Analysis
- max time kernel: 134s
- max time network: 136s
- platform: windows10-1703_x64
- resource: win10-20240404-en
- resource tags: arch:x64, arch:x86, image:win10-20240404-en, locale:en-us, os:windows10-1703-x64, system
- submitted: 23-04-2024 16:02
Static task: static1
Behavioral task: behavioral1
- Sample: PO-46564343.exe
- Resource: win10-20240404-en
Behavioral task: behavioral2
- Sample: PO-46564343.exe
- Resource: win10v2004-20240412-en
General
- Target: PO-46564343.exe
- Size: 3.4MB
- MD5: b2c650f3a8e5745c8a832b2a0b18a399
- SHA1: 39140b79507c5af0b91ef864129ae3598373e061
- SHA256: 6f68da459050effdc1e643ec81bec63c3860f0ea1c333a1cd451c11c8c08856c
- SHA512: 3116c1d3c5f1106ea7324157d72ff150e9858a2777b7677802c283a9ab92c3add533fcb4c5d0fbde24cabdf7cd8b9e5b509f4ae1aa8f5bd694e07ad0f6e54c1c
- SSDEEP: 49152:qYQ9p/TMILu3UAJvYIJ7PBJw47zvqgFQmUn3ZhNr:Kpg63Zr
Malware Config
- Extracted: warzonerat
- 107.173.4.16:5200
Signatures
- WarzoneRat, AveMaria
  WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
- Warzone RAT payload (4 IoCs)
  Processes:
  resource | yara_rule
  behavioral1/memory/4360-0-0x0000000000400000-0x000000000055A000-memory.dmp | warzonerat
  behavioral1/memory/4360-2-0x0000000000400000-0x000000000055A000-memory.dmp | warzonerat
  behavioral1/memory/4360-3-0x0000000000400000-0x000000000055A000-memory.dmp | warzonerat
  behavioral1/memory/4360-7-0x0000000000400000-0x000000000055A000-memory.dmp | warzonerat
- Executes dropped EXE (1 IoC)
  Processes:
  pid | process
  2132 | images.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes:
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Images = "C:\\Users\\Admin\\Documents\\images.exe" | CasPol.exe
- Suspicious use of SetThreadContext (1 IoC)
  Processes:
  description | pid | process | target process
  PID 4520 set thread context of 4360 | 4520 | PO-46564343.exe | CasPol.exe
- Suspicious use of WriteProcessMemory (20 IoCs)
  Processes (identical rows collapsed, with the number of occurrences in the last column; 3 + 3 + 11 + 3 = 20):
  description | pid | process | target process | occurrences
  PID 4520 wrote to memory of 4428 | 4520 | PO-46564343.exe | AddInProcess32.exe | 3
  PID 4520 wrote to memory of 4100 | 4520 | PO-46564343.exe | msbuild.exe | 3
  PID 4520 wrote to memory of 4360 | 4520 | PO-46564343.exe | CasPol.exe | 11
  PID 4360 wrote to memory of 2132 | 4360 | CasPol.exe | images.exe | 3
Processes
- [1] C:\Users\Admin\AppData\Local\Temp\PO-46564343.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\PO-46564343.exe"
  PID: 4520
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  - [2] C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
    Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
    PID: 4428
  - [2] C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
    Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe"
    PID: 4100
  - [2] C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
    Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"
    PID: 4360
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    - [3] C:\Users\Admin\Documents\images.exe
      Command line: "C:\Users\Admin\Documents\images.exe"
      PID: 2132
      - Executes dropped EXE
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 105KB
  MD5: ac93f60717f1fee8c678e624f54852ee
  SHA1: d9c9828396d19a7f2920af68a4692409f16beaa9
  SHA256: 1fa79bf14d80519f7965a44dcc1f69ec1d24e83eea2927b474c3545e65062f24
  SHA512: 9ff7dfe9c8bc2ae775a97227990f332d8b799fbb4235eea7c73756a5359841d355805d1b624b40fe8f7e864c997a604d3c10ad1fa1182deb5842ab77aad9b1b7