Analysis
Max time kernel: 122s
Max time network: 123s
Platform: windows7_x64
Resource: win7-20240220-en
Resource tags: arch:x64, arch:x86, image:win7-20240220-en, locale:en-us, os:windows7-x64, system
Submitted: 17-04-2024 13:50

Static task: static1

Behavioral task: behavioral1
Sample: 74ab97b09af8d1277126ff92b065ce8f08c3dc28f17745e78c0d8fcf0e8b5447.exe
Resource: win7-20240220-en

Behavioral task: behavioral2
Sample: 74ab97b09af8d1277126ff92b065ce8f08c3dc28f17745e78c0d8fcf0e8b5447.exe
Resource: win10v2004-20240412-en
General
Target: 74ab97b09af8d1277126ff92b065ce8f08c3dc28f17745e78c0d8fcf0e8b5447.exe
Size: 577KB
MD5: a9862010588f43a61bd317483b93947b
SHA1: 31987c99822c71a38cebc13d8d3261833313a77c
SHA256: 74ab97b09af8d1277126ff92b065ce8f08c3dc28f17745e78c0d8fcf0e8b5447
SHA512: 1ac4380dfb2c8cea6a4071c56d6cbf21a17cb79c791fe264dbe65b5f72749dd159918810d0ab00cbb84b8531e464f2c697d8d00fc34b7044228096a5d7dd06b1
SSDEEP: 12288:er3Qp5I9xWZvHgYAXGWKkv5oT4sIrT9t4GH:ejOySRA2nsRNH
Malware Config
Extracted family: warzonerat
C2: 51.77.167.59:5951
Signatures

- WarzoneRat, AveMaria
  WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.

- Warzone RAT payload (6 IoCs)
  Memory regions matching the warzonerat YARA rule (resource, yara_rule):
    behavioral1/memory/2588-25-0x0000000000400000-0x000000000055A000-memory.dmp  warzonerat
    behavioral1/memory/2588-27-0x0000000000400000-0x000000000055A000-memory.dmp  warzonerat
    behavioral1/memory/2588-29-0x0000000000400000-0x000000000055A000-memory.dmp  warzonerat
    behavioral1/memory/2588-24-0x0000000000400000-0x000000000055A000-memory.dmp  warzonerat
    behavioral1/memory/2656-72-0x0000000000400000-0x000000000055A000-memory.dmp  warzonerat
    behavioral1/memory/2656-75-0x0000000000400000-0x000000000055A000-memory.dmp  warzonerat

- Executes dropped EXE (1 IoC)
  Processes (pid, process):
    2560  svchost.exe

- Loads dropped DLL (1 IoC)
  Processes (pid, process):
    2224  cmd.exe

- Uses the VBS compiler for execution (1 TTP)

- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes (description, ioc, process):
    Set value (str)
    \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\svchost = "\"C:\\Users\\Admin\\AppData\\Roaming\\svchost.exe\""
    74ab97b09af8d1277126ff92b065ce8f08c3dc28f17745e78c0d8fcf0e8b5447.exe

- Suspicious use of SetThreadContext (1 IoC)
  Processes (description, pid, process, target pid, target process):
    set thread context  2560  svchost.exe  2656  wmplayer.exe

- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).

- Program crash (1 IoC)
  Processes (pid, process, target pid, target process):
    628  WerFault.exe  2656  wmplayer.exe

- Creates scheduled task(s) (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.

- Delays execution with timeout.exe (1 IoC)
  Processes (pid, process):
    2720  timeout.exe

- Runs regedit.exe (1 IoC)
  Processes (pid, process):
    2432  regedit.exe

- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  Processes (pid, process); the report lists each row once per IoC, repeated rows collapsed here:
    1640  74ab97b09af8d1277126ff92b065ce8f08c3dc28f17745e78c0d8fcf0e8b5447.exe
    2560  svchost.exe

- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes (description, pid, process):
    Token: SeDebugPrivilege  1640  74ab97b09af8d1277126ff92b065ce8f08c3dc28f17745e78c0d8fcf0e8b5447.exe
    Token: SeDebugPrivilege  2560  svchost.exe

- Suspicious use of WriteProcessMemory (64 IoCs)
  Processes (description, pid, process, target pid, target process); the report lists each row several times, repeated rows collapsed here:
    PID 1640 wrote to memory of 2120  74ab97b09af8d1277126ff92b065ce8f08c3dc28f17745e78c0d8fcf0e8b5447.exe  cmd.exe
    PID 1640 wrote to memory of 2224  74ab97b09af8d1277126ff92b065ce8f08c3dc28f17745e78c0d8fcf0e8b5447.exe  cmd.exe
    PID 2120 wrote to memory of 2736  cmd.exe  schtasks.exe
    PID 2224 wrote to memory of 2720  cmd.exe  timeout.exe
    PID 2224 wrote to memory of 2560  cmd.exe  svchost.exe
    PID 2560 wrote to memory of 2588  svchost.exe  cmd.exe
    PID 2560 wrote to memory of 2432  svchost.exe  regedit.exe
    PID 2560 wrote to memory of 2912  svchost.exe  aspnet_wp.exe
    PID 2560 wrote to memory of 1992  svchost.exe  vbc.exe
    PID 2560 wrote to memory of 2656  svchost.exe  wmplayer.exe

- Uses Task Scheduler COM API (1 TTP)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes (indented by process-tree depth)

C:\Users\Admin\AppData\Local\Temp\74ab97b09af8d1277126ff92b065ce8f08c3dc28f17745e78c0d8fcf0e8b5447.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\74ab97b09af8d1277126ff92b065ce8f08c3dc28f17745e78c0d8fcf0e8b5447.exe"
  PID: 1640
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Windows\System32\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\Admin\AppData\Roaming\svchost.exe"' & exit
    PID: 2120
    - Suspicious use of WriteProcessMemory

    C:\Windows\system32\schtasks.exe
      Command line: schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\Admin\AppData\Roaming\svchost.exe"'
      PID: 2736
      - Creates scheduled task(s)

  C:\Windows\system32\cmd.exe
    Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmpEDF.tmp.bat""
    PID: 2224
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory

    C:\Windows\system32\timeout.exe
      Command line: timeout 3
      PID: 2720
      - Delays execution with timeout.exe

    C:\Users\Admin\AppData\Roaming\svchost.exe
      Command line: "C:\Users\Admin\AppData\Roaming\svchost.exe"
      PID: 2560
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory

      C:\Windows\System32\cmd.exe
        Command line: "C:\Windows\System32\cmd.exe"
        PID: 2588

      C:\Windows\regedit.exe
        Command line: "C:\Windows\regedit.exe"
        PID: 2432
        - Runs regedit.exe

      C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe
        Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe"
        PID: 2912

      C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        PID: 1992

      C:\Program Files (x86)\Windows Media Player\wmplayer.exe
        Command line: "C:\Program Files (x86)\Windows Media Player\wmplayer.exe"
        PID: 2656

        C:\Windows\SysWOW64\WerFault.exe
          Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2656 -s 200
          PID: 628
          - Program crash

      C:\Program Files (x86)\Windows Media Player\wmplayer.exe
        Command line: "C:\Program Files (x86)\Windows Media Player\wmplayer.exe"
        PID: 2312
Network
MITRE ATT&CK Enterprise v15
Downloads

File 1
Filesize: 150B
MD5: b6ed3657bb0bb72e22b45244d24b7847
SHA1: 3bd8b07bd9016fcf28b90af5b5d82cf219bdb6f9
SHA256: 755c1f0d37cf6d499c0a75d1033f6df75236fcc9dc3dc2901fc87de40210219a
SHA512: 255c77d2c0274e8c690c2d75144b3de800e3c12404b1fb815675ee57973ca6a315a3130e5d2449145f30bd8c9dd0d1ef5d945daf154e0f1920387a7ca5905c57

File 2
Filesize: 577KB
MD5: a9862010588f43a61bd317483b93947b
SHA1: 31987c99822c71a38cebc13d8d3261833313a77c
SHA256: 74ab97b09af8d1277126ff92b065ce8f08c3dc28f17745e78c0d8fcf0e8b5447
SHA512: 1ac4380dfb2c8cea6a4071c56d6cbf21a17cb79c791fe264dbe65b5f72749dd159918810d0ab00cbb84b8531e464f2c697d8d00fc34b7044228096a5d7dd06b1