Analysis
max time kernel: 63s
max time network: 145s
platform: windows10-2004_x64
resource: win10v2004-20230220-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
submitted: 24/02/2023, 01:25
Static task: static1
Behavioral task: behavioral1
Sample: 49ff2c2f0c21aa26f9ee4357241cdd347278ebacb5f343e34e71b431c891f7b7.exe
Resource: win10v2004-20230220-en
General
Target: 49ff2c2f0c21aa26f9ee4357241cdd347278ebacb5f343e34e71b431c891f7b7.exe
Size: 219KB
MD5: 0269b81f75aa1101e557c3ebb49eb4c5
SHA1: 67412ee26893ec720e4ae7734026047aafd8f58b
SHA256: 49ff2c2f0c21aa26f9ee4357241cdd347278ebacb5f343e34e71b431c891f7b7
SHA512: 79d957ba94f4bc73202f837894b81288aef3adb45f6d114b3cc1ad85dbd19533e4010ba0f9fefc260e5aeae431cd11d36e1b31f06f837c19f4b1b03b752c39d7
SSDEEP: 3072:WfY/TU9fE9PEtuTbJd1LgNtkoyj162pk7DdpFiUBnXJPVS9Zhj5h0hDUUCQn5+a6:AYa6F311516fDdhRXpVsNytUlQnDvS
Malware Config
Extracted
warzonerat
blackroots7.duckdns.org:1104
Signatures
-
WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
-
Warzone RAT payload 4 IoCs
resource | yara_rule
behavioral1/memory/3080-143-0x0000000000400000-0x000000000041D000-memory.dmp | warzonerat
behavioral1/memory/3080-146-0x0000000000400000-0x000000000041D000-memory.dmp | warzonerat
behavioral1/memory/3080-148-0x0000000000400000-0x000000000041D000-memory.dmp | warzonerat
behavioral1/memory/3080-149-0x0000000000400000-0x000000000041D000-memory.dmp | warzonerat
-
Executes dropped EXE 2 IoCs
pid | Process
840 | vbhbm.exe
3080 | vbhbm.exe
-
Adds Run key to start application 2 TTPs 1 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\foktcx = "C:\\Users\\Admin\\AppData\\Roaming\\gxtmir\\nwgcluqav.exe \"C:\\Users\\Admin\\AppData\\Local\\Temp\\vbhbm.exe\" C:\\Users\\Admin\\AppData\\Local\\Tem" | vbhbm.exe
-
Suspicious use of SetThreadContext 1 IoCs
description | pid | Process | procid_target
PID 840 set thread context of 3080 | 840 | vbhbm.exe | 85
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious behavior: MapViewOfSection 1 IoCs
pid | Process
840 | vbhbm.exe
-
Suspicious use of SetWindowsHookEx 1 IoCs
pid | Process
3080 | vbhbm.exe
-
Suspicious use of WriteProcessMemory 7 IoCs
description | pid | Process | procid_target
PID 1696 wrote to memory of 840 | 1696 | 49ff2c2f0c21aa26f9ee4357241cdd347278ebacb5f343e34e71b431c891f7b7.exe | 83
PID 1696 wrote to memory of 840 | 1696 | 49ff2c2f0c21aa26f9ee4357241cdd347278ebacb5f343e34e71b431c891f7b7.exe | 83
PID 1696 wrote to memory of 840 | 1696 | 49ff2c2f0c21aa26f9ee4357241cdd347278ebacb5f343e34e71b431c891f7b7.exe | 83
PID 840 wrote to memory of 3080 | 840 | vbhbm.exe | 85
PID 840 wrote to memory of 3080 | 840 | vbhbm.exe | 85
PID 840 wrote to memory of 3080 | 840 | vbhbm.exe | 85
PID 840 wrote to memory of 3080 | 840 | vbhbm.exe | 85
Processes
-
C:\Users\Admin\AppData\Local\Temp\49ff2c2f0c21aa26f9ee4357241cdd347278ebacb5f343e34e71b431c891f7b7.exe (PID 1696)
  command line: "C:\Users\Admin\AppData\Local\Temp\49ff2c2f0c21aa26f9ee4357241cdd347278ebacb5f343e34e71b431c891f7b7.exe"
  - Suspicious use of WriteProcessMemory
  -
  C:\Users\Admin\AppData\Local\Temp\vbhbm.exe (PID 840, child of 1696)
    command line: "C:\Users\Admin\AppData\Local\Temp\vbhbm.exe" C:\Users\Admin\AppData\Local\Temp\gagsrkdsng.c
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of SetThreadContext
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory
    -
    C:\Users\Admin\AppData\Local\Temp\vbhbm.exe (PID 3080, child of 840)
      command line: "C:\Users\Admin\AppData\Local\Temp\vbhbm.exe"
      - Executes dropped EXE
      - Suspicious use of SetWindowsHookEx
Downloads
-
Filesize: 7KB
MD5: 7230a8526dfd97fc0171610a1e8508d3
SHA1: 860cccd21d7703864155e647c46698893315ec83
SHA256: 458074b370023aabeaab76f9ff9719a8e4d7eb943345ffa5740befd061814cd4
SHA512: 35f8c01e51d7ed7a789089737088f45540907d2824107cd77717133dececd0cff2a531e2ee0898d35479e738bcf36da02e6fb684ec919e1e9ce459d1cd243e10
-
Filesize: 91KB
MD5: e6b5f97b8f2e47169725e611f72c03e5
SHA1: dc355e2727ea340dd71e578883ea8857564cacbf
SHA256: 6626caf5bfc3fb98ee20be19ea79c2d9d246d9f33e9804dc90fe96d762908de5
SHA512: b41ed29c7f03dfdd62111206d293d27522020944c0f815823ebabcabdf131924aa3f40e60d6589ddf6dbab6be49f2ada599606a1779d0645c001f066a9b58baa
-
Filesize: 118KB
MD5: 37bda11fd17a78077fe3810e7019bcc3
SHA1: 4dc3f5a97f3b0702885f9f5443ed54cc16c5dfe5
SHA256: 8f5ef1f11eb3fbaa3fc2e1557fa88fa72be6a75c4cf750456aa2eaddf05da034
SHA512: 594ad3042f20cdd73d41998542dd5eac18ed3f7a1acfcf549b0ffba5b0a5796d887fa1aaa5d676ff80b6bd6ec280beaf40171ab6eefa023f705b9e043ab9781b