Analysis
- max time kernel: 148s
- max time network: 126s
- platform: windows7_x64
- resource: win7-20231215-en
- resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
- submitted: 14-02-2024 15:35
Static task: static1
Behavioral task: behavioral1
- Sample: 9c0a708ac219fdf26a8df99f338ba1da.exe
- Resource: win7-20231215-en
Behavioral task: behavioral2
- Sample: 9c0a708ac219fdf26a8df99f338ba1da.exe
- Resource: win10v2004-20231222-en
General
- Target: 9c0a708ac219fdf26a8df99f338ba1da.exe
- Size: 507KB
- MD5: 9c0a708ac219fdf26a8df99f338ba1da
- SHA1: a84dbb0ee9c53b9e2dceca4a37a88dbdbdeb2c20
- SHA256: 7aefa586d32593736751d667d9588fcf4c3091ace48375d38f06947aa119129e
- SHA512: e76bde008c2464d0c917c3ec4b3490f8fb0c6ee09f4210ac0852a4c99e9db92c1383e9d74d383d719daa16e540598ef274d9084c9ee34bd2cec9353ba7966109
- SSDEEP: 12288:CZZsq/S5WTYPnd8lzM452uiwKDeI5S9AV83CXlco9FzwHJe:m8SCKBciICAu3CX+o95wpe
Malware Config
- Extracted family: warzonerat
- C2: tobi12345.hopto.org:50501
Signatures
- Detect ZGRat V1 (34 IoCs, yara_rule matches on behavioral1 memory dumps)
- Detects BazaLoader malware (4 IoCs)
  BazaLoader is a trojan that transmits logs to the Command and Control (C2) server, encoding them in BASE64 format through GET requests.
  resource / yara_rule:
  - behavioral1/memory/2920-2462-0x0000000000400000-0x000000000055E000-memory.dmp: BazaLoader
  - behavioral1/memory/2920-2476-0x0000000000400000-0x000000000055E000-memory.dmp: BazaLoader
  - behavioral1/memory/1608-4940-0x0000000000400000-0x000000000055E000-memory.dmp: BazaLoader
  - behavioral1/memory/1608-4949-0x0000000000400000-0x000000000055E000-memory.dmp: BazaLoader
- WarzoneRat, AveMaria
  WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
- Warzone RAT payload (4 IoCs)
  resource / yara_rule:
  - behavioral1/memory/2920-2462-0x0000000000400000-0x000000000055E000-memory.dmp: warzonerat
  - behavioral1/memory/2920-2476-0x0000000000400000-0x000000000055E000-memory.dmp: warzonerat
  - behavioral1/memory/1608-4940-0x0000000000400000-0x000000000055E000-memory.dmp: warzonerat
  - behavioral1/memory/1608-4949-0x0000000000400000-0x000000000055E000-memory.dmp: warzonerat
- Drops startup file (2 IoCs)
  description / ioc / Process:
  - File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\programs.bat (9c0a708ac219fdf26a8df99f338ba1da.exe)
  - File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\programs.bat:start (9c0a708ac219fdf26a8df99f338ba1da.exe)
- Executes dropped EXE (2 IoCs)
  pid / Process:
  - 1724 win32.exe
  - 1608 win32.exe
- Loads dropped DLL (2 IoCs)
  pid / Process:
  - 2920 9c0a708ac219fdf26a8df99f338ba1da.exe
  - 1724 win32.exe
- Adds Run key to start application (2 TTPs, 2 IoCs)
  description / ioc / Process:
  - Set value (str): \REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Run\win32 = "\"C:\\Users\\Admin\\AppData\\Roaming\\win32.exe\"" (win32.exe)
  - Set value (str): \REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Run\win32 = "\"C:\\Users\\Admin\\AppData\\Roaming\\win32.exe\"" (9c0a708ac219fdf26a8df99f338ba1da.exe)
- Suspicious use of SetThreadContext (2 IoCs)
  description / pid / Process / procid_target:
  - PID 2208 set thread context of 2920 (9c0a708ac219fdf26a8df99f338ba1da.exe, target 28)
  - PID 1724 set thread context of 1608 (win32.exe, target 35)
- NTFS ADS (1 IoC)
  description / ioc / Process:
  - File created: C:\ProgramData:ApplicationData (9c0a708ac219fdf26a8df99f338ba1da.exe)
- Suspicious behavior: EnumeratesProcesses (3 IoCs)
  pid / Process:
  - 2208 9c0a708ac219fdf26a8df99f338ba1da.exe
  - 1724 win32.exe
  - 1724 win32.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description / pid / Process:
  - Token: SeDebugPrivilege, 2208 9c0a708ac219fdf26a8df99f338ba1da.exe
  - Token: SeDebugPrivilege, 1724 win32.exe
- Suspicious use of WriteProcessMemory (40 IoCs, cross-process writes along the process tree below)
Processes
- C:\Users\Admin\AppData\Local\Temp\9c0a708ac219fdf26a8df99f338ba1da.exe (PID 2208)
  command line: "C:\Users\Admin\AppData\Local\Temp\9c0a708ac219fdf26a8df99f338ba1da.exe"
  signatures: Adds Run key to start application; Suspicious use of SetThreadContext; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\9c0a708ac219fdf26a8df99f338ba1da.exe (PID 2920)
    command line: C:\Users\Admin\AppData\Local\Temp\9c0a708ac219fdf26a8df99f338ba1da.exe
    signatures: Drops startup file; Loads dropped DLL; NTFS ADS; Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\cmd.exe (PID 1520)
      command line: cmd.exe /c REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /f /v Load /t REG_SZ /d "C:\ProgramData\win32.exe"
      signatures: Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\reg.exe (PID 1096)
        command line: REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /f /v Load /t REG_SZ /d "C:\ProgramData\win32.exe"
    - C:\ProgramData\win32.exe (PID 1724)
      command line: "C:\ProgramData\win32.exe"
      signatures: Executes dropped EXE; Loads dropped DLL; Adds Run key to start application; Suspicious use of SetThreadContext; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
      - C:\Users\Admin\AppData\Local\Temp\win32.exe (PID 1608)
        command line: C:\Users\Admin\AppData\Local\Temp\win32.exe
        signatures: Executes dropped EXE; Suspicious use of WriteProcessMemory
        - C:\Windows\SysWOW64\cmd.exe (PID 2116)
          command line: "C:\Windows\System32\cmd.exe"
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 96KB
  MD5: 74509540ac2bb7dfd8b690a99decdad8
  SHA1: 8d9829f3b7d258768228d876bcd775877613c53c
  SHA256: 310afaeca5111e22d7043f50d055d202bd8535f9c2094d068922879f7064656b
  SHA512: c7f2ebec0c49b178cc27c2550fd052468c887d9a52101860e7d72786e67d9338857228270c4a2473d0c61b52f8a23f8afca1cf33364700fe5c412cdfa1fa3095
- Filesize: 507KB
  MD5: 9c0a708ac219fdf26a8df99f338ba1da
  SHA1: a84dbb0ee9c53b9e2dceca4a37a88dbdbdeb2c20
  SHA256: 7aefa586d32593736751d667d9588fcf4c3091ace48375d38f06947aa119129e
  SHA512: e76bde008c2464d0c917c3ec4b3490f8fb0c6ee09f4210ac0852a4c99e9db92c1383e9d74d383d719daa16e540598ef274d9084c9ee34bd2cec9353ba7966109