Analysis

  • max time kernel
    63s
  • max time network
    145s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-en
  • resource tags

    arch:x64
    arch:x86
    image:win10v2004-20230220-en
    locale:en-us
    os:windows10-2004-x64
    system
  • submitted
    24/02/2023, 01:25

General

  • Target

    49ff2c2f0c21aa26f9ee4357241cdd347278ebacb5f343e34e71b431c891f7b7.exe

  • Size

    219KB

  • MD5

    0269b81f75aa1101e557c3ebb49eb4c5

  • SHA1

    67412ee26893ec720e4ae7734026047aafd8f58b

  • SHA256

    49ff2c2f0c21aa26f9ee4357241cdd347278ebacb5f343e34e71b431c891f7b7

  • SHA512

    79d957ba94f4bc73202f837894b81288aef3adb45f6d114b3cc1ad85dbd19533e4010ba0f9fefc260e5aeae431cd11d36e1b31f06f837c19f4b1b03b752c39d7

  • SSDEEP

    3072:WfY/TU9fE9PEtuTbJd1LgNtkoyj162pk7DdpFiUBnXJPVS9Zhj5h0hDUUCQn5+a6:AYa6F311516fDdhRXpVsNytUlQnDvS

Malware Config

Extracted

Family

warzonerat

C2

blackroots7.duckdns.org:1104

Signatures

  • WarzoneRat, AveMaria

    WarzoneRat (also tracked as AveMaria) is a native RAT written in C++ with multiple plugins, sold as malware-as-a-service (MaaS).

  • Warzone RAT payload 4 IoCs
  • Executes dropped EXE 2 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). The sandbox's generic description for this signature calls it likely ransomware behaviour; the family extracted for this sample is WarzoneRat, a RAT, so treat the ransomware label as a heuristic rather than a verdict.

  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 7 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\49ff2c2f0c21aa26f9ee4357241cdd347278ebacb5f343e34e71b431c891f7b7.exe
    "C:\Users\Admin\AppData\Local\Temp\49ff2c2f0c21aa26f9ee4357241cdd347278ebacb5f343e34e71b431c891f7b7.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1696
    • C:\Users\Admin\AppData\Local\Temp\vbhbm.exe
      "C:\Users\Admin\AppData\Local\Temp\vbhbm.exe" C:\Users\Admin\AppData\Local\Temp\gagsrkdsng.c
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of SetThreadContext
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of WriteProcessMemory
      PID:840
      • C:\Users\Admin\AppData\Local\Temp\vbhbm.exe
        "C:\Users\Admin\AppData\Local\Temp\vbhbm.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetWindowsHookEx
        PID:3080

Network


        Downloads

        • C:\Users\Admin\AppData\Local\Temp\gagsrkdsng.c

          Filesize

          7KB

          MD5

          7230a8526dfd97fc0171610a1e8508d3

          SHA1

          860cccd21d7703864155e647c46698893315ec83

          SHA256

          458074b370023aabeaab76f9ff9719a8e4d7eb943345ffa5740befd061814cd4

          SHA512

          35f8c01e51d7ed7a789089737088f45540907d2824107cd77717133dececd0cff2a531e2ee0898d35479e738bcf36da02e6fb684ec919e1e9ce459d1cd243e10

        • C:\Users\Admin\AppData\Local\Temp\vbhbm.exe

          Filesize

          91KB

          MD5

          e6b5f97b8f2e47169725e611f72c03e5

          SHA1

          dc355e2727ea340dd71e578883ea8857564cacbf

          SHA256

          6626caf5bfc3fb98ee20be19ea79c2d9d246d9f33e9804dc90fe96d762908de5

          SHA512

          b41ed29c7f03dfdd62111206d293d27522020944c0f815823ebabcabdf131924aa3f40e60d6589ddf6dbab6be49f2ada599606a1779d0645c001f066a9b58baa

        • C:\Users\Admin\AppData\Local\Temp\wbhjv.aj

          Filesize

          118KB

          MD5

          37bda11fd17a78077fe3810e7019bcc3

          SHA1

          4dc3f5a97f3b0702885f9f5443ed54cc16c5dfe5

          SHA256

          8f5ef1f11eb3fbaa3fc2e1557fa88fa72be6a75c4cf750456aa2eaddf05da034

          SHA512

          594ad3042f20cdd73d41998542dd5eac18ed3f7a1acfcf549b0ffba5b0a5796d887fa1aaa5d676ff80b6bd6ec280beaf40171ab6eefa023f705b9e043ab9781b

        • memory/840-140-0x0000000000C20000-0x0000000000C22000-memory.dmp

          Filesize

          8KB

        • memory/3080-143-0x0000000000400000-0x000000000041D000-memory.dmp

          Filesize

          116KB

        • memory/3080-146-0x0000000000400000-0x000000000041D000-memory.dmp

          Filesize

          116KB

        • memory/3080-148-0x0000000000400000-0x000000000041D000-memory.dmp

          Filesize

          116KB

        • memory/3080-149-0x0000000000400000-0x000000000041D000-memory.dmp

          Filesize

          116KB
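The indicators above (extracted C2, the dropped-file hashes under Downloads, the Run-key persistence and the vbhbm.exe self-relaunch in the process tree) can be turned directly into host-hunting checks. The script below is an added example, not part of the sandbox report and not the vendor's code. Its event schema (plain dicts with a `type` field and the field names used here) is an assumption chosen for illustration and should be mapped onto your own EDR or SIEM export; the `SAMPLE_EVENTS` at the bottom are constructed telemetry shaped like the report's process tree, not a real capture, and the Run-key value data in them is assumed, since the report only records that a Run key was added.

```python
"""Hunting helpers derived from the IoCs in this WarzoneRat sandbox report.

Added example, not part of the report. Event schema and field names are
assumptions for illustration; SAMPLE_EVENTS are constructed, not real telemetry.
"""
import re

# Indicators copied from the report.
C2_HOST = "blackroots7.duckdns.org"
C2_PORT = 1104
KNOWN_SHA256 = {
    "49ff2c2f0c21aa26f9ee4357241cdd347278ebacb5f343e34e71b431c891f7b7": "submitted sample",
    "6626caf5bfc3fb98ee20be19ea79c2d9d246d9f33e9804dc90fe96d762908de5": "vbhbm.exe (dropped loader)",
    "458074b370023aabeaab76f9ff9719a8e4d7eb943345ffa5740befd061814cd4": "gagsrkdsng.c",
    "8f5ef1f11eb3fbaa3fc2e1557fa88fa72be6a75c4cf750456aa2eaddf05da034": "wbhjv.aj",
}
TEMP_DIR = re.compile(r"\\AppData\\Local\\Temp\\", re.IGNORECASE)
RUN_KEY = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run$", re.IGNORECASE)


def hunt_self_relaunch(events):
    """Process-tree shape from the report: a binary in %LocalAppData%\\Temp starts a
    second copy of itself with the command-line argument stripped (vbhbm.exe PID 840
    -> PID 3080). Together with the SetThreadContext / WriteProcessMemory /
    MapViewOfSection signatures this is the usual footprint of process hollowing,
    so the child is the process to dump the unpacked payload from."""
    procs = {e["pid"]: e for e in events if e["type"] == "process"}
    hits = []
    for child in procs.values():
        parent = procs.get(child["ppid"])
        if parent is None or parent["image"].lower() != child["image"].lower():
            continue
        if TEMP_DIR.search(child["image"]) and len(parent["args"]) > len(child["args"]):
            hits.append(("self_relaunch_from_temp", parent["pid"], child["pid"]))
    return hits


def hunt_run_key(events):
    """'Adds Run key to start application': any Run value whose data points back
    into the Temp directory the loader was dropped in."""
    return [("run_key_to_temp", e["pid"], e["data"])
            for e in events
            if e["type"] == "registry" and RUN_KEY.search(e["key"]) and TEMP_DIR.search(e["data"])]


def hunt_c2(events):
    """Dynamic-DNS C2 from the extracted config. A host match is high confidence;
    the bare port on some other duckdns.org name is only a lead worth triaging."""
    hits = []
    for e in events:
        if e["type"] not in ("dns", "connect"):
            continue
        host = e["host"].lower()
        if host == C2_HOST:
            hits.append(("c2_host", e["pid"], host))
        elif e["type"] == "connect" and e["port"] == C2_PORT and host.endswith(".duckdns.org"):
            hits.append(("c2_port_on_ddns", e["pid"], f"{host}:{e['port']}"))
    return hits


def hunt_hashes(events):
    """Exact SHA-256 match against the sample and the files listed under Downloads."""
    return [("known_hash", e["pid"], KNOWN_SHA256[e["sha256"]])
            for e in events if e["type"] == "file" and e["sha256"] in KNOWN_SHA256]


def run_hunt(events):
    """Run every check; returns a sorted list of (rule, pid, detail) tuples."""
    findings = hunt_self_relaunch(events) + hunt_run_key(events) + hunt_c2(events) + hunt_hashes(events)
    return sorted(findings, key=lambda f: (f[0], str(f[1])))


# Constructed telemetry mirroring the report's process tree, plus benign noise.
TEMP = r"C:\Users\Admin\AppData\Local\Temp"
SAMPLE = "49ff2c2f0c21aa26f9ee4357241cdd347278ebacb5f343e34e71b431c891f7b7.exe"
SAMPLE_EVENTS = [
    {"type": "process", "pid": 1696, "ppid": 4000, "image": rf"{TEMP}\{SAMPLE}", "args": []},
    {"type": "process", "pid": 840, "ppid": 1696, "image": rf"{TEMP}\vbhbm.exe", "args": [rf"{TEMP}\gagsrkdsng.c"]},
    {"type": "process", "pid": 3080, "ppid": 840, "image": rf"{TEMP}\vbhbm.exe", "args": []},
    {"type": "process", "pid": 5120, "ppid": 4000, "image": r"C:\Windows\System32\notepad.exe", "args": []},
    # Run-key value data is assumed; the report only says a Run key was added.
    {"type": "registry", "pid": 840, "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "data": rf"{TEMP}\vbhbm.exe"},
    {"type": "dns", "pid": 3080, "host": "blackroots7.duckdns.org"},
    {"type": "connect", "pid": 3080, "host": "blackroots7.duckdns.org", "port": 1104},
    {"type": "connect", "pid": 5120, "host": "www.example.com", "port": 443},
    {"type": "file", "pid": 1696, "path": rf"{TEMP}\vbhbm.exe",
     "sha256": "6626caf5bfc3fb98ee20be19ea79c2d9d246d9f33e9804dc90fe96d762908de5"},
]

if __name__ == "__main__":
    for finding in run_hunt(SAMPLE_EVENTS):
        print(*finding)
```

The self-relaunch check is the one worth keeping even after the hashes and the duckdns name rotate: the dropped loader name, the hashes and the C2 are trivially changed per build, whereas a Temp-resident binary re-spawning itself with its argument removed is the structural artefact of how this loader hands off to the hollowed payload.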