Analysis
max time kernel: 104s
max time network: 33s
platform: windows7_x64
resource: win7-20230220-en
resource tags: arch:x64, arch:x86, image:win7-20230220-en, locale:en-us, os:windows7-x64, system
submitted: 24/02/2023, 10:47
Static task: static1
Behavioral task: behavioral1
  Sample: WO-00277679 part order 00020251.exe
  Resource: win7-20230220-en
Behavioral task: behavioral2
  Sample: WO-00277679 part order 00020251.exe
  Resource: win10v2004-20230220-en
General
Target: WO-00277679 part order 00020251.exe
Size: 872KB
MD5: 36acedbe7fb2df05f48085b27c6b8291
SHA1: dce7c0288ce81973146e8b6c05711d6bac7e44d0
SHA256: d31660eade4be3674a127905a7766076d672dc90f3914daf753e338ad1fd4d8e
SHA512: 264dace4540ec593dafa755702edb867ec1030f3a50afbec772b9f5767c99d39b2a5a09811e03aa36093baabd2441b7c4059b670e443056a9885ee81a4c6ee2d
SSDEEP: 24576:x5f333kTsIBMNjnNNOhAe/S0s5XBAO04YOvB/YNUx4J:xcS3ANTJ
Malware Config
Extracted
Family: warzonerat
C2: telenaxty.ddns.net:7706
Signatures
- WarzoneRat, AveMaria
  WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
- Warzone RAT payload (8 IoCs)
  resource | yara_rule
  behavioral1/memory/648-69-0x0000000000400000-0x0000000000554000-memory.dmp | warzonerat
  behavioral1/memory/648-70-0x0000000000400000-0x0000000000554000-memory.dmp | warzonerat
  behavioral1/memory/648-71-0x0000000000400000-0x0000000000554000-memory.dmp | warzonerat
  behavioral1/memory/648-72-0x0000000000400000-0x0000000000554000-memory.dmp | warzonerat
  behavioral1/memory/648-74-0x0000000000400000-0x0000000000554000-memory.dmp | warzonerat
  behavioral1/memory/648-76-0x0000000000400000-0x0000000000554000-memory.dmp | warzonerat
  behavioral1/memory/648-77-0x0000000000400000-0x0000000000554000-memory.dmp | warzonerat
  behavioral1/memory/648-84-0x0000000000400000-0x0000000000554000-memory.dmp | warzonerat
- Executes dropped EXE (6 IoCs)
  pid | Process
  900 | images.exe
  1244 | images.exe
  1620 | images.exe
  1876 | images.exe
  1036 | images.exe
  820 | images.exe
- Loads dropped DLL (1 IoC)
  pid | Process
  648 | WO-00277679 part order 00020251.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  description | ioc | Process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Images = "C:\\ProgramData\\images.exe" | WO-00277679 part order 00020251.exe
- Suspicious use of SetThreadContext (1 IoC)
  description | pid | Process | procid_target
  PID 1304 set thread context of 648 | 1304 | WO-00277679 part order 00020251.exe | 31
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Creates scheduled task(s) (1 TTP, 2 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  pid | Process
  996 | schtasks.exe
  2020 | schtasks.exe
- Suspicious behavior: EnumeratesProcesses (7 IoCs)
  pid | Process
  900 | images.exe (7 occurrences)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  description | pid | Process
  Token: SeDebugPrivilege | 900 | images.exe
- Suspicious use of WriteProcessMemory (44 IoCs)
  description | pid | Process | procid_target | occurrences
  PID 1304 wrote to memory of 996 | 1304 | WO-00277679 part order 00020251.exe | 29 | 4
  PID 1304 wrote to memory of 648 | 1304 | WO-00277679 part order 00020251.exe | 31 | 12
  PID 648 wrote to memory of 900 | 648 | WO-00277679 part order 00020251.exe | 32 | 4
  PID 900 wrote to memory of 2020 | 900 | images.exe | 34 | 4
  PID 900 wrote to memory of 1244 | 900 | images.exe | 36 | 4
  PID 900 wrote to memory of 1620 | 900 | images.exe | 37 | 4
  PID 900 wrote to memory of 1876 | 900 | images.exe | 39 | 4
  PID 900 wrote to memory of 1036 | 900 | images.exe | 38 | 4
  PID 900 wrote to memory of 820 | 900 | images.exe | 40 | 4
Processes
C:\Users\Admin\AppData\Local\Temp\WO-00277679 part order 00020251.exe (PID 1304)
  Command line: "C:\Users\Admin\AppData\Local\Temp\WO-00277679 part order 00020251.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\schtasks.exe (PID 996)
    Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\FdrWafawN" /XML "C:\Users\Admin\AppData\Local\Temp\tmp781D.tmp"
    - Creates scheduled task(s)
  C:\Users\Admin\AppData\Local\Temp\WO-00277679 part order 00020251.exe (PID 648)
    Command line: "{path}"
    - Loads dropped DLL
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    C:\ProgramData\images.exe (PID 900)
      Command line: "C:\ProgramData\images.exe"
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      C:\Windows\SysWOW64\schtasks.exe (PID 2020)
        Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\FdrWafawN" /XML "C:\Users\Admin\AppData\Local\Temp\tmp7BE5.tmp"
        - Creates scheduled task(s)
      C:\ProgramData\images.exe (PID 1244)
        Command line: "{path}"
        - Executes dropped EXE
      C:\ProgramData\images.exe (PID 1620)
        Command line: "{path}"
        - Executes dropped EXE
      C:\ProgramData\images.exe (PID 1036)
        Command line: "{path}"
        - Executes dropped EXE
      C:\ProgramData\images.exe (PID 1876)
        Command line: "{path}"
        - Executes dropped EXE
      C:\ProgramData\images.exe (PID 820)
        Command line: "{path}"
        - Executes dropped EXE
C:\Windows\SysWOW64\DllHost.exe (PID 1164)
  Command line: C:\Windows\SysWOW64\DllHost.exe /Processid:{3F6B5E16-092A-41ED-930B-0B4125D91D4E}
C:\Windows\SysWOW64\DllHost.exe (PID 1552)
  Command line: C:\Windows\SysWOW64\DllHost.exe /Processid:{3F6B5E16-092A-41ED-930B-0B4125D91D4E}
Network
MITRE ATT&CK Enterprise v6
Downloads
- Filesize: 872KB
  MD5: 36acedbe7fb2df05f48085b27c6b8291
  SHA1: dce7c0288ce81973146e8b6c05711d6bac7e44d0
  SHA256: d31660eade4be3674a127905a7766076d672dc90f3914daf753e338ad1fd4d8e
  SHA512: 264dace4540ec593dafa755702edb867ec1030f3a50afbec772b9f5767c99d39b2a5a09811e03aa36093baabd2441b7c4059b670e443056a9885ee81a4c6ee2d
- Filesize: 1KB
  MD5: ea660137dbe3928fd852c5ae3a4bbdcf
  SHA1: 9abab3cdc4cbb1c883c3236f19926c2653353c3f
  SHA256: 531d65bafe66cb8b3fcc8434fafdb7a45dd90286cb8ab6f896d20ee617ef6da3
  SHA512: 79da40d471938ffce55de76d74af34c8fcdd90d269f4f4e64fa1270db47005ae9613a0bf8d76231504c72517e3e8429b33580e837478e4dc42b82281cfdf189f
- C:\Users\Admin\AppData\Roaming\Microsoft\Speech\Files\UserLexicons\SP_228B80BA3CB248188EB2453959CE0AB5.dat
  Filesize: 940B
  MD5: 24106620dbeb33ce01fe07a3e6dce94e
  SHA1: 55fd5a110be8273b922f91ed33af222daf02c6d3
  SHA256: afbb6d61c33680e16e44c86787afaeab1b65f0e52889ad7e61ea1662d9659c00
  SHA512: 8e7c36ee5e20b23d9175791f55c43beea699a304c38b75d6192128220c357ad5b17d5556f9c29e888c5d965239d9bdf70b85c32532ca615286c1af7a13cea02d