Analysis
-
max time kernel
19s -
max time network
183s -
platform
windows7_x64 -
resource
win7-20221111-en -
resource tags
arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system -
submitted
23-11-2022 23:02
Static task
static1
Behavioral task
behavioral1
Sample
446a385b78c169ee2cf201419f8451f4.exe
Resource
win7-20221111-en
Behavioral task
behavioral2
Sample
446a385b78c169ee2cf201419f8451f4.exe
Resource
win10v2004-20220812-en
General
-
Target
446a385b78c169ee2cf201419f8451f4.exe
-
Size
270KB
-
MD5
446a385b78c169ee2cf201419f8451f4
-
SHA1
faf0863d1742ad2f73708cd57abd1a00bad70efa
-
SHA256
93d8270cf8904624572540c924610458e0eb7984afc5c744eeda2e50ad5024c2
-
SHA512
ff9ab8057c9d76e2b1e12a7a9818258b18d93ed0addc94c93330156b72de21d349de072104915c0a232b4bbf6415afbde7816d06de09978a6c984fe481f9b225
-
SSDEEP
6144:HEa0eDyf/UBrohN9DYNOgcdj+vdIHK+1vZ+o4PI:LdNsgKj8eHKnzPI
Malware Config
Extracted
warzonerat
maulo.duckdns.org:6269
Signatures
-
WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
-
Warzone RAT payload 2 IoCs
Processes:
resource yara_rule behavioral1/memory/688-67-0x0000000000400000-0x000000000041D000-memory.dmp warzonerat behavioral1/memory/688-68-0x0000000000400000-0x000000000041D000-memory.dmp warzonerat -
Executes dropped EXE 2 IoCs
Processes:
cbqgbcfj.execbqgbcfj.exepid process 2036 cbqgbcfj.exe 688 cbqgbcfj.exe -
Loads dropped DLL 3 IoCs
Processes:
446a385b78c169ee2cf201419f8451f4.execbqgbcfj.exepid process 1264 446a385b78c169ee2cf201419f8451f4.exe 1264 446a385b78c169ee2cf201419f8451f4.exe 2036 cbqgbcfj.exe -
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
cbqgbcfj.exedescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run\bcvqp = "C:\\Users\\Admin\\AppData\\Roaming\\tbbhskuelr\\vhoysalw.exe \"C:\\Users\\Admin\\AppData\\Local\\Temp\\cbqgbcfj.exe\" C:\\Users\\Admin\\AppData\\Loc" cbqgbcfj.exe -
Suspicious use of SetThreadContext 1 IoCs
Processes:
cbqgbcfj.exedescription pid process target process PID 2036 set thread context of 688 2036 cbqgbcfj.exe cbqgbcfj.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious behavior: MapViewOfSection 1 IoCs
Processes:
cbqgbcfj.exepid process 2036 cbqgbcfj.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
Processes:
cbqgbcfj.exepid process 688 cbqgbcfj.exe -
Suspicious use of WriteProcessMemory 9 IoCs
Processes:
446a385b78c169ee2cf201419f8451f4.execbqgbcfj.exedescription pid process target process PID 1264 wrote to memory of 2036 1264 446a385b78c169ee2cf201419f8451f4.exe cbqgbcfj.exe PID 1264 wrote to memory of 2036 1264 446a385b78c169ee2cf201419f8451f4.exe cbqgbcfj.exe PID 1264 wrote to memory of 2036 1264 446a385b78c169ee2cf201419f8451f4.exe cbqgbcfj.exe PID 1264 wrote to memory of 2036 1264 446a385b78c169ee2cf201419f8451f4.exe cbqgbcfj.exe PID 2036 wrote to memory of 688 2036 cbqgbcfj.exe cbqgbcfj.exe PID 2036 wrote to memory of 688 2036 cbqgbcfj.exe cbqgbcfj.exe PID 2036 wrote to memory of 688 2036 cbqgbcfj.exe cbqgbcfj.exe PID 2036 wrote to memory of 688 2036 cbqgbcfj.exe cbqgbcfj.exe PID 2036 wrote to memory of 688 2036 cbqgbcfj.exe cbqgbcfj.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\446a385b78c169ee2cf201419f8451f4.exe"C:\Users\Admin\AppData\Local\Temp\446a385b78c169ee2cf201419f8451f4.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1264 -
C:\Users\Admin\AppData\Local\Temp\cbqgbcfj.exe"C:\Users\Admin\AppData\Local\Temp\cbqgbcfj.exe" C:\Users\Admin\AppData\Local\Temp\tdqxsiqn.wzt2⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:2036 -
C:\Users\Admin\AppData\Local\Temp\cbqgbcfj.exe"C:\Users\Admin\AppData\Local\Temp\cbqgbcfj.exe" C:\Users\Admin\AppData\Local\Temp\tdqxsiqn.wzt3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:688
-
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
98KB
MD5eb0e102cf7a45e69b4af1c6592da3eb3
SHA1abf1b153cd94774fe56ae8eaf758ee98aa54fb73
SHA2561a1b9170939f420e2d70cec090d2ff4a3db622bfb00232aa3807c676ac20eac2
SHA51271196d508977bc992a8a26a114b04238c19bae270db84cd6102d46a697796035fd50ae2224f21895f3303e736d8ba7a22206620b0915e15a7e0db501f1afc90a
-
Filesize
91KB
MD5a02c0b7c2e9a984b157f34eac873610e
SHA19973b2502c265bdc4f2462a902ccd2869aa6e4b4
SHA256ee9e77424cd333e8b66cd7e6ce902e0606b5695cee50cbb2b12a1da2155c602b
SHA51200079d13f5ad82e52561fc2d426cbdd5bcc5afdc99a728c74aa7972d75839e51b53d4d25898df0b15da00b05b9bb01c79d832ce5b4367a4d501fb0c6d3320b0c
-
Filesize
91KB
MD5a02c0b7c2e9a984b157f34eac873610e
SHA19973b2502c265bdc4f2462a902ccd2869aa6e4b4
SHA256ee9e77424cd333e8b66cd7e6ce902e0606b5695cee50cbb2b12a1da2155c602b
SHA51200079d13f5ad82e52561fc2d426cbdd5bcc5afdc99a728c74aa7972d75839e51b53d4d25898df0b15da00b05b9bb01c79d832ce5b4367a4d501fb0c6d3320b0c
-
Filesize
91KB
MD5a02c0b7c2e9a984b157f34eac873610e
SHA19973b2502c265bdc4f2462a902ccd2869aa6e4b4
SHA256ee9e77424cd333e8b66cd7e6ce902e0606b5695cee50cbb2b12a1da2155c602b
SHA51200079d13f5ad82e52561fc2d426cbdd5bcc5afdc99a728c74aa7972d75839e51b53d4d25898df0b15da00b05b9bb01c79d832ce5b4367a4d501fb0c6d3320b0c
-
Filesize
7KB
MD586e6b94212b8223ba953d087c58fce45
SHA1c8896f3056e1ec9ca7b3fba5e37a5ddb8af60fb0
SHA256bb96debb44a7cc32c92582a3f455b4413291d89570cb1f29f95af9b6c2e94248
SHA5123d823a7e0d304245c3887a31daaa32aa80dc1efff1d2289f430cb3eef665d81be77bbe7f220c34d33f643969620b51e0f72f98c6645c97357c9799b2b543189a
-
Filesize
91KB
MD5a02c0b7c2e9a984b157f34eac873610e
SHA19973b2502c265bdc4f2462a902ccd2869aa6e4b4
SHA256ee9e77424cd333e8b66cd7e6ce902e0606b5695cee50cbb2b12a1da2155c602b
SHA51200079d13f5ad82e52561fc2d426cbdd5bcc5afdc99a728c74aa7972d75839e51b53d4d25898df0b15da00b05b9bb01c79d832ce5b4367a4d501fb0c6d3320b0c
-
Filesize
91KB
MD5a02c0b7c2e9a984b157f34eac873610e
SHA19973b2502c265bdc4f2462a902ccd2869aa6e4b4
SHA256ee9e77424cd333e8b66cd7e6ce902e0606b5695cee50cbb2b12a1da2155c602b
SHA51200079d13f5ad82e52561fc2d426cbdd5bcc5afdc99a728c74aa7972d75839e51b53d4d25898df0b15da00b05b9bb01c79d832ce5b4367a4d501fb0c6d3320b0c
-
Filesize
91KB
MD5a02c0b7c2e9a984b157f34eac873610e
SHA19973b2502c265bdc4f2462a902ccd2869aa6e4b4
SHA256ee9e77424cd333e8b66cd7e6ce902e0606b5695cee50cbb2b12a1da2155c602b
SHA51200079d13f5ad82e52561fc2d426cbdd5bcc5afdc99a728c74aa7972d75839e51b53d4d25898df0b15da00b05b9bb01c79d832ce5b4367a4d501fb0c6d3320b0c