Analysis
max time kernel: 138s
max time network: 173s
platform: windows10-2004_x64
resource: win10v2004-20220812-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
submitted: 02-12-2022 19:25
Behavioral tasks
behavioral1: sample 58f983d8647b0ea9e6f71bd1736a983d.exe, resource win7-20220901-en
behavioral2: sample 58f983d8647b0ea9e6f71bd1736a983d.exe, resource win10v2004-20220812-en
General
Target: 58f983d8647b0ea9e6f71bd1736a983d.exe
Size: 98KB
MD5: 58f983d8647b0ea9e6f71bd1736a983d
SHA1: 6e6285384012ae45de920c7156731f2a1ff63545
SHA256: 3d3d4c7153e535faa3e9933521d5072dfdaf15aef32743961df4d030fcd86105
SHA512: 4df48ed590ccd10e4b9c188604ccb6d116438fb83cb3abe5a7746ee2e5e97cd8003f2206d48d551cf220336cfe5c72f0451d246560a0079c1216b7deac03669e
SSDEEP: 1536:5Csejmb+6BQyusX1UjtA0uWRf/eloc/9T1jVEyp:AtD6jSm0uWRfCogTjVEG
Malware Config
Extracted family: warzonerat
C2: 4.tcp.eu.ngrok.io:18570
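The extracted C2 is an ngrok TCP tunnel endpoint, which means the host and port are rented from ngrok and can be rotated by the operator at any time; the durable indicator is the tunnel naming pattern, not this one host:port. The following Python is an added example (not part of the sandbox report or of WarzoneRAT tooling) that parses the extracted endpoint and then scans a constructed connection log for both the exact endpoint and any host matching the ngrok TCP tunnel pattern. The `NGROK_TCP_RE` pattern (`<n>.tcp.<region>.ngrok.io`, region optional) and the log format are this example's assumptions.

```python
import re
from typing import NamedTuple


class C2Endpoint(NamedTuple):
    host: str
    port: int


# The C2 string exactly as the extracted WarzoneRat config reports it.
EXTRACTED_C2 = "4.tcp.eu.ngrok.io:18570"

# Assumed ngrok TCP tunnel naming: <n>.tcp.<region>.ngrok.io, with the two-letter
# region label optional (e.g. 0.tcp.ngrok.io). Matching the family rather than
# one host:port survives the operator rotating the tunnel.
NGROK_TCP_RE = re.compile(r"^\d+\.tcp(?:\.[a-z]{2})?\.ngrok\.io$")


def parse_c2(value):
    """Split 'host:port' into a C2Endpoint, rejecting malformed input."""
    host, sep, port = value.rpartition(":")
    if not sep or not host or not port.isdigit() or not 0 < int(port) < 65536:
        raise ValueError(f"malformed C2 endpoint: {value!r}")
    return C2Endpoint(host.lower(), int(port))


def is_ngrok_tcp_tunnel(host):
    """True for any host in the ngrok TCP tunnel family."""
    return NGROK_TCP_RE.match(host.lower()) is not None


# Constructed sample connection log (not from the report), one record per line:
# "<timestamp> <src ip> <dst host> <dst port>".
SAMPLE_LOG = """\
2022-12-02T19:26:01Z 10.0.0.5 4.tcp.eu.ngrok.io 18570
2022-12-02T19:26:05Z 10.0.0.5 www.microsoft.com 443
2022-12-02T19:27:10Z 10.0.0.9 0.tcp.ngrok.io 12345
2022-12-02T19:27:30Z 10.0.0.9 ngrok.io 443
2022-12-02T19:28:02Z 10.0.0.7 4.tcp.eu.ngrok.io 443
"""


def find_c2_hits(log_text, c2):
    """Return (src, host, port, reason) for every record that reaches either
    the exact extracted endpoint or any ngrok TCP tunnel host."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4 or not parts[3].isdigit():
            continue  # skip malformed records rather than crash the sweep
        _ts, src, host, port = parts
        host, port = host.lower(), int(port)
        if host == c2.host and port == c2.port:
            hits.append((src, host, port, "exact"))
        elif is_ngrok_tcp_tunnel(host):
            hits.append((src, host, port, "ngrok-tcp-family"))
    return hits


if __name__ == "__main__":
    for hit in find_c2_hits(SAMPLE_LOG, parse_c2(EXTRACTED_C2)):
        print(hit)
```

Note that the bare `ngrok.io` record is deliberately not flagged: the apex domain and the web dashboard are used legitimately, so only the numbered `tcp` tunnel hosts are treated as suspicious.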
Signatures
- WarzoneRat, AveMaria
  WarzoneRAT (also tracked as AveMaria) is a native C++ RAT with multiple plugins, sold as malware-as-a-service (MaaS).
- Warzone RAT payload (2 IoCs)
  resource                    yara_rule
  C:\ProgramData\images.exe   warzonerat
  C:\ProgramData\images.exe   warzonerat
- Executes dropped EXE (1 IoC)
  pid    process
  3672   images.exe
- Suspicious use of WriteProcessMemory (8 IoCs)
  description                         pid    process                                 target process
  PID 4804 wrote to memory of 3672    4804   58f983d8647b0ea9e6f71bd1736a983d.exe    images.exe
  PID 4804 wrote to memory of 3672    4804   58f983d8647b0ea9e6f71bd1736a983d.exe    images.exe
  PID 4804 wrote to memory of 3672    4804   58f983d8647b0ea9e6f71bd1736a983d.exe    images.exe
  PID 3672 wrote to memory of 3748    3672   images.exe                              cmd.exe
  PID 3672 wrote to memory of 3748    3672   images.exe                              cmd.exe
  PID 3672 wrote to memory of 3748    3672   images.exe                              cmd.exe
  PID 3672 wrote to memory of 3748    3672   images.exe                              cmd.exe
  PID 3672 wrote to memory of 3748    3672   images.exe                              cmd.exe
  In both cases the writer is the direct parent of the target it has just spawned, the pattern expected of process injection into a child rather than of ordinary inter-process communication.
Processes
1. C:\Users\Admin\AppData\Local\Temp\58f983d8647b0ea9e6f71bd1736a983d.exe (PID 4804)
   command line: "C:\Users\Admin\AppData\Local\Temp\58f983d8647b0ea9e6f71bd1736a983d.exe"
   - Suspicious use of WriteProcessMemory
   2. C:\ProgramData\images.exe (PID 3672)
      command line: "C:\ProgramData\images.exe"
      - Executes dropped EXE
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\cmd.exe (PID 3748)
         command line: "C:\Windows\System32\cmd.exe"
         cmd.exe was requested as C:\Windows\System32\cmd.exe but ran from C:\Windows\SysWOW64: WoW64 file system redirection applied, which means images.exe (and therefore the sample it is a copy of) is a 32-bit image, consistent with the arch:x86 resource tag.
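The three facts a responder would pull out of the sections above are: the sample copied itself to C:\ProgramData\images.exe, each process wrote into the memory of the child it had just spawned, and the System32-to-SysWOW64 redirection marks the dropper as 32-bit. The following Python is an added example (not the sandbox's code and not part of the report) that encodes the report's PIDs, paths, hashes and WriteProcessMemory rows as inline data and runs those three checks over them; the data structures, function names and the triage dictionary are this example's own.

```python
from collections import Counter

# Facts copied from the report above; the code around them is this example's
# own triage helper, not the sandbox's.
SAMPLE_SHA256 = "3d3d4c7153e535faa3e9933521d5072dfdaf15aef32743961df4d030fcd86105"

# pid -> (image path, parent pid), from the Processes section.
PROCESSES = {
    4804: (r"C:\Users\Admin\AppData\Local\Temp\58f983d8647b0ea9e6f71bd1736a983d.exe", None),
    3672: (r"C:\ProgramData\images.exe", 4804),
    3748: (r"C:\Windows\SysWOW64\cmd.exe", 3672),
}

# Dropped-file hashes from the Downloads section.
DROPPED_SHA256 = {r"C:\ProgramData\images.exe": SAMPLE_SHA256}

# One (writer pid, target pid) entry per "wrote to memory of" row in the
# WriteProcessMemory signature: three into 3672, five into 3748.
WRITES = [(4804, 3672)] * 3 + [(3672, 3748)] * 5


def image_name(pid):
    """Basename of the process image for pid."""
    return PROCESSES[pid][0].rsplit("\\", 1)[-1]


def process_chain(pid):
    """Image names from the root of the tree down to pid."""
    chain = []
    while pid is not None:
        chain.append(image_name(pid))
        pid = PROCESSES[pid][1]
    return chain[::-1]


def self_copies(dropped, sample_sha256):
    """Dropped files whose SHA-256 equals the submitted sample: the sample
    wrote a byte-for-byte copy of itself elsewhere on disk."""
    return sorted(p for p, h in dropped.items() if h.lower() == sample_sha256.lower())


def parent_to_child_writes(writes):
    """Count WriteProcessMemory calls where the writer is the direct parent of
    the target. A parent writing into a child it just spawned is the pattern
    of process injection or hollowing, as opposed to a process writing into
    its own address space or into an unrelated process."""
    counts = Counter()
    for writer, target in writes:
        if writer != target and PROCESSES[target][1] == writer:
            counts[(image_name(writer), image_name(target))] += 1
    return counts


def wow64_redirected(requested_cmdline_path, actual_image_path):
    """True when the caller asked for System32 but the child ran from SysWOW64.
    WoW64 file system redirection does this for 32-bit callers, so it tells
    you the spawning process is a 32-bit image."""
    req = requested_cmdline_path.lower()
    act = actual_image_path.lower()
    return "\\windows\\system32\\" in req and "\\windows\\syswow64\\" in act


def triage():
    """Roll the checks up into one dict that a ticket or report can carry."""
    return {
        "chain": process_chain(3748),
        "self_copies": self_copies(DROPPED_SHA256, SAMPLE_SHA256),
        "injection_pairs": dict(parent_to_child_writes(WRITES)),
        "spawner_is_32bit": wow64_redirected(r"C:\Windows\System32\cmd.exe",
                                             PROCESSES[3748][0]),
    }


if __name__ == "__main__":
    for key, value in triage().items():
        print(f"{key}: {value}")
```

The count of parent-to-child writes is kept rather than collapsed to a boolean because a single write into a freshly created child is common benign behaviour (for example a launcher patching an environment block), whereas several writes into a suspended child before it runs is what hollowing looks like.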
Network
MITRE ATT&CK Matrix
Downloads
C:\ProgramData\images.exe
  Filesize: 98KB
  MD5: 58f983d8647b0ea9e6f71bd1736a983d
  SHA1: 6e6285384012ae45de920c7156731f2a1ff63545
  SHA256: 3d3d4c7153e535faa3e9933521d5072dfdaf15aef32743961df4d030fcd86105
  SHA512: 4df48ed590ccd10e4b9c188604ccb6d116438fb83cb3abe5a7746ee2e5e97cd8003f2206d48d551cf220336cfe5c72f0451d246560a0079c1216b7deac03669e
  All four hashes match the submitted sample, so images.exe is a byte-for-byte copy of it dropped into C:\ProgramData.
memory/3672-132-0x0000000000000000-mapping.dmp
memory/3748-135-0x0000000000000000-mapping.dmp
memory/3748-136-0x0000000001860000-0x0000000001861000-memory.dmp
  Filesize: 4KB