Analysis
max time kernel: 147s
max time network: 155s
platform: windows10-2004_x64
resource: win10v2004-20231215-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
submitted: 17-02-2024 04:44
Static task: static1
Behavioral task: behavioral1
  Sample: b629c386aad3d232fcab9767273721b1a31277cf7ff2397d1b6b5cc8920cc68a.xll
  Resource: win7-20231215-en
Behavioral task: behavioral2
  Sample: b629c386aad3d232fcab9767273721b1a31277cf7ff2397d1b6b5cc8920cc68a.xll
  Resource: win10v2004-20231215-en
General
Target: b629c386aad3d232fcab9767273721b1a31277cf7ff2397d1b6b5cc8920cc68a.xll
Size: 979KB
MD5: 33d33e32134191de2d7a75b3e9c4b289
SHA1: a66979de85535a31eb6a0c199f8598a4581291f2
SHA256: b629c386aad3d232fcab9767273721b1a31277cf7ff2397d1b6b5cc8920cc68a
SHA512: 0fe41ed5e82f94d3eea9fcd22137196cc22a3e11bdd8e9591c6ef7c901ea200c961f55a8e551ad776d6b9b60bf7a5367956efee95ed361c8c79b05f6602e5e92
SSDEEP: 24576:3oOOMX1f+QHT+dAodK0h8jzTv6JDs2cfp2G:3oOOm+QHsf8jzTv6ksG
Malware Config
Extracted
warzonerat
satgobleien.jumpingcrab.com:5208
Signatures
WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers. 9 IoCs
yara_rule INDICATOR_SUSPICIOUS_Binary_References_Browsers matched on:
- behavioral2/memory/4448-65-0x0000000000400000-0x0000000000554000-memory.dmp
- behavioral2/memory/4448-69-0x0000000000400000-0x0000000000554000-memory.dmp
- behavioral2/memory/4448-71-0x0000000000400000-0x0000000000554000-memory.dmp
- behavioral2/memory/4448-82-0x0000000000400000-0x0000000000554000-memory.dmp
- behavioral2/memory/668-93-0x0000000000400000-0x0000000000554000-memory.dmp
- behavioral2/memory/668-98-0x0000000000400000-0x0000000000554000-memory.dmp
- behavioral2/memory/5044-100-0x0000000000400000-0x0000000000554000-memory.dmp
- behavioral2/memory/5044-104-0x0000000000400000-0x0000000000554000-memory.dmp
- behavioral2/memory/668-107-0x0000000000400000-0x0000000000554000-memory.dmp
Detects executables embedding command execution via IExecuteCommand COM object 9 IoCs
yara_rule INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM matched on:
- behavioral2/memory/4448-65-0x0000000000400000-0x0000000000554000-memory.dmp
- behavioral2/memory/4448-69-0x0000000000400000-0x0000000000554000-memory.dmp
- behavioral2/memory/4448-71-0x0000000000400000-0x0000000000554000-memory.dmp
- behavioral2/memory/4448-82-0x0000000000400000-0x0000000000554000-memory.dmp
- behavioral2/memory/668-93-0x0000000000400000-0x0000000000554000-memory.dmp
- behavioral2/memory/668-98-0x0000000000400000-0x0000000000554000-memory.dmp
- behavioral2/memory/5044-100-0x0000000000400000-0x0000000000554000-memory.dmp
- behavioral2/memory/5044-104-0x0000000000400000-0x0000000000554000-memory.dmp
- behavioral2/memory/668-107-0x0000000000400000-0x0000000000554000-memory.dmp
Detects executables packed with ConfuserEx Mod 5 IoCs
yara_rule INDICATOR_EXE_Packed_ConfuserEx matched on:
- behavioral2/memory/4832-40-0x0000022C08DC0000-0x0000022C08E2A000-memory.dmp
- behavioral2/files/0x0008000000023177-45.dat
- behavioral2/memory/4328-54-0x00000000000C0000-0x0000000000128000-memory.dmp
- behavioral2/memory/4328-57-0x0000000004A80000-0x0000000004A90000-memory.dmp
- behavioral2/memory/4328-58-0x000000000D650000-0x000000000D6BA000-memory.dmp
Warzone RAT payload 9 IoCs
yara_rule warzonerat matched on:
- behavioral2/memory/4448-65-0x0000000000400000-0x0000000000554000-memory.dmp
- behavioral2/memory/4448-69-0x0000000000400000-0x0000000000554000-memory.dmp
- behavioral2/memory/4448-71-0x0000000000400000-0x0000000000554000-memory.dmp
- behavioral2/memory/4448-82-0x0000000000400000-0x0000000000554000-memory.dmp
- behavioral2/memory/668-93-0x0000000000400000-0x0000000000554000-memory.dmp
- behavioral2/memory/668-98-0x0000000000400000-0x0000000000554000-memory.dmp
- behavioral2/memory/5044-100-0x0000000000400000-0x0000000000554000-memory.dmp
- behavioral2/memory/5044-104-0x0000000000400000-0x0000000000554000-memory.dmp
- behavioral2/memory/668-107-0x0000000000400000-0x0000000000554000-memory.dmp
Executes dropped EXE 6 IoCs
pid  Process
4328  483eb5d4-c0a5-4e97-b3cf-d2d2f65f0a19.exe
2844  483eb5d4-c0a5-4e97-b3cf-d2d2f65f0a19.exe
4448  483eb5d4-c0a5-4e97-b3cf-d2d2f65f0a19.exe
3880  rimages.exe
668  rimages.exe
5044  rimages.exe
Loads dropped DLL 2 IoCs
pid  Process
4832  EXCEL.EXE
4832  EXCEL.EXE
Adds Run key to start application 2 TTPs 1 IoCs
description  ioc  Process
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Rmages = "C:\\ProgramData\\rimages.exe"  483eb5d4-c0a5-4e97-b3cf-d2d2f65f0a19.exe
Suspicious use of SetThreadContext 4 IoCs
description  pid  Process  procid_target
PID 4328 set thread context of 2844  4328  483eb5d4-c0a5-4e97-b3cf-d2d2f65f0a19.exe  90
PID 4328 set thread context of 4448  4328  483eb5d4-c0a5-4e97-b3cf-d2d2f65f0a19.exe  91
PID 3880 set thread context of 668  3880  rimages.exe  99
PID 3880 set thread context of 5044  3880  rimages.exe  100
Program crash 1 IoCs
pid  pid_target  Process  procid_target
2392  2844  WerFault.exe  90
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
description  ioc  Process
Key opened  \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0  EXCEL.EXE
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz  EXCEL.EXE
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString  EXCEL.EXE
Enumerates system info in registry 2 TTPs 3 IoCs
description  ioc  Process
Key opened  \REGISTRY\MACHINE\Hardware\Description\System\BIOS  EXCEL.EXE
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily  EXCEL.EXE
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU  EXCEL.EXE
Suspicious behavior: AddClipboardFormatListener 1 IoCs
pid  Process
4832  EXCEL.EXE
Suspicious behavior: EnumeratesProcesses 1 IoCs
pid  Process
4832  EXCEL.EXE
Suspicious use of AdjustPrivilegeToken 3 IoCs
description  pid  Process
Token: SeDebugPrivilege  4832  EXCEL.EXE
Token: SeDebugPrivilege  4328  483eb5d4-c0a5-4e97-b3cf-d2d2f65f0a19.exe
Token: SeDebugPrivilege  3880  rimages.exe
Suspicious use of FindShellTrayWindow 2 IoCs
pid  Process
4832  EXCEL.EXE (2 occurrences)
Suspicious use of SetWindowsHookEx 12 IoCs
pid  Process
4832  EXCEL.EXE (12 occurrences)
Suspicious use of WriteProcessMemory 50 IoCs
description  pid  Process  procid_target  (occurrences)
PID 4832 wrote to memory of 4328  4832  EXCEL.EXE  89  (3)
PID 4328 wrote to memory of 2844  4328  483eb5d4-c0a5-4e97-b3cf-d2d2f65f0a19.exe  90  (11)
PID 4328 wrote to memory of 4448  4328  483eb5d4-c0a5-4e97-b3cf-d2d2f65f0a19.exe  91  (11)
PID 4448 wrote to memory of 3880  4448  483eb5d4-c0a5-4e97-b3cf-d2d2f65f0a19.exe  97  (3)
PID 3880 wrote to memory of 668  3880  rimages.exe  99  (11)
PID 3880 wrote to memory of 5044  3880  rimages.exe  100  (11)
Processes
1. C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
   Command line: "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\b629c386aad3d232fcab9767273721b1a31277cf7ff2397d1b6b5cc8920cc68a.xll"
   PID: 4832
   - Loads dropped DLL
   - Checks processor information in registry
   - Enumerates system info in registry
   - Suspicious behavior: AddClipboardFormatListener
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of FindShellTrayWindow
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\483eb5d4-c0a5-4e97-b3cf-d2d2f65f0a19.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\483eb5d4-c0a5-4e97-b3cf-d2d2f65f0a19.exe"
      PID: 4328
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      3. C:\Users\Admin\AppData\Local\Temp\483eb5d4-c0a5-4e97-b3cf-d2d2f65f0a19.exe
         Command line: C:\Users\Admin\AppData\Local\Temp\483eb5d4-c0a5-4e97-b3cf-d2d2f65f0a19.exe
         PID: 2844
         - Executes dropped EXE
         4. C:\Windows\SysWOW64\WerFault.exe
            Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2844 -s 80
            PID: 2392
            - Program crash
      3. C:\Users\Admin\AppData\Local\Temp\483eb5d4-c0a5-4e97-b3cf-d2d2f65f0a19.exe
         Command line: C:\Users\Admin\AppData\Local\Temp\483eb5d4-c0a5-4e97-b3cf-d2d2f65f0a19.exe
         PID: 4448
         - Executes dropped EXE
         - Adds Run key to start application
         - Suspicious use of WriteProcessMemory
         4. C:\ProgramData\rimages.exe
            Command line: "C:\ProgramData\rimages.exe"
            PID: 3880
            - Executes dropped EXE
            - Suspicious use of SetThreadContext
            - Suspicious use of AdjustPrivilegeToken
            - Suspicious use of WriteProcessMemory
            5. C:\ProgramData\rimages.exe
               Command line: C:\ProgramData\rimages.exe
               PID: 668
               - Executes dropped EXE
            5. C:\ProgramData\rimages.exe
               Command line: C:\ProgramData\rimages.exe
               PID: 5044
               - Executes dropped EXE
1. C:\Windows\SysWOW64\WerFault.exe
   Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 2844 -ip 2844
   PID: 4632
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 383KB
MD5: b473264c556546f6adf84b8af73b90a2
SHA1: 20936e113bcac50382fc4f2770acec2b027a48cc
SHA256: ef1703000daf0e15e2476b6b7df6b04afdfe16b6bf935625161e6ed8bcc937f5
SHA512: 13848d52ee286a026803afdbbc124f6bb03c04bd8b77540a35dc6df13516730c162ccc61b5c936081f3449a30bbb594a90ba15abd2f750ee1d030271a815b90a

C:\Users\Admin\AppData\Local\Temp\b629c386aad3d232fcab9767273721b1a31277cf7ff2397d1b6b5cc8920cc68a.xll
Filesize: 979KB
MD5: 33d33e32134191de2d7a75b3e9c4b289
SHA1: a66979de85535a31eb6a0c199f8598a4581291f2
SHA256: b629c386aad3d232fcab9767273721b1a31277cf7ff2397d1b6b5cc8920cc68a
SHA512: 0fe41ed5e82f94d3eea9fcd22137196cc22a3e11bdd8e9591c6ef7c901ea200c961f55a8e551ad776d6b9b60bf7a5367956efee95ed361c8c79b05f6602e5e92