Analysis
max time kernel: 228s
max time network: 33s
platform: windows7_x64
resource: win7-20230220-en
resource tags: arch:x64, arch:x86, image:win7-20230220-en, locale:en-us, os:windows7-x64, system
submitted: 24/02/2023, 15:03
Static task: static1
Behavioral task: behavioral1
  Sample: New order No 09052622.exe
  Resource: win7-20230220-en
Behavioral task: behavioral2
  Sample: New order No 09052622.exe
  Resource: win10v2004-20230220-en
General
Target: New order No 09052622.exe
Size: 207KB
MD5: 29d35b6cc964c0fb669083ce180d4210
SHA1: 18206e7f0677a8b4a15a20db2e6baa0f1bc4e8ee
SHA256: 36cb5ed800f2c0206233ec5d4d797545da3ab91290c1291347ccae0ca768c369
SHA512: c2afe012d397a081e3f790191c79bf4966f28d9882daa51de37e8708e8d4722bfcd2d63bc7346d9960fb753f34c1a229d0ab82e6005af2b5fc12b0e3838d1757
SSDEEP: 6144:TYa6Re3BwxZeMmyF5Mi73wC6ZFmtZZvvE:TYDyBwtMi7vJtXE
Malware Config
Extracted
  Family: warzonerat
  telenaxty.ddns.net:7706
Signatures

WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.

Warzone RAT payload (4 IoCs)
resource | yara_rule
behavioral1/memory/1072-66-0x0000000000400000-0x0000000000554000-memory.dmp | warzonerat
behavioral1/memory/1072-70-0x0000000000400000-0x0000000000554000-memory.dmp | warzonerat
behavioral1/memory/1072-71-0x0000000000400000-0x0000000000554000-memory.dmp | warzonerat
behavioral1/memory/1072-77-0x0000000000400000-0x0000000000554000-memory.dmp | warzonerat

Executes dropped EXE (3 IoCs)
pid | Process
1764 | jwnpsq.exe
1072 | jwnpsq.exe
1620 | images.exe

Loads dropped DLL (7 IoCs)
pid | Process
2040 | New order No 09052622.exe
1764 | jwnpsq.exe
1072 | jwnpsq.exe
1656 | WerFault.exe
1656 | WerFault.exe
1656 | WerFault.exe
1656 | WerFault.exe

Adds Run key to start application (2 TTPs, 2 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Windows\CurrentVersion\Run\oxxhddmvqq = "C:\\Users\\Admin\\AppData\\Roaming\\bkkg\\pyyueenjss.exe \"C:\\Users\\Admin\\AppData\\Local\\Temp\\jwnpsq.exe\" C:\\Users\\Admin\\AppData\\Local\\Tem" | jwnpsq.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Images = "C:\\ProgramData\\images.exe" | jwnpsq.exe

Suspicious use of SetThreadContext (1 IoC)
description | pid | Process | procid_target
PID 1764 set thread context of 1072 | 1764 | jwnpsq.exe | 30

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Program crash (1 IoC)
pid | pid_target | Process | procid_target
1656 | 1620 | WerFault.exe | 31

Suspicious behavior: MapViewOfSection (1 IoC)
pid | Process
1764 | jwnpsq.exe

Suspicious use of WriteProcessMemory (17 IoCs)
description | pid | Process | procid_target
PID 2040 wrote to memory of 1764 | 2040 | New order No 09052622.exe | 28
PID 2040 wrote to memory of 1764 | 2040 | New order No 09052622.exe | 28
PID 2040 wrote to memory of 1764 | 2040 | New order No 09052622.exe | 28
PID 2040 wrote to memory of 1764 | 2040 | New order No 09052622.exe | 28
PID 1764 wrote to memory of 1072 | 1764 | jwnpsq.exe | 30
PID 1764 wrote to memory of 1072 | 1764 | jwnpsq.exe | 30
PID 1764 wrote to memory of 1072 | 1764 | jwnpsq.exe | 30
PID 1764 wrote to memory of 1072 | 1764 | jwnpsq.exe | 30
PID 1764 wrote to memory of 1072 | 1764 | jwnpsq.exe | 30
PID 1072 wrote to memory of 1620 | 1072 | jwnpsq.exe | 31
PID 1072 wrote to memory of 1620 | 1072 | jwnpsq.exe | 31
PID 1072 wrote to memory of 1620 | 1072 | jwnpsq.exe | 31
PID 1072 wrote to memory of 1620 | 1072 | jwnpsq.exe | 31
PID 1620 wrote to memory of 1656 | 1620 | images.exe | 33
PID 1620 wrote to memory of 1656 | 1620 | images.exe | 33
PID 1620 wrote to memory of 1656 | 1620 | images.exe | 33
PID 1620 wrote to memory of 1656 | 1620 | images.exe | 33
Processes

1. C:\Users\Admin\AppData\Local\Temp\New order No 09052622.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\New order No 09052622.exe"
   PID: 2040
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\AppData\Local\Temp\jwnpsq.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\jwnpsq.exe" C:\Users\Admin\AppData\Local\Temp\vrsklc.xz
      PID: 1764
      - Executes dropped EXE
      - Loads dropped DLL
      - Adds Run key to start application
      - Suspicious use of SetThreadContext
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of WriteProcessMemory

      3. C:\Users\Admin\AppData\Local\Temp\jwnpsq.exe
         Command line: "C:\Users\Admin\AppData\Local\Temp\jwnpsq.exe"
         PID: 1072
         - Executes dropped EXE
         - Loads dropped DLL
         - Adds Run key to start application
         - Suspicious use of WriteProcessMemory

         4. C:\ProgramData\images.exe
            Command line: "C:\ProgramData\images.exe"
            PID: 1620
            - Executes dropped EXE
            - Suspicious use of WriteProcessMemory

            5. C:\Windows\SysWOW64\WerFault.exe
               Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1620 -s 196
               PID: 1656
               - Loads dropped DLL
               - Program crash
Network
MITRE ATT&CK Enterprise v6
Downloads