Analysis
Max time kernel: 144s
Max time network: 149s
Platform: windows10-2004_x64
Resource: win10v2004-20231222-en
Resource tags: arch:x64, arch:x86, image:win10v2004-20231222-en, locale:en-us, os:windows10-2004-x64, system
Submitted: 14-02-2024 10:04
Static task: static1
Behavioral task: behavioral1
  Sample: 9b631808752d97a24c25c81b99a8739ff79b3a5689aeb4e5e9a9068d155e8009.xll
  Resource: win7-20231215-en
Behavioral task: behavioral2
  Sample: 9b631808752d97a24c25c81b99a8739ff79b3a5689aeb4e5e9a9068d155e8009.xll
  Resource: win10v2004-20231222-en
General
Target: 9b631808752d97a24c25c81b99a8739ff79b3a5689aeb4e5e9a9068d155e8009.xll
Size: 1.0MB
MD5: 08fea09ff0b64eeed38c5e5056626b86
SHA1: 5bed42391c7c2c2bfd853a51b5f38b87e0ee03ed
SHA256: 9b631808752d97a24c25c81b99a8739ff79b3a5689aeb4e5e9a9068d155e8009
SHA512: 630fd25bc6dda06257069dfdee0488f03fa0bceb1c2f4425d65983ca21f42a1b5b5ac67e8f6468d46ea39c58d1f4033762ce3e18e118a11c81e54d8dd0f39066
SSDEEP: 24576:qoOOMX1p+QHT+ddtvGIs6oa/UTpmdjH23NY/q:qoOOw+QHsPv9oaw6SdYS
Malware Config
Extracted
Family: warzonerat
C2: qoldwold.zanity.net:5208
Signatures
-
WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
-
Warzone RAT payload (9 IoCs)
  resource                                                                      yara_rule
  behavioral2/memory/1500-65-0x0000000000400000-0x0000000000554000-memory.dmp   warzonerat
  behavioral2/memory/1500-71-0x0000000000400000-0x0000000000554000-memory.dmp   warzonerat
  behavioral2/memory/1500-74-0x0000000000400000-0x0000000000554000-memory.dmp   warzonerat
  behavioral2/memory/4388-76-0x0000000000400000-0x0000000000554000-memory.dmp   warzonerat
  behavioral2/memory/1500-77-0x0000000000400000-0x0000000000554000-memory.dmp   warzonerat
  behavioral2/memory/4388-81-0x0000000000400000-0x0000000000554000-memory.dmp   warzonerat
  behavioral2/memory/3524-91-0x0000000000400000-0x0000000000554000-memory.dmp   warzonerat
  behavioral2/memory/3524-94-0x0000000000400000-0x0000000000554000-memory.dmp   warzonerat
  behavioral2/memory/3524-107-0x0000000000400000-0x0000000000554000-memory.dmp  warzonerat
-
Executes dropped EXE (6 IoCs)
  pid   Process
  3116  0537a932-4d88-4664-8b92-dc52364ce737.exe
  1500  0537a932-4d88-4664-8b92-dc52364ce737.exe
  4388  0537a932-4d88-4664-8b92-dc52364ce737.exe
  3756  cmages.exe
  4680  cmages.exe
  3524  cmages.exe
-
Loads dropped DLL (2 IoCs)
  pid   Process
  1464  EXCEL.EXE
  1464  EXCEL.EXE
-
Adds Run key to start application (2 TTPs, 1 IoC)
  description      ioc                                                                                                            Process
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Cmages = "C:\\ProgramData\\cmages.exe"  0537a932-4d88-4664-8b92-dc52364ce737.exe
-
Suspicious use of SetThreadContext (4 IoCs)
  description                          pid   Process                                   procid_target
  PID 3116 set thread context of 1500  3116  0537a932-4d88-4664-8b92-dc52364ce737.exe  90
  PID 3116 set thread context of 4388  3116  0537a932-4d88-4664-8b92-dc52364ce737.exe  91
  PID 3756 set thread context of 4680  3756  cmages.exe                                93
  PID 3756 set thread context of 3524  3756  cmages.exe                                94
-
Program crash (1 IoC)
  pid  pid_target  Process       procid_target
  776  4680        WerFault.exe  93
-
Checks processor information in registry (2 TTPs, 3 IoCs)
Processor information is often read in order to detect sandboxing environments.
  description        ioc                                                                                    Process
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz                 EXCEL.EXE
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString  EXCEL.EXE
  Key opened         \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0                       EXCEL.EXE
-
Enumerates system info in registry (2 TTPs, 3 IoCs)
  description        ioc                                                              Process
  Key opened         \REGISTRY\MACHINE\Hardware\Description\System\BIOS               EXCEL.EXE
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily  EXCEL.EXE
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU     EXCEL.EXE
-
Suspicious behavior: AddClipboardFormatListener (1 IoC)
  pid   Process
  1464  EXCEL.EXE
-
Suspicious behavior: EnumeratesProcesses (1 IoC)
  pid   Process
  1464  EXCEL.EXE
-
Suspicious use of AdjustPrivilegeToken (3 IoCs)
  description              pid   Process
  Token: SeDebugPrivilege  1464  EXCEL.EXE
  Token: SeDebugPrivilege  3116  0537a932-4d88-4664-8b92-dc52364ce737.exe
  Token: SeDebugPrivilege  3756  cmages.exe
-
Suspicious use of FindShellTrayWindow (2 IoCs)
  pid   Process
  1464  EXCEL.EXE
  1464  EXCEL.EXE
-
Suspicious use of SetWindowsHookEx (10 IoCs; identical rows collapsed, count in last column)
  pid   Process    entries
  1464  EXCEL.EXE  10
-
Suspicious use of WriteProcessMemory (50 IoCs; identical rows collapsed, count in last column)
  description                       pid   Process                                   procid_target  entries
  PID 1464 wrote to memory of 3116  1464  EXCEL.EXE                                 89             3
  PID 3116 wrote to memory of 1500  3116  0537a932-4d88-4664-8b92-dc52364ce737.exe  90             11
  PID 3116 wrote to memory of 4388  3116  0537a932-4d88-4664-8b92-dc52364ce737.exe  91             11
  PID 4388 wrote to memory of 3756  4388  0537a932-4d88-4664-8b92-dc52364ce737.exe  92             3
  PID 3756 wrote to memory of 4680  3756  cmages.exe                                93             11
  PID 3756 wrote to memory of 3524  3756  cmages.exe                                94             11
Processes
-
C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
  Command line: "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\9b631808752d97a24c25c81b99a8739ff79b3a5689aeb4e5e9a9068d155e8009.xll"
  PID: 1464
  - Loads dropped DLL
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\0537a932-4d88-4664-8b92-dc52364ce737.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\0537a932-4d88-4664-8b92-dc52364ce737.exe"
    PID: 3116
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\0537a932-4d88-4664-8b92-dc52364ce737.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\0537a932-4d88-4664-8b92-dc52364ce737.exe
      PID: 1500
      - Executes dropped EXE
    C:\Users\Admin\AppData\Local\Temp\0537a932-4d88-4664-8b92-dc52364ce737.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\0537a932-4d88-4664-8b92-dc52364ce737.exe
      PID: 4388
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious use of WriteProcessMemory
      C:\ProgramData\cmages.exe
        Command line: "C:\ProgramData\cmages.exe"
        PID: 3756
        - Executes dropped EXE
        - Suspicious use of SetThreadContext
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        C:\ProgramData\cmages.exe
          Command line: C:\ProgramData\cmages.exe
          PID: 4680
          - Executes dropped EXE
          C:\Windows\SysWOW64\WerFault.exe
            Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4680 -s 80
            PID: 776
            - Program crash
        C:\ProgramData\cmages.exe
          Command line: C:\ProgramData\cmages.exe
          PID: 3524
          - Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4680 -ip 4680
  PID: 1428
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize: 486KB
MD5: c4c2b1de0beed142e649ed9db54135d8
SHA1: 3c290091b7ef5b8e3a9f5f1d7b5a091845c5cbf3
SHA256: bf81759f58a1c186019e567df6ef5347d61ec3d032be37c6a9268a59c5679a88
SHA512: f806647de157e68cc6f47008eb8661aa238fba136eea475183fab03339e566c8c47cd36a2539626cd978ff1b0e8926fa6242a369f44ed7d68ce3989ee12949cc
-
C:\Users\Admin\AppData\Local\Temp\9b631808752d97a24c25c81b99a8739ff79b3a5689aeb4e5e9a9068d155e8009.xll
Filesize: 1.0MB
MD5: 08fea09ff0b64eeed38c5e5056626b86
SHA1: 5bed42391c7c2c2bfd853a51b5f38b87e0ee03ed
SHA256: 9b631808752d97a24c25c81b99a8739ff79b3a5689aeb4e5e9a9068d155e8009
SHA512: 630fd25bc6dda06257069dfdee0488f03fa0bceb1c2f4425d65983ca21f42a1b5b5ac67e8f6468d46ea39c58d1f4033762ce3e18e118a11c81e54d8dd0f39066