Analysis
-
max time kernel
145s -
max time network
146s -
platform
windows10_x64 -
resource
win10v200430 -
submitted
25-06-2020 13:39
Static task
static1
Behavioral task
behavioral1
Sample
DHL DOC No_SINI0068206497_PDF.exe
Resource
win7
Behavioral task
behavioral2
Sample
DHL DOC No_SINI0068206497_PDF.exe
Resource
win10v200430
General
-
Target
DHL DOC No_SINI0068206497_PDF.exe
-
Size
2.0MB
-
MD5
aade658ec7f1e9aa00f25975c65f361c
-
SHA1
2e6901c0e9182e946a2499d0dce8d98a8837b011
-
SHA256
da8e89fa0cbec2f66ea695865de7a0eb7f9211c10aae3598490bbaec4f83ebfc
-
SHA512
0c3e6180202c777a0ed285e7304bb4e4c4ed9e2a35cbc8a66259386e0adb988cdf5e587f5e35bedcda5173e1821e99b0c2420659c482f481d4199451de9a8e6e
Malware Config
Signatures
-
WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
-
ServiceHost packer 12 IoCs
Detects ServiceHost packer used for .NET malware
Processes:
resource yara_rule behavioral2/memory/2752-6-0x0000000000000000-mapping.dmp servicehost behavioral2/memory/2752-7-0x0000000000000000-mapping.dmp servicehost behavioral2/memory/2752-9-0x0000000000000000-mapping.dmp servicehost behavioral2/memory/2752-8-0x0000000000000000-mapping.dmp servicehost behavioral2/memory/2752-10-0x0000000000000000-mapping.dmp servicehost behavioral2/memory/2752-11-0x0000000000000000-mapping.dmp servicehost behavioral2/memory/2016-18-0x0000000000000000-mapping.dmp servicehost behavioral2/memory/2016-19-0x0000000000000000-mapping.dmp servicehost behavioral2/memory/2016-20-0x0000000000000000-mapping.dmp servicehost behavioral2/memory/2016-21-0x0000000000000000-mapping.dmp servicehost behavioral2/memory/2016-22-0x0000000000000000-mapping.dmp servicehost behavioral2/memory/2228-23-0x0000000000000000-mapping.dmp servicehost -
Warzone RAT Payload 2 IoCs
Processes:
resource yara_rule behavioral2/memory/1356-0-0x0000000002FC0000-0x0000000003113000-memory.dmp warzonerat behavioral2/memory/3508-14-0x0000000000700000-0x0000000000853000-memory.dmp warzonerat -
Executes dropped EXE 1 IoCs
Processes:
intelx.exepid Process 3508 intelx.exe -
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
DHL DOC No_SINI0068206497_PDF.exedescription ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\intelx = "C:\\ProgramData\\intelx.exe" DHL DOC No_SINI0068206497_PDF.exe -
Program crash 2 IoCs
Processes:
WerFault.exeWerFault.exepid pid_target Process procid_target 3384 2752 WerFault.exe 73 1320 2016 WerFault.exe 79 -
Suspicious behavior: EnumeratesProcesses 28 IoCs
Processes:
WerFault.exeWerFault.exepid Process 3384 WerFault.exe 3384 WerFault.exe 3384 WerFault.exe 3384 WerFault.exe 3384 WerFault.exe 3384 WerFault.exe 3384 WerFault.exe 3384 WerFault.exe 3384 WerFault.exe 3384 WerFault.exe 3384 WerFault.exe 3384 WerFault.exe 3384 WerFault.exe 3384 WerFault.exe 1320 WerFault.exe 1320 WerFault.exe 1320 WerFault.exe 1320 WerFault.exe 1320 WerFault.exe 1320 WerFault.exe 1320 WerFault.exe 1320 WerFault.exe 1320 WerFault.exe 1320 WerFault.exe 1320 WerFault.exe 1320 WerFault.exe 1320 WerFault.exe 1320 WerFault.exe -
Suspicious use of AdjustPrivilegeToken 4 IoCs
Processes:
WerFault.exeWerFault.exedescription pid Process Token: SeRestorePrivilege 3384 WerFault.exe Token: SeBackupPrivilege 3384 WerFault.exe Token: SeDebugPrivilege 3384 WerFault.exe Token: SeDebugPrivilege 1320 WerFault.exe -
Suspicious use of WriteProcessMemory 14 IoCs
Processes:
DHL DOC No_SINI0068206497_PDF.exeintelx.exedescription pid Process procid_target PID 1356 wrote to memory of 2752 1356 DHL DOC No_SINI0068206497_PDF.exe 73 PID 1356 wrote to memory of 2752 1356 DHL DOC No_SINI0068206497_PDF.exe 73 PID 1356 wrote to memory of 2752 1356 DHL DOC No_SINI0068206497_PDF.exe 73 PID 1356 wrote to memory of 3508 1356 DHL DOC No_SINI0068206497_PDF.exe 75 PID 1356 wrote to memory of 3508 1356 DHL DOC No_SINI0068206497_PDF.exe 75 PID 1356 wrote to memory of 3508 1356 DHL DOC No_SINI0068206497_PDF.exe 75 PID 3508 wrote to memory of 2016 3508 intelx.exe 79 PID 3508 wrote to memory of 2016 3508 intelx.exe 79 PID 3508 wrote to memory of 2016 3508 intelx.exe 79 PID 3508 wrote to memory of 2228 3508 intelx.exe 81 PID 3508 wrote to memory of 2228 3508 intelx.exe 81 PID 3508 wrote to memory of 2228 3508 intelx.exe 81 PID 3508 wrote to memory of 2228 3508 intelx.exe 81 PID 3508 wrote to memory of 2228 3508 intelx.exe 81
Processes
-
C:\Users\Admin\AppData\Local\Temp\DHL DOC No_SINI0068206497_PDF.exe"C:\Users\Admin\AppData\Local\Temp\DHL DOC No_SINI0068206497_PDF.exe"1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1356 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell Add-MpPreference -ExclusionPath C:\2⤵PID:2752
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2752 -s 7043⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3384
-
-
-
C:\ProgramData\intelx.exe"C:\ProgramData\intelx.exe"2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3508 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell Add-MpPreference -ExclusionPath C:\3⤵PID:2016
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2016 -s 7004⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1320
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe"3⤵PID:2228
-
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
MD5
aade658ec7f1e9aa00f25975c65f361c
SHA12e6901c0e9182e946a2499d0dce8d98a8837b011
SHA256da8e89fa0cbec2f66ea695865de7a0eb7f9211c10aae3598490bbaec4f83ebfc
SHA5120c3e6180202c777a0ed285e7304bb4e4c4ed9e2a35cbc8a66259386e0adb988cdf5e587f5e35bedcda5173e1821e99b0c2420659c482f481d4199451de9a8e6e
-
MD5
aade658ec7f1e9aa00f25975c65f361c
SHA12e6901c0e9182e946a2499d0dce8d98a8837b011
SHA256da8e89fa0cbec2f66ea695865de7a0eb7f9211c10aae3598490bbaec4f83ebfc
SHA5120c3e6180202c777a0ed285e7304bb4e4c4ed9e2a35cbc8a66259386e0adb988cdf5e587f5e35bedcda5173e1821e99b0c2420659c482f481d4199451de9a8e6e