Analysis

  • max time kernel
    149s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240412-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240412-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    17-04-2024 14:54

General

  • Target

    913377afa6c3d7afb49a491f830d52a33353349819f0e91157a01dc8336ac5b3.exe

  • Size

    582KB

  • MD5

    7bee43d88ddd5717c4059960d4f7abbb

  • SHA1

    51768285fb6047a523af3d28e3e8601fa17a181d

  • SHA256

    913377afa6c3d7afb49a491f830d52a33353349819f0e91157a01dc8336ac5b3

  • SHA512

    b3043c68445d95d1794e6557d9ce096c812c631e7d43dcdfe40850731e94ed877799fd6baf162197c888d0484a07b9c8c73994b08c9844434d3f388b768162cd

  • SSDEEP

    12288:nSQ3xl2I6NRNXDrI9GeZnbfPJJgR5lbULc1tBWpK9s3FqFLtomQ:Bf6rNX1eVXjGbt1oqFLtoN

Malware Config

Extracted

Family

warzonerat

C2

satgobleien.jumpingcrab.com:5201

Signatures

  • WarzoneRat, AveMaria

    WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.

  • Warzone RAT payload 9 IoCs
  • Executes dropped EXE 3 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Suspicious use of SetThreadContext 4 IoCs
  • Program crash 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 47 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\913377afa6c3d7afb49a491f830d52a33353349819f0e91157a01dc8336ac5b3.exe
    "C:\Users\Admin\AppData\Local\Temp\913377afa6c3d7afb49a491f830d52a33353349819f0e91157a01dc8336ac5b3.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1604
    • C:\Users\Admin\AppData\Local\Temp\913377afa6c3d7afb49a491f830d52a33353349819f0e91157a01dc8336ac5b3.exe
      C:\Users\Admin\AppData\Local\Temp\913377afa6c3d7afb49a491f830d52a33353349819f0e91157a01dc8336ac5b3.exe
      2⤵
        PID:3144
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 3144 -s 80
          3⤵
          • Program crash
          PID:3696
      • C:\Users\Admin\AppData\Local\Temp\913377afa6c3d7afb49a491f830d52a33353349819f0e91157a01dc8336ac5b3.exe
        C:\Users\Admin\AppData\Local\Temp\913377afa6c3d7afb49a491f830d52a33353349819f0e91157a01dc8336ac5b3.exe
        2⤵
        • Adds Run key to start application
        • Suspicious use of WriteProcessMemory
        PID:2124
        • C:\ProgramData\vimages.exe
          "C:\ProgramData\vimages.exe"
          3⤵
          • Executes dropped EXE
          • Suspicious use of SetThreadContext
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:4064
          • C:\ProgramData\vimages.exe
            C:\ProgramData\vimages.exe
            4⤵
            • Executes dropped EXE
            PID:1048
          • C:\ProgramData\vimages.exe
            C:\ProgramData\vimages.exe
            4⤵
            • Executes dropped EXE
            PID:1384
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3144 -ip 3144
      1⤵
        PID:3904

Network

MITRE ATT&CK Enterprise v15

Downloads

      • C:\ProgramData\vimages.exe

        Filesize

        582KB

        MD5

        7bee43d88ddd5717c4059960d4f7abbb

        SHA1

        51768285fb6047a523af3d28e3e8601fa17a181d

        SHA256

        913377afa6c3d7afb49a491f830d52a33353349819f0e91157a01dc8336ac5b3

        SHA512

        b3043c68445d95d1794e6557d9ce096c812c631e7d43dcdfe40850731e94ed877799fd6baf162197c888d0484a07b9c8c73994b08c9844434d3f388b768162cd

      • memory/1048-34-0x0000000000400000-0x0000000000554000-memory.dmp

        Filesize

        1.3MB

      • memory/1048-30-0x0000000000400000-0x0000000000554000-memory.dmp

        Filesize

        1.3MB

      • memory/1048-25-0x0000000000400000-0x0000000000554000-memory.dmp

        Filesize

        1.3MB

      • memory/1384-33-0x0000000000400000-0x0000000000554000-memory.dmp

        Filesize

        1.3MB

      • memory/1384-32-0x0000000000400000-0x0000000000554000-memory.dmp

        Filesize

        1.3MB

      • memory/1604-5-0x00000000081C0000-0x000000000825C000-memory.dmp

        Filesize

        624KB

      • memory/1604-1-0x0000000074EE0000-0x0000000075690000-memory.dmp

        Filesize

        7.7MB

      • memory/1604-12-0x0000000074EE0000-0x0000000075690000-memory.dmp

        Filesize

        7.7MB

      • memory/1604-0-0x0000000000180000-0x000000000021C000-memory.dmp

        Filesize

        624KB

      • memory/1604-2-0x0000000004B40000-0x0000000004B46000-memory.dmp

        Filesize

        24KB

      • memory/1604-6-0x0000000004D60000-0x0000000004D66000-memory.dmp

        Filesize

        24KB

      • memory/1604-3-0x0000000004D90000-0x0000000004DA0000-memory.dmp

        Filesize

        64KB

      • memory/1604-4-0x0000000004CD0000-0x0000000004D64000-memory.dmp

        Filesize

        592KB

      • memory/2124-18-0x0000000000400000-0x0000000000554000-memory.dmp

        Filesize

        1.3MB

      • memory/2124-8-0x0000000000400000-0x0000000000554000-memory.dmp

        Filesize

        1.3MB

      • memory/2124-13-0x0000000000400000-0x0000000000554000-memory.dmp

        Filesize

        1.3MB

      • memory/2124-11-0x0000000000400000-0x0000000000554000-memory.dmp

        Filesize

        1.3MB

      • memory/4064-20-0x0000000004C80000-0x0000000004C90000-memory.dmp

        Filesize

        64KB

      • memory/4064-29-0x00000000747F0000-0x0000000074FA0000-memory.dmp

        Filesize

        7.7MB

      • memory/4064-19-0x00000000747F0000-0x0000000074FA0000-memory.dmp

        Filesize

        7.7MB