Analysis
max time kernel: 140s
max time network: 156s
platform: windows10-2004_x64
resource: win10v2004-20220901-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220901-en, locale:en-us, os:windows10-2004-x64, system
submitted: 23-11-2022 14:42
Static task: static1
Behavioral task: behavioral1
  Sample: SOA72736467388453latest.exe
  Resource: win7-20221111-en
Behavioral task: behavioral2
  Sample: SOA72736467388453latest.exe
  Resource: win10v2004-20220901-en
General
Target: SOA72736467388453latest.exe
Size: 261KB
MD5: 676cf08fb03d8a9ffcf5ab5d36447c15
SHA1: d5affa18c7ec3b13bc91f103d08e9b779ccd5560
SHA256: 5b3b7ebe915f592364c520775e220965c95bdb9dee6160de07993866645c0dea
SHA512: 05c458b547d715ae0ca5d9d4a7c55b699b35b087a28584deb9f7720f8ed70b464690749c6e60a6f64f4d348f7c5f36837baac29ee7c1c76543972ff155d1e5e1
SSDEEP: 6144:NBHhJHDyzWdMSHDPUEPFWjlxUTm7LcTbTeEZFH0pviB9jV5QR:NJhNdMS1Ajlaq7LcHT9qsB
Malware Config
Extracted family: warzonerat
Extracted host: charlesdnsoh.duckdns.org:77
Signatures
WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
Uses the VBS compiler for execution (1 TTPs)
Suspicious use of SetThreadContext (1 IoCs)
Processes:
description            | pid  | process                     | target pid | target process
set thread context of  | 4972 | SOA72736467388453latest.exe | 816        | vbc.exe
Suspicious use of WriteProcessMemory (10 IoCs)
Processes (the same entry is recorded 10 times):
description            | pid  | process                     | target pid | target process
wrote to memory of     | 4972 | SOA72736467388453latest.exe | 816        | vbc.exe
Processes
1. C:\Users\Admin\AppData\Local\Temp\SOA72736467388453latest.exe (PID 4972)
   Command line: "C:\Users\Admin\AppData\Local\Temp\SOA72736467388453latest.exe"
   - Suspicious use of SetThreadContext
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe (PID 816, child of PID 4972)
      Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
Network
MITRE ATT&CK Enterprise v6
Downloads
memory/816-134-0x0000000000000000-mapping.dmp
memory/816-135-0x0000000000400000-0x000000000055E000-memory.dmp (Filesize 1.4MB)
memory/816-137-0x0000000000400000-0x000000000055E000-memory.dmp (Filesize 1.4MB)
memory/816-138-0x0000000000400000-0x000000000055E000-memory.dmp (Filesize 1.4MB)
memory/816-139-0x0000000000400000-0x000000000055E000-memory.dmp (Filesize 1.4MB)
memory/4972-132-0x0000000000560000-0x00000000005A8000-memory.dmp (Filesize 288KB)
memory/4972-133-0x0000000004F10000-0x0000000004F76000-memory.dmp (Filesize 408KB)