Analysis
- max time kernel: 106s
- max time network: 121s
- platform: windows10-2004_x64
- resource: win10v2004-20240412-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240412-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 22-04-2024 07:45
Static task: static1
Behavioral task: behavioral1
- Sample: Lisect_AV-T_G3_308.exe
- Resource: win7-20240221-en
Behavioral task: behavioral2
- Sample: Lisect_AV-T_G3_308.exe
- Resource: win10v2004-20240412-en
General
- Target: Lisect_AV-T_G3_308.exe
- Size: 232KB
- MD5: bb5accb1bb157c951f739f0f3890b244
- SHA1: fc9cf64ecd7a7eb794b478ce8e5cfbebc5954dc8
- SHA256: c55c56828532ad2b3d922b0fb7eeb999c44cc3490deeccb3572e28166067be2a
- SHA512: 92a15ba0ff7353b08c262505a668ecced11ea4a0dda3f96f4224fb8f6e93a17cd388dfd14ce5ffee3574bbb5868f44bc9924379a464f34763a39bbf7dc2e314d
- SSDEEP: 6144:b+YD77nfv1aFxU5JOtXOgfNb6fTF4MoiwBP/DGDMDSj:bBfnfdKU5J6iATPrGS
Malware Config
Extracted
- Family: warzonerat
- C2: 185.225.75.68:2222
Signatures
-
WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
-
Warzone RAT payload 8 IoCs
Processes (resource | yara_rule):
- behavioral2/memory/4788-3-0x0000000000400000-0x000000000055C000-memory.dmp | warzonerat
- behavioral2/memory/4788-6-0x0000000000400000-0x000000000055C000-memory.dmp | warzonerat
- behavioral2/memory/4788-7-0x0000000000400000-0x000000000055C000-memory.dmp | warzonerat
- behavioral2/memory/4104-21-0x0000000000700000-0x000000000085C000-memory.dmp | warzonerat
- behavioral2/memory/4104-26-0x0000000000700000-0x000000000085C000-memory.dmp | warzonerat
- behavioral2/memory/4788-29-0x0000000000400000-0x000000000055C000-memory.dmp | warzonerat
- behavioral2/memory/876-37-0x0000000000400000-0x000000000055C000-memory.dmp | warzonerat
- behavioral2/memory/876-39-0x0000000000400000-0x000000000055C000-memory.dmp | warzonerat
-
Executes dropped EXE 2 IoCs
Processes (pid | process):
- 764 | roh.exe
- 1512 | roh.exe
-
Uses the VBS compiler for execution 1 TTPs
-
Suspicious use of SetThreadContext 3 IoCs
Processes (description | pid | process | target process):
- PID 536 set thread context of 4788 | 536 | Lisect_AV-T_G3_308.exe | vbc.exe
- PID 764 set thread context of 4104 | 764 | roh.exe | vbc.exe
- PID 1512 set thread context of 876 | 1512 | roh.exe | vbc.exe
-
Program crash 1 IoCs
Processes (pid | pid_target | process | target process):
- 5096 | 4104 | WerFault.exe | vbc.exe
-
Creates scheduled task(s) 1 TTPs 3 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes (pid | process):
- 4856 | schtasks.exe
- 4100 | schtasks.exe
- 4228 | schtasks.exe
Suspicious use of WriteProcessMemory 64 IoCs
Processes (description | pid | process | target process; identical rows are listed once with their count):
- PID 536 wrote to memory of 4788 | 536 | Lisect_AV-T_G3_308.exe | vbc.exe (11 entries)
- PID 536 wrote to memory of 1840 | 536 | Lisect_AV-T_G3_308.exe | cmd.exe (3 entries)
- PID 536 wrote to memory of 2800 | 536 | Lisect_AV-T_G3_308.exe | cmd.exe (3 entries)
- PID 536 wrote to memory of 3956 | 536 | Lisect_AV-T_G3_308.exe | cmd.exe (3 entries)
- PID 2800 wrote to memory of 4856 | 2800 | cmd.exe | schtasks.exe (3 entries)
- PID 764 wrote to memory of 4104 | 764 | roh.exe | vbc.exe (11 entries)
- PID 764 wrote to memory of 3876 | 764 | roh.exe | cmd.exe (3 entries)
- PID 764 wrote to memory of 2352 | 764 | roh.exe | cmd.exe (3 entries)
- PID 764 wrote to memory of 4160 | 764 | roh.exe | cmd.exe (3 entries)
- PID 2352 wrote to memory of 4100 | 2352 | cmd.exe | schtasks.exe (3 entries)
- PID 1512 wrote to memory of 876 | 1512 | roh.exe | vbc.exe (11 entries)
- PID 1512 wrote to memory of 1220 | 1512 | roh.exe | cmd.exe (3 entries)
- PID 1512 wrote to memory of 2040 | 1512 | roh.exe | cmd.exe (3 entries)
- PID 1512 wrote to memory of 4488 | 1512 | roh.exe | cmd.exe (1 entry)
Processes
- C:\Users\Admin\AppData\Local\Temp\Lisect_AV-T_G3_308.exe (level 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\Lisect_AV-T_G3_308.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID: 536
  - C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe (level 2)
    Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
    PID: 4788
  - C:\Windows\SysWOW64\cmd.exe (level 2)
    Command line: "cmd" /c mkdir "C:\Users\Admin\AppData\Roaming\roh"
    PID: 1840
  - C:\Windows\SysWOW64\cmd.exe (level 2)
    Command line: "cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\roh\roh.exe'" /f
    - Suspicious use of WriteProcessMemory
    PID: 2800
    - C:\Windows\SysWOW64\schtasks.exe (level 3)
      Command line: schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\roh\roh.exe'" /f
      - Creates scheduled task(s)
      PID: 4856
  - C:\Windows\SysWOW64\cmd.exe (level 2)
    Command line: "cmd" /c copy "C:\Users\Admin\AppData\Local\Temp\Lisect_AV-T_G3_308.exe" "C:\Users\Admin\AppData\Roaming\roh\roh.exe"
    PID: 3956
- C:\Users\Admin\AppData\Roaming\roh\roh.exe (level 1)
  Command line: C:\Users\Admin\AppData\Roaming\roh\roh.exe
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID: 764
  - C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe (level 2)
    Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
    PID: 4104
    - C:\Windows\SysWOW64\WerFault.exe (level 3)
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4104 -s 544
      - Program crash
      PID: 5096
  - C:\Windows\SysWOW64\cmd.exe (level 2)
    Command line: "cmd" /c mkdir "C:\Users\Admin\AppData\Roaming\roh"
    PID: 3876
  - C:\Windows\SysWOW64\cmd.exe (level 2)
    Command line: "cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\roh\roh.exe'" /f
    - Suspicious use of WriteProcessMemory
    PID: 2352
    - C:\Windows\SysWOW64\schtasks.exe (level 3)
      Command line: schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\roh\roh.exe'" /f
      - Creates scheduled task(s)
      PID: 4100
  - C:\Windows\SysWOW64\cmd.exe (level 2)
    Command line: "cmd" /c copy "C:\Users\Admin\AppData\Roaming\roh\roh.exe" "C:\Users\Admin\AppData\Roaming\roh\roh.exe"
    PID: 4160
- C:\Windows\SysWOW64\WerFault.exe (level 1)
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 4104 -ip 4104
  PID: 2064
- C:\Users\Admin\AppData\Roaming\roh\roh.exe (level 1)
  Command line: C:\Users\Admin\AppData\Roaming\roh\roh.exe
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID: 1512
  - C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe (level 2)
    Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
    PID: 876
  - C:\Windows\SysWOW64\cmd.exe (level 2)
    Command line: "cmd" /c mkdir "C:\Users\Admin\AppData\Roaming\roh"
    PID: 1220
  - C:\Windows\SysWOW64\cmd.exe (level 2)
    Command line: "cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\roh\roh.exe'" /f
    PID: 2040
    - C:\Windows\SysWOW64\schtasks.exe (level 3)
      Command line: schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\roh\roh.exe'" /f
      - Creates scheduled task(s)
      PID: 4228
  - C:\Windows\SysWOW64\cmd.exe (level 2)
    Command line: "cmd" /c copy "C:\Users\Admin\AppData\Roaming\roh\roh.exe" "C:\Users\Admin\AppData\Roaming\roh\roh.exe"
    PID: 4488
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 425B
  MD5: 4eaca4566b22b01cd3bc115b9b0b2196
  SHA1: e743e0792c19f71740416e7b3c061d9f1336bf94
  SHA256: 34ba0ab8d1850e7825763f413142a333ccbc05fa2b5499a28a7d27b8a1c5b4bb
  SHA512: bc2b1bf45203e3bb3009a7d37617b8f0f7ffa613680b32de2b963e39d2cf1650614d7035a0cf78f35a4f5cb17a2a439e2e07deaefd2a4275a62efd0a5c0184a1
- Filesize: 232KB
  MD5: bb5accb1bb157c951f739f0f3890b244
  SHA1: fc9cf64ecd7a7eb794b478ce8e5cfbebc5954dc8
  SHA256: c55c56828532ad2b3d922b0fb7eeb999c44cc3490deeccb3572e28166067be2a
  SHA512: 92a15ba0ff7353b08c262505a668ecced11ea4a0dda3f96f4224fb8f6e93a17cd388dfd14ce5ffee3574bbb5868f44bc9924379a464f34763a39bbf7dc2e314d