Analysis

max time kernel:  139s
max time network: 153s
platform:         windows10-2004_x64
resource:         win10v2004-20230221-en
resource tags:    arch:x64, arch:x86, image:win10v2004-20230221-en, locale:en-us, os:windows10-2004-x64, system
submitted:        21-03-2023 13:26
Static task: static1

Behavioral task: behavioral1
  Sample:   84cc7b5b7b1cd8448cf5529f493a6882016e75c85da54baa30e95fe32452f780.exe
  Resource: win7-20230220-en

Behavioral task: behavioral2
  Sample:   84cc7b5b7b1cd8448cf5529f493a6882016e75c85da54baa30e95fe32452f780.exe
  Resource: win10v2004-20230221-en
General

Target: 84cc7b5b7b1cd8448cf5529f493a6882016e75c85da54baa30e95fe32452f780.exe
Size:   176KB
MD5:    f2e4e0ba9fc3fe9d2229c31c4a5a40d0
SHA1:   835ddaa41c2111632f4564f200dbceb969851f1e
SHA256: 84cc7b5b7b1cd8448cf5529f493a6882016e75c85da54baa30e95fe32452f780
SHA512: 39abfa17838eb52e393041a8f2f1f8e47a88a26fb644ceeb4322d93d3fe82ab016a023b42569a3d58e079f837b606877a42c05e0855f7b2936fe3ab4d28612a5
SSDEEP: 3072:WfY/TU9fE9PEtuRbrDbPTMuOqCw5NQhDd3+4/qxvVHY0MLtTtQS0W1KHdqML:AYa6XrDbP6vw5ipvgvVHY0UTSJ9l
Malware Config

Extracted:
  Family: warzonerat
  omerlan.duckdns.org:6548
Signatures

WarzoneRat, AveMaria
  WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.

Warzone RAT payload (3 IoCs)
  resource                                                         yara_rule
  behavioral2/memory/1744-143-0x0000000000400000-0x000000000041D000-memory.dmp  warzonerat
  behavioral2/memory/1744-146-0x0000000000400000-0x000000000041D000-memory.dmp  warzonerat
  behavioral2/memory/1744-148-0x0000000000400000-0x000000000041D000-memory.dmp  warzonerat

Executes dropped EXE (2 IoCs)
  pid   process
  1140  pcspikx.exe
  1744  pcspikx.exe

Adds Run key to start application (2 TTPs, 1 IoCs)
  description      ioc                                                                                                                   process
  Set value (str)  \REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sowsclhqavf = "C:\\Users\\Admin\\AppData\\Roaming\\vfokscxhdmvrb\\kgplueaj.exe \"C:\\Users\\Admin\\AppData\\Local\\Temp\\pcspikx.exe\" C:\\Users\\Admin\\AppData\\L"  pcspikx.exe

Suspicious use of SetThreadContext (1 IoCs)
  description                           pid   process      target process
  PID 1140 set thread context of 1744   1140  pcspikx.exe  pcspikx.exe

Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Suspicious behavior: MapViewOfSection (1 IoCs)
  pid   process
  1140  pcspikx.exe

Suspicious use of WriteProcessMemory (7 IoCs)
  description                        pid   process                                                                   target process
  PID 4796 wrote to memory of 1140   4796  84cc7b5b7b1cd8448cf5529f493a6882016e75c85da54baa30e95fe32452f780.exe  pcspikx.exe
  PID 4796 wrote to memory of 1140   4796  84cc7b5b7b1cd8448cf5529f493a6882016e75c85da54baa30e95fe32452f780.exe  pcspikx.exe
  PID 4796 wrote to memory of 1140   4796  84cc7b5b7b1cd8448cf5529f493a6882016e75c85da54baa30e95fe32452f780.exe  pcspikx.exe
  PID 1140 wrote to memory of 1744   1140  pcspikx.exe                                                               pcspikx.exe
  PID 1140 wrote to memory of 1744   1140  pcspikx.exe                                                               pcspikx.exe
  PID 1140 wrote to memory of 1744   1140  pcspikx.exe                                                               pcspikx.exe
  PID 1140 wrote to memory of 1744   1140  pcspikx.exe                                                               pcspikx.exe
Processes

1. C:\Users\Admin\AppData\Local\Temp\84cc7b5b7b1cd8448cf5529f493a6882016e75c85da54baa30e95fe32452f780.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\84cc7b5b7b1cd8448cf5529f493a6882016e75c85da54baa30e95fe32452f780.exe"
   - Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\AppData\Local\Temp\pcspikx.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\pcspikx.exe" C:\Users\Admin\AppData\Local\Temp\oiusxmgnt.njd
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious use of SetThreadContext
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of WriteProcessMemory

      3. C:\Users\Admin\AppData\Local\Temp\pcspikx.exe
         Command line: "C:\Users\Admin\AppData\Local\Temp\pcspikx.exe"
         - Executes dropped EXE
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

C:\Users\Admin\AppData\Local\Temp\oiusxmgnt.njd
  Filesize: 8KB
  MD5:      26278b38925678153585aac1eec3e0aa
  SHA1:     7a302d829d850afaefd2ad89b647450f590dcef6
  SHA256:   d1595b7e593d44cb831badbafceceeec19e51917b7388d7ffeac2e5ea40f9745
  SHA512:   20d198ab0d39689d27020cbfea6be0ad892c5dee5011a27a161fd107131a30501d8134f39e6657cb77068c604ef213fa2fbd313a236f9af8a35f6e60c53cfb4a

C:\Users\Admin\AppData\Local\Temp\pcspikx.exe
  Filesize: 5KB
  MD5:      f2ff3f9e75d7598ccf2e5033f27e6cec
  SHA1:     25180713e0c191de163f0279f0b49c6b4d7b9d31
  SHA256:   00f6c3c5970760b8f93b56119286d30b483a2ec5c0011c0716d4811398371594
  SHA512:   5471363503ac2e80da00eac5ced73a9e480209c601d638492c20f9947746d130df87a194526a24f5eef5030fcf46ac3ccaf19d8d2c9dded48cd3028f82c3b23a
C:\Users\Admin\AppData\Local\Temp\rylhmvfqh.s
  Filesize: 118KB
  MD5:      a7504e8404f8dad99b77d99cf5adf7b8
  SHA1:     bb8cf3ccaed5dc577eff22bbc1131183ab0af1fe
  SHA256:   704fcac5f6867f62af282555fd8186c822107fbdbc40db2d60f4f808e8aa55d9
  SHA512:   0cc001ee2f1d70c61403896a2f50510212079abe5be7378af6eb603e3cc51c5ece265a0587641a5741c3aa66071e72dc1cd2b0ab64c91e67aba10db45f23c53a

memory/1744-143-0x0000000000400000-0x000000000041D000-memory.dmp
  Filesize: 116KB

memory/1744-146-0x0000000000400000-0x000000000041D000-memory.dmp
  Filesize: 116KB

memory/1744-148-0x0000000000400000-0x000000000041D000-memory.dmp
  Filesize: 116KB