Analysis
max time kernel: 99s
max time network: 123s
platform: windows10-2004_x64
resource: win10v2004-20230220-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
submitted: 24/02/2023, 14:33
Static task: static1
Behavioral task: behavioral1
  Sample: 28c462381899d5a4f67656944b6025f9.exe
  Resource: win7-20230220-en
Behavioral task: behavioral2
  Sample: 28c462381899d5a4f67656944b6025f9.exe
  Resource: win10v2004-20230220-en
General
Target: 28c462381899d5a4f67656944b6025f9.exe
Size: 202KB
MD5: 28c462381899d5a4f67656944b6025f9
SHA1: 97daf057dd9f1d1c7d3ef9ed222b46fbda7a52cb
SHA256: da029a807d20d6ab41299ae370424cc78fab56d7ee97d11f1156f4e99e54c87a
SHA512: d6b86feddbc0af9ff7db8d9e4ec718950d38f60a0d96595ef71c386855607db98ca26eee566205a662d07ae0cb6874bd81eccf45f6352eaa9e613a58b9d64283
SSDEEP: 3072:WfY/TU9fE9PEtuXbgm7CYP740EF4piZjIIuGzDxreu1hDR+xQ/WW:AYa6hxGKQe6C4hF+xWWW
Malware Config
Extracted
Family: warzonerat
Host: blackroots7.duckdns.org:1104
Signatures

WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.

Warzone RAT payload (3 IoCs)
  resource: behavioral2/memory/3916-143-0x0000000000500000-0x000000000051D000-memory.dmp, yara_rule: warzonerat
  resource: behavioral2/memory/3916-150-0x0000000000500000-0x000000000051D000-memory.dmp, yara_rule: warzonerat
  resource: behavioral2/memory/3916-156-0x0000000000500000-0x000000000051D000-memory.dmp, yara_rule: warzonerat

Executes dropped EXE (2 IoCs)
  pid: 3540, Process: avxyq.exe
  pid: 3916, Process: avxyq.exe

Adds Run key to start application (2 TTPs, 1 IoCs)
  description: Set value (str)
  ioc: \REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\iqmvfbk = "C:\\Users\\Admin\\AppData\\Roaming\\vfoktpyiemvrb\\wgplueajfoxtdm.exe \"C:\\Users\\Admin\\AppData\\Local\\Temp\\avxyq.exe\" C:\\Users\\Admin\\AppD" (value truncated in the report)
  Process: avxyq.exe

Suspicious use of SetThreadContext (1 IoCs)
  description: PID 3540 set thread context of 3916, pid: 3540, Process: avxyq.exe, procid_target: 87

Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Program crash (1 IoCs)
  pid: 312, pid_target: 3916, Process: WerFault.exe, procid_target: 87

Suspicious behavior: MapViewOfSection (2 IoCs)
  pid: 3540, Process: avxyq.exe
  pid: 3540, Process: avxyq.exe

Suspicious use of WriteProcessMemory (7 IoCs)
  description: PID 1992 wrote to memory of 3540, pid: 1992, Process: 28c462381899d5a4f67656944b6025f9.exe, procid_target: 85
  description: PID 1992 wrote to memory of 3540, pid: 1992, Process: 28c462381899d5a4f67656944b6025f9.exe, procid_target: 85
  description: PID 1992 wrote to memory of 3540, pid: 1992, Process: 28c462381899d5a4f67656944b6025f9.exe, procid_target: 85
  description: PID 3540 wrote to memory of 3916, pid: 3540, Process: avxyq.exe, procid_target: 87
  description: PID 3540 wrote to memory of 3916, pid: 3540, Process: avxyq.exe, procid_target: 87
  description: PID 3540 wrote to memory of 3916, pid: 3540, Process: avxyq.exe, procid_target: 87
  description: PID 3540 wrote to memory of 3916, pid: 3540, Process: avxyq.exe, procid_target: 87
Processes

C:\Users\Admin\AppData\Local\Temp\28c462381899d5a4f67656944b6025f9.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\28c462381899d5a4f67656944b6025f9.exe"
  PID: 1992
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\avxyq.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\avxyq.exe" C:\Users\Admin\AppData\Local\Temp\efkmzemi.oij
    PID: 3540
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of SetThreadContext
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\avxyq.exe
      command line: "C:\Users\Admin\AppData\Local\Temp\avxyq.exe"
      PID: 3916
      - Executes dropped EXE

      C:\Windows\SysWOW64\WerFault.exe
        command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3916 -s 496
        PID: 312
        - Program crash

C:\Windows\SysWOW64\WerFault.exe
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 3916 -ip 3916
  PID: 1452
Network
MITRE ATT&CK Enterprise v6
Downloads

Filesize: 60KB
MD5: 156ed6700ef54cfa83a1a220e842a328
SHA1: 3cebd8e30387e6fbcd235dfd5f38240e660a2fc7
SHA256: d331afaea61b2e228760e493dc3849c1161a782d1dae1a7098262c0983bf6f11
SHA512: c5ee0c10641837707b5b0d034e7fa50891ca45968a7e360e7970e9ab4ff2f66132c75a2a72db8d50511b1ef9366bc5deeae73f9ce744ca583eaf445d69b6608b

Filesize: 7KB
MD5: 6bd6d3f8e44429f2be3e2d45bb17f2f2
SHA1: 76e8137a69cb6b15ff0194d67e1fb91aa0e9aed0
SHA256: 74538cb526634df66399cba1d4fddc07427059fd81842160ee52aee8b33feff8
SHA512: f142917a41e9d5de39e6818c660c569a9e3b3db96d22c5af2e273a2d5045976593c805d7266a8d4545eb013461c24159b7f70aa3cf405cb1c8cde44a3e26ae0e

Filesize: 118KB
MD5: bbaa20f28881493009df30cd773b0cc5
SHA1: ac779c0fd7e238a79720d29e837755b011770710
SHA256: 0d3de13a7c6651962965e736e1b44d6fb299b53dc7267cdbbd3170d2fa77b07b
SHA512: 1d4ef3750936f99778aab04ad81b774cadcb966f08e73a6be935896e81b9ff45e7b3e519391ce54935dae56654b809e8391a9f03d5721956b5d051256cad6242