Analysis

  • max time kernel
    147s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231222-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20231222-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    15-02-2024 18:15

General

  • Target

    9e3ab2e7f5e0800dcd95225fd81209e4.exe

  • Size

    1.2MB

  • MD5

    9e3ab2e7f5e0800dcd95225fd81209e4

  • SHA1

    c7caae28067a798e4f592ec157b5f779aae87344

  • SHA256

    a9164bf7d30f6de9782008453c71e87856e4bbf3e7ef8867e48f2121cd6a74f0

  • SHA512

    07516d474e51194e05aca5f07037d388c55ce02c94f13a48d691ba43d3629ae28f90e08524db01e994020140f5539d52b333afb6c10b3e5d4c2349f2c2bb9d22

  • SSDEEP

    24576:dHS/d3NKzkssksbxtn13SAdEVAdw/vdFy8jh8N6ZN9Z:IK0t1N2w0lFON6ZN9

Malware Config

Extracted

Family

warzonerat

C2

warzonlogs.duckdns.org:5200

Signatures

  • WarzoneRat, AveMaria

    WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.

  • CustAttr .NET packer 2 IoCs

    Detects CustAttr .NET packer in memory.

  • Warzone RAT payload 7 IoCs
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 2 IoCs
  • Suspicious use of SetThreadContext 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 2 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 37 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\9e3ab2e7f5e0800dcd95225fd81209e4.exe
    "C:\Users\Admin\AppData\Local\Temp\9e3ab2e7f5e0800dcd95225fd81209e4.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1916
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\PuxfpXXblaf" /XML "C:\Users\Admin\AppData\Local\Temp\tmpF4C0.tmp"
      2⤵
      • Creates scheduled task(s)
      PID:1840
    • C:\Users\Admin\AppData\Local\Temp\9e3ab2e7f5e0800dcd95225fd81209e4.exe
      "C:\Users\Admin\AppData\Local\Temp\9e3ab2e7f5e0800dcd95225fd81209e4.exe"
      2⤵
      PID:4808
    • C:\Users\Admin\AppData\Local\Temp\9e3ab2e7f5e0800dcd95225fd81209e4.exe
      "C:\Users\Admin\AppData\Local\Temp\9e3ab2e7f5e0800dcd95225fd81209e4.exe"
      2⤵
      PID:3260
    • C:\Users\Admin\AppData\Local\Temp\9e3ab2e7f5e0800dcd95225fd81209e4.exe
      "C:\Users\Admin\AppData\Local\Temp\9e3ab2e7f5e0800dcd95225fd81209e4.exe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1540
      • C:\ProgramData\images.exe
        "C:\ProgramData\images.exe"
        3⤵
        • Checks computer location settings
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:1960
        • C:\Windows\SysWOW64\schtasks.exe
          "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\PuxfpXXblaf" /XML "C:\Users\Admin\AppData\Local\Temp\tmpAC68.tmp"
          4⤵
          • Creates scheduled task(s)
          PID:4372
        • C:\ProgramData\images.exe
          "C:\ProgramData\images.exe"
          4⤵
          • Executes dropped EXE
          PID:1920
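The tree above is what sits behind the signature list: the submitted binary relaunches its own image three times (the SetThreadContext plus WriteProcessMemory pairing that accompanies hollowing a suspended copy of itself), the last copy writes and runs C:\ProgramData\images.exe, and each stage registers a scheduled task from an XML file in the user's Temp directory. Note also that both schtasks children resolve to C:\Windows\SysWOW64\schtasks.exe although the command line names System32; that is WoW64 file-system redirection, so the parent is a 32-bit process. As an added example that is not part of this report or of any sandbox, the Python below applies those checks to process-creation records. The records are constructed to mirror this tree (the root process's parent PID is not in the report and is set to 0), and the field names are my own rather than a sandbox or Sysmon schema.

```python
"""Triage checks for the behaviours in this report's process tree:
self-relaunch, schtasks persistence from a Temp XML, executables run
from the root of ProgramData, and WoW64-redirected children."""
import ntpath
import re

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\9e3ab2e7f5e0800dcd95225fd81209e4.exe"
DROPPED = r"C:\ProgramData\images.exe"
SCHTASKS = r"C:\Windows\SysWOW64\schtasks.exe"

# Constructed process-creation records modelled on the report's tree.
# ppid 0 marks the root, whose real parent is not shown in the report.
EVENTS = [
    {"pid": 1916, "ppid": 0, "image": SAMPLE, "cmdline": f'"{SAMPLE}"'},
    {"pid": 1840, "ppid": 1916, "image": SCHTASKS,
     "cmdline": r'"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\PuxfpXXblaf" '
                r'/XML "C:\Users\Admin\AppData\Local\Temp\tmpF4C0.tmp"'},
    {"pid": 4808, "ppid": 1916, "image": SAMPLE, "cmdline": f'"{SAMPLE}"'},
    {"pid": 3260, "ppid": 1916, "image": SAMPLE, "cmdline": f'"{SAMPLE}"'},
    {"pid": 1540, "ppid": 1916, "image": SAMPLE, "cmdline": f'"{SAMPLE}"'},
    {"pid": 1960, "ppid": 1540, "image": DROPPED, "cmdline": f'"{DROPPED}"'},
    {"pid": 4372, "ppid": 1960, "image": SCHTASKS,
     "cmdline": r'"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\PuxfpXXblaf" '
                r'/XML "C:\Users\Admin\AppData\Local\Temp\tmpAC68.tmp"'},
    {"pid": 1920, "ppid": 1960, "image": DROPPED, "cmdline": f'"{DROPPED}"'},
]

TEMP_DIR_RE = re.compile(r"\\appdata\\local\\temp\\", re.I)
TASK_NAME_RE = re.compile(r'/TN\s+"?([^"\s]+)"?', re.I)
TASK_XML_RE = re.compile(r'/XML\s+"([^"]+)"', re.I)


def find_self_relaunch(events):
    """PIDs whose image path equals the parent's image path. A fresh,
    suspended copy of the same binary is the usual hollowing target."""
    image_by_pid = {e["pid"]: e["image"].lower() for e in events}
    return [e["pid"] for e in events
            if image_by_pid.get(e["ppid"]) == e["image"].lower()]


def find_schtasks_xml_persistence(events):
    """schtasks /Create fed an XML definition from the user's Temp dir.
    Returns (pid, task name or None, xml path) per hit."""
    hits = []
    for e in events:
        if ntpath.basename(e["image"]).lower() != "schtasks.exe":
            continue
        cmd = e["cmdline"]
        if not re.search(r"/create\b", cmd, re.I):
            continue
        xml = TASK_XML_RE.search(cmd)
        if xml and TEMP_DIR_RE.search(xml.group(1)):
            name = TASK_NAME_RE.search(cmd)
            hits.append((e["pid"], name.group(1) if name else None, xml.group(1)))
    return hits


def find_programdata_exe(events):
    """Executables running directly out of C:\\ProgramData (the drop
    location in this report), regardless of who spawned them."""
    return [e["pid"] for e in events
            if ntpath.dirname(e["image"]).lower() == r"c:\programdata"
            and e["image"].lower().endswith(".exe")]


def find_wow64_redirected(events):
    """Children whose command line names System32 but whose image resolved
    to SysWOW64: file-system redirection, i.e. a 32-bit parent."""
    return [e["pid"] for e in events
            if "\\syswow64\\" in e["image"].lower()
            and "\\system32\\" in e["cmdline"].lower()]


def summarize(events):
    """Run every check and return {rule: hits}."""
    return {
        "self_relaunch": find_self_relaunch(events),
        "schtasks_xml_from_temp": find_schtasks_xml_persistence(events),
        "exe_in_programdata": find_programdata_exe(events),
        "wow64_redirected": find_wow64_redirected(events),
    }


if __name__ == "__main__":
    for rule, hits in summarize(EVENTS).items():
        print(f"{rule}: {hits}")
```

On a live host the registered task shows up under the same folder with `Get-ScheduledTask -TaskPath '\Updates\'`; the tmpXXXX.tmp XML may be short-lived, so export the task definition from the task store (`Export-ScheduledTask`) rather than relying on the file in Temp.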

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\ProgramData\images.exe

    Filesize

    1.2MB

    MD5

    9e3ab2e7f5e0800dcd95225fd81209e4

    SHA1

    c7caae28067a798e4f592ec157b5f779aae87344

    SHA256

    a9164bf7d30f6de9782008453c71e87856e4bbf3e7ef8867e48f2121cd6a74f0

    SHA512

    07516d474e51194e05aca5f07037d388c55ce02c94f13a48d691ba43d3629ae28f90e08524db01e994020140f5539d52b333afb6c10b3e5d4c2349f2c2bb9d22

  • C:\ProgramData\images.exe

    Filesize

    512KB

    MD5

    907e8de94742ded80a9560ff0fc0f55e

    SHA1

    3b968b957bc33d5611a1b4292bb1c671ad44439d

    SHA256

    e0cc36e41fe9551d741461677a97dd85a1873c12f4bfe0630849f704b86da294

    SHA512

    fa29c45556101395223b20504253c1246011d164349c1387f909ede49ed68d1693b10f7e2f69b730b691bce56284c06a283dd6e2f9b69f343ffbacbb8597017f

  • C:\Users\Admin\AppData\Local\Temp\tmpF4C0.tmp

    Filesize

    1KB

    MD5

    e536b4c0b440384b272d09a19b1ae7d5

    SHA1

    2fa64109ad69064e2c0645845e665eaca579cf2a

    SHA256

    f2b084597de0f7292a0d68357d8fd1b0346d848dafa63d1000c03d9eb8dd836d

    SHA512

    13f074fbb1c85f01a08fbcf2d1f1a19b55456d93497e6edad361110c679eb181d4535ae73b54b4dfb7cd1a1f10d9aaa6389e3ae0028034aa725c467a7809e951

  • memory/1540-27-0x0000000000400000-0x0000000000554000-memory.dmp

    Filesize

    1.3MB

  • memory/1540-22-0x0000000000400000-0x0000000000554000-memory.dmp

    Filesize

    1.3MB

  • memory/1540-20-0x0000000000400000-0x0000000000554000-memory.dmp

    Filesize

    1.3MB

  • memory/1540-17-0x0000000000400000-0x0000000000554000-memory.dmp

    Filesize

    1.3MB

  • memory/1916-7-0x0000000005060000-0x0000000005072000-memory.dmp

    Filesize

    72KB

  • memory/1916-2-0x0000000005630000-0x0000000005BD4000-memory.dmp

    Filesize

    5.6MB

  • memory/1916-9-0x00000000050F0000-0x0000000005100000-memory.dmp

    Filesize

    64KB

  • memory/1916-10-0x0000000005FC0000-0x000000000604C000-memory.dmp

    Filesize

    560KB

  • memory/1916-11-0x0000000005CF0000-0x0000000005D12000-memory.dmp

    Filesize

    136KB

  • memory/1916-0-0x0000000000480000-0x00000000005B0000-memory.dmp

    Filesize

    1.2MB

  • memory/1916-6-0x00000000052D0000-0x000000000536C000-memory.dmp

    Filesize

    624KB

  • memory/1916-5-0x0000000005040000-0x000000000504A000-memory.dmp

    Filesize

    40KB

  • memory/1916-21-0x0000000074860000-0x0000000075010000-memory.dmp

    Filesize

    7.7MB

  • memory/1916-4-0x00000000050F0000-0x0000000005100000-memory.dmp

    Filesize

    64KB

  • memory/1916-3-0x0000000004F80000-0x0000000005012000-memory.dmp

    Filesize

    584KB

  • memory/1916-8-0x0000000074860000-0x0000000075010000-memory.dmp

    Filesize

    7.7MB

  • memory/1916-1-0x0000000074860000-0x0000000075010000-memory.dmp

    Filesize

    7.7MB

  • memory/1920-39-0x0000000000400000-0x0000000000554000-memory.dmp

    Filesize

    1.3MB

  • memory/1920-41-0x0000000000400000-0x0000000000554000-memory.dmp

    Filesize

    1.3MB

  • memory/1920-42-0x0000000000400000-0x0000000000554000-memory.dmp

    Filesize

    1.3MB

  • memory/1960-29-0x0000000004FA0000-0x0000000004FB0000-memory.dmp

    Filesize

    64KB

  • memory/1960-30-0x0000000004730000-0x0000000004742000-memory.dmp

    Filesize

    72KB

  • memory/1960-31-0x00000000740C0000-0x0000000074870000-memory.dmp

    Filesize

    7.7MB

  • memory/1960-32-0x0000000004FA0000-0x0000000004FB0000-memory.dmp

    Filesize

    64KB

  • memory/1960-28-0x00000000740C0000-0x0000000074870000-memory.dmp

    Filesize

    7.7MB

  • memory/1960-40-0x00000000740C0000-0x0000000074870000-memory.dmp

    Filesize

    7.7MB