Analysis
-
max time kernel
143s -
max time network
152s -
platform
windows7_x64 -
resource
win7-20220812-en -
resource tags
-
submitted
30-09-2022 13:34
General
-
Target
Request For RFQ-Quote - Purchase order-#04973579329.exe
-
Size
332KB
-
MD5
2fa872c29baefef24bd046b7813a049d
-
SHA1
a1222c09bde48a4949a66df1b10d96eacbc83a37
-
SHA256
c10a9477615e2070cd7bdfb136a14837607a48538a6301473809ed8cd83fd7c8
-
SHA512
377a7b74d1e7dcb59cd571c6bd3ed24ee654215d719d20a96fb61a32c27e967f042b9a3b149100c87872dc0ae8923b3d4ebdb11418207ce8153daf1f9daf4ba1
-
SSDEEP
6144:NfimM71dJOEqCEINXeHCm2WRMCVdKrLPefCoJ8L77:gx32IReT2WRMCi/xh7
Malware Config
Extracted
warzonerat
81.161.229.75:5200
Signatures
-
WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
-
Warzone RAT payload 9 IoCs
-
Executes dropped EXE 1 IoCs
-
Modifies Windows Firewall 1 TTPs 1 IoCs
-
UPX packed file 4 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Drops startup file 2 IoCs
-
Loads dropped DLL 1 IoCs
-
Suspicious use of SetThreadContext 2 IoCs
-
Suspicious behavior: EnumeratesProcesses 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
-
Suspicious use of WriteProcessMemory 34 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\Request For RFQ-Quote - Purchase order-#04973579329.exe"C:\Users\Admin\AppData\Local\Temp\Request For RFQ-Quote - Purchase order-#04973579329.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Powershell.exe"Powershell" Copy-Item 'C:\Users\Admin\AppData\Local\Temp\Request For RFQ-Quote - Purchase order-#04973579329.exe' 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SyDGDSGSDGDGSstem.exe'2⤵
- Drops startup file
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"2⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe"3⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\127.exe"C:\Users\Admin\AppData\Local\Temp\127.exe"4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall add rule name="3389" dir=in action=allow protocol=TCP localport=33895⤵
- Modifies Windows Firewall
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
70KB
MD5ca96229390a0e6a53e8f2125f2c01114
SHA1a54b1081cf58724f8cb292b4d165dfee2fb1c9f6
SHA2560df3d05900e7b530f6c2a281d43c47839f2cf2a5d386553c8dc46e463a635a2c
SHA512e93445bce6c8b6f51890309577a0ea9369860d2e6bf8cc0ca708879a77bb176d27c5f559bbdb7deb4b719aee0fc48d9068c293559f7629baf4ec3515898102ef
-
Filesize
70KB
MD5ca96229390a0e6a53e8f2125f2c01114
SHA1a54b1081cf58724f8cb292b4d165dfee2fb1c9f6
SHA2560df3d05900e7b530f6c2a281d43c47839f2cf2a5d386553c8dc46e463a635a2c
SHA512e93445bce6c8b6f51890309577a0ea9369860d2e6bf8cc0ca708879a77bb176d27c5f559bbdb7deb4b719aee0fc48d9068c293559f7629baf4ec3515898102ef
-
Filesize
336KB
-
Filesize
8KB
-
Filesize
112KB
-
Filesize
192KB
-
Filesize
192KB
-
Filesize
192KB
-
Filesize
192KB
-
Filesize
192KB
-
-
Filesize
192KB
-
Filesize
192KB
-
Filesize
48KB
-
Filesize
32KB
-
Filesize
192KB
-
Filesize
1.4MB
-
-
Filesize
1.4MB
-
Filesize
1.4MB
-
Filesize
1.4MB
-
Filesize
1.4MB
-
Filesize
1.4MB
-
Filesize
180KB
-
Filesize
1.4MB
-
Filesize
1.4MB
-
Filesize
180KB
-
Filesize
1.4MB
-
Filesize
1.4MB
-
-
Filesize
5.7MB
-
-
Filesize
5.7MB
-
-
Filesize
180KB
-
Filesize
180KB