Analysis

  • max time kernel
    62s
  • max time network
    21s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
  • submitted
    22-04-2024 07:45

General

  • Target

    Lisect_AV-T_G3_308.exe

  • Size

    232KB

  • MD5

    bb5accb1bb157c951f739f0f3890b244

  • SHA1

    fc9cf64ecd7a7eb794b478ce8e5cfbebc5954dc8

  • SHA256

    c55c56828532ad2b3d922b0fb7eeb999c44cc3490deeccb3572e28166067be2a

  • SHA512

    92a15ba0ff7353b08c262505a668ecced11ea4a0dda3f96f4224fb8f6e93a17cd388dfd14ce5ffee3574bbb5868f44bc9924379a464f34763a39bbf7dc2e314d

  • SSDEEP

    6144:b+YD77nfv1aFxU5JOtXOgfNb6fTF4MoiwBP/DGDMDSj:bBfnfdKU5J6iATPrGS

Malware Config

Extracted

Family

warzonerat

C2

185.225.75.68:2222

Signatures

  • WarzoneRat, AveMaria

    WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.

  • Warzone RAT payload 6 IoCs
  • Executes dropped EXE 1 IoCs
  • Uses the VBS compiler for execution 1 TTPs

    vbc.exe is the .NET Visual Basic compiler, not a VBScript host. Here it is started with no source arguments by the dropper (PID 2744) and again by the persisted copy (PID 2324), and both parents trigger the SetThreadContext and WriteProcessMemory signatures; together with the 1.4MB region dumped from PID 2596 at 0x400000 this is consistent with process hollowing of vbc.exe rather than a compilation.
  • Suspicious use of SetThreadContext 2 IoCs
  • Program crash 1 IoCs
  • Creates scheduled task(s) 1 TTPs 2 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Lisect_AV-T_G3_308.exe
    "C:\Users\Admin\AppData\Local\Temp\Lisect_AV-T_G3_308.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:2744
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2596
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 2596 -s 212
        3⤵
        • Program crash
        PID:2756
    • C:\Windows\SysWOW64\cmd.exe
      "cmd" /c mkdir "C:\Users\Admin\AppData\Roaming\roh"
      2⤵
      PID:2512
    • C:\Windows\SysWOW64\cmd.exe
      "cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\roh\roh.exe'" /f
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2636
      • C:\Windows\SysWOW64\schtasks.exe
        schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\roh\roh.exe'" /f
        3⤵
        • Creates scheduled task(s)
        PID:2532
    • C:\Windows\SysWOW64\cmd.exe
      "cmd" /c copy "C:\Users\Admin\AppData\Local\Temp\Lisect_AV-T_G3_308.exe" "C:\Users\Admin\AppData\Roaming\roh\roh.exe"
      2⤵
      PID:2660
  • C:\Windows\system32\taskeng.exe
    taskeng.exe {79760462-8CD8-4673-BEE5-640D6C5A38D6} S-1-5-21-330940541-141609230-1670313778-1000:KXIPPCKF\Admin:Interactive:[1]
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:480
    • C:\Users\Admin\AppData\Roaming\roh\roh.exe
      C:\Users\Admin\AppData\Roaming\roh\roh.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • Suspicious use of WriteProcessMemory
      PID:2324
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        3⤵
        PID:1360
      • C:\Windows\SysWOW64\cmd.exe
        "cmd" /c mkdir "C:\Users\Admin\AppData\Roaming\roh"
        3⤵
        PID:1096
      • C:\Windows\SysWOW64\cmd.exe
        "cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\roh\roh.exe'" /f
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2320
        • C:\Windows\SysWOW64\schtasks.exe
          schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\roh\roh.exe'" /f
          4⤵
          • Creates scheduled task(s)
          PID:1552
      • C:\Windows\SysWOW64\cmd.exe
        "cmd" /c copy "C:\Users\Admin\AppData\Roaming\roh\roh.exe" "C:\Users\Admin\AppData\Roaming\roh\roh.exe"
        3⤵
        PID:1860
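The tree above shows two rounds of the same installer logic: the dropper stages a copy under AppData\Roaming, registers a one-minute schtasks trigger for it, and injects into an argument-less vbc.exe; a minute later taskeng.exe fires the task and the persisted copy repeats every step, including copying roh.exe onto itself. Detection logic for those behaviours, added here as an example (not part of the Triage report or of Warzone's code): the records are constructed from the process tree, the pid/ppid/image/cmdline record shape imitates Sysmon Event ID 1 and is an assumption, and so are the FREQUENT_MINUTES threshold and the COMPILER_HOSTS set. Three rules map onto the signatures listed above: a schtasks /create with a minute-level trigger whose action lives under a user-writable path, a .NET compiler started with no source arguments by a parent that itself runs from a user-writable path, and a cmd /c copy of the parent's own image into such a path.

```python
"""Detection rules for the behaviour in this report, run over constructed telemetry.
SAMPLE_EVENTS is built from the process tree above; its pid/ppid/image/cmdline shape
imitates Sysmon Event ID 1 and is an assumption, as are FREQUENT_MINUTES and COMPILER_HOSTS."""
import re
import shlex
from dataclasses import dataclass

DROPPER = r"C:\Users\Admin\AppData\Local\Temp\Lisect_AV-T_G3_308.exe"
COPY = r"C:\Users\Admin\AppData\Roaming\roh\roh.exe"
VBC = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
SYS = r"C:\Windows\SysWOW64"
TASK = f'schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "\'{COPY}\'" /f'

SAMPLE_EVENTS = [  # (pid, ppid, image, command line), constructed from the tree above
    (2744, 0, DROPPER, f'"{DROPPER}"'),
    (2596, 2744, VBC, f'"{VBC}"'),
    (2636, 2744, rf"{SYS}\cmd.exe", f'"cmd" /c {TASK}'),
    (2532, 2636, rf"{SYS}\schtasks.exe", TASK),
    (2660, 2744, rf"{SYS}\cmd.exe", f'"cmd" /c copy "{DROPPER}" "{COPY}"'),
    (480, 0, r"C:\Windows\system32\taskeng.exe",
     r"taskeng.exe {79760462-8CD8-4673-BEE5-640D6C5A38D6} S-1-5-21-330940541-141609230-1670313778-1000:KXIPPCKF\Admin:Interactive:[1]"),
    (2324, 480, COPY, COPY),
    (1360, 2324, VBC, f'"{VBC}"'),
    (2320, 2324, rf"{SYS}\cmd.exe", f'"cmd" /c {TASK}'),
    (1552, 2320, rf"{SYS}\schtasks.exe", TASK),
    (1860, 2324, rf"{SYS}\cmd.exe", f'"cmd" /c copy "{COPY}" "{COPY}"'),
]

# Paths an unprivileged user can write to; a persistence action living here is a red flag.
USER_WRITABLE = re.compile(r"\\(AppData\\(Roaming|Local)|Users\\Public|ProgramData|Temp)\\", re.I)
FREQUENT_MINUTES = 5          # assumption: no legitimate user task needs a trigger this tight
COMPILER_HOSTS = {"vbc.exe"}  # the host seen in this report; production rules would add csc.exe etc.

@dataclass
class Finding:
    rule: str
    pid: int
    detail: str

def _args(cmdline):
    """Tokenise a Windows command line: backslashes stay literal, wrapping quotes are dropped."""
    return [t.strip("\"'") for t in shlex.split(cmdline, posix=False)]

def _base(path):
    return path.rsplit("\\", 1)[-1].lower()

def schtasks_persistence(ev):
    """schtasks /create with a minute-level trigger whose action lives under a user-writable path."""
    if _base(ev["image"]) != "schtasks.exe":
        return None
    toks = _args(ev["cmdline"])
    low = [t.lower() for t in toks]
    if "/create" not in low:
        return None
    def opt(flag):  # value following a switch, or None when absent
        i = low.index(flag) + 1 if flag in low else len(toks)
        return toks[i] if i < len(toks) else None
    sc, mo, tr = opt("/sc"), opt("/mo") or "1", opt("/tr")  # /mo defaults to 1 for /sc minute
    frequent = sc is not None and sc.lower() == "minute" and mo.isdigit() and int(mo) <= FREQUENT_MINUTES
    if frequent and tr and USER_WRITABLE.search(tr):
        return Finding("schtasks_persistence", ev["pid"], f"task {opt('/tn')} runs {tr} every {mo} min")
    return None

def compiler_without_source(ev, parent):
    """A .NET compiler with no source arguments, spawned from a user-writable path: a hollowing host."""
    if _base(ev["image"]) not in COMPILER_HOSTS or len(_args(ev["cmdline"])) > 1:
        return None
    if parent is None or not USER_WRITABLE.search(parent["image"]):
        return None
    return Finding("compiler_without_source", ev["pid"], f"{_base(ev['image'])} spawned by {parent['image']}")

def parent_self_copy(ev, parent):
    """cmd /c copy of the parent's own image into a user-writable directory (staging for persistence)."""
    toks = _args(ev["cmdline"])
    low = [t.lower() for t in toks]
    i = low.index("copy") + 1 if "copy" in low else len(toks)
    if _base(ev["image"]) != "cmd.exe" or parent is None or i + 1 >= len(toks):
        return None
    src, dst = toks[i], toks[i + 1]
    if src.lower() == parent["image"].lower() and USER_WRITABLE.search(dst):
        return Finding("parent_self_copy", ev["pid"], f"{src} -> {dst}")
    return None

def run_rules(events):
    """Apply every rule to each record (tuples as in SAMPLE_EVENTS); findings come back in tree order."""
    recs = [dict(zip(("pid", "ppid", "image", "cmdline"), e)) for e in events]
    by_pid = {r["pid"]: r for r in recs}
    findings = []
    for r in recs:
        parent = by_pid.get(r["ppid"])
        for f in (schtasks_persistence(r), compiler_without_source(r, parent), parent_self_copy(r, parent)):
            if f is not None:
                findings.append(f)
    return findings

if __name__ == "__main__":
    for f in run_rules(SAMPLE_EVENTS):
        print(f"[{f.rule}] pid {f.pid}: {f.detail}")
```

Run on its own it reports six findings for this tree: the two schtasks.exe creations (PIDs 2532 and 1552), the two argument-less vbc.exe launches (2596 and 1360) and the two self-copies (2660 and 1860). The cmd.exe wrappers are deliberately not matched by the schtasks rule, so a task registered through cmd /c does not produce a duplicate alert; the schtasks.exe child carries the same command line and is the record to key on.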

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\Users\Admin\AppData\Roaming\roh\roh.exe

    Filesize

    232KB

    MD5

    bb5accb1bb157c951f739f0f3890b244

    SHA1

    fc9cf64ecd7a7eb794b478ce8e5cfbebc5954dc8

    SHA256

    c55c56828532ad2b3d922b0fb7eeb999c44cc3490deeccb3572e28166067be2a

    SHA512

    92a15ba0ff7353b08c262505a668ecced11ea4a0dda3f96f4224fb8f6e93a17cd388dfd14ce5ffee3574bbb5868f44bc9924379a464f34763a39bbf7dc2e314d

    Byte-identical to the submitted sample (every hash above matches the General section), as expected from the cmd /c copy in the process tree: the persisted file is the dropper itself, not a second-stage payload, so the sample's hashes are also the hashes to hunt for under AppData\Roaming.

  • memory/2324-37-0x0000000074000000-0x00000000746EE000-memory.dmp

    Filesize

    6.9MB

  • memory/2324-24-0x0000000000C80000-0x0000000000CC0000-memory.dmp

    Filesize

    256KB

  • memory/2324-23-0x0000000074000000-0x00000000746EE000-memory.dmp

    Filesize

    6.9MB

  • memory/2596-10-0x0000000000400000-0x000000000055C000-memory.dmp

    Filesize

    1.4MB

  • memory/2596-5-0x0000000000400000-0x000000000055C000-memory.dmp

    Filesize

    1.4MB

  • memory/2596-6-0x0000000000400000-0x000000000055C000-memory.dmp

    Filesize

    1.4MB

  • memory/2596-7-0x0000000000400000-0x000000000055C000-memory.dmp

    Filesize

    1.4MB

  • memory/2596-3-0x0000000000400000-0x000000000055C000-memory.dmp

    Filesize

    1.4MB

  • memory/2596-14-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

    Filesize

    4KB

  • memory/2596-12-0x0000000000400000-0x000000000055C000-memory.dmp

    Filesize

    1.4MB

  • memory/2596-15-0x0000000000400000-0x000000000055C000-memory.dmp

    Filesize

    1.4MB

  • memory/2596-17-0x0000000000400000-0x000000000055C000-memory.dmp

    Filesize

    1.4MB

  • memory/2596-8-0x0000000000400000-0x000000000055C000-memory.dmp

    Filesize

    1.4MB

  • memory/2744-20-0x0000000074860000-0x0000000074F4E000-memory.dmp

    Filesize

    6.9MB

  • memory/2744-1-0x0000000074860000-0x0000000074F4E000-memory.dmp

    Filesize

    6.9MB

  • memory/2744-2-0x00000000042B0000-0x00000000042F0000-memory.dmp

    Filesize

    256KB

  • memory/2744-0-0x0000000000340000-0x0000000000380000-memory.dmp

    Filesize

    256KB