Analysis
-
max time kernel
76s -
max time network
187s -
platform
windows7_x64 -
resource
win7-20220812-en -
resource tags
arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system -
submitted
24-11-2022 15:56
Static task
static1
Behavioral task
behavioral1
Sample
634f090793b9102a76256bc2f57af27d.exe
Resource
win7-20220812-en
Behavioral task
behavioral2
Sample
634f090793b9102a76256bc2f57af27d.exe
Resource
win10v2004-20221111-en
General
-
Target
634f090793b9102a76256bc2f57af27d.exe
-
Size
392KB
-
MD5
634f090793b9102a76256bc2f57af27d
-
SHA1
7a66e6d175c747ff3423a71dfdeb525ec542f3b8
-
SHA256
561c6e890c23970149d70017c414677c85d99d428cd96378c15f8459596957c6
-
SHA512
1cfe55dde522062b73f33a46edcf0cf5f9b84c1d8c8b6f7f6d1bbf9739d4e6fcf435a7b1965bef390fa73c1fb5506292452c52497171b220606d7a07406466f2
-
SSDEEP
6144:jEa0PXS18jHzrwmFPpNUAvyrXRnAPljWUAJvSbn:Ki18jHP/VvytcMpKL
Malware Config
Extracted
warzonerat
maulo.duckdns.org:6269
Signatures
-
WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
-
Warzone RAT payload 2 IoCs
Processes:
resource yara_rule behavioral1/memory/1648-66-0x0000000000400000-0x000000000041D000-memory.dmp warzonerat behavioral1/memory/1648-67-0x0000000000400000-0x000000000041D000-memory.dmp warzonerat -
Executes dropped EXE 2 IoCs
Processes:
karlvjz.exekarlvjz.exepid process 1768 karlvjz.exe 1648 karlvjz.exe -
Loads dropped DLL 2 IoCs
Processes:
634f090793b9102a76256bc2f57af27d.exekarlvjz.exepid process 1668 634f090793b9102a76256bc2f57af27d.exe 1768 karlvjz.exe -
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
karlvjz.exedescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\gsajcile = "C:\\Users\\Admin\\AppData\\Roaming\\sbvia\\rnjxnymvostqfe.exe \"C:\\Users\\Admin\\AppData\\Local\\Temp\\karlvjz.exe\" C:\\Users\\Admin\\AppData\\Loc" karlvjz.exe -
Suspicious use of SetThreadContext 1 IoCs
Processes:
karlvjz.exedescription pid process target process PID 1768 set thread context of 1648 1768 karlvjz.exe karlvjz.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious behavior: MapViewOfSection 1 IoCs
Processes:
karlvjz.exepid process 1768 karlvjz.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
Processes:
karlvjz.exepid process 1648 karlvjz.exe -
Suspicious use of WriteProcessMemory 9 IoCs
Processes:
634f090793b9102a76256bc2f57af27d.exekarlvjz.exedescription pid process target process PID 1668 wrote to memory of 1768 1668 634f090793b9102a76256bc2f57af27d.exe karlvjz.exe PID 1668 wrote to memory of 1768 1668 634f090793b9102a76256bc2f57af27d.exe karlvjz.exe PID 1668 wrote to memory of 1768 1668 634f090793b9102a76256bc2f57af27d.exe karlvjz.exe PID 1668 wrote to memory of 1768 1668 634f090793b9102a76256bc2f57af27d.exe karlvjz.exe PID 1768 wrote to memory of 1648 1768 karlvjz.exe karlvjz.exe PID 1768 wrote to memory of 1648 1768 karlvjz.exe karlvjz.exe PID 1768 wrote to memory of 1648 1768 karlvjz.exe karlvjz.exe PID 1768 wrote to memory of 1648 1768 karlvjz.exe karlvjz.exe PID 1768 wrote to memory of 1648 1768 karlvjz.exe karlvjz.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\634f090793b9102a76256bc2f57af27d.exe"C:\Users\Admin\AppData\Local\Temp\634f090793b9102a76256bc2f57af27d.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1668 -
C:\Users\Admin\AppData\Local\Temp\karlvjz.exe"C:\Users\Admin\AppData\Local\Temp\karlvjz.exe" C:\Users\Admin\AppData\Local\Temp\dimizlwtttb.pv2⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1768 -
C:\Users\Admin\AppData\Local\Temp\karlvjz.exe"C:\Users\Admin\AppData\Local\Temp\karlvjz.exe" C:\Users\Admin\AppData\Local\Temp\dimizlwtttb.pv3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1648
-
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
7KB
MD56fabd59339913b60031b9bdfc9b0839e
SHA115bbfc2856acb02b6ec3fbf23bb9d4a0d31dcf74
SHA256a8b1765c99e1ecc8967773915b4df6c47889b0f2b1450d11d2fa84e4cd3c7c9e
SHA512f5802ab909d7388ee8c5bf2527fbe383fa730478d3bd62e23936defec6ef0758468ca5ef43f88da6eac429ef6fdac1e13eb4fa53b771c9ce9e519ecb238386ea
-
Filesize
92KB
MD53bf706e04e64ad6b0df6e229b4b2344b
SHA10361167574be98e55bc4a3d851f76cfc490bdd72
SHA2569ca8b6db5a3613b88c93e218a32b891f18b4cef2aba7a0370d5967408a6e7841
SHA512a7a465214cfd8061004f9192801f75d8cbe9c4b3dd84b13b1721f09dc9a4e18bea3bbee76ebaa6970aa18ab658eefa2c19dd8ba0cbc664d7343e27a6b9e73929
-
Filesize
92KB
MD53bf706e04e64ad6b0df6e229b4b2344b
SHA10361167574be98e55bc4a3d851f76cfc490bdd72
SHA2569ca8b6db5a3613b88c93e218a32b891f18b4cef2aba7a0370d5967408a6e7841
SHA512a7a465214cfd8061004f9192801f75d8cbe9c4b3dd84b13b1721f09dc9a4e18bea3bbee76ebaa6970aa18ab658eefa2c19dd8ba0cbc664d7343e27a6b9e73929
-
Filesize
92KB
MD53bf706e04e64ad6b0df6e229b4b2344b
SHA10361167574be98e55bc4a3d851f76cfc490bdd72
SHA2569ca8b6db5a3613b88c93e218a32b891f18b4cef2aba7a0370d5967408a6e7841
SHA512a7a465214cfd8061004f9192801f75d8cbe9c4b3dd84b13b1721f09dc9a4e18bea3bbee76ebaa6970aa18ab658eefa2c19dd8ba0cbc664d7343e27a6b9e73929
-
Filesize
98KB
MD54b5e60706d1dd3cb13272bfd7ca95058
SHA1e0794982d3a5698344fcf4b1fcb7249bdf19404e
SHA25667d43ebee95833c3663dcb74b5f039e8303d69c5a06acc5bd830978ab9552997
SHA512f457c711003fc35c9e928ba9c7634bb1a1e62ba6e3f6d50ee9d66de8062f43530e2b0797029e4831826afb01f8a6eda3227d258fd266aaae9656da417b55a6c6
-
Filesize
92KB
MD53bf706e04e64ad6b0df6e229b4b2344b
SHA10361167574be98e55bc4a3d851f76cfc490bdd72
SHA2569ca8b6db5a3613b88c93e218a32b891f18b4cef2aba7a0370d5967408a6e7841
SHA512a7a465214cfd8061004f9192801f75d8cbe9c4b3dd84b13b1721f09dc9a4e18bea3bbee76ebaa6970aa18ab658eefa2c19dd8ba0cbc664d7343e27a6b9e73929
-
Filesize
92KB
MD53bf706e04e64ad6b0df6e229b4b2344b
SHA10361167574be98e55bc4a3d851f76cfc490bdd72
SHA2569ca8b6db5a3613b88c93e218a32b891f18b4cef2aba7a0370d5967408a6e7841
SHA512a7a465214cfd8061004f9192801f75d8cbe9c4b3dd84b13b1721f09dc9a4e18bea3bbee76ebaa6970aa18ab658eefa2c19dd8ba0cbc664d7343e27a6b9e73929