Analysis
max time kernel: 147s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20231222-en
resource tags: arch:x64 arch:x86 image:win10v2004-20231222-en locale:en-us os:windows10-2004-x64 system
submitted: 15-02-2024 18:15
Static task: static1
Behavioral task: behavioral1
  Sample: 9e3ab2e7f5e0800dcd95225fd81209e4.exe
  Resource: win7-20231215-en
Behavioral task: behavioral2
  Sample: 9e3ab2e7f5e0800dcd95225fd81209e4.exe
  Resource: win10v2004-20231222-en
General
Target: 9e3ab2e7f5e0800dcd95225fd81209e4.exe
Size: 1.2MB
MD5: 9e3ab2e7f5e0800dcd95225fd81209e4
SHA1: c7caae28067a798e4f592ec157b5f779aae87344
SHA256: a9164bf7d30f6de9782008453c71e87856e4bbf3e7ef8867e48f2121cd6a74f0
SHA512: 07516d474e51194e05aca5f07037d388c55ce02c94f13a48d691ba43d3629ae28f90e08524db01e994020140f5539d52b333afb6c10b3e5d4c2349f2c2bb9d22
SSDEEP: 24576:dHS/d3NKzkssksbxtn13SAdEVAdw/vdFy8jh8N6ZN9Z:IK0t1N2w0lFON6ZN9
Malware Config
Extracted
warzonerat
warzonlogs.duckdns.org:5200
Signatures
WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.

CustAttr .NET packer (2 IoCs)
Detects CustAttr .NET packer in memory.
resource | yara_rule
behavioral2/memory/1916-7-0x0000000005060000-0x0000000005072000-memory.dmp | CustAttr
behavioral2/memory/1960-30-0x0000000004730000-0x0000000004742000-memory.dmp | CustAttr
Warzone RAT payload (7 IoCs)
resource | yara_rule
behavioral2/memory/1540-17-0x0000000000400000-0x0000000000554000-memory.dmp | warzonerat
behavioral2/memory/1540-20-0x0000000000400000-0x0000000000554000-memory.dmp | warzonerat
behavioral2/memory/1540-22-0x0000000000400000-0x0000000000554000-memory.dmp | warzonerat
behavioral2/memory/1540-27-0x0000000000400000-0x0000000000554000-memory.dmp | warzonerat
behavioral2/memory/1920-39-0x0000000000400000-0x0000000000554000-memory.dmp | warzonerat
behavioral2/memory/1920-41-0x0000000000400000-0x0000000000554000-memory.dmp | warzonerat
behavioral2/memory/1920-42-0x0000000000400000-0x0000000000554000-memory.dmp | warzonerat
Checks computer location settings (2 TTPs, 2 IoCs)
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Control Panel\International\Geo\Nation | 9e3ab2e7f5e0800dcd95225fd81209e4.exe
Key value queried | \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Control Panel\International\Geo\Nation | images.exe
Executes dropped EXE (2 IoCs)
pid | Process
1960 | images.exe
1920 | images.exe
Suspicious use of SetThreadContext (2 IoCs)
description | pid | Process | procid_target
PID 1916 set thread context of 1540 | 1916 | 9e3ab2e7f5e0800dcd95225fd81209e4.exe | 96
PID 1960 set thread context of 1920 | 1960 | images.exe | 100
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
Creates scheduled task(s) (1 TTPs, 2 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid | Process
1840 | schtasks.exe
4372 | schtasks.exe
Suspicious behavior: EnumeratesProcesses (6 IoCs)
pid | Process
1916 | 9e3ab2e7f5e0800dcd95225fd81209e4.exe
1916 | 9e3ab2e7f5e0800dcd95225fd81209e4.exe
1916 | 9e3ab2e7f5e0800dcd95225fd81209e4.exe
1916 | 9e3ab2e7f5e0800dcd95225fd81209e4.exe
1916 | 9e3ab2e7f5e0800dcd95225fd81209e4.exe
1960 | images.exe
Suspicious use of AdjustPrivilegeToken (2 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 1916 | 9e3ab2e7f5e0800dcd95225fd81209e4.exe
Token: SeDebugPrivilege | 1960 | images.exe
Suspicious use of WriteProcessMemory (37 IoCs)
description | pid | Process | procid_target
PID 1916 wrote to memory of 1840 | 1916 | 9e3ab2e7f5e0800dcd95225fd81209e4.exe | 92
PID 1916 wrote to memory of 1840 | 1916 | 9e3ab2e7f5e0800dcd95225fd81209e4.exe | 92
PID 1916 wrote to memory of 1840 | 1916 | 9e3ab2e7f5e0800dcd95225fd81209e4.exe | 92
PID 1916 wrote to memory of 4808 | 1916 | 9e3ab2e7f5e0800dcd95225fd81209e4.exe | 94
PID 1916 wrote to memory of 4808 | 1916 | 9e3ab2e7f5e0800dcd95225fd81209e4.exe | 94
PID 1916 wrote to memory of 4808 | 1916 | 9e3ab2e7f5e0800dcd95225fd81209e4.exe | 94
PID 1916 wrote to memory of 3260 | 1916 | 9e3ab2e7f5e0800dcd95225fd81209e4.exe | 95
PID 1916 wrote to memory of 3260 | 1916 | 9e3ab2e7f5e0800dcd95225fd81209e4.exe | 95
PID 1916 wrote to memory of 3260 | 1916 | 9e3ab2e7f5e0800dcd95225fd81209e4.exe | 95
PID 1916 wrote to memory of 1540 | 1916 | 9e3ab2e7f5e0800dcd95225fd81209e4.exe | 96
PID 1916 wrote to memory of 1540 | 1916 | 9e3ab2e7f5e0800dcd95225fd81209e4.exe | 96
PID 1916 wrote to memory of 1540 | 1916 | 9e3ab2e7f5e0800dcd95225fd81209e4.exe | 96
PID 1916 wrote to memory of 1540 | 1916 | 9e3ab2e7f5e0800dcd95225fd81209e4.exe | 96
PID 1916 wrote to memory of 1540 | 1916 | 9e3ab2e7f5e0800dcd95225fd81209e4.exe | 96
PID 1916 wrote to memory of 1540 | 1916 | 9e3ab2e7f5e0800dcd95225fd81209e4.exe | 96
PID 1916 wrote to memory of 1540 | 1916 | 9e3ab2e7f5e0800dcd95225fd81209e4.exe | 96
PID 1916 wrote to memory of 1540 | 1916 | 9e3ab2e7f5e0800dcd95225fd81209e4.exe | 96
PID 1916 wrote to memory of 1540 | 1916 | 9e3ab2e7f5e0800dcd95225fd81209e4.exe | 96
PID 1916 wrote to memory of 1540 | 1916 | 9e3ab2e7f5e0800dcd95225fd81209e4.exe | 96
PID 1916 wrote to memory of 1540 | 1916 | 9e3ab2e7f5e0800dcd95225fd81209e4.exe | 96
PID 1540 wrote to memory of 1960 | 1540 | 9e3ab2e7f5e0800dcd95225fd81209e4.exe | 97
PID 1540 wrote to memory of 1960 | 1540 | 9e3ab2e7f5e0800dcd95225fd81209e4.exe | 97
PID 1540 wrote to memory of 1960 | 1540 | 9e3ab2e7f5e0800dcd95225fd81209e4.exe | 97
PID 1960 wrote to memory of 4372 | 1960 | images.exe | 99
PID 1960 wrote to memory of 4372 | 1960 | images.exe | 99
PID 1960 wrote to memory of 4372 | 1960 | images.exe | 99
PID 1960 wrote to memory of 1920 | 1960 | images.exe | 100
PID 1960 wrote to memory of 1920 | 1960 | images.exe | 100
PID 1960 wrote to memory of 1920 | 1960 | images.exe | 100
PID 1960 wrote to memory of 1920 | 1960 | images.exe | 100
PID 1960 wrote to memory of 1920 | 1960 | images.exe | 100
PID 1960 wrote to memory of 1920 | 1960 | images.exe | 100
PID 1960 wrote to memory of 1920 | 1960 | images.exe | 100
PID 1960 wrote to memory of 1920 | 1960 | images.exe | 100
PID 1960 wrote to memory of 1920 | 1960 | images.exe | 100
PID 1960 wrote to memory of 1920 | 1960 | images.exe | 100
PID 1960 wrote to memory of 1920 | 1960 | images.exe | 100
Processes
C:\Users\Admin\AppData\Local\Temp\9e3ab2e7f5e0800dcd95225fd81209e4.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\9e3ab2e7f5e0800dcd95225fd81209e4.exe"
  PID: 1916
  - Checks computer location settings
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\schtasks.exe
      Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\PuxfpXXblaf" /XML "C:\Users\Admin\AppData\Local\Temp\tmpF4C0.tmp"
      PID: 1840
      - Creates scheduled task(s)
    C:\Users\Admin\AppData\Local\Temp\9e3ab2e7f5e0800dcd95225fd81209e4.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\9e3ab2e7f5e0800dcd95225fd81209e4.exe"
      PID: 4808
    C:\Users\Admin\AppData\Local\Temp\9e3ab2e7f5e0800dcd95225fd81209e4.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\9e3ab2e7f5e0800dcd95225fd81209e4.exe"
      PID: 3260
    C:\Users\Admin\AppData\Local\Temp\9e3ab2e7f5e0800dcd95225fd81209e4.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\9e3ab2e7f5e0800dcd95225fd81209e4.exe"
      PID: 1540
      - Suspicious use of WriteProcessMemory
        C:\ProgramData\images.exe
          Command line: "C:\ProgramData\images.exe"
          PID: 1960
          - Checks computer location settings
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
          - Suspicious use of WriteProcessMemory
            C:\Windows\SysWOW64\schtasks.exe
              Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\PuxfpXXblaf" /XML "C:\Users\Admin\AppData\Local\Temp\tmpAC68.tmp"
              PID: 4372
              - Creates scheduled task(s)
            C:\ProgramData\images.exe
              Command line: "C:\ProgramData\images.exe"
              PID: 1920
              - Executes dropped EXE
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 1.2MB
MD5: 9e3ab2e7f5e0800dcd95225fd81209e4
SHA1: c7caae28067a798e4f592ec157b5f779aae87344
SHA256: a9164bf7d30f6de9782008453c71e87856e4bbf3e7ef8867e48f2121cd6a74f0
SHA512: 07516d474e51194e05aca5f07037d388c55ce02c94f13a48d691ba43d3629ae28f90e08524db01e994020140f5539d52b333afb6c10b3e5d4c2349f2c2bb9d22

Filesize: 512KB
MD5: 907e8de94742ded80a9560ff0fc0f55e
SHA1: 3b968b957bc33d5611a1b4292bb1c671ad44439d
SHA256: e0cc36e41fe9551d741461677a97dd85a1873c12f4bfe0630849f704b86da294
SHA512: fa29c45556101395223b20504253c1246011d164349c1387f909ede49ed68d1693b10f7e2f69b730b691bce56284c06a283dd6e2f9b69f343ffbacbb8597017f

Filesize: 1KB
MD5: e536b4c0b440384b272d09a19b1ae7d5
SHA1: 2fa64109ad69064e2c0645845e665eaca579cf2a
SHA256: f2b084597de0f7292a0d68357d8fd1b0346d848dafa63d1000c03d9eb8dd836d
SHA512: 13f074fbb1c85f01a08fbcf2d1f1a19b55456d93497e6edad361110c679eb181d4535ae73b54b4dfb7cd1a1f10d9aaa6389e3ae0028034aa725c467a7809e951