Analysis
- max time kernel: 150s
- max time network: 152s
- platform: windows10-2004_x64
- resource: win10v2004-20240412-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240412-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 23-04-2024 16:02
Static task: static1
Behavioral task: behavioral1
- Sample: PO-46564343.exe
- Resource: win10-20240404-en
Behavioral task: behavioral2
- Sample: PO-46564343.exe
- Resource: win10v2004-20240412-en
General
- Target: PO-46564343.exe
- Size: 3.4MB
- MD5: b2c650f3a8e5745c8a832b2a0b18a399
- SHA1: 39140b79507c5af0b91ef864129ae3598373e061
- SHA256: 6f68da459050effdc1e643ec81bec63c3860f0ea1c333a1cd451c11c8c08856c
- SHA512: 3116c1d3c5f1106ea7324157d72ff150e9858a2777b7677802c283a9ab92c3add533fcb4c5d0fbde24cabdf7cd8b9e5b509f4ae1aa8f5bd694e07ad0f6e54c1c
- SSDEEP: 49152:qYQ9p/TMILu3UAJvYIJ7PBJw47zvqgFQmUn3ZhNr:Kpg63Zr
Malware Config
- Extracted (warzonerat): 107.173.4.16:5200
Signatures
- WarzoneRat, AveMaria
  WarzoneRat is a native RAT written in C++ with multiple plugins, sold as malware-as-a-service (MaaS).
- Warzone RAT payload (4 IoCs)
  resource | yara_rule
  behavioral2/memory/4740-0-0x0000000000400000-0x000000000055A000-memory.dmp | warzonerat
  behavioral2/memory/4740-2-0x0000000000400000-0x000000000055A000-memory.dmp | warzonerat
  behavioral2/memory/4740-3-0x0000000000400000-0x000000000055A000-memory.dmp | warzonerat
  behavioral2/memory/4740-7-0x0000000000400000-0x000000000055A000-memory.dmp | warzonerat
- Executes dropped EXE (1 IoC)
  pid | process
  2280 | images.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Images = "C:\\Users\\Admin\\Documents\\images.exe" | CasPol.exe
- Suspicious use of SetThreadContext (1 IoC)
  description | pid | process | target process
  PID 3220 set thread context of 4740 | 3220 | PO-46564343.exe | CasPol.exe
- Suspicious use of WriteProcessMemory (14 IoCs)
  description | pid | process | target process
  PID 3220 wrote to memory of 4740 | 3220 | PO-46564343.exe | CasPol.exe (11 events)
  PID 4740 wrote to memory of 2280 | 4740 | CasPol.exe | images.exe (3 events)
Processes
- C:\Users\Admin\AppData\Local\Temp\PO-46564343.exe  "C:\Users\Admin\AppData\Local\Temp\PO-46564343.exe"  PID: 3220
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  - C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"  PID: 4740
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\Documents\images.exe  "C:\Users\Admin\Documents\images.exe"  PID: 2280
      - Executes dropped EXE
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 106KB
  MD5: 914f728c04d3eddd5fba59420e74e56b
  SHA1: 8c68ca3f013c490161c0156ef359af03594ae5e2
  SHA256: 7d3bdb5b7ee9685c7c18c0c3272da2a593f6c5c326f1ea67f22aae27c57ba1e6
  SHA512: d7e49b361544ba22a0c66cf097e9d84db4f3759fbcc20386251caac6da80c591861c1468cb7a102eee1a1f86c974086ebc61de4027f9cd22ad06d63550400d6d