Analysis
-
max time kernel
130s -
max time network
146s -
platform
windows7_x64 -
resource
win7-20230220-en -
resource tags
arch:x64, arch:x86, image:win7-20230220-en, locale:en-us, os:windows7-x64, system -
submitted
21-03-2023 14:31
Static task
static1
Behavioral task
behavioral1
Sample
5a39f9dbd5c6cee8dce9d113c484d794045d72f3258e1959d34c14e673803260.exe
Resource
win7-20230220-en
Behavioral task
behavioral2
Sample
5a39f9dbd5c6cee8dce9d113c484d794045d72f3258e1959d34c14e673803260.exe
Resource
win10v2004-20230220-en
General
-
Target
5a39f9dbd5c6cee8dce9d113c484d794045d72f3258e1959d34c14e673803260.exe
-
Size
202KB
-
MD5
05ca94d88d462bef2458ec93ed42df23
-
SHA1
bc749bbfef60caac3ae0a3b6324767532c9e43dd
-
SHA256
5a39f9dbd5c6cee8dce9d113c484d794045d72f3258e1959d34c14e673803260
-
SHA512
b88729322928ce573c93cfdee9979bea525902fa71c96c5f43ca2370ca3d841b4708e89b5205a4404dc9af36526e5ca8b719d08c1bfc663358b799e492efa923
-
SSDEEP
3072:2fY/TU9fE9PEtu9brXRHwio/QbIFBo93nmpeBTJ1N+Mmc/8CWbqQZU8hbpUVS:gYa6TrFH3kE92pe9Jx/ZWbqunhKVS
Malware Config
Extracted
warzonerat
macking.duckdns.org:1104
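The extracted endpoint above is the most directly actionable indicator in this report. The script below is an added example, not part of the Triage report or of Warzone RAT: it runs that endpoint over constructed Zeek-style DNS and connection log lines, learns which addresses the hostname resolved to inside the log window, and flags connections to those addresses. Widening the net to every other *.duckdns.org lookup (low severity) is this example's own assumption about free dynamic-DNS abuse, as are the log format and the sample lines.

```python
"""Hunt logs for the C2 that Triage extracted from this sample.

Added example (not part of the Triage report or of Warzone RAT): it takes the
extracted endpoint macking.duckdns.org:1104 and runs it over constructed,
Zeek-style log lines. Flagging every other *.duckdns.org lookup as low-severity
is this example's own assumption about dynamic-DNS abuse, not a report finding.
"""
from collections import defaultdict

C2_HOST = "macking.duckdns.org"    # from the report's Malware Config
C2_PORT = 1104
DDNS_SUFFIXES = (".duckdns.org",)  # assumption: other free DDNS zones can be added here

# Constructed sample log, one event per line:
#   "<epoch> <client_ip> dns <query> <answer_ip>"
#   "<epoch> <client_ip> conn <dst_ip>:<dst_port>"
SAMPLE_LOG = """\
1679409123 10.0.0.15 dns macking.duckdns.org 203.0.113.7
1679409124 10.0.0.15 conn 203.0.113.7:1104
1679409200 10.0.0.22 dns www.example.com 93.184.216.34
1679409201 10.0.0.22 conn 93.184.216.34:443
1679409300 10.0.0.31 dns other-box.duckdns.org 198.51.100.9
1679409301 10.0.0.31 conn 198.51.100.9:443
""".splitlines()


def norm_host(host):
    """Lower-case and drop a trailing dot so FQDN and relative forms compare equal."""
    return host.rstrip(".").lower()


def hunt(lines, c2_host=C2_HOST, c2_port=C2_PORT):
    """Return [(severity, client_ip, detail)] for every line worth an analyst's time."""
    c2_ips = set()
    # Pass 1: learn which addresses the C2 hostname resolved to during the log window,
    # so connections to them are caught even when the DNS answer rotates later.
    for line in lines:
        _, _, kind, *rest = line.split()
        if kind == "dns" and norm_host(rest[0]) == c2_host:
            c2_ips.add(rest[1])
    hits = []
    for line in lines:
        _, client, kind, *rest = line.split()
        if kind == "dns":
            query = norm_host(rest[0])
            if query == c2_host:
                hits.append(("high", client, f"lookup of extracted C2 host {query}"))
            elif query.endswith(DDNS_SUFFIXES):
                hits.append(("low", client, f"dynamic-DNS lookup {query} (same provider as the C2)"))
        elif kind == "conn":
            ip, port = rest[0].rsplit(":", 1)
            if ip in c2_ips:
                severity = "high" if int(port) == c2_port else "medium"
                hits.append((severity, client, f"connection to C2-resolved {ip}:{port}"))
    return hits


def clients_by_severity(hits):
    """Group the flagged client addresses by severity for a quick scoping view."""
    grouped = defaultdict(set)
    for severity, client, _ in hits:
        grouped[severity].add(client)
    return dict(grouped)


if __name__ == "__main__":
    for hit in hunt(SAMPLE_LOG):
        print(*hit)
    print(clients_by_severity(hunt(SAMPLE_LOG)))
```

A connection to port 1104 on its own is deliberately not enough to fire: the port is not distinctive, so the script only trusts an address it has seen the C2 hostname resolve to.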
Signatures
-
WarzoneRat, AveMaria
Warzone RAT (also tracked as AveMaria) is a native C++ RAT with a plugin architecture, sold as malware-as-a-service (MaaS). The config extractor recovered its C2 endpoint from this sample, listed under Malware Config above.
-
Warzone RAT payload 6 IoCs
Processes:
resource | yara_rule
behavioral1/memory/584-70-0x0000000000400000-0x000000000041D000-memory.dmp | warzonerat
behavioral1/memory/584-74-0x0000000000400000-0x000000000041D000-memory.dmp | warzonerat
behavioral1/memory/584-75-0x0000000000400000-0x000000000041D000-memory.dmp | warzonerat
behavioral1/memory/584-76-0x0000000000400000-0x000000000041D000-memory.dmp | warzonerat
behavioral1/memory/584-77-0x0000000000400000-0x000000000041D000-memory.dmp | warzonerat
behavioral1/memory/584-82-0x0000000000400000-0x000000000041D000-memory.dmp | warzonerat
-
Executes dropped EXE 2 IoCs
Processes:
pid | process
1096 | qihkwiwr.exe
584 | qihkwiwr.exe
-
Loads dropped DLL 3 IoCs
Processes:
pid | process
2040 | 5a39f9dbd5c6cee8dce9d113c484d794045d72f3258e1959d34c14e673803260.exe
2040 | 5a39f9dbd5c6cee8dce9d113c484d794045d72f3258e1959d34c14e673803260.exe
1096 | qihkwiwr.exe
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles 1 TTPs 2 IoCs
Processes:
description | ioc | process
Key opened | \REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | qihkwiwr.exe
Key opened | \REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | qihkwiwr.exe
-
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
description | ioc | process
Set value (str) | \REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Windows\CurrentVersion\Run\bktp = "C:\\Users\\Admin\\AppData\\Roaming\\rbwgplueyie\\nwsclhqmvf.exe \"C:\\Users\\Admin\\AppData\\Local\\Temp\\qihkwiwr.exe\" C:\\Users\\Admin\\AppData\\" | qihkwiwr.exe
-
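The value is the Warzone persistence stub: a copy under AppData\Roaming\<random>\<random>.exe that is started at logon and is passed the path of the Temp-stage executable as its first argument and the profile directory as its second. The script below is an added example, not the report's or the malware's code: it splits such a Run value the way Windows would and scores it against a handful of rules, with the report's value (value name bktp) beside two constructed benign entries. The rules, the "generated-looking name" heuristic and the threshold are assumptions of this example.

```python
"""Score HKCU\\...\\Run values for the persistence pattern this report recorded.

Added example (not code from the Triage report or from Warzone RAT): the first
entry is the value the sample wrote (value name bktp); the report renders its
backslashes doubled, which is also how Python string escapes read, so it is
pasted as-is. The other two entries are constructed benign controls, and the
rules and the name-randomness heuristic are this example's assumptions.
"""
import re

RUN_VALUES = [
    ("bktp",
     "C:\\Users\\Admin\\AppData\\Roaming\\rbwgplueyie\\nwsclhqmvf.exe "
     "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\qihkwiwr.exe\" C:\\Users\\Admin\\AppData\\"),
    ("OneDrive", "\"C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background"),
    ("VendorTray", "\"C:\\Program Files\\Vendor\\tray.exe\" --minimized"),
]

TOKEN_RE = re.compile(r'"([^"]*)"|(\S+)')
USER_WRITABLE = re.compile(r"\\Users\\[^\\]+\\AppData\\(Roaming|Local)\\", re.I)
PROFILE_DIR = re.compile(r"^[A-Za-z]:\\Users\\[^\\]+\\", re.I)
TEMP_DIR = re.compile(r"\\AppData\\Local\\Temp\\", re.I)
EXE = re.compile(r"\.exe$", re.I)
RANDOM_NAME = re.compile(r"[a-z]{8,}")  # heuristic: long, all-lowercase, no digits or separators


def split_cmdline(data):
    """Windows-style split: quoted tokens may hold spaces, unquoted ones may not."""
    return [quoted or bare for quoted, bare in TOKEN_RE.findall(data)]


def score_run_value(name, data):
    """Return (score, reasons) for one Run value; score is simply the number of rules hit."""
    tokens = split_cmdline(data)
    if not tokens:
        return 0, ["empty value"]
    launcher, args = tokens[0], tokens[1:]
    parts = launcher.split("\\")
    parent_dir = parts[-2] if len(parts) > 1 else ""
    stem = parts[-1].rsplit(".", 1)[0]
    reasons = []
    if USER_WRITABLE.search(launcher):
        reasons.append("launcher lives in a user-writable AppData directory")
    if TEMP_DIR.search(launcher):
        reasons.append("launcher lives in %TEMP%")
    if RANDOM_NAME.fullmatch(parent_dir) and RANDOM_NAME.fullmatch(stem):
        reasons.append("launcher folder and file names look generated (heuristic)")
    exe_args = [a for a in args if EXE.search(a)]
    if exe_args:
        reasons.append("launcher is handed a second executable to run")
        if any(TEMP_DIR.search(a) for a in exe_args):
            reasons.append("that second executable sits in %TEMP%")
    if any(a.endswith("\\") and PROFILE_DIR.match(a) for a in args):
        reasons.append("a bare profile directory is passed as an argument (install/working dir)")
    return len(reasons), reasons


def triage(values, threshold=3):
    """Return (name, score, reasons) for every value at or above the threshold, highest first."""
    scored = [(name, *score_run_value(name, data)) for name, data in values]
    return sorted((s for s in scored if s[1] >= threshold), key=lambda s: -s[1])


if __name__ == "__main__":
    for name, score, reasons in triage(RUN_VALUES):
        print(f"{name}: {score}")
        for reason in reasons:
            print("  -", reason)
```

OneDrive scores one point (it also lives under AppData\Local) and stays below the threshold; the report's value hits five rules. On a live host the same function can be fed the output of `reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run` per user hive.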
Suspicious use of SetThreadContext 1 IoCs
Processes:
description | pid | process | target pid | target process
set thread context of | 1096 | qihkwiwr.exe | 584 | qihkwiwr.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Triage's generic description for this signature calls it likely ransomware behaviour; for a Warzone RAT sample it is more consistent with the RAT's file-manager functionality, and nothing else in this report points to encryption activity.
-
Suspicious behavior: MapViewOfSection 1 IoCs
Processes:
pid | process
1096 | qihkwiwr.exe
-
Suspicious use of SetWindowsHookEx 1 IoCs
Processes:
pid | process
584 | qihkwiwr.exe
-
Suspicious use of WriteProcessMemory 9 IoCs
Processes:
description | pid | process | target pid | target process | events
wrote to memory of | 2040 | 5a39f9dbd5c6cee8dce9d113c484d794045d72f3258e1959d34c14e673803260.exe | 1096 | qihkwiwr.exe | 4
wrote to memory of | 1096 | qihkwiwr.exe | 584 | qihkwiwr.exe | 5
-
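Read together, the SetThreadContext, MapViewOfSection and WriteProcessMemory tables describe a two-hop chain: the original dropper (PID 2040) starts qihkwiwr.exe (PID 1096), which starts a second copy of itself (PID 584), writes into it and resets its thread context; the warzonerat YARA rule then fires on PID 584's image region at 0x400000. The script below is an added example, not code from the report or from Warzone RAT: it parses rows in the report's own layout into per-pair counts and applies verdict rules that are this example's own assumptions about what those API combinations usually mean.

```python
"""Classify parent/child API activity from a Triage report into an injection verdict.

Added example (not code from the Triage report or from Warzone RAT): the rows are
copied from the report's WriteProcessMemory, SetThreadContext and MapViewOfSection
tables and from the "Warzone RAT payload" YARA hit; the verdict rules are this
example's own assumptions.
"""
import re
from dataclasses import dataclass

PARENT = "5a39f9dbd5c6cee8dce9d113c484d794045d72f3258e1959d34c14e673803260.exe"

# Row layout used by the report: "PID <src> <verb> <dst> <src> <src image> <dst image>"
WRITE_ROWS = (
    [f"PID 2040 wrote to memory of 1096 2040 {PARENT} qihkwiwr.exe"] * 4
    + ["PID 1096 wrote to memory of 584 1096 qihkwiwr.exe qihkwiwr.exe"] * 5
)
CONTEXT_ROWS = ["PID 1096 set thread context of 584 1096 qihkwiwr.exe qihkwiwr.exe"]
MAPVIEW_ROWS = ["1096 qihkwiwr.exe"]  # "<pid> <image>" rows from the MapViewOfSection table
YARA_DUMP = "behavioral1/memory/584-70-0x0000000000400000-0x000000000041D000-memory.dmp"

EVENT_RE = re.compile(
    r"^PID (?P<src>\d+) (?P<verb>wrote to memory of|set thread context of) "
    r"(?P<dst>\d+) \d+ (?P<src_img>\S+) (?P<dst_img>\S+)$")
DUMP_RE = re.compile(
    r"memory/(?P<pid>\d+)-\d+-0x(?P<start>[0-9A-Fa-f]+)-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp")


@dataclass
class Edge:
    src_img: str
    dst_img: str
    writes: int = 0
    set_context: int = 0


def build_edges(write_rows, context_rows):
    """Aggregate per (src pid, dst pid): how often src wrote into dst / reset its thread context."""
    edges = {}
    for row in [*write_rows, *context_rows]:
        match = EVENT_RE.match(row)
        if match is None:
            raise ValueError(f"unrecognised row: {row!r}")
        key = (int(match["src"]), int(match["dst"]))
        edge = edges.setdefault(key, Edge(match["src_img"], match["dst_img"]))
        if match["verb"].startswith("wrote"):
            edge.writes += 1
        else:
            edge.set_context += 1
    return edges


def classify(edges, mapview_rows):
    """Verdict per edge. WriteProcessMemory plus SetThreadContext into a child running the
    same image is the classic hollowing signature; writes alone also occur during a plain
    CreateProcess (the parent fills in the child's process parameters), so they rate lower."""
    mapview_pids = {int(row.split()[0]) for row in mapview_rows}
    verdicts = {}
    for (src, dst), edge in edges.items():
        if edge.writes and edge.set_context:
            kind = "process hollowing" if edge.src_img == edge.dst_img else "thread hijack into other image"
            if src in mapview_pids:
                kind += " (+MapViewOfSection in injector)"
            verdicts[(src, dst)] = kind
        elif edge.writes:
            verdicts[(src, dst)] = "write only (consistent with CreateProcess; weak on its own)"
    return verdicts


def dump_region(dump_name):
    """(pid, base, size) of a Triage memory-dump name, to tie the YARA hit to the hollowed process."""
    match = DUMP_RE.search(dump_name)
    start, end = int(match["start"], 16), int(match["end"], 16)
    return int(match["pid"]), start, end - start


if __name__ == "__main__":
    for pair, verdict in classify(build_edges(WRITE_ROWS, CONTEXT_ROWS), MAPVIEW_ROWS).items():
        print(pair, verdict)
    pid, base, size = dump_region(YARA_DUMP)
    print(f"YARA hit in pid {pid} at {base:#x}, {size // 1024} KB")
```

0x41D000 minus 0x400000 is 0x1D000 bytes, the 116KB the Downloads list reports for that dump, and 0x400000 is the conventional preferred base of a 32-bit PE, which is what you expect when an injector maps its payload at the hollowed executable's own base. The 2040 to 1096 writes have no matching context reset and carry a different source image, so the script rates them as the ordinary parent/child handoff rather than a second injection.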
outlook_office_path 1 IoCs
Processes:
description | ioc | process
Key opened | \REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | qihkwiwr.exe
-
outlook_win_path 1 IoCs
Processes:
description | ioc | process
Key opened | \REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | qihkwiwr.exe
Processes
-
Level 1: C:\Users\Admin\AppData\Local\Temp\5a39f9dbd5c6cee8dce9d113c484d794045d72f3258e1959d34c14e673803260.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\5a39f9dbd5c6cee8dce9d113c484d794045d72f3258e1959d34c14e673803260.exe"
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
Level 2: C:\Users\Admin\AppData\Local\Temp\qihkwiwr.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\qihkwiwr.exe" C:\Users\Admin\AppData\Local\Temp\pypxmwx.nj
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
-
Level 3: C:\Users\Admin\AppData\Local\Temp\qihkwiwr.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\qihkwiwr.exe"
- Executes dropped EXE
- Accesses Microsoft Outlook profiles
- Suspicious use of SetWindowsHookEx
- outlook_office_path
- outlook_win_path
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Users\Admin\AppData\Local\Temp\imobflh.hg
Filesize 118KB
MD5 2c38407796b326498911dfb187a41121
SHA1 1c1bbfb16a688c0d9211960cbfe529f6326c352d
SHA256 c780fc83c6d4b02b3e4e7bb5617af863c8eb69d50dc87fe10fdd639454c769fe
SHA512 144c47b0017533487af1f2ce90c3580bbcbc362764433e871ba3e407bd886e4dae84e9ec49c426cf53effe229109ff1759c26197ecc650bf764f2860f8d9b214
-
C:\Users\Admin\AppData\Local\Temp\pypxmwx.nj
Filesize 7KB
MD5 4755e9383156f864c2ed47088aab7cea
SHA1 24eee9dce490d458e09a2717cec64ad1d44f0356
SHA256 925a9b069a5135aa53016c9c1092f08bfa2af799474535ac444125b8f4e6423b
SHA512 7ec0b8980f8f671eff4196a10cb95264c013f5364d9d7974d790d5d47bdc50a9d9627219342f5dd81e9f05ecc883d167477deb9d31f18d88f220fb96d3b2dda4
-
C:\Users\Admin\AppData\Local\Temp\qihkwiwr.exe
Filesize 58KB
MD5 5630e3b1e7ea50e4ed9028dd55fcc113
SHA1 316c09e692b7ec6c594f2ae2f51ecac454efa88d
SHA256 46f74e2f7a05caf7368dfdda25f5199e4c1a14b9e800c8f9e7b54594c009438d
SHA512 92f43a1405a2559ccb58b0d089277a3e93d5312143785d11f02f395546cfb005b439ba479d6cd938b33d4560248bcb18f682027bf436d4aba7a701b01a71c8ae
-
\Users\Admin\AppData\Local\Temp\qihkwiwr.exe
Filesize 58KB
MD5 5630e3b1e7ea50e4ed9028dd55fcc113
SHA1 316c09e692b7ec6c594f2ae2f51ecac454efa88d
SHA256 46f74e2f7a05caf7368dfdda25f5199e4c1a14b9e800c8f9e7b54594c009438d
SHA512 92f43a1405a2559ccb58b0d089277a3e93d5312143785d11f02f395546cfb005b439ba479d6cd938b33d4560248bcb18f682027bf436d4aba7a701b01a71c8ae
-
memory/584-70-0x0000000000400000-0x000000000041D000-memory.dmp
Filesize 116KB
-
memory/584-74-0x0000000000400000-0x000000000041D000-memory.dmp
Filesize 116KB
-
memory/584-75-0x0000000000400000-0x000000000041D000-memory.dmp
Filesize 116KB
-
memory/584-76-0x0000000000400000-0x000000000041D000-memory.dmp
Filesize 116KB
-
memory/584-77-0x0000000000400000-0x000000000041D000-memory.dmp
Filesize 116KB
-
memory/584-81-0x00000000028B0000-0x0000000002934000-memory.dmp
Filesize 528KB
-
memory/584-82-0x0000000000400000-0x000000000041D000-memory.dmp
Filesize 116KB