Analysis

max time kernel: 58s
max time network: 100s
platform: windows7_x64
resource: win7
submitted: 28-06-2020 23:58

Static task: static1

Behavioral task: behavioral1
  Sample: Doc_43795379326436.exe
  Resource: win7 (windows7_x64)
  0 signatures, 0 seconds

Behavioral task: behavioral2
  Sample: Doc_43795379326436.exe
  Resource: win10v200430 (windows10_x64)
  0 signatures, 0 seconds
General

Target: Doc_43795379326436.exe
Size: 327KB
MD5: 24e5934191f08a725c5005adaf753d11
SHA1: 21bb5c17690bb277422d855619f0ca7f20182019
SHA256: c95ca2828f96e70328cd9ac4dfddad25fb0dcddc2e265200401ce10eecf3c2a4
SHA512: b8592b9d07d10081f77acfb767d3f7c183a9ab7409d7b9266999e149ad41b83035e76240dcf6de1ab28df7418a57816e05f50614f27ac27238666b56c303278c
Score: 10/10
Malware Config
Signatures

WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.

Warzone RAT Payload (10 IoCs)
resource | yara_rule
behavioral1/memory/380-3-0x0000000000400000-0x0000000000554000-memory.dmp | warzonerat
behavioral1/memory/380-4-0x0000000000405A3D-mapping.dmp | warzonerat
behavioral1/memory/380-5-0x0000000000400000-0x0000000000554000-memory.dmp | warzonerat
behavioral1/files/0x00050000000131c7-7.dat | warzonerat
behavioral1/files/0x00050000000131c7-9.dat | warzonerat
behavioral1/files/0x00050000000131c7-10.dat | warzonerat
behavioral1/memory/1576-18-0x0000000000405A3D-mapping.dmp | warzonerat
behavioral1/files/0x00050000000131c7-19.dat | warzonerat
behavioral1/memory/1576-20-0x0000000000400000-0x0000000000554000-memory.dmp | warzonerat
behavioral1/memory/1628-27-0x0000000000000000-mapping.dmp | warzonerat

Executes dropped EXE (2 IoCs)
pid | Process
1504 | images.exe
1576 | images.exe

Drops startup file (2 IoCs)
description | ioc | Process
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\programs.bat | Doc_43795379326436.exe
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\programs.bat:start | Doc_43795379326436.exe

Loads dropped DLL (7 IoCs)
pid | Process
380 | Doc_43795379326436.exe
1576 | images.exe
1576 | images.exe
1576 | images.exe
1576 | images.exe
1576 | images.exe
1576 | images.exe

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Adds Run key to start application (2 TTPs, 1 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Images = "C:\\ProgramData\\images.exe" | Doc_43795379326436.exe

JavaScript code in executable (1 IoCs)
resource | yara_rule
behavioral1/files/0x00030000000131d7-44.dat | js

Suspicious use of SetThreadContext (2 IoCs)
description | pid | Process | procid_target
PID 1484 set thread context of 380 | 1484 | Doc_43795379326436.exe | 24
PID 1504 set thread context of 1576 | 1504 | images.exe | 28

NTFS ADS (1 IoCs)
description | ioc | Process
File created | C:\ProgramData:ApplicationData | Doc_43795379326436.exe

Suspicious behavior: EnumeratesProcesses (10 IoCs)
pid | Process
1484 | Doc_43795379326436.exe
1484 | Doc_43795379326436.exe
1484 | Doc_43795379326436.exe
1504 | images.exe
1088 | powershell.exe
1088 | powershell.exe
1504 | images.exe
1504 | images.exe
1596 | powershell.exe
1596 | powershell.exe

Suspicious use of AdjustPrivilegeToken (4 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 1484 | Doc_43795379326436.exe
Token: SeDebugPrivilege | 1504 | images.exe
Token: SeDebugPrivilege | 1088 | powershell.exe
Token: SeDebugPrivilege | 1596 | powershell.exe

Suspicious use of SetWindowsHookEx (1 IoCs)
pid | Process
1576 | images.exe

Suspicious use of WriteProcessMemory (42 IoCs)
description | pid | Process | procid_target | occurrences
PID 1484 wrote to memory of 380 | 1484 | Doc_43795379326436.exe | 24 | 12
PID 380 wrote to memory of 1088 | 380 | Doc_43795379326436.exe | 25 | 4
PID 380 wrote to memory of 1504 | 380 | Doc_43795379326436.exe | 27 | 4
PID 1504 wrote to memory of 1576 | 1504 | images.exe | 28 | 12
PID 1576 wrote to memory of 1596 | 1576 | images.exe | 29 | 4
PID 1576 wrote to memory of 1628 | 1576 | images.exe | 30 | 6

Processes

C:\Users\Admin\AppData\Local\Temp\Doc_43795379326436.exe (PID: 1484)
  command line: "C:\Users\Admin\AppData\Local\Temp\Doc_43795379326436.exe"
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\Doc_43795379326436.exe (PID: 380)
    command line: "C:\Users\Admin\AppData\Local\Temp\Doc_43795379326436.exe"
    - Drops startup file
    - Loads dropped DLL
    - Adds Run key to start application
    - NTFS ADS
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID: 1088)
      command line: powershell Add-MpPreference -ExclusionPath C:\
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

    C:\ProgramData\images.exe (PID: 1504)
      command line: "C:\ProgramData\images.exe"
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory

      C:\ProgramData\images.exe (PID: 1576)
        command line: "C:\ProgramData\images.exe"
        - Executes dropped EXE
        - Loads dropped DLL
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID: 1596)
          command line: powershell Add-MpPreference -ExclusionPath C:\
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken

        C:\Windows\SysWOW64\cmd.exe (PID: 1628)
          command line: "C:\Windows\System32\cmd.exe"