Analysis Overview
SHA256
0dc43c6b572e28d5744fcf9620589793255a2084069dc447c6c7904bb6f7a005
Threat Level: Known bad
The file New order No 09052622.zip was found to be: Known bad.
Malicious Activity Summary
WarzoneRat, AveMaria
Warzone RAT payload
Loads dropped DLL
Executes dropped EXE
Adds Run key to start application
Suspicious use of SetThreadContext
Enumerates physical storage devices
Program crash
Suspicious behavior: MapViewOfSection
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2023-02-24 15:03
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2023-02-24 15:03
Reported
2023-02-24 15:08
Platform
win7-20230220-en
Max time kernel
228s
Max time network
33s
Command Line
Signatures
WarzoneRat, AveMaria
Warzone RAT payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\jwnpsq.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\jwnpsq.exe | N/A |
| N/A | N/A | C:\ProgramData\images.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\New order No 09052622.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\jwnpsq.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\jwnpsq.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Windows\CurrentVersion\Run\oxxhddmvqq = "C:\\Users\\Admin\\AppData\\Roaming\\bkkg\\pyyueenjss.exe \"C:\\Users\\Admin\\AppData\\Local\\Temp\\jwnpsq.exe\" C:\\Users\\Admin\\AppData\\Local\\Tem" | C:\Users\Admin\AppData\Local\Temp\jwnpsq.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Images = "C:\\ProgramData\\images.exe" | C:\Users\Admin\AppData\Local\Temp\jwnpsq.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1764 set thread context of 1072 | N/A | C:\Users\Admin\AppData\Local\Temp\jwnpsq.exe | C:\Users\Admin\AppData\Local\Temp\jwnpsq.exe |
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\ProgramData\images.exe |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\jwnpsq.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\New order No 09052622.exe
"C:\Users\Admin\AppData\Local\Temp\New order No 09052622.exe"
C:\Users\Admin\AppData\Local\Temp\jwnpsq.exe
"C:\Users\Admin\AppData\Local\Temp\jwnpsq.exe" C:\Users\Admin\AppData\Local\Temp\vrsklc.xz
C:\Users\Admin\AppData\Local\Temp\jwnpsq.exe
"C:\Users\Admin\AppData\Local\Temp\jwnpsq.exe"
C:\ProgramData\images.exe
"C:\ProgramData\images.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1620 -s 196
Network
Files
\Users\Admin\AppData\Local\Temp\jwnpsq.exe
| MD5 | d59554cdd4233718e886bf002a0cef7e |
| SHA1 | 9bbc2034af89d1f506c571778801bc14144c61ba |
| SHA256 | 2350ae73c003cbd494242d2cf66b5e750107666fbcb3d61f8cfaf57e4abafb71 |
| SHA512 | 0f9eaeeb790c5644fbb69db30998e387d1f99af7c57f558dc912e853eaae4f840ccdb582e6862f2d5e687022e7ba7a5be2849b58212ecb767d1f779a76ad67ce |
C:\Users\Admin\AppData\Local\Temp\vrsklc.xz
| MD5 | 7e2edc697812c644fdc4746a640ae897 |
| SHA1 | 5489052b98e2b6e1dd9324197779917476530447 |
| SHA256 | 910d185175a46657ac9c59ae8b9078e1ff161d690c6c5005320a7ca7fd89144a |
| SHA512 | 36f2ea469a7ab3fe0740c4ba329ee2570e3a28f954fddc3d273e1b3253471cabcb5418a356ff82361915792aea17a73aeca6736e9873b1a56d2c09cff04779bd |
C:\Users\Admin\AppData\Local\Temp\jsajvgqriul.w
| MD5 | 2d79043ccde13c76615fef3dbf9f5577 |
| SHA1 | 6b49c16ee46dc298363d68d05112e88b043ce93b |
| SHA256 | 549e8a7b2bd362b55af4e914367ed444fd327a36f6cf7a42ce1e42f066565681 |
| SHA512 | b5756da5331bb08daaa49c87ef4778f0de33e3124b87d0563d156d2f6f2184aa5cb2de3761ce708b285614cd0a2d961a48e275f1e71af335211400ba18725532 |
memory/1072-66-0x0000000000400000-0x0000000000554000-memory.dmp
memory/1072-70-0x0000000000400000-0x0000000000554000-memory.dmp
memory/1072-71-0x0000000000400000-0x0000000000554000-memory.dmp
C:\ProgramData\images.exe
| MD5 | d59554cdd4233718e886bf002a0cef7e |
| SHA1 | 9bbc2034af89d1f506c571778801bc14144c61ba |
| SHA256 | 2350ae73c003cbd494242d2cf66b5e750107666fbcb3d61f8cfaf57e4abafb71 |
| SHA512 | 0f9eaeeb790c5644fbb69db30998e387d1f99af7c57f558dc912e853eaae4f840ccdb582e6862f2d5e687022e7ba7a5be2849b58212ecb767d1f779a76ad67ce |
memory/1072-77-0x0000000000400000-0x0000000000554000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2023-02-24 15:03
Reported
2023-02-24 15:08
Platform
win10v2004-20230220-en
Max time kernel
291s
Max time network
293s
Command Line
Signatures
WarzoneRat, AveMaria
Warzone RAT payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\jwnpsq.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\jwnpsq.exe | N/A |
| N/A | N/A | C:\ProgramData\images.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\oxxhddmvqq = "C:\\Users\\Admin\\AppData\\Roaming\\bkkg\\pyyueenjss.exe \"C:\\Users\\Admin\\AppData\\Local\\Temp\\jwnpsq.exe\" C:\\Users\\Admin\\AppData\\Local\\Tem" | C:\Users\Admin\AppData\Local\Temp\jwnpsq.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Images = "C:\\ProgramData\\images.exe" | C:\Users\Admin\AppData\Local\Temp\jwnpsq.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 4424 set thread context of 4428 | N/A | C:\Users\Admin\AppData\Local\Temp\jwnpsq.exe | C:\Users\Admin\AppData\Local\Temp\jwnpsq.exe |
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\ProgramData\images.exe |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\jwnpsq.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\New order No 09052622.exe
"C:\Users\Admin\AppData\Local\Temp\New order No 09052622.exe"
C:\Users\Admin\AppData\Local\Temp\jwnpsq.exe
"C:\Users\Admin\AppData\Local\Temp\jwnpsq.exe" C:\Users\Admin\AppData\Local\Temp\vrsklc.xz
C:\Users\Admin\AppData\Local\Temp\jwnpsq.exe
"C:\Users\Admin\AppData\Local\Temp\jwnpsq.exe"
C:\ProgramData\images.exe
"C:\ProgramData\images.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 3792 -ip 3792
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3792 -s 516
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 164.2.77.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.232.229.192.in-addr.arpa | udp |
| US | 20.189.173.5:443 | | tcp |
| US | 8.8.8.8:53 | 45.8.109.52.in-addr.arpa | udp |
| NL | 8.238.177.126:80 | | tcp |
| US | 8.8.8.8:53 | 155.25.221.88.in-addr.arpa | udp |
| NL | 8.238.177.126:80 | | tcp |
| NL | 173.223.113.164:443 | | tcp |
| NL | 173.223.113.131:80 | | tcp |
| US | 131.253.33.203:80 | | tcp |
| US | 8.8.8.8:53 | 192.98.74.40.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\jwnpsq.exe
| MD5 | d59554cdd4233718e886bf002a0cef7e |
| SHA1 | 9bbc2034af89d1f506c571778801bc14144c61ba |
| SHA256 | 2350ae73c003cbd494242d2cf66b5e750107666fbcb3d61f8cfaf57e4abafb71 |
| SHA512 | 0f9eaeeb790c5644fbb69db30998e387d1f99af7c57f558dc912e853eaae4f840ccdb582e6862f2d5e687022e7ba7a5be2849b58212ecb767d1f779a76ad67ce |
C:\Users\Admin\AppData\Local\Temp\vrsklc.xz
| MD5 | 7e2edc697812c644fdc4746a640ae897 |
| SHA1 | 5489052b98e2b6e1dd9324197779917476530447 |
| SHA256 | 910d185175a46657ac9c59ae8b9078e1ff161d690c6c5005320a7ca7fd89144a |
| SHA512 | 36f2ea469a7ab3fe0740c4ba329ee2570e3a28f954fddc3d273e1b3253471cabcb5418a356ff82361915792aea17a73aeca6736e9873b1a56d2c09cff04779bd |
C:\Users\Admin\AppData\Local\Temp\jsajvgqriul.w
| MD5 | 2d79043ccde13c76615fef3dbf9f5577 |
| SHA1 | 6b49c16ee46dc298363d68d05112e88b043ce93b |
| SHA256 | 549e8a7b2bd362b55af4e914367ed444fd327a36f6cf7a42ce1e42f066565681 |
| SHA512 | b5756da5331bb08daaa49c87ef4778f0de33e3124b87d0563d156d2f6f2184aa5cb2de3761ce708b285614cd0a2d961a48e275f1e71af335211400ba18725532 |
memory/4428-142-0x0000000000400000-0x0000000000554000-memory.dmp
memory/4428-146-0x0000000000400000-0x0000000000554000-memory.dmp
memory/4428-147-0x0000000000400000-0x0000000000554000-memory.dmp
C:\ProgramData\images.exe
| MD5 | d59554cdd4233718e886bf002a0cef7e |
| SHA1 | 9bbc2034af89d1f506c571778801bc14144c61ba |
| SHA256 | 2350ae73c003cbd494242d2cf66b5e750107666fbcb3d61f8cfaf57e4abafb71 |
| SHA512 | 0f9eaeeb790c5644fbb69db30998e387d1f99af7c57f558dc912e853eaae4f840ccdb582e6862f2d5e687022e7ba7a5be2849b58212ecb767d1f779a76ad67ce |
memory/4428-151-0x0000000000400000-0x0000000000554000-memory.dmp