Analysis

  • max time kernel
    150s
  • max time network
    33s
  • platform
    windows7_x64
  • resource
    win7-20230220-en
  • resource tags
    arch:x64, arch:x86, image:win7-20230220-en, locale:en-us, os:windows7-x64, system
  • submitted
    29/03/2023, 08:42

General

  • Target

    RFQ.exe

  • Size

    355KB

  • MD5

    f734c6433f83441b57db89f3c37b21e8

  • SHA1

    d5f26eb382cd9ad2a220a35b2eadfed2b49007f0

  • SHA256

    c353f375242393a8bc42afcfa590ce13ddf30a4b2b881e47ddf9fa621a677ac0

  • SHA512

    d5f464bebab1f08d6ea1a792fccc0f02b00aa8a49c73755128e2eccec3b5e95a9339027e63d5f0b8f98d404dc4e2b8376970e9ea324ef2076e0a78a2f8c6ac1e

  • SSDEEP

    6144:l69Syfirb6DYPrRPANmynocmBWwGorbGLAsND8k6PNofp8aAPwX3MmI:lrGquDYD2Nmyn5mHGorbGLAsQiOaAInv

Malware Config

Extracted

Family

warzonerat

C2

185.29.9.20:5200

Signatures

  • WarzoneRat, AveMaria

    WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.

  • Warzone RAT payload 9 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 1 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Suspicious use of SetThreadContext 2 IoCs
  • Suspicious use of WriteProcessMemory 34 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\RFQ.exe
    "C:\Users\Admin\AppData\Local\Temp\RFQ.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:1972
    • C:\Users\Admin\AppData\Local\Temp\RFQ.exe
      "C:\Users\Admin\AppData\Local\Temp\RFQ.exe"
      2⤵
      • Loads dropped DLL
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:1936
      • C:\Users\Admin\Documents\recycling.exe
        "C:\Users\Admin\Documents\recycling.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious use of WriteProcessMemory
        PID:568
        • C:\Users\Admin\Documents\recycling.exe
          "C:\Users\Admin\Documents\recycling.exe"
          4⤵
          • Executes dropped EXE
          • Suspicious use of WriteProcessMemory
          PID:960
          • C:\Windows\SysWOW64\cmd.exe
            "C:\Windows\System32\cmd.exe"
            5⤵
            PID:732


          Downloads

          • C:\Users\Admin\Documents\recycling.exe

            Filesize

            355KB

            MD5

            f734c6433f83441b57db89f3c37b21e8

            SHA1

            d5f26eb382cd9ad2a220a35b2eadfed2b49007f0

            SHA256

            c353f375242393a8bc42afcfa590ce13ddf30a4b2b881e47ddf9fa621a677ac0

            SHA512

            d5f464bebab1f08d6ea1a792fccc0f02b00aa8a49c73755128e2eccec3b5e95a9339027e63d5f0b8f98d404dc4e2b8376970e9ea324ef2076e0a78a2f8c6ac1e

          • \Users\Admin\Documents\recycling.exe

            Filesize

            355KB

            MD5

            f734c6433f83441b57db89f3c37b21e8

            SHA1

            d5f26eb382cd9ad2a220a35b2eadfed2b49007f0

            SHA256

            c353f375242393a8bc42afcfa590ce13ddf30a4b2b881e47ddf9fa621a677ac0

            SHA512

            d5f464bebab1f08d6ea1a792fccc0f02b00aa8a49c73755128e2eccec3b5e95a9339027e63d5f0b8f98d404dc4e2b8376970e9ea324ef2076e0a78a2f8c6ac1e

          • memory/568-84-0x0000000004240000-0x0000000004280000-memory.dmp

            Filesize

            256KB

          • memory/568-83-0x00000000003C0000-0x000000000041E000-memory.dmp

            Filesize

            376KB

          • memory/732-106-0x00000000001F0000-0x00000000001F1000-memory.dmp

            Filesize

            4KB

          • memory/732-105-0x00000000001F0000-0x00000000001F1000-memory.dmp

            Filesize

            4KB

          • memory/960-104-0x0000000000230000-0x000000000038C000-memory.dmp

            Filesize

            1.4MB

          • memory/960-99-0x0000000000230000-0x000000000038C000-memory.dmp

            Filesize

            1.4MB

          • memory/960-92-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

            Filesize

            4KB

          • memory/1936-60-0x0000000000080000-0x00000000001DC000-memory.dmp

            Filesize

            1.4MB

          • memory/1936-61-0x0000000000080000-0x00000000001DC000-memory.dmp

            Filesize

            1.4MB

          • memory/1936-76-0x0000000000080000-0x00000000001DC000-memory.dmp

            Filesize

            1.4MB

          • memory/1936-66-0x0000000000080000-0x00000000001DC000-memory.dmp

            Filesize

            1.4MB

          • memory/1936-64-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

            Filesize

            4KB

          • memory/1936-63-0x0000000000080000-0x00000000001DC000-memory.dmp

            Filesize

            1.4MB

          • memory/1936-62-0x0000000000080000-0x00000000001DC000-memory.dmp

            Filesize

            1.4MB

          • memory/1936-71-0x0000000000080000-0x00000000001DC000-memory.dmp

            Filesize

            1.4MB

          • memory/1936-57-0x0000000000080000-0x00000000001DC000-memory.dmp

            Filesize

            1.4MB

          • memory/1936-59-0x0000000000080000-0x00000000001DC000-memory.dmp

            Filesize

            1.4MB

          • memory/1936-58-0x0000000000080000-0x00000000001DC000-memory.dmp

            Filesize

            1.4MB

          • memory/1972-54-0x00000000008C0000-0x000000000091E000-memory.dmp

            Filesize

            376KB

          • memory/1972-56-0x0000000000290000-0x00000000002BE000-memory.dmp

            Filesize

            184KB

          • memory/1972-55-0x0000000004350000-0x0000000004390000-memory.dmp

            Filesize

            256KB