Analysis
- max time kernel: 179s
- max time network: 187s
- platform: windows7_x64
- resource: win7-20221111-en
- resource tags: arch:x64, arch:x86, image:win7-20221111-en, locale:en-us, os:windows7-x64, system
- submitted: 23-11-2022 14:42
Static task: static1
Behavioral task: behavioral1
- Sample: SOA72736467388453latest.exe
- Resource: win7-20221111-en
Behavioral task: behavioral2
- Sample: SOA72736467388453latest.exe
- Resource: win10v2004-20220901-en
General
- Target: SOA72736467388453latest.exe
- Size: 261KB
- MD5: 676cf08fb03d8a9ffcf5ab5d36447c15
- SHA1: d5affa18c7ec3b13bc91f103d08e9b779ccd5560
- SHA256: 5b3b7ebe915f592364c520775e220965c95bdb9dee6160de07993866645c0dea
- SHA512: 05c458b547d715ae0ca5d9d4a7c55b699b35b087a28584deb9f7720f8ed70b464690749c6e60a6f64f4d348f7c5f36837baac29ee7c1c76543972ff155d1e5e1
- SSDEEP: 6144:NBHhJHDyzWdMSHDPUEPFWjlxUTm7LcTbTeEZFH0pviB9jV5QR:NJhNdMS1Ajlaq7LcHT9qsB
Malware Config
Extracted
- Family: warzonerat
- C2: charlesdnsoh.duckdns.org:77
Signatures
- WarzoneRat, AveMaria
  WarzoneRat is a native RAT developed in C++ with multiple plugins, sold as a MaaS.
- Uses the VBS compiler for execution (1 TTP)
- Suspicious use of SetThreadContext (1 IoC)
  Processes (description / pid / process / target pid / target process):
  set thread context / 1456 / SOA72736467388453latest.exe / 1224 / vbc.exe
- Suspicious use of WriteProcessMemory (11 IoCs)
  Processes (description / pid / process / target pid / target process), 11 identical events:
  wrote to memory / 1456 / SOA72736467388453latest.exe / 1224 / vbc.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\SOA72736467388453latest.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\SOA72736467388453latest.exe"
  PID: 1456
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  - C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe (child of PID 1456)
    Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
    PID: 1224
Network
MITRE ATT&CK Enterprise v6
Downloads
- memory/1224-62-0x00000000006C0000-0x000000000081E000-memory.dmp (1.4MB)
- memory/1224-57-0x00000000006C0000-0x000000000081E000-memory.dmp (1.4MB)
- memory/1224-60-0x00000000006C0000-0x000000000081E000-memory.dmp (1.4MB)
- memory/1224-58-0x00000000006C0000-0x000000000081E000-memory.dmp (1.4MB)
- memory/1224-64-0x00000000006C0000-0x000000000081E000-memory.dmp (1.4MB)
- memory/1224-66-0x00000000006C0000-0x000000000081E000-memory.dmp (1.4MB)
- memory/1224-68-0x0000000000405E28-mapping.dmp
- memory/1224-69-0x00000000006C0000-0x000000000081E000-memory.dmp (1.4MB)
- memory/1224-73-0x00000000006C0000-0x000000000081E000-memory.dmp (1.4MB)
- memory/1224-78-0x00000000006C0000-0x000000000081E000-memory.dmp (1.4MB)
- memory/1456-55-0x00000000766F1000-0x00000000766F3000-memory.dmp (8KB)
- memory/1456-56-0x00000000004E0000-0x000000000050C000-memory.dmp (176KB)
- memory/1456-54-0x0000000000D80000-0x0000000000DC8000-memory.dmp (288KB)