Analysis
- max time kernel: 291s
- max time network: 293s
- platform: windows10-2004_x64
- resource: win10v2004-20230220-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 24/02/2023, 15:03

Static task: static1

Behavioral task: behavioral1
  Sample: New order No 09052622.exe
  Resource: win7-20230220-en

Behavioral task: behavioral2
  Sample: New order No 09052622.exe
  Resource: win10v2004-20230220-en
General
- Target: New order No 09052622.exe
- Size: 207KB
- MD5: 29d35b6cc964c0fb669083ce180d4210
- SHA1: 18206e7f0677a8b4a15a20db2e6baa0f1bc4e8ee
- SHA256: 36cb5ed800f2c0206233ec5d4d797545da3ab91290c1291347ccae0ca768c369
- SHA512: c2afe012d397a081e3f790191c79bf4966f28d9882daa51de37e8708e8d4722bfcd2d63bc7346d9960fb753f34c1a229d0ab82e6005af2b5fc12b0e3838d1757
- SSDEEP: 6144:TYa6Re3BwxZeMmyF5Mi73wC6ZFmtZZvvE:TYDyBwtMi7vJtXE
Malware Config
Extracted
warzonerat
telenaxty.ddns.net:7706
Signatures

- WarzoneRat, AveMaria
  WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.

- Warzone RAT payload (4 IoCs)
  resource | yara_rule
  behavioral2/memory/4428-142-0x0000000000400000-0x0000000000554000-memory.dmp | warzonerat
  behavioral2/memory/4428-146-0x0000000000400000-0x0000000000554000-memory.dmp | warzonerat
  behavioral2/memory/4428-147-0x0000000000400000-0x0000000000554000-memory.dmp | warzonerat
  behavioral2/memory/4428-151-0x0000000000400000-0x0000000000554000-memory.dmp | warzonerat

- Executes dropped EXE (3 IoCs)
  pid | Process
  4424 | jwnpsq.exe
  4428 | jwnpsq.exe
  3792 | images.exe

- Adds Run key to start application (2 TTPs, 2 IoCs)
  description | ioc | Process
  Set value (str) | \REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\oxxhddmvqq = "C:\\Users\\Admin\\AppData\\Roaming\\bkkg\\pyyueenjss.exe \"C:\\Users\\Admin\\AppData\\Local\\Temp\\jwnpsq.exe\" C:\\Users\\Admin\\AppData\\Local\\Tem" | jwnpsq.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Images = "C:\\ProgramData\\images.exe" | jwnpsq.exe

- Suspicious use of SetThreadContext (1 IoCs)
  description | pid | Process | procid_target
  PID 4424 set thread context of 4428 | 4424 | jwnpsq.exe | 87

- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

- Program crash (1 IoCs)
  pid | pid_target | Process | procid_target
  4120 | 3792 | WerFault.exe | 88

- Suspicious behavior: MapViewOfSection (1 IoCs)
  pid | Process
  4424 | jwnpsq.exe

- Suspicious use of WriteProcessMemory (10 IoCs)
  description | pid | Process | procid_target
  PID 4104 wrote to memory of 4424 | 4104 | New order No 09052622.exe | 85
  PID 4104 wrote to memory of 4424 | 4104 | New order No 09052622.exe | 85
  PID 4104 wrote to memory of 4424 | 4104 | New order No 09052622.exe | 85
  PID 4424 wrote to memory of 4428 | 4424 | jwnpsq.exe | 87
  PID 4424 wrote to memory of 4428 | 4424 | jwnpsq.exe | 87
  PID 4424 wrote to memory of 4428 | 4424 | jwnpsq.exe | 87
  PID 4424 wrote to memory of 4428 | 4424 | jwnpsq.exe | 87
  PID 4428 wrote to memory of 3792 | 4428 | jwnpsq.exe | 88
  PID 4428 wrote to memory of 3792 | 4428 | jwnpsq.exe | 88
  PID 4428 wrote to memory of 3792 | 4428 | jwnpsq.exe | 88
Processes

C:\Users\Admin\AppData\Local\Temp\New order No 09052622.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\New order No 09052622.exe"
  PID: 4104
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\jwnpsq.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\jwnpsq.exe" C:\Users\Admin\AppData\Local\Temp\vrsklc.xz
    PID: 4424
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of SetThreadContext
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\jwnpsq.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\jwnpsq.exe"
      PID: 4428
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious use of WriteProcessMemory

      C:\ProgramData\images.exe
        Command line: "C:\ProgramData\images.exe"
        PID: 3792
        - Executes dropped EXE

        C:\Windows\SysWOW64\WerFault.exe
          Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3792 -s 516
          PID: 4120
          - Program crash

C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 3792 -ip 3792
  PID: 2212
Network
MITRE ATT&CK Enterprise v6
Downloads

- Filesize: 91KB
  MD5: d59554cdd4233718e886bf002a0cef7e
  SHA1: 9bbc2034af89d1f506c571778801bc14144c61ba
  SHA256: 2350ae73c003cbd494242d2cf66b5e750107666fbcb3d61f8cfaf57e4abafb71
  SHA512: 0f9eaeeb790c5644fbb69db30998e387d1f99af7c57f558dc912e853eaae4f840ccdb582e6862f2d5e687022e7ba7a5be2849b58212ecb767d1f779a76ad67ce

- Filesize: 91KB
  MD5: d59554cdd4233718e886bf002a0cef7e
  SHA1: 9bbc2034af89d1f506c571778801bc14144c61ba
  SHA256: 2350ae73c003cbd494242d2cf66b5e750107666fbcb3d61f8cfaf57e4abafb71
  SHA512: 0f9eaeeb790c5644fbb69db30998e387d1f99af7c57f558dc912e853eaae4f840ccdb582e6862f2d5e687022e7ba7a5be2849b58212ecb767d1f779a76ad67ce

- Filesize: 91KB
  MD5: d59554cdd4233718e886bf002a0cef7e
  SHA1: 9bbc2034af89d1f506c571778801bc14144c61ba
  SHA256: 2350ae73c003cbd494242d2cf66b5e750107666fbcb3d61f8cfaf57e4abafb71
  SHA512: 0f9eaeeb790c5644fbb69db30998e387d1f99af7c57f558dc912e853eaae4f840ccdb582e6862f2d5e687022e7ba7a5be2849b58212ecb767d1f779a76ad67ce

- Filesize: 133KB
  MD5: 2d79043ccde13c76615fef3dbf9f5577
  SHA1: 6b49c16ee46dc298363d68d05112e88b043ce93b
  SHA256: 549e8a7b2bd362b55af4e914367ed444fd327a36f6cf7a42ce1e42f066565681
  SHA512: b5756da5331bb08daaa49c87ef4778f0de33e3124b87d0563d156d2f6f2184aa5cb2de3761ce708b285614cd0a2d961a48e275f1e71af335211400ba18725532

- Filesize: 91KB
  MD5: d59554cdd4233718e886bf002a0cef7e
  SHA1: 9bbc2034af89d1f506c571778801bc14144c61ba
  SHA256: 2350ae73c003cbd494242d2cf66b5e750107666fbcb3d61f8cfaf57e4abafb71
  SHA512: 0f9eaeeb790c5644fbb69db30998e387d1f99af7c57f558dc912e853eaae4f840ccdb582e6862f2d5e687022e7ba7a5be2849b58212ecb767d1f779a76ad67ce

- Filesize: 91KB
  MD5: d59554cdd4233718e886bf002a0cef7e
  SHA1: 9bbc2034af89d1f506c571778801bc14144c61ba
  SHA256: 2350ae73c003cbd494242d2cf66b5e750107666fbcb3d61f8cfaf57e4abafb71
  SHA512: 0f9eaeeb790c5644fbb69db30998e387d1f99af7c57f558dc912e853eaae4f840ccdb582e6862f2d5e687022e7ba7a5be2849b58212ecb767d1f779a76ad67ce

- Filesize: 91KB
  MD5: d59554cdd4233718e886bf002a0cef7e
  SHA1: 9bbc2034af89d1f506c571778801bc14144c61ba
  SHA256: 2350ae73c003cbd494242d2cf66b5e750107666fbcb3d61f8cfaf57e4abafb71
  SHA512: 0f9eaeeb790c5644fbb69db30998e387d1f99af7c57f558dc912e853eaae4f840ccdb582e6862f2d5e687022e7ba7a5be2849b58212ecb767d1f779a76ad67ce

- Filesize: 7KB
  MD5: 7e2edc697812c644fdc4746a640ae897
  SHA1: 5489052b98e2b6e1dd9324197779917476530447
  SHA256: 910d185175a46657ac9c59ae8b9078e1ff161d690c6c5005320a7ca7fd89144a
  SHA512: 36f2ea469a7ab3fe0740c4ba329ee2570e3a28f954fddc3d273e1b3253471cabcb5418a356ff82361915792aea17a73aeca6736e9873b1a56d2c09cff04779bd