Analysis Overview
SHA256
ea2ddf396c797d8883fe1c7af0a0bcd76d9b3d5e3b18e257c48ca1e639e945c9
Threat Level: Known bad
The file 0c74bc9529b8d9f96fc7e1b47559abd1.bin was found to be: Known bad.
Malicious Activity Summary
WarzoneRat, AveMaria
Warzone RAT payload
Checks computer location settings
Suspicious use of SetThreadContext
Enumerates physical storage devices
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Creates scheduled task(s)
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-02-14 01:01
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-02-14 01:01
Reported
2024-02-14 01:03
Platform
win7-20231129-en
Max time kernel
117s
Max time network
118s
Command Line
Signatures
Enumerates physical storage devices
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\bc7a00a440550e0b93368e5d1524e9b5a46177f26518803d85268d9d7a1cca8a.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\bc7a00a440550e0b93368e5d1524e9b5a46177f26518803d85268d9d7a1cca8a.exe
"C:\Users\Admin\AppData\Local\Temp\bc7a00a440550e0b93368e5d1524e9b5a46177f26518803d85268d9d7a1cca8a.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\IDXJRvJUpAIjP.exe"
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\IDXJRvJUpAIjP" /XML "C:\Users\Admin\AppData\Local\Temp\tmp3B0D.tmp"
C:\Users\Admin\AppData\Local\Temp\bc7a00a440550e0b93368e5d1524e9b5a46177f26518803d85268d9d7a1cca8a.exe
"C:\Users\Admin\AppData\Local\Temp\bc7a00a440550e0b93368e5d1524e9b5a46177f26518803d85268d9d7a1cca8a.exe"
C:\Users\Admin\AppData\Local\Temp\bc7a00a440550e0b93368e5d1524e9b5a46177f26518803d85268d9d7a1cca8a.exe
"C:\Users\Admin\AppData\Local\Temp\bc7a00a440550e0b93368e5d1524e9b5a46177f26518803d85268d9d7a1cca8a.exe"
C:\Users\Admin\AppData\Local\Temp\bc7a00a440550e0b93368e5d1524e9b5a46177f26518803d85268d9d7a1cca8a.exe
"C:\Users\Admin\AppData\Local\Temp\bc7a00a440550e0b93368e5d1524e9b5a46177f26518803d85268d9d7a1cca8a.exe"
C:\Users\Admin\AppData\Local\Temp\bc7a00a440550e0b93368e5d1524e9b5a46177f26518803d85268d9d7a1cca8a.exe
"C:\Users\Admin\AppData\Local\Temp\bc7a00a440550e0b93368e5d1524e9b5a46177f26518803d85268d9d7a1cca8a.exe"
C:\Users\Admin\AppData\Local\Temp\bc7a00a440550e0b93368e5d1524e9b5a46177f26518803d85268d9d7a1cca8a.exe
"C:\Users\Admin\AppData\Local\Temp\bc7a00a440550e0b93368e5d1524e9b5a46177f26518803d85268d9d7a1cca8a.exe"
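The two child processes above are the sample's persistence and defense-evasion steps: powershell.exe adds a Defender exclusion for the copy it is about to drop under AppData\Roaming, and schtasks.exe registers a task named Updates\IDXJRvJUpAIjP from an XML file in the user's Temp directory. The following is an added example, not sandbox output or code from this report: it runs those two checks over constructed process-creation events built from the command lines shown here (Sysmon event 1 style fields; PIDs other than 2888 and 2996, the parent of 2888, and the two benign control events are assumed).

```python
"""Triage process-creation events for the two behaviours seen in this report:
a Defender exclusion added via Add-MpPreference and a scheduled task created
from an XML file in the user's Temp directory.  Added example; the events
below are constructed from the report's command lines, not real telemetry."""
import re
import shlex

SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\bc7a00a440550e0b93368e5d1524e9b5a46177f26518803d85268d9d7a1cca8a.exe")

# Constructed events (pid/ppid values other than 2888 and 2996 are assumed).
EVENTS = [
    {"pid": 2888, "ppid": 1500, "image": SAMPLE, "cmdline": '"%s"' % SAMPLE},
    {"pid": 2996, "ppid": 2888,
     "image": r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" '
                r'Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\IDXJRvJUpAIjP.exe"'},
    {"pid": 3012, "ppid": 2888,
     "image": r"C:\Windows\SysWOW64\schtasks.exe",
     "cmdline": r'"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\IDXJRvJUpAIjP" '
                r'/XML "C:\Users\Admin\AppData\Local\Temp\tmp3B0D.tmp"'},
    # Benign controls (assumed) so the rules are seen to discriminate.
    {"pid": 4100, "ppid": 900, "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r'schtasks /Query /TN "Microsoft\Windows\Defrag\ScheduledDefrag"'},
    {"pid": 4120, "ppid": 900,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe Get-MpPreference"},
]

USER_TEMP_RE = re.compile(r"\\AppData\\Local\\Temp\\", re.IGNORECASE)


def split_cmdline(cmdline):
    """Tokenise a Windows command line.  posix=False keeps backslashes literal
    and honours double quotes; the surrounding quotes are then stripped."""
    return [t.strip('"') for t in shlex.split(cmdline, posix=False)]


def arg_after(tokens, flag):
    """Return the value following a flag such as /TN or -ExclusionPath."""
    low = [t.lower() for t in tokens]
    if flag.lower() in low:
        i = low.index(flag.lower())
        if i + 1 < len(tokens):
            return tokens[i + 1]
    return None


def triage(events):
    """Return one finding per event that matches either rule, with the
    parent image so the analyst can see it was spawned from a file in %TEMP%."""
    by_pid = {ev["pid"]: ev for ev in events}
    findings = []
    for ev in events:
        image = ev["image"].lower()
        tokens = split_cmdline(ev["cmdline"])
        low = [t.lower() for t in tokens]
        parent = by_pid.get(ev["ppid"])
        common = {"pid": ev["pid"], "ppid": ev["ppid"],
                  "parent_in_temp": bool(parent and USER_TEMP_RE.search(parent["image"]))}
        # Rule 1: Defender exclusion added from the command line.
        if image.endswith("powershell.exe") and "add-mppreference" in low:
            path = arg_after(tokens, "-ExclusionPath")
            if path:
                findings.append(dict(common, rule="defender_exclusion_added", detail=path))
        # Rule 2: scheduled task created from an XML definition in the user's Temp dir.
        if image.endswith("schtasks.exe") and "/create" in low:
            xml = arg_after(tokens, "/XML")
            if xml and USER_TEMP_RE.search(xml):
                findings.append(dict(common, rule="schtasks_create_from_temp_xml",
                                     detail=arg_after(tokens, "/TN")))
    return findings


if __name__ == "__main__":
    for f in triage(EVENTS):
        print(f)
```

Both rules key on the arguments rather than the image path alone, because the same binaries are run constantly by administrators; the benign control events produce no findings. The `parent_in_temp` flag is the extra context that separates this chain from a legitimate deployment script.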
Network
Files
memory/2888-0-0x0000000000390000-0x0000000000470000-memory.dmp
memory/2888-1-0x0000000074B20000-0x000000007520E000-memory.dmp
memory/2888-2-0x0000000004BB0000-0x0000000004BF0000-memory.dmp
memory/2888-3-0x0000000001E90000-0x0000000001EA4000-memory.dmp
memory/2888-4-0x0000000001FB0000-0x0000000001FBA000-memory.dmp
memory/2888-5-0x0000000002080000-0x000000000208E000-memory.dmp
memory/2888-6-0x0000000004CF0000-0x0000000004D56000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\tmp3B0D.tmp
| MD5 | 3aab1e5f5395f7f981c94f83bbbdff97 |
| SHA1 | fbdc8218c2c37e20402c5e35b8a631c8a9916963 |
| SHA256 | 916efa7cfe85a366308dcca38f25ee5cd4058dc94b4120fe33746f13cef527a5 |
| SHA512 | 10d3bdc51b7cb6899e261bd8ed2ec8e57fe7cf4ac267741c37c43f3b8d54fda00ba8f887f40e2cd363088f751e276ce472e29a1ac8d430ba302179aff6d8c965 |
memory/2888-15-0x0000000074B20000-0x000000007520E000-memory.dmp
memory/2996-14-0x000000006EEE0000-0x000000006F48B000-memory.dmp
memory/2996-16-0x0000000002A00000-0x0000000002A40000-memory.dmp
memory/2996-17-0x000000006EEE0000-0x000000006F48B000-memory.dmp
memory/2996-19-0x0000000002A00000-0x0000000002A40000-memory.dmp
memory/2996-18-0x0000000002A00000-0x0000000002A40000-memory.dmp
memory/2996-20-0x000000006EEE0000-0x000000006F48B000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-02-14 01:01
Reported
2024-02-14 01:03
Platform
win10v2004-20231215-en
Max time kernel
145s
Max time network
149s
Command Line
Signatures
WarzoneRat, AveMaria
Warzone RAT payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\bc7a00a440550e0b93368e5d1524e9b5a46177f26518803d85268d9d7a1cca8a.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 4752 set thread context of 2396 | N/A | C:\Users\Admin\AppData\Local\Temp\bc7a00a440550e0b93368e5d1524e9b5a46177f26518803d85268d9d7a1cca8a.exe | C:\Users\Admin\AppData\Local\Temp\bc7a00a440550e0b93368e5d1524e9b5a46177f26518803d85268d9d7a1cca8a.exe |
Enumerates physical storage devices
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\bc7a00a440550e0b93368e5d1524e9b5a46177f26518803d85268d9d7a1cca8a.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\bc7a00a440550e0b93368e5d1524e9b5a46177f26518803d85268d9d7a1cca8a.exe
"C:\Users\Admin\AppData\Local\Temp\bc7a00a440550e0b93368e5d1524e9b5a46177f26518803d85268d9d7a1cca8a.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\IDXJRvJUpAIjP.exe"
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\IDXJRvJUpAIjP" /XML "C:\Users\Admin\AppData\Local\Temp\tmp754F.tmp"
C:\Users\Admin\AppData\Local\Temp\bc7a00a440550e0b93368e5d1524e9b5a46177f26518803d85268d9d7a1cca8a.exe
"C:\Users\Admin\AppData\Local\Temp\bc7a00a440550e0b93368e5d1524e9b5a46177f26518803d85268d9d7a1cca8a.exe"
C:\Users\Admin\AppData\Local\Temp\bc7a00a440550e0b93368e5d1524e9b5a46177f26518803d85268d9d7a1cca8a.exe
"C:\Users\Admin\AppData\Local\Temp\bc7a00a440550e0b93368e5d1524e9b5a46177f26518803d85268d9d7a1cca8a.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 72.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | makatti.duckdns.org | udp |
| NL | 94.156.68.226:3787 | makatti.duckdns.org | tcp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 134.71.91.104.in-addr.arpa | udp |
| NL | 94.156.68.226:3787 | makatti.duckdns.org | tcp |
| US | 8.8.8.8:53 | 180.178.17.96.in-addr.arpa | udp |
| NL | 94.156.68.226:3787 | makatti.duckdns.org | tcp |
| US | 8.8.8.8:53 | 22.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 194.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | makatti.duckdns.org | udp |
| NL | 94.156.68.226:3787 | makatti.duckdns.org | tcp |
| NL | 94.156.68.226:3787 | makatti.duckdns.org | tcp |
| NL | 94.156.68.226:3787 | makatti.duckdns.org | tcp |
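The network table mixes three kinds of rows: reverse (in-addr.arpa) lookups sent to 8.8.8.8, which are sandbox and OS noise rather than anything the sample asked for; the two forward lookups of makatti.duckdns.org; and six TCP connections to 94.156.68.226:3787, the command-and-control endpoint, on a free dynamic-DNS name. The following is an added example, not part of this report or the sandbox's tooling: it parses the table exactly as printed above and reduces it to the indicators worth blocking. The list of dynamic-DNS zones is an assumption kept deliberately short.

```python
"""Extract C2 indicators from the sandbox network table, separating PTR
noise from the sample's own DNS queries and connections.  Added example; the
table text below is copied from the behavioral2 Network section above."""
import re
from collections import Counter

NETWORK_TABLE = """\
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 72.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | makatti.duckdns.org | udp |
| NL | 94.156.68.226:3787 | makatti.duckdns.org | tcp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 134.71.91.104.in-addr.arpa | udp |
| NL | 94.156.68.226:3787 | makatti.duckdns.org | tcp |
| US | 8.8.8.8:53 | 180.178.17.96.in-addr.arpa | udp |
| NL | 94.156.68.226:3787 | makatti.duckdns.org | tcp |
| US | 8.8.8.8:53 | 22.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 194.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | makatti.duckdns.org | udp |
| NL | 94.156.68.226:3787 | makatti.duckdns.org | tcp |
| NL | 94.156.68.226:3787 | makatti.duckdns.org | tcp |
| NL | 94.156.68.226:3787 | makatti.duckdns.org | tcp |
"""

# Free dynamic-DNS zones commonly abused for RAT C2 (assumed, non-exhaustive).
DDNS_SUFFIXES = ("duckdns.org", "no-ip.com", "ddns.net", "hopto.org")

ROW_RE = re.compile(r"^\|\s*(\w+)\s*\|\s*([\d.]+):(\d+)\s*\|\s*(\S+)\s*\|\s*(\w+)\s*\|$")


def parse_rows(text):
    """Parse '| CC | ip:port | domain | proto |' rows; the header row is skipped
    because 'Destination' is not an ip:port pair."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            country, ip, port, domain, proto = m.groups()
            rows.append({"country": country, "ip": ip, "port": int(port),
                         "domain": domain, "proto": proto})
    return rows


def classify(row):
    """PTR lookups are attributable to the sandbox/OS, not the sample."""
    if row["domain"].endswith(".in-addr.arpa"):
        return "ptr_lookup"
    if row["port"] == 53 and row["proto"] == "udp":
        return "dns_query"
    return "connection"


def extract_iocs(rows):
    """Collapse repeated connections into one C2 record with an attempt count."""
    c2 = Counter()
    resolved = set()
    ptr_noise = 0
    for r in rows:
        kind = classify(r)
        if kind == "ptr_lookup":
            ptr_noise += 1
        elif kind == "dns_query":
            resolved.add(r["domain"])
        else:
            c2[(r["domain"], r["ip"], r["port"], r["proto"])] += 1
    return {
        "resolved": sorted(resolved),
        "ptr_noise": ptr_noise,
        "c2": [{"domain": d, "ip": ip, "port": port, "proto": proto, "attempts": n,
                "dynamic_dns": d.endswith(DDNS_SUFFIXES)}
               for (d, ip, port, proto), n in c2.items()],
    }


if __name__ == "__main__":
    print(extract_iocs(parse_rows(NETWORK_TABLE)))
```

Six connection attempts in a 149-second run is a beaconing pattern, not a one-off download. Because the name is dynamic DNS, the IP can change under the attacker's control; block or alert on the domain as well as on 94.156.68.226:3787, and treat the in-addr.arpa rows as noise rather than indicators.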
Files
memory/4752-1-0x0000000074FE0000-0x0000000075790000-memory.dmp
memory/4752-0-0x0000000000090000-0x0000000000170000-memory.dmp
memory/4752-2-0x0000000005060000-0x0000000005604000-memory.dmp
memory/4752-3-0x0000000004B50000-0x0000000004BE2000-memory.dmp
memory/4752-4-0x0000000004D90000-0x0000000004DA0000-memory.dmp
memory/4752-5-0x0000000004D10000-0x0000000004D1A000-memory.dmp
memory/4752-6-0x0000000007850000-0x0000000007864000-memory.dmp
memory/4752-7-0x0000000007880000-0x000000000788A000-memory.dmp
memory/4752-8-0x0000000007890000-0x000000000789E000-memory.dmp
memory/4752-9-0x00000000078A0000-0x0000000007906000-memory.dmp
memory/4752-10-0x000000000A0F0000-0x000000000A18C000-memory.dmp
memory/1188-15-0x0000000002940000-0x0000000002976000-memory.dmp
memory/1188-16-0x0000000074FE0000-0x0000000075790000-memory.dmp
memory/1188-18-0x00000000053C0000-0x00000000059E8000-memory.dmp
memory/1188-17-0x00000000029C0000-0x00000000029D0000-memory.dmp
memory/1188-19-0x00000000029C0000-0x00000000029D0000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\tmp754F.tmp
| MD5 | 6c8df7c5c3859eb7b86633b1e72c03ff |
| SHA1 | 4a2440159fbd1b7cb2de9cecc21f6b1567ce5eaf |
| SHA256 | 05a0b5712473edd26e530cb7936561352b67310c54cd0c4cc2e67450c160573b |
| SHA512 | b4ae832efe1dfe14a81ecd1226cdc5d36521cc8fcb3c8f4ae9028763b4a5b44349021cc388eaee2afd0148b200982557c589c9c37634c9e4af1cd69272cd8807 |
memory/1188-21-0x0000000005A30000-0x0000000005A52000-memory.dmp
memory/2396-22-0x0000000000400000-0x000000000041D000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_1iknd2hd.cvv.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/1188-29-0x0000000005B60000-0x0000000005BC6000-memory.dmp
memory/2396-30-0x0000000000400000-0x000000000041D000-memory.dmp
memory/2396-37-0x0000000000400000-0x000000000041D000-memory.dmp
memory/4752-39-0x0000000074FE0000-0x0000000075790000-memory.dmp
memory/1188-38-0x0000000005EF0000-0x0000000006244000-memory.dmp
memory/1188-35-0x0000000005E80000-0x0000000005EE6000-memory.dmp
memory/1188-40-0x0000000005E60000-0x0000000005E7E000-memory.dmp
memory/1188-41-0x0000000006280000-0x00000000062CC000-memory.dmp
memory/1188-42-0x000000007FCC0000-0x000000007FCD0000-memory.dmp
memory/1188-43-0x00000000071F0000-0x0000000007222000-memory.dmp
memory/1188-44-0x0000000075870000-0x00000000758BC000-memory.dmp
memory/1188-54-0x00000000029C0000-0x00000000029D0000-memory.dmp
memory/1188-55-0x00000000067E0000-0x00000000067FE000-memory.dmp
memory/1188-56-0x0000000007230000-0x00000000072D3000-memory.dmp
memory/1188-57-0x0000000007BB0000-0x000000000822A000-memory.dmp
memory/1188-58-0x0000000007570000-0x000000000758A000-memory.dmp
memory/1188-59-0x00000000075E0000-0x00000000075EA000-memory.dmp
memory/1188-60-0x00000000077F0000-0x0000000007886000-memory.dmp
memory/1188-61-0x0000000007770000-0x0000000007781000-memory.dmp
memory/1188-62-0x00000000077A0000-0x00000000077AE000-memory.dmp
memory/1188-63-0x00000000077B0000-0x00000000077C4000-memory.dmp
memory/1188-64-0x00000000078B0000-0x00000000078CA000-memory.dmp
memory/1188-65-0x0000000007890000-0x0000000007898000-memory.dmp
memory/1188-68-0x0000000074FE0000-0x0000000075790000-memory.dmp
memory/2396-69-0x0000000000400000-0x000000000041D000-memory.dmp
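The memory dump names above carry the triage clue for the SetThreadContext signature: PID 4752 (the sample) set the thread context of PID 2396 (a second instance of the same executable), and every dump taken from 2396 is the single region 0x400000-0x41D000, the default 32-bit image base. That is the region to carve for the unpacked payload, whereas 0x74FE0000-0x75790000 appears in both 4752 and 1188 at the same address and is therefore a shared module, not the payload. The following is an added example, not tooling from the sandbox or from this report: it parses dump file names in this format, groups regions per PID, and ranks the SetThreadContext target's dumps. The input is a subset of the Files list above; the interpretation of a lone region at 0x400000 as a RunPE-style target is a heuristic, not something the report states.

```python
"""Rank sandbox memory dumps for payload carving using the
'memory/<pid>-<n>-0x<start>-0x<end>-memory.dmp' naming used above.  Added
example; the input lines are copied from the behavioral2 Files list, and the
SetThreadContext pair (4752 -> 2396) from its signature table."""
import re
from collections import defaultdict

FILES_SUBSET = r"""
memory/4752-0-0x0000000000090000-0x0000000000170000-memory.dmp
memory/4752-1-0x0000000074FE0000-0x0000000075790000-memory.dmp
memory/4752-2-0x0000000005060000-0x0000000005604000-memory.dmp
memory/1188-15-0x0000000002940000-0x0000000002976000-memory.dmp
memory/1188-16-0x0000000074FE0000-0x0000000075790000-memory.dmp
memory/2396-22-0x0000000000400000-0x000000000041D000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\tmp754F.tmp
memory/2396-30-0x0000000000400000-0x000000000041D000-memory.dmp
memory/2396-37-0x0000000000400000-0x000000000041D000-memory.dmp
memory/4752-39-0x0000000074FE0000-0x0000000075790000-memory.dmp
memory/2396-69-0x0000000000400000-0x000000000041D000-memory.dmp
"""

THREAD_CONTEXT_EVENTS = [(4752, 2396)]   # (source pid, target pid) from the signature table

DEFAULT_IMAGE_BASE = 0x400000            # default base of a 32-bit EXE

DUMP_RE = re.compile(r"^memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")


def parse_dumps(text):
    """Parse dump names; non-dump lines (dropped files) are ignored."""
    dumps = []
    for line in text.splitlines():
        m = DUMP_RE.match(line.strip())
        if m:
            pid, seq, start, end = m.groups()
            dumps.append({"pid": int(pid), "seq": int(seq),
                          "start": int(start, 16), "end": int(end, 16)})
    return dumps


def regions_by_pid(dumps):
    """{pid: {(start, end): number of dumps of that region}}"""
    out = defaultdict(lambda: defaultdict(int))
    for d in dumps:
        out[d["pid"]][(d["start"], d["end"])] += 1
    return {pid: dict(regs) for pid, regs in out.items()}


def shared_regions(by_pid):
    """Regions mapped at the same address in more than one process are shared
    modules (system/runtime DLLs), so they are poor carving candidates."""
    seen = defaultdict(set)
    for pid, regs in by_pid.items():
        for reg in regs:
            seen[reg].add(pid)
    return {reg for reg, pids in seen.items() if len(pids) > 1}


def injection_candidates(dumps, thread_context_events):
    """For each SetThreadContext target, report its dumped regions; a target
    whose only region sits at the default image base is the classic
    hollowed/RunPE layout (heuristic, assumed)."""
    by_pid = regions_by_pid(dumps)
    shared = shared_regions(by_pid)
    out = []
    for src, dst in thread_context_events:
        regs = by_pid.get(dst, {})
        unique = [r for r in regs if r not in shared]
        lone_image = (len(regs) == 1 and next(iter(regs))[0] == DEFAULT_IMAGE_BASE)
        for (start, end) in unique:
            out.append({"pid": dst, "injected_by": src, "start": start, "size": end - start,
                        "dump_count": regs[(start, end)], "lone_region_at_image_base": lone_image})
    return sorted(out, key=lambda c: (not c["lone_region_at_image_base"], c["size"]))


if __name__ == "__main__":
    for c in injection_candidates(parse_dumps(FILES_SUBSET), THREAD_CONTEXT_EVENTS):
        print(c)
```

The first candidate returned is the 0x1D000-byte region at 0x400000 in PID 2396, dumped four times across the run; take the latest sequence number, as later snapshots are more likely to contain the fully written image. Fixing the PE header's section alignment is usually needed before static tools will load a dump carved this way.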