Analysis

  • max time kernel
    91s
  • max time network
    147s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220901-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20220901-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    23-11-2022 23:01

General

  • Target

    446a385b78c169ee2cf201419f8451f4.exe

  • Size

    270KB

  • MD5

    446a385b78c169ee2cf201419f8451f4

  • SHA1

    faf0863d1742ad2f73708cd57abd1a00bad70efa

  • SHA256

    93d8270cf8904624572540c924610458e0eb7984afc5c744eeda2e50ad5024c2

  • SHA512

    ff9ab8057c9d76e2b1e12a7a9818258b18d93ed0addc94c93330156b72de21d349de072104915c0a232b4bbf6415afbde7816d06de09978a6c984fe481f9b225

  • SSDEEP

    6144:HEa0eDyf/UBrohN9DYNOgcdj+vdIHK+1vZ+o4PI:LdNsgKj8eHKnzPI

Malware Config

Extracted

Family

warzonerat

C2

maulo.duckdns.org:6269

Signatures

  • WarzoneRat, AveMaria

    WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.

  • Warzone RAT payload 2 IoCs
  • Executes dropped EXE 2 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 7 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\446a385b78c169ee2cf201419f8451f4.exe
    "C:\Users\Admin\AppData\Local\Temp\446a385b78c169ee2cf201419f8451f4.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:4956
    • C:\Users\Admin\AppData\Local\Temp\cbqgbcfj.exe
      "C:\Users\Admin\AppData\Local\Temp\cbqgbcfj.exe" C:\Users\Admin\AppData\Local\Temp\tdqxsiqn.wzt
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of SetThreadContext
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of WriteProcessMemory
      PID:4888
      • C:\Users\Admin\AppData\Local\Temp\cbqgbcfj.exe
        "C:\Users\Admin\AppData\Local\Temp\cbqgbcfj.exe" C:\Users\Admin\AppData\Local\Temp\tdqxsiqn.wzt
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetWindowsHookEx
        PID:2008

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Users\Admin\AppData\Local\Temp\adhbtojt.sy

    Filesize

    98KB

    MD5

    eb0e102cf7a45e69b4af1c6592da3eb3

    SHA1

    abf1b153cd94774fe56ae8eaf758ee98aa54fb73

    SHA256

    1a1b9170939f420e2d70cec090d2ff4a3db622bfb00232aa3807c676ac20eac2

    SHA512

    71196d508977bc992a8a26a114b04238c19bae270db84cd6102d46a697796035fd50ae2224f21895f3303e736d8ba7a22206620b0915e15a7e0db501f1afc90a

  • C:\Users\Admin\AppData\Local\Temp\cbqgbcfj.exe

    Filesize

    91KB

    MD5

    a02c0b7c2e9a984b157f34eac873610e

    SHA1

    9973b2502c265bdc4f2462a902ccd2869aa6e4b4

    SHA256

    ee9e77424cd333e8b66cd7e6ce902e0606b5695cee50cbb2b12a1da2155c602b

    SHA512

    00079d13f5ad82e52561fc2d426cbdd5bcc5afdc99a728c74aa7972d75839e51b53d4d25898df0b15da00b05b9bb01c79d832ce5b4367a4d501fb0c6d3320b0c

  • C:\Users\Admin\AppData\Local\Temp\tdqxsiqn.wzt

    Filesize

    7KB

    MD5

    86e6b94212b8223ba953d087c58fce45

    SHA1

    c8896f3056e1ec9ca7b3fba5e37a5ddb8af60fb0

    SHA256

    bb96debb44a7cc32c92582a3f455b4413291d89570cb1f29f95af9b6c2e94248

    SHA512

    3d823a7e0d304245c3887a31daaa32aa80dc1efff1d2289f430cb3eef665d81be77bbe7f220c34d33f643969620b51e0f72f98c6645c97357c9799b2b543189a

  • memory/2008-137-0x0000000000000000-mapping.dmp

  • memory/2008-139-0x0000000000400000-0x000000000041D000-memory.dmp

    Filesize

    116KB

  • memory/2008-140-0x0000000000400000-0x000000000041D000-memory.dmp

    Filesize

    116KB

  • memory/4888-132-0x0000000000000000-mapping.dmp