Analysis
max time kernel: 140s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20220812-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
submitted: 06-12-2022 08:08
Static task: static1
Behavioral task: behavioral1
Sample: 3707533042d67a657b987ec153e0b5711f0c4d06377ee5143759483698bc7f48.exe
Resource: win10v2004-20220812-en
General
Target: 3707533042d67a657b987ec153e0b5711f0c4d06377ee5143759483698bc7f48.exe
Size: 347KB
MD5: 6919d85bb10aad2b3078283f8b9108f0
SHA1: 3a11e7ff6bf51467f197dec068b6abeb2570eb68
SHA256: 3707533042d67a657b987ec153e0b5711f0c4d06377ee5143759483698bc7f48
SHA512: 8dedcd2a3a684fd5e1078d6b1404479267a0b5fa5a851c5a3de65a02ccdbeef2aa2587fc69172791e125a15be4c8383a622f50abc50a45488ef1aa0ef9bcbead
SSDEEP: 3072:HEhKzShSycb2OYLwt1LX9kC+Nl6FJT/AaUkMqpN08UKgCj6KJ4w6QonNIZ3cyV/L:HBnAU1X9Tel6FV4aURqpq1CjA/NY3fL
Malware Config
Extracted
warzonerat
baramac.duckdns.org:6269
Signatures
- WarzoneRat, AveMaria
  WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
- Warzone RAT payload (1 IoC)
  resource: behavioral1/memory/3468-139-0x0000000000400000-0x000000000041D000-memory.dmp
  yara_rule: warzonerat
- Executes dropped EXE (2 IoCs)
  pid 2960: bfctcfvlam.exe
  pid 3468: bfctcfvlam.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  description: Set value (str)
  ioc: \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\byopasxjub = "C:\\Users\\Admin\\AppData\\Roaming\\gxnomttw\\clfngtotjcn.exe \"C:\\Users\\Admin\\AppData\\Local\\Temp\\bfctcfvlam.exe\" C:\\Users\\Admin\\AppData\\"
  process: bfctcfvlam.exe
- Suspicious use of SetThreadContext (1 IoC)
  description: PID 2960 set thread context of 3468
  pid: 2960, process: bfctcfvlam.exe, target process: bfctcfvlam.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious behavior: MapViewOfSection (1 IoC)
  pid 2960: bfctcfvlam.exe
- Suspicious use of SetWindowsHookEx (1 IoC)
  pid 3468: bfctcfvlam.exe
- Suspicious use of WriteProcessMemory (7 IoCs)
  PID 4216 wrote to memory of 2960: 3707533042d67a657b987ec153e0b5711f0c4d06377ee5143759483698bc7f48.exe -> bfctcfvlam.exe (3 writes)
  PID 2960 wrote to memory of 3468: bfctcfvlam.exe -> bfctcfvlam.exe (4 writes)
Processes
- C:\Users\Admin\AppData\Local\Temp\3707533042d67a657b987ec153e0b5711f0c4d06377ee5143759483698bc7f48.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\3707533042d67a657b987ec153e0b5711f0c4d06377ee5143759483698bc7f48.exe"
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\bfctcfvlam.exe (child)
    command line: "C:\Users\Admin\AppData\Local\Temp\bfctcfvlam.exe" C:\Users\Admin\AppData\Local\Temp\vezrmelyb.d
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of SetThreadContext
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\bfctcfvlam.exe (child)
      command line: "C:\Users\Admin\AppData\Local\Temp\bfctcfvlam.exe"
      - Executes dropped EXE
      - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\bfctcfvlam.exe
  Filesize: 12KB
  MD5: 55f6c059b1b9b8937a03a0409218cbf6
  SHA1: b1d59ab9d2d32c35cccd35bc485b4fe3cfc9dcd4
  SHA256: 3f14b8be08aa1c0f3e6c2c7c58a6c1cbff39647cbb3d430ace8c411d43330476
  SHA512: 5b33cebbd8e45ea26cddb39b1e80f5fd3718dbf1a89e2c8cb740a32b369d848bcd11be0fdb21e5d9392ccb7ce70fe595d6bd72b4d6ccd394bbfaa0acc124eda1
- C:\Users\Admin\AppData\Local\Temp\ickztvancv.lez
  Filesize: 98KB
  MD5: 16bad3cabe4186c24eaaf1100f795150
  SHA1: a140ecb2c690ffc44077c2017d819657e75f6818
  SHA256: 86860100715a1aea106bb16d7e855b4652eba52b6f28ebe57e3a929f8e2f5d9a
  SHA512: 1fb27338d4f47dfde7e0752fad4d24e6fe60d8fb56c35f8be55c94a786872f817330b36385f0c98c9b46572d57c423bd22cfd2d7a530fcef568e1a2df838f04a
- C:\Users\Admin\AppData\Local\Temp\vezrmelyb.d
  Filesize: 7KB
  MD5: 5a9896aeebe978e68d2acbec19c4075b
  SHA1: 3edd7aa395c7874f96ff9ceabf67e8d170c55041
  SHA256: c135d60595d1c7d25cb9f4eb899aec4d05ce7f1c149b16b2def80346b69324df
  SHA512: c847991d0c83a254ebae5a48947ed44f173c86f133945a7b9a669f965cab0c3c3243246d6a19bf4d26e8e8da3b89d422bdc34c74eea9ba627383b1d0010b7e73
- memory/2960-132-0x0000000000000000-mapping.dmp
- memory/3468-137-0x0000000000000000-mapping.dmp
- memory/3468-139-0x0000000000400000-0x000000000041D000-memory.dmp
  Filesize: 116KB