Analysis

  • max time kernel
    121s
  • max time network
    152s
  • platform
    windows7_x64
  • resource
    win7-20231215-en
  • resource tags

    arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
  • submitted
    19-02-2024 01:47

General

  • Target

    3abd65d34fbbd87ce50eaa1b0eb439d0.exe

  • Size

    579KB

  • MD5

    3abd65d34fbbd87ce50eaa1b0eb439d0

  • SHA1

    ff225553cca948f35a0765f48b5b146f43bb4203

  • SHA256

    d10c74984d4c4dab2f492ab8b31013e552108e14c202b4cabe150ca230230b1e

  • SHA512

    3ce3c7fc6f0ae3706458e8079e50ad1e1d7235394528e001a107c5fa577badc9116f99639a3ff21fa169f941c56ba7df2b960ab0678c51b71cb6a5ae9070e616

  • SSDEEP

    12288:VZSmPwRYnOELz89xPQdPmcOYe5bGs88GqUoJBqmafhkL7OO7BU:VZSmP0Y74qdPmN5bGs88GeBfPFU

Malware Config

Extracted

Family

warzonerat

C2

sgh2024.ddns.net:5200
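The extracted config gives a single C2 endpoint, a dynamic-DNS hostname on a non-standard port, and the General section gives the file hashes; the dropped \Users\Admin\Documents\IntelDrivers.exe listed under Downloads carries exactly the same hashes as the submitted file, so the hash indicators cover both copies. As an added example (not part of the Triage report), the Python below turns those indicators into a scan over Sysmon-style JSON events. The events are constructed for the example; the field names follow Sysmon's schema, but the Run key value name "IntelDrivers" and the SID in the registry path are assumptions, since the report only records that a Run key was added.

```python
import json

# Indicators taken from the report: C2 from Malware Config, hashes from General.
C2_HOST, C2_PORT = "sgh2024.ddns.net", 5200
SAMPLE_HASHES = {
    "MD5": "3abd65d34fbbd87ce50eaa1b0eb439d0",
    "SHA1": "ff225553cca948f35a0765f48b5b146f43bb4203",
    "SHA256": "d10c74984d4c4dab2f492ab8b31013e552108e14c202b4cabe150ca230230b1e",
}
# The dropped copy (Downloads section) has the same hashes as the submitted file.
DROPPED_PATH = r"C:\Users\Admin\Documents\IntelDrivers.exe"

# Constructed Sysmon-style events as JSON lines. Field names follow Sysmon's
# schema; the events themselves are made up for this example, and the Run key
# value name "IntelDrivers" plus the SID are assumptions. Sysmon writes hashes
# in upper-case hex, hence the case folding below.
SAMPLE_LOG = r"""
{"EventID": 1, "Image": "C:\\Users\\Admin\\AppData\\Local\\Temp\\3abd65d34fbbd87ce50eaa1b0eb439d0.exe", "Hashes": "MD5=3ABD65D34FBBD87CE50EAA1B0EB439D0,SHA256=D10C74984D4C4DAB2F492AB8B31013E552108E14C202B4CABE150CA230230B1E"}
{"EventID": 11, "Image": "C:\\Users\\Admin\\AppData\\Local\\Temp\\3abd65d34fbbd87ce50eaa1b0eb439d0.exe", "TargetFilename": "C:\\Users\\Admin\\Documents\\IntelDrivers.exe"}
{"EventID": 13, "Image": "C:\\Users\\Admin\\AppData\\Local\\Temp\\3abd65d34fbbd87ce50eaa1b0eb439d0.exe", "TargetObject": "HKU\\S-1-5-21-1000-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\IntelDrivers", "Details": "C:\\Users\\Admin\\Documents\\IntelDrivers.exe"}
{"EventID": 22, "Image": "C:\\Users\\Admin\\Documents\\IntelDrivers.exe", "QueryName": "sgh2024.ddns.net"}
{"EventID": 3, "Image": "C:\\Users\\Admin\\Documents\\IntelDrivers.exe", "DestinationHostname": "sgh2024.ddns.net", "DestinationPort": 5200}
{"EventID": 3, "Image": "C:\\Program Files\\Mozilla Firefox\\firefox.exe", "DestinationHostname": "example.org", "DestinationPort": 443}
{"EventID": 22, "Image": "C:\\Windows\\System32\\svchost.exe", "QueryName": "ctldl.windowsupdate.com"}
"""


def match_event(ev: dict) -> list:
    """Return the names of the indicators one event matches (empty if none)."""
    hits, eid = [], ev.get("EventID")
    if eid == 1:  # process creation: compare every hash Sysmon recorded
        for pair in ev.get("Hashes", "").split(","):
            algo, _, digest = pair.partition("=")
            if digest and SAMPLE_HASHES.get(algo) == digest.lower():
                hits.append(f"hash:{algo}")
    if eid == 11 and ev.get("TargetFilename", "").lower() == DROPPED_PATH.lower():
        hits.append("dropped-file")
    if (eid == 13 and "\\currentversion\\run\\" in ev.get("TargetObject", "").lower()
            and ev.get("Details", "").lower() == DROPPED_PATH.lower()):
        hits.append("run-key-persistence")
    if eid == 22 and ev.get("QueryName", "").lower() == C2_HOST:
        hits.append("c2-dns")
    if (eid == 3 and ev.get("DestinationHostname", "").lower() == C2_HOST
            and ev.get("DestinationPort") == C2_PORT):
        hits.append("c2-connect")
    return hits


def scan(log_text: str) -> list:
    """Scan JSON-lines events; return (EventID, Image, hits) for matching ones."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        hits = match_event(ev)
        if hits:
            findings.append((ev["EventID"], ev.get("Image"), hits))
    return findings


if __name__ == "__main__":
    for eid, image, hits in scan(SAMPLE_LOG):
        print(f"event {eid:2d} {image}: {', '.join(hits)}")
```

The C2 is matched on the hostname rather than on whatever it resolved to during the run: sgh2024.ddns.net is a dynamic-DNS name, so any IP observed in the sandbox is only good until the operator repoints it, while the name and the port 5200 pairing survive that.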

Signatures

  • WarzoneRat, AveMaria

    WarzoneRat (also tracked as AveMaria) is a native RAT written in C++ and sold as malware-as-a-service (MaaS), with multiple plugins.

  • Warzone RAT payload (13 IoCs)
  • Executes dropped EXE (2 IoCs)
  • Loads dropped DLL (2 IoCs)
  • Adds Run key to start application (2 TTPs, 1 IoC)
  • Suspicious use of SetThreadContext (2 IoCs)
  • Suspicious behavior: EnumeratesProcesses (8 IoCs)
  • Suspicious use of AdjustPrivilegeToken (1 IoC)
  • Suspicious use of SetWindowsHookEx (1 IoC)
  • Suspicious use of WriteProcessMemory (44 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\3abd65d34fbbd87ce50eaa1b0eb439d0.exe
    "C:\Users\Admin\AppData\Local\Temp\3abd65d34fbbd87ce50eaa1b0eb439d0.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1916
    • C:\Users\Admin\AppData\Local\Temp\3abd65d34fbbd87ce50eaa1b0eb439d0.exe
      "C:\Users\Admin\AppData\Local\Temp\3abd65d34fbbd87ce50eaa1b0eb439d0.exe"
      2⤵
      PID:2816
    • C:\Users\Admin\AppData\Local\Temp\3abd65d34fbbd87ce50eaa1b0eb439d0.exe
      "C:\Users\Admin\AppData\Local\Temp\3abd65d34fbbd87ce50eaa1b0eb439d0.exe"
      2⤵
      PID:2648
    • C:\Users\Admin\AppData\Local\Temp\3abd65d34fbbd87ce50eaa1b0eb439d0.exe
      "C:\Users\Admin\AppData\Local\Temp\3abd65d34fbbd87ce50eaa1b0eb439d0.exe"
      2⤵
      PID:2708
    • C:\Users\Admin\AppData\Local\Temp\3abd65d34fbbd87ce50eaa1b0eb439d0.exe
      "C:\Users\Admin\AppData\Local\Temp\3abd65d34fbbd87ce50eaa1b0eb439d0.exe"
      2⤵
      PID:2680
    • C:\Users\Admin\AppData\Local\Temp\3abd65d34fbbd87ce50eaa1b0eb439d0.exe
      "C:\Users\Admin\AppData\Local\Temp\3abd65d34fbbd87ce50eaa1b0eb439d0.exe"
      2⤵
      • Loads dropped DLL
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:2556
      • C:\Users\Admin\Documents\IntelDrivers.exe
        "C:\Users\Admin\Documents\IntelDrivers.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious use of WriteProcessMemory
        PID:2380
        • C:\Users\Admin\Documents\IntelDrivers.exe
          "C:\Users\Admin\Documents\IntelDrivers.exe"
          4⤵
          • Executes dropped EXE
          • Suspicious use of SetWindowsHookEx
          PID:1556
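The tree above has the classic self-injection shape: the sample spawns five copies of itself at depth 2 while the parent (PID 1916) is flagged for SetThreadContext and WriteProcessMemory, only the fifth copy (PID 2556) survives long enough to load a DLL, set a Run key and launch the dropped IntelDrivers.exe, and IntelDrivers.exe (PID 2380) then repeats the same step on a copy of itself (PID 1556). As an added example, not code from the report, the Python below parses the tree text in the format shown above, keyed on the "N⤵" depth markers rather than on indentation, resolves parent/child links, and applies three checks derived from the tags: a child sharing its parent's image while the parent shows the SetThreadContext/WriteProcessMemory pair, execution of a dropped EXE, and Run-key persistence. The tree is embedded as a string copied from the page.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Process tree copied from the Processes section; "N⤵" marks each node's depth.
TREE = r"""
• C:\Users\Admin\AppData\Local\Temp\3abd65d34fbbd87ce50eaa1b0eb439d0.exe
"C:\Users\Admin\AppData\Local\Temp\3abd65d34fbbd87ce50eaa1b0eb439d0.exe"
1⤵
• Suspicious use of SetThreadContext
• Suspicious behavior: EnumeratesProcesses
• Suspicious use of AdjustPrivilegeToken
• Suspicious use of WriteProcessMemory
PID:1916
• C:\Users\Admin\AppData\Local\Temp\3abd65d34fbbd87ce50eaa1b0eb439d0.exe
"C:\Users\Admin\AppData\Local\Temp\3abd65d34fbbd87ce50eaa1b0eb439d0.exe"
2⤵
PID:2816
• C:\Users\Admin\AppData\Local\Temp\3abd65d34fbbd87ce50eaa1b0eb439d0.exe
"C:\Users\Admin\AppData\Local\Temp\3abd65d34fbbd87ce50eaa1b0eb439d0.exe"
2⤵
PID:2648
• C:\Users\Admin\AppData\Local\Temp\3abd65d34fbbd87ce50eaa1b0eb439d0.exe
"C:\Users\Admin\AppData\Local\Temp\3abd65d34fbbd87ce50eaa1b0eb439d0.exe"
2⤵
PID:2708
• C:\Users\Admin\AppData\Local\Temp\3abd65d34fbbd87ce50eaa1b0eb439d0.exe
"C:\Users\Admin\AppData\Local\Temp\3abd65d34fbbd87ce50eaa1b0eb439d0.exe"
2⤵
PID:2680
• C:\Users\Admin\AppData\Local\Temp\3abd65d34fbbd87ce50eaa1b0eb439d0.exe
"C:\Users\Admin\AppData\Local\Temp\3abd65d34fbbd87ce50eaa1b0eb439d0.exe"
2⤵
• Loads dropped DLL
• Adds Run key to start application
• Suspicious use of WriteProcessMemory
PID:2556
• C:\Users\Admin\Documents\IntelDrivers.exe
"C:\Users\Admin\Documents\IntelDrivers.exe"
3⤵
• Executes dropped EXE
• Suspicious use of SetThreadContext
• Suspicious use of WriteProcessMemory
PID:2380
• C:\Users\Admin\Documents\IntelDrivers.exe
"C:\Users\Admin\Documents\IntelDrivers.exe"
4⤵
• Executes dropped EXE
• Suspicious use of SetWindowsHookEx
PID:1556
"""


@dataclass
class Proc:
    pid: int
    image: str
    cmdline: str
    depth: int
    tags: list
    parent: Optional[int] = None


DEPTH_RE = re.compile(r"^(\d+)⤵$")
PID_RE = re.compile(r"^PID:(\d+)$")


def parse_tree(text: str) -> dict:
    # Small state machine over the four line types; `stack` holds open ancestors.
    procs, stack, cur, state = {}, [], {}, "image"
    for line in filter(None, (ln.strip() for ln in text.splitlines())):
        if state == "image" and line.startswith("• "):
            cur, state = {"image": line[2:], "tags": []}, "cmdline"
        elif state == "cmdline":
            cur["cmdline"], state = line.strip('"'), "depth"
        elif state == "depth":
            cur["depth"], state = int(DEPTH_RE.match(line).group(1)), "tags"
        elif state == "tags":
            m = PID_RE.match(line)
            if not m:                                  # a behaviour tag for this node
                cur["tags"].append(line.removeprefix("• "))
            else:
                p = Proc(pid=int(m.group(1)), **cur)
                while stack and stack[-1].depth >= p.depth:   # climb back to the parent
                    stack.pop()
                p.parent = stack[-1].pid if stack else None
                procs[p.pid], state = p, "image"
                stack.append(p)
    return procs


HOLLOW_TAGS = {"Suspicious use of SetThreadContext", "Suspicious use of WriteProcessMemory"}


def hollowing_candidates(procs: dict) -> list:
    """Children sharing the parent's image while the parent shows the injection API pair."""
    return [p.pid for p in procs.values() if p.parent is not None
            and procs[p.parent].image == p.image
            and HOLLOW_TAGS <= set(procs[p.parent].tags)]


def dropped_executions(procs: dict) -> list:
    return [(p.parent, p.pid) for p in procs.values() if "Executes dropped EXE" in p.tags]


def persistence(procs: dict) -> list:
    return [p.pid for p in procs.values() if "Adds Run key to start application" in p.tags]
```

All five depth-2 copies are flagged, because the parent's tags apply to every child it wrote into; the tags on the children themselves are what separate the four that exited at once from PID 2556, the one that went on to drop and start IntelDrivers.exe.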

Network

MITRE ATT&CK Enterprise v15


Downloads

  • \Users\Admin\Documents\IntelDrivers.exe

    Filesize

    579KB

    MD5

    3abd65d34fbbd87ce50eaa1b0eb439d0

    SHA1

    ff225553cca948f35a0765f48b5b146f43bb4203

    SHA256

    d10c74984d4c4dab2f492ab8b31013e552108e14c202b4cabe150ca230230b1e

    SHA512

    3ce3c7fc6f0ae3706458e8079e50ad1e1d7235394528e001a107c5fa577badc9116f99639a3ff21fa169f941c56ba7df2b960ab0678c51b71cb6a5ae9070e616

  • memory/1556-58-0x0000000000400000-0x000000000055A000-memory.dmp (Filesize 1.4MB)
  • memory/1556-47-0x000000007EFDE000-0x000000007EFDF000-memory.dmp (Filesize 4KB)
  • memory/1556-53-0x0000000000400000-0x000000000055A000-memory.dmp (Filesize 1.4MB)
  • memory/1556-54-0x0000000000400000-0x000000000055A000-memory.dmp (Filesize 1.4MB)
  • memory/1556-55-0x0000000000400000-0x000000000055A000-memory.dmp (Filesize 1.4MB)
  • memory/1556-56-0x0000000005270000-0x0000000005370000-memory.dmp (Filesize 1024KB)
  • memory/1556-57-0x0000000000400000-0x000000000055A000-memory.dmp (Filesize 1.4MB)
  • memory/1916-5-0x0000000004E50000-0x0000000004EB8000-memory.dmp (Filesize 416KB)
  • memory/1916-20-0x0000000074DE0000-0x00000000754CE000-memory.dmp (Filesize 6.9MB)
  • memory/1916-7-0x0000000004ED0000-0x0000000004F10000-memory.dmp (Filesize 256KB)
  • memory/1916-6-0x0000000074DE0000-0x00000000754CE000-memory.dmp (Filesize 6.9MB)
  • memory/1916-1-0x0000000074DE0000-0x00000000754CE000-memory.dmp (Filesize 6.9MB)
  • memory/1916-4-0x0000000000460000-0x0000000000472000-memory.dmp (Filesize 72KB)
  • memory/1916-3-0x0000000000430000-0x000000000044C000-memory.dmp (Filesize 112KB)
  • memory/1916-0-0x00000000000D0000-0x0000000000168000-memory.dmp (Filesize 608KB)
  • memory/1916-2-0x0000000004ED0000-0x0000000004F10000-memory.dmp (Filesize 256KB)
  • memory/2380-52-0x0000000074B00000-0x00000000751EE000-memory.dmp (Filesize 6.9MB)
  • memory/2380-35-0x0000000074B00000-0x00000000751EE000-memory.dmp (Filesize 6.9MB)
  • memory/2380-33-0x0000000074B00000-0x00000000751EE000-memory.dmp (Filesize 6.9MB)
  • memory/2380-32-0x0000000000360000-0x00000000003F8000-memory.dmp (Filesize 608KB)
  • memory/2380-34-0x00000000049B0000-0x00000000049F0000-memory.dmp (Filesize 256KB)
  • memory/2556-8-0x0000000000400000-0x000000000055A000-memory.dmp (Filesize 1.4MB)
  • memory/2556-31-0x0000000000400000-0x000000000055A000-memory.dmp (Filesize 1.4MB)
  • memory/2556-21-0x0000000000400000-0x000000000055A000-memory.dmp (Filesize 1.4MB)
  • memory/2556-19-0x0000000000400000-0x000000000055A000-memory.dmp (Filesize 1.4MB)
  • memory/2556-17-0x0000000000400000-0x000000000055A000-memory.dmp (Filesize 1.4MB)
  • memory/2556-15-0x000000007EFDE000-0x000000007EFDF000-memory.dmp (Filesize 4KB)
  • memory/2556-14-0x0000000000400000-0x000000000055A000-memory.dmp (Filesize 1.4MB)
  • memory/2556-13-0x0000000000400000-0x000000000055A000-memory.dmp (Filesize 1.4MB)
  • memory/2556-12-0x0000000000400000-0x000000000055A000-memory.dmp (Filesize 1.4MB)
  • memory/2556-11-0x0000000000400000-0x000000000055A000-memory.dmp (Filesize 1.4MB)
  • memory/2556-10-0x0000000000400000-0x000000000055A000-memory.dmp (Filesize 1.4MB)
  • memory/2556-9-0x0000000000400000-0x000000000055A000-memory.dmp (Filesize 1.4MB)
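The dump names above encode the PID, a dump index and the virtual address range, so the list can be regrouped per process, and two layouts then stand out. PIDs 1916 and 2380 each hold a 0x98000-byte (608KB) region at a relocated base (0xD0000 and 0x360000), which is the 579KB file mapped with section alignment: the loader stage. PIDs 2556 and 1556 instead hold a 0x15A000-byte (about 1.4MB) image at the classic 0x400000 base, far larger than the file on disk could account for, consistent with an unpacked payload written into the hollowed copy; the same 0x7EFDE000 4KB page shows up in both. As an added example, not part of the report, the Python below parses the dump names, counts how often each region was dumped, and classifies each PID as loader or payload stage by comparing region sizes against the on-disk sample size. The 0x10000 alignment slack is an assumption, as is treating 0x400000 as the telltale base; the names are copied from the page.

```python
import re
from collections import defaultdict

# Dump names copied from the report's Downloads section (repeats kept: Triage
# dumps the same region several times over the run).
DUMPS = """
memory/1556-58-0x0000000000400000-0x000000000055A000-memory.dmp
memory/1556-47-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
memory/1556-53-0x0000000000400000-0x000000000055A000-memory.dmp
memory/1556-54-0x0000000000400000-0x000000000055A000-memory.dmp
memory/1556-55-0x0000000000400000-0x000000000055A000-memory.dmp
memory/1556-56-0x0000000005270000-0x0000000005370000-memory.dmp
memory/1556-57-0x0000000000400000-0x000000000055A000-memory.dmp
memory/1916-5-0x0000000004E50000-0x0000000004EB8000-memory.dmp
memory/1916-20-0x0000000074DE0000-0x00000000754CE000-memory.dmp
memory/1916-7-0x0000000004ED0000-0x0000000004F10000-memory.dmp
memory/1916-6-0x0000000074DE0000-0x00000000754CE000-memory.dmp
memory/1916-1-0x0000000074DE0000-0x00000000754CE000-memory.dmp
memory/1916-4-0x0000000000460000-0x0000000000472000-memory.dmp
memory/1916-3-0x0000000000430000-0x000000000044C000-memory.dmp
memory/1916-0-0x00000000000D0000-0x0000000000168000-memory.dmp
memory/1916-2-0x0000000004ED0000-0x0000000004F10000-memory.dmp
memory/2380-52-0x0000000074B00000-0x00000000751EE000-memory.dmp
memory/2380-35-0x0000000074B00000-0x00000000751EE000-memory.dmp
memory/2380-33-0x0000000074B00000-0x00000000751EE000-memory.dmp
memory/2380-32-0x0000000000360000-0x00000000003F8000-memory.dmp
memory/2380-34-0x00000000049B0000-0x00000000049F0000-memory.dmp
memory/2556-8-0x0000000000400000-0x000000000055A000-memory.dmp
memory/2556-31-0x0000000000400000-0x000000000055A000-memory.dmp
memory/2556-21-0x0000000000400000-0x000000000055A000-memory.dmp
memory/2556-19-0x0000000000400000-0x000000000055A000-memory.dmp
memory/2556-17-0x0000000000400000-0x000000000055A000-memory.dmp
memory/2556-15-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
memory/2556-14-0x0000000000400000-0x000000000055A000-memory.dmp
memory/2556-13-0x0000000000400000-0x000000000055A000-memory.dmp
memory/2556-12-0x0000000000400000-0x000000000055A000-memory.dmp
memory/2556-11-0x0000000000400000-0x000000000055A000-memory.dmp
memory/2556-10-0x0000000000400000-0x000000000055A000-memory.dmp
memory/2556-9-0x0000000000400000-0x000000000055A000-memory.dmp
"""

# On-disk size of the submitted sample, from the General section (579KB).
SAMPLE_SIZE = 579 * 1024

DUMP_RE = re.compile(r"^memory/(\d+)-\d+-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")


def parse_dumps(text: str) -> dict:
    """Return {pid: {(start, end): dump_count}} from Triage-style dump names."""
    regions = defaultdict(lambda: defaultdict(int))
    for name in text.split():
        m = DUMP_RE.match(name)
        if m:
            pid, start, end = m.groups()
            regions[int(pid)][(int(start, 16), int(end, 16))] += 1
    return regions


def classify(regions: dict, on_disk_size: int = SAMPLE_SIZE,
             image_base: int = 0x400000, slack: int = 0x10000) -> dict:
    """Label each PID by the image it holds.
    'loader'  : a region whose size equals the file on disk plus at most `slack`
                bytes of section alignment (assumed bound), wherever it is based.
    'payload' : a region at `image_base` larger than the file could account for."""
    verdict = {}
    for pid, regs in regions.items():
        for start, end in regs:
            size = end - start
            if start == image_base and size > on_disk_size + slack:
                verdict[pid] = "payload"          # outranks a loader-sized region
            elif on_disk_size <= size <= on_disk_size + slack and pid not in verdict:
                verdict[pid] = "loader"
    return verdict


def summarize(regions: dict) -> dict:
    """Per PID: sorted (start, end, size_bytes, dump_count) tuples."""
    return {pid: sorted((s, e, e - s, n) for (s, e), n in regs.items())
            for pid, regs in regions.items()}


if __name__ == "__main__":
    regions = parse_dumps(DUMPS)
    for pid, rows in summarize(regions).items():
        for s, e, size, n in rows:
            print(f"PID {pid}: 0x{s:08X}-0x{e:08X} {size / 1024:7.0f}KB x{n}")
    print(classify(regions))
```

Read with the process tree, the classification lines up with the tags: the two PIDs flagged for SetThreadContext and WriteProcessMemory (1916 and 2380) are the ones holding the loader image, and the two that received the writes (2556 and 1556) are the ones holding the larger image.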