Analysis
- max time kernel: 244s
- max time network: 333s
- platform: windows7_x64
- resource: win7-20221111-en
- resource tags: arch:x64, arch:x86, image:win7-20221111-en, locale:en-us, os:windows7-x64, system
- submitted: 24-11-2022 13:06
Static task: static1
Behavioral task: behavioral1
- Sample: NAIRA.exe
- Resource: win7-20221111-en
Behavioral task: behavioral2
- Sample: NAIRA.exe
- Resource: win10v2004-20221111-en
General
- Target: NAIRA.exe
- Size: 329KB
- MD5: a297fc96705a5b9eaab9c2fc2b0812c6
- SHA1: 69c6bc48630c3007210558fdba2b5ebf560dd4e4
- SHA256: 05ed8dd37d7213f8614e973073d4b428cfb6abca1e733726524d927e903e299a
- SHA512: be08aa229d49bd755878c34405a3a1cc5b0a63ea20b2b124dc5c8da86ec2c2277acdbb5a76f56f17d9772c80c8205c1540ece84dbe7f7396cc3e828e6f87a07d
- SSDEEP: 6144:jGNLZif9wzrPWDSHm0XPsGNLZif9wzrPWDSHm0XPjThu8:jGNdi1wfOgmkPsGNdi1wfOgmkPjh
Malware Config
Extracted
- Family: warzonerat
- C2 (host:port): 7.tcp.eu.ngrok.io:10200
Signatures
- WarzoneRat, AveMaria
  WarzoneRat is a native RAT developed in C++ with multiple plugins, sold as malware-as-a-service (MaaS).
- Warzone RAT payload (6 IoCs)
  Processes:
  resource | yara_rule
  C:\Users\Admin\AppData\Local\Temp\Side.exe | warzonerat (2 hits)
  \ProgramData\images.exe | warzonerat (2 hits)
  C:\ProgramData\images.exe | warzonerat (2 hits)
- Executes dropped EXE (2 IoCs)
  Processes:
  pid | process
  992 | Side.exe
  1004 | images.exe
- Loads dropped DLL (2 IoCs)
  Processes:
  pid | process
  992 | Side.exe (2 hits)
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Accesses Microsoft Outlook profiles (1 TTP, 2 IoCs)
  Processes:
  description | ioc | process
  Key opened | \REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | images.exe
  Key opened | \REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | images.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious use of SetWindowsHookEx (1 IoC)
  Processes:
  pid | process
  1004 | images.exe
- Suspicious use of WriteProcessMemory (14 IoCs)
  Processes:
  description | pid | process | target process
  PID 1872 wrote to memory of 992 | 1872 | NAIRA.exe | Side.exe (4 hits)
  PID 992 wrote to memory of 1004 | 992 | Side.exe | images.exe (4 hits)
  PID 1004 wrote to memory of 1404 | 1004 | images.exe | cmd.exe (6 hits)
- outlook_office_path (1 IoC)
  Processes:
  description | ioc | process
  Key opened | \REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | images.exe
- outlook_win_path (1 IoC)
  Processes:
  description | ioc | process
  Key opened | \REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | images.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\NAIRA.exe (PID 1872)
  Command line: "C:\Users\Admin\AppData\Local\Temp\NAIRA.exe"
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\Side.exe (PID 992)
    Command line: "C:\Users\Admin\AppData\Local\Temp\Side.exe"
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    - C:\ProgramData\images.exe (PID 1004)
      Command line: "C:\ProgramData\images.exe"
      - Executes dropped EXE
      - Accesses Microsoft Outlook profiles
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      - outlook_office_path
      - outlook_win_path
      - C:\Windows\SysWOW64\cmd.exe (PID 1404)
        Command line: "C:\Windows\System32\cmd.exe"
        (The System32 path in the command line resolves to SysWOW64 because WoW64 file-system redirection applies to 32-bit parent processes.)
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\ProgramData\images.exe
  Filesize: 98KB
  MD5: 4413d2656402a6574e685927de745dce
  SHA1: 722bab9a0653a2f1f8b3079185ff415bacaf5dcb
  SHA256: bfddc619a25d62d78ea685ac1584e93a7dc0f909893aa491c799bf1ffbfea230
  SHA512: 45f92fac5670f6be7cec6b67df5cc1aa20d1e662c9324c0b193a6d25c9e454f62ffb3859fe46b0d538d746b4692d7dae83cfcf3e0a907c7a901843db3753c104
  (listed twice in the report with identical hashes)
- C:\Users\Admin\AppData\Local\Temp\Side.exe
  Filesize and all hashes identical to C:\ProgramData\images.exe above (listed twice in the report)
- \ProgramData\images.exe
  Filesize and all hashes identical to C:\ProgramData\images.exe above (listed twice in the report)
- memory/992-58-0x00000000757E1000-0x00000000757E3000-memory.dmp (Filesize: 8KB)
- memory/992-56-0x0000000000000000-mapping.dmp
- memory/1004-62-0x0000000000000000-mapping.dmp
- memory/1004-68-0x0000000003240000-0x00000000032C4000-memory.dmp (Filesize: 528KB)
- memory/1004-69-0x0000000003240000-0x00000000032C4000-memory.dmp (Filesize: 528KB)
- memory/1404-65-0x0000000000000000-mapping.dmp
- memory/1404-66-0x00000000001A0000-0x00000000001A1000-memory.dmp (Filesize: 4KB)
- memory/1872-54-0x0000000000ED0000-0x0000000000F28000-memory.dmp (Filesize: 352KB)
- memory/1872-55-0x000007FEFB8A1000-0x000007FEFB8A3000-memory.dmp (Filesize: 8KB)