Analysis
- max time kernel: 151s
- max time network: 149s
- platform: windows7_x64
- resource: win7v20201028
- submitted: 05-12-2020 16:10

Static task: static1

Behavioral task: behavioral1
- Sample: SecuriteInfo.com.Trojan.PWS.Maria.4.28965.20352.exe
- Resource: win7v20201028

Behavioral task: behavioral2
- Sample: SecuriteInfo.com.Trojan.PWS.Maria.4.28965.20352.exe
- Resource: win10v20201028

General
- Target: SecuriteInfo.com.Trojan.PWS.Maria.4.28965.20352.exe
- Size: 652KB
- MD5: 85063571eccad2a81103ea6603ba1e08
- SHA1: c762c1e085a489b21c125e75e21683cd86e138c9
- SHA256: f5068e95e11b906cf33949376159ed87e03eb29e774029e84b8151c76d69ccf4
- SHA512: 8a271d14190d2bf5cb9d4a62830b750b64954a9ed5d5ac803dca2ce9e9b38b6a69fd61518e0271dfbddeb20de383d686f6b0d9cfdf26be7ed394b244e41ca12f
Malware Config

Extracted: warzonerat
- 195.140.214.82:6703

Extracted: xpertrat
- 3.0.10
- special X
- zytriew.duckdns.org:4145
- papertyy.duckdns.org:4145
- ghytrty.duckdns.org:4145
- A8O1E003-R4Q1-P8Q3-X4A6-Y2R2V7W0G8T1
Signatures

WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.

XpertRAT Core Payload (3 IoCs)
Processes (resource, yara_rule):
- behavioral1/memory/280-15-0x0000000000400000-0x0000000000443000-memory.dmp: xpertrat
- behavioral1/memory/280-16-0x0000000000401364-mapping.dmp: xpertrat
- behavioral1/memory/280-17-0x0000000000400000-0x0000000000443000-memory.dmp: xpertrat

Warzone RAT Payload (1 IoC)
Processes (resource, yara_rule):
- behavioral1/memory/932-2-0x0000000002AA0000-0x0000000002BF4000-memory.dmp: warzonerat
Adds policy Run key to start application (2 TTPs, 2 IoCs)
Processes (description, ioc, process):
- Key created: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run (iexplore.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run\A8O1E003-R4Q1-P8Q3-X4A6-Y2R2V7W0G8T1 = "C:\\Users\\Admin\\AppData\\Roaming\\A8O1E003-R4Q1-P8Q3-X4A6-Y2R2V7W0G8T1\\A8O1E003-R4Q1-P8Q3-X4A6-Y2R2V7W0G8T1.exe" (iexplore.exe)
Downloads MZ/PE file

Executes dropped EXE (1 IoC)
Processes (pid, process):
- 2024 fmGfizuAc.exe

Sets DLL path for service in the registry (2 TTPs)

Loads dropped DLL (11 IoCs)
Processes (pid, process):
- 932 SecuriteInfo.com.Trojan.PWS.Maria.4.28965.20352.exe
- 2024 fmGfizuAc.exe (3 identical events)
- 672 (process name missing in the report)
- 932 SecuriteInfo.com.Trojan.PWS.Maria.4.28965.20352.exe (6 identical events)
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Windows security modification (heading missing from the extracted report; taken from the process tree below)
Processes (description, ioc, process):
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UACDisableNotify = "0" (fmGfizuAc.exe)
Adds Run key to start application (2 TTPs, 4 IoCs)
Processes (description, ioc, process):
- Key created: \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run (iexplore.exe)
- Set value (str): \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run\A8O1E003-R4Q1-P8Q3-X4A6-Y2R2V7W0G8T1 = "C:\\Users\\Admin\\AppData\\Roaming\\A8O1E003-R4Q1-P8Q3-X4A6-Y2R2V7W0G8T1\\A8O1E003-R4Q1-P8Q3-X4A6-Y2R2V7W0G8T1.exe" (iexplore.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run (iexplore.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\A8O1E003-R4Q1-P8Q3-X4A6-Y2R2V7W0G8T1 = "C:\\Users\\Admin\\AppData\\Roaming\\A8O1E003-R4Q1-P8Q3-X4A6-Y2R2V7W0G8T1\\A8O1E003-R4Q1-P8Q3-X4A6-Y2R2V7W0G8T1.exe" (iexplore.exe)

Checks whether UAC is enabled (heading missing from the extracted report; taken from the process tree below)
Processes (description, ioc, process):
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" (fmGfizuAc.exe)
Modifies WinLogon (2 TTPs, 4 IoCs)
Processes (description, ioc, process):
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList\Jjbyi.m = "0" (SecuriteInfo.com.Trojan.PWS.Maria.4.28965.20352.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\AllowMultipleTSSessions = "1" (SecuriteInfo.com.Trojan.PWS.Maria.4.28965.20352.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList (SecuriteInfo.com.Trojan.PWS.Maria.4.28965.20352.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts (SecuriteInfo.com.Trojan.PWS.Maria.4.28965.20352.exe)

Drops file in System32 directory (1 IoC)
Processes (description, ioc, process):
- File created: C:\Windows\System32\rfxvmt.dll (SecuriteInfo.com.Trojan.PWS.Maria.4.28965.20352.exe)
Suspicious use of SetThreadContext (2 IoCs)
Processes (description, pid, process, target process):
- PID 2024 set thread context of 1116: fmGfizuAc.exe -> iexplore.exe
- PID 2024 set thread context of 280: fmGfizuAc.exe -> iexplore.exe

Drops file in Program Files directory (2 IoCs)
Processes (description, ioc, process):
- File created: C:\Program Files\Microsoft DN1\sqlmap.dll (SecuriteInfo.com.Trojan.PWS.Maria.4.28965.20352.exe)
- File created: C:\Program Files\Microsoft DN1\rdpwrap.ini (SecuriteInfo.com.Trojan.PWS.Maria.4.28965.20352.exe)
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Suspicious behavior: EnumeratesProcesses (6 IoCs)
Processes (pid, process):
- 2024 fmGfizuAc.exe (6 identical events)

Suspicious behavior: LoadsDriver (4 IoCs)
Processes (pid, process):
- 672 (4 identical events; process name missing in the report)

Suspicious use of AdjustPrivilegeToken (2 IoCs)
Processes (description, pid, process):
- Token: SeDebugPrivilege, 280 iexplore.exe
- Token: SeDebugPrivilege, 932 SecuriteInfo.com.Trojan.PWS.Maria.4.28965.20352.exe

Suspicious use of SetWindowsHookEx (2 IoCs)
Processes (pid, process):
- 2024 fmGfizuAc.exe
- 280 iexplore.exe

Suspicious use of WriteProcessMemory (31 IoCs)
Processes (description, pid, process, target process):
- PID 932 wrote to memory of 2024: SecuriteInfo.com.Trojan.PWS.Maria.4.28965.20352.exe -> fmGfizuAc.exe (7 identical events)
- PID 2024 wrote to memory of 1116: fmGfizuAc.exe -> iexplore.exe (12 identical events)
- PID 2024 wrote to memory of 280: fmGfizuAc.exe -> iexplore.exe (12 identical events)

System policy modification (1 TTP, 1 IoC)
Processes (description, ioc, process):
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" (fmGfizuAc.exe)
Processes

[depth 1] C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.PWS.Maria.4.28965.20352.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.PWS.Maria.4.28965.20352.exe"
  - Loads dropped DLL
  - Modifies WinLogon
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  [depth 2] C:\Users\Admin\AppData\Roaming\fmGfizuAc.exe
    Command line: "C:\Users\Admin\AppData\Roaming\fmGfizuAc.exe"
    - Executes dropped EXE
    - Loads dropped DLL
    - Windows security modification
    - Checks whether UAC is enabled
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - System policy modification

    [depth 3] C:\Program Files (x86)\Internet Explorer\iexplore.exe
      Command line: C:\Users\Admin\AppData\Roaming\fmGfizuAc.exe

    [depth 3] C:\Program Files (x86)\Internet Explorer\iexplore.exe
      Command line: C:\Users\Admin\AppData\Roaming\fmGfizuAc.exe
      - Adds policy Run key to start application
      - Adds Run key to start application
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads

- C:\Users\Admin\AppData\Roaming\fmGfizuAc.exe
  MD5: 2e6f05e8245b62297355f070a6f966df
  SHA1: 7461222b5d34eb2328c7d50a75956f9dc78c32a3
  SHA256: f5c1bcee04671046761d44546a3e4a413049a42cd9067caa25e7640ab5867178
  SHA512: 44302f90666acbaaedc8c4a8481cc2fdc82da786514683d5c5664f5b6eda7ee4e415e2c4155b1e92f7d93d82ddd60d6f652e35332b5ce50eba84897c5202a899
- \Program Files\Microsoft DN1\sqlmap.dll
  MD5: 461ade40b800ae80a40985594e1ac236
  SHA1: b3892eef846c044a2b0785d54a432b3e93a968c8
  SHA256: 798af20db39280f90a1d35f2ac2c1d62124d1f5218a2a0fa29d87a13340bd3e4
  SHA512: 421f9060c4b61fa6f4074508602a2639209032fd5df5bfc702a159e3bad5479684ccb3f6e02f3e38fb8db53839cf3f41fe58a3acad6ec1199a48dc333b2d8a26

- \Users\Admin\AppData\Roaming\fmGfizuAc.exe
  MD5: 2e6f05e8245b62297355f070a6f966df
  SHA1: 7461222b5d34eb2328c7d50a75956f9dc78c32a3
  SHA256: f5c1bcee04671046761d44546a3e4a413049a42cd9067caa25e7640ab5867178
  SHA512: 44302f90666acbaaedc8c4a8481cc2fdc82da786514683d5c5664f5b6eda7ee4e415e2c4155b1e92f7d93d82ddd60d6f652e35332b5ce50eba84897c5202a899
- memory/280-15-0x0000000000400000-0x0000000000443000-memory.dmp (268KB)
- memory/280-16-0x0000000000401364-mapping.dmp
- memory/280-17-0x0000000000400000-0x0000000000443000-memory.dmp (268KB)
- memory/432-3-0x000007FEF7800000-0x000007FEF7A7A000-memory.dmp (2.5MB)
- memory/672-22-0x000007FEF7800000-0x000007FEF7A7A000-memory.dmp (2.5MB)
- memory/932-2-0x0000000002AA0000-0x0000000002BF4000-memory.dmp (1.3MB)
- memory/1116-14-0x0000000000401364-mapping.dmp
- memory/2024-5-0x0000000000000000-mapping.dmp
- memory/2024-21-0x00000000028B0000-0x00000000028B4000-memory.dmp (16KB)
- memory/2024-20-0x0000000000380000-0x0000000000384000-memory.dmp (16KB)