Analysis Overview
SHA256
b0055410b3532760da065b33ac487f42f31c90ffc60f88ac3ed8a22e53240d52
Threat Level: Known bad
The file 8233910c5b0fe9b4aa55c4f2263aebb4 was found to be: Known bad.
Malicious Activity Summary
WarzoneRat, AveMaria
Warzone RAT payload
Executes dropped EXE
Loads dropped DLL
Adds Run key to start application
Unsigned PE
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-01-30 10:28
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral2
Detonation Overview
Submitted
2024-01-30 10:28
Reported
2024-01-30 10:31
Platform
win10v2004-20231222-en
Max time kernel
134s
Max time network
150s
Command Line
Signatures
WarzoneRat, AveMaria
Warzone RAT payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\ProgramData\images.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Images = "C:\\ProgramData\\images.exe" | C:\Users\Admin\AppData\Local\Temp\8233910c5b0fe9b4aa55c4f2263aebb4.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3532 wrote to memory of 2604 | N/A | C:\Users\Admin\AppData\Local\Temp\8233910c5b0fe9b4aa55c4f2263aebb4.exe | C:\ProgramData\images.exe |
| PID 3532 wrote to memory of 2604 | N/A | C:\Users\Admin\AppData\Local\Temp\8233910c5b0fe9b4aa55c4f2263aebb4.exe | C:\ProgramData\images.exe |
| PID 3532 wrote to memory of 2604 | N/A | C:\Users\Admin\AppData\Local\Temp\8233910c5b0fe9b4aa55c4f2263aebb4.exe | C:\ProgramData\images.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\8233910c5b0fe9b4aa55c4f2263aebb4.exe
"C:\Users\Admin\AppData\Local\Temp\8233910c5b0fe9b4aa55c4f2263aebb4.exe"
C:\ProgramData\images.exe
"C:\ProgramData\images.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 22.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 114.110.16.96.in-addr.arpa | udp |
| NL | 194.5.97.52:11101 | | tcp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| NL | 194.5.97.52:11101 | | tcp |
| NL | 194.5.97.52:11101 | | tcp |
| NL | 194.5.97.52:11101 | | tcp |
| NL | 194.5.97.52:11101 | | tcp |
Files
memory/3532-0-0x0000000076370000-0x0000000076510000-memory.dmp
memory/3532-2-0x0000000003340000-0x0000000003E40000-memory.dmp
memory/3532-1-0x0000000002FB0000-0x0000000003104000-memory.dmp
C:\ProgramData\images.exe
| MD5 | 234145091eea867f33f7db9031f8a510 |
| SHA1 | 7fb9bd6cb751e2c06ebbe6e622661e6de7fd7a3a |
| SHA256 | b002dc6fbdd482d435cec9d62ba52fdb8b9efa0cd3fca7ab05767a8e1972980c |
| SHA512 | ea5971c6bf5a40142a8ca5b634f650cd6b15c22621e73545b95acf5e2fa77c8b981812a27737f426af897b1dfae16efceab13c9ed535412af4351edbddaab9b8 |
memory/3532-13-0x0000000076370000-0x0000000076510000-memory.dmp
memory/3532-12-0x0000000002FB0000-0x0000000003104000-memory.dmp
C:\ProgramData\images.exe
| MD5 | ecbf1c32f7f314682fa1507ca0083ba4 |
| SHA1 | 4cb614454ace8b4d38d34d0357e7b3fb6e22e6dd |
| SHA256 | 9547396b4b934b7d0d1503504c759cc5459071f00a4bfdf77021866a0a6913cf |
| SHA512 | e8609099754fa6179566739e0a8e08dac986312ac984a19875a44ff32669871ecaea698ff3754e6a2f2eddc46d72620b07bce625f44cd564a30dd3c16f2cd6d2 |
memory/2604-15-0x0000000076370000-0x0000000076510000-memory.dmp
memory/2604-16-0x0000000003DB0000-0x0000000003F04000-memory.dmp
memory/2604-23-0x0000000076370000-0x0000000076510000-memory.dmp
Analysis: behavioral1
Detonation Overview
Submitted
2024-01-30 10:28
Reported
2024-01-30 10:31
Platform
win7-20231215-en
Max time kernel
140s
Max time network
152s
Command Line
Signatures
WarzoneRat, AveMaria
Warzone RAT payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\ProgramData\images.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\8233910c5b0fe9b4aa55c4f2263aebb4.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Images = "C:\\ProgramData\\images.exe" | C:\Users\Admin\AppData\Local\Temp\8233910c5b0fe9b4aa55c4f2263aebb4.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2176 wrote to memory of 2856 | N/A | C:\Users\Admin\AppData\Local\Temp\8233910c5b0fe9b4aa55c4f2263aebb4.exe | C:\ProgramData\images.exe |
| PID 2176 wrote to memory of 2856 | N/A | C:\Users\Admin\AppData\Local\Temp\8233910c5b0fe9b4aa55c4f2263aebb4.exe | C:\ProgramData\images.exe |
| PID 2176 wrote to memory of 2856 | N/A | C:\Users\Admin\AppData\Local\Temp\8233910c5b0fe9b4aa55c4f2263aebb4.exe | C:\ProgramData\images.exe |
| PID 2176 wrote to memory of 2856 | N/A | C:\Users\Admin\AppData\Local\Temp\8233910c5b0fe9b4aa55c4f2263aebb4.exe | C:\ProgramData\images.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\8233910c5b0fe9b4aa55c4f2263aebb4.exe
"C:\Users\Admin\AppData\Local\Temp\8233910c5b0fe9b4aa55c4f2263aebb4.exe"
C:\ProgramData\images.exe
"C:\ProgramData\images.exe"
Network
| Country | Destination | Domain | Proto |
| NL | 194.5.97.52:11101 | | tcp |
| NL | 194.5.97.52:11101 | | tcp |
| NL | 194.5.97.52:11101 | | tcp |
| NL | 194.5.97.52:11101 | | tcp |
| NL | 194.5.97.52:11101 | | tcp |
Files
memory/2176-0-0x00000000766A0000-0x00000000767A0000-memory.dmp
memory/2176-1-0x00000000020C0000-0x0000000002214000-memory.dmp
memory/2176-3-0x0000000002410000-0x0000000002F10000-memory.dmp
C:\ProgramData\images.exe
| MD5 | c4445fba4d65c598c410aa4237543bd7 |
| SHA1 | 0742ba8c5b8bf22410eee585fb91ec9b780295e4 |
| SHA256 | 19b51c5586c68a6374e1497fe2d1e40b4d655a957891de2520751ff8cc698a06 |
| SHA512 | d6b0813461b0953aef213f1dd9e43892bbc737c77f230ad5f8204070e13423c86eb4b8434f88e0352c4586db3ded656dc441bf6e9b3ef5eb4ef56f28fe8153f3 |
memory/2176-14-0x00000000020C0000-0x0000000002214000-memory.dmp
\ProgramData\images.exe
| MD5 | dda87809f248f484d83d60720d0c0694 |
| SHA1 | a7d3db4aa8498592505da245b0dbdd9216d80124 |
| SHA256 | f5934ace8bab016709a9fa480d6260f30529b0162d77a96ea356cfcea8354048 |
| SHA512 | d900ca3ccff784a0c360c932add8e1d7fa35a0ad2b844192afd81645c22737d82067227ed7f954f05e3e41e69edd05ffda01ea38001d6a0a6f1bf8e514045346 |
memory/2176-15-0x00000000766A0000-0x00000000767A0000-memory.dmp
memory/2856-16-0x0000000002DC0000-0x0000000002F14000-memory.dmp
C:\ProgramData\images.exe
| MD5 | 8233910c5b0fe9b4aa55c4f2263aebb4 |
| SHA1 | d7459b1c29c2db9b0d978b51bd8df0cd7abc3575 |
| SHA256 | b0055410b3532760da065b33ac487f42f31c90ffc60f88ac3ed8a22e53240d52 |
| SHA512 | 5039622534051087f5d5030c76951fc32f7133445571b686555cf2666eb2fa6e91ee741d7df359bc9e803ce99dcf8518cefc7eaf0bc30ceeeb81320015609960 |
memory/2856-24-0x00000000766A0000-0x00000000767A0000-memory.dmp