Analysis

  • max time kernel
    31s
  • max time network
    34s
  • platform
    windows7_x64
  • resource
    win7-20230220-en
  • resource tags

    arch:x64, arch:x86, image:win7-20230220-en, locale:en-us, os:windows7-x64, system
  • submitted
    30/03/2023, 01:00

General

  • Target

    5d4ad8679dc296d63c7641cea5ad5948fd33d3b70bfa336771a4f7ba35338a24.exe

  • Size

    479KB

  • MD5

    1554965f5e94f2742a86f080c829e6c6

  • SHA1

    3b31d6f522525cafaccfd4b843d4224a733831c8

  • SHA256

    5d4ad8679dc296d63c7641cea5ad5948fd33d3b70bfa336771a4f7ba35338a24

  • SHA512

    e3151beb8aa7682cfabfb32c161760527f449a18b7b9ef4c6f3a8e337775c5fd64c8ffe5eee0330c832e08fe38b4e7a5aee552660d0ecdede89e3b06e13ec853

  • SSDEEP

    12288:IgkU2UTwmK64YcJkbx8TIFeHMif9po6vAh7BCOIBw8x9d:xRTFqHc8UyMifbNvAhdC/O8t

Malware Config

Extracted

  • Family
    warzonerat
  • C2
    panchak.duckdns.org:5050
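The C2 is a hostname on a free dynamic-DNS service with a non-standard port, so a hunt for it should key on three things: the exact name, other names under the same dynamic-DNS apex, and connections on the C2 port to addresses the name resolved to (the DNS-to-connection pivot is what ties a bare destination IP back to the IoC). The Python below is an added example and not part of the sandbox report; the log format (Zeek-like tab-separated dns.log and conn.log excerpts), the resolved addresses and the client IPs are constructed, and the dynamic-DNS apex list is an assumption to extend from your own intel.

```python
from __future__ import annotations

import ipaddress

# C2 exactly as printed in the report's Malware Config section.
C2 = "panchak.duckdns.org:5050"

# Dynamic-DNS apex domains treated as suspicious. duckdns.org is the one this C2 uses;
# the set itself is illustrative (assumption), extend it from your own intel.
DYN_DNS_APEX = {"duckdns.org"}

# Constructed Zeek-like log excerpts (tab-separated, not real traffic).
# dns.log fields:  ts  src_ip  query  answer        conn.log fields:  ts  src_ip  dst_ip  dst_port
DNS_LOG = """\
1680138000.1\t10.0.0.5\tpanchak.duckdns.org\t203.0.113.10
1680138001.2\t10.0.0.5\tupdates.example.com\t198.51.100.7
1680138002.3\t10.0.0.9\tother-host.duckdns.org\t203.0.113.44
"""
CONN_LOG = """\
1680138003.0\t10.0.0.5\t203.0.113.10\t5050
1680138004.0\t10.0.0.5\t198.51.100.7\t443
1680138005.0\t10.0.0.9\t203.0.113.44\t80
1680138006.0\t10.0.0.7\t192.0.2.8\t5050
"""


def parse_c2(c2: str) -> tuple[str, int]:
    """Split 'host:port' as the report prints it; the host is lower-cased and de-dotted."""
    host, _, port = c2.rpartition(":")
    return host.lower().rstrip("."), int(port)


def dyn_dns_apex(fqdn: str) -> str | None:
    """Return the dynamic-DNS apex a name sits strictly below, if any (any depth below the apex)."""
    labels = fqdn.lower().rstrip(".").split(".")
    for i in range(1, len(labels) - 1):
        apex = ".".join(labels[i:])
        if apex in DYN_DNS_APEX:
            return apex
    return None


def hunt(dns_log: str, conn_log: str, c2: str) -> list[tuple[str, str, str]]:
    """Return (kind, src_ip, detail) findings.

    kind is 'c2-dns' (exact lookup of the C2 host), 'dyn-dns' (another name under a
    dynamic-DNS apex) or 'c2-conn' (a flow on the C2 port to an address the C2 host
    resolved to). A flow to the C2 port alone is not enough; the pivot through the
    resolved addresses is what makes the connection finding specific.
    """
    c2_host, c2_port = parse_c2(c2)
    findings, c2_addrs = [], set()
    for line in dns_log.splitlines():
        _ts, src, query, answer = line.split("\t")
        q = query.lower().rstrip(".")
        if q == c2_host:
            c2_addrs.add(ipaddress.ip_address(answer))
            findings.append(("c2-dns", src, f"{query} -> {answer}"))
        elif (apex := dyn_dns_apex(q)):
            findings.append(("dyn-dns", src, f"{query} (under {apex})"))
    for line in conn_log.splitlines():
        _ts, src, dst, dport = line.split("\t")
        if int(dport) == c2_port and ipaddress.ip_address(dst) in c2_addrs:
            findings.append(("c2-conn", src, f"{dst}:{dport}"))
    return findings


if __name__ == "__main__":
    for kind, src, detail in hunt(DNS_LOG, CONN_LOG, C2):
        print(f"{kind:8} {src:12} {detail}")
```

On the constructed data the fourth conn.log line (a flow to 192.0.2.8 on 5050) is deliberately not reported: the port matches but the address never appeared in an answer for the C2 host, so the pivot keeps it out.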

Signatures

  • UAC bypass (3 TTPs, 1 IoC)
  • WarzoneRat, AveMaria

    WarzoneRat is a native RAT written in C++ with multiple plugins, sold as malware-as-a-service (MaaS).

  • Warzone RAT payload (1 IoC)
  • Sets service image path in registry (2 TTPs, 1 IoC)
  • Uses the VBS compiler for execution (1 TTP; vbc.exe, the Visual Basic .NET compiler)
  • Checks whether UAC is enabled (1 TTP, 2 IoCs)
  • Suspicious use of SetThreadContext (1 IoC)
  • Enumerates physical storage devices (1 TTP)

    Attempts to interact with connected storage/optical drive(s). The sandbox's generic description calls this likely ransomware behaviour; this sample is classified as WarzoneRat, and drive enumeration is equally consistent with a RAT's file-management features.

  • Program crash (1 IoC)
  • Suspicious behavior: EnumeratesProcesses (11 IoCs)
  • Suspicious behavior: LoadsDriver (1 IoC)
  • Suspicious use of AdjustPrivilegeToken (4 IoCs)
  • Suspicious use of WriteProcessMemory (37 IoCs)
  • System policy modification (1 TTP, 1 IoC)

Processes

  • C:\Users\Admin\AppData\Local\Temp\5d4ad8679dc296d63c7641cea5ad5948fd33d3b70bfa336771a4f7ba35338a24.exe
    "C:\Users\Admin\AppData\Local\Temp\5d4ad8679dc296d63c7641cea5ad5948fd33d3b70bfa336771a4f7ba35338a24.exe"
    1⤵
    • UAC bypass
    • Sets service image path in registry
    • Checks whether UAC is enabled
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: LoadsDriver
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:932
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\5d4ad8679dc296d63c7641cea5ad5948fd33d3b70bfa336771a4f7ba35338a24.exe" -Force
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:268
    • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\EdmGen.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\EdmGen.exe"
      2⤵
      PID:1828
    • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe"
      2⤵
      PID:1004
    • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe"
      2⤵
      PID:1780
    • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInUtil.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInUtil.exe"
      2⤵
      PID:1308
    • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regtlibv12.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regtlibv12.exe"
      2⤵
      PID:1444
    • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SetupCache\v4.7.03062\SetupUtility.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SetupCache\v4.7.03062\SetupUtility.exe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1220
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 1220 -s 168
        3⤵
        • Program crash
        PID:544
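The tree above has the shape a detection engineer wants to key on: the sample, running from %TEMP%, spawns powershell.exe to add a Defender exclusion for its own path, then launches six .NET Framework utilities with no arguments at all (taken together with the SetThreadContext and WriteProcessMemory signatures, the classic process-hollowing pattern), and one of those utilities dies under WerFault. The Python below is an added example, not part of the sandbox report or of any vendor's detection content; it runs the three corresponding checks over constructed Sysmon-style process-creation events that mirror the tree. The field names, the user-writable directory list and the benign MSBuild control events are assumptions for illustration.

```python
from __future__ import annotations

import ntpath
import re
from dataclasses import dataclass

@dataclass(frozen=True)
class ProcEvent:
    """Process-creation record, Sysmon Event ID 1 style (field set is an assumption)."""
    pid: int
    ppid: int
    image: str
    command_line: str

# Constructed events mirroring the report's tree (not real telemetry; PIDs follow the report).
SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\5d4ad8679dc296d63c7641cea5ad5948fd33d3b70bfa336771a4f7ba35338a24.exe")
FX = r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319"
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
EVENTS = [
    ProcEvent(932, 500, SAMPLE, f'"{SAMPLE}"'),
    ProcEvent(268, 932, PS, f'"{PS}" Add-MpPreference -ExclusionPath "{SAMPLE}" -Force'),
    ProcEvent(1828, 932, FX + r"\EdmGen.exe", f'"{FX}\\EdmGen.exe"'),
    ProcEvent(1004, 932, FX + r"\cvtres.exe", f'"{FX}\\cvtres.exe"'),
    ProcEvent(1780, 932, FX + r"\vbc.exe", f'"{FX}\\vbc.exe"'),
    ProcEvent(1308, 932, FX + r"\AddInUtil.exe", f'"{FX}\\AddInUtil.exe"'),
    ProcEvent(1444, 932, FX + r"\regtlibv12.exe", f'"{FX}\\regtlibv12.exe"'),
    ProcEvent(1220, 932, FX + r"\SetupCache\v4.7.03062\SetupUtility.exe",
              f'"{FX}\\SetupCache\\v4.7.03062\\SetupUtility.exe"'),
    ProcEvent(544, 1220, r"C:\Windows\SysWOW64\WerFault.exe",
              r"C:\Windows\SysWOW64\WerFault.exe -u -p 1220 -s 168"),
    # Benign control (constructed): MSBuild running cvtres.exe with real arguments must not fire.
    ProcEvent(1900, 1, FX + r"\MSBuild.exe", f'"{FX}\\MSBuild.exe" app.vbproj'),
    ProcEvent(2000, 1900, FX + r"\cvtres.exe", f'"{FX}\\cvtres.exe" /NOLOGO /MACHINE:x64 /OUT:a.res a.rc'),
]

# Parent locations treated as user-writable (assumed list) and the .NET Framework directories.
USER_WRITABLE = re.compile(r"^[a-z]:\\(users\\[^\\]+\\appdata\\|programdata\\)|\\temp\\", re.I)
DOTNET_FX = re.compile(r"^[a-z]:\\windows\\microsoft\.net\\framework(64)?\\", re.I)

def tokens(cmdline: str) -> list[str]:
    """Split a Windows command line on whitespace, honouring double quotes."""
    return [q or bare for q, bare in re.findall(r'"([^"]*)"|(\S+)', cmdline)]

def defender_exclusion_for_parent(ev: ProcEvent, parent: ProcEvent | None) -> str | None:
    """Flag powershell.exe adding a Defender path/process exclusion that covers its own parent."""
    if parent is None or ntpath.basename(ev.image).lower() != "powershell.exe":
        return None
    toks = tokens(ev.command_line)
    if "add-mppreference" not in (t.lower() for t in toks):
        return None
    for flag, value in zip(toks, toks[1:]):
        if flag.lower().startswith("-exclusionp") and value.lower() == parent.image.lower():
            return f"powershell adds Defender exclusion for its parent's image {parent.image}"
    return None

def hollowing_candidate(ev: ProcEvent, parent: ProcEvent | None) -> str | None:
    """Flag a .NET Framework utility started with no arguments by a process in a user-writable
    directory: these tools take arguments when used legitimately, so this is the hollowing shape."""
    if parent is None or not DOTNET_FX.match(ev.image) or not USER_WRITABLE.search(parent.image):
        return None
    if len(tokens(ev.command_line)) > 1:
        return None
    return f"argument-less {ntpath.basename(ev.image)} spawned by {parent.image}"

def werfault_target(ev: ProcEvent) -> int | None:
    """Return the PID that a 'WerFault.exe ... -p <pid>' invocation reports on, if any."""
    if ntpath.basename(ev.image).lower() != "werfault.exe":
        return None
    toks = tokens(ev.command_line)
    for flag, value in zip(toks, toks[1:]):
        if flag.lower() == "-p" and value.isdigit():
            return int(value)
    return None

def triage(events: list[ProcEvent]) -> list[tuple[int, str]]:
    """Return (pid, reason) findings; hollowing candidates feed the crash rule in a second pass."""
    by_pid = {e.pid: e for e in events}
    findings, candidates = [], set()
    for ev in events:
        parent = by_pid.get(ev.ppid)
        excl = defender_exclusion_for_parent(ev, parent)
        if excl:
            findings.append((ev.pid, excl))
        hollow = hollowing_candidate(ev, parent)
        if hollow:
            candidates.add(ev.pid)
            findings.append((ev.pid, hollow))
    for ev in events:
        target = werfault_target(ev)
        if target in candidates:
            findings.append((ev.pid, f"WerFault reports a crash of hollowing candidate PID {target}"))
    return findings
```

The WerFault rule is only a corroborating signal: an injected payload that fails in its new host crashes it, and the `-p 1220` argument ties that crash back to SetupUtility.exe, which the first pass already marked as a hollowing candidate. The cvtres.exe control with real arguments and an MSBuild parent does not fire, which is the false-positive case the argument-less and parent-location conditions exist to exclude.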

Network

MITRE ATT&CK Enterprise v6

Downloads

  • memory/268-62-0x000000001B300000-0x000000001B5E2000-memory.dmp (2.9MB)
  • memory/268-63-0x0000000002310000-0x0000000002318000-memory.dmp (32KB)
  • memory/268-65-0x0000000002440000-0x00000000024C0000-memory.dmp (512KB)
  • memory/268-66-0x0000000002440000-0x00000000024C0000-memory.dmp (512KB)
  • memory/268-67-0x0000000002440000-0x00000000024C0000-memory.dmp (512KB)
  • memory/268-68-0x0000000002440000-0x00000000024C0000-memory.dmp (512KB)
  • memory/932-54-0x0000000000340000-0x00000000003BC000-memory.dmp (496KB)
  • memory/932-55-0x000000001B380000-0x000000001B400000-memory.dmp (512KB)
  • memory/932-56-0x00000000020D0000-0x0000000002132000-memory.dmp (392KB)
  • memory/1220-64-0x0000000000400000-0x0000000000554000-memory.dmp (1.3MB)