Analysis
Max time kernel: 144s
Max time network: 148s
Platform: windows10-2004_x64
Resource: win10v2004-20230221-en
Resource tags: arch:x64, arch:x86, image:win10v2004-20230221-en, locale:en-us, os:windows10-2004-x64, system
Submitted: 24-03-2023 13:11
Static task: static1
Behavioral task: behavioral1
  Sample: z63DATASHEET.exe
  Resource: win7-20230220-en
Behavioral task: behavioral2
  Sample: z63DATASHEET.exe
  Resource: win10v2004-20230221-en
General
Target: z63DATASHEET.exe
Size: 161KB
MD5: 63bd8934c91736c0730f84dc84ac65f7
SHA1: d44d2435eda49dc2706b7b5219898ef6d86689c3
SHA256: 85490cf0fc3a4ab7db8b39dae6b341a4f99aec3f84ed12816f85759aea900e74
SHA512: a9ee8fb5c2130c0f445e7510c06372d72638087019016a2adb7d9f0619d66bae3c3e36aacbfba21fc1c8841c52c9b6f58ffe337646594c2d8d18f4296795c32d
SSDEEP: 3072:x8r8NJzhdWVl7nqHHdiFSBFRRwh9J9vZiEPUv6S0:xw81nKl7srF7whVhHUS
Malware Config
Extracted: warzonerat
  91.193.75.142:5234
Signatures

WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.

Warzone RAT payload (7 IoCs)
  resource                                                                      yara_rule
  behavioral2/memory/4700-136-0x0000000000400000-0x000000000055C000-memory.dmp  warzonerat
  behavioral2/memory/4700-139-0x0000000000400000-0x000000000055C000-memory.dmp  warzonerat
  behavioral2/memory/4700-140-0x0000000000400000-0x000000000055C000-memory.dmp  warzonerat
  behavioral2/memory/4700-145-0x0000000000400000-0x000000000055C000-memory.dmp  warzonerat
  behavioral2/memory/1952-150-0x0000000000400000-0x000000000055C000-memory.dmp  warzonerat
  behavioral2/memory/1952-151-0x0000000000400000-0x000000000055C000-memory.dmp  warzonerat
  behavioral2/memory/1952-154-0x0000000000400000-0x000000000055C000-memory.dmp  warzonerat

Executes dropped EXE (2 IoCs)
  pid   process
  3236  images.exe
  1952  images.exe

Adds Run key to start application (2 TTPs, 1 IoC)
  description      ioc                                                                                                                                           process
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Images = "C:\\Users\\Admin\\Documents\\images.exe"  z63DATASHEET.exe

Suspicious use of SetThreadContext (2 IoCs)
  description                          pid   process           target process
  PID 1124 set thread context of 4700  1124  z63DATASHEET.exe  z63DATASHEET.exe
  PID 3236 set thread context of 1952  3236  images.exe        images.exe

Suspicious use of WriteProcessMemory (30 IoCs; identical rows collapsed, count of events in the last column)
  description                       pid   process           target process    events
  PID 1124 wrote to memory of 4700  1124  z63DATASHEET.exe  z63DATASHEET.exe  11
  PID 4700 wrote to memory of 3236  4700  z63DATASHEET.exe  images.exe        3
  PID 3236 wrote to memory of 1952  3236  images.exe        images.exe        11
  PID 1952 wrote to memory of 2224  1952  images.exe        cmd.exe           5
Processes (tree; PIDs taken from the signature tables above)

C:\Users\Admin\AppData\Local\Temp\z63DATASHEET.exe  "C:\Users\Admin\AppData\Local\Temp\z63DATASHEET.exe"  (PID 1124)
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\z63DATASHEET.exe  "C:\Users\Admin\AppData\Local\Temp\z63DATASHEET.exe"  (PID 4700)
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\Documents\images.exe  "C:\Users\Admin\Documents\images.exe"  (PID 3236)
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - Suspicious use of WriteProcessMemory

      C:\Users\Admin\Documents\images.exe  "C:\Users\Admin\Documents\images.exe"  (PID 1952)
        - Executes dropped EXE
        - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\cmd.exe  "C:\Windows\System32\cmd.exe"  (PID 2224)
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
C:\Users\Admin\Documents\images.exe  (listed three times in the report with identical values; same hashes as the submitted sample)
  Filesize: 161KB
  MD5: 63bd8934c91736c0730f84dc84ac65f7
  SHA1: d44d2435eda49dc2706b7b5219898ef6d86689c3
  SHA256: 85490cf0fc3a4ab7db8b39dae6b341a4f99aec3f84ed12816f85759aea900e74
  SHA512: a9ee8fb5c2130c0f445e7510c06372d72638087019016a2adb7d9f0619d66bae3c3e36aacbfba21fc1c8841c52c9b6f58ffe337646594c2d8d18f4296795c32d
Memory dumps
  resource                                                          Filesize
  memory/1124-135-0x0000000005030000-0x0000000005096000-memory.dmp  408KB
  memory/1124-134-0x0000000005570000-0x0000000005B14000-memory.dmp  5.6MB
  memory/1124-133-0x00000000007E0000-0x000000000080E000-memory.dmp  184KB
  memory/1952-150-0x0000000000400000-0x000000000055C000-memory.dmp  1.4MB
  memory/1952-151-0x0000000000400000-0x000000000055C000-memory.dmp  1.4MB
  memory/1952-154-0x0000000000400000-0x000000000055C000-memory.dmp  1.4MB
  memory/2224-152-0x0000000001600000-0x0000000001601000-memory.dmp  4KB
  memory/4700-136-0x0000000000400000-0x000000000055C000-memory.dmp  1.4MB
  memory/4700-139-0x0000000000400000-0x000000000055C000-memory.dmp  1.4MB
  memory/4700-140-0x0000000000400000-0x000000000055C000-memory.dmp  1.4MB
  memory/4700-145-0x0000000000400000-0x000000000055C000-memory.dmp  1.4MB