Analysis
- max time kernel: 143s
- max time network: 149s
- platform: windows7_x64
- resource: win7-20230220-en
- resource tags: arch:x64, arch:x86, image:win7-20230220-en, locale:en-us, os:windows7-x64, system
- submitted: 26/02/2023, 07:16
Static task: static1
Behavioral task: behavioral1
- Sample: tmp.exe
- Resource: win7-20230220-en
Behavioral task: behavioral2
- Sample: tmp.exe
- Resource: win10v2004-20230220-en
General
- Target: tmp.exe
- Size: 141KB
- MD5: b60297a15ff87e458a22b442fcbb4c6c
- SHA1: 5ca5e00692512d7c9af60a7251dc11cea0f2c613
- SHA256: b2b023679cca197b057144f1f73956271374f1c721f13ec334bec6c694e84816
- SHA512: 6e37e3c6630cd04dcfcd42fed5d49cdb0221b86dbcfb83551de500a91d233545439eca2f9b419fe95ea693ce15e7a729c0f5d0021c20b6a435b8356d36594ded
- SSDEEP: 3072:RARHROub6IiZktM+t4B6IZeAzaZyJ6QYzHHxgGT0Iw:RkxbQktMo4BRiyjYz6GTrw
Malware Config
Signatures
- WarzoneRat, AveMaria
  WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
- Executes dropped EXE (1 IoC)
  pid 2020, process images.exe
- Loads dropped DLL (2 IoCs)
  pid 1808, process tmp.exe
  pid 1808, process tmp.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Images = "C:\\Users\\Admin\\Documents\\images.exe" (process: tmp.exe)
- Suspicious use of WriteProcessMemory (4 IoCs)
  PID 1808 (tmp.exe) wrote to memory of 2020, procid_target 28
  PID 1808 (tmp.exe) wrote to memory of 2020, procid_target 28
  PID 1808 (tmp.exe) wrote to memory of 2020, procid_target 28
  PID 1808 (tmp.exe) wrote to memory of 2020, procid_target 28
Processes
- C:\Users\Admin\AppData\Local\Temp\tmp.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\tmp.exe"
  PID: 1808
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  - child: C:\Users\Admin\Documents\images.exe
    command line: "C:\Users\Admin\Documents\images.exe"
    PID: 2020
    - Executes dropped EXE
Network
MITRE ATT&CK Enterprise v6
Downloads
- Filesize: 141KB
  MD5: b60297a15ff87e458a22b442fcbb4c6c
  SHA1: 5ca5e00692512d7c9af60a7251dc11cea0f2c613
  SHA256: b2b023679cca197b057144f1f73956271374f1c721f13ec334bec6c694e84816
  SHA512: 6e37e3c6630cd04dcfcd42fed5d49cdb0221b86dbcfb83551de500a91d233545439eca2f9b419fe95ea693ce15e7a729c0f5d0021c20b6a435b8356d36594ded