Analysis

  • max time kernel
    148s
  • max time network
    126s
  • platform
    windows7_x64
  • resource
    win7-20231215-en
  • resource tags

    arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
  • submitted
    14-02-2024 15:35

General

  • Target

    9c0a708ac219fdf26a8df99f338ba1da.exe

  • Size

    507KB

  • MD5

    9c0a708ac219fdf26a8df99f338ba1da

  • SHA1

    a84dbb0ee9c53b9e2dceca4a37a88dbdbdeb2c20

  • SHA256

    7aefa586d32593736751d667d9588fcf4c3091ace48375d38f06947aa119129e

  • SHA512

    e76bde008c2464d0c917c3ec4b3490f8fb0c6ee09f4210ac0852a4c99e9db92c1383e9d74d383d719daa16e540598ef274d9084c9ee34bd2cec9353ba7966109

  • SSDEEP

    12288:CZZsq/S5WTYPnd8lzM452uiwKDeI5S9AV83CXlco9FzwHJe:m8SCKBciICAu3CX+o95wpe

Malware Config

Extracted

Family

warzonerat

C2

tobi12345.hopto.org:50501

Signatures

  • Detect ZGRat V1 34 IoCs
  • Detects BazaLoader malware 4 IoCs

    BazaLoader is a trojan that transmits logs to the Command and Control (C2) server, encoding them in BASE64 format through GET requests.

  • WarzoneRat, AveMaria

    WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.

  • ZGRat

    ZGRat is a remote access trojan written in C#.

  • Warzone RAT payload 4 IoCs
  • Drops startup file 2 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
  • Suspicious use of SetThreadContext 2 IoCs
  • NTFS ADS 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 40 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\9c0a708ac219fdf26a8df99f338ba1da.exe
    "C:\Users\Admin\AppData\Local\Temp\9c0a708ac219fdf26a8df99f338ba1da.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2208
    • C:\Users\Admin\AppData\Local\Temp\9c0a708ac219fdf26a8df99f338ba1da.exe
      C:\Users\Admin\AppData\Local\Temp\9c0a708ac219fdf26a8df99f338ba1da.exe
      2⤵
      • Drops startup file
      • Loads dropped DLL
      • NTFS ADS
      • Suspicious use of WriteProcessMemory
      PID:2920
      • C:\Windows\SysWOW64\cmd.exe
        cmd.exe /c REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /f /v Load /t REG_SZ /d "C:\ProgramData\win32.exe"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1520
        • C:\Windows\SysWOW64\reg.exe
          REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /f /v Load /t REG_SZ /d "C:\ProgramData\win32.exe"
          4⤵
            PID:1096
        • C:\ProgramData\win32.exe
          "C:\ProgramData\win32.exe"
          3⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Adds Run key to start application
          • Suspicious use of SetThreadContext
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:1724
          • C:\Users\Admin\AppData\Local\Temp\win32.exe
            C:\Users\Admin\AppData\Local\Temp\win32.exe
            4⤵
            • Executes dropped EXE
            • Suspicious use of WriteProcessMemory
            PID:1608
            • C:\Windows\SysWOW64\cmd.exe
              "C:\Windows\System32\cmd.exe"
              5⤵
                PID:2116

      Downloads

      • C:\Users\Admin\AppData\Roaming\win32.exe

        Filesize

        96KB

        MD5

        74509540ac2bb7dfd8b690a99decdad8

        SHA1

        8d9829f3b7d258768228d876bcd775877613c53c

        SHA256

        310afaeca5111e22d7043f50d055d202bd8535f9c2094d068922879f7064656b

        SHA512

        c7f2ebec0c49b178cc27c2550fd052468c887d9a52101860e7d72786e67d9338857228270c4a2473d0c61b52f8a23f8afca1cf33364700fe5c412cdfa1fa3095

      • \ProgramData\win32.exe

        Filesize

        507KB

        MD5

        9c0a708ac219fdf26a8df99f338ba1da

        SHA1

        a84dbb0ee9c53b9e2dceca4a37a88dbdbdeb2c20

        SHA256

        7aefa586d32593736751d667d9588fcf4c3091ace48375d38f06947aa119129e

        SHA512

        e76bde008c2464d0c917c3ec4b3490f8fb0c6ee09f4210ac0852a4c99e9db92c1383e9d74d383d719daa16e540598ef274d9084c9ee34bd2cec9353ba7966109
