Analysis
max time kernel: 148s
max time network: 152s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 01-11-2024 23:33
Static task: static1
Behavioral task: behavioral1
  Sample: 15833f92c23ba3afbba0f4f273274452.exe
  Resource: win7-20241010-en
Behavioral task: behavioral2
  Sample: 15833f92c23ba3afbba0f4f273274452.exe
  Resource: win10v2004-20241007-en
General
Target: 15833f92c23ba3afbba0f4f273274452.exe
Size: 2.4MB
MD5: 15833f92c23ba3afbba0f4f273274452
SHA1: f9f68f691644f7be60128ede3005699e7d6f4941
SHA256: 7aa7c19de5eaa2409006038a7d0d7423dd0c7d9b3d9514ffb8d790e4fdc51d2c
SHA512: cfe3e16c91e9013c259dcd52527bc458d33b568459995238d8356abf4bb2438a425aa01d517f0ca16e096b80114e6af234dde43cc4ce082f75163f52660f1690
SSDEEP: 49152:vslBubuANjnMenjn+TH2dfdWVOm+C8tNPd1Zyiu+vbFxqiedJBBmUdP:vslgb9lMkhd1WYmpktd1ZDvbTqRfBrdP
Malware Config
Extracted: warzonerat
  162.230.48.189:56001
Extracted: lumma
  https://goalyfeastz.site/api
  https://contemteny.site/api
  https://dilemmadu.site/api
  https://authorisev.site/api
Signatures

Lumma family

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoC
Processes:
description | pid | process | target process
PID 2308 created 3584 | 2308 | rBr8y66SWW.exe | Explorer.EXE
WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.

Warzonerat family

Warzone RAT payload 2 IoCs
Processes:
resource | yara_rule
behavioral2/memory/2148-1125-0x0000000000400000-0x000000000055C000-memory.dmp | warzonerat
behavioral2/memory/2148-1131-0x0000000000400000-0x000000000055C000-memory.dmp | warzonerat
Checks computer location settings 2 TTPs 1 IoC
Looks up country code configured in the registry, likely geofence.
Processes:
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation | 15833f92c23ba3afbba0f4f273274452.exe
Drops startup file 1 IoC
Processes:
description | ioc | process
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CountOut.vbs | rBr8y66SWW.exe
Executes dropped EXE 4 IoCs
Processes:
pid | process
2880 | MkH1oeeWOE.exe
2308 | rBr8y66SWW.exe
1452 | MkH1oeeWOE.exe
1808 | MkH1oeeWOE.exe
Suspicious use of SetThreadContext 3 IoCs
Processes:
description | pid | process | target process
PID 896 set thread context of 4152 | 896 | 15833f92c23ba3afbba0f4f273274452.exe | 15833f92c23ba3afbba0f4f273274452.exe
PID 2308 set thread context of 2148 | 2308 | rBr8y66SWW.exe | InstallUtil.exe
PID 2880 set thread context of 1808 | 2880 | MkH1oeeWOE.exe | MkH1oeeWOE.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

Program crash 3 IoCs
Processes:
pid | pid_target | process | target process
1972 | 896 | WerFault.exe | 15833f92c23ba3afbba0f4f273274452.exe
1304 | 2880 | WerFault.exe | MkH1oeeWOE.exe
5568 | 1808 | WerFault.exe | MkH1oeeWOE.exe
System Location Discovery: System Language Discovery 1 TTPs 6 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
description | ioc | process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 15833f92c23ba3afbba0f4f273274452.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 15833f92c23ba3afbba0f4f273274452.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | rBr8y66SWW.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | MkH1oeeWOE.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | InstallUtil.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | MkH1oeeWOE.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes:
pid | process
2308 | rBr8y66SWW.exe
2308 | rBr8y66SWW.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
description | pid | process
Token: SeDebugPrivilege | 2308 | rBr8y66SWW.exe
Token: SeDebugPrivilege | 2308 | rBr8y66SWW.exe
Suspicious use of WriteProcessMemory 45 IoCs
Processes:
description | pid | process | target process
PID 896 wrote to memory of 3060 | 896 | 15833f92c23ba3afbba0f4f273274452.exe | 15833f92c23ba3afbba0f4f273274452.exe
PID 896 wrote to memory of 3060 | 896 | 15833f92c23ba3afbba0f4f273274452.exe | 15833f92c23ba3afbba0f4f273274452.exe
PID 896 wrote to memory of 3060 | 896 | 15833f92c23ba3afbba0f4f273274452.exe | 15833f92c23ba3afbba0f4f273274452.exe
PID 896 wrote to memory of 548 | 896 | 15833f92c23ba3afbba0f4f273274452.exe | 15833f92c23ba3afbba0f4f273274452.exe
PID 896 wrote to memory of 548 | 896 | 15833f92c23ba3afbba0f4f273274452.exe | 15833f92c23ba3afbba0f4f273274452.exe
PID 896 wrote to memory of 548 | 896 | 15833f92c23ba3afbba0f4f273274452.exe | 15833f92c23ba3afbba0f4f273274452.exe
PID 896 wrote to memory of 4152 | 896 | 15833f92c23ba3afbba0f4f273274452.exe | 15833f92c23ba3afbba0f4f273274452.exe
PID 896 wrote to memory of 4152 | 896 | 15833f92c23ba3afbba0f4f273274452.exe | 15833f92c23ba3afbba0f4f273274452.exe
PID 896 wrote to memory of 4152 | 896 | 15833f92c23ba3afbba0f4f273274452.exe | 15833f92c23ba3afbba0f4f273274452.exe
PID 896 wrote to memory of 4152 | 896 | 15833f92c23ba3afbba0f4f273274452.exe | 15833f92c23ba3afbba0f4f273274452.exe
PID 896 wrote to memory of 4152 | 896 | 15833f92c23ba3afbba0f4f273274452.exe | 15833f92c23ba3afbba0f4f273274452.exe
PID 896 wrote to memory of 4152 | 896 | 15833f92c23ba3afbba0f4f273274452.exe | 15833f92c23ba3afbba0f4f273274452.exe
PID 896 wrote to memory of 4152 | 896 | 15833f92c23ba3afbba0f4f273274452.exe | 15833f92c23ba3afbba0f4f273274452.exe
PID 896 wrote to memory of 4152 | 896 | 15833f92c23ba3afbba0f4f273274452.exe | 15833f92c23ba3afbba0f4f273274452.exe
PID 896 wrote to memory of 4152 | 896 | 15833f92c23ba3afbba0f4f273274452.exe | 15833f92c23ba3afbba0f4f273274452.exe
PID 896 wrote to memory of 4152 | 896 | 15833f92c23ba3afbba0f4f273274452.exe | 15833f92c23ba3afbba0f4f273274452.exe
PID 4152 wrote to memory of 2880 | 4152 | 15833f92c23ba3afbba0f4f273274452.exe | MkH1oeeWOE.exe
PID 4152 wrote to memory of 2880 | 4152 | 15833f92c23ba3afbba0f4f273274452.exe | MkH1oeeWOE.exe
PID 4152 wrote to memory of 2880 | 4152 | 15833f92c23ba3afbba0f4f273274452.exe | MkH1oeeWOE.exe
PID 4152 wrote to memory of 2308 | 4152 | 15833f92c23ba3afbba0f4f273274452.exe | rBr8y66SWW.exe
PID 4152 wrote to memory of 2308 | 4152 | 15833f92c23ba3afbba0f4f273274452.exe | rBr8y66SWW.exe
PID 4152 wrote to memory of 2308 | 4152 | 15833f92c23ba3afbba0f4f273274452.exe | rBr8y66SWW.exe
PID 2308 wrote to memory of 2148 | 2308 | rBr8y66SWW.exe | InstallUtil.exe
PID 2308 wrote to memory of 2148 | 2308 | rBr8y66SWW.exe | InstallUtil.exe
PID 2308 wrote to memory of 2148 | 2308 | rBr8y66SWW.exe | InstallUtil.exe
PID 2308 wrote to memory of 2148 | 2308 | rBr8y66SWW.exe | InstallUtil.exe
PID 2308 wrote to memory of 2148 | 2308 | rBr8y66SWW.exe | InstallUtil.exe
PID 2308 wrote to memory of 2148 | 2308 | rBr8y66SWW.exe | InstallUtil.exe
PID 2308 wrote to memory of 2148 | 2308 | rBr8y66SWW.exe | InstallUtil.exe
PID 2308 wrote to memory of 2148 | 2308 | rBr8y66SWW.exe | InstallUtil.exe
PID 2308 wrote to memory of 2148 | 2308 | rBr8y66SWW.exe | InstallUtil.exe
PID 2308 wrote to memory of 2148 | 2308 | rBr8y66SWW.exe | InstallUtil.exe
PID 2308 wrote to memory of 2148 | 2308 | rBr8y66SWW.exe | InstallUtil.exe
PID 2880 wrote to memory of 1452 | 2880 | MkH1oeeWOE.exe | MkH1oeeWOE.exe
PID 2880 wrote to memory of 1452 | 2880 | MkH1oeeWOE.exe | MkH1oeeWOE.exe
PID 2880 wrote to memory of 1452 | 2880 | MkH1oeeWOE.exe | MkH1oeeWOE.exe
PID 2880 wrote to memory of 1808 | 2880 | MkH1oeeWOE.exe | MkH1oeeWOE.exe
PID 2880 wrote to memory of 1808 | 2880 | MkH1oeeWOE.exe | MkH1oeeWOE.exe
PID 2880 wrote to memory of 1808 | 2880 | MkH1oeeWOE.exe | MkH1oeeWOE.exe
PID 2880 wrote to memory of 1808 | 2880 | MkH1oeeWOE.exe | MkH1oeeWOE.exe
PID 2880 wrote to memory of 1808 | 2880 | MkH1oeeWOE.exe | MkH1oeeWOE.exe
PID 2880 wrote to memory of 1808 | 2880 | MkH1oeeWOE.exe | MkH1oeeWOE.exe
PID 2880 wrote to memory of 1808 | 2880 | MkH1oeeWOE.exe | MkH1oeeWOE.exe
PID 2880 wrote to memory of 1808 | 2880 | MkH1oeeWOE.exe | MkH1oeeWOE.exe
PID 2880 wrote to memory of 1808 | 2880 | MkH1oeeWOE.exe | MkH1oeeWOE.exe
Processes
(process tree; the bracketed number is the depth reported by the sandbox, indentation shows parent/child relationships)

[1] C:\Windows\Explorer.EXE
    cmdline: C:\Windows\Explorer.EXE
    PID: 3584
  [2] C:\Users\Admin\AppData\Local\Temp\15833f92c23ba3afbba0f4f273274452.exe
      cmdline: "C:\Users\Admin\AppData\Local\Temp\15833f92c23ba3afbba0f4f273274452.exe"
      - Suspicious use of SetThreadContext
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      PID: 896
    [3] C:\Users\Admin\AppData\Local\Temp\15833f92c23ba3afbba0f4f273274452.exe
        cmdline: "C:\Users\Admin\AppData\Local\Temp\15833f92c23ba3afbba0f4f273274452.exe"
        PID: 3060
    [3] C:\Users\Admin\AppData\Local\Temp\15833f92c23ba3afbba0f4f273274452.exe
        cmdline: "C:\Users\Admin\AppData\Local\Temp\15833f92c23ba3afbba0f4f273274452.exe"
        PID: 548
    [3] C:\Users\Admin\AppData\Local\Temp\15833f92c23ba3afbba0f4f273274452.exe
        cmdline: "C:\Users\Admin\AppData\Local\Temp\15833f92c23ba3afbba0f4f273274452.exe"
        - Checks computer location settings
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory
        PID: 4152
      [4] C:\Users\Admin\AppData\Roaming\MkH1oeeWOE.exe
          cmdline: "C:\Users\Admin\AppData\Roaming\MkH1oeeWOE.exe"
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          - System Location Discovery: System Language Discovery
          - Suspicious use of WriteProcessMemory
          PID: 2880
        [5] C:\Users\Admin\AppData\Roaming\MkH1oeeWOE.exe
            cmdline: "C:\Users\Admin\AppData\Roaming\MkH1oeeWOE.exe"
            - Executes dropped EXE
            PID: 1452
        [5] C:\Users\Admin\AppData\Roaming\MkH1oeeWOE.exe
            cmdline: "C:\Users\Admin\AppData\Roaming\MkH1oeeWOE.exe"
            - Executes dropped EXE
            - System Location Discovery: System Language Discovery
            PID: 1808
          [6] C:\Windows\SysWOW64\WerFault.exe
              cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 1808 -s 1264
              - Program crash
              PID: 5568
        [5] C:\Windows\SysWOW64\WerFault.exe
            cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 2880 -s 272
            - Program crash
            PID: 1304
      [4] C:\Users\Admin\AppData\Roaming\rBr8y66SWW.exe
          cmdline: "C:\Users\Admin\AppData\Roaming\rBr8y66SWW.exe"
          - Suspicious use of NtCreateUserProcessOtherParentProcess
          - Drops startup file
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          - System Location Discovery: System Language Discovery
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
          - Suspicious use of WriteProcessMemory
          PID: 2308
    [3] C:\Windows\SysWOW64\WerFault.exe
        cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 896 -s 288
        - Program crash
        PID: 1972
  [2] C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
      cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
      - System Location Discovery: System Language Discovery
      PID: 2148
[1] C:\Windows\SysWOW64\WerFault.exe
    cmdline: C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 896 -ip 896
    PID: 1732
[1] C:\Windows\SysWOW64\WerFault.exe
    cmdline: C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 2880 -ip 2880
    PID: 4040
[1] C:\Windows\SysWOW64\WerFault.exe
    cmdline: C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 1808 -ip 1808
    PID: 5516
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 689KB
MD5: 4936c0448e4102ef927a39dbf8091a28
SHA1: d633d0a36ff0b44dc46055ad46f88f2bf4e8cbd1
SHA256: 89e63f0332e999a1a687c00809b8dc74bbea5a3f4e073b9bf6e5d263e4841f25
SHA512: 02f068e64bde6d398d9e4847ed25930b07b1dc01a2e18efa4df380bcf01824c32936c11ce58e3de3e5c9a4d2cb42e1c888f33dd065877cb753f4125a0528deba

Filesize: 1.1MB
MD5: 95a0dff56d70a7b7adcffa913f972068
SHA1: 58ce4ea22d1f6a16a062748c163165f10ed9f4d5
SHA256: 957aea30bdec9201f6017668fd3dea7af4232a74da1e0316162acdd9f633eb8b
SHA512: 17c547f275a90dbf75ec84cd05eb5cde9effad970962ddb09b362a26ffa0aedc080ba4208cecb995ec9e0ffa5a64c503c5b89fe9e79adfd6cb0bb5eb165ea276