Analysis
max time kernel: 147s
max time network: 150s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64 arch:x86 image:win7-20240903-en locale:en-us os:windows7-x64 system
submitted: 03-11-2024 02:32
Behavioral task: behavioral1
Sample: 2b4e54af556badc27f08c9a966dd55f090f4a5ef8978793e0ba296b05ddfb242.exe
Resource: win7-20240903-en
Behavioral task: behavioral2
Sample: 2b4e54af556badc27f08c9a966dd55f090f4a5ef8978793e0ba296b05ddfb242.exe
Resource: win10v2004-20241007-en
General
Target: 2b4e54af556badc27f08c9a966dd55f090f4a5ef8978793e0ba296b05ddfb242.exe
Size: 113KB
MD5: 00345de133a4d119eacc29fb87f648e9
SHA1: 63b3f141071e71d39866d7a4bd204b2b8615080d
SHA256: 2b4e54af556badc27f08c9a966dd55f090f4a5ef8978793e0ba296b05ddfb242
SHA512: f44554716ca9b88ef9823508947b9756774c93888308fc4aad892db99cc3373e45013f7ad6d188fef608404a9d94e22c79c6dad6021ae3c7c3c6bcb21db3824a
SSDEEP: 1536:h0jP7/L1B5rVmN8sxHv2M28ix8EUaJxWZoB4u0OVE01:K1VmhaH8EFvW+0OVE0
Malware Config
Extracted family: warzonerat
C2 (from extracted config): chromedata.accesscam.org:5221
Signatures
- WarzoneRat, AveMaria
  WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
- Warzonerat family
- Warzone RAT payload (1 IoC)
  resource: behavioral1/files/0x0009000000015689-7.dat, yara_rule: warzonerat
- Executes dropped EXE (1 IoC)
  Process: images.exe (PID 2352)
- Loads dropped DLL (2 IoCs)
  Process: 2b4e54af556badc27f08c9a966dd55f090f4a5ef8978793e0ba296b05ddfb242.exe (PID 2684), two DLL loads recorded
- System Location Discovery: System Language Discovery (1 TTP, 2 IoCs)
  Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language by 2b4e54af556badc27f08c9a966dd55f090f4a5ef8978793e0ba296b05ddfb242.exe
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language by images.exe
- Suspicious use of WriteProcessMemory (4 IoCs)
  PID 2684 (2b4e54af556badc27f08c9a966dd55f090f4a5ef8978793e0ba296b05ddfb242.exe) wrote to memory of PID 2352 (procid_target 30); recorded 4 times
Processes
1. C:\Users\Admin\AppData\Local\Temp\2b4e54af556badc27f08c9a966dd55f090f4a5ef8978793e0ba296b05ddfb242.exe "C:\Users\Admin\AppData\Local\Temp\2b4e54af556badc27f08c9a966dd55f090f4a5ef8978793e0ba296b05ddfb242.exe" (PID 2684)
   - Loads dropped DLL
   - System Location Discovery: System Language Discovery
   - Suspicious use of WriteProcessMemory
   2. C:\ProgramData\images.exe "C:\ProgramData\images.exe" (PID 2352, spawned by PID 2684)
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 113KB
  MD5: 00345de133a4d119eacc29fb87f648e9
  SHA1: 63b3f141071e71d39866d7a4bd204b2b8615080d
  SHA256: 2b4e54af556badc27f08c9a966dd55f090f4a5ef8978793e0ba296b05ddfb242
  SHA512: f44554716ca9b88ef9823508947b9756774c93888308fc4aad892db99cc3373e45013f7ad6d188fef608404a9d94e22c79c6dad6021ae3c7c3c6bcb21db3824a