Analysis Overview
SHA256
d9740755673a2b1025f0a9ea9a579657b0d22d7c00a049d113f84326d37b66bb
Threat Level: Known bad
The file a96c1c2b0b245740ae897f75cfe80db8 was found to be: Known bad.
Malicious Activity Summary
Detects BazaLoader malware
WarzoneRat, AveMaria
Warzone RAT payload
Executes dropped EXE
Suspicious use of SetThreadContext
Unsigned PE
Program crash
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-02-27 14:45
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-02-27 14:45
Reported
2024-02-27 14:48
Platform
win7-20240221-en
Max time kernel
117s
Max time network
120s
Command Line
Signatures
Detects BazaLoader malware
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
WarzoneRat, AveMaria
Warzone RAT payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 3032 set thread context of 2532 | N/A | C:\Users\Admin\AppData\Local\Temp\a96c1c2b0b245740ae897f75cfe80db8.exe | C:\Users\Admin\AppData\Local\Temp\a96c1c2b0b245740ae897f75cfe80db8.exe |
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\a96c1c2b0b245740ae897f75cfe80db8.exe |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\a96c1c2b0b245740ae897f75cfe80db8.exe
"C:\Users\Admin\AppData\Local\Temp\a96c1c2b0b245740ae897f75cfe80db8.exe"
C:\Users\Admin\AppData\Local\Temp\a96c1c2b0b245740ae897f75cfe80db8.exe
"{path}"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2532 -s 200
Network
Files
memory/3032-0-0x0000000001190000-0x0000000001204000-memory.dmp
memory/3032-1-0x0000000074BD0000-0x00000000752BE000-memory.dmp
memory/3032-2-0x0000000001080000-0x00000000010C0000-memory.dmp
memory/3032-3-0x0000000000310000-0x0000000000318000-memory.dmp
memory/3032-4-0x0000000074BD0000-0x00000000752BE000-memory.dmp
memory/3032-5-0x0000000001080000-0x00000000010C0000-memory.dmp
memory/3032-6-0x0000000007C70000-0x0000000007CEC000-memory.dmp
memory/3032-7-0x00000000009C0000-0x00000000009EE000-memory.dmp
memory/2532-8-0x0000000000400000-0x000000000055E000-memory.dmp
memory/2532-9-0x0000000000400000-0x000000000055E000-memory.dmp
memory/2532-10-0x0000000000400000-0x000000000055E000-memory.dmp
memory/2532-12-0x0000000000400000-0x000000000055E000-memory.dmp
memory/2532-16-0x0000000000400000-0x000000000055E000-memory.dmp
memory/2532-14-0x0000000000400000-0x000000000055E000-memory.dmp
memory/2532-18-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
memory/2532-20-0x0000000000400000-0x000000000055E000-memory.dmp
memory/3032-22-0x0000000074BD0000-0x00000000752BE000-memory.dmp
memory/2532-23-0x0000000000400000-0x000000000055E000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-02-27 14:45
Reported
2024-02-27 14:48
Platform
win10v2004-20240226-en
Max time kernel
149s
Max time network
150s
Command Line
Signatures
Detects BazaLoader malware
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
WarzoneRat, AveMaria
Warzone RAT payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\ProgramData\images.exe | N/A |
| N/A | N/A | C:\ProgramData\images.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 4232 set thread context of 2656 | N/A | C:\Users\Admin\AppData\Local\Temp\a96c1c2b0b245740ae897f75cfe80db8.exe | C:\Users\Admin\AppData\Local\Temp\a96c1c2b0b245740ae897f75cfe80db8.exe |
| PID 380 set thread context of 5064 | N/A | C:\ProgramData\images.exe | C:\ProgramData\images.exe |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\a96c1c2b0b245740ae897f75cfe80db8.exe
"C:\Users\Admin\AppData\Local\Temp\a96c1c2b0b245740ae897f75cfe80db8.exe"
C:\Users\Admin\AppData\Local\Temp\a96c1c2b0b245740ae897f75cfe80db8.exe
"{path}"
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /f /v Load /t REG_SZ /d "C:\ProgramData\images.exe"
C:\ProgramData\images.exe
"C:\ProgramData\images.exe"
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /f /v Load /t REG_SZ /d "C:\ProgramData\images.exe"
C:\ProgramData\images.exe
"{path}"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.200:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 74.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.154.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.134.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp |
| LV | 46.183.221.21:5200 | tcp | |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 192.178.17.96.in-addr.arpa | udp |
| LV | 46.183.221.21:5200 | tcp | |
| LV | 46.183.221.21:5200 | tcp | |
| US | 8.8.8.8:53 | 121.150.79.40.in-addr.arpa | udp |
| LV | 46.183.221.21:5200 | tcp |
Files
memory/4232-1-0x0000000074DA0000-0x0000000075550000-memory.dmp
memory/4232-0-0x00000000007A0000-0x0000000000814000-memory.dmp
memory/4232-2-0x00000000057C0000-0x0000000005D64000-memory.dmp
memory/4232-3-0x0000000005210000-0x00000000052A2000-memory.dmp
memory/4232-4-0x00000000051D0000-0x00000000051E0000-memory.dmp
memory/4232-5-0x00000000052D0000-0x00000000052DA000-memory.dmp
memory/4232-6-0x00000000057B0000-0x00000000057B8000-memory.dmp
memory/4232-7-0x0000000006410000-0x00000000064AC000-memory.dmp
memory/4232-8-0x0000000074DA0000-0x0000000075550000-memory.dmp
memory/4232-9-0x00000000051D0000-0x00000000051E0000-memory.dmp
memory/4232-10-0x0000000007D60000-0x0000000007DDC000-memory.dmp
memory/4232-11-0x0000000007C10000-0x0000000007C3E000-memory.dmp
memory/2656-12-0x0000000000400000-0x000000000055E000-memory.dmp
memory/4232-16-0x0000000074DA0000-0x0000000075550000-memory.dmp
memory/2656-15-0x0000000000400000-0x000000000055E000-memory.dmp
memory/2656-17-0x0000000000400000-0x000000000055E000-memory.dmp
C:\ProgramData\images.exe
| MD5 | a96c1c2b0b245740ae897f75cfe80db8 |
| SHA1 | 1cd3e303ae71082e72bd0ff4a57c62dc56b17687 |
| SHA256 | d9740755673a2b1025f0a9ea9a579657b0d22d7c00a049d113f84326d37b66bb |
| SHA512 | 4669813ea0edd51caae66a762b0ec9b3912a7de839a77f2ce4c51ffd4bda26f81f20fe78989a7460c7ee230d579fe718dc2d22a2b243e1701fec1dd4c5215861 |
memory/380-23-0x0000000074600000-0x0000000074DB0000-memory.dmp
memory/2656-22-0x0000000000400000-0x000000000055E000-memory.dmp
memory/380-24-0x00000000053E0000-0x00000000053F0000-memory.dmp
memory/380-25-0x0000000074600000-0x0000000074DB0000-memory.dmp
memory/380-26-0x00000000053E0000-0x00000000053F0000-memory.dmp
memory/5064-31-0x0000000000400000-0x000000000055E000-memory.dmp
memory/380-32-0x0000000074600000-0x0000000074DB0000-memory.dmp
memory/5064-33-0x0000000000400000-0x000000000055E000-memory.dmp
memory/1064-34-0x00000000010F0000-0x00000000010F1000-memory.dmp
memory/5064-36-0x0000000000400000-0x000000000055E000-memory.dmp