Analysis Overview
SHA256
65578feb0c4c1850e41dfa8928d9619d3057913feb2ddb83e10fb000c9de5869
Threat Level: Known bad
The file afa66b8e771f237de3d28774bc761117 was found to be: Known bad.
Malicious Activity Summary
WarzoneRat, AveMaria
Warzone RAT payload
Loads dropped DLL
Executes dropped EXE
Adds Run key to start application
Unsigned PE
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-02-29 22:40
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-02-29 22:40
Reported
2024-02-29 22:42
Platform
win7-20240221-en
Max time kernel
144s
Max time network
153s
Command Line
Signatures
WarzoneRat, AveMaria
Warzone RAT payload
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\ProgramData\images.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\afa66b8e771f237de3d28774bc761117.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Images = "C:\\ProgramData\\images.exe" | C:\Users\Admin\AppData\Local\Temp\afa66b8e771f237de3d28774bc761117.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\afa66b8e771f237de3d28774bc761117.exe
"C:\Users\Admin\AppData\Local\Temp\afa66b8e771f237de3d28774bc761117.exe"
C:\ProgramData\images.exe
"C:\ProgramData\images.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe"
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| NL | 194.5.97.145:9976 | | tcp |
| NL | 194.5.97.145:9976 | | tcp |
| NL | 194.5.97.145:9976 | | tcp |
| NL | 194.5.97.145:9976 | | tcp |
| NL | 194.5.97.145:9976 | | tcp |
Files
memory/2200-0-0x0000000075920000-0x0000000075A20000-memory.dmp
memory/2200-1-0x0000000002180000-0x00000000022D4000-memory.dmp
memory/2200-3-0x0000000002370000-0x0000000002E70000-memory.dmp
\ProgramData\images.exe
| Hash | Value |
|---|---|
| MD5 | 9437aef9e8bdb096bae754eb35879ce7 |
| SHA1 | 6d51c986a9ef64e1460cd065e3fb6052239715dd |
| SHA256 | 1b3daaf23221030ff9ee2b2af9617c1bb47d8f901c9666d5864d28468034f8a0 |
| SHA512 | 7285d0ca0aac5be17024c6da9c9a68a6b235d7eac6c87d502e6ab89751889f664f936aeb6a420d5d681756a87ebc6e0e06b824c6839d8f1a0e1fd267cba1f2a6 |
C:\ProgramData\images.exe
| Hash | Value |
|---|---|
| MD5 | afa66b8e771f237de3d28774bc761117 |
| SHA1 | f5eec9e4d2289d661fa0f4fa18ce16bd6c00b06f |
| SHA256 | 65578feb0c4c1850e41dfa8928d9619d3057913feb2ddb83e10fb000c9de5869 |
| SHA512 | e0292bd2f66faf1c44b6afeb787e5b6a02b60a27593e376b4bf492b25e38e3f46ffd6a7da7344e09966d23ca795665bb71fd8f73b3266c09fbb45fe7a6111f99 |
memory/2200-14-0x0000000002180000-0x00000000022D4000-memory.dmp
memory/2200-15-0x0000000075920000-0x0000000075A20000-memory.dmp
memory/2576-16-0x00000000009A0000-0x0000000000AF4000-memory.dmp
C:\ProgramData\images.exe
| Hash | Value |
|---|---|
| MD5 | 2eb81c9ac17aad97c2a7e013a57e018b |
| SHA1 | 03bbe8bfefdfad42206a73ace35a95f72a3ab308 |
| SHA256 | aaca42251376921b4d883f71af8ef619fa397b55d6ef3d22ef85acd66b0340c0 |
| SHA512 | ae662ba5250c8a8a1137ef9ae914a22755a0cd79613b8f0f96aabf5ccfece4d067a3d4486a34dcf3febb31667225e2addb6cc2b1b736fe3fdefff3056a4d4858 |
memory/2892-24-0x0000000000160000-0x0000000000161000-memory.dmp
memory/2892-26-0x0000000000160000-0x0000000000161000-memory.dmp
memory/2576-30-0x0000000075920000-0x0000000075A20000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-02-29 22:40
Reported
2024-02-29 22:42
Platform
win10v2004-20240226-en
Max time kernel
146s
Max time network
157s
Command Line
Signatures
WarzoneRat, AveMaria
Warzone RAT payload
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\ProgramData\images.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Images = "C:\\ProgramData\\images.exe" | C:\Users\Admin\AppData\Local\Temp\afa66b8e771f237de3d28774bc761117.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 2972 wrote to memory of 3352 | N/A | C:\Users\Admin\AppData\Local\Temp\afa66b8e771f237de3d28774bc761117.exe | C:\ProgramData\images.exe |
| PID 2972 wrote to memory of 3352 | N/A | C:\Users\Admin\AppData\Local\Temp\afa66b8e771f237de3d28774bc761117.exe | C:\ProgramData\images.exe |
| PID 2972 wrote to memory of 3352 | N/A | C:\Users\Admin\AppData\Local\Temp\afa66b8e771f237de3d28774bc761117.exe | C:\ProgramData\images.exe |
| PID 3352 wrote to memory of 3608 | N/A | C:\ProgramData\images.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 3352 wrote to memory of 3608 | N/A | C:\ProgramData\images.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 3352 wrote to memory of 3608 | N/A | C:\ProgramData\images.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 3352 wrote to memory of 3608 | N/A | C:\ProgramData\images.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 3352 wrote to memory of 3608 | N/A | C:\ProgramData\images.exe | C:\Windows\SysWOW64\cmd.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\afa66b8e771f237de3d28774bc761117.exe
"C:\Users\Admin\AppData\Local\Temp\afa66b8e771f237de3d28774bc761117.exe"
C:\ProgramData\images.exe
"C:\ProgramData\images.exe"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4084 --field-trial-handle=2248,i,10247514684337323751,15511974759131734137,262144 --variations-seed-version /prefetch:8
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe"
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | 68.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 205.47.74.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.200:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
| US | 20.231.121.79:80 | | tcp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 13.107.246.64:443 | | tcp |
| US | 8.8.8.8:53 | 0.204.248.87.in-addr.arpa | udp |
| NL | 194.5.97.145:9976 | | tcp |
| US | 8.8.8.8:53 | 21.236.111.52.in-addr.arpa | udp |
| NL | 194.5.97.145:9976 | | tcp |
| NL | 194.5.97.145:9976 | | tcp |
| US | 8.8.8.8:53 | 14.173.189.20.in-addr.arpa | udp |
| NL | 194.5.97.145:9976 | | tcp |
Files
memory/2972-0-0x0000000076B80000-0x0000000076D20000-memory.dmp
memory/2972-1-0x0000000003240000-0x0000000003D40000-memory.dmp
memory/2972-2-0x0000000002EB0000-0x0000000003004000-memory.dmp
C:\ProgramData\images.exe
| Hash | Value |
|---|---|
| MD5 | db855e6916913c5b79d6468428343162 |
| SHA1 | e10074d5d85f4b0fc6a3e25c694c826df0f5db99 |
| SHA256 | 5b84b8e69ade43f9f3e8d5a05e10198b61c1f5ba7a9939fbc26ba8b8f51dc96a |
| SHA512 | f7147726f84f8515c403e2ae47f604a4364e05d8294967d92bbd3321e85b68628f34bb1e863762f9d7acca9f444bcb027e0c210051b89da7ddaf7892e278a215 |
memory/2972-12-0x0000000002EB0000-0x0000000003004000-memory.dmp
memory/2972-13-0x0000000076B80000-0x0000000076D20000-memory.dmp
C:\ProgramData\images.exe
| Hash | Value |
|---|---|
| MD5 | c32ab115d9d9b9557a3e80aa9858ad43 |
| SHA1 | 96ae7aed930134ba6a6a8fe959577d28e8d7136f |
| SHA256 | e9c3a757d7382627f2848b02dcfc5fdd95d925e3aedfbec526e0707a64796ef0 |
| SHA512 | 19cd406bc40936222c3404166e27a7f86249dcdeb933b233f1b476c76a7927ab48f5752dccffb4a468f17e99fa7829563db292bb7843f730314cbba1d86bcf96 |
memory/3352-15-0x0000000076B80000-0x0000000076D20000-memory.dmp
memory/3352-16-0x0000000002AB0000-0x0000000002C04000-memory.dmp
memory/3608-23-0x0000000001860000-0x0000000001861000-memory.dmp