Analysis
-
max time kernel
145s -
max time network
146s -
platform
windows10_x64 -
resource
win10v200430 -
submitted
25-06-2020 13:39
General
-
Target
DHL DOC No_SINI0068206497_PDF.exe
-
Size
2.0MB
-
MD5
aade658ec7f1e9aa00f25975c65f361c
-
SHA1
2e6901c0e9182e946a2499d0dce8d98a8837b011
-
SHA256
da8e89fa0cbec2f66ea695865de7a0eb7f9211c10aae3598490bbaec4f83ebfc
-
SHA512
0c3e6180202c777a0ed285e7304bb4e4c4ed9e2a35cbc8a66259386e0adb988cdf5e587f5e35bedcda5173e1821e99b0c2420659c482f481d4199451de9a8e6e
Malware Config
Signatures
-
WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
-
ServiceHost packer 12 IoCs
Detects ServiceHost packer used for .NET malware
-
Warzone RAT Payload 2 IoCs
-
Executes dropped EXE 1 IoCs
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Program crash 2 IoCs
-
Suspicious behavior: EnumeratesProcesses 28 IoCs
-
Suspicious use of AdjustPrivilegeToken 4 IoCs
-
Suspicious use of WriteProcessMemory 14 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\DHL DOC No_SINI0068206497_PDF.exe"C:\Users\Admin\AppData\Local\Temp\DHL DOC No_SINI0068206497_PDF.exe"1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell Add-MpPreference -ExclusionPath C:\2⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2752 -s 7043⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\ProgramData\intelx.exe"C:\ProgramData\intelx.exe"2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell Add-MpPreference -ExclusionPath C:\3⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2016 -s 7004⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe"3⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\ProgramData\intelx.exeMD5
aade658ec7f1e9aa00f25975c65f361c
SHA12e6901c0e9182e946a2499d0dce8d98a8837b011
SHA256da8e89fa0cbec2f66ea695865de7a0eb7f9211c10aae3598490bbaec4f83ebfc
SHA5120c3e6180202c777a0ed285e7304bb4e4c4ed9e2a35cbc8a66259386e0adb988cdf5e587f5e35bedcda5173e1821e99b0c2420659c482f481d4199451de9a8e6e
-
C:\ProgramData\intelx.exeMD5
aade658ec7f1e9aa00f25975c65f361c
SHA12e6901c0e9182e946a2499d0dce8d98a8837b011
SHA256da8e89fa0cbec2f66ea695865de7a0eb7f9211c10aae3598490bbaec4f83ebfc
SHA5120c3e6180202c777a0ed285e7304bb4e4c4ed9e2a35cbc8a66259386e0adb988cdf5e587f5e35bedcda5173e1821e99b0c2420659c482f481d4199451de9a8e6e
-
memory/1320-24-0x00000000051E0000-0x00000000051E1000-memory.dmpFilesize
4KB
-
memory/1320-17-0x0000000004BB0000-0x0000000004BB1000-memory.dmpFilesize
4KB
-
memory/1356-0-0x0000000002FC0000-0x0000000003113000-memory.dmpFilesize
1.3MB
-
memory/2016-22-0x0000000000000000-mapping.dmp
-
memory/2016-15-0x0000000000000000-mapping.dmp
-
memory/2016-21-0x0000000000000000-mapping.dmp
-
memory/2016-20-0x0000000000000000-mapping.dmp
-
memory/2016-19-0x0000000000000000-mapping.dmp
-
memory/2016-18-0x0000000000000000-mapping.dmp
-
memory/2228-23-0x0000000000000000-mapping.dmp
-
memory/2228-16-0x0000000000000000-mapping.dmp
-
memory/2752-6-0x0000000000000000-mapping.dmp
-
memory/2752-11-0x0000000000000000-mapping.dmp
-
memory/2752-10-0x0000000000000000-mapping.dmp
-
memory/2752-8-0x0000000000000000-mapping.dmp
-
memory/2752-9-0x0000000000000000-mapping.dmp
-
memory/2752-7-0x0000000000000000-mapping.dmp
-
memory/2752-1-0x0000000000000000-mapping.dmp
-
memory/3384-13-0x00000000058C0000-0x00000000058C1000-memory.dmpFilesize
4KB
-
memory/3384-12-0x00000000054C0000-0x00000000054C1000-memory.dmpFilesize
4KB
-
memory/3384-5-0x0000000004D90000-0x0000000004D91000-memory.dmpFilesize
4KB
-
memory/3508-14-0x0000000000700000-0x0000000000853000-memory.dmpFilesize
1.3MB
-
memory/3508-2-0x0000000000000000-mapping.dmp