Analysis

  • max time kernel
    134s
  • max time network
    136s
  • platform
    windows10-1703_x64
  • resource
    win10-20240404-en
  • resource tags

    arch:x64, arch:x86, image:win10-20240404-en, locale:en-us, os:windows10-1703-x64, system
  • submitted
    23-04-2024 16:02

General

  • Target

    PO-46564343.exe

  • Size

    3.4MB

  • MD5

    b2c650f3a8e5745c8a832b2a0b18a399

  • SHA1

    39140b79507c5af0b91ef864129ae3598373e061

  • SHA256

    6f68da459050effdc1e643ec81bec63c3860f0ea1c333a1cd451c11c8c08856c

  • SHA512

    3116c1d3c5f1106ea7324157d72ff150e9858a2777b7677802c283a9ab92c3add533fcb4c5d0fbde24cabdf7cd8b9e5b509f4ae1aa8f5bd694e07ad0f6e54c1c

  • SSDEEP

    49152:qYQ9p/TMILu3UAJvYIJ7PBJw47zvqgFQmUn3ZhNr:Kpg63Zr

Malware Config

Extracted

Family

warzonerat

C2

107.173.4.16:5200

Signatures

  • WarzoneRat, AveMaria

    WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.

  • Warzone RAT payload (4 IoCs)
  • Executes dropped EXE (1 IoC)
  • Adds Run key to start application (2 TTPs, 1 IoC)
  • Suspicious use of SetThreadContext (1 IoC)
  • Suspicious use of WriteProcessMemory (20 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\PO-46564343.exe
    "C:\Users\Admin\AppData\Local\Temp\PO-46564343.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:4520
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
      2⤵
      PID:4428
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe"
      2⤵
      PID:4100
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"
      2⤵
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:4360
      • C:\Users\Admin\Documents\images.exe
        "C:\Users\Admin\Documents\images.exe"
        3⤵
        • Executes dropped EXE
        PID:2132

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\Documents\images.exe

    Filesize

    105KB

    MD5

    ac93f60717f1fee8c678e624f54852ee

    SHA1

    d9c9828396d19a7f2920af68a4692409f16beaa9

    SHA256

    1fa79bf14d80519f7965a44dcc1f69ec1d24e83eea2927b474c3545e65062f24

    SHA512

    9ff7dfe9c8bc2ae775a97227990f332d8b799fbb4235eea7c73756a5359841d355805d1b624b40fe8f7e864c997a604d3c10ad1fa1182deb5842ab77aad9b1b7

  • memory/2132-10-0x0000000073EA0000-0x000000007458E000-memory.dmp

    Filesize

    6.9MB

  • memory/2132-9-0x0000000000040000-0x000000000005C000-memory.dmp

    Filesize

    112KB

  • memory/2132-12-0x0000000073EA0000-0x000000007458E000-memory.dmp

    Filesize

    6.9MB

  • memory/4360-0-0x0000000000400000-0x000000000055A000-memory.dmp

    Filesize

    1.4MB

  • memory/4360-2-0x0000000000400000-0x000000000055A000-memory.dmp

    Filesize

    1.4MB

  • memory/4360-3-0x0000000000400000-0x000000000055A000-memory.dmp

    Filesize

    1.4MB

  • memory/4360-7-0x0000000000400000-0x000000000055A000-memory.dmp

    Filesize

    1.4MB