Analysis
max time kernel: 299s
max time network: 302s
platform: windows7_x64
resource: win7-20240220-en
resource tags: arch:x64, arch:x86, image:win7-20240220-en, locale:en-us, os:windows7-x64, system
submitted: 21-04-2024 14:06
Behavioral tasks
- behavioral1: Sample Server.exe, Resource win7-20240220-en
- behavioral2: Sample Server.exe, Resource win10-20240404-en
- behavioral3: Sample Server.exe, Resource win10v2004-20240412-en
- behavioral4: Sample Server.exe, Resource win11-20240412-en
General
Target: Server.exe
Size: 132KB
MD5: 70cac1d5f3bca89d948821f6c2b51bf7
SHA1: 86f8c769a840e902c0f7073943d2c0506e5c6c15
SHA256: 6898a4a5134e3da33a28477ce504ef8385021d2200080573e85e5ea332724d0e
SHA512: e8e13f252fe72635de37c45b5a6a1a0dbed5bddcded64ad1dd5f47b94ec08a080adccf61203b20fa3922c0ac15b2d1063c6e767a4cb13154704c7f7c7f44fa69
SSDEEP: 3072:K7W9jps0Tx4azG6GweOTir5axbjNCz45LT7a:KwpsERzGKurEXCzeLT7a
Malware Config
Signatures
- WarzoneRat, AveMaria
  WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.

- Drops startup file (2 IoCs)
  Processes: Server.exe
  description  | ioc                                                                                          | process
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\programs.bat       | Server.exe
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\programs.bat:start | Server.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes: Server.exe
  description     | ioc                                                                                                                                                    | process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WD Antivirus = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Server.exe" | Server.exe

- Modifies WinLogon (2 TTPs, 4 IoCs)
  Processes: Server.exe
  description     | ioc                                                                                                     | process
  Key created     | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList          | Server.exe
  Key created     | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts                   | Server.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList\AutsI.. = "0" | Server.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList\xjtkuGI = "0" | Server.exe
- NTFS ADS (2 IoCs)
  Processes: Server.exe
  description                  | ioc                                               | process
  File opened for modification | C:\Users\Admin\Documents\Documents:ApplicationData | Server.exe
  File created                 | C:\Users\Admin\Documents\Documents:ApplicationData | Server.exe

- Suspicious behavior: EnumeratesProcesses (1 IoC)
  Processes: powershell.exe
  pid  | process
  2184 | powershell.exe

- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Processes: powershell.exe, cmd.exe, cmd.exe
  description              | pid  | process
  Token: SeDebugPrivilege  | 2184 | powershell.exe
  Token: SeDebugPrivilege  | 2248 | cmd.exe
  Token: SeDebugPrivilege  | 1936 | cmd.exe
- Suspicious use of WriteProcessMemory (22 IoCs)
  Processes: Server.exe
  description                        | pid  | process    | target process | events
  PID 2480 wrote to memory of 2184   | 2480 | Server.exe | powershell.exe | 4
  PID 2480 wrote to memory of 2508   | 2480 | Server.exe | cmd.exe        | 6
  PID 2480 wrote to memory of 2248   | 2480 | Server.exe | cmd.exe        | 6
  PID 2480 wrote to memory of 1936   | 2480 | Server.exe | cmd.exe        | 6
Processes
- Level 1: C:\Users\Admin\AppData\Local\Temp\Server.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\Server.exe"
  PID: 2480
  Signatures: Drops startup file; Adds Run key to start application; Modifies WinLogon; NTFS ADS; Suspicious use of WriteProcessMemory
  - Level 2: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    Command line: powershell Add-MpPreference -ExclusionPath C:\
    PID: 2184
    Signatures: Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
  - Level 2: C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe"
    PID: 2508
  - Level 2: C:\Windows\System32\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe"
    PID: 2248
    Signatures: Suspicious use of AdjustPrivilegeToken
  - Level 2: C:\Windows\System32\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe"
    PID: 1936
    Signatures: Suspicious use of AdjustPrivilegeToken