1496f01487d.exe) wrote to memory of 1192 (722c36abd195cce70ee25b48d6e64873262e046eae7433976120a1496f01487d.exe): 3 events
- PID 1192 (722c36abd195cce70ee25b48d6e64873262e046eae7433976120a1496f01487d.exe) wrote to memory of 2628 (722c36abd195cce70ee25b48d6e64873262e046eae7433976120a1496f01487d.exe): 3 events
- PID 2628 (722c36abd195cce70ee25b48d6e64873262e046eae7433976120a1496f01487d.exe) wrote to memory of 1168 (722c36abd195cce70ee25b48d6e64873262e046eae7433976120a1496f01487d.exe): 11 events
- PID 1168 (722c36abd195cce70ee25b48d6e64873262e046eae7433976120a1496f01487d.exe) wrote to memory of 728 (MSCommonDriver.exe): 3 events
- PID 728 (MSCommonDriver.exe) wrote to memory of 4936 (MSCommonDriver.exe): 11 events
- PID 4936 (MSCommonDriver.exe) wrote to memory of 1552 (cmd.exe): 5 events
Processes
Indentation reproduces the depth numbers 1 to 7 the report attaches to each process; PIDs are matched from the WriteProcessMemory and SetThreadContext events above.
1. C:\Users\Admin\AppData\Local\Temp\722c36abd195cce70ee25b48d6e64873262e046eae7433976120a1496f01487d.exe (PID 5028), command line "C:\Users\Admin\AppData\Local\Temp\722c36abd195cce70ee25b48d6e64873262e046eae7433976120a1496f01487d.exe"
   - Suspicious use of WriteProcessMemory
   2. C:\ProgramData\conhost.exe (PID 4152), command line "C:\ProgramData\conhost.exe"
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - Suspicious use of WriteProcessMemory
      3. C:\ProgramData\conhost.exe (PID 2752), command line "C:\ProgramData\conhost.exe"
         - Executes dropped EXE
   2. C:\Users\Admin\AppData\Local\Temp\722c36abd195cce70ee25b48d6e64873262e046eae7433976120a1496f01487d.exe (PID 1192), command line "C:\Users\Admin\AppData\Local\Temp\722c36abd195cce70ee25b48d6e64873262e046eae7433976120a1496f01487d.exe"
      - Suspicious use of WriteProcessMemory
      3. C:\Users\Admin\AppData\Local\Temp\722c36abd195cce70ee25b48d6e64873262e046eae7433976120a1496f01487d.exe (PID 2628), command line "C:\Users\Admin\AppData\Local\Temp\722c36abd195cce70ee25b48d6e64873262e046eae7433976120a1496f01487d.exe"
         - Suspicious use of SetThreadContext
         - Suspicious use of WriteProcessMemory
         4. C:\Users\Admin\AppData\Local\Temp\722c36abd195cce70ee25b48d6e64873262e046eae7433976120a1496f01487d.exe (PID 1168), command line "C:\Users\Admin\AppData\Local\Temp\722c36abd195cce70ee25b48d6e64873262e046eae7433976120a1496f01487d.exe"
            - Drops startup file
            - Adds Run key to start application
            - NTFS ADS
            - Suspicious use of WriteProcessMemory
            5. C:\Users\Admin\Documents\MSCommonDriver.exe (PID 728), command line "C:\Users\Admin\Documents\MSCommonDriver.exe"
               - Executes dropped EXE
               - Suspicious use of SetThreadContext
               - Suspicious use of WriteProcessMemory
               6. C:\Users\Admin\Documents\MSCommonDriver.exe (PID 4936), command line "C:\Users\Admin\Documents\MSCommonDriver.exe"
                  - Executes dropped EXE
                  - Suspicious use of WriteProcessMemory
                  7. C:\Windows\SysWOW64\cmd.exe (PID 1552), command line "C:\Windows\System32\cmd.exe"
                     (the 32-bit parent asked for System32\cmd.exe; WOW64 file-system redirection resolved it to the SysWOW64 copy)
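The chain above repeats one pattern three times: a process writes into a freshly started copy of its own image and then calls SetThreadContext on it (4152 into 2752, 2628 into 1168, 728 into 4936), which is the RunPE / self-hollowing sequence, and the WarzoneRAT YARA hits sit in exactly those two 722c...exe and MSCommonDriver.exe children. The following is an added example, not sandbox output and not code from any of the families involved: it parses event rows in the format the report prints, pairs each SetThreadContext with a WriteProcessMemory on the same parent/child pair, and walks the WriteProcessMemory edges back to the root to give each hollowed process its lineage. The event lines are constructed from this report (deduplicated). Treating the first process to write into a PID as its creator is an assumption of this example, since the sandbox logs a parent's ordinary CreateProcess writes under the same signature; the report itself does not state parent PIDs.

```python
"""Spot self-hollowing in Triage-style signature rows.

Added example, not part of the sandbox report. Event lines are constructed
from the SetThreadContext / WriteProcessMemory rows above (deduplicated).
"""
import re

SAMPLE = "722c36abd195cce70ee25b48d6e64873262e046eae7433976120a1496f01487d.exe"

# Constructed input, one row per event in the report's own layout:
# "PID <src> <op> <dst> <src> <src image> <dst image>".
EVENTS = f"""
PID 4152 set thread context of 2752 4152 conhost.exe conhost.exe
PID 2628 set thread context of 1168 2628 {SAMPLE} {SAMPLE}
PID 728 set thread context of 4936 728 MSCommonDriver.exe MSCommonDriver.exe
PID 5028 wrote to memory of 4152 5028 {SAMPLE} conhost.exe
PID 5028 wrote to memory of 4152 5028 {SAMPLE} conhost.exe
PID 4152 wrote to memory of 2752 4152 conhost.exe conhost.exe
PID 5028 wrote to memory of 1192 5028 {SAMPLE} {SAMPLE}
PID 1192 wrote to memory of 2628 1192 {SAMPLE} {SAMPLE}
PID 2628 wrote to memory of 1168 2628 {SAMPLE} {SAMPLE}
PID 1168 wrote to memory of 728 1168 {SAMPLE} MSCommonDriver.exe
PID 728 wrote to memory of 4936 728 MSCommonDriver.exe MSCommonDriver.exe
PID 4936 wrote to memory of 1552 4936 MSCommonDriver.exe cmd.exe
""".strip().splitlines()

EVENT_RE = re.compile(
    r"^PID (?P<src>\d+) (?P<op>wrote to memory of|set thread context of) "
    r"(?P<dst>\d+) \d+ (?P<src_img>\S+) (?P<dst_img>\S+)$"
)
WRITE, SETCTX = "wrote to memory of", "set thread context of"


def parse_events(lines):
    """Parse rows into dicts; rows that do not match the layout are skipped."""
    events = []
    for line in lines:
        m = EVENT_RE.match(line.strip())
        if m:
            e = m.groupdict()
            e["src"], e["dst"] = int(e["src"]), int(e["dst"])
            events.append(e)
    return events


def find_hollowing(events):
    """(parent, child, image) for each SetThreadContext whose parent/child pair
    also has a WriteProcessMemory and whose two image names are identical.

    The sandbox flags each API on its own; the correlation that turns
    "wrote + redirected the thread of my own copy" into one finding is here.
    """
    writes = {(e["src"], e["dst"]) for e in events if e["op"] == WRITE}
    return [
        (e["src"], e["dst"], e["dst_img"])
        for e in events
        if e["op"] == SETCTX
        and (e["src"], e["dst"]) in writes
        and e["src_img"] == e["dst_img"]
    ]


def parent_map(events):
    """Assumption of this example: the first process to write into a PID is
    its creator, so WriteProcessMemory edges reconstruct the process tree."""
    parents = {}
    for e in events:
        if e["op"] == WRITE:
            parents.setdefault(e["dst"], e["src"])
    return parents


def lineage(pid, parents):
    """Walk parent links from pid to the root (root first); stops on a cycle."""
    chain = [pid]
    while chain[-1] in parents and parents[chain[-1]] not in chain:
        chain.append(parents[chain[-1]])
    return chain[::-1]


def report(lines=EVENTS):
    events = parse_events(lines)
    parents = parent_map(events)
    return [
        {"parent": p, "child": c, "image": img, "lineage": lineage(c, parents)}
        for p, c, img in find_hollowing(events)
    ]


if __name__ == "__main__":
    for row in report():
        print(f"{row['image']}: {row['parent']} -> {row['child']}  "
              f"lineage {' > '.join(map(str, row['lineage']))}")
```

On a real EDR feed the same correlation is done on process-creation, WriteProcessMemory (or NtWriteVirtualMemory) and SetThreadContext telemetry keyed by the parent/child handle; requiring the image names to match is what separates this pattern from a debugger or an installer writing into a helper process.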
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\ProgramData\conhost.exe (the report lists this file three times with identical values)
  Filesize: 52KB
  MD5: d8e1495b46cded57eb1423b8bb789834
  SHA1: db64bc20550e51c602dbb92d07c8f02842efebcc
  SHA256: aa2d97b5be06be67ec04774ad681da6113ee2b4929c0539929bbac19926682c8
  SHA512: 8b785d7f8d5fdf12dd9a5414050d403e861fd3f9ac09bceebc57b2f178c6f145389783ed1035b5e6f9b627b3d4d978f3ad9bf8195d92e20f585ef92667e4cabb
  This is not the Windows console host: it is a 52KB binary dropped into C:\ProgramData and executed from there (see "Executes dropped EXE"). A process named conhost.exe whose image is outside System32 is the hunting lead.
- C:\Users\Admin\Documents\MSCommonDriver.exe (the report lists this file three times with identical values)
  Filesize: 383KB
  MD5: 96b5dcad2ade88e0c99e84b4869224e7
  SHA1: f23d4988ca9ef6fcf9e219dd249eff9988d5f7c5
  SHA256: 722c36abd195cce70ee25b48d6e64873262e046eae7433976120a1496f01487d
  SHA512: 8ed9e7fa921b1c75ac6aec5016c138f213b0ff6341d263783d716db530da076794336bc02d6c9b141850d0250bf11b60d0ac401425dbfd13d8904a359284fb85
  Size and all four hashes are identical to the submitted sample: the file the Run key points at is a byte-for-byte self-copy, so the sample's hashes are also the persistence IoC.
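The Run key, the Startup-folder drop, the NTFS stream and the dropped-file hashes above describe one persistence setup: the Run value names C:\Users\Admin\Documents\MSCommonDriver.exe, and the Downloads table shows that file carries the sample's own SHA256. The following is an added example, not sandbox output: it parses those rows, separates NTFS stream names from file paths (the drive-letter colon is not a stream), flags Startup-folder drops and the WOW6432Node hive path, and confirms by hash that the persistence target is a self-copy. Inputs are constructed from this report; the regular expression for the sandbox's "Set value (str)" row is this example's assumption about that layout.

```python
"""Correlate the persistence artifacts with the dropped-file hashes.

Added example, not part of the sandbox report. Input strings are copied
from the signature rows and the Downloads table above.
"""
import re

SAMPLE_SHA256 = "722c36abd195cce70ee25b48d6e64873262e046eae7433976120a1496f01487d"

# Copied from the "Adds Run key" row. The sandbox prints the REG_SZ value
# with escaped backslashes, which parse_run_key() undoes.
RUN_KEY_EVENT = (
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows'
    r'\CurrentVersion\Run\MSCommonDriver = "C:\\Users\\Admin\\Documents\\MSCommonDriver.exe"'
)

# Copied from the "Drops startup file" and "NTFS ADS" rows.
FILE_EVENTS = [
    r"File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\programs.bat",
    r"File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\programs.bat:start",
    r"File created C:\Users\Admin\Documents\Documents:ApplicationData",
]

# Copied from the Downloads table (path -> SHA256).
DROPPED_FILES = {
    r"C:\ProgramData\conhost.exe":
        "aa2d97b5be06be67ec04774ad681da6113ee2b4929c0539929bbac19926682c8",
    r"C:\Users\Admin\Documents\MSCommonDriver.exe":
        "722c36abd195cce70ee25b48d6e64873262e046eae7433976120a1496f01487d",
}

# Assumption of this example: the row layout is  Set value (str) <key>\<name> = "<value>"
RUN_RE = re.compile(
    r'^Set value \(str\) (?P<key>\\REGISTRY\\[^ ]+?)\\(?P<name>[^\\ ]+) = "(?P<value>.*)"$'
)
STARTUP_FOLDER = "\\Start Menu\\Programs\\Startup\\"


def parse_run_key(line):
    """Split a Set value row into key path, value name and the target path."""
    m = RUN_RE.match(line)
    if not m:
        raise ValueError(f"not a Set value row: {line!r}")
    return {
        "key": m["key"],
        "value_name": m["name"],
        "target": m["value"].replace("\\\\", "\\"),
        # A 32-bit writer is redirected to WOW6432Node; Windows runs entries
        # from both Run keys at logon, so this one is fully effective.
        "wow64_redirected": "\\WOW6432Node\\" in m["key"],
    }


def split_ads(path):
    """Return (file_path, stream_name); only a colon after the drive letter
    marks an alternate data stream."""
    drive, rest = path[:2], path[2:]
    if ":" in rest:
        base, _, stream = rest.rpartition(":")
        return drive + base, stream
    return path, None


def classify_file_events(lines):
    """One row per 'File created' event with stream and Startup-folder flags."""
    rows = []
    for line in lines:
        if not line.startswith("File created "):
            continue
        base, stream = split_ads(line[len("File created "):])
        rows.append({"path": base, "stream": stream,
                     "startup_folder": STARTUP_FOLDER in base})
    return rows


def persistence_target_is_self_copy(run_key_line, dropped, sample_sha256):
    """True when the Run value's target is a dropped file with the sample's hash."""
    target = parse_run_key(run_key_line)["target"]
    return dropped.get(target) == sample_sha256


if __name__ == "__main__":
    print(parse_run_key(RUN_KEY_EVENT))
    for row in classify_file_events(FILE_EVENTS):
        print(row)
    print("Run key target is a self-copy:",
          persistence_target_is_self_copy(RUN_KEY_EVENT, DROPPED_FILES, SAMPLE_SHA256))
```

For host hunting the three outputs translate directly: the Run value name and target path, the Startup folder entry (check the "start" stream with dir /r, since a plain listing hides it), and the sample's hashes for the Documents copy.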
Memory dumps (the 0x400000-0x55A000 regions of PIDs 1168 and 4936 are the ones the warzonerat YARA rule matched):
- memory/728-152-0x0000000000886000-0x0000000000894000-memory.dmp  56KB
- memory/728-149-0x0000000000000000-mapping.dmp
- memory/1168-143-0x0000000000000000-mapping.dmp
- memory/1168-144-0x0000000000400000-0x000000000055A000-memory.dmp  1.4MB
- memory/1168-146-0x0000000000400000-0x000000000055A000-memory.dmp  1.4MB
- memory/1168-153-0x0000000000400000-0x000000000055A000-memory.dmp  1.4MB
- memory/1168-148-0x0000000000400000-0x000000000055A000-memory.dmp  1.4MB
- memory/1192-137-0x0000000000000000-mapping.dmp
- memory/1192-140-0x0000000000827000-0x0000000000835000-memory.dmp  56KB
- memory/1552-160-0x0000000000000000-mapping.dmp
- memory/1552-161-0x0000000000DC0000-0x0000000000DC1000-memory.dmp  4KB
- memory/2628-141-0x0000000000000000-mapping.dmp
- memory/2628-142-0x0000000000877000-0x0000000000885000-memory.dmp  56KB
- memory/2752-147-0x0000000000400000-0x0000000000407000-memory.dmp  28KB
- memory/2752-138-0x0000000000400000-0x0000000000407000-memory.dmp  28KB
- memory/2752-136-0x0000000000000000-mapping.dmp
- memory/4152-132-0x0000000000000000-mapping.dmp
- memory/4936-154-0x0000000000000000-mapping.dmp
- memory/4936-159-0x0000000000400000-0x000000000055A000-memory.dmp  1.4MB
- memory/4936-162-0x0000000000400000-0x000000000055A000-memory.dmp  1.4MB
- memory/5028-133-0x00000000008A6000-0x00000000008B4000-memory.dmp  56KB