Analysis
- max time kernel: 157s
- max time network: 161s
- platform: windows10-2004_x64
- resource: win10v2004-20220812-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 02-12-2022 17:46
Static task: static1
Behavioral task: behavioral1
- Sample: f6b748b16c33e91dd7cdd128ab0917cd.exe
- Resource: win7-20221111-en
Behavioral task: behavioral2
- Sample: f6b748b16c33e91dd7cdd128ab0917cd.exe
- Resource: win10v2004-20220812-en
General
- Target: f6b748b16c33e91dd7cdd128ab0917cd.exe
- Size: 171KB
- MD5: f6b748b16c33e91dd7cdd128ab0917cd
- SHA1: 6b3762c4507f52dff97ec34bae4a16a5d876ab1a
- SHA256: 259fff7281f53b0dcb4ba5b9a1e4323f414e2a43496aff5cb32c1b8b50db773c
- SHA512: ca04fd9616de8a2253d396e1d70fe2b2c1bd23d98e413bc0f8821f5c75e5b515fb675e62ffb40bf115ae3b06c4c50e36e63ba87818f3c19a781d5753c061f413
- SSDEEP: 3072:QEhKzShSycSMjk/CFpQUWbNUEp0afqf/T9xjj4fAA0/oPQ3A8JHVZ:QBn1j6CFyUONUEp3Ox5cAf/oPQzN
Malware Config
Extracted
- Family: warzonerat
- C2: revive147.duckdns.org:6513
Signatures
- WarzoneRat, AveMaria
  WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
- Warzone RAT payload (1 IoC)
  yara_rule warzonerat matched resource behavioral2/memory/4752-139-0x0000000000400000-0x000000000041D000-memory.dmp
- Executes dropped EXE (2 IoCs)
  PID 4848 pzzofr.exe
  PID 4752 pzzofr.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  Set value (str) by pzzofr.exe:
  \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\myfphwhgbt = C:\Users\Admin\AppData\Roaming\ocor\afam.exe "C:\Users\Admin\AppData\Local\Temp\pzzofr.exe" C:\Users\Admin\AppData\Local\Temp\wgbr
- Suspicious use of SetThreadContext (1 IoC)
  PID 4848 (pzzofr.exe) set thread context of PID 4752 (pzzofr.exe)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour. (This is the sandbox's generic description for the signature; the sample itself is classified above as a Warzone RAT payload, not ransomware.)
- Suspicious behavior: MapViewOfSection (1 IoC)
  PID 4848 pzzofr.exe
- Suspicious use of SetWindowsHookEx (1 IoC)
  PID 4752 pzzofr.exe
- Suspicious use of WriteProcessMemory (7 IoCs)
  PID 4800 (f6b748b16c33e91dd7cdd128ab0917cd.exe) wrote to memory of PID 4848 (pzzofr.exe), 3 entries
  PID 4848 (pzzofr.exe) wrote to memory of PID 4752 (pzzofr.exe), 4 entries
Processes
- C:\Users\Admin\AppData\Local\Temp\f6b748b16c33e91dd7cdd128ab0917cd.exe (depth 1, PID 4800)
  Command line: "C:\Users\Admin\AppData\Local\Temp\f6b748b16c33e91dd7cdd128ab0917cd.exe"
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\pzzofr.exe (depth 2, PID 4848)
    Command line: "C:\Users\Admin\AppData\Local\Temp\pzzofr.exe" C:\Users\Admin\AppData\Local\Temp\wgbry.jr
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of SetThreadContext
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\pzzofr.exe (depth 3, PID 4752)
      Command line: "C:\Users\Admin\AppData\Local\Temp\pzzofr.exe"
      - Executes dropped EXE
      - Suspicious use of SetWindowsHookEx
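The process tree and signatures above describe two behaviours a detection engineer would want to match outside the sandbox: a Run value whose target lives under a user-writable directory, and a parent that writes into a child running the same image and then re-points that child's thread context (the WriteProcessMemory plus SetThreadContext sequence from PID 4848 into PID 4752, whose 0x400000-0x41D000 region was dumped and matched the warzonerat YARA rule). The following is an added example, not code from the Triage report or from the malware: it replays both checks over a constructed, sandbox-style event list built from the PIDs, paths, SID and Run value shown on this page. The event schema, the function names, and the benign "Vendor\Updater.exe" control entries are assumptions made for the example.

```python
"""Added example (not part of the Triage report or of WarzoneRat): replays the
report's two flagged behaviours over constructed sandbox-style events."""
import re

# Directories a standard user can write to; a Run value launching from here is suspicious.
USER_WRITABLE = re.compile(r"\\AppData\\(Local\\Temp|Roaming)\\", re.IGNORECASE)
RUN_KEY = re.compile(r"\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\", re.IGNORECASE)

TEMP = r"C:\Users\Admin\AppData\Local\Temp"
SAMPLE = TEMP + r"\f6b748b16c33e91dd7cdd128ab0917cd.exe"
DROPPED = TEMP + r"\pzzofr.exe"
SID = "S-1-5-21-2629973501-4017243118-3254762364-1000"

# Constructed event log. The first six rows mirror the report (PIDs 4800 -> 4848 -> 4752);
# the last two are an assumed benign control (an updater under Program Files).
EVENTS = [
    {"type": "process_create", "pid": 4848, "ppid": 4800, "image": DROPPED, "parent_image": SAMPLE},
    {"type": "write_memory", "pid": 4800, "target_pid": 4848},
    {"type": "process_create", "pid": 4752, "ppid": 4848, "image": DROPPED, "parent_image": DROPPED},
    {"type": "write_memory", "pid": 4848, "target_pid": 4752},
    {"type": "set_thread_context", "pid": 4848, "target_pid": 4752},
    {"type": "set_value", "pid": 4848,
     "key": "HKU\\" + SID + r"\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\myfphwhgbt",
     "value": r"C:\Users\Admin\AppData\Roaming\ocor\afam.exe " + '"' + DROPPED + '" ' + TEMP + r"\wgbr"},
    {"type": "process_create", "pid": 1234, "ppid": 900,
     "image": r"C:\Program Files\Vendor\Updater.exe", "parent_image": r"C:\Windows\explorer.exe"},
    {"type": "set_value", "pid": 1234,
     "key": "HKU\\" + SID + r"\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VendorUpdater",
     "value": r'"C:\Program Files\Vendor\Updater.exe" /background'},
]


def image_of(events, pid):
    """Image path recorded for pid, or None when the log has no creation event for it."""
    for e in events:
        if e["type"] == "process_create" and e["pid"] == pid:
            return e["image"]
    return None


def launched_exe(command):
    """Executable a Run value launches: the quoted path if it starts with a quote,
    otherwise the text up to the first space (unquoted paths with spaces are not handled)."""
    if command.startswith('"'):
        return command[1:].split('"', 1)[0]
    return command.split(" ", 1)[0]


def find_run_key_persistence(events):
    """Run values whose launched executable lives in a user-writable directory."""
    hits = []
    for e in events:
        if e["type"] != "set_value" or not RUN_KEY.search(e["key"]):
            continue
        exe = launched_exe(e["value"])
        if USER_WRITABLE.search(exe):
            hits.append({"pid": e["pid"], "value_name": e["key"].rsplit("\\", 1)[1], "launches": exe})
    return hits


def find_self_hollowing(events):
    """(writer, target) pairs where a process writes into a child running its own image
    and then sets that child's thread context: the WriteProcessMemory followed by
    SetThreadContext sequence the report records from 4848 into 4752."""
    wrote = set()
    hits = []
    for e in events:
        if e["type"] == "write_memory":
            wrote.add((e["pid"], e["target_pid"]))
        elif e["type"] == "set_thread_context":
            pair = (e["pid"], e["target_pid"])
            same_image = image_of(events, pair[0]) == image_of(events, pair[1])
            if pair in wrote and same_image and pair not in hits:
                hits.append(pair)
    return hits


def dump_region_kib(span):
    """Size in KiB of a 'start-end' hex range such as the one in the memory dump name."""
    start, end = (int(x, 16) for x in span.split("-"))
    return (end - start) // 1024


if __name__ == "__main__":
    for h in find_run_key_persistence(EVENTS):
        print(f"persistence: pid {h['pid']} set Run\\{h['value_name']} -> {h['launches']}")
    for src, dst in find_self_hollowing(EVENTS):
        print(f"hollowing: pid {src} wrote into and re-pointed a thread of pid {dst} ({image_of(EVENTS, dst)})")
    print("dumped image region:", dump_region_kib("0x0000000000400000-0x000000000041D000"), "KiB")
```

The hollowing check deliberately requires both the write and the context change from the same writer to the same target; the sample's own write from 4800 into 4848 does not fire because no SetThreadContext follows it and the two images differ. The Program Files control shows that a Run value by itself is not a finding; the user-writable launch path is. The region size of the dumped 0x400000-0x41D000 range works out to 116 KiB, matching the report's memory dump entry.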
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\ebsavjss.kjw
  Filesize: 98KB
  MD5: 027e07ca854e78cece5cfe97887a6107
  SHA1: f30db8d9abc6d0ed6052cebab449881e96d86ef6
  SHA256: 9fa6eb57f060b02ca19d3ef9a151080b65c7511f5cfa513a1c68bfcdabc120c2
  SHA512: 1bf6ac99ab281cfbdb63849b51ab482f8be9ee78079289461e4c61f70d41e76006db26a4b359f239b4f6e09df1766ce95c2a85864396e302f349adf6aca7aad3
- C:\Users\Admin\AppData\Local\Temp\pzzofr.exe (three identical entries in the report)
  Filesize: 99KB
  MD5: 86cd3e0be4b6aa64973055f8def9b834
  SHA1: 8dff1a4ee9ff60d6cc185efad3e3782405e06810
  SHA256: b8cfae9d4f4cd8fc37292bafce7ab336065cbb4b7eecda149d05a00fbfee22ce
  SHA512: 355566ed46b6de149557e513ab579e3e9c17eeb1afc1772f55b94fcb60d194b20dda61a3de13571870c78cbe4cf9942cd70bdb9fcff0d150524a11b35e265e68
- C:\Users\Admin\AppData\Local\Temp\wgbry.jr
  Filesize: 7KB
  MD5: ce8a6241de4696149788ea19e1f2f5eb
  SHA1: 1dac7757bdaecaea47eeed9eb5714fab51783c7a
  SHA256: 61bbbf5c16e5542913285060928635d40cbdf3c6615812d4bc10cb0a8f7d8172
  SHA512: 05fa2ee7b19ef463bb9e69cb35dc28bdd98106aa67b2afc4bffcf73129335bb26ff7801beb5875c4936dd4ee2003f2438f9d7a2cd6618661f78cc1f976664a51
- memory/4752-137-0x0000000000000000-mapping.dmp
- memory/4752-139-0x0000000000400000-0x000000000041D000-memory.dmp
  Filesize: 116KB
- memory/4848-132-0x0000000000000000-mapping.dmp