Analysis
Max time kernel: 91s
Max time network: 155s
Platform: windows10-2004_x64
Resource: win10v2004-20220901-en
Resource tags: arch:x64, arch:x86, image:win10v2004-20220901-en, locale:en-us, os:windows10-2004-x64, system
Submitted: 06-12-2022 02:17
Static task: static1
Behavioral task: behavioral1
Sample: a604be01cfee0dd2f3fdb6af8ed840668908d2dd268d2564486b4390d5eab66e.exe
Resource: win10v2004-20220901-en
General
Target: a604be01cfee0dd2f3fdb6af8ed840668908d2dd268d2564486b4390d5eab66e.exe
Size: 327KB
MD5: e16edffaa9687714e5f9ebb9220f44fd
SHA1: 847f729d7d68bcb6746cc82295878b0cabf33388
SHA256: a604be01cfee0dd2f3fdb6af8ed840668908d2dd268d2564486b4390d5eab66e
SHA512: f6f74d4975cbfeab7ed269619795b7f46d818fa2409c6f42bb6d3677e0785612bc900a943ede907396289b899e2a39ed18031049bab9636b6873ed350433ba19
SSDEEP: 6144:PBnxm/hZudIIuLpkyzypTJUwdYO+HDIG4jcE:LzdIZpkplVGfHDIHjf
Malware Config
Extracted
Family: warzonerat
C2: baramac.duckdns.org:6269
Signatures

WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.

Warzone RAT payload (1 IoC)
resource | yara_rule
behavioral1/memory/4844-139-0x0000000000400000-0x000000000041D000-memory.dmp | warzonerat

Executes dropped EXE (2 IoCs)
Processes: cqlkm.exe, cqlkm.exe
pid | process
4928 | cqlkm.exe
4844 | cqlkm.exe

Adds Run key to start application (2 TTPs, 1 IoC)
Processes: cqlkm.exe
description | ioc | process
Set value (str) | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\efrm = "C:\\Users\\Admin\\AppData\\Roaming\\smvvcpumrbjp\\eyhxgrfty.exe \"C:\\Users\\Admin\\AppData\\Local\\Temp\\cqlkm.exe\" C:\\Users\\Admin\\AppData\\Loc" | cqlkm.exe

Suspicious use of SetThreadContext (1 IoC)
Processes: cqlkm.exe
description | pid | process | target process
PID 4928 set thread context of 4844 | 4928 | cqlkm.exe | cqlkm.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Suspicious behavior: MapViewOfSection (1 IoC)
Processes: cqlkm.exe
pid | process
4928 | cqlkm.exe

Suspicious use of SetWindowsHookEx (1 IoC)
Processes: cqlkm.exe
pid | process
4844 | cqlkm.exe

Suspicious use of WriteProcessMemory (7 IoCs)
Processes: a604be01cfee0dd2f3fdb6af8ed840668908d2dd268d2564486b4390d5eab66e.exe, cqlkm.exe
description | pid | process | target process
PID 5036 wrote to memory of 4928 | 5036 | a604be01cfee0dd2f3fdb6af8ed840668908d2dd268d2564486b4390d5eab66e.exe | cqlkm.exe
PID 5036 wrote to memory of 4928 | 5036 | a604be01cfee0dd2f3fdb6af8ed840668908d2dd268d2564486b4390d5eab66e.exe | cqlkm.exe
PID 5036 wrote to memory of 4928 | 5036 | a604be01cfee0dd2f3fdb6af8ed840668908d2dd268d2564486b4390d5eab66e.exe | cqlkm.exe
PID 4928 wrote to memory of 4844 | 4928 | cqlkm.exe | cqlkm.exe
PID 4928 wrote to memory of 4844 | 4928 | cqlkm.exe | cqlkm.exe
PID 4928 wrote to memory of 4844 | 4928 | cqlkm.exe | cqlkm.exe
PID 4928 wrote to memory of 4844 | 4928 | cqlkm.exe | cqlkm.exe
Processes

1. C:\Users\Admin\AppData\Local\Temp\a604be01cfee0dd2f3fdb6af8ed840668908d2dd268d2564486b4390d5eab66e.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\a604be01cfee0dd2f3fdb6af8ed840668908d2dd268d2564486b4390d5eab66e.exe"
   - Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\AppData\Local\Temp\cqlkm.exe (child of 1)
      Command line: "C:\Users\Admin\AppData\Local\Temp\cqlkm.exe" C:\Users\Admin\AppData\Local\Temp\lfkexjnrqf.tvq
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious use of SetThreadContext
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of WriteProcessMemory

      3. C:\Users\Admin\AppData\Local\Temp\cqlkm.exe (child of 2)
         Command line: "C:\Users\Admin\AppData\Local\Temp\cqlkm.exe"
         - Executes dropped EXE
         - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads

C:\Users\Admin\AppData\Local\Temp\cqlkm.exe
Filesize: 12KB
MD5: ef89ea8ef2c335d2d454b49c6ad68b5d
SHA1: b46980d64871927d92d3c83ffceda4cc0593ac09
SHA256: 0854e2fb4d1efae6325720dfe04bf8f71ebbb33fb1038caacdda2612ca9b7573
SHA512: 5c9c744f5c770a458bebb5904f8445671b692352b72ed39e3c287fa0e581970c418521d82b6b8846958a994a83ff19eaba6f749f0911d14d100a62f4b78eb737

C:\Users\Admin\AppData\Local\Temp\lfkexjnrqf.tvq
Filesize: 7KB
MD5: 8ed0eb2b545ae6045dda88e66aaddbf1
SHA1: 001e9ab1ef8c1d7973001fd43d10c34dbe5d50d4
SHA256: 8ae557931095c1bf17bdd537b60d144f7b5e962bd620c1bc1c2379f3ee3f9edd
SHA512: 17052ca191d32fd018f7626768398b749c0479e861577ebeaae26459cc121561d4fca16a10c3be435f46a74d3042a62e1ed3f6078d4ad61ebb852b521d174f7d

C:\Users\Admin\AppData\Local\Temp\wvxvazzyx.ve
Filesize: 98KB
MD5: d54eff50aa3ab52ff5e821296479bf81
SHA1: 57a9d8e3527d4ad6f75cb3f6e3b20a96052149e5
SHA256: 718e6e8861040d2bdf89466958503ab68e86ed9ca296b14031a9fde3a730c64a
SHA512: e3bf982075f6151f7b4a798c10bc4bbb904c00ba790219e148fee25ddef0f8f1460c481ae029528c848c4eb45b7938df4addd30f27beeac2559b972f2628ca0d

memory/4844-137-0x0000000000000000-mapping.dmp

memory/4844-139-0x0000000000400000-0x000000000041D000-memory.dmp
Filesize: 116KB

memory/4928-132-0x0000000000000000-mapping.dmp