Analysis
- max time kernel: 293s
- max time network: 302s
- platform: windows10-1703_x64
- resource: win10-20240404-en
- resource tags: arch:x64, arch:x86, image:win10-20240404-en, locale:en-us, os:windows10-1703-x64, system
- submitted: 21-04-2024 14:06
Behavioral tasks
- behavioral1: Sample Server.exe, Resource win7-20240220-en
- behavioral2: Sample Server.exe, Resource win10-20240404-en
- behavioral3: Sample Server.exe, Resource win10v2004-20240412-en
- behavioral4: Sample Server.exe, Resource win11-20240412-en
General
- Target: Server.exe
- Size: 132KB
- MD5: 70cac1d5f3bca89d948821f6c2b51bf7
- SHA1: 86f8c769a840e902c0f7073943d2c0506e5c6c15
- SHA256: 6898a4a5134e3da33a28477ce504ef8385021d2200080573e85e5ea332724d0e
- SHA512: e8e13f252fe72635de37c45b5a6a1a0dbed5bddcded64ad1dd5f47b94ec08a080adccf61203b20fa3922c0ac15b2d1063c6e767a4cb13154704c7f7c7f44fa69
- SSDEEP: 3072:K7W9jps0Tx4azG6GweOTir5axbjNCz45LT7a:KwpsERzGKurEXCzeLT7a
Malware Config
Signatures
- WarzoneRat, AveMaria
  WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
- Drops startup file (2 IoCs)
  Processes: Server.exe
    description | ioc | process
    File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\programs.bat | Server.exe
    File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\programs.bat:start | Server.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes: Server.exe
    description | ioc | process
    Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WD Antivirus = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Server.exe" | Server.exe
- NTFS ADS (2 IoCs)
  Processes: Server.exe
    description | ioc | process
    File created | C:\Users\Admin\Documents\Documents:ApplicationData | Server.exe
    File opened for modification | C:\Users\Admin\Documents\Documents:ApplicationData | Server.exe
- Suspicious behavior: EnumeratesProcesses (3 IoCs)
  Processes: powershell.exe
    pid | process
    3516 | powershell.exe
    3516 | powershell.exe
    3516 | powershell.exe
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes: powershell.exe
    description | pid | process
    Token: SeDebugPrivilege | 3516 | powershell.exe
- Suspicious use of WriteProcessMemory (8 IoCs)
  Processes: Server.exe
    description | pid | process | target process
    PID 5032 wrote to memory of 3516 | 5032 | Server.exe | powershell.exe
    PID 5032 wrote to memory of 3516 | 5032 | Server.exe | powershell.exe
    PID 5032 wrote to memory of 3516 | 5032 | Server.exe | powershell.exe
    PID 5032 wrote to memory of 3448 | 5032 | Server.exe | cmd.exe
    PID 5032 wrote to memory of 3448 | 5032 | Server.exe | cmd.exe
    PID 5032 wrote to memory of 3448 | 5032 | Server.exe | cmd.exe
    PID 5032 wrote to memory of 3448 | 5032 | Server.exe | cmd.exe
    PID 5032 wrote to memory of 3448 | 5032 | Server.exe | cmd.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\Server.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\Server.exe"
  - Drops startup file
  - Adds Run key to start application
  - NTFS ADS
  - Suspicious use of WriteProcessMemory
  PID: 5032
  Child processes:
  - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    Command line: powershell Add-MpPreference -ExclusionPath C:\
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 3516
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe"
    PID: 3448
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 1B
  MD5: c4ca4238a0b923820dcc509a6f75849b
  SHA1: 356a192b7913b04c54574d18c28d46e6395428ab
  SHA256: 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b
  SHA512: 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a