Analysis
-
max time kernel
146s -
max time network
149s -
platform
windows10-2004_x64 -
resource
win10v2004-20220812-en -
resource tags
arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system -
submitted
30-11-2022 18:18
Behavioral task
behavioral1
Sample
3bac5dd964575f98f067f2e8ca7e84fc9886911ac930c18ffd2ae3aadd5d54fc.exe
Resource
win7-20221111-en
Behavioral task
behavioral2
Sample
3bac5dd964575f98f067f2e8ca7e84fc9886911ac930c18ffd2ae3aadd5d54fc.exe
Resource
win10v2004-20220812-en
General
-
Target
3bac5dd964575f98f067f2e8ca7e84fc9886911ac930c18ffd2ae3aadd5d54fc.exe
-
Size
5.8MB
-
MD5
566f5d973c60961ffdf83d358e789504
-
SHA1
6e662febcd653e3af71c6d166c295a2a7c63c472
-
SHA256
3bac5dd964575f98f067f2e8ca7e84fc9886911ac930c18ffd2ae3aadd5d54fc
-
SHA512
87dd7cbbd3ed8d9b79dec4275d60051478122aa21e73de8ffa2db4f1aa9073b7c1e1d9f064fa7f22e829c46348ecaffcf15a0651f67590440287b92619441cd1
-
SSDEEP
98304:EdBK5I5RUOjTAj6w/wRAH4QiM3BhZzJ/zbo/FZSCwyd5kmsWEhAoCkXK0VCqgAH3:EdBK5I5RUOjTpwUQXBh/g/j+yjkf5CkL
Malware Config
Extracted
warzonerat
193.109.78.123:5200
Signatures
-
WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
-
Warzone RAT payload 6 IoCs
Processes:
resource | yara_rule
behavioral2/memory/4364-132-0x0000000000790000-0x00000000010FD000-memory.dmp | warzonerat
behavioral2/memory/4364-134-0x0000000000790000-0x00000000010FD000-memory.dmp | warzonerat
behavioral2/memory/4364-138-0x0000000000790000-0x00000000010FD000-memory.dmp | warzonerat
behavioral2/memory/3112-139-0x0000000000590000-0x0000000000EFD000-memory.dmp | warzonerat
behavioral2/memory/3112-142-0x0000000000590000-0x0000000000EFD000-memory.dmp | warzonerat
behavioral2/memory/3112-144-0x0000000000590000-0x0000000000EFD000-memory.dmp | warzonerat
-
Executes dropped EXE 1 IoCs
Processes:
pid | process
3112 | images.exe
-
VMProtect-packed image (yara rule: vmprotect) 8 IoCs
Processes:
resource | yara_rule
behavioral2/memory/4364-132-0x0000000000790000-0x00000000010FD000-memory.dmp | vmprotect
behavioral2/memory/4364-134-0x0000000000790000-0x00000000010FD000-memory.dmp | vmprotect
C:\ProgramData\images.exe | vmprotect
C:\ProgramData\images.exe | vmprotect
behavioral2/memory/4364-138-0x0000000000790000-0x00000000010FD000-memory.dmp | vmprotect
behavioral2/memory/3112-139-0x0000000000590000-0x0000000000EFD000-memory.dmp | vmprotect
behavioral2/memory/3112-142-0x0000000000590000-0x0000000000EFD000-memory.dmp | vmprotect
behavioral2/memory/3112-144-0x0000000000590000-0x0000000000EFD000-memory.dmp | vmprotect
-
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Helpeerss = "C:\\ProgramData\\images.exe" | 3bac5dd964575f98f067f2e8ca7e84fc9886911ac930c18ffd2ae3aadd5d54fc.exe
-
Suspicious behavior: EnumeratesProcesses 8 IoCs
Processes:
pid | process
4364 | 3bac5dd964575f98f067f2e8ca7e84fc9886911ac930c18ffd2ae3aadd5d54fc.exe
4364 | 3bac5dd964575f98f067f2e8ca7e84fc9886911ac930c18ffd2ae3aadd5d54fc.exe
4364 | 3bac5dd964575f98f067f2e8ca7e84fc9886911ac930c18ffd2ae3aadd5d54fc.exe
4364 | 3bac5dd964575f98f067f2e8ca7e84fc9886911ac930c18ffd2ae3aadd5d54fc.exe
3112 | images.exe
3112 | images.exe
3112 | images.exe
3112 | images.exe
-
Suspicious use of WriteProcessMemory 8 IoCs
Processes:
description | pid | process | target process
PID 4364 wrote to memory of 3112 | 4364 | 3bac5dd964575f98f067f2e8ca7e84fc9886911ac930c18ffd2ae3aadd5d54fc.exe | images.exe
PID 4364 wrote to memory of 3112 | 4364 | 3bac5dd964575f98f067f2e8ca7e84fc9886911ac930c18ffd2ae3aadd5d54fc.exe | images.exe
PID 4364 wrote to memory of 3112 | 4364 | 3bac5dd964575f98f067f2e8ca7e84fc9886911ac930c18ffd2ae3aadd5d54fc.exe | images.exe
PID 3112 wrote to memory of 712 | 3112 | images.exe | cmd.exe
PID 3112 wrote to memory of 712 | 3112 | images.exe | cmd.exe
PID 3112 wrote to memory of 712 | 3112 | images.exe | cmd.exe
PID 3112 wrote to memory of 712 | 3112 | images.exe | cmd.exe
PID 3112 wrote to memory of 712 | 3112 | images.exe | cmd.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\3bac5dd964575f98f067f2e8ca7e84fc9886911ac930c18ffd2ae3aadd5d54fc.exe (depth 1)
command line: "C:\Users\Admin\AppData\Local\Temp\3bac5dd964575f98f067f2e8ca7e84fc9886911ac930c18ffd2ae3aadd5d54fc.exe"
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
  C:\ProgramData\images.exe (depth 2, child of the sample)
  command line: "C:\ProgramData\images.exe"
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  -
    C:\Windows\SysWOW64\cmd.exe (depth 3, child of images.exe)
    command line: "C:\Windows\System32\cmd.exe"
    The command line names System32 but the image that actually runs is SysWOW64\cmd.exe: images.exe is a 32-bit process on x64 Windows, so WOW64 file system redirection maps System32 to SysWOW64, just as its HKLM Run-key write landed under WOW6432Node.
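The signatures and the process tree above translate directly into host telemetry. The following added example (not part of the sandbox report, and not tooling from the sandbox vendor) turns the report's indicators (the sample hashes, the dropped C:\ProgramData\images.exe, the Helpeerss Run value and the 193.109.78.123:5200 C2) into matching logic over Sysmon-style events. The event records are constructed for the example and mirror the reported chain plus two benign records; the field names follow Sysmon's, but the flat-dictionary layout is a simplifying assumption, and the cmd.exe hash in the sample data is a placeholder, not the real one.

```python
"""Hunt for this report's WarzoneRAT indicators in Sysmon-style telemetry.

Added example, not part of the sandbox report. The event records are
constructed to mirror the reported chain plus two benign records; field
names follow Sysmon's, but the flat-dict layout is a simplifying assumption.
Sysmon Event IDs keep their meaning: 1 process create, 3 network connect,
11 file create, 13 registry value set.
"""
from collections import Counter

# Indicators taken from the report.
IOC_MD5 = "566f5d973c60961ffdf83d358e789504"
IOC_SHA256 = "3bac5dd964575f98f067f2e8ca7e84fc9886911ac930c18ffd2ae3aadd5d54fc"
IOC_C2 = ("193.109.78.123", 5200)
IOC_DROP_PATH = r"C:\ProgramData\images.exe"
IOC_RUN_VALUE = "Helpeerss"
# Substring shared by the native and WOW6432Node Run keys (compared lower-cased).
RUN_KEY_MARKER = "\\microsoft\\windows\\currentversion\\run\\"

SAMPLE_PATH = (r"C:\Users\Admin\AppData\Local\Temp"
               r"\3bac5dd964575f98f067f2e8ca7e84fc9886911ac930c18ffd2ae3aadd5d54fc.exe")
SAMPLE_HASHES = f"MD5={IOC_MD5.upper()},SHA256={IOC_SHA256.upper()}"  # Sysmon writes upper-case hex
PLACEHOLDER_HASHES = "MD5=" + "0" * 32 + ",SHA256=" + "0" * 64     # stand-in, not cmd.exe's real hash

# Constructed telemetry (not taken from the report's own logs).
SAMPLE_EVENTS = [
    {"EventID": 1, "ProcessId": 4364, "Image": SAMPLE_PATH,
     "ParentImage": r"C:\Windows\explorer.exe", "Hashes": SAMPLE_HASHES},
    {"EventID": 11, "ProcessId": 4364, "Image": SAMPLE_PATH, "TargetFilename": IOC_DROP_PATH},
    {"EventID": 13, "ProcessId": 4364, "Image": SAMPLE_PATH, "EventType": "SetValue",
     "TargetObject": r"HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Helpeerss",
     "Details": IOC_DROP_PATH},
    {"EventID": 1, "ProcessId": 3112, "Image": IOC_DROP_PATH,
     "ParentImage": SAMPLE_PATH, "Hashes": SAMPLE_HASHES},
    {"EventID": 1, "ProcessId": 712, "Image": r"C:\Windows\SysWOW64\cmd.exe",
     "ParentImage": IOC_DROP_PATH, "Hashes": PLACEHOLDER_HASHES},
    {"EventID": 3, "ProcessId": 3112, "Image": IOC_DROP_PATH,
     "DestinationIp": "193.109.78.123", "DestinationPort": 5200},
    # Benign noise: a legitimate autorun and an unrelated outbound connection.
    {"EventID": 13, "ProcessId": 900, "Image": r"C:\Program Files\Vendor\setup.exe", "EventType": "SetValue",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VendorUpdater",
     "Details": r"C:\Program Files\Vendor\updater.exe"},
    {"EventID": 3, "ProcessId": 1234, "Image": r"C:\Windows\System32\svchost.exe",
     "DestinationIp": "10.0.0.5", "DestinationPort": 443},
]

# The behavioural chain the report documents: drop, persist, execute, beacon.
CHAIN = {"payload_dropped", "run_key_persistence", "dropped_exe_executed", "c2_connection"}


def parse_hashes(field):
    """Sysmon's Hashes field is 'ALG=hex,ALG=hex,...'; return {ALG: lower-case hex}."""
    out = {}
    for part in field.split(","):
        alg, sep, val = part.partition("=")
        if sep:
            out[alg.strip().upper()] = val.strip().lower()
    return out


def match_event(ev):
    """Return the names of the report-derived rules this event satisfies."""
    hits = []
    eid = ev.get("EventID")
    if eid == 1:
        h = parse_hashes(ev.get("Hashes", ""))
        if h.get("SHA256") == IOC_SHA256 or h.get("MD5") == IOC_MD5:
            hits.append("known_sample_hash")
        if ev.get("Image", "").lower() == IOC_DROP_PATH.lower():
            hits.append("dropped_exe_executed")
    elif eid == 11 and ev.get("TargetFilename", "").lower() == IOC_DROP_PATH.lower():
        hits.append("payload_dropped")
    elif eid == 13 and ev.get("EventType") == "SetValue":
        target = ev.get("TargetObject", "").lower()
        value_name = target.rsplit("\\", 1)[-1]
        # Fire on the reported value name OR on the reported data, so a renamed
        # value that still points at the dropped file is caught as well.
        if RUN_KEY_MARKER in target and (
            value_name == IOC_RUN_VALUE.lower()
            or ev.get("Details", "").lower() == IOC_DROP_PATH.lower()
        ):
            hits.append("run_key_persistence")
    elif eid == 3 and (ev.get("DestinationIp"), ev.get("DestinationPort")) == IOC_C2:
        hits.append("c2_connection")
    return hits


def hunt(events):
    """Scan events; return one (pid, image, rule) triple per hit."""
    return [(ev.get("ProcessId"), ev.get("Image"), rule)
            for ev in events for rule in match_event(ev)]


def summarize(hits):
    """Count hits per rule name."""
    return dict(Counter(rule for _, _, rule in hits))


def chain_confirmed(hits):
    """True when the whole reported chain (drop, persist, execute, beacon) is present."""
    return CHAIN <= {rule for _, _, rule in hits}


if __name__ == "__main__":
    found = hunt(SAMPLE_EVENTS)
    for pid, image, rule in found:
        print(f"{rule:22} pid={pid} image={image}")
    print("full chain confirmed:", chain_confirmed(found))
```

The hash rule only catches this exact build; the vmprotect YARA hits show the sample is packed, and a repacked build changes every file hash, so the behavioural rules (the Run value pointing at a ProgramData executable, the dropped file executing, the 5200/tcp beacon) are the ones worth keeping in a detection ruleset. Matching the Run key by substring is deliberate: a 32-bit payload writes under WOW6432Node, a 64-bit one under the native key, and both should fire.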
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\ProgramData\images.exe
Filesize 5.8MB
MD5 566f5d973c60961ffdf83d358e789504
SHA1 6e662febcd653e3af71c6d166c295a2a7c63c472
SHA256 3bac5dd964575f98f067f2e8ca7e84fc9886911ac930c18ffd2ae3aadd5d54fc
SHA512 87dd7cbbd3ed8d9b79dec4275d60051478122aa21e73de8ffa2db4f1aa9073b7c1e1d9f064fa7f22e829c46348ecaffcf15a0651f67590440287b92619441cd1
These hashes are identical to the submitted sample's (see General): the dropped images.exe is a byte-for-byte copy of the original, not an unpacked second stage.
-
memory/712-141-0x0000000000000000-mapping.dmp
-
memory/712-143-0x0000000001720000-0x0000000001721000-memory.dmp
Filesize 4KB
-
memory/3112-135-0x0000000000000000-mapping.dmp
-
memory/3112-139-0x0000000000590000-0x0000000000EFD000-memory.dmp
Filesize 9.4MB
-
memory/3112-142-0x0000000000590000-0x0000000000EFD000-memory.dmp
Filesize 9.4MB
-
memory/3112-144-0x0000000000590000-0x0000000000EFD000-memory.dmp
Filesize 9.4MB
-
memory/4364-132-0x0000000000790000-0x00000000010FD000-memory.dmp
Filesize 9.4MB
-
memory/4364-134-0x0000000000790000-0x00000000010FD000-memory.dmp
Filesize 9.4MB
-
memory/4364-138-0x0000000000790000-0x00000000010FD000-memory.dmp
Filesize 9.4MB