Analysis

  • max time kernel
    106s
  • max time network
    121s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240412-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240412-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    22-04-2024 07:45

General

  • Target

    Lisect_AV-T_G3_308.exe

  • Size

    232KB

  • MD5

    bb5accb1bb157c951f739f0f3890b244

  • SHA1

    fc9cf64ecd7a7eb794b478ce8e5cfbebc5954dc8

  • SHA256

    c55c56828532ad2b3d922b0fb7eeb999c44cc3490deeccb3572e28166067be2a

  • SHA512

    92a15ba0ff7353b08c262505a668ecced11ea4a0dda3f96f4224fb8f6e93a17cd388dfd14ce5ffee3574bbb5868f44bc9924379a464f34763a39bbf7dc2e314d

  • SSDEEP

    6144:b+YD77nfv1aFxU5JOtXOgfNb6fTF4MoiwBP/DGDMDSj:bBfnfdKU5J6iATPrGS

Malware Config

Extracted

Family

warzonerat

C2

185.225.75.68:2222

Signatures

  • WarzoneRat, AveMaria

    WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.

  • Warzone RAT payload 8 IoCs
  • Executes dropped EXE 2 IoCs
  • Uses the VBS compiler for execution 1 TTPs
  • Suspicious use of SetThreadContext 3 IoCs
  • Program crash 1 IoCs
  • Creates scheduled task(s) 1 TTPs 3 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Lisect_AV-T_G3_308.exe
    "C:\Users\Admin\AppData\Local\Temp\Lisect_AV-T_G3_308.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:536
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
      2⤵
      PID:4788
    • C:\Windows\SysWOW64\cmd.exe
      "cmd" /c mkdir "C:\Users\Admin\AppData\Roaming\roh"
      2⤵
      PID:1840
    • C:\Windows\SysWOW64\cmd.exe
      "cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\roh\roh.exe'" /f
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2800
      • C:\Windows\SysWOW64\schtasks.exe
        schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\roh\roh.exe'" /f
        3⤵
        • Creates scheduled task(s)
        PID:4856
    • C:\Windows\SysWOW64\cmd.exe
      "cmd" /c copy "C:\Users\Admin\AppData\Local\Temp\Lisect_AV-T_G3_308.exe" "C:\Users\Admin\AppData\Roaming\roh\roh.exe"
      2⤵
      PID:3956
  • C:\Users\Admin\AppData\Roaming\roh\roh.exe
    C:\Users\Admin\AppData\Roaming\roh\roh.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:764
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
      2⤵
      PID:4104
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 4104 -s 544
        3⤵
        • Program crash
        PID:5096
    • C:\Windows\SysWOW64\cmd.exe
      "cmd" /c mkdir "C:\Users\Admin\AppData\Roaming\roh"
      2⤵
      PID:3876
    • C:\Windows\SysWOW64\cmd.exe
      "cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\roh\roh.exe'" /f
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2352
      • C:\Windows\SysWOW64\schtasks.exe
        schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\roh\roh.exe'" /f
        3⤵
        • Creates scheduled task(s)
        PID:4100
    • C:\Windows\SysWOW64\cmd.exe
      "cmd" /c copy "C:\Users\Admin\AppData\Roaming\roh\roh.exe" "C:\Users\Admin\AppData\Roaming\roh\roh.exe"
      2⤵
      PID:4160
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 4104 -ip 4104
    1⤵
    PID:2064
  • C:\Users\Admin\AppData\Roaming\roh\roh.exe
    C:\Users\Admin\AppData\Roaming\roh\roh.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:1512
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
      2⤵
      PID:876
    • C:\Windows\SysWOW64\cmd.exe
      "cmd" /c mkdir "C:\Users\Admin\AppData\Roaming\roh"
      2⤵
      PID:1220
    • C:\Windows\SysWOW64\cmd.exe
      "cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\roh\roh.exe'" /f
      2⤵
      PID:2040
      • C:\Windows\SysWOW64\schtasks.exe
        schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\roh\roh.exe'" /f
        3⤵
        • Creates scheduled task(s)
        PID:4228
    • C:\Windows\SysWOW64\cmd.exe
      "cmd" /c copy "C:\Users\Admin\AppData\Roaming\roh\roh.exe" "C:\Users\Admin\AppData\Roaming\roh\roh.exe"
      2⤵
      PID:4488

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\roh.exe.log
    Filesize
    425B
    MD5
    4eaca4566b22b01cd3bc115b9b0b2196
    SHA1
    e743e0792c19f71740416e7b3c061d9f1336bf94
    SHA256
    34ba0ab8d1850e7825763f413142a333ccbc05fa2b5499a28a7d27b8a1c5b4bb
    SHA512
    bc2b1bf45203e3bb3009a7d37617b8f0f7ffa613680b32de2b963e39d2cf1650614d7035a0cf78f35a4f5cb17a2a439e2e07deaefd2a4275a62efd0a5c0184a1

  • C:\Users\Admin\AppData\Roaming\roh\roh.exe
    Filesize
    232KB
    MD5
    bb5accb1bb157c951f739f0f3890b244
    SHA1
    fc9cf64ecd7a7eb794b478ce8e5cfbebc5954dc8
    SHA256
    c55c56828532ad2b3d922b0fb7eeb999c44cc3490deeccb3572e28166067be2a
    SHA512
    92a15ba0ff7353b08c262505a668ecced11ea4a0dda3f96f4224fb8f6e93a17cd388dfd14ce5ffee3574bbb5868f44bc9924379a464f34763a39bbf7dc2e314d

  • memory/536-1-0x0000000074460000-0x0000000074C10000-memory.dmp
    Filesize
    7.7MB

  • memory/536-2-0x0000000005870000-0x0000000005880000-memory.dmp
    Filesize
    64KB

  • memory/536-8-0x0000000074460000-0x0000000074C10000-memory.dmp
    Filesize
    7.7MB

  • memory/536-0-0x0000000000E50000-0x0000000000E90000-memory.dmp
    Filesize
    256KB

  • memory/764-28-0x0000000073D30000-0x00000000744E0000-memory.dmp
    Filesize
    7.7MB

  • memory/764-13-0x0000000073D30000-0x00000000744E0000-memory.dmp
    Filesize
    7.7MB

  • memory/764-14-0x0000000002BC0000-0x0000000002BD0000-memory.dmp
    Filesize
    64KB

  • memory/876-39-0x0000000000400000-0x000000000055C000-memory.dmp
    Filesize
    1.4MB

  • memory/876-37-0x0000000000400000-0x000000000055C000-memory.dmp
    Filesize
    1.4MB

  • memory/1512-33-0x0000000073DD0000-0x0000000074580000-memory.dmp
    Filesize
    7.7MB

  • memory/1512-34-0x00000000055B0000-0x00000000055C0000-memory.dmp
    Filesize
    64KB

  • memory/1512-38-0x0000000073DD0000-0x0000000074580000-memory.dmp
    Filesize
    7.7MB

  • memory/4104-26-0x0000000000700000-0x000000000085C000-memory.dmp
    Filesize
    1.4MB

  • memory/4104-21-0x0000000000700000-0x000000000085C000-memory.dmp
    Filesize
    1.4MB

  • memory/4788-29-0x0000000000400000-0x000000000055C000-memory.dmp
    Filesize
    1.4MB

  • memory/4788-7-0x0000000000400000-0x000000000055C000-memory.dmp
    Filesize
    1.4MB

  • memory/4788-6-0x0000000000400000-0x000000000055C000-memory.dmp
    Filesize
    1.4MB

  • memory/4788-3-0x0000000000400000-0x000000000055C000-memory.dmp
    Filesize
    1.4MB