Analysis
- max time kernel: 187s
- max time network: 195s
- platform: windows10-2004_x64
- resource: win10v2004-20221111-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 24-11-2022 13:11
Static task: static1
Behavioral task: behavioral1
- Sample: NAIRA.exe
- Resource: win7-20221111-en
Behavioral task: behavioral2
- Sample: NAIRA.exe
- Resource: win10v2004-20221111-en
General
- Target: NAIRA.exe
- Size: 329KB
- MD5: a297fc96705a5b9eaab9c2fc2b0812c6
- SHA1: 69c6bc48630c3007210558fdba2b5ebf560dd4e4
- SHA256: 05ed8dd37d7213f8614e973073d4b428cfb6abca1e733726524d927e903e299a
- SHA512: be08aa229d49bd755878c34405a3a1cc5b0a63ea20b2b124dc5c8da86ec2c2277acdbb5a76f56f17d9772c80c8205c1540ece84dbe7f7396cc3e828e6f87a07d
- SSDEEP: 6144:jGNLZif9wzrPWDSHm0XPsGNLZif9wzrPWDSHm0XPjThu8:jGNdi1wfOgmkPsGNdi1wfOgmkPjh
Malware Config
Extracted
- Family: warzonerat
- C2: 7.tcp.eu.ngrok.io:10200
Signatures
-
WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
-
Warzone RAT payload 4 IoCs
Processes:
  Resource | YARA rule
  C:\Users\Admin\AppData\Local\Temp\Side.exe | warzonerat
  C:\Users\Admin\AppData\Local\Temp\Side.exe | warzonerat
  C:\ProgramData\images.exe | warzonerat
  C:\ProgramData\images.exe | warzonerat
-
Executes dropped EXE 2 IoCs
Processes:
  PID | Process
  2116 | Side.exe
  3088 | images.exe
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
  Description | IoC | Process
  Key value queried | \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation | NAIRA.exe
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles 1 TTPs 2 IoCs
Processes:
  Description | IoC | Process
  Key opened | \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | images.exe
  Key opened | \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | images.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious use of SetWindowsHookEx 1 IoCs
Processes:
  PID | Process
  3088 | images.exe
-
Suspicious use of WriteProcessMemory 11 IoCs
Processes:
  Description | PID | Process | Target process
  PID 4444 wrote to memory of 2116 | 4444 | NAIRA.exe | Side.exe
  PID 4444 wrote to memory of 2116 | 4444 | NAIRA.exe | Side.exe
  PID 4444 wrote to memory of 2116 | 4444 | NAIRA.exe | Side.exe
  PID 2116 wrote to memory of 3088 | 2116 | Side.exe | images.exe
  PID 2116 wrote to memory of 3088 | 2116 | Side.exe | images.exe
  PID 2116 wrote to memory of 3088 | 2116 | Side.exe | images.exe
  PID 3088 wrote to memory of 4348 | 3088 | images.exe | cmd.exe
  PID 3088 wrote to memory of 4348 | 3088 | images.exe | cmd.exe
  PID 3088 wrote to memory of 4348 | 3088 | images.exe | cmd.exe
  PID 3088 wrote to memory of 4348 | 3088 | images.exe | cmd.exe
  PID 3088 wrote to memory of 4348 | 3088 | images.exe | cmd.exe
-
outlook_office_path 1 IoCs
Processes:
  Description | IoC | Process
  Key opened | \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | images.exe
-
outlook_win_path 1 IoCs
Processes:
  Description | IoC | Process
  Key opened | \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | images.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\NAIRA.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\NAIRA.exe"
  PID: 4444
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\Side.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\Side.exe"
    PID: 2116
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    - C:\ProgramData\images.exe
      Command line: "C:\ProgramData\images.exe"
      PID: 3088
      - Executes dropped EXE
      - Accesses Microsoft Outlook profiles
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      - outlook_office_path
      - outlook_win_path
      - C:\Windows\SysWOW64\cmd.exe
        Command line: "C:\Windows\System32\cmd.exe"
        PID: 4348
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\ProgramData\images.exe
  Filesize: 98KB
  MD5: 4413d2656402a6574e685927de745dce
  SHA1: 722bab9a0653a2f1f8b3079185ff415bacaf5dcb
  SHA256: bfddc619a25d62d78ea685ac1584e93a7dc0f909893aa491c799bf1ffbfea230
  SHA512: 45f92fac5670f6be7cec6b67df5cc1aa20d1e662c9324c0b193a6d25c9e454f62ffb3859fe46b0d538d746b4692d7dae83cfcf3e0a907c7a901843db3753c104
- C:\ProgramData\images.exe
  Filesize: 98KB
  MD5: 4413d2656402a6574e685927de745dce
  SHA1: 722bab9a0653a2f1f8b3079185ff415bacaf5dcb
  SHA256: bfddc619a25d62d78ea685ac1584e93a7dc0f909893aa491c799bf1ffbfea230
  SHA512: 45f92fac5670f6be7cec6b67df5cc1aa20d1e662c9324c0b193a6d25c9e454f62ffb3859fe46b0d538d746b4692d7dae83cfcf3e0a907c7a901843db3753c104
- C:\Users\Admin\AppData\Local\Temp\Side.exe
  Filesize: 98KB
  MD5: 4413d2656402a6574e685927de745dce
  SHA1: 722bab9a0653a2f1f8b3079185ff415bacaf5dcb
  SHA256: bfddc619a25d62d78ea685ac1584e93a7dc0f909893aa491c799bf1ffbfea230
  SHA512: 45f92fac5670f6be7cec6b67df5cc1aa20d1e662c9324c0b193a6d25c9e454f62ffb3859fe46b0d538d746b4692d7dae83cfcf3e0a907c7a901843db3753c104
- C:\Users\Admin\AppData\Local\Temp\Side.exe
  Filesize: 98KB
  MD5: 4413d2656402a6574e685927de745dce
  SHA1: 722bab9a0653a2f1f8b3079185ff415bacaf5dcb
  SHA256: bfddc619a25d62d78ea685ac1584e93a7dc0f909893aa491c799bf1ffbfea230
  SHA512: 45f92fac5670f6be7cec6b67df5cc1aa20d1e662c9324c0b193a6d25c9e454f62ffb3859fe46b0d538d746b4692d7dae83cfcf3e0a907c7a901843db3753c104
- memory/2116-134-0x0000000000000000-mapping.dmp
- memory/3088-137-0x0000000000000000-mapping.dmp
- memory/3088-143-0x00000000037B0000-0x0000000003834000-memory.dmp
  Filesize: 528KB
- memory/3088-144-0x00000000037B0000-0x0000000003834000-memory.dmp
  Filesize: 528KB
- memory/4348-140-0x0000000000000000-mapping.dmp
- memory/4348-141-0x0000000001200000-0x0000000001201000-memory.dmp
  Filesize: 4KB
- memory/4444-132-0x0000000000C10000-0x0000000000C68000-memory.dmp
  Filesize: 352KB
- memory/4444-133-0x00007FF99E650000-0x00007FF99F111000-memory.dmp
  Filesize: 10.8MB
- memory/4444-142-0x00007FF99E650000-0x00007FF99F111000-memory.dmp
  Filesize: 10.8MB