Analysis Overview
SHA256
bc7a00a440550e0b93368e5d1524e9b5a46177f26518803d85268d9d7a1cca8a
Threat Level: Known bad
The file bc7a00a440550e0b93368e5d1524e9b5a46177f26518803d85268d9d7a1cca8a.exe was found to be: Known bad.
Malicious Activity Summary
WarzoneRat, AveMaria
Warzone RAT payload
Checks computer location settings
Suspicious use of SetThreadContext
Unsigned PE
Enumerates physical storage devices
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-02-13 05:00
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-02-13 05:00
Reported
2024-02-13 05:16
Platform
win7-20231215-en
Max time kernel
122s
Max time network
140s
Command Line
Signatures
WarzoneRat, AveMaria
Warzone RAT payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1252 set thread context of 2824 | N/A | C:\Users\Admin\AppData\Local\Temp\bc7a00a440550e0b93368e5d1524e9b5a46177f26518803d85268d9d7a1cca8a.exe | C:\Users\Admin\AppData\Local\Temp\bc7a00a440550e0b93368e5d1524e9b5a46177f26518803d85268d9d7a1cca8a.exe |
Enumerates physical storage devices
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\bc7a00a440550e0b93368e5d1524e9b5a46177f26518803d85268d9d7a1cca8a.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\bc7a00a440550e0b93368e5d1524e9b5a46177f26518803d85268d9d7a1cca8a.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\bc7a00a440550e0b93368e5d1524e9b5a46177f26518803d85268d9d7a1cca8a.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\bc7a00a440550e0b93368e5d1524e9b5a46177f26518803d85268d9d7a1cca8a.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\bc7a00a440550e0b93368e5d1524e9b5a46177f26518803d85268d9d7a1cca8a.exe
"C:\Users\Admin\AppData\Local\Temp\bc7a00a440550e0b93368e5d1524e9b5a46177f26518803d85268d9d7a1cca8a.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\IDXJRvJUpAIjP.exe"
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\IDXJRvJUpAIjP" /XML "C:\Users\Admin\AppData\Local\Temp\tmp755F.tmp"
C:\Users\Admin\AppData\Local\Temp\bc7a00a440550e0b93368e5d1524e9b5a46177f26518803d85268d9d7a1cca8a.exe
"C:\Users\Admin\AppData\Local\Temp\bc7a00a440550e0b93368e5d1524e9b5a46177f26518803d85268d9d7a1cca8a.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | makatti.duckdns.org | udp |
| NL | 94.156.68.226:3787 | makatti.duckdns.org | tcp |
Files
memory/1252-0-0x0000000000950000-0x0000000000A30000-memory.dmp
memory/1252-1-0x0000000074410000-0x0000000074AFE000-memory.dmp
memory/1252-2-0x0000000004410000-0x0000000004450000-memory.dmp
memory/1252-3-0x00000000005D0000-0x00000000005E4000-memory.dmp
memory/1252-4-0x00000000005F0000-0x00000000005FA000-memory.dmp
memory/1252-5-0x0000000000600000-0x000000000060E000-memory.dmp
memory/1252-6-0x0000000004E00000-0x0000000004E66000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\tmp755F.tmp
| MD5 | 322e236b9a6e946674aa812b89445c49 |
| SHA1 | 5480cab183ab27489c0a9049fec63fcc7e112738 |
| SHA256 | 54cf91d836de5e2a1f86a2e972818103af8516868dd621808fd2ba1f40a6de2a |
| SHA512 | 16c4997cc8574271916527381bc6cfa683d803f032c24346fba14c94b7686f9fc8cab26deb823ea396bc7c5f66cb25b540bbafa7fe1f3b45b89dc1ef795b62a1 |
memory/2824-12-0x0000000000400000-0x000000000041D000-memory.dmp
memory/2824-14-0x0000000000400000-0x000000000041D000-memory.dmp
memory/2824-16-0x0000000000400000-0x000000000041D000-memory.dmp
memory/2824-18-0x0000000000400000-0x000000000041D000-memory.dmp
memory/2824-20-0x0000000000400000-0x000000000041D000-memory.dmp
memory/2824-22-0x0000000000400000-0x000000000041D000-memory.dmp
memory/2824-24-0x0000000000400000-0x000000000041D000-memory.dmp
memory/2824-26-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
memory/2824-28-0x0000000000400000-0x000000000041D000-memory.dmp
memory/1252-30-0x0000000074410000-0x0000000074AFE000-memory.dmp
memory/2824-31-0x0000000000400000-0x000000000041D000-memory.dmp
memory/2824-32-0x0000000000400000-0x000000000041D000-memory.dmp
memory/2824-35-0x0000000000400000-0x000000000041D000-memory.dmp
memory/2960-36-0x00000000744D0000-0x0000000074A7B000-memory.dmp
memory/2960-37-0x00000000744D0000-0x0000000074A7B000-memory.dmp
memory/2960-38-0x0000000000450000-0x0000000000490000-memory.dmp
memory/2960-39-0x0000000000450000-0x0000000000490000-memory.dmp
memory/2960-40-0x00000000744D0000-0x0000000074A7B000-memory.dmp
memory/2824-41-0x0000000000400000-0x000000000041D000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-02-13 05:00
Reported
2024-02-13 05:18
Platform
win10v2004-20231215-en
Max time kernel
142s
Max time network
151s
Command Line
Signatures
WarzoneRat, AveMaria
Warzone RAT payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\bc7a00a440550e0b93368e5d1524e9b5a46177f26518803d85268d9d7a1cca8a.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 4372 set thread context of 368 | N/A | C:\Users\Admin\AppData\Local\Temp\bc7a00a440550e0b93368e5d1524e9b5a46177f26518803d85268d9d7a1cca8a.exe | C:\Users\Admin\AppData\Local\Temp\bc7a00a440550e0b93368e5d1524e9b5a46177f26518803d85268d9d7a1cca8a.exe |
Enumerates physical storage devices
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\bc7a00a440550e0b93368e5d1524e9b5a46177f26518803d85268d9d7a1cca8a.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\bc7a00a440550e0b93368e5d1524e9b5a46177f26518803d85268d9d7a1cca8a.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\bc7a00a440550e0b93368e5d1524e9b5a46177f26518803d85268d9d7a1cca8a.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\bc7a00a440550e0b93368e5d1524e9b5a46177f26518803d85268d9d7a1cca8a.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\bc7a00a440550e0b93368e5d1524e9b5a46177f26518803d85268d9d7a1cca8a.exe
"C:\Users\Admin\AppData\Local\Temp\bc7a00a440550e0b93368e5d1524e9b5a46177f26518803d85268d9d7a1cca8a.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\IDXJRvJUpAIjP.exe"
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\IDXJRvJUpAIjP" /XML "C:\Users\Admin\AppData\Local\Temp\tmpE02E.tmp"
C:\Users\Admin\AppData\Local\Temp\bc7a00a440550e0b93368e5d1524e9b5a46177f26518803d85268d9d7a1cca8a.exe
"C:\Users\Admin\AppData\Local\Temp\bc7a00a440550e0b93368e5d1524e9b5a46177f26518803d85268d9d7a1cca8a.exe"
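Both detonations (behavioral1 and behavioral2) show the same four-process chain: the sample launches powershell.exe to add a Defender exclusion for C:\Users\Admin\AppData\Roaming\IDXJRvJUpAIjP.exe, registers a scheduled task Updates\IDXJRvJUpAIjP from an XML file in Temp, then starts a second copy of itself and sets that copy's thread context ("PID 1252 set thread context of 2824" on Windows 7, "PID 4372 set thread context of 368" on Windows 10), which is what process hollowing looks like from the outside. Two details matter for detection: the command lines say System32 while the image paths say SysWOW64, because the 32-bit process is subject to WoW64 file-system redirection, so a rule must not key on the System32 prefix; and the excluded file and the task share a name, which ties the two events together. The Python below is an added detection example written for this page; it is not sandbox output and not the malware's code. It runs three rules and one correlation over process-creation events constructed from the command lines above. The ProcEvent field names, the schtasks.exe PID (3012) and the parent PIDs are assumptions; map them to Sysmon Event ID 1 or Windows 4688 fields in your own telemetry.

```python
"""Detection example: the Warzone RAT persistence/evasion chain from this report.

Added for this page, not sandbox output or the malware's own code. Field names
and the schtasks/parent PIDs are assumptions; map them to Sysmon EID 1 /
Windows 4688 fields in your telemetry.
"""
import re
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str          # resolved image path (SysWOW64 for a 32-bit process)
    command_line: str   # as logged (may say System32: WoW64 redirection)


SAMPLE_EXE = (r"C:\Users\Admin\AppData\Local\Temp"
              r"\bc7a00a440550e0b93368e5d1524e9b5a46177f26518803d85268d9d7a1cca8a.exe")

# Constructed from the behavioral1 process list. PIDs 1252, 2824 and 2960 are the
# report's; PID 3012 for schtasks.exe and PPID 1000 for the sample are assumed.
EVENTS = [
    ProcEvent(1252, 1000, SAMPLE_EXE, f'"{SAMPLE_EXE}"'),
    ProcEvent(2960, 1252, r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
              r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" '
              r'Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\IDXJRvJUpAIjP.exe"'),
    ProcEvent(3012, 1252, r"C:\Windows\SysWOW64\schtasks.exe",
              r'"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\IDXJRvJUpAIjP" '
              r'/XML "C:\Users\Admin\AppData\Local\Temp\tmp755F.tmp"'),
    ProcEvent(2824, 1252, SAMPLE_EXE, f'"{SAMPLE_EXE}"'),
]

EXCLUSION_RE = re.compile(
    r'Add-MpPreference\b.*?-Exclusion(?:Path|Process|Extension)\s+"?([^"\s]+)"?', re.I)
TASK_NAME_RE = re.compile(r'/TN\s+"?([^"\s]+)"?', re.I)
TASK_XML_RE = re.compile(r'/XML\s+"?([^"\s]+)"?', re.I)


def hunt(events: List[ProcEvent]) -> List[dict]:
    """Return findings as {"rule", "pid", "detail"} dicts."""
    by_pid: Dict[int, ProcEvent] = {e.pid: e for e in events}
    findings: List[dict] = []
    excluded_paths: List[str] = []
    task_names: List[str] = []

    for ev in events:
        image = ev.image.lower()
        cmd = ev.command_line

        # Rule 1: a process spawning a second instance of its own image is the
        # outward sign of hollowing (report: "PID 1252 set thread context of 2824").
        parent = by_pid.get(ev.ppid)
        if parent is not None and parent.image.lower() == image:
            findings.append({"rule": "self_spawn_hollowing_candidate", "pid": ev.pid,
                             "detail": f"parent {parent.pid} runs the same image"})

        # Rule 2: Defender exclusion added from the command line. endswith() keeps
        # the rule independent of the System32/SysWOW64 prefix.
        if image.endswith("powershell.exe"):
            m = EXCLUSION_RE.search(cmd)
            if m:
                excluded_paths.append(m.group(1))
                findings.append({"rule": "defender_exclusion", "pid": ev.pid,
                                 "detail": m.group(1)})

        # Rule 3: scheduled task created from an XML definition dropped in Temp.
        elif image.endswith("schtasks.exe") and "/create" in cmd.lower():
            tn = TASK_NAME_RE.search(cmd)
            xml = TASK_XML_RE.search(cmd)
            if xml and "\\appdata\\local\\temp\\" in xml.group(1).lower():
                if tn:
                    task_names.append(tn.group(1))
                findings.append({"rule": "schtasks_xml_from_temp", "pid": ev.pid,
                                 "detail": f"{tn.group(1) if tn else '?'} <- {xml.group(1)}"})

    # Correlation: the excluded file and the task share a name, so the two events
    # belong to one persistence setup rather than two unrelated admin actions.
    for path in excluded_paths:
        stem = path.rsplit("\\", 1)[-1].rsplit(".", 1)[0].lower()
        for tn in task_names:
            if tn.rsplit("\\", 1)[-1].lower() == stem:
                findings.append({"rule": "exclusion_and_task_share_name", "pid": None,
                                 "detail": stem})
    return findings


if __name__ == "__main__":
    for f in hunt(EVENTS):
        print(f"{f['rule']:32} pid={f['pid']} {f['detail']}")
```

Run as-is it prints four findings for the constructed events; in production, feed `hunt()` a window of events per host so that the parent lookup and the name correlation have something to join against. The Defender rule also catches `-ExclusionProcess` and `-ExclusionExtension`, since an attacker can exclude by process or extension just as easily as by path.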
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 173.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 71.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | makatti.duckdns.org | udp |
| NL | 94.156.68.226:3787 | makatti.duckdns.org | tcp |
| US | 8.8.8.8:53 | 226.68.156.94.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 31.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 89.65.42.20.in-addr.arpa | udp |
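One reading caveat for the Network tables of both detonations: the indicators the sample itself produces are the lookup of makatti.duckdns.org and the TCP session to 94.156.68.226:3787. The in-addr.arpa names are reverse lookups of connection peers, not domains the malware asked for: 226.68.156.94.in-addr.arpa is 94.156.68.226 written backwards, and the other PTR names reverse to addresses that appear nowhere else in this report. Treating them as IOCs would add noise to a blocklist. The Python below is an added example for this page, not part of the sandbox output: it reconstructs the IPv4 behind a PTR name, keeps a reverse lookup only when it points back at a known C2 address, and flags the C2 domain, the C2 endpoint, and any other query under a dynamic-DNS provider. The log line format, the client address 10.0.0.5 and the one-entry DYNDNS_SUFFIXES list are constructed for the example; the IOC values are taken from the tables above.

```python
"""IOC matching over DNS/connection logs, with PTR (reverse-lookup) handling.

Added example for this report, not sandbox output. The log format, client
address and the dynamic-DNS suffix list are assumptions; the IOC values come
from the report's Network tables.
"""
import re
from typing import List, Optional

C2_DOMAINS = {"makatti.duckdns.org"}
C2_ENDPOINTS = {("94.156.68.226", 3787)}
DYNDNS_SUFFIXES = ("duckdns.org",)   # extend with your own watchlist

PTR_RE = re.compile(
    r"^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.in-addr\.arpa\.?$", re.I)


def ptr_to_ip(name: str) -> Optional[str]:
    """Turn a reverse-lookup name back into the IPv4 it refers to, or None."""
    m = PTR_RE.match(name.strip())
    if not m:
        return None
    return ".".join(reversed(m.groups()))


# Constructed log lines (not sandbox output), one record per line:
#   <timestamp> <kind> <client> <dst ip:port> <proto> <query or ->
SAMPLE_LOG = """\
2024-02-13T05:02:10Z dns  10.0.0.5 8.8.8.8:53 udp makatti.duckdns.org
2024-02-13T05:02:11Z conn 10.0.0.5 94.156.68.226:3787 tcp -
2024-02-13T05:02:12Z dns  10.0.0.5 8.8.8.8:53 udp 226.68.156.94.in-addr.arpa
2024-02-13T05:02:13Z dns  10.0.0.5 8.8.8.8:53 udp 217.106.137.52.in-addr.arpa
2024-02-13T05:02:14Z conn 10.0.0.5 52.137.106.217:443 tcp -
"""


def match_iocs(log_text: str) -> List[dict]:
    """Return hits as {"ts", "rule", "value"} dicts, in log order."""
    hits: List[dict] = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, kind, _client, dst, _proto, query = line.split(maxsplit=5)
        dst_ip, dst_port = dst.rsplit(":", 1)

        if kind == "conn" and (dst_ip, int(dst_port)) in C2_ENDPOINTS:
            hits.append({"ts": ts, "rule": "c2_connection", "value": dst})
        elif kind == "dns":
            q = query.lower().rstrip(".")
            ip = ptr_to_ip(q)
            if ip is not None:
                # A PTR query is normally issued by the analysis host or a
                # resolver, not by the malware; keep it only if it points back
                # at a known C2 address, otherwise it is noise.
                if any(ip == c2_ip for c2_ip, _ in C2_ENDPOINTS):
                    hits.append({"ts": ts, "rule": "ptr_for_c2_ip", "value": ip})
            elif q in C2_DOMAINS:
                hits.append({"ts": ts, "rule": "c2_domain", "value": q})
            elif q.endswith(DYNDNS_SUFFIXES):
                hits.append({"ts": ts, "rule": "dynamic_dns_query", "value": q})
    return hits


if __name__ == "__main__":
    for h in match_iocs(SAMPLE_LOG):
        print(f"{h['ts']} {h['rule']:20} {h['value']}")
```

On the constructed log this yields three hits (the domain, the session on port 3787, and the PTR for the C2 address) and correctly ignores the reverse lookup and connection for 52.137.106.217. The `dynamic_dns_query` rule is deliberately lower-confidence: a duckdns.org subdomain that is not on the blocklist is a lead to triage, not a verdict, because the same provider is used by plenty of legitimate hobby hosts.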
Files
memory/4372-0-0x0000000000DF0000-0x0000000000ED0000-memory.dmp
memory/4372-1-0x0000000074A50000-0x0000000075200000-memory.dmp
memory/4372-2-0x0000000005E90000-0x0000000006434000-memory.dmp
memory/4372-3-0x00000000058E0000-0x0000000005972000-memory.dmp
memory/4372-4-0x0000000005860000-0x0000000005870000-memory.dmp
memory/4372-5-0x0000000005A80000-0x0000000005A8A000-memory.dmp
memory/4372-6-0x00000000085B0000-0x00000000085C4000-memory.dmp
memory/4372-7-0x00000000085E0000-0x00000000085EA000-memory.dmp
memory/4372-8-0x00000000085F0000-0x00000000085FE000-memory.dmp
memory/4372-9-0x0000000008600000-0x0000000008666000-memory.dmp
memory/4372-10-0x000000000AE60000-0x000000000AEFC000-memory.dmp
memory/4876-15-0x00000000027A0000-0x00000000027D6000-memory.dmp
memory/4876-16-0x0000000074A50000-0x0000000075200000-memory.dmp
memory/4876-17-0x0000000004C00000-0x0000000004C10000-memory.dmp
memory/4876-18-0x0000000004C00000-0x0000000004C10000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\tmpE02E.tmp
| MD5 | abec8806ef0d9d9da57ce7eec1d1e297 |
| SHA1 | 54f3cae6c516024f64f566946ee77888f97b27cf |
| SHA256 | 654e0d8fa3b6a73636f20db2e67d5f24668ea6ecc389bd769c814615e0aba20b |
| SHA512 | 4b82d1a6724cbfd2f11cb7bc360eb3c1e6ebeb659f93c80612beea60de2ac0071c4a619c088f4ea3d20742d0257bf5a3482050921bec35eb70a1c5b3def7e29f |
memory/368-20-0x0000000000400000-0x000000000041D000-memory.dmp
memory/4876-23-0x0000000005240000-0x0000000005868000-memory.dmp
memory/4372-24-0x0000000074A50000-0x0000000075200000-memory.dmp
memory/368-25-0x0000000000400000-0x000000000041D000-memory.dmp
memory/368-26-0x0000000000400000-0x000000000041D000-memory.dmp
memory/4876-27-0x0000000005110000-0x0000000005132000-memory.dmp
memory/4876-33-0x00000000059E0000-0x0000000005A46000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_0efm0qfj.3no.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/4876-34-0x0000000005AC0000-0x0000000005B26000-memory.dmp
memory/368-39-0x0000000000400000-0x000000000041D000-memory.dmp
memory/4876-40-0x0000000005C30000-0x0000000005F84000-memory.dmp
memory/4876-41-0x00000000060D0000-0x00000000060EE000-memory.dmp
memory/4876-42-0x0000000006120000-0x000000000616C000-memory.dmp
memory/4876-43-0x0000000004C00000-0x0000000004C10000-memory.dmp
memory/4876-44-0x000000007F550000-0x000000007F560000-memory.dmp
memory/4876-45-0x00000000070B0000-0x00000000070E2000-memory.dmp
memory/4876-46-0x0000000071140000-0x000000007118C000-memory.dmp
memory/4876-56-0x00000000066A0000-0x00000000066BE000-memory.dmp
memory/4876-57-0x00000000072F0000-0x0000000007393000-memory.dmp
memory/4876-58-0x0000000007A30000-0x00000000080AA000-memory.dmp
memory/4876-59-0x00000000073F0000-0x000000000740A000-memory.dmp
memory/4876-60-0x0000000007460000-0x000000000746A000-memory.dmp
memory/4876-61-0x0000000007670000-0x0000000007706000-memory.dmp
memory/4876-62-0x00000000075F0000-0x0000000007601000-memory.dmp
memory/4876-63-0x0000000007620000-0x000000000762E000-memory.dmp
memory/4876-64-0x0000000007630000-0x0000000007644000-memory.dmp
memory/4876-65-0x0000000007730000-0x000000000774A000-memory.dmp
memory/4876-66-0x0000000007710000-0x0000000007718000-memory.dmp
memory/4876-69-0x0000000074A50000-0x0000000075200000-memory.dmp
memory/368-70-0x0000000000400000-0x000000000041D000-memory.dmp