Analysis

  • max time kernel
    147s
  • max time network
    150s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    03-11-2024 02:32

General

  • Target

    2b4e54af556badc27f08c9a966dd55f090f4a5ef8978793e0ba296b05ddfb242.exe

  • Size

    113KB

  • MD5

    00345de133a4d119eacc29fb87f648e9

  • SHA1

    63b3f141071e71d39866d7a4bd204b2b8615080d

  • SHA256

    2b4e54af556badc27f08c9a966dd55f090f4a5ef8978793e0ba296b05ddfb242

  • SHA512

    f44554716ca9b88ef9823508947b9756774c93888308fc4aad892db99cc3373e45013f7ad6d188fef608404a9d94e22c79c6dad6021ae3c7c3c6bcb21db3824a

  • SSDEEP

    1536:h0jP7/L1B5rVmN8sxHv2M28ix8EUaJxWZoB4u0OVE01:K1VmhaH8EFvW+0OVE0

Malware Config

Extracted

Family

warzonerat

C2

chromedata.accesscam.org:5221

Signatures

  • WarzoneRat, AveMaria

    WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.

  • Warzonerat family
  • Warzone RAT payload 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2b4e54af556badc27f08c9a966dd55f090f4a5ef8978793e0ba296b05ddfb242.exe
    "C:\Users\Admin\AppData\Local\Temp\2b4e54af556badc27f08c9a966dd55f090f4a5ef8978793e0ba296b05ddfb242.exe"
    1⤵
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2684
    • C:\ProgramData\images.exe
      "C:\ProgramData\images.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:2352

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\ProgramData\images.exe

    Filesize

    113KB

    MD5

    00345de133a4d119eacc29fb87f648e9

    SHA1

    63b3f141071e71d39866d7a4bd204b2b8615080d

    SHA256

    2b4e54af556badc27f08c9a966dd55f090f4a5ef8978793e0ba296b05ddfb242

    SHA512

    f44554716ca9b88ef9823508947b9756774c93888308fc4aad892db99cc3373e45013f7ad6d188fef608404a9d94e22c79c6dad6021ae3c7c3c6bcb21db3824a