Overview

overview

10

Static

static

10

bb6af94db4...78.exe

windows7-x64

10

bb6af94db4...78.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    147s
  • max time network
    121s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    25-04-2024 02:34

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    bb6af94db448e5a030dbcf2299c11359cd28acb6d56a2d8a0750e3a62bf8e678.exe

  • Size

    2.9MB

  • MD5

    cec533685df238ca2c999bb4458eca65

  • SHA1

    9b50e4d10b75d73b8102180a2a43a2cc91afc045

  • SHA256

    bb6af94db448e5a030dbcf2299c11359cd28acb6d56a2d8a0750e3a62bf8e678

  • SHA512

    7dbca1534603f331c3955c38162068c11f87738378d8664b3ea97ce861126e0322e827234e616b596619cfeae655554729bd30be2b778927cd91351ca9759007

  • SSDEEP

    24576:bTO7AsmZZcVKfIxTiEVc847flVC6faaQDbGV6eH81k6IbGD2JTu0GoZQDbGV6eHq:bTO7Asmw4gxeOw46fUbNecCCFbNecT

Score
10/10
warzoneratinfostealerpersistencerat

Malware Config

Signatures

  • WarzoneRat, AveMaria

    WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.

    ratinfostealerwarzonerat
  • Detects executables packed with ASPack 33 IoCs
  • Warzone RAT payload 2 IoCs
    rat
  • Drops startup file 2 IoCs
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 2 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Suspicious use of SetThreadContext 6 IoCs
  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious use of SetWindowsHookEx 7 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\bb6af94db448e5a030dbcf2299c11359cd28acb6d56a2d8a0750e3a62bf8e678.exe
    "C:\Users\Admin\AppData\Local\Temp\bb6af94db448e5a030dbcf2299c11359cd28acb6d56a2d8a0750e3a62bf8e678.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2524
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "C:\Users\Admin\AppData\Local\Temp\bb6af94db448e5a030dbcf2299c11359cd28acb6d56a2d8a0750e3a62bf8e678.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
      2⤵
      • Drops startup file
      PID:2156
    • C:\Users\Admin\AppData\Local\Temp\bb6af94db448e5a030dbcf2299c11359cd28acb6d56a2d8a0750e3a62bf8e678.exe
      C:\Users\Admin\AppData\Local\Temp\bb6af94db448e5a030dbcf2299c11359cd28acb6d56a2d8a0750e3a62bf8e678.exe
      2⤵
      • Adds Run key to start application
      • Suspicious use of SetThreadContext
      • Suspicious use of WriteProcessMemory
      PID:2740
      • C:\Users\Admin\AppData\Local\Temp\bb6af94db448e5a030dbcf2299c11359cd28acb6d56a2d8a0750e3a62bf8e678.exe
        C:\Users\Admin\AppData\Local\Temp\bb6af94db448e5a030dbcf2299c11359cd28acb6d56a2d8a0750e3a62bf8e678.exe
        3⤵
        • Loads dropped DLL
        • Drops file in Windows directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:2764
        • \??\c:\windows\system\explorer.exe
          c:\windows\system\explorer.exe
          4⤵
          • Executes dropped EXE
          • Suspicious use of SetThreadContext
          • Drops file in Windows directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:1280
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\explorer.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
            5⤵
            • Drops startup file
            PID:1624
          • \??\c:\windows\system\explorer.exe
            c:\windows\system\explorer.exe
            5⤵
            • Executes dropped EXE
            • Adds Run key to start application
            • Suspicious use of SetThreadContext
            PID:632
            • \??\c:\windows\system\explorer.exe
              c:\windows\system\explorer.exe
              6⤵
              • Executes dropped EXE
              • Suspicious use of SetWindowsHookEx
              PID:1488
            • C:\Windows\SysWOW64\diskperf.exe
              "C:\Windows\SysWOW64\diskperf.exe"
              6⤵
                PID:1816
        • C:\Windows\SysWOW64\diskperf.exe
          "C:\Windows\SysWOW64\diskperf.exe"
          3⤵
            PID:2944

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Chrome\StikyNot.exe
        Filesize

        2.9MB

        MD5

        cec533685df238ca2c999bb4458eca65

        SHA1

        9b50e4d10b75d73b8102180a2a43a2cc91afc045

        SHA256

        bb6af94db448e5a030dbcf2299c11359cd28acb6d56a2d8a0750e3a62bf8e678

        SHA512

        7dbca1534603f331c3955c38162068c11f87738378d8664b3ea97ce861126e0322e827234e616b596619cfeae655554729bd30be2b778927cd91351ca9759007

        Download Submit

      • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs
        Filesize

        93B

        MD5

        8445bfa5a278e2f068300c604a78394b

        SHA1

        9fb4eef5ec2606bd151f77fdaa219853d4aa0c65

        SHA256

        5ddf324661da70998e89da7469c0eea327faae9216b9abc15c66fe95deec379c

        SHA512

        8ad7d18392a15cabbfd4d30b2e8a2aad899d35aba099b5be1f6852ca39f58541fb318972299c5728a30fd311db011578c3aaf881fa8b8b42067d2a1e11c50822

        Download Submit

      • C:\Windows\system\explorer.exe
        Filesize

        2.9MB

        MD5

        57b6ef60c05685a6ba97d5b4abd79e30

        SHA1

        418d1a22e3579cc80e5f6c1bdb1b3e36e93a6efc

        SHA256

        b7c5c44fdaafb8df0632e21662c29d445c0b1d97b0f0dffc208cce8a10010d82

        SHA512

        0308d0bfdc5006d188d7ab42c1c50b3d52e18cd3b92fec4260f257c31a0f39b8f8631e7eed5263e81dc52be11f2997917a11d11bfad1c4ddeaebc87592bc3b7f

        Download Submit

      • memory/632-166-0x0000000000400000-0x0000000001990000-memory.dmp

        Filesize

        21.6MB

        Download

      • memory/632-130-0x0000000000230000-0x0000000000231000-memory.dmp

        Filesize

        4KB

        Download

      • memory/632-113-0x0000000000400000-0x0000000001990000-memory.dmp

        Filesize

        21.6MB

        Download

      • memory/1488-169-0x0000000000400000-0x000000000043E000-memory.dmp

        Filesize

        248KB

        Download

      • memory/1816-165-0x0000000000400000-0x0000000000412000-memory.dmp

        Filesize

        72KB

        Download

      • memory/2740-34-0x0000000000400000-0x0000000001400000-memory.dmp

        Filesize

        16.0MB

        Download

      • memory/2740-39-0x0000000000220000-0x0000000000221000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2740-13-0x0000000000400000-0x0000000001400000-memory.dmp

        Filesize

        16.0MB

        Download

      • memory/2740-14-0x0000000000400000-0x0000000001400000-memory.dmp

        Filesize

        16.0MB

        Download

      • memory/2740-16-0x0000000000400000-0x0000000001400000-memory.dmp

        Filesize

        16.0MB

        Download

      • memory/2740-15-0x0000000000400000-0x0000000001400000-memory.dmp

        Filesize

        16.0MB

        Download

      • memory/2740-17-0x0000000000400000-0x0000000001400000-memory.dmp

        Filesize

        16.0MB

        Download

      • memory/2740-18-0x0000000000400000-0x0000000001400000-memory.dmp

        Filesize

        16.0MB

        Download

      • memory/2740-19-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2740-21-0x0000000000400000-0x0000000001400000-memory.dmp

        Filesize

        16.0MB

        Download

      • memory/2740-24-0x0000000000400000-0x0000000001400000-memory.dmp

        Filesize

        16.0MB

        Download

      • memory/2740-26-0x0000000000400000-0x0000000000628000-memory.dmp

        Filesize

        2.2MB

        Download

      • memory/2740-28-0x0000000000400000-0x0000000000628000-memory.dmp

        Filesize

        2.2MB

        Download

      • memory/2740-29-0x0000000000400000-0x0000000001400000-memory.dmp

        Filesize

        16.0MB

        Download

      • memory/2740-30-0x0000000000400000-0x0000000000628000-memory.dmp

        Filesize

        2.2MB

        Download

      • memory/2740-31-0x0000000000400000-0x0000000001400000-memory.dmp

        Filesize

        16.0MB

        Download

      • memory/2740-32-0x0000000000400000-0x0000000001400000-memory.dmp

        Filesize

        16.0MB

        Download

      • memory/2740-33-0x0000000000400000-0x0000000001400000-memory.dmp

        Filesize

        16.0MB

        Download

      • memory/2740-1-0x0000000000300000-0x0000000000400000-memory.dmp

        Filesize

        1024KB

        Download

      • memory/2740-35-0x0000000000400000-0x0000000001400000-memory.dmp

        Filesize

        16.0MB

        Download

      • memory/2740-37-0x0000000000400000-0x0000000000628000-memory.dmp

        Filesize

        2.2MB

        Download

      • memory/2740-38-0x0000000000400000-0x0000000001400000-memory.dmp

        Filesize

        16.0MB

        Download

      • memory/2740-36-0x0000000000400000-0x0000000001400000-memory.dmp

        Filesize

        16.0MB

        Download

      • memory/2740-12-0x0000000000400000-0x0000000001400000-memory.dmp

        Filesize

        16.0MB

        Download

      • memory/2740-40-0x0000000000400000-0x0000000000628000-memory.dmp

        Filesize

        2.2MB

        Download

      • memory/2740-42-0x0000000000220000-0x0000000000221000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2740-2-0x0000000000400000-0x0000000001400000-memory.dmp

        Filesize

        16.0MB

        Download

      • memory/2740-4-0x0000000000400000-0x0000000001400000-memory.dmp

        Filesize

        16.0MB

        Download

      • memory/2740-6-0x0000000000400000-0x0000000001400000-memory.dmp

        Filesize

        16.0MB

        Download

      • memory/2740-7-0x0000000000400000-0x0000000001400000-memory.dmp

        Filesize

        16.0MB

        Download

      • memory/2740-8-0x0000000000400000-0x0000000001400000-memory.dmp

        Filesize

        16.0MB

        Download

      • memory/2740-9-0x0000000000400000-0x0000000001400000-memory.dmp

        Filesize

        16.0MB

        Download

      • memory/2740-10-0x0000000000400000-0x0000000001400000-memory.dmp

        Filesize

        16.0MB

        Download

      • memory/2740-11-0x0000000000400000-0x0000000001400000-memory.dmp

        Filesize

        16.0MB

        Download

      • memory/2740-71-0x0000000000400000-0x0000000000628000-memory.dmp

        Filesize

        2.2MB

        Download

      • memory/2740-70-0x0000000000400000-0x0000000001400000-memory.dmp

        Filesize

        16.0MB

        Download

      • memory/2764-60-0x0000000000400000-0x000000000043E000-memory.dmp

        Filesize

        248KB

        Download

      • memory/2764-120-0x0000000000400000-0x000000000043E000-memory.dmp

        Filesize

        248KB

        Download

      • memory/2764-45-0x0000000000400000-0x000000000043E000-memory.dmp

        Filesize

        248KB

        Download

      • memory/2764-47-0x0000000000400000-0x000000000043E000-memory.dmp

        Filesize

        248KB

        Download

      • memory/2764-49-0x0000000000400000-0x000000000043E000-memory.dmp

        Filesize

        248KB

        Download

      • memory/2764-53-0x0000000000400000-0x000000000043E000-memory.dmp

        Filesize

        248KB

        Download

      • memory/2944-69-0x0000000000400000-0x0000000000412000-memory.dmp

        Filesize

        72KB

        Download

      • memory/2944-72-0x0000000000400000-0x0000000000412000-memory.dmp

        Filesize

        72KB

        Download

      • memory/2944-65-0x0000000000400000-0x0000000000412000-memory.dmp

        Filesize

        72KB

        Download

      • memory/2944-62-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2944-59-0x0000000000400000-0x0000000000412000-memory.dmp

        Filesize

        72KB

        Download