Analysis

  • max time kernel
    185s
  • max time network
    209s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240412-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
  • submitted
    17-04-2024 13:50

General

  • Target

    74ab97b09af8d1277126ff92b065ce8f08c3dc28f17745e78c0d8fcf0e8b5447.exe

  • Size

    577KB

  • MD5

    a9862010588f43a61bd317483b93947b

  • SHA1

    31987c99822c71a38cebc13d8d3261833313a77c

  • SHA256

    74ab97b09af8d1277126ff92b065ce8f08c3dc28f17745e78c0d8fcf0e8b5447

  • SHA512

    1ac4380dfb2c8cea6a4071c56d6cbf21a17cb79c791fe264dbe65b5f72749dd159918810d0ab00cbb84b8531e464f2c697d8d00fc34b7044228096a5d7dd06b1

  • SSDEEP

    12288:er3Qp5I9xWZvHgYAXGWKkv5oT4sIrT9t4GH:ejOySRA2nsRNH

Malware Config

Extracted

Family

warzonerat

C2

51.77.167.59:5951

Signatures

  • WarzoneRat, AveMaria

    WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.

  • Warzone RAT payload 3 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Uses the VBS compiler for execution 1 TTPs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Delays execution with timeout.exe 1 IoCs
  • Runs regedit.exe 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 30 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\74ab97b09af8d1277126ff92b065ce8f08c3dc28f17745e78c0d8fcf0e8b5447.exe
    "C:\Users\Admin\AppData\Local\Temp\74ab97b09af8d1277126ff92b065ce8f08c3dc28f17745e78c0d8fcf0e8b5447.exe"
    1⤵
    • Checks computer location settings
    • Adds Run key to start application
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3192
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\Admin\AppData\Roaming\svchost.exe"' & exit
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:452
      • C:\Windows\system32\schtasks.exe
        schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\Admin\AppData\Roaming\svchost.exe"'
        3⤵
        • Creates scheduled task(s)
        PID:1924
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpAC24.tmp.bat""
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:220
      • C:\Windows\system32\timeout.exe
        timeout 3
        3⤵
        • Delays execution with timeout.exe
        PID:1324
      • C:\Users\Admin\AppData\Roaming\svchost.exe
        "C:\Users\Admin\AppData\Roaming\svchost.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:3988
        • C:\Windows\regedit.exe
          "C:\Windows\regedit.exe"
          4⤵
          • Runs regedit.exe
          PID:868
        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
          "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
          4⤵
            PID:1280

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\tmpAC24.tmp.bat

      Filesize

      151B

      MD5

      cdd08673f901d5eb3f63751713050d61

      SHA1

      12e73f07d10bee3cc3d5f8f0284216430b5f9eb0

      SHA256

      2929344e53b2ad12d5b3c1f69b1f1b1fa3fc6242f82d066d786c8d438a184ac6

      SHA512

      ef2ef35c59fbc416e1b599eae10192a88f7082c22860e130a5122ecbe6505f6fe7af42056a1e8c957b4c7752b15915efb9efef94342734ff8cb1486e490007aa

    • C:\Users\Admin\AppData\Roaming\svchost.exe

      Filesize

      577KB

      MD5

      a9862010588f43a61bd317483b93947b

      SHA1

      31987c99822c71a38cebc13d8d3261833313a77c

      SHA256

      74ab97b09af8d1277126ff92b065ce8f08c3dc28f17745e78c0d8fcf0e8b5447

      SHA512

      1ac4380dfb2c8cea6a4071c56d6cbf21a17cb79c791fe264dbe65b5f72749dd159918810d0ab00cbb84b8531e464f2c697d8d00fc34b7044228096a5d7dd06b1

    • memory/1280-19-0x0000000000400000-0x000000000055A000-memory.dmp

      Filesize

      1.4MB

    • memory/1280-18-0x0000000000400000-0x000000000055A000-memory.dmp

      Filesize

      1.4MB

    • memory/1280-16-0x0000000000400000-0x000000000055A000-memory.dmp

      Filesize

      1.4MB

    • memory/3192-10-0x00007FFDD1B90000-0x00007FFDD2651000-memory.dmp

      Filesize

      10.8MB

    • memory/3192-0-0x000001C60C5A0000-0x000001C60C5BC000-memory.dmp

      Filesize

      112KB

    • memory/3192-6-0x00007FFDD1B90000-0x00007FFDD2651000-memory.dmp

      Filesize

      10.8MB

    • memory/3192-3-0x000001C626B00000-0x000001C626B7A000-memory.dmp

      Filesize

      488KB

    • memory/3192-2-0x000001C626D60000-0x000001C626D70000-memory.dmp

      Filesize

      64KB

    • memory/3192-1-0x00007FFDD1B90000-0x00007FFDD2651000-memory.dmp

      Filesize

      10.8MB

    • memory/3988-14-0x00007FFDD19E0000-0x00007FFDD24A1000-memory.dmp

      Filesize

      10.8MB

    • memory/3988-15-0x00007FFDD19E0000-0x00007FFDD24A1000-memory.dmp

      Filesize

      10.8MB