Analysis
- max time kernel: 126s
- max time network: 149s
- platform: windows10-2004_x64
- resource: win10v2004-20231215-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 14-02-2024 04:39
Static task: static1
Behavioral task: behavioral1
  Sample: 9ac604ab0f70a0d75f107b8f52d97000.exe
  Resource: win7-20231215-en
Behavioral task: behavioral2
  Sample: 9ac604ab0f70a0d75f107b8f52d97000.exe
  Resource: win10v2004-20231215-en
General
- Target: 9ac604ab0f70a0d75f107b8f52d97000.exe
- Size: 1.4MB
- MD5: 9ac604ab0f70a0d75f107b8f52d97000
- SHA1: 48bfbec3b38f5070419e63efce548e7a234a3f0c
- SHA256: 46dff1fda981f377a8ae116f14a7a4352e373787186606d2c5a91ae0c6c25609
- SHA512: 5abea1a5274fd72fc64a44f3aea3545e4b5ab3e2d261c399ff40495f42fc59089756f832f1f0fa408e8714f76a710d2d616017193b53ba074172498e722bcd73
- SSDEEP: 24576:V/CqsL1yQdGc9O42AT2fXB52MMMMMMMMMMMuMMMMMMMMMMMMMMMMMMMMMMMMMMMX:icAGc9O42AT2/KMMMMMMMMMMMuMMMMML
Malware Config
Extracted
- Family: warzonerat
- C2: 185.222.57.73:4557 (host:port taken from the extracted configuration)
Signatures
- WarzoneRat, AveMaria
  WarzoneRat is a native RAT developed in C++ with multiple plugins, sold as malware-as-a-service (MaaS).
- Warzone RAT payload (4 IoCs)
  Yara rule "warzonerat" matched four memory dumps, all of the same region of the same process:
    behavioral2/memory/3728-18-0x0000000000400000-0x0000000000554000-memory.dmp
    behavioral2/memory/3728-21-0x0000000000400000-0x0000000000554000-memory.dmp
    behavioral2/memory/3728-22-0x0000000000400000-0x0000000000554000-memory.dmp
    behavioral2/memory/3728-24-0x0000000000400000-0x0000000000554000-memory.dmp
  The hits are in PID 3728 (the second instance of the sample) at 0x400000-0x554000, 0x154000 bytes starting at the default image base of a 32-bit executable. Together with the SetThreadContext and WriteProcessMemory entries below this is consistent with PID 368 writing the decoded payload into a copy of itself and resuming it, so the unpacked RAT runs in 3728, not in the process that was launched.
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up the country code configured in the registry, likely a geofence check.
  Key value queried: \REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\Control Panel\International\Geo\Nation
  Process: 9ac604ab0f70a0d75f107b8f52d97000.exe
  (Nation under HKCU\Control Panel\International\Geo holds the numeric Windows GeoID of the user's configured location.)
- Suspicious use of SetThreadContext (1 IoC)
  PID 368 (9ac604ab0f70a0d75f107b8f52d97000.exe) set the thread context of PID 3728 (procid_target 95).
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Creates scheduled task(s) (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  PID 4372: schtasks.exe
- Suspicious behavior: EnumeratesProcesses (1 IoC)
  PID 368: 9ac604ab0f70a0d75f107b8f52d97000.exe
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Token: SeDebugPrivilege, PID 368: 9ac604ab0f70a0d75f107b8f52d97000.exe
- Suspicious use of WriteProcessMemory (14 IoCs)
  PID 368 (9ac604ab0f70a0d75f107b8f52d97000.exe) wrote to the memory of:
    PID 4372 (procid_target 93), 3 times
    PID 3728 (procid_target 95), 11 times
  Only the writes into 3728 are paired with SetThreadContext; the three writes into schtasks.exe (4372) are not.
Processes
1⤵ C:\Users\Admin\AppData\Local\Temp\9ac604ab0f70a0d75f107b8f52d97000.exe (PID 368)
   Command line: "C:\Users\Admin\AppData\Local\Temp\9ac604ab0f70a0d75f107b8f52d97000.exe"
   - Checks computer location settings
   - Suspicious use of SetThreadContext
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory
  2⤵ C:\Windows\SysWOW64\schtasks.exe (PID 4372, child of 368)
     Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\oUZjHsjH" /XML "C:\Users\Admin\AppData\Local\Temp\tmpF55C.tmp"
     - Creates scheduled task(s)
     The command line names System32\schtasks.exe but the image that actually ran is SysWOW64\schtasks.exe: the 32-bit parent was subject to WoW64 file system redirection. The task definition is supplied as an XML file in the user's Temp directory.
  2⤵ C:\Users\Admin\AppData\Local\Temp\9ac604ab0f70a0d75f107b8f52d97000.exe (PID 3728, child of 368)
     Command line: "C:\Users\Admin\AppData\Local\Temp\9ac604ab0f70a0d75f107b8f52d97000.exe"
     No signatures of its own; this is the second instance whose memory the warzonerat Yara rule matched.
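The combination the report shows (a parent spawning a copy of its own image, writing into it, then calling SetThreadContext; a separate schtasks /Create fed from an XML in Temp) is something a responder wants to be able to pick out of endpoint telemetry automatically. The script below is an added example and is not part of the sandbox's output or of any project's code. It assumes a simplified Sysmon-like event shape that I constructed by hand from the PIDs, images, command lines and dump names on this page (the parent of PID 368 is not shown, so its ppid is left as None); the field names and the event list are my own, not the sandbox's log format.

```python
"""Triage helper for the behaviour in this report (added example, constructed data)."""
import re
from collections import Counter

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\9ac604ab0f70a0d75f107b8f52d97000.exe"
SCHTASKS_CMD = (r'"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\oUZjHsjH" '
                r'/XML "C:\Users\Admin\AppData\Local\Temp\tmpF55C.tmp"')

# Constructed events mirroring the report: 3 writes into schtasks.exe, 11 into the
# second instance, then SetThreadContext on that instance. Shape is assumed, not the
# sandbox's own format; ppid of the first instance is unknown on the page.
EVENTS = [
    {"type": "process_create", "pid": 368, "ppid": None, "image": SAMPLE, "cmd": f'"{SAMPLE}"'},
    {"type": "adjust_token", "pid": 368, "privilege": "SeDebugPrivilege"},
    {"type": "process_create", "pid": 4372, "ppid": 368,
     "image": r"C:\Windows\SysWOW64\schtasks.exe", "cmd": SCHTASKS_CMD},
] + [{"type": "write_process_memory", "pid": 368, "target": 4372}] * 3 + [
    {"type": "process_create", "pid": 3728, "ppid": 368, "image": SAMPLE, "cmd": f'"{SAMPLE}"'},
] + [{"type": "write_process_memory", "pid": 368, "target": 3728}] * 11 + [
    {"type": "set_thread_context", "pid": 368, "target": 3728},
]

# Dump names as listed under "Warzone RAT payload" on this page.
YARA_DUMPS = [
    "behavioral2/memory/3728-18-0x0000000000400000-0x0000000000554000-memory.dmp",
    "behavioral2/memory/3728-21-0x0000000000400000-0x0000000000554000-memory.dmp",
    "behavioral2/memory/3728-22-0x0000000000400000-0x0000000000554000-memory.dmp",
    "behavioral2/memory/3728-24-0x0000000000400000-0x0000000000554000-memory.dmp",
]
DUMP_RE = re.compile(r"(\d+)-(\d+)-0x([0-9a-fA-F]+)-0x([0-9a-fA-F]+)-memory\.dmp$")


def parse_dump_name(name):
    """Split '<pid>-<seq>-0x<start>-0x<end>-memory.dmp' into pid, sequence, range and size."""
    m = DUMP_RE.search(name)
    if not m:
        raise ValueError(f"unrecognised dump name: {name}")
    start, end = int(m.group(3), 16), int(m.group(4), 16)
    return {"pid": int(m.group(1)), "seq": int(m.group(2)),
            "start": start, "end": end, "size": end - start}


def find_hollowing(events):
    """Flag a parent that spawns its own image, writes into that child and then sets
    its thread context. WriteProcessMemory alone is not enough: the parent here also
    wrote into schtasks.exe (4372) without hollowing it, and that must not fire."""
    procs = {e["pid"]: e for e in events if e["type"] == "process_create"}
    writes = Counter((e["pid"], e["target"]) for e in events
                     if e["type"] == "write_process_memory")
    hits = []
    for e in events:
        if e["type"] != "set_thread_context":
            continue
        src, dst = e["pid"], e["target"]
        parent, child = procs.get(src), procs.get(dst)
        if not parent or not child or child["ppid"] != src:
            continue
        if child["image"].lower() == parent["image"].lower() and writes[(src, dst)] > 0:
            hits.append({"parent": src, "child": dst, "image": child["image"],
                         "writes": writes[(src, dst)]})
    return hits


SCHTASKS_RE = re.compile(r'schtasks(?:\.exe)?"?\s+/create\b', re.I)
TN_RE = re.compile(r'/tn\s+(?:"([^"]+)"|(\S+))', re.I)
XML_RE = re.compile(r'/xml\s+(?:"([^"]+)"|(\S+))', re.I)
TEMP_RE = re.compile(r"\\AppData\\Local\\Temp\\", re.I)


def find_task_persistence(events):
    """schtasks /Create whose definition comes from an XML file in the user's Temp
    directory; also records whether the image ran from SysWOW64 (WoW64 redirection)."""
    hits = []
    for e in events:
        if e["type"] != "process_create" or not SCHTASKS_RE.search(e["cmd"]):
            continue
        tn, xml = TN_RE.search(e["cmd"]), XML_RE.search(e["cmd"])
        xml_path = (xml.group(1) or xml.group(2)) if xml else None
        hits.append({
            "pid": e["pid"], "ppid": e["ppid"],
            "task": (tn.group(1) or tn.group(2)) if tn else None,
            "xml": xml_path,
            "xml_in_temp": bool(xml_path and TEMP_RE.search(xml_path)),
            "wow64_redirected": e["image"].lower().startswith("c:\\windows\\syswow64\\"),
        })
    return hits


def triage(events, dumps):
    """Correlate the three signals: hollowing, task persistence, SeDebugPrivilege,
    and whether the hollowed child is the process the Yara rule matched."""
    hollow = find_hollowing(events)
    yara_pids = {parse_dump_name(d)["pid"] for d in dumps}
    for h in hollow:
        h["payload_matched_by_yara"] = h["child"] in yara_pids
    debug = [e["pid"] for e in events
             if e["type"] == "adjust_token" and e.get("privilege") == "SeDebugPrivilege"]
    return {"hollowing": hollow, "scheduled_tasks": find_task_persistence(events),
            "sedebug_pids": debug}


if __name__ == "__main__":
    import json
    print(json.dumps(triage(EVENTS, YARA_DUMPS), indent=2))
```

Run as-is it reports one hollowing pair (368 -> 3728, 11 writes, child matched by the Yara dumps), one scheduled task "Updates\oUZjHsjH" loaded from tmpF55C.tmp in Temp via the SysWOW64 copy of schtasks.exe, and SeDebugPrivilege on 368. The writes into 4372 are deliberately not reported: the same-image and SetThreadContext conditions are what separate hollowing from ordinary parent-child memory writes.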
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 1KB
  MD5: 51b8e5ba2921294201821908afb13d9c
  SHA1: f8e3be854ac33a7877cf9997c8126f295dedc7da
  SHA256: 8934577514c6870ec3d301fd69c20157efaf554296274e2f2c96252c4922d383
  SHA512: 89cb9a316e866084ee8cc72fa10328b9aa4a07b32b37b78c44464424c1d5c251c0bccf8d7baa3f12a1497c37111178c40c021b5c3312581b453cf31fe4077a16