Analysis
max time kernel
27s
max time network
146s
platform
windows7_x64
resource
win7-20230220-en
resource tags
arch:x64 arch:x86 image:win7-20230220-en locale:en-us os:windows7-x64 system
submitted
26/02/2023, 01:07
Static task
static1
Behavioral task
behavioral1
Sample
da029a807d20d6ab41299ae370424cc78fab56d7ee97d11f1156f4e99e54c87a.exe
Resource
win7-20230220-en
Behavioral task
behavioral2
Sample
da029a807d20d6ab41299ae370424cc78fab56d7ee97d11f1156f4e99e54c87a.exe
Resource
win10v2004-20230220-en
General
Target
da029a807d20d6ab41299ae370424cc78fab56d7ee97d11f1156f4e99e54c87a.exe
Size
202KB
MD5
28c462381899d5a4f67656944b6025f9
SHA1
97daf057dd9f1d1c7d3ef9ed222b46fbda7a52cb
SHA256
da029a807d20d6ab41299ae370424cc78fab56d7ee97d11f1156f4e99e54c87a
SHA512
d6b86feddbc0af9ff7db8d9e4ec718950d38f60a0d96595ef71c386855607db98ca26eee566205a662d07ae0cb6874bd81eccf45f6352eaa9e613a58b9d64283
SSDEEP
3072:WfY/TU9fE9PEtuXbgm7CYP740EF4piZjIIuGzDxreu1hDR+xQ/WW:AYa6hxGKQe6C4hF+xWWW
Malware Config
Extracted
warzonerat
blackroots7.duckdns.org:1104
Signatures

WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.

Warzone RAT payload 4 IoCs
resource | yara_rule
behavioral1/memory/1000-66-0x0000000000400000-0x000000000041D000-memory.dmp | warzonerat
behavioral1/memory/1000-70-0x0000000000400000-0x000000000041D000-memory.dmp | warzonerat
behavioral1/memory/1000-71-0x0000000000400000-0x000000000041D000-memory.dmp | warzonerat
behavioral1/memory/1000-72-0x0000000000400000-0x000000000041D000-memory.dmp | warzonerat

Executes dropped EXE 2 IoCs
pid | Process
2028 | avxyq.exe
1000 | avxyq.exe

Loads dropped DLL 2 IoCs
pid | Process
2040 | da029a807d20d6ab41299ae370424cc78fab56d7ee97d11f1156f4e99e54c87a.exe
2028 | avxyq.exe

Adds Run key to start application 2 TTPs 1 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Windows\CurrentVersion\Run\iqmvfbk = "C:\\Users\\Admin\\AppData\\Roaming\\vfoktpyiemvrb\\wgplueajfoxtdm.exe \"C:\\Users\\Admin\\AppData\\Local\\Temp\\avxyq.exe\" C:\\Users\\Admin\\AppDa" | avxyq.exe

Suspicious use of SetThreadContext 1 IoCs
description | pid | Process | procid_target
PID 2028 set thread context of 1000 | 2028 | avxyq.exe | 28

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Suspicious behavior: MapViewOfSection 1 IoCs
pid | Process
2028 | avxyq.exe

Suspicious use of SetWindowsHookEx 1 IoCs
pid | Process
1000 | avxyq.exe

Suspicious use of WriteProcessMemory 9 IoCs
description | pid | Process | procid_target
PID 2040 wrote to memory of 2028 | 2040 | da029a807d20d6ab41299ae370424cc78fab56d7ee97d11f1156f4e99e54c87a.exe | 26
PID 2040 wrote to memory of 2028 | 2040 | da029a807d20d6ab41299ae370424cc78fab56d7ee97d11f1156f4e99e54c87a.exe | 26
PID 2040 wrote to memory of 2028 | 2040 | da029a807d20d6ab41299ae370424cc78fab56d7ee97d11f1156f4e99e54c87a.exe | 26
PID 2040 wrote to memory of 2028 | 2040 | da029a807d20d6ab41299ae370424cc78fab56d7ee97d11f1156f4e99e54c87a.exe | 26
PID 2028 wrote to memory of 1000 | 2028 | avxyq.exe | 28
PID 2028 wrote to memory of 1000 | 2028 | avxyq.exe | 28
PID 2028 wrote to memory of 1000 | 2028 | avxyq.exe | 28
PID 2028 wrote to memory of 1000 | 2028 | avxyq.exe | 28
PID 2028 wrote to memory of 1000 | 2028 | avxyq.exe | 28
Processes

Depth 1
Path: C:\Users\Admin\AppData\Local\Temp\da029a807d20d6ab41299ae370424cc78fab56d7ee97d11f1156f4e99e54c87a.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\da029a807d20d6ab41299ae370424cc78fab56d7ee97d11f1156f4e99e54c87a.exe"
PID: 2040
- Loads dropped DLL
- Suspicious use of WriteProcessMemory

    Depth 2 (child of PID 2040)
    Path: C:\Users\Admin\AppData\Local\Temp\avxyq.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\avxyq.exe" C:\Users\Admin\AppData\Local\Temp\efkmzemi.oij
    PID: 2028
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Suspicious use of SetThreadContext
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory

        Depth 3 (child of PID 2028)
        Path: C:\Users\Admin\AppData\Local\Temp\avxyq.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\avxyq.exe"
        PID: 1000
        - Executes dropped EXE
        - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v6
Downloads

Filesize
60KB
MD5
156ed6700ef54cfa83a1a220e842a328
SHA1
3cebd8e30387e6fbcd235dfd5f38240e660a2fc7
SHA256
d331afaea61b2e228760e493dc3849c1161a782d1dae1a7098262c0983bf6f11
SHA512
c5ee0c10641837707b5b0d034e7fa50891ca45968a7e360e7970e9ab4ff2f66132c75a2a72db8d50511b1ef9366bc5deeae73f9ce744ca583eaf445d69b6608b
Filesize
7KB
MD5
6bd6d3f8e44429f2be3e2d45bb17f2f2
SHA1
76e8137a69cb6b15ff0194d67e1fb91aa0e9aed0
SHA256
74538cb526634df66399cba1d4fddc07427059fd81842160ee52aee8b33feff8
SHA512
f142917a41e9d5de39e6818c660c569a9e3b3db96d22c5af2e273a2d5045976593c805d7266a8d4545eb013461c24159b7f70aa3cf405cb1c8cde44a3e26ae0e

Filesize
118KB
MD5
bbaa20f28881493009df30cd773b0cc5
SHA1
ac779c0fd7e238a79720d29e837755b011770710
SHA256
0d3de13a7c6651962965e736e1b44d6fb299b53dc7267cdbbd3170d2fa77b07b
SHA512
1d4ef3750936f99778aab04ad81b774cadcb966f08e73a6be935896e81b9ff45e7b3e519391ce54935dae56654b809e8391a9f03d5721956b5d051256cad6242