Analysis Overview
SHA256
59dc7fff61938536be577f4f4bffccd30490bc65f63438b3f5a9fb3de94aaa64
Threat Level: Known bad
The file 59dc7fff61938536be577f4f4bffccd30490bc65f63438b3f5a9fb3de94aaa64 was found to be: Known bad.
Malicious Activity Summary
WarzoneRat, AveMaria
Warzone RAT payload
Checks computer location settings
Suspicious use of SetThreadContext
Unsigned PE
Enumerates physical storage devices
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-04-17 14:28
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-04-17 14:28
Reported
2024-04-17 14:31
Platform
win7-20231129-en
Max time kernel
145s
Max time network
149s
Command Line
Signatures
WarzoneRat, AveMaria
Warzone RAT payload
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 2240 set thread context of 2568 | N/A | C:\Users\Admin\AppData\Local\Temp\de492c6384df2afd8c36f3f8ca910d93a21a2981b3c3a80e8a858d643122d488.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe |
Enumerates physical storage devices
Creates scheduled task(s)
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
|---|---|---|---|
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\de492c6384df2afd8c36f3f8ca910d93a21a2981b3c3a80e8a858d643122d488.exe
"C:\Users\Admin\AppData\Local\Temp\de492c6384df2afd8c36f3f8ca910d93a21a2981b3c3a80e8a858d643122d488.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\jWrCcgXRUONxj.exe"
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\jWrCcgXRUONxj" /XML "C:\Users\Admin\AppData\Local\Temp\tmp402C.tmp"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 38.255.33.106:7896 | | tcp |
| US | 38.255.33.106:7896 | | tcp |
| US | 38.255.33.106:7896 | | tcp |
| US | 38.255.33.106:7896 | | tcp |
| US | 38.255.33.106:7896 | | tcp |
| US | 38.255.33.106:7896 | | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\tmp402C.tmp
| Hash | Value |
|---|---|
| MD5 | 7eb4ecd6154fe5f0e22e6206e34d01e5 |
| SHA1 | 4399cb2e1ac3737b43c5f16356551dd8d937db0e |
| SHA256 | 05094ee2bb5223bb3cd92a2e35f7150fbcc0592c46e7d6a1c616a5b11e57db98 |
| SHA512 | 15bb3173e778676fc64b7232efc3594fd694e17d07f578513934e8080f92eabac8e16014f56885e1762a342ea56dfd46334cba26404de73b8ce82820945dd822 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-04-17 14:28
Reported
2024-04-17 14:32
Platform
win10v2004-20240412-en
Max time kernel
142s
Max time network
159s
Command Line
Signatures
WarzoneRat, AveMaria
Warzone RAT payload
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key value queried | \REGISTRY\USER\S-1-5-21-4092317236-2027488869-1227795436-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\de492c6384df2afd8c36f3f8ca910d93a21a2981b3c3a80e8a858d643122d488.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 708 set thread context of 5024 | N/A | C:\Users\Admin\AppData\Local\Temp\de492c6384df2afd8c36f3f8ca910d93a21a2981b3c3a80e8a858d643122d488.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe |
Enumerates physical storage devices
Creates scheduled task(s)
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\de492c6384df2afd8c36f3f8ca910d93a21a2981b3c3a80e8a858d643122d488.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\de492c6384df2afd8c36f3f8ca910d93a21a2981b3c3a80e8a858d643122d488.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
|---|---|---|---|
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\de492c6384df2afd8c36f3f8ca910d93a21a2981b3c3a80e8a858d643122d488.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\de492c6384df2afd8c36f3f8ca910d93a21a2981b3c3a80e8a858d643122d488.exe
"C:\Users\Admin\AppData\Local\Temp\de492c6384df2afd8c36f3f8ca910d93a21a2981b3c3a80e8a858d643122d488.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\jWrCcgXRUONxj.exe"
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\jWrCcgXRUONxj" /XML "C:\Users\Admin\AppData\Local\Temp\tmpBD93.tmp"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | 64.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.24.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 248.81.21.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 38.255.33.106:7896 | | tcp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 81.139.73.23.in-addr.arpa | udp |
| US | 38.255.33.106:7896 | | tcp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 52.111.229.19:443 | | tcp |
| US | 38.255.33.106:7896 | | tcp |
| US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 38.255.33.106:7896 | | tcp |
| US | 38.255.33.106:7896 | | tcp |
| US | 8.8.8.8:53 | 13.173.189.20.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\tmpBD93.tmp
| Hash | Value |
|---|---|
| MD5 | ed22eb8a1bf11ad2bd36f0626c29accb |
| SHA1 | c0b7bd69ce79caaf7f40e68efcd4000e4b1f74f9 |
| SHA256 | 3532b09fa35c27ba7fbe36011ae93664e8326f03b47cfc44a199409db51d9861 |
| SHA512 | 891169ea6910812a913c88677d0f66f3e757d0a6d303f9349b6246c787c059063977bec8b3bf44c4eb4a1ad0adff20d49eab25fee46178e662cb9522a7a7cf97 |
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_egkqln1d.e3x.ps1
| Hash | Value |
|---|---|
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |