Analysis
max time kernel: 148s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20231222-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231222-en, locale:en-us, os:windows10-2004-x64, system
submitted: 14-02-2024 15:35
Static task: static1
Behavioral task: behavioral1
  Sample: 9c0a708ac219fdf26a8df99f338ba1da.exe
  Resource: win7-20231215-en
Behavioral task: behavioral2
  Sample: 9c0a708ac219fdf26a8df99f338ba1da.exe
  Resource: win10v2004-20231222-en
General
Target: 9c0a708ac219fdf26a8df99f338ba1da.exe
Size: 507KB
MD5: 9c0a708ac219fdf26a8df99f338ba1da
SHA1: a84dbb0ee9c53b9e2dceca4a37a88dbdbdeb2c20
SHA256: 7aefa586d32593736751d667d9588fcf4c3091ace48375d38f06947aa119129e
SHA512: e76bde008c2464d0c917c3ec4b3490f8fb0c6ee09f4210ac0852a4c99e9db92c1383e9d74d383d719daa16e540598ef274d9084c9ee34bd2cec9353ba7966109
SSDEEP: 12288:CZZsq/S5WTYPnd8lzM452uiwKDeI5S9AV83CXlco9FzwHJe:m8SCKBciICAu3CX+o95wpe
Malware Config
Extracted family: warzonerat
Extracted host: tobi12345.hopto.org:50501
Signatures
- Detect ZGRat V1 (34 IoCs)
- Detects BazaLoader malware (4 IoCs)
  BazaLoader is a trojan that transmits logs to the Command and Control (C2) server, encoding them in Base64 format through GET requests.
  YARA rule hits (BazaLoader):
    behavioral2/memory/116-2453-0x0000000000400000-0x000000000055E000-memory.dmp
    behavioral2/memory/116-2461-0x0000000000400000-0x000000000055E000-memory.dmp
    behavioral2/memory/668-4922-0x0000000000400000-0x000000000055E000-memory.dmp
    behavioral2/memory/668-4926-0x0000000000400000-0x000000000055E000-memory.dmp
- WarzoneRat, AveMaria
  WarzoneRat is a native RAT developed in C++ with multiple plugins, sold as malware-as-a-service (MaaS).
- Warzone RAT payload (4 IoCs)
  YARA rule hits (warzonerat):
    behavioral2/memory/116-2453-0x0000000000400000-0x000000000055E000-memory.dmp
    behavioral2/memory/116-2461-0x0000000000400000-0x000000000055E000-memory.dmp
    behavioral2/memory/668-4922-0x0000000000400000-0x000000000055E000-memory.dmp
    behavioral2/memory/668-4926-0x0000000000400000-0x000000000055E000-memory.dmp
- Drops startup file (2 IoCs)
  File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\programs.bat (process: 9c0a708ac219fdf26a8df99f338ba1da.exe)
  File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\programs.bat:start (process: 9c0a708ac219fdf26a8df99f338ba1da.exe)
- Executes dropped EXE (7 IoCs)
  PIDs: 4484, 1908, 5092, 3216, 3992, 3964, 668 (all win32.exe)
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Set value (str): \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\win32 = "\"C:\\Users\\Admin\\AppData\\Roaming\\win32.exe\"" (process: 9c0a708ac219fdf26a8df99f338ba1da.exe)
  Set value (str): \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\win32 = "\"C:\\Users\\Admin\\AppData\\Roaming\\win32.exe\"" (process: win32.exe)
- Suspicious use of SetThreadContext (2 IoCs)
  PID 392 (9c0a708ac219fdf26a8df99f338ba1da.exe) set thread context of PID 116 (target 92)
  PID 4484 (win32.exe) set thread context of PID 668 (target 103)
- NTFS ADS (1 IoC)
  File created: C:\ProgramData:ApplicationData (process: 9c0a708ac219fdf26a8df99f338ba1da.exe)
- Suspicious behavior: EnumeratesProcesses (28 IoCs)
  Processes: PID 392 (9c0a708ac219fdf26a8df99f338ba1da.exe), PID 4484 (win32.exe)
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Token: SeDebugPrivilege, PID 392 (9c0a708ac219fdf26a8df99f338ba1da.exe)
  Token: SeDebugPrivilege, PID 4484 (win32.exe)
- Suspicious use of WriteProcessMemory (52 IoCs)
Processes
- C:\Users\Admin\AppData\Local\Temp\9c0a708ac219fdf26a8df99f338ba1da.exe (PID 392)
  Command line: "C:\Users\Admin\AppData\Local\Temp\9c0a708ac219fdf26a8df99f338ba1da.exe"
  Signatures: Adds Run key to start application; Suspicious use of SetThreadContext; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\9c0a708ac219fdf26a8df99f338ba1da.exe (PID 4492)
    Command line: C:\Users\Admin\AppData\Local\Temp\9c0a708ac219fdf26a8df99f338ba1da.exe
  - C:\Users\Admin\AppData\Local\Temp\9c0a708ac219fdf26a8df99f338ba1da.exe (PID 116)
    Command line: C:\Users\Admin\AppData\Local\Temp\9c0a708ac219fdf26a8df99f338ba1da.exe
    Signatures: Drops startup file; NTFS ADS; Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\cmd.exe (PID 1216)
      Command line: cmd.exe /c REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /f /v Load /t REG_SZ /d "C:\ProgramData\win32.exe"
      Signatures: Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\reg.exe (PID 1684)
        Command line: REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /f /v Load /t REG_SZ /d "C:\ProgramData\win32.exe"
    - C:\ProgramData\win32.exe (PID 4484)
      Command line: "C:\ProgramData\win32.exe"
      Signatures: Executes dropped EXE; Adds Run key to start application; Suspicious use of SetThreadContext; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
      - C:\Users\Admin\AppData\Local\Temp\win32.exe (PID 1908)
        Command line: C:\Users\Admin\AppData\Local\Temp\win32.exe
        Signatures: Executes dropped EXE
      - C:\Users\Admin\AppData\Local\Temp\win32.exe (PID 5092)
        Command line: C:\Users\Admin\AppData\Local\Temp\win32.exe
        Signatures: Executes dropped EXE
      - C:\Users\Admin\AppData\Local\Temp\win32.exe (PID 3216)
        Command line: C:\Users\Admin\AppData\Local\Temp\win32.exe
        Signatures: Executes dropped EXE
      - C:\Users\Admin\AppData\Local\Temp\win32.exe (PID 3992)
        Command line: C:\Users\Admin\AppData\Local\Temp\win32.exe
        Signatures: Executes dropped EXE
      - C:\Users\Admin\AppData\Local\Temp\win32.exe (PID 3964)
        Command line: C:\Users\Admin\AppData\Local\Temp\win32.exe
        Signatures: Executes dropped EXE
      - C:\Users\Admin\AppData\Local\Temp\win32.exe (PID 668)
        Command line: C:\Users\Admin\AppData\Local\Temp\win32.exe
        Signatures: Executes dropped EXE; Suspicious use of WriteProcessMemory
        - C:\Windows\SysWOW64\cmd.exe (PID 2624)
          Command line: "C:\Windows\System32\cmd.exe"
Network
MITRE ATT&CK Enterprise v15