Analysis
- max time kernel: 146s
- max time network: 159s
- platform: windows10-2004_x64
- resource: win10v2004-20220812-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 01-12-2022 03:30
- Static task: static1
- Behavioral task: behavioral1
  - Sample: SecuriteInfo.com.Win32.RATX-gen.3212.5858.exe
  - Resource: win7-20221111-en
- Behavioral task: behavioral2
  - Sample: SecuriteInfo.com.Win32.RATX-gen.3212.5858.exe
  - Resource: win10v2004-20220812-en
General
- Target: SecuriteInfo.com.Win32.RATX-gen.3212.5858.exe
- Size: 60KB
- MD5: 8c4b7521e74a3960a77f70f53179670e
- SHA1: c775546bdb0e2d4401e391d075cfcc0b863c8774
- SHA256: cea6d4fbb54e357c9c62deab33a97e5e94b91f7f95a39a6e5daf5dd69133b6d7
- SHA512: c683bb89b0301f330a22609c4b810c241a63964c53f4c9ae544f89d356009977714e70d8b9481bc89055c760a0a6de45dbe5b9d55ab3b432b71ddad1e643e1a7
- SSDEEP: 1536:/iyl1nZJJMZ4jTjx6WZG/YGcO/R4UMz5Tu:/iybnBGc1u
Malware Config
Signatures
-
WarzoneRat, AveMaria
WarzoneRat is a native RAT written in C++, shipped with multiple plugins and sold as malware-as-a-service (MaaS).
-
Warzone RAT payload (3 IoCs)
Processes (resource: yara_rule):
- behavioral2/memory/4732-139-0x0000000000400000-0x0000000000568000-memory.dmp: warzonerat
- behavioral2/memory/4732-141-0x0000000000400000-0x0000000000568000-memory.dmp: warzonerat
- behavioral2/memory/4732-142-0x0000000000400000-0x0000000000568000-memory.dmp: warzonerat
-
Drops startup file (2 IoCs)
Processes (description, ioc, process):
- File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SecuriteInfo.com.Win32.RATX-gen.3212.5858.exe (process: SecuriteInfo.com.Win32.RATX-gen.3212.5858.exe)
- File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SecuriteInfo.com.Win32.RATX-gen.3212.5858.exe (process: SecuriteInfo.com.Win32.RATX-gen.3212.5858.exe)
-
Suspicious use of SetThreadContext (1 IoC)
Processes (description, pid, process, target process):
- PID 720 set thread context of 4732: SecuriteInfo.com.Win32.RATX-gen.3212.5858.exe -> SecuriteInfo.com.Win32.RATX-gen.3212.5858.exe
-
Suspicious behavior: EnumeratesProcesses (37 IoCs)
Processes (pid, process):
- 720 SecuriteInfo.com.Win32.RATX-gen.3212.5858.exe (37 identical entries)
-
Suspicious use of AdjustPrivilegeToken (1 IoC)
Processes (description, pid, process):
- Token: SeDebugPrivilege, PID 720, SecuriteInfo.com.Win32.RATX-gen.3212.5858.exe
-
Suspicious use of WriteProcessMemory (11 IoCs)
Processes (description, pid, process, target process):
- PID 720 wrote to memory of 4732: SecuriteInfo.com.Win32.RATX-gen.3212.5858.exe -> SecuriteInfo.com.Win32.RATX-gen.3212.5858.exe (11 identical entries)
Processes
- C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.RATX-gen.3212.5858.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.RATX-gen.3212.5858.exe"
  - Drops startup file
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.RATX-gen.3212.5858.exe (child process)
    Command line: "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.RATX-gen.3212.5858.exe"
Network
MITRE ATT&CK Matrix
Downloads
- memory/720-132-0x0000000000C20000-0x0000000000C36000-memory.dmp (Filesize: 88KB)
- memory/720-133-0x0000000005C60000-0x0000000006204000-memory.dmp (Filesize: 5.6MB)
- memory/720-134-0x00000000055C0000-0x0000000005652000-memory.dmp (Filesize: 584KB)
- memory/720-135-0x0000000005670000-0x000000000567A000-memory.dmp (Filesize: 40KB)
- memory/720-136-0x0000000006D70000-0x0000000006E0C000-memory.dmp (Filesize: 624KB)
- memory/720-137-0x0000000006E10000-0x0000000006E76000-memory.dmp (Filesize: 408KB)
- memory/4732-138-0x0000000000000000-mapping.dmp
- memory/4732-139-0x0000000000400000-0x0000000000568000-memory.dmp (Filesize: 1.4MB)
- memory/4732-141-0x0000000000400000-0x0000000000568000-memory.dmp (Filesize: 1.4MB)
- memory/4732-142-0x0000000000400000-0x0000000000568000-memory.dmp (Filesize: 1.4MB)