Analysis Overview
SHA256
1e67a3cf60838fed3422c381e1a5ea4ed25299c5ea361d98ded1321cb42ffd1c
Threat Level: Known bad
The file a1d607403289b24c36ea8c40ebea62e6 was found to be: Known bad.
Malicious Activity Summary
WarzoneRat, AveMaria
Warzone RAT payload
UPX packed file
Executes dropped EXE
Adds Run key to start application
Unsigned PE
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-02-24 12:09
Signatures
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-02-24 12:09
Reported
2024-02-24 12:12
Platform
win7-20240221-en
Max time kernel
120s
Max time network
121s
Command Line
Signatures
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\a1d607403289b24c36ea8c40ebea62e6.exe
"C:\Users\Admin\AppData\Local\Temp\a1d607403289b24c36ea8c40ebea62e6.exe"
Network
Files
memory/1968-0-0x0000000000400000-0x0000000000528000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-02-24 12:09
Reported
2024-02-24 12:12
Platform
win10v2004-20240221-en
Max time kernel
135s
Max time network
146s
Command Line
Signatures
WarzoneRat, AveMaria
Warzone RAT payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\test.exe | N/A |
| N/A | N/A | C:\ProgramData\images.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Images = "C:\\ProgramData\\images.exe" | C:\Users\Admin\AppData\Local\Temp\test.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\a1d607403289b24c36ea8c40ebea62e6.exe
"C:\Users\Admin\AppData\Local\Temp\a1d607403289b24c36ea8c40ebea62e6.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c test.exe
C:\Users\Admin\AppData\Local\Temp\test.exe
test.exe
C:\ProgramData\images.exe
"C:\ProgramData\images.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 20.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.200:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 175.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp |
| CH | 185.19.85.155:1997 | | tcp |
| CH | 185.19.85.155:1997 | | tcp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp |
| CH | 185.19.85.155:1997 | | tcp |
| US | 8.8.8.8:53 | 209.178.17.96.in-addr.arpa | udp |
| CH | 185.19.85.155:1997 | | tcp |
| US | 8.8.8.8:53 | 194.178.17.96.in-addr.arpa | udp |
| CH | 185.19.85.155:1997 | | tcp |
| CH | 185.19.85.155:1997 | | tcp |
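Detection logic for the three behaviours this report surfaces (the Run value under WOW6432Node pointing into C:\ProgramData, the dropped test.exe and images.exe launched through cmd.exe /c, and the repeated unresolved TCP connections to 185.19.85.155:1997), as an added example that is not part of the sandbox report and not the sandbox's own signature code. It runs over constructed JSON-lines telemetry with field names of my own (pid, ppid, image, sha256, key, data, dst_ip, dst_port, domain), not the sandbox's export format. The pids, the parent of the sample and the process attributed to the outbound connections are assumptions, as is treating 185.19.85.155:1997 as the C2 endpoint, which the report lists but does not label.

```python
"""Hunt for the report's behaviours over constructed Sysmon-like telemetry.
Added example; not from the sandbox report. Field names are my own."""
import json
import re
from collections import Counter

# Indicators copied from the report (the second images.exe write has a new hash).
DROPPED_SHA256 = {
    "7f62e5e2d0cfbe0740718588465b71a701fe3e188a8a4755baacbdc6fb41d52c": "test.exe",
    "5faed48673591094f646f0e2931037ddf10307f49f422572ef0070e5b6099644": "images.exe",
    "7e6c9d48d626d592c928f3c7c61b53104b5c28cb35d2a4a35dab11c4d18fc434": "images.exe",
}
KNOWN_C2 = {("185.19.85.155", 1997)}  # assumption: treated as the C2 endpoint

# Run/RunOnce under HKLM or HKCU, native or abbreviated hive name, with or
# without the WOW6432Node redirection a 32-bit process gets on 64-bit Windows.
RUN_KEY_RE = re.compile(
    r"^(\\REGISTRY\\MACHINE|\\REGISTRY\\USER\\[^\\]+|HKLM|HKCU|HKEY_LOCAL_MACHINE|HKEY_CURRENT_USER)"
    r"\\SOFTWARE\\(WOW6432Node\\)?Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\[^\\]+$",
    re.IGNORECASE,
)
# Directories a normal user can write to; droppers favour them, legitimate Run entries rarely do.
USER_WRITABLE_RE = re.compile(
    r'^"?[A-Z]:\\(ProgramData|Users\\[^\\]+\\AppData|Windows\\Temp)\\', re.IGNORECASE
)

# Constructed telemetry replaying the behavioral2 chain plus one benign Run entry.
# pids, ppids and the pid making the connections are illustrative, not from the report.
SAMPLE_EVENTS = r"""
{"type":"process","pid":2672,"ppid":1200,"image":"C:\\Users\\Admin\\AppData\\Local\\Temp\\a1d607403289b24c36ea8c40ebea62e6.exe","sha256":"1e67a3cf60838fed3422c381e1a5ea4ed25299c5ea361d98ded1321cb42ffd1c"}
{"type":"process","pid":2700,"ppid":2672,"image":"C:\\Windows\\SysWOW64\\cmd.exe","cmdline":"C:\\Windows\\system32\\cmd.exe /c test.exe"}
{"type":"process","pid":1976,"ppid":2700,"image":"C:\\Users\\Admin\\AppData\\Local\\Temp\\test.exe","sha256":"7f62e5e2d0cfbe0740718588465b71a701fe3e188a8a4755baacbdc6fb41d52c"}
{"type":"registry","pid":1976,"op":"SetValue","key":"\\REGISTRY\\MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Run\\Images","data":"C:\\ProgramData\\images.exe"}
{"type":"registry","pid":900,"op":"SetValue","key":"HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater","data":"C:\\Program Files\\Vendor\\updater.exe"}
{"type":"process","pid":2044,"ppid":1976,"image":"C:\\ProgramData\\images.exe","sha256":"5faed48673591094f646f0e2931037ddf10307f49f422572ef0070e5b6099644"}
{"type":"network","pid":2044,"proto":"tcp","dst_ip":"204.79.197.200","dst_port":443,"domain":"g.bing.com"}
{"type":"network","pid":2044,"proto":"tcp","dst_ip":"185.19.85.155","dst_port":1997,"domain":""}
{"type":"network","pid":2044,"proto":"tcp","dst_ip":"185.19.85.155","dst_port":1997,"domain":""}
{"type":"network","pid":2044,"proto":"tcp","dst_ip":"185.19.85.155","dst_port":1997,"domain":""}
"""


def parse_events(text):
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def run_key_persistence(events):
    """Run/RunOnce values whose data points into a user-writable directory."""
    return [
        {"rule": "run_key_to_user_writable", "pid": e["pid"], "key": e["key"], "data": e["data"]}
        for e in events
        if e.get("type") == "registry" and e.get("op") == "SetValue"
        and RUN_KEY_RE.match(e["key"]) and USER_WRITABLE_RE.match(e["data"])
    ]


def dropped_exe_execution(events):
    """Process starts matching a dropped-file hash, or a user-writable executable
    launched (directly or through one cmd.exe hop) by another user-writable one."""
    image, parent, hits = {}, {}, []
    for e in events:
        if e.get("type") != "process":
            continue
        image[e["pid"]], parent[e["pid"]] = e["image"], e.get("ppid")
        if e.get("sha256", "").lower() in DROPPED_SHA256:
            hits.append({"rule": "known_dropped_hash", "pid": e["pid"], "image": e["image"]})
            continue
        anc = e.get("ppid")
        for _ in range(2):  # parent, then grandparent (covers the cmd.exe /c hop)
            if anc in image and USER_WRITABLE_RE.match(image[anc]) and USER_WRITABLE_RE.match(e["image"]):
                hits.append({"rule": "user_writable_chain", "pid": e["pid"], "image": e["image"]})
                break
            anc = parent.get(anc)
    return hits


def c2_beacons(events, min_connections=3):
    """Known C2 endpoint, or repeated TCP connections to one unresolved ip:port on a
    non-web port, the shape the report shows for 185.19.85.155:1997."""
    counts = Counter(
        (e["dst_ip"], int(e["dst_port"]))
        for e in events
        if e.get("type") == "network" and e.get("proto") == "tcp" and not e.get("domain")
    )
    hits = []
    for (ip, port), n in counts.items():
        if (ip, port) in KNOWN_C2:
            hits.append({"rule": "known_c2", "dst": f"{ip}:{port}", "count": n})
        elif port not in (80, 443) and n >= min_connections:
            hits.append({"rule": "repeated_unresolved_tcp", "dst": f"{ip}:{port}", "count": n})
    return hits


def triage(text=SAMPLE_EVENTS):
    events = parse_events(text)
    return run_key_persistence(events) + dropped_exe_execution(events) + c2_beacons(events)


if __name__ == "__main__":
    for hit in triage():
        print(hit)
```

The hash-independent rules matter here: the report itself shows images.exe written twice with different SHA256 values, so matching only the listed hashes would miss a rebuilt or re-dropped payload, while the Run-key and parent-chain rules fire on the behaviour regardless of the file contents.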
Files
memory/2672-0-0x0000000000400000-0x0000000000528000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\test.exe
| MD5 | e1adf57016dcad481ba78ab6155ea67e |
| SHA1 | fa1e20cbd2f190ddc004dc8af9809cdcb2ede356 |
| SHA256 | 7f62e5e2d0cfbe0740718588465b71a701fe3e188a8a4755baacbdc6fb41d52c |
| SHA512 | dea2342480f72d07fc123de631d26b1cd2cd1ecb53863475f2ceaca95746b6c1354064f76ce0522a2bdca0dcec29207d287bd051c521b1496b12e21ebad546c5 |
memory/2672-9-0x0000000000400000-0x0000000000528000-memory.dmp
C:\ProgramData\images.exe
| MD5 | 05ea531dad01ac466150c250e1b96ad3 |
| SHA1 | ace81cfae98fb4aac5ad04e31036b46de4bb34e5 |
| SHA256 | 5faed48673591094f646f0e2931037ddf10307f49f422572ef0070e5b6099644 |
| SHA512 | 74ea9666004014795ceca55a549be6c7bb1dd1c3f6fa5708ec21a90896d3d53462079eb7a95c515c5645bdc6a9fd874cc03be1ec972c194d0bd4ac7b475bcf61 |
C:\ProgramData\images.exe
| MD5 | 8025a5c7181046e6af5e84ce1f8a08b6 |
| SHA1 | 70977bb6a5b22614b75df355892d1fd24bbaefc5 |
| SHA256 | 7e6c9d48d626d592c928f3c7c61b53104b5c28cb35d2a4a35dab11c4d18fc434 |
| SHA512 | a7ae9ee68d4def6682da4712ab9f2f8a8b2bfc673a4bd3aa428772c0a8982f411d3766f2a86321b10f0da37dad5a48738ff50cf3e579519b9fc3979dac126235 |
memory/1976-10-0x00000000013E0000-0x00000000013E1000-memory.dmp