Analysis
- Max time kernel: 141s
- Max time network: 147s
- Platform: windows7_x64
- Resource: win7-20230220-en
- Resource tags: arch:x64, arch:x86, image:win7-20230220-en, locale:en-us, os:windows7-x64, system
- Submitted: 21-03-2023 13:26
Static task: static1
Behavioral task: behavioral1
- Sample: 92e54cb5fb1d4e2c874f09b5c10a617dc00d845970c094e426683d6989c5a182.exe
- Resource: win7-20230220-en
Behavioral task: behavioral2
- Sample: 92e54cb5fb1d4e2c874f09b5c10a617dc00d845970c094e426683d6989c5a182.exe
- Resource: win10v2004-20230220-en
General
- Target: 92e54cb5fb1d4e2c874f09b5c10a617dc00d845970c094e426683d6989c5a182.exe
- Size: 203KB
- MD5: 8c8ee58eacb110d5598f723ecd7e948c
- SHA1: b9be417a07aa65a317001ba2976cdd80fb267174
- SHA256: 92e54cb5fb1d4e2c874f09b5c10a617dc00d845970c094e426683d6989c5a182
- SHA512: d474c65d401f18fc2343fd086ed1581df4adf1edbf087f1a0a72e97e7c4fc17bb804e7739eb27b5715614ea9071078cc385e3351375d9a89228865f3a072a4a7
- SSDEEP: 3072:WfY/TU9fE9PEtuNb246i/iIasUc9dWaYU2WfDRuTDP3KlORQ8TsN543G+RWuWCBg:AYa6724zLasU+6UZfDon/8h8e6WqFY
Malware Config
Extracted family: warzonerat
- omerlan.duckdns.org:6548
Signatures
- WarzoneRat, AveMaria
  WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
- Warzone RAT payload (3 IoCs)
  Resource / YARA rule:
  - behavioral1/memory/1048-70-0x0000000000400000-0x000000000041D000-memory.dmp: warzonerat
  - behavioral1/memory/1048-74-0x0000000000400000-0x000000000041D000-memory.dmp: warzonerat
  - behavioral1/memory/1048-75-0x0000000000400000-0x000000000041D000-memory.dmp: warzonerat
- Executes dropped EXE (2 IoCs)
  Processes (PID / process):
  - 1960 nttjjyrr.exe
  - 1048 nttjjyrr.exe
- Loads dropped DLL (3 IoCs)
  Processes (PID / process):
  - 2000 92e54cb5fb1d4e2c874f09b5c10a617dc00d845970c094e426683d6989c5a182.exe
  - 2000 92e54cb5fb1d4e2c874f09b5c10a617dc00d845970c094e426683d6989c5a182.exe
  - 1960 nttjjyrr.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  Process: nttjjyrr.exe
  Description: Set value (str)
  IoC: \REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Windows\CurrentVersion\Run\oxtdmirbwg = "C:\\Users\\Admin\\AppData\\Roaming\\wgpktdyienwsc\\lhqmvfbkt.exe \"C:\\Users\\Admin\\AppData\\Local\\Temp\\nttjjyrr.exe\" C:\\Users\\Admin\\AppData"
- Suspicious use of SetThreadContext (1 IoC)
  - PID 1960 (nttjjyrr.exe) set thread context of PID 1048 (nttjjyrr.exe)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious behavior: MapViewOfSection (1 IoC)
  Processes (PID / process):
  - 1960 nttjjyrr.exe
- Suspicious use of WriteProcessMemory (9 IoCs)
  - PID 2000 (92e54cb5fb1d4e2c874f09b5c10a617dc00d845970c094e426683d6989c5a182.exe) wrote to memory of PID 1960 (nttjjyrr.exe)
  - PID 2000 (92e54cb5fb1d4e2c874f09b5c10a617dc00d845970c094e426683d6989c5a182.exe) wrote to memory of PID 1960 (nttjjyrr.exe)
  - PID 2000 (92e54cb5fb1d4e2c874f09b5c10a617dc00d845970c094e426683d6989c5a182.exe) wrote to memory of PID 1960 (nttjjyrr.exe)
  - PID 2000 (92e54cb5fb1d4e2c874f09b5c10a617dc00d845970c094e426683d6989c5a182.exe) wrote to memory of PID 1960 (nttjjyrr.exe)
  - PID 1960 (nttjjyrr.exe) wrote to memory of PID 1048 (nttjjyrr.exe)
  - PID 1960 (nttjjyrr.exe) wrote to memory of PID 1048 (nttjjyrr.exe)
  - PID 1960 (nttjjyrr.exe) wrote to memory of PID 1048 (nttjjyrr.exe)
  - PID 1960 (nttjjyrr.exe) wrote to memory of PID 1048 (nttjjyrr.exe)
  - PID 1960 (nttjjyrr.exe) wrote to memory of PID 1048 (nttjjyrr.exe)
Processes
- (depth 1) C:\Users\Admin\AppData\Local\Temp\92e54cb5fb1d4e2c874f09b5c10a617dc00d845970c094e426683d6989c5a182.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\92e54cb5fb1d4e2c874f09b5c10a617dc00d845970c094e426683d6989c5a182.exe"
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  - (depth 2) C:\Users\Admin\AppData\Local\Temp\nttjjyrr.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\nttjjyrr.exe" C:\Users\Admin\AppData\Local\Temp\kdcmehojesw.kx
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Suspicious use of SetThreadContext
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory
    - (depth 3) C:\Users\Admin\AppData\Local\Temp\nttjjyrr.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\nttjjyrr.exe"
      - Executes dropped EXE
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads
- C:\Users\Admin\AppData\Local\Temp\kdcmehojesw.kx
  Filesize: 7KB
  MD5: 3df01ccac0d4f8bedf06f9bbe8d0b1d0
  SHA1: 56dfc98100beefff888f9bd3f6a1b412a4ef0a19
  SHA256: 6e84b4ac8c91dcf78556eec5eb4ca7065135f817adb16ebc31909515d061efc0
  SHA512: 184cf89292435517071bb03ab944ae660beab9189589c5485c508cb994c5171a078bc2a5d8a2245fa48709935850adcd28b1628eeeab60ab17336d8be3d1b4a7
- C:\Users\Admin\AppData\Local\Temp\nttjjyrr.exe
  Filesize: 58KB
  MD5: 805914c8a9239aeb17b432791a3dca07
  SHA1: 314aa922b74b564b02830f9cb80c3e093bfc71f0
  SHA256: afdccf27e41d093f9f0b197d600a8b720ddd0faa6f68161a068f2fce30d12cb4
  SHA512: e10d0f7eef36277c537bf2fb7984f36e32b62dc03be2702b520cfc3b6bfee0c124f3b263560fe8140dd7832c6d993ddc730eedd2366f542dc417d48a46154d87
- C:\Users\Admin\AppData\Local\Temp\vtxkeah.iwn
  Filesize: 118KB
  MD5: 7bdd3e797de8b4d3c96563011d41ae3d
  SHA1: c9786401dbeb13b7d09e05399aedb20cf7b74083
  SHA256: a827f35604a2c8b581bb84668798d9eb26b4bc1d0a959eddc081ede0d094ea5b
  SHA512: b2a8cd0a30df32bde1d2faeeebcdc99067ad5da1880113c3bfe5d7ff2e8396d7124237686779cb19cf71814d52ab08f626dc8be9aa553e3521b0a16a73a4020a
- \Users\Admin\AppData\Local\Temp\nttjjyrr.exe
  Filesize: 58KB
  MD5: 805914c8a9239aeb17b432791a3dca07
  SHA1: 314aa922b74b564b02830f9cb80c3e093bfc71f0
  SHA256: afdccf27e41d093f9f0b197d600a8b720ddd0faa6f68161a068f2fce30d12cb4
  SHA512: e10d0f7eef36277c537bf2fb7984f36e32b62dc03be2702b520cfc3b6bfee0c124f3b263560fe8140dd7832c6d993ddc730eedd2366f542dc417d48a46154d87
- memory/1048-70-0x0000000000400000-0x000000000041D000-memory.dmp
  Filesize: 116KB
- memory/1048-74-0x0000000000400000-0x000000000041D000-memory.dmp
  Filesize: 116KB
- memory/1048-75-0x0000000000400000-0x000000000041D000-memory.dmp
  Filesize: 116KB