Analysis
max time kernel: 293s
max time network: 297s
platform: windows10-2004_x64
resource: win10v2004-20240426-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
submitted: 06-05-2024 04:05
Static task: static1
Behavioral task: behavioral1
  Sample: undercover.zip
  Resource: win7-20240215-en
Behavioral task: behavioral2
  Sample: undercover.zip
  Resource: win10v2004-20240419-en
Behavioral task: behavioral3
  Sample: undercover.exe
  Resource: win7-20231129-en
Behavioral task: behavioral4
  Sample: undercover.exe
  Resource: win10v2004-20240426-en
General
Target: undercover.exe
Size: 642KB
MD5: c7dde9741228fbc2c317bae1ef4c8231
SHA1: 26deeac180d6bf406bd004a718cbc86b1586c494
SHA256: d1d0a4c2a7489201006748a364e5cc6dca7b0721dbce83c54566c555bc56ca68
SHA512: 05508db7f290282c91d461b7284c1856ee9ad2e042dc57f9203f79374492ba69c457985177d9e11195758680b6c211261fa7df2662c380edb1bb0b3678e1139e
SSDEEP: 12288:y0WWObW5cBj7O56jp7t8c6B5wAmjPDynKr7fP7E3caoAqI+lRW:l4JugjEc6B5wT6KrL7E3hVElR
Malware Config
Extracted
Family: warzonerat
C2: 93.123.118.3:65535
Signatures
WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
Warzone RAT payload (4 IoCs)
Processes (resource; yara_rule):
behavioral4/memory/4164-12-0x0000000000400000-0x000000000055C000-memory.dmp; warzonerat
behavioral4/memory/4164-15-0x0000000000400000-0x000000000055C000-memory.dmp; warzonerat
behavioral4/memory/4164-16-0x0000000000400000-0x000000000055C000-memory.dmp; warzonerat
behavioral4/memory/4164-63-0x0000000000400000-0x000000000055C000-memory.dmp; warzonerat
Command and Scripting Interpreter: PowerShell (1 TTP, 1 IoC)
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
Processes (description; ioc; process):
Key value queried; \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation; undercover.exe
Suspicious use of SetThreadContext (1 IoC)
Processes (description; pid; process; target process):
PID 460 set thread context of 4164; 460; undercover.exe; undercover.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
Suspicious behavior: EnumeratesProcesses (2 IoCs)
Processes (pid; process):
3796; powershell.exe
3796; powershell.exe
Suspicious use of AdjustPrivilegeToken (1 IoC)
Processes (description; pid; process):
Token: SeDebugPrivilege; 3796; powershell.exe
Suspicious use of WriteProcessMemory (14 IoCs)
Processes (description; pid; process; target process):
PID 460 wrote to memory of 3796; 460; undercover.exe; powershell.exe (3 entries)
PID 460 wrote to memory of 4164; 460; undercover.exe; undercover.exe (11 entries)
Processes
- C:\Users\Admin\AppData\Local\Temp\undercover.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\undercover.exe"
  PID: 460
  Signatures: Checks computer location settings; Suspicious use of SetThreadContext; Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\undercover.exe"
    PID: 3796
    Signatures: Command and Scripting Interpreter: PowerShell; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
  - C:\Users\Admin\AppData\Local\Temp\undercover.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\undercover.exe"
    PID: 4164
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 60B
MD5: d17fe0a3f47be24a6453e9ef58c94641
SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82