Analysis
- max time kernel: 126s
- max time network: 151s
- platform: windows10_x64
- resource: win10v20201028
- submitted: 12-01-2021 06:19
Static task: static1
Behavioral task: behavioral1
  Sample: Invoice.exe
  Resource: win7v20201028
Behavioral task: behavioral2
  Sample: Invoice.exe
  Resource: win10v20201028
General
- Target: Invoice.exe
- Size: 1.0MB
- MD5: cb811a9a8764bc084413ae02590b7ac5
- SHA1: 00469c7c7cf8b1e6d68dcc045acc497ea5c1b6c3
- SHA256: 0558ff6208fe5bfa8bc488efaf0138cddeca218dcc915325ff50d65705093f83
- SHA512: 0df28c7994a5b8b1445cb2d2ceeae7f3bac4943f1e1f2684eb808fa7c6d368e4dce9a7ccc3d071f9addd59cb56c6ec9107ad86905a89c163b711710a710971fa
Malware Config
Extracted
warzonerat
maxlogs.webhop.me:1619
Signatures
-
WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
-
Warzone RAT Payload 3 IoCs
Processes:
resource | yara_rule
behavioral2/memory/4300-4-0x0000000000400000-0x0000000000554000-memory.dmp | warzonerat
behavioral2/memory/4300-5-0x0000000000405CE2-mapping.dmp | warzonerat
behavioral2/memory/4300-6-0x0000000000400000-0x0000000000554000-memory.dmp | warzonerat
-
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
RegSvcs.exe
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Images = "C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\RegSvcs.exe" | RegSvcs.exe
-
Suspicious use of SetThreadContext 1 IoCs
Processes:
Invoice.exe
description | pid | process | target process
PID 4732 set thread context of 4300 | 4732 | Invoice.exe | RegSvcs.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 1 IoCs
Processes:
WerFault.exe
pid | pid_target | process | target process
4456 | 4300 | WerFault.exe | RegSvcs.exe
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 15 IoCs
Processes:
Invoice.exe, WerFault.exe
pid | process
4732 | Invoice.exe
4456 | WerFault.exe (14 identical entries)
-
Suspicious use of AdjustPrivilegeToken 4 IoCs
Processes:
Invoice.exe, WerFault.exe
description | pid | process
Token: SeDebugPrivilege | 4732 | Invoice.exe
Token: SeRestorePrivilege | 4456 | WerFault.exe
Token: SeBackupPrivilege | 4456 | WerFault.exe
Token: SeDebugPrivilege | 4456 | WerFault.exe
-
Suspicious use of SetWindowsHookEx 2 IoCs
Processes:
RegSvcs.exe
pid | process
4300 | RegSvcs.exe (2 identical entries)
-
Suspicious use of WriteProcessMemory 14 IoCs
Processes:
Invoice.exe
description | pid | process | target process
PID 4732 wrote to memory of 3240 | 4732 | Invoice.exe | schtasks.exe (3 identical entries)
PID 4732 wrote to memory of 4300 | 4732 | Invoice.exe | RegSvcs.exe (11 identical entries)
Processes
- C:\Users\Admin\AppData\Local\Temp\Invoice.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\Invoice.exe"
  PID: 4732
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  Child processes:
  - C:\Windows\SysWOW64\schtasks.exe
    Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\iwhNTPQY" /XML "C:\Users\Admin\AppData\Local\Temp\tmp106C.tmp"
    PID: 3240
    - Creates scheduled task(s)
  - C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
    Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
    PID: 4300
    - Adds Run key to start application
    - Suspicious use of SetWindowsHookEx
    Child processes:
    - C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4300 -s 1472
      PID: 4456
      - Program crash
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\tmp106C.tmp
  MD5: a5e49f30f2afcf0ca6bcaade79094b2a
  SHA1: 947d0ba7667a63b1a61463451e7738f83f9bcc71
  SHA256: 039e07c47c5aef7b6d8a2cc2be402fd3e2bacee0d8aff6e8c946370a866d0f7b
  SHA512: 6f6b40affc24c3847153505b14f7ca82ab690897207ed6bef015bae36f8fc4a1e4d10855cc743fda59c261c127c7830ef3e5b2e0d220849a12958219b3b4c1cd
- memory/3240-2-0x0000000000000000-mapping.dmp
- memory/4300-4-0x0000000000400000-0x0000000000554000-memory.dmp
  Filesize: 1.3MB
- memory/4300-5-0x0000000000405CE2-mapping.dmp
- memory/4300-6-0x0000000000400000-0x0000000000554000-memory.dmp
  Filesize: 1.3MB
- memory/4456-7-0x0000000004350000-0x0000000004351000-memory.dmp
  Filesize: 4KB