Analysis
-
max time kernel
145s -
max time network
146s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
-
submitted
02/03/2025, 12:49
General
-
Target
ezzzzzzzzzzzz.exe
-
Size
132KB
-
MD5
416f744073072d41c1cc491f86a139e6
-
SHA1
b08163f44ede1b36c41d2e661793ac092ab6c199
-
SHA256
b9b1fc57b2ff8a6410c214b7959020f5d9b75aec91f323346695b589c32fe186
-
SHA512
5f1edeccc94584fb08bb746f8a3236a30274d721e2b964e9ad6ffe1f49e12cfba41ad4213a45ec6714ab720f46299e17dd887149b3c58647c8a0fade41ef9060
-
SSDEEP
3072:K7W9jps0Tx4azG6GweOTir5axbjNCz45LT7a:KwpsERzGKurEXCzeLT7a
Malware Config
Extracted
warzonerat
0.tcp.ngrok.io:18696
Signatures
-
WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
-
Warzonerat family
-
Warzone RAT payload 1 IoCs
-
Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Drops startup file 2 IoCs
-
Executes dropped EXE 1 IoCs
-
Loads dropped DLL 2 IoCs
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs
-
System Location Discovery: System Language Discovery 1 TTPs 5 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
NTFS ADS 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
-
Suspicious use of WriteProcessMemory 18 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\ezzzzzzzzzzzz.exe"C:\Users\Admin\AppData\Local\Temp\ezzzzzzzzzzzz.exe"1⤵
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- NTFS ADS
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell Add-MpPreference -ExclusionPath C:\2⤵
- Command and Scripting Interpreter: PowerShell
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\Documents\images.exe"C:\Users\Admin\Documents\images.exe"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell Add-MpPreference -ExclusionPath C:\3⤵
- Command and Scripting Interpreter: PowerShell
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe"3⤵
- System Location Discovery: System Language Discovery
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
7KB
MD5b8450ccede5fdf2b6fbcf7d360621f7d
SHA11a0e8ce660dee1b2796ed2f56322f89903c5db08
SHA25653b5e363d7e158c1c3af3aa7825d6d3136690d433118e9ddeec1d0668ee316a7
SHA51250fc9b8437c464dce829d35d9f8a272f76c574a9fdba25e0c2a151542ba95d01c516e0851353c3fd8f486e09b1deb95da2ff66543ba9c3a1ab14ab129192d4a1
-
Filesize
132KB
MD5416f744073072d41c1cc491f86a139e6
SHA1b08163f44ede1b36c41d2e661793ac092ab6c199
SHA256b9b1fc57b2ff8a6410c214b7959020f5d9b75aec91f323346695b589c32fe186
SHA5125f1edeccc94584fb08bb746f8a3236a30274d721e2b964e9ad6ffe1f49e12cfba41ad4213a45ec6714ab720f46299e17dd887149b3c58647c8a0fade41ef9060
-
Filesize
4KB
-
Filesize
5.7MB
-
Filesize
5.7MB
-
Filesize
5.7MB
-
Filesize
5.7MB
-
Filesize
4KB
-
Filesize
4KB