Analysis
- max time kernel: 62s
- max time network: 21s
- platform: windows7_x64
- resource: win7-20240221-en
- resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
- submitted: 22-04-2024 07:45
Static task: static1
Behavioral task: behavioral1
  Sample: Lisect_AV-T_G3_308.exe
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: Lisect_AV-T_G3_308.exe
  Resource: win10v2004-20240412-en
General
- Target: Lisect_AV-T_G3_308.exe
- Size: 232KB
- MD5: bb5accb1bb157c951f739f0f3890b244
- SHA1: fc9cf64ecd7a7eb794b478ce8e5cfbebc5954dc8
- SHA256: c55c56828532ad2b3d922b0fb7eeb999c44cc3490deeccb3572e28166067be2a
- SHA512: 92a15ba0ff7353b08c262505a668ecced11ea4a0dda3f96f4224fb8f6e93a17cd388dfd14ce5ffee3574bbb5868f44bc9924379a464f34763a39bbf7dc2e314d
- SSDEEP: 6144:b+YD77nfv1aFxU5JOtXOgfNb6fTF4MoiwBP/DGDMDSj:bBfnfdKU5J6iATPrGS
Malware Config
Extracted
- Family: warzonerat
- C2: 185.225.75.68:2222
Signatures
- WarzoneRat, AveMaria
  WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
- Warzone RAT payload (6 IoCs)
  Processes:
  resource                                                                      yara_rule
  behavioral1/memory/2596-8-0x0000000000400000-0x000000000055C000-memory.dmp    warzonerat
  behavioral1/memory/2596-7-0x0000000000400000-0x000000000055C000-memory.dmp    warzonerat
  behavioral1/memory/2596-10-0x0000000000400000-0x000000000055C000-memory.dmp   warzonerat
  behavioral1/memory/2596-12-0x0000000000400000-0x000000000055C000-memory.dmp   warzonerat
  behavioral1/memory/2596-15-0x0000000000400000-0x000000000055C000-memory.dmp   warzonerat
  behavioral1/memory/2596-17-0x0000000000400000-0x000000000055C000-memory.dmp   warzonerat
- Executes dropped EXE (1 IoCs)
  Processes:
  pid    process
  2324   roh.exe
- Uses the VBS compiler for execution (1 TTPs)
- Suspicious use of SetThreadContext (2 IoCs)
  Processes:
  description                            pid    process                  target process
  PID 2744 set thread context of 2596    2744   Lisect_AV-T_G3_308.exe   vbc.exe
  PID 2324 set thread context of 1360    2324   roh.exe                  vbc.exe
- Program crash (1 IoCs)
  Processes:
  pid    pid_target   process        target process
  2756   2596         WerFault.exe   vbc.exe
- Creates scheduled task(s) (1 TTPs, 2 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  Processes:
  pid    process
  1552   schtasks.exe
  2532   schtasks.exe
- Suspicious use of WriteProcessMemory (64 IoCs)
  Processes:
  description                         pid    process                  target process
  PID 2744 wrote to memory of 2596    2744   Lisect_AV-T_G3_308.exe   vbc.exe
  PID 2744 wrote to memory of 2596    2744   Lisect_AV-T_G3_308.exe   vbc.exe
  PID 2744 wrote to memory of 2596    2744   Lisect_AV-T_G3_308.exe   vbc.exe
  PID 2744 wrote to memory of 2596    2744   Lisect_AV-T_G3_308.exe   vbc.exe
  PID 2744 wrote to memory of 2596    2744   Lisect_AV-T_G3_308.exe   vbc.exe
  PID 2744 wrote to memory of 2596    2744   Lisect_AV-T_G3_308.exe   vbc.exe
  PID 2744 wrote to memory of 2596    2744   Lisect_AV-T_G3_308.exe   vbc.exe
  PID 2744 wrote to memory of 2596    2744   Lisect_AV-T_G3_308.exe   vbc.exe
  PID 2744 wrote to memory of 2596    2744   Lisect_AV-T_G3_308.exe   vbc.exe
  PID 2744 wrote to memory of 2596    2744   Lisect_AV-T_G3_308.exe   vbc.exe
  PID 2744 wrote to memory of 2596    2744   Lisect_AV-T_G3_308.exe   vbc.exe
  PID 2744 wrote to memory of 2596    2744   Lisect_AV-T_G3_308.exe   vbc.exe
  PID 2744 wrote to memory of 2512    2744   Lisect_AV-T_G3_308.exe   cmd.exe
  PID 2744 wrote to memory of 2512    2744   Lisect_AV-T_G3_308.exe   cmd.exe
  PID 2744 wrote to memory of 2512    2744   Lisect_AV-T_G3_308.exe   cmd.exe
  PID 2744 wrote to memory of 2512    2744   Lisect_AV-T_G3_308.exe   cmd.exe
  PID 2744 wrote to memory of 2636    2744   Lisect_AV-T_G3_308.exe   cmd.exe
  PID 2744 wrote to memory of 2636    2744   Lisect_AV-T_G3_308.exe   cmd.exe
  PID 2744 wrote to memory of 2636    2744   Lisect_AV-T_G3_308.exe   cmd.exe
  PID 2744 wrote to memory of 2636    2744   Lisect_AV-T_G3_308.exe   cmd.exe
  PID 2744 wrote to memory of 2660    2744   Lisect_AV-T_G3_308.exe   cmd.exe
  PID 2744 wrote to memory of 2660    2744   Lisect_AV-T_G3_308.exe   cmd.exe
  PID 2744 wrote to memory of 2660    2744   Lisect_AV-T_G3_308.exe   cmd.exe
  PID 2744 wrote to memory of 2660    2744   Lisect_AV-T_G3_308.exe   cmd.exe
  PID 2596 wrote to memory of 2756    2596   vbc.exe                  WerFault.exe
  PID 2596 wrote to memory of 2756    2596   vbc.exe                  WerFault.exe
  PID 2596 wrote to memory of 2756    2596   vbc.exe                  WerFault.exe
  PID 2596 wrote to memory of 2756    2596   vbc.exe                  WerFault.exe
  PID 2636 wrote to memory of 2532    2636   cmd.exe                  schtasks.exe
  PID 2636 wrote to memory of 2532    2636   cmd.exe                  schtasks.exe
  PID 2636 wrote to memory of 2532    2636   cmd.exe                  schtasks.exe
  PID 2636 wrote to memory of 2532    2636   cmd.exe                  schtasks.exe
  PID 480 wrote to memory of 2324     480    taskeng.exe              roh.exe
  PID 480 wrote to memory of 2324     480    taskeng.exe              roh.exe
  PID 480 wrote to memory of 2324     480    taskeng.exe              roh.exe
  PID 480 wrote to memory of 2324     480    taskeng.exe              roh.exe
  PID 2324 wrote to memory of 1360    2324   roh.exe                  vbc.exe
  PID 2324 wrote to memory of 1360    2324   roh.exe                  vbc.exe
  PID 2324 wrote to memory of 1360    2324   roh.exe                  vbc.exe
  PID 2324 wrote to memory of 1360    2324   roh.exe                  vbc.exe
  PID 2324 wrote to memory of 1360    2324   roh.exe                  vbc.exe
  PID 2324 wrote to memory of 1360    2324   roh.exe                  vbc.exe
  PID 2324 wrote to memory of 1360    2324   roh.exe                  vbc.exe
  PID 2324 wrote to memory of 1360    2324   roh.exe                  vbc.exe
  PID 2324 wrote to memory of 1360    2324   roh.exe                  vbc.exe
  PID 2324 wrote to memory of 1360    2324   roh.exe                  vbc.exe
  PID 2324 wrote to memory of 1360    2324   roh.exe                  vbc.exe
  PID 2324 wrote to memory of 1360    2324   roh.exe                  vbc.exe
  PID 2324 wrote to memory of 1096    2324   roh.exe                  cmd.exe
  PID 2324 wrote to memory of 1096    2324   roh.exe                  cmd.exe
  PID 2324 wrote to memory of 1096    2324   roh.exe                  cmd.exe
  PID 2324 wrote to memory of 1096    2324   roh.exe                  cmd.exe
  PID 2324 wrote to memory of 2320    2324   roh.exe                  cmd.exe
  PID 2324 wrote to memory of 2320    2324   roh.exe                  cmd.exe
  PID 2324 wrote to memory of 2320    2324   roh.exe                  cmd.exe
  PID 2324 wrote to memory of 2320    2324   roh.exe                  cmd.exe
  PID 2324 wrote to memory of 1860    2324   roh.exe                  cmd.exe
  PID 2324 wrote to memory of 1860    2324   roh.exe                  cmd.exe
  PID 2324 wrote to memory of 1860    2324   roh.exe                  cmd.exe
  PID 2324 wrote to memory of 1860    2324   roh.exe                  cmd.exe
  PID 2320 wrote to memory of 1552    2320   cmd.exe                  schtasks.exe
  PID 2320 wrote to memory of 1552    2320   cmd.exe                  schtasks.exe
  PID 2320 wrote to memory of 1552    2320   cmd.exe                  schtasks.exe
  PID 2320 wrote to memory of 1552    2320   cmd.exe                  schtasks.exe
Processes
- [1] C:\Users\Admin\AppData\Local\Temp\Lisect_AV-T_G3_308.exe (PID 2744)
  Command line: "C:\Users\Admin\AppData\Local\Temp\Lisect_AV-T_G3_308.exe"
  Signatures: Suspicious use of SetThreadContext; Suspicious use of WriteProcessMemory
  - [2] C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe (PID 2596)
    Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
    Signatures: Suspicious use of WriteProcessMemory
    - [3] C:\Windows\SysWOW64\WerFault.exe (PID 2756)
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2596 -s 212
      Signatures: Program crash
  - [2] C:\Windows\SysWOW64\cmd.exe (PID 2512)
    Command line: "cmd" /c mkdir "C:\Users\Admin\AppData\Roaming\roh"
  - [2] C:\Windows\SysWOW64\cmd.exe (PID 2636)
    Command line: "cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\roh\roh.exe'" /f
    Signatures: Suspicious use of WriteProcessMemory
    - [3] C:\Windows\SysWOW64\schtasks.exe (PID 2532)
      Command line: schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\roh\roh.exe'" /f
      Signatures: Creates scheduled task(s)
  - [2] C:\Windows\SysWOW64\cmd.exe (PID 2660)
    Command line: "cmd" /c copy "C:\Users\Admin\AppData\Local\Temp\Lisect_AV-T_G3_308.exe" "C:\Users\Admin\AppData\Roaming\roh\roh.exe"
- [1] C:\Windows\system32\taskeng.exe (PID 480)
  Command line: taskeng.exe {79760462-8CD8-4673-BEE5-640D6C5A38D6} S-1-5-21-330940541-141609230-1670313778-1000:KXIPPCKF\Admin:Interactive:[1]
  Signatures: Suspicious use of WriteProcessMemory
  - [2] C:\Users\Admin\AppData\Roaming\roh\roh.exe (PID 2324)
    Command line: C:\Users\Admin\AppData\Roaming\roh\roh.exe
    Signatures: Executes dropped EXE; Suspicious use of SetThreadContext; Suspicious use of WriteProcessMemory
    - [3] C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe (PID 1360)
      Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
    - [3] C:\Windows\SysWOW64\cmd.exe (PID 1096)
      Command line: "cmd" /c mkdir "C:\Users\Admin\AppData\Roaming\roh"
    - [3] C:\Windows\SysWOW64\cmd.exe (PID 2320)
      Command line: "cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\roh\roh.exe'" /f
      Signatures: Suspicious use of WriteProcessMemory
      - [4] C:\Windows\SysWOW64\schtasks.exe (PID 1552)
        Command line: schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\roh\roh.exe'" /f
        Signatures: Creates scheduled task(s)
    - [3] C:\Windows\SysWOW64\cmd.exe (PID 1860)
      Command line: "cmd" /c copy "C:\Users\Admin\AppData\Roaming\roh\roh.exe" "C:\Users\Admin\AppData\Roaming\roh\roh.exe"
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 232KB
  MD5: bb5accb1bb157c951f739f0f3890b244
  SHA1: fc9cf64ecd7a7eb794b478ce8e5cfbebc5954dc8
  SHA256: c55c56828532ad2b3d922b0fb7eeb999c44cc3490deeccb3572e28166067be2a
  SHA512: 92a15ba0ff7353b08c262505a668ecced11ea4a0dda3f96f4224fb8f6e93a17cd388dfd14ce5ffee3574bbb5868f44bc9924379a464f34763a39bbf7dc2e314d