Analysis
Max time kernel: 121s
Max time network: 124s
Platform: windows7_x64
Resource: win7-20240705-en
Resource tags: arch:x64, arch:x86, image:win7-20240705-en, locale:en-us, os:windows7-x64, system
Submitted: 27-07-2024 01:43
Behavioral task: behavioral1
Sample: tes1.exe
Resource: win7-20240705-en
Behavioral task: behavioral2
Sample: tes1.exe
Resource: win10v2004-20240709-en
General
Target: tes1.exe
Size: 132KB
MD5: b77ff60d464d3aa97d0432680c468bf5
SHA1: 9523926751ef97005e7c87beac04ef74ba353fe2
SHA256: eb71118942d0a74070e815d3aa153cca01c172f4bce9c64fe64b097ce95ec797
SHA512: 699bb186b2859460d86ce1cff238665ecb3ed27291e7f8c2d85632e98596a0e31b186096e5fd1d3c77d52b3e5e029f0aa0f0f2a81e20ee8d79010d32627984ac
SSDEEP: 3072:K7W9jps0Tx4azG6GweOTir5axbjNCz45LT7a:KwpsERzGKurEXCzeLT7a
Malware Config
Extracted:
Family: warzonerat
C2: 194.59.30.96:7771
Signatures
WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.

Warzone RAT payload (1 IoC)
resource | yara_rule
\Users\Admin\Documents\images.exe | warzonerat

Executes dropped EXE (1 IoC)
Processes:
pid | process
2524 | images.exe

Loads dropped DLL (2 IoCs)
Processes:
pid | process
2504 | tes1.exe
2504 | tes1.exe
System Location Discovery: System Language Discovery (1 TTP, 2 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
description | ioc | process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | tes1.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | images.exe

Suspicious use of WriteProcessMemory (4 IoCs)
Processes:
description | pid | process | target process
PID 2504 wrote to memory of 2524 | 2504 | tes1.exe | images.exe
PID 2504 wrote to memory of 2524 | 2504 | tes1.exe | images.exe
PID 2504 wrote to memory of 2524 | 2504 | tes1.exe | images.exe
PID 2504 wrote to memory of 2524 | 2504 | tes1.exe | images.exe
Processes
1. C:\Users\Admin\AppData\Local\Temp\tes1.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\tes1.exe"
   PID: 2504
   - Loads dropped DLL
   - System Location Discovery: System Language Discovery
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\Documents\images.exe (child of PID 2504)
      Command line: "C:\Users\Admin\Documents\images.exe"
      PID: 2524
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 132KB
MD5: b77ff60d464d3aa97d0432680c468bf5
SHA1: 9523926751ef97005e7c87beac04ef74ba353fe2
SHA256: eb71118942d0a74070e815d3aa153cca01c172f4bce9c64fe64b097ce95ec797
SHA512: 699bb186b2859460d86ce1cff238665ecb3ed27291e7f8c2d85632e98596a0e31b186096e5fd1d3c77d52b3e5e029f0aa0f0f2a81e20ee8d79010d32627984ac