Analysis
-
max time kernel
94s
-
max time network
162s
-
platform
windows7_x64
-
resource
win7-20220812-en
-
resource tags
arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
-
submitted
01-12-2022 06:21
Static task
static1
Behavioral task
behavioral1
Sample
574e031a4747d5e6315b894f983d3001.exe
Resource
win7-20220812-en
Behavioral task
behavioral2
Sample
574e031a4747d5e6315b894f983d3001.exe
Resource
win10v2004-20220812-en
General
-
Target
574e031a4747d5e6315b894f983d3001.exe
-
Size
2.3MB
-
MD5
574e031a4747d5e6315b894f983d3001
-
SHA1
30222efc71057a20e085b757c7eadb75ee50b155
-
SHA256
842fc15b363a849a21ce37a22bd237371576a0a92adc3718adce933dfbb16f83
-
SHA512
7a204e8f508e5e0d0f798f996d53e301d8bc330b86f26dab55ed22495c4ed09c0bc149c2e7857cc1fa68f0e118092b8c9f1ab8d321540c8277fcfd52b76226a1
-
SSDEEP
12288:2YSJAsjzCjawSIIgH8n7XAW76XcpjvV653IDqYheWiYWZaQKjYD:6JAsjvI
Malware Config
Signatures
-
WarzoneRat, AveMaria
WarzoneRat (also tracked as AveMaria) is a native C++ RAT with multiple plugins, sold as malware-as-a-service (MaaS).
-
Warzone RAT payload 2 IoCs
Processes:
resource | yara_rule
behavioral1/memory/1004-55-0x0000000002000000-0x0000000002A00000-memory.dmp | warzonerat
behavioral1/memory/1004-56-0x0000000002A00000-0x0000000002B68000-memory.dmp | warzonerat
-
Drops startup file 2 IoCs
Processes:
574e031a4747d5e6315b894f983d3001.exe
description | ioc | process
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\programs.bat | 574e031a4747d5e6315b894f983d3001.exe
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\programs.bat:start | 574e031a4747d5e6315b894f983d3001.exe
-
NTFS ADS 2 IoCs
Processes:
574e031a4747d5e6315b894f983d3001.exe
description | ioc | process
File created | C:\Users\Admin\Documents\Documents:ApplicationData | 574e031a4747d5e6315b894f983d3001.exe
File opened for modification | C:\Users\Admin\Documents\Documents:ApplicationData | 574e031a4747d5e6315b894f983d3001.exe
-
Suspicious behavior: EnumeratesProcesses 1 IoCs
Processes:
powershell.exe
pid | process
1528 | powershell.exe
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
powershell.exe
description | pid | process
Token: SeDebugPrivilege | 1528 | powershell.exe
-
Suspicious use of WriteProcessMemory 4 IoCs
Processes:
574e031a4747d5e6315b894f983d3001.exe
description | pid | process | target process
PID 1004 wrote to memory of 1528 | 1004 | 574e031a4747d5e6315b894f983d3001.exe | powershell.exe
PID 1004 wrote to memory of 1528 | 1004 | 574e031a4747d5e6315b894f983d3001.exe | powershell.exe
PID 1004 wrote to memory of 1528 | 1004 | 574e031a4747d5e6315b894f983d3001.exe | powershell.exe
PID 1004 wrote to memory of 1528 | 1004 | 574e031a4747d5e6315b894f983d3001.exe | powershell.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\574e031a4747d5e6315b894f983d3001.exe
"C:\Users\Admin\AppData\Local\Temp\574e031a4747d5e6315b894f983d3001.exe"
- Drops startup file
- NTFS ADS
- Suspicious use of WriteProcessMemory
-
  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell Add-MpPreference -ExclusionPath C:\
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
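The two behaviours the Signatures section and the process tree above record, a Startup-folder drop that carries an NTFS alternate data stream (programs.bat:start, Documents:ApplicationData) and a Defender exclusion added through Add-MpPreference from a process spawned by the sample, are what a detection rule would key on. The detector below is an added example written for this page; it is not part of the sandbox report or of any vendor tooling. The Event schema, the trusted-parent allow-list and SAMPLE_EVENTS (built from the report's own IoCs plus one constructed benign control) are assumptions. It also generalises a little beyond the report: it matches Set-MpPreference exclusions as well as Add-MpPreference, and it flags any ADS write, not only the one in the Startup folder.

```python
"""Detection logic for the behaviours this report flags: a Startup-folder drop
carrying an NTFS alternate data stream (ADS) and a Defender exclusion added via
Add-MpPreference from an untrusted parent. Added example for this page; the
Event schema and allow-list are assumptions, and SAMPLE_EVENTS is constructed
from the report's IoCs plus one benign control, not real telemetry."""
import re
from dataclasses import dataclass

# Lower-cased suffix of the per-user Startup folder (assumption: per-user path only).
STARTUP_DIR = "\\microsoft\\windows\\start menu\\programs\\startup\\"

# Parents from which an admin might legitimately add an exclusion (assumption).
TRUSTED_PARENTS = {"explorer.exe", "services.exe", "svchost.exe"}

# A second colon after the drive letter's "X:" marks an ADS ("file:stream").
ADS_RE = re.compile(r"^[A-Za-z]:\\.*:[^\\]+$")

# Add-MpPreference / Set-MpPreference with any -Exclusion* parameter.
DEFENDER_EXCLUSION_RE = re.compile(r"\b(Add|Set)-MpPreference\b.*-Exclusion", re.IGNORECASE)


@dataclass
class Event:
    kind: str           # "process" or "file"
    image: str          # process image; for file events, the writing process
    parent: str = ""    # parent image (process events)
    cmdline: str = ""   # command line (process events)
    path: str = ""      # target path (file events)


def is_ads_path(path: str) -> bool:
    """True for NTFS paths of the form C:\\dir\\file:stream."""
    return bool(ADS_RE.match(path))


def in_startup_folder(path: str) -> bool:
    return STARTUP_DIR in path.lower()


def detect(events):
    """Return (rule, actor, detail) tuples for every event that trips a rule."""
    findings = []
    for e in events:
        if e.kind == "process":
            if (e.image.lower().endswith("powershell.exe")
                    and DEFENDER_EXCLUSION_RE.search(e.cmdline)
                    and e.parent.lower() not in TRUSTED_PARENTS):
                findings.append(("defender_exclusion_from_untrusted_parent", e.parent, e.cmdline))
        elif e.kind == "file":
            if in_startup_folder(e.path):
                rule = "startup_item_with_ads" if is_ads_path(e.path) else "startup_item_dropped"
                findings.append((rule, e.image, e.path))
            elif is_ads_path(e.path):
                findings.append(("ads_write_outside_startup", e.image, e.path))
    return findings


DROPPER = "574e031a4747d5e6315b894f983d3001.exe"
STARTUP = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\"

# Constructed from the report's IoCs; the last entry is a benign control that must not fire.
SAMPLE_EVENTS = [
    Event("file", DROPPER, path=STARTUP + "programs.bat"),
    Event("file", DROPPER, path=STARTUP + "programs.bat:start"),
    Event("file", DROPPER, path="C:\\Users\\Admin\\Documents\\Documents:ApplicationData"),
    Event("process", "powershell.exe", parent=DROPPER,
          cmdline="powershell Add-MpPreference -ExclusionPath C:\\"),
    Event("process", "powershell.exe", parent="explorer.exe",
          cmdline="powershell Add-MpPreference -ExclusionPath D:\\build"),
]

if __name__ == "__main__":
    for rule, actor, detail in detect(SAMPLE_EVENTS):
        print(f"{rule:42} {actor}  {detail}")
```

The ADS test is deliberately path-based rather than relying on a dedicated "stream created" event type, because most file-creation telemetry reports an ADS write as an ordinary file create whose path contains the extra colon, exactly as this report shows it. Exclusions added from an untrusted parent are reported separately from the generic "powershell ran" signal so that an interactive admin session (the explorer.exe control) stays quiet.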
Network
MITRE ATT&CK Matrix
Downloads
-
memory/1004-54-0x0000000075211000-0x0000000075213000-memory.dmp
Filesize
8KB
-
memory/1004-55-0x0000000002000000-0x0000000002A00000-memory.dmp
Filesize
10.0MB
-
memory/1004-56-0x0000000002A00000-0x0000000002B68000-memory.dmp
Filesize
1.4MB
-
memory/1528-62-0x0000000000000000-mapping.dmp
-
memory/1528-64-0x0000000073470000-0x0000000073A1B000-memory.dmp
Filesize
5.7MB
-
memory/1528-65-0x0000000073470000-0x0000000073A1B000-memory.dmp
Filesize
5.7MB