Analysis
  max time kernel:   117s
  max time network:  118s
  platform:          windows7_x64
  resource:          win7-20240221-en
  resource tags:     arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
  submitted:         06-05-2024 04:04
Static task
  static1

Behavioral task
  behavioral1
    Sample:    undercover.exe
    Resource:  win7-20240221-en

Behavioral task
  behavioral2
    Sample:    undercover.exe
    Resource:  win10v2004-20240426-en
General
  Target:  undercover.exe
  Size:    642KB
  MD5:     c7dde9741228fbc2c317bae1ef4c8231
  SHA1:    26deeac180d6bf406bd004a718cbc86b1586c494
  SHA256:  d1d0a4c2a7489201006748a364e5cc6dca7b0721dbce83c54566c555bc56ca68
  SHA512:  05508db7f290282c91d461b7284c1856ee9ad2e042dc57f9203f79374492ba69c457985177d9e11195758680b6c211261fa7df2662c380edb1bb0b3678e1139e
  SSDEEP:  12288:y0WWObW5cBj7O56jp7t8c6B5wAmjPDynKr7fP7E3caoAqI+lRW:l4JugjEc6B5wT6KrL7E3hVElR
Malware Config
Extracted
warzonerat
93.123.118.3:65535
Signatures

WarzoneRat, AveMaria
  WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.

Warzone RAT payload (6 IoCs)
  Processes:
    resource                                                                     yara_rule
    behavioral1/memory/2224-11-0x0000000000400000-0x000000000055C000-memory.dmp  warzonerat
    behavioral1/memory/2224-18-0x0000000000400000-0x000000000055C000-memory.dmp  warzonerat
    behavioral1/memory/2224-15-0x0000000000400000-0x000000000055C000-memory.dmp  warzonerat
    behavioral1/memory/2224-14-0x0000000000400000-0x000000000055C000-memory.dmp  warzonerat
    behavioral1/memory/2224-13-0x0000000000400000-0x000000000055C000-memory.dmp  warzonerat
    behavioral1/memory/2224-20-0x0000000000400000-0x000000000055C000-memory.dmp  warzonerat

Command and Scripting Interpreter: PowerShell (1 TTP, 1 IoC)
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

Suspicious use of SetThreadContext (1 IoC)
  Processes:
    description                          pid   process         target process
    PID 2180 set thread context of 2224  2180  undercover.exe  undercover.exe

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).

Program crash (1 IoC)
  Processes:
    pid   pid_target  process       target process
    2384  2224        WerFault.exe  undercover.exe

Suspicious behavior: EnumeratesProcesses (1 IoC)
  Processes:
    pid   process
    2548  powershell.exe

Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes:
    description              pid   process
    Token: SeDebugPrivilege  2548  powershell.exe

Suspicious use of WriteProcessMemory (20 IoCs)
  Processes:
    description                       pid   process         target process
    PID 2180 wrote to memory of 2548  2180  undercover.exe  powershell.exe
    PID 2180 wrote to memory of 2548  2180  undercover.exe  powershell.exe
    PID 2180 wrote to memory of 2548  2180  undercover.exe  powershell.exe
    PID 2180 wrote to memory of 2548  2180  undercover.exe  powershell.exe
    PID 2180 wrote to memory of 2224  2180  undercover.exe  undercover.exe
    PID 2180 wrote to memory of 2224  2180  undercover.exe  undercover.exe
    PID 2180 wrote to memory of 2224  2180  undercover.exe  undercover.exe
    PID 2180 wrote to memory of 2224  2180  undercover.exe  undercover.exe
    PID 2180 wrote to memory of 2224  2180  undercover.exe  undercover.exe
    PID 2180 wrote to memory of 2224  2180  undercover.exe  undercover.exe
    PID 2180 wrote to memory of 2224  2180  undercover.exe  undercover.exe
    PID 2180 wrote to memory of 2224  2180  undercover.exe  undercover.exe
    PID 2180 wrote to memory of 2224  2180  undercover.exe  undercover.exe
    PID 2180 wrote to memory of 2224  2180  undercover.exe  undercover.exe
    PID 2180 wrote to memory of 2224  2180  undercover.exe  undercover.exe
    PID 2180 wrote to memory of 2224  2180  undercover.exe  undercover.exe
    PID 2224 wrote to memory of 2384  2224  undercover.exe  WerFault.exe
    PID 2224 wrote to memory of 2384  2224  undercover.exe  WerFault.exe
    PID 2224 wrote to memory of 2384  2224  undercover.exe  WerFault.exe
    PID 2224 wrote to memory of 2384  2224  undercover.exe  WerFault.exe
Processes

C:\Users\Admin\AppData\Local\Temp\undercover.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\undercover.exe"
  PID: 2180
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\undercover.exe"
    PID: 2548
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

  C:\Users\Admin\AppData\Local\Temp\undercover.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\undercover.exe"
    PID: 2224
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2224 -s 212
      PID: 2384
      - Program crash