Analysis
max time kernel: 149s
max time network: 153s
platform: windows10-2004_x64
resource: win10v2004-20230220-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
submitted: 26/02/2023, 07:16
Static task: static1
Behavioral task: behavioral1
  Sample: tmp.exe
  Resource: win7-20230220-en
Behavioral task: behavioral2
  Sample: tmp.exe
  Resource: win10v2004-20230220-en
General
Target: tmp.exe
Size: 141KB
MD5: b60297a15ff87e458a22b442fcbb4c6c
SHA1: 5ca5e00692512d7c9af60a7251dc11cea0f2c613
SHA256: b2b023679cca197b057144f1f73956271374f1c721f13ec334bec6c694e84816
SHA512: 6e37e3c6630cd04dcfcd42fed5d49cdb0221b86dbcfb83551de500a91d233545439eca2f9b419fe95ea693ce15e7a729c0f5d0021c20b6a435b8356d36594ded
SSDEEP: 3072:RARHROub6IiZktM+t4B6IZeAzaZyJ6QYzHHxgGT0Iw:RkxbQktMo4BRiyjYz6GTrw
Malware Config

Signatures

WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.

Executes dropped EXE (1 IoCs)
pid   Process
1868  images.exe

Adds Run key to start application (2 TTPs, 1 IoCs)
description      ioc                                                                                                                          Process
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Images = "C:\\Users\\Admin\\Documents\\images.exe"  tmp.exe

Suspicious use of WriteProcessMemory (3 IoCs)
description                       pid   Process  procid_target
PID 4272 wrote to memory of 1868  4272  tmp.exe  84
PID 4272 wrote to memory of 1868  4272  tmp.exe  84
PID 4272 wrote to memory of 1868  4272  tmp.exe  84
Processes
Network
MITRE ATT&CK Enterprise v6
Downloads
Filesize: 141KB
MD5: b60297a15ff87e458a22b442fcbb4c6c
SHA1: 5ca5e00692512d7c9af60a7251dc11cea0f2c613
SHA256: b2b023679cca197b057144f1f73956271374f1c721f13ec334bec6c694e84816
SHA512: 6e37e3c6630cd04dcfcd42fed5d49cdb0221b86dbcfb83551de500a91d233545439eca2f9b419fe95ea693ce15e7a729c0f5d0021c20b6a435b8356d36594ded