Analysis
max time kernel: 117s
max time network: 117s
platform: windows7_x64
resource: win7-20231129-en
resource tags: arch:x64, arch:x86, image:win7-20231129-en, locale:en-us, os:windows7-x64, system
submitted: 06-05-2024 04:05
Tasks
Static task: static1
Behavioral task behavioral1: sample undercover.zip, resource win7-20240215-en
Behavioral task behavioral2: sample undercover.zip, resource win10v2004-20240419-en
Behavioral task behavioral3: sample undercover.exe, resource win7-20231129-en
Behavioral task behavioral4: sample undercover.exe, resource win10v2004-20240426-en
General
Target: undercover.exe
Size: 642KB
MD5: c7dde9741228fbc2c317bae1ef4c8231
SHA1: 26deeac180d6bf406bd004a718cbc86b1586c494
SHA256: d1d0a4c2a7489201006748a364e5cc6dca7b0721dbce83c54566c555bc56ca68
SHA512: 05508db7f290282c91d461b7284c1856ee9ad2e042dc57f9203f79374492ba69c457985177d9e11195758680b6c211261fa7df2662c380edb1bb0b3678e1139e
SSDEEP: 12288:y0WWObW5cBj7O56jp7t8c6B5wAmjPDynKr7fP7E3caoAqI+lRW:l4JugjEc6B5wT6KrL7E3hVElR
Malware Config
Extracted
family: warzonerat
C2: 93.123.118.3:65535
Signatures

WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.

Warzone RAT payload (6 IoCs)
Processes:
resource | yara_rule
behavioral3/memory/2660-21-0x0000000000400000-0x000000000055C000-memory.dmp | warzonerat
behavioral3/memory/2660-23-0x0000000000400000-0x000000000055C000-memory.dmp | warzonerat
behavioral3/memory/2660-17-0x0000000000400000-0x000000000055C000-memory.dmp | warzonerat
behavioral3/memory/2660-13-0x0000000000400000-0x000000000055C000-memory.dmp | warzonerat
behavioral3/memory/2660-11-0x0000000000400000-0x000000000055C000-memory.dmp | warzonerat
behavioral3/memory/2660-15-0x0000000000400000-0x000000000055C000-memory.dmp | warzonerat

Command and Scripting Interpreter: PowerShell (1 TTPs, 1 IoCs)
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

Suspicious use of SetThreadContext (1 IoCs)
Processes:
description | pid | process | target process
PID 2340 set thread context of 2660 | 2340 | undercover.exe | undercover.exe

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

Program crash (1 IoCs)
Processes:
pid | pid_target | process | target process
2388 | 2660 | WerFault.exe | undercover.exe

Suspicious behavior: EnumeratesProcesses (1 IoCs)
Processes:
pid | process
2636 | powershell.exe

Suspicious use of AdjustPrivilegeToken (1 IoCs)
Processes:
description | pid | process
Token: SeDebugPrivilege | 2636 | powershell.exe

Suspicious use of WriteProcessMemory (20 IoCs)
Processes:
description | pid | process | target process
PID 2340 wrote to memory of 2636 | 2340 | undercover.exe | powershell.exe
PID 2340 wrote to memory of 2636 | 2340 | undercover.exe | powershell.exe
PID 2340 wrote to memory of 2636 | 2340 | undercover.exe | powershell.exe
PID 2340 wrote to memory of 2636 | 2340 | undercover.exe | powershell.exe
PID 2340 wrote to memory of 2660 | 2340 | undercover.exe | undercover.exe
PID 2340 wrote to memory of 2660 | 2340 | undercover.exe | undercover.exe
PID 2340 wrote to memory of 2660 | 2340 | undercover.exe | undercover.exe
PID 2340 wrote to memory of 2660 | 2340 | undercover.exe | undercover.exe
PID 2340 wrote to memory of 2660 | 2340 | undercover.exe | undercover.exe
PID 2340 wrote to memory of 2660 | 2340 | undercover.exe | undercover.exe
PID 2340 wrote to memory of 2660 | 2340 | undercover.exe | undercover.exe
PID 2340 wrote to memory of 2660 | 2340 | undercover.exe | undercover.exe
PID 2340 wrote to memory of 2660 | 2340 | undercover.exe | undercover.exe
PID 2340 wrote to memory of 2660 | 2340 | undercover.exe | undercover.exe
PID 2340 wrote to memory of 2660 | 2340 | undercover.exe | undercover.exe
PID 2340 wrote to memory of 2660 | 2340 | undercover.exe | undercover.exe
PID 2660 wrote to memory of 2388 | 2660 | undercover.exe | WerFault.exe
PID 2660 wrote to memory of 2388 | 2660 | undercover.exe | WerFault.exe
PID 2660 wrote to memory of 2388 | 2660 | undercover.exe | WerFault.exe
PID 2660 wrote to memory of 2388 | 2660 | undercover.exe | WerFault.exe
Processes

1. C:\Users\Admin\AppData\Local\Temp\undercover.exe (PID 2340)
   Command line: "C:\Users\Admin\AppData\Local\Temp\undercover.exe"
   - Suspicious use of SetThreadContext
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 2636)
      Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\undercover.exe"
      - Command and Scripting Interpreter: PowerShell
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

   2. C:\Users\Admin\AppData\Local\Temp\undercover.exe (PID 2660)
      Command line: "C:\Users\Admin\AppData\Local\Temp\undercover.exe"
      - Suspicious use of WriteProcessMemory

      3. C:\Windows\SysWOW64\WerFault.exe (PID 2388)
         Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2660 -s 212
         - Program crash