Analysis
max time kernel: 298s
max time network: 302s
platform: windows11-21h2_x64
resource: win11-20240412-en
resource tags: arch:x64, arch:x86, image:win11-20240412-en, locale:en-us, os:windows11-21h2-x64, system
submitted: 21-04-2024 14:06
Behavioral tasks
behavioral1: Sample Server.exe, Resource win7-20240220-en
behavioral2: Sample Server.exe, Resource win10-20240404-en
behavioral3: Sample Server.exe, Resource win10v2004-20240412-en
behavioral4: Sample Server.exe, Resource win11-20240412-en
General
Target: Server.exe
Size: 132KB
MD5: 70cac1d5f3bca89d948821f6c2b51bf7
SHA1: 86f8c769a840e902c0f7073943d2c0506e5c6c15
SHA256: 6898a4a5134e3da33a28477ce504ef8385021d2200080573e85e5ea332724d0e
SHA512: e8e13f252fe72635de37c45b5a6a1a0dbed5bddcded64ad1dd5f47b94ec08a080adccf61203b20fa3922c0ac15b2d1063c6e767a4cb13154704c7f7c7f44fa69
SSDEEP: 3072:K7W9jps0Tx4azG6GweOTir5axbjNCz45LT7a:KwpsERzGKurEXCzeLT7a
Malware Config
Signatures

WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.

Drops startup file (2 IoCs)
Processes:
description | ioc | process
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\programs.bat:start | Server.exe
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\programs.bat | Server.exe

Adds Run key to start application (2 TTPs, 1 IoCs)
Processes:
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WD Antivirus = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Server.exe" | Server.exe

NTFS ADS (2 IoCs)
Processes:
description | ioc | process
File created | C:\Users\Admin\Documents\Documents:ApplicationData | Server.exe
File opened for modification | C:\Users\Admin\Documents\Documents:ApplicationData | Server.exe

Suspicious behavior: EnumeratesProcesses (2 IoCs)
Processes:
pid | process
3672 | powershell.exe
3672 | powershell.exe

Suspicious use of AdjustPrivilegeToken (1 IoCs)
Processes:
description | pid | process
Token: SeDebugPrivilege | 3672 | powershell.exe

Suspicious use of WriteProcessMemory (8 IoCs)
Processes:
description | pid | process | target process
PID 492 wrote to memory of 3672 | 492 | Server.exe | powershell.exe
PID 492 wrote to memory of 3672 | 492 | Server.exe | powershell.exe
PID 492 wrote to memory of 3672 | 492 | Server.exe | powershell.exe
PID 492 wrote to memory of 4456 | 492 | Server.exe | cmd.exe
PID 492 wrote to memory of 4456 | 492 | Server.exe | cmd.exe
PID 492 wrote to memory of 4456 | 492 | Server.exe | cmd.exe
PID 492 wrote to memory of 4456 | 492 | Server.exe | cmd.exe
PID 492 wrote to memory of 4456 | 492 | Server.exe | cmd.exe
Processes
C:\Users\Admin\AppData\Local\Temp\Server.exe  (command line: "C:\Users\Admin\AppData\Local\Temp\Server.exe")  PID: 492
  - Drops startup file
  - Adds Run key to start application
  - NTFS ADS
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  (command line: powershell Add-MpPreference -ExclusionPath C:\)  PID: 3672
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  C:\Windows\SysWOW64\cmd.exe  (command line: "C:\Windows\System32\cmd.exe")  PID: 4456
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 60B
MD5: d17fe0a3f47be24a6453e9ef58c94641
SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82