Analysis Overview
SHA256
b0f2ea7236eeda828b5063885394cd2898cf8219b2c5d5bcd7b090d1775abdb6
Threat Level: Known bad
The file 7767e9c5fb8802dadc2d3958cdf1e933 was found to be: Known bad.
Malicious Activity Summary
WarzoneRat, AveMaria
Warzone RAT payload
Drops startup file
Loads dropped DLL
Executes dropped EXE
Adds Run key to start application
Unsigned PE
Suspicious use of WriteProcessMemory
NTFS ADS
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-01-26 12:52
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral2
Detonation Overview
Submitted
2024-01-26 12:51
Reported
2024-01-26 12:55
Platform
win10v2004-20231215-en
Max time kernel
157s
Max time network
169s
Command Line
Signatures
WarzoneRat, AveMaria
Warzone RAT payload
| Description | Indicator | Process | Target | Count |
| N/A | N/A | N/A | N/A | 4 |
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\programs.bat | C:\Users\Admin\AppData\Local\Temp\7767e9c5fb8802dadc2d3958cdf1e933.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\programs.bat:start | C:\Users\Admin\AppData\Local\Temp\7767e9c5fb8802dadc2d3958cdf1e933.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\ProgramData\images.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Images = "C:\\ProgramData\\images.exe" | C:\Users\Admin\AppData\Local\Temp\7767e9c5fb8802dadc2d3958cdf1e933.exe | N/A |
NTFS ADS
| Description | Indicator | Process | Target |
| File created | C:\ProgramData:ApplicationData | C:\Users\Admin\AppData\Local\Temp\7767e9c5fb8802dadc2d3958cdf1e933.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target | Count |
| PID 4048 wrote to memory of 3928 | N/A | C:\Users\Admin\AppData\Local\Temp\7767e9c5fb8802dadc2d3958cdf1e933.exe | C:\ProgramData\images.exe | 3 |
| PID 3928 wrote to memory of 4164 | N/A | C:\ProgramData\images.exe | C:\Windows\SysWOW64\cmd.exe | 5 |
Processes
C:\Users\Admin\AppData\Local\Temp\7767e9c5fb8802dadc2d3958cdf1e933.exe
"C:\Users\Admin\AppData\Local\Temp\7767e9c5fb8802dadc2d3958cdf1e933.exe"
C:\ProgramData\images.exe
"C:\ProgramData\images.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe"
The command line names System32, but the image that actually ran is the 32-bit copy under SysWOW64: the 32-bit parent's request for System32 is subject to WoW64 file-system redirection, so detections keyed only on the System32 path in the command line will miss this.
Network
| Country | Destination | Domain | Proto | Count |
| NL | 52.142.223.178:80 | | tcp | 1 |
| US | 8.8.8.8:53 | 183.142.211.20.in-addr.arpa | udp | 1 |
| US | 8.8.8.8:53 | 14.160.190.20.in-addr.arpa | udp | 1 |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp | 1 |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp | 1 |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp | 1 |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp | 1 |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp | 1 |
| US | 8.8.8.8:53 | kabillo.linkpc.net | udp | 1 |
| US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp | 1 |
| US | 8.8.8.8:53 | kabillo.linkpc.net | udp | 1 |
| SG | 139.99.66.103:5200 | kabillo.linkpc.net | tcp | 8 |
Files
memory/4048-0-0x0000000076800000-0x00000000769A0000-memory.dmp
memory/4048-1-0x0000000003990000-0x0000000003AE4000-memory.dmp
memory/4048-3-0x0000000002E90000-0x0000000003990000-memory.dmp
C:\ProgramData\images.exe
| MD5 | 7767e9c5fb8802dadc2d3958cdf1e933 |
| SHA1 | fc3a44ec40782a4875adc6b0f3e37f35fe6a2048 |
| SHA256 | b0f2ea7236eeda828b5063885394cd2898cf8219b2c5d5bcd7b090d1775abdb6 |
| SHA512 | 5c903f2f8eea7b82c5460b540885609bcaca662ad20db45f08c0611e773a95254fc157976172eb3b9e6713d5d29c2188f7d604e914f784506a95d59569e61cee |
These hashes are identical to the submitted sample's (SHA256 at the top of the report): images.exe is a byte-for-byte copy of the original, placed in C:\ProgramData and registered in the Run key, so the same file hash covers both the initial file and the persisted one.
memory/4048-15-0x0000000003990000-0x0000000003AE4000-memory.dmp
memory/4048-17-0x0000000076800000-0x00000000769A0000-memory.dmp
memory/3928-18-0x0000000076800000-0x00000000769A0000-memory.dmp
memory/3928-19-0x00000000040D0000-0x0000000004224000-memory.dmp
memory/4164-26-0x00000000008D0000-0x00000000008D1000-memory.dmp
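The behavioural signatures and network indicators from the behavioral2 run above, turned into a hunt over Sysmon-style events. This is an added example, not code from the sandbox report. It assumes a simplified event schema (flat dicts using Sysmon field names, plus a SHA256 field standing in for Sysmon's Hashes string) and a constructed event list that mirrors the report; the ATT&CK IDs in the comments are the editor's mapping, not the report's.

```python
"""Hunt for the persistence, NTFS ADS, cross-process write and C2 behaviour
recorded in the sandbox report, over Sysmon-style events.
Added example; the flat dict schema and SAMPLE_EVENTS are constructed."""
import re

# Indicators copied from the report.
SAMPLE_SHA256 = "b0f2ea7236eeda828b5063885394cd2898cf8219b2c5d5bcd7b090d1775abdb6"
DROPPED_EXE = r"c:\programdata\images.exe"
C2_DOMAIN = "kabillo.linkpc.net"
C2_SOCKET = ("139.99.66.103", 5200)

# Generic patterns for the techniques the report flags. Editor's ATT&CK mapping:
# T1547.001 (Startup folder / Run key), T1564.004 (NTFS ADS), T1055 (cross-process write).
STARTUP_DIR_RE = re.compile(r"\\start menu\\programs\\startup\\", re.I)
RUN_KEY_RE = re.compile(r"\\currentversion\\run(once)?\\", re.I)
ADS_RE = re.compile(r"^[a-z]:\\.*:(?P<stream>[^\\:]+)$", re.I)   # drive path followed by :stream
BENIGN_STREAMS = {"zone.identifier"}   # mark-of-the-web; browsers write it on every download
PROCESS_VM_WRITE = 0x0020              # handle access bit WriteProcessMemory requires


def classify(ev):
    """Return [(category, detail), ...] for one event; one event can hit several rules."""
    hits = []
    eid = ev["EventID"]
    if eid == 1:   # process create: known-bad hash or the dropped path
        if ev["Image"].lower() == DROPPED_EXE or ev.get("SHA256", "").lower() == SAMPLE_SHA256:
            hits.append(("execution", ev["Image"]))
    elif eid in (11, 15):   # file create / named-stream create
        name = ev["TargetFilename"]
        if STARTUP_DIR_RE.search(name):
            hits.append(("persistence", name))
        m = ADS_RE.match(name)
        if m and m.group("stream").lower() not in BENIGN_STREAMS:
            hits.append(("defense_evasion", name))
    elif eid == 13 and RUN_KEY_RE.search(ev["TargetObject"]):   # registry value set
        hits.append(("persistence", f'{ev["TargetObject"]} = {ev["Details"]}'))
    elif eid == 22 and ev["QueryName"].lower() == C2_DOMAIN:     # DNS query
        hits.append(("c2", ev["QueryName"]))
    elif eid == 3 and (ev["DestinationIp"], int(ev["DestinationPort"])) == C2_SOCKET:
        hits.append(("c2", f'{ev["DestinationIp"]}:{ev["DestinationPort"]}'))
    elif eid == 10:   # process access; require the payload as source to skip parent->child startup noise
        if ev["SourceImage"].lower() == DROPPED_EXE and int(ev["GrantedAccess"], 16) & PROCESS_VM_WRITE:
            hits.append(("injection", f'{ev["SourceImage"]} -> {ev["TargetImage"]}'))
    return hits


def hunt(events):
    """Group hits by category: {"persistence": [...], "c2": [...], ...}."""
    hits = {}
    for ev in events:
        for category, detail in classify(ev):
            hits.setdefault(category, []).append(detail)
    return hits


def verdict(hits):
    """Persistence plus live C2 traffic is what makes this 'known bad' rather than merely suspicious."""
    if "c2" in hits and "persistence" in hits:
        return "known bad"
    return "suspicious" if hits else "clean"


SAMPLE_EVENTS = [   # constructed to mirror the behavioral2 run; not real telemetry
    {"EventID": 1, "Image": r"C:\Users\Admin\AppData\Local\Temp\7767e9c5fb8802dadc2d3958cdf1e933.exe",
     "SHA256": SAMPLE_SHA256.upper()},
    {"EventID": 11, "TargetFilename": r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\programs.bat"},
    {"EventID": 15, "TargetFilename": r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\programs.bat:start"},
    {"EventID": 15, "TargetFilename": r"C:\ProgramData:ApplicationData"},
    {"EventID": 15, "TargetFilename": r"C:\Users\Admin\Downloads\report.pdf:Zone.Identifier"},   # benign
    {"EventID": 13, "TargetObject": r"HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Images",
     "Details": r"C:\ProgramData\images.exe"},
    {"EventID": 1, "Image": r"C:\ProgramData\images.exe", "SHA256": SAMPLE_SHA256},
    {"EventID": 10, "SourceImage": r"C:\ProgramData\images.exe", "TargetImage": r"C:\Windows\SysWOW64\cmd.exe",
     "GrantedAccess": "0x1FFFFF"},
    {"EventID": 22, "QueryName": "kabillo.linkpc.net"},
    {"EventID": 3, "DestinationIp": "139.99.66.103", "DestinationPort": 5200},
    {"EventID": 3, "DestinationIp": "52.142.223.178", "DestinationPort": 80},   # seen in the report, not in the C2 set
]

if __name__ == "__main__":
    found = hunt(SAMPLE_EVENTS)
    for category, details in found.items():
        print(f"{category}: {details}")
    print("verdict:", verdict(found))
```

Two deliberate choices: Zone.Identifier streams are suppressed because every browser download carries one, so an unfiltered ADS rule is pure noise, and the cross-process write rule only fires when the dropped payload is the source, since a parent writing into a child it has just created (the 4048 to 3928 rows above) is routine and would fire on every installer.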
Analysis: behavioral1
Detonation Overview
Submitted
2024-01-26 12:51
Reported
2024-01-26 12:54
Platform
win7-20231215-en
Max time kernel
148s
Max time network
154s
Command Line
Signatures
WarzoneRat, AveMaria
Warzone RAT payload
| Description | Indicator | Process | Target | Count |
| N/A | N/A | N/A | N/A | 5 |
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\programs.bat | C:\Users\Admin\AppData\Local\Temp\7767e9c5fb8802dadc2d3958cdf1e933.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\programs.bat:start | C:\Users\Admin\AppData\Local\Temp\7767e9c5fb8802dadc2d3958cdf1e933.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\ProgramData\images.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7767e9c5fb8802dadc2d3958cdf1e933.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Images = "C:\\ProgramData\\images.exe" | C:\Users\Admin\AppData\Local\Temp\7767e9c5fb8802dadc2d3958cdf1e933.exe | N/A |
NTFS ADS
| Description | Indicator | Process | Target |
| File created | C:\ProgramData:ApplicationData | C:\Users\Admin\AppData\Local\Temp\7767e9c5fb8802dadc2d3958cdf1e933.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\7767e9c5fb8802dadc2d3958cdf1e933.exe
"C:\Users\Admin\AppData\Local\Temp\7767e9c5fb8802dadc2d3958cdf1e933.exe"
C:\ProgramData\images.exe
"C:\ProgramData\images.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe"
Network
| Country | Destination | Domain | Proto | Count |
| US | 8.8.8.8:53 | kabillo.linkpc.net | udp | 1 |
| SG | 139.99.66.103:5200 | kabillo.linkpc.net | tcp | 14 |
Files
memory/2208-0-0x00000000757C0000-0x00000000758C0000-memory.dmp
memory/2208-1-0x00000000757C0000-0x00000000758C0000-memory.dmp
memory/2208-2-0x0000000002EA0000-0x0000000002FF4000-memory.dmp
memory/2208-5-0x00000000023A0000-0x0000000002EA0000-memory.dmp
\ProgramData\images.exe
| MD5 | 7767e9c5fb8802dadc2d3958cdf1e933 |
| SHA1 | fc3a44ec40782a4875adc6b0f3e37f35fe6a2048 |
| SHA256 | b0f2ea7236eeda828b5063885394cd2898cf8219b2c5d5bcd7b090d1775abdb6 |
| SHA512 | 5c903f2f8eea7b82c5460b540885609bcaca662ad20db45f08c0611e773a95254fc157976172eb3b9e6713d5d29c2188f7d604e914f784506a95d59569e61cee |
memory/2208-21-0x0000000002EA0000-0x0000000002FF4000-memory.dmp
memory/2208-22-0x00000000757C0000-0x00000000758C0000-memory.dmp
memory/2832-23-0x00000000757C0000-0x00000000758C0000-memory.dmp
memory/2832-24-0x0000000000C30000-0x0000000000D84000-memory.dmp
memory/2832-25-0x00000000757C0000-0x00000000758C0000-memory.dmp
memory/1448-33-0x0000000000160000-0x0000000000161000-memory.dmp
memory/1448-35-0x0000000000160000-0x0000000000161000-memory.dmp