Analysis
- max time kernel: 185s
- max time network: 209s
- platform: windows10-2004_x64
- resource: win10v2004-20240412-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240412-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 17-04-2024 13:50
Static task: static1
Behavioral task: behavioral1
- Sample: 74ab97b09af8d1277126ff92b065ce8f08c3dc28f17745e78c0d8fcf0e8b5447.exe
- Resource: win7-20240220-en
Behavioral task: behavioral2
- Sample: 74ab97b09af8d1277126ff92b065ce8f08c3dc28f17745e78c0d8fcf0e8b5447.exe
- Resource: win10v2004-20240412-en
General
- Target: 74ab97b09af8d1277126ff92b065ce8f08c3dc28f17745e78c0d8fcf0e8b5447.exe
- Size: 577KB
- MD5: a9862010588f43a61bd317483b93947b
- SHA1: 31987c99822c71a38cebc13d8d3261833313a77c
- SHA256: 74ab97b09af8d1277126ff92b065ce8f08c3dc28f17745e78c0d8fcf0e8b5447
- SHA512: 1ac4380dfb2c8cea6a4071c56d6cbf21a17cb79c791fe264dbe65b5f72749dd159918810d0ab00cbb84b8531e464f2c697d8d00fc34b7044228096a5d7dd06b1
- SSDEEP: 12288:er3Qp5I9xWZvHgYAXGWKkv5oT4sIrT9t4GH:ejOySRA2nsRNH
Malware Config
Extracted
- Family: warzonerat
- C2: 51.77.167.59:5951
Signatures
- WarzoneRat, AveMaria
  WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
- Warzone RAT payload (3 IoCs)
  Processes (resource / yara_rule):
  - behavioral2/memory/1280-16-0x0000000000400000-0x000000000055A000-memory.dmp / warzonerat
  - behavioral2/memory/1280-18-0x0000000000400000-0x000000000055A000-memory.dmp / warzonerat
  - behavioral2/memory/1280-19-0x0000000000400000-0x000000000055A000-memory.dmp / warzonerat
- Checks computer location settings (2 TTPs, 1 IoCs)
  Looks up country code configured in the registry, likely geofence.
  Processes: 74ab97b09af8d1277126ff92b065ce8f08c3dc28f17745e78c0d8fcf0e8b5447.exe
  - Key value queried: \REGISTRY\USER\S-1-5-21-1230272463-3683322193-511842230-1000\Control Panel\International\Geo\Nation (process: 74ab97b09af8d1277126ff92b065ce8f08c3dc28f17745e78c0d8fcf0e8b5447.exe)
- Executes dropped EXE (1 IoCs)
  Processes: svchost.exe
  - PID 3988 svchost.exe
- Uses the VBS compiler for execution (1 TTPs)
- Adds Run key to start application (2 TTPs, 1 IoCs)
  Processes: 74ab97b09af8d1277126ff92b065ce8f08c3dc28f17745e78c0d8fcf0e8b5447.exe
  - Set value (str): \REGISTRY\USER\S-1-5-21-1230272463-3683322193-511842230-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchost = "\"C:\\Users\\Admin\\AppData\\Roaming\\svchost.exe\"" (process: 74ab97b09af8d1277126ff92b065ce8f08c3dc28f17745e78c0d8fcf0e8b5447.exe)
- Suspicious use of SetThreadContext (1 IoCs)
  Processes: svchost.exe
  - PID 3988 (svchost.exe) set thread context of PID 1280 (vbc.exe)
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Creates scheduled task(s) (1 TTPs, 1 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
- Delays execution with timeout.exe (1 IoCs)
  Processes: timeout.exe
  - PID 1324 timeout.exe
- Runs regedit.exe (1 IoCs)
  Processes: regedit.exe
  - PID 868 regedit.exe
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  Processes (pid / process; the 64 hits are repeated entries for these two processes):
  - 3192 / 74ab97b09af8d1277126ff92b065ce8f08c3dc28f17745e78c0d8fcf0e8b5447.exe
  - 3988 / svchost.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes: 74ab97b09af8d1277126ff92b065ce8f08c3dc28f17745e78c0d8fcf0e8b5447.exe, svchost.exe
  - Token: SeDebugPrivilege, PID 3192 (74ab97b09af8d1277126ff92b065ce8f08c3dc28f17745e78c0d8fcf0e8b5447.exe)
  - Token: SeDebugPrivilege, PID 3988 (svchost.exe)
- Suspicious use of WriteProcessMemory (30 IoCs)
  Processes: 74ab97b09af8d1277126ff92b065ce8f08c3dc28f17745e78c0d8fcf0e8b5447.exe, cmd.exe, cmd.exe, svchost.exe
  Distinct source -> target pairs (the 30 hits are repeated entries for these pairs):
  - PID 3192 (74ab97b09af8d1277126ff92b065ce8f08c3dc28f17745e78c0d8fcf0e8b5447.exe) wrote to memory of PID 452 (cmd.exe)
  - PID 3192 (74ab97b09af8d1277126ff92b065ce8f08c3dc28f17745e78c0d8fcf0e8b5447.exe) wrote to memory of PID 220 (cmd.exe)
  - PID 220 (cmd.exe) wrote to memory of PID 1324 (timeout.exe)
  - PID 452 (cmd.exe) wrote to memory of PID 1924 (schtasks.exe)
  - PID 220 (cmd.exe) wrote to memory of PID 3988 (svchost.exe)
  - PID 3988 (svchost.exe) wrote to memory of PID 868 (regedit.exe)
  - PID 3988 (svchost.exe) wrote to memory of PID 1280 (vbc.exe)
- Uses Task Scheduler COM API (1 TTPs)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
- C:\Users\Admin\AppData\Local\Temp\74ab97b09af8d1277126ff92b065ce8f08c3dc28f17745e78c0d8fcf0e8b5447.exe (PID 3192)
  Command line: "C:\Users\Admin\AppData\Local\Temp\74ab97b09af8d1277126ff92b065ce8f08c3dc28f17745e78c0d8fcf0e8b5447.exe"
  - Checks computer location settings
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\System32\cmd.exe (PID 452)
    Command line: "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\Admin\AppData\Roaming\svchost.exe"' & exit
    - Suspicious use of WriteProcessMemory
    - C:\Windows\system32\schtasks.exe (PID 1924)
      Command line: schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\Admin\AppData\Roaming\svchost.exe"'
      - Creates scheduled task(s)
  - C:\Windows\system32\cmd.exe (PID 220)
    Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpAC24.tmp.bat""
    - Suspicious use of WriteProcessMemory
    - C:\Windows\system32\timeout.exe (PID 1324)
      Command line: timeout 3
      - Delays execution with timeout.exe
    - C:\Users\Admin\AppData\Roaming\svchost.exe (PID 3988)
      Command line: "C:\Users\Admin\AppData\Roaming\svchost.exe"
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      - C:\Windows\regedit.exe (PID 868)
        Command line: "C:\Windows\regedit.exe"
        - Runs regedit.exe
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe (PID 1280)
        Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 151B
  MD5: cdd08673f901d5eb3f63751713050d61
  SHA1: 12e73f07d10bee3cc3d5f8f0284216430b5f9eb0
  SHA256: 2929344e53b2ad12d5b3c1f69b1f1b1fa3fc6242f82d066d786c8d438a184ac6
  SHA512: ef2ef35c59fbc416e1b599eae10192a88f7082c22860e130a5122ecbe6505f6fe7af42056a1e8c957b4c7752b15915efb9efef94342734ff8cb1486e490007aa
- Filesize: 577KB
  MD5: a9862010588f43a61bd317483b93947b
  SHA1: 31987c99822c71a38cebc13d8d3261833313a77c
  SHA256: 74ab97b09af8d1277126ff92b065ce8f08c3dc28f17745e78c0d8fcf0e8b5447
  SHA512: 1ac4380dfb2c8cea6a4071c56d6cbf21a17cb79c791fe264dbe65b5f72749dd159918810d0ab00cbb84b8531e464f2c697d8d00fc34b7044228096a5d7dd06b1