Analysis
- max time kernel: 141s
- max time network: 152s
- platform: windows7_x64
- resource: win7v20201028
- submitted: 14-01-2021 05:30

Static task: static1

Behavioral task: behavioral1
- Sample: 3f5c8c35ce923eec70e2e2638bef39ff55866ccf5ceaed62999e5376d598f30b.exe
- Resource: win7v20201028

Behavioral task: behavioral2
- Sample: 3f5c8c35ce923eec70e2e2638bef39ff55866ccf5ceaed62999e5376d598f30b.exe
- Resource: win10v20201028
General
- Target: 3f5c8c35ce923eec70e2e2638bef39ff55866ccf5ceaed62999e5376d598f30b.exe
- Size: 375KB
- MD5: dbfa10be9e078d321c708bcd38bbebf0
- SHA1: 66e50bbf28ce0f776acb439bb218a115e3451738
- SHA256: 3f5c8c35ce923eec70e2e2638bef39ff55866ccf5ceaed62999e5376d598f30b
- SHA512: d9d2df5b3e8ba720f0202447c7ae505db5c65ca702565512cc15b618846d86674b13eb7166881917a9dbaa01cd18b0fd117a47f09ce25474ce2a9f14d26d3144
Malware Config
Signatures

- Modifies WinLogon for persistence (2 TTPs, 2 IoCs)
  Processes: 3f5c8c35ce923eec70e2e2638bef39ff55866ccf5ceaed62999e5376d598f30b.exe, images.exe
    description | ioc | process
    Set value (str) | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "\"C:\\Users\\Admin\\AppData\\Roaming\\Npx75Eq6UJM6EOry\\yguqlBprkJrz.exe\",explorer.exe" | 3f5c8c35ce923eec70e2e2638bef39ff55866ccf5ceaed62999e5376d598f30b.exe
    Set value (str) | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "\"C:\\Users\\Admin\\AppData\\Roaming\\Npx75Eq6UJM6EOry\\swl6zQ5P2Xps.exe\" \"C:\\Users\\Admin\\AppData\\Roaming\\Npx75Eq6UJM6EOry\\yguqlBprkJrz.exe\",explorer.exe" | images.exe

- WarzoneRat, AveMaria
  WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.

- Executes dropped EXE (1 IoCs)
  Processes: images.exe
    pid | process
    1220 | images.exe

- Drops startup file (2 IoCs)
  Processes: 3f5c8c35ce923eec70e2e2638bef39ff55866ccf5ceaed62999e5376d598f30b.exe
    description | ioc | process
    File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\programs.bat | 3f5c8c35ce923eec70e2e2638bef39ff55866ccf5ceaed62999e5376d598f30b.exe
    File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\programs.bat:start | 3f5c8c35ce923eec70e2e2638bef39ff55866ccf5ceaed62999e5376d598f30b.exe

- Loads dropped DLL (1 IoCs)
  Processes: 3f5c8c35ce923eec70e2e2638bef39ff55866ccf5ceaed62999e5376d598f30b.exe
    pid | process
    932 | 3f5c8c35ce923eec70e2e2638bef39ff55866ccf5ceaed62999e5376d598f30b.exe

- Adds Run key to start application (2 TTPs, 1 IoCs)
  Processes: 3f5c8c35ce923eec70e2e2638bef39ff55866ccf5ceaed62999e5376d598f30b.exe
    description | ioc | process
    Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Images = "C:\\ProgramData\\images.exe" | 3f5c8c35ce923eec70e2e2638bef39ff55866ccf5ceaed62999e5376d598f30b.exe

- NTFS ADS (1 IoCs)
  Processes: 3f5c8c35ce923eec70e2e2638bef39ff55866ccf5ceaed62999e5376d598f30b.exe
    description | ioc | process
    File created | C:\ProgramData:ApplicationData | 3f5c8c35ce923eec70e2e2638bef39ff55866ccf5ceaed62999e5376d598f30b.exe

- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes: 3f5c8c35ce923eec70e2e2638bef39ff55866ccf5ceaed62999e5376d598f30b.exe, images.exe
    description | pid | process
    Token: SeDebugPrivilege | 932 | 3f5c8c35ce923eec70e2e2638bef39ff55866ccf5ceaed62999e5376d598f30b.exe
    Token: SeDebugPrivilege | 1220 | images.exe

- Suspicious use of WriteProcessMemory (10 IoCs)
  Processes: 3f5c8c35ce923eec70e2e2638bef39ff55866ccf5ceaed62999e5376d598f30b.exe, images.exe
    description | pid | process | target process
    PID 932 wrote to memory of 1220 | 932 | 3f5c8c35ce923eec70e2e2638bef39ff55866ccf5ceaed62999e5376d598f30b.exe | images.exe
    PID 932 wrote to memory of 1220 | 932 | 3f5c8c35ce923eec70e2e2638bef39ff55866ccf5ceaed62999e5376d598f30b.exe | images.exe
    PID 932 wrote to memory of 1220 | 932 | 3f5c8c35ce923eec70e2e2638bef39ff55866ccf5ceaed62999e5376d598f30b.exe | images.exe
    PID 932 wrote to memory of 1220 | 932 | 3f5c8c35ce923eec70e2e2638bef39ff55866ccf5ceaed62999e5376d598f30b.exe | images.exe
    PID 1220 wrote to memory of 920 | 1220 | images.exe | cmd.exe
    PID 1220 wrote to memory of 920 | 1220 | images.exe | cmd.exe
    PID 1220 wrote to memory of 920 | 1220 | images.exe | cmd.exe
    PID 1220 wrote to memory of 920 | 1220 | images.exe | cmd.exe
    PID 1220 wrote to memory of 920 | 1220 | images.exe | cmd.exe
    PID 1220 wrote to memory of 920 | 1220 | images.exe | cmd.exe
Processes

- C:\Users\Admin\AppData\Local\Temp\3f5c8c35ce923eec70e2e2638bef39ff55866ccf5ceaed62999e5376d598f30b.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\3f5c8c35ce923eec70e2e2638bef39ff55866ccf5ceaed62999e5376d598f30b.exe"
  Signatures:
    - Modifies WinLogon for persistence
    - Drops startup file
    - Loads dropped DLL
    - Adds Run key to start application
    - NTFS ADS
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

  - C:\ProgramData\images.exe
    Command line: "C:\ProgramData\images.exe"
    Signatures:
      - Modifies WinLogon for persistence
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory

    - C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe"
Network
Downloads