Analysis
max time kernel: 54s
max time network: 147s
platform: windows10-1703_x64
resource: win10-20220812-en
resource tags: arch:x64, arch:x86, image:win10-20220812-en, locale:en-us, os:windows10-1703-x64, system
submitted: 05-12-2022 01:56
Static task: static1
Behavioral task: behavioral1
Sample: 0d55e06cd828379885488ae1eba557d8e92d146aa3c1186801846a52a3a0af71.exe
Resource: win10-20220812-en
General
Target: 0d55e06cd828379885488ae1eba557d8e92d146aa3c1186801846a52a3a0af71.exe
Size: 391KB
MD5: 0cae9f651145e402f998e3a8a667b031
SHA1: e2ec187f426ea2601868916da80e62839e30c99a
SHA256: 0d55e06cd828379885488ae1eba557d8e92d146aa3c1186801846a52a3a0af71
SHA512: 928604e9f28b7827ab67209c6ae73aa6f1e2e442ea427cb135870fbba00021df5844be7063bf839507ad3081e068f7b7e36f802849b48145b858f9fcae68827f
SSDEEP: 6144:HBnAU1X9Tel6FV4aURtm1r0yACZTInUXYbIyn:WU1+6FV490r0yACOIYd
Malware Config
Extracted
warzonerat
revive147.duckdns.org:6513
Signatures
- WarzoneRat, AveMaria
  WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
- Warzone RAT payload (2 IoCs)
  Processes (resource -> yara_rule):
  behavioral1/memory/2876-251-0x0000000000400000-0x000000000041D000-memory.dmp -> warzonerat
  behavioral1/memory/2876-272-0x0000000000400000-0x000000000041D000-memory.dmp -> warzonerat
- Executes dropped EXE (2 IoCs)
  Processes (pid, process):
  4904 xrfqtvbjh.exe
  2876 xrfqtvbjh.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes (description, ioc, process):
  Set value (str) \REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000\Software\Microsoft\Windows\CurrentVersion\Run\oivwlrhyk = "C:\\Users\\Admin\\AppData\\Roaming\\hprllbdymxpxuh\\cbsfkgnxd.exe \"C:\\Users\\Admin\\AppData\\Local\\Temp\\xrfqtvbjh.exe\" C:\\Users\\Admin\\AppDa" (process: xrfqtvbjh.exe)
- Suspicious use of SetThreadContext (1 IoC)
  Processes (description, pid, process, target process):
  PID 4904 set thread context of 2876; 4904 xrfqtvbjh.exe -> xrfqtvbjh.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious behavior: MapViewOfSection (1 IoC)
  Processes (pid, process):
  4904 xrfqtvbjh.exe
- Suspicious use of SetWindowsHookEx (1 IoC)
  Processes (pid, process):
  2876 xrfqtvbjh.exe
- Suspicious use of WriteProcessMemory (7 IoCs)
  Processes (description, pid, process, target process):
  PID 2504 wrote to memory of 4904; 2504 0d55e06cd828379885488ae1eba557d8e92d146aa3c1186801846a52a3a0af71.exe -> xrfqtvbjh.exe (3 entries)
  PID 4904 wrote to memory of 2876; 4904 xrfqtvbjh.exe -> xrfqtvbjh.exe (4 entries)
Processes
- C:\Users\Admin\AppData\Local\Temp\0d55e06cd828379885488ae1eba557d8e92d146aa3c1186801846a52a3a0af71.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\0d55e06cd828379885488ae1eba557d8e92d146aa3c1186801846a52a3a0af71.exe"
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\xrfqtvbjh.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\xrfqtvbjh.exe" C:\Users\Admin\AppData\Local\Temp\xkoyijrfu.qub
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of SetThreadContext
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\xrfqtvbjh.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\xrfqtvbjh.exe"
      - Executes dropped EXE
      - Suspicious use of SetWindowsHookEx
Downloads
- C:\Users\Admin\AppData\Local\Temp\quofhtvqb.d
  Filesize: 98KB
  MD5: 0e713c87ed4547714c9358243f222f39
  SHA1: 3de5c724fce16a39ab7a98d2c6769a8e961be125
  SHA256: cb969368031a0125c507b2f3ed87481bc4624ce0d9e5df497fce081a2e43ad2b
  SHA512: ccd375da7b5c2b1f1f181cb0febaf712af4d6ea6a0a3a0f4cae958115faf988890580dc1042902f694efc890a6641f4005b033a319421f0928bc2bb499ca3aac
- C:\Users\Admin\AppData\Local\Temp\xkoyijrfu.qub
  Filesize: 7KB
  MD5: 4e19c2ca8bf29c504bebb3dd26ecd907
  SHA1: f5b3f8567f2d6b997888624877eea85247e4f339
  SHA256: 4fa156f18a47cdecaf087d73cea8850c81194e69caf3fe82564b02a08361ec33
  SHA512: 7b83ac621e4fc4df2937b410f60d0927753f0c65dc0127fb76a228efd8bbe9f28bc25dda0e82acb030cf473a16fef10a7d9e8324095faaaa589c0126fc1bd87d
- C:\Users\Admin\AppData\Local\Temp\xrfqtvbjh.exe
  Filesize: 99KB
  MD5: 33e48543b5c1a7e3bc7d46c364b63f1d
  SHA1: 3ef75630d52aa8feb7076dad597474d708acf3d1
  SHA256: 2554d8253ea51b778f732ec27ce22e53f378a95608d7c286c0259e1e3b00159d
  SHA512: c6a0df1a4fc4f5c13465db394f1a817d7b495a0b850d189d158ef9c02ec77d1b299d5b36ec4d8baaf52db21fb5bc6c279fdcd78ca209d8cce41b8ed46df3ef9a