Analysis
- Max time kernel: 72s
- Max time network: 150s
- Platform: windows10-2004_x64
- Resource: win10v2004-20220812-en
- Resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
- Submitted: 14-12-2022 15:53
submitted
14-12-2022 15:53
Static task
- static1

Behavioral task
- behavioral1
  Sample: ave_maria_rat.exe
  Resource: win7-20221111-en (windows7-x64)
  8 signatures, 150 seconds

Behavioral task
- behavioral2
  Sample: ave_maria_rat.exe
  Resource: win10v2004-20220812-en (windows10-2004-x64)
  4 signatures, 150 seconds
General
- Target: ave_maria_rat.exe
- Size: 383KB
- MD5: d414115c947793d91a7d5a110053305c
- SHA1: 3a21e61f797e8abd4aa703f1f0d375d4d4fcc37a
- SHA256: 65eb2d7d35b22b4edfef16c7ff2f36d79b827145bc94644f7fe915a9378bf361
- SHA512: 0ab8a96b06ed9baf4f609faa4935fc6bae7ad1a77d0eb75bad03c41e3291505c7427ad457e1b88ad4fb352c3c549cd286ca5b4d0ffeb4ca1a7314dfb7f343b4e
- SSDEEP: 6144:dN9ydRO4MojT8Nbp2npn5soltfE7k0/PVukfu7Ncgw6cUulYvlJAplDaK0FFvaI:n90E4X8Cniolq/tukG7pw6cllWlJApla
- Score: 5/10
Malware Config
Signatures
- Suspicious use of SetThreadContext (1 IoC)
  Processes:
  description                            | pid  | process           | target process
  PID 5108 set thread context of 1332    | 5108 | ave_maria_rat.exe | ave_maria_rat.exe

- Program crash (1 IoC)
  Processes:
  pid  | pid_target | process      | target process
  1292 | 1332       | WerFault.exe | ave_maria_rat.exe

- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes:
  description              | pid  | process
  Token: SeDebugPrivilege  | 5108 | ave_maria_rat.exe

- Suspicious use of WriteProcessMemory (11 IoCs)
  Processes (the same row is reported 11 times):
  description                            | pid  | process           | target process
  PID 5108 wrote to memory of 1332       | 5108 | ave_maria_rat.exe | ave_maria_rat.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\ave_maria_rat.exe (PID 5108)
  Command line: "C:\Users\Admin\AppData\Local\Temp\ave_maria_rat.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\ave_maria_rat.exe (PID 1332)
    Command line: C:\Users\Admin\AppData\Local\Temp\ave_maria_rat.exe
    - C:\Windows\SysWOW64\WerFault.exe (PID 1292)
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1332 -s 80
      - Program crash
- C:\Windows\SysWOW64\WerFault.exe (PID 372)
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 1332 -ip 1332
Network
MITRE ATT&CK Matrix
Downloads
- memory/1332-136-0x0000000000000000-mapping.dmp
- memory/5108-132-0x0000000000830000-0x0000000000898000-memory.dmp (Filesize: 416KB)
- memory/5108-133-0x000000000DF10000-0x000000000DFAC000-memory.dmp (Filesize: 624KB)
- memory/5108-134-0x000000000E560000-0x000000000EB04000-memory.dmp (Filesize: 5.6MB)
- memory/5108-135-0x000000000DFB0000-0x000000000E042000-memory.dmp (Filesize: 584KB)