Analysis
-
max time kernel
140s
-
max time network
148s
-
platform
windows7_x64
-
resource
win7v20201028
-
submitted
18-01-2021 09:08
Static task
static1
Behavioral task
behavioral1
Sample
PO#11-17012021,pdf.exe
Resource
win7v20201028
Behavioral task
behavioral2
Sample
PO#11-17012021,pdf.exe
Resource
win10v20201028
General
-
Target
PO#11-17012021,pdf.exe
-
Size
317KB
-
MD5
883f037f8db0d45f1dab5dbd539326d2
-
SHA1
ab9b5572188b37c10eed0b76163667494fb4cc57
-
SHA256
b6d76a6dd8898fcd223678eec6835de53da6b2af1fc84c90dc502082eb6d8729
-
SHA512
5336c34028c972118fe8f20ae6beee20ec92c5413450abfdef0a3033edb026ed714ed8bc19772440bc4184ec4385165382d5c8a1551abccebf79a2230349749f
Malware Config
Extracted
warzonerat
206.123.129.103:4565
Signatures
-
WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
-
Warzone RAT Payload 1 IoCs
Processes:
resource | yara_rule
behavioral1/memory/1896-8-0x0000000000400000-0x0000000000554000-memory.dmp | warzonerat
-
Suspicious use of SetThreadContext 1 IoCs
Processes:
description | pid | process | target process
PID 2044 set thread context of 1896 | 2044 | PO#11-17012021,pdf.exe | PO#11-17012021,pdf.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: MapViewOfSection 1 IoCs
Processes:
pid | process
2044 | PO#11-17012021,pdf.exe
-
Suspicious use of WriteProcessMemory 13 IoCs
Processes:
description | pid | process | target process
PID 2044 wrote to memory of 488 | 2044 | PO#11-17012021,pdf.exe | cmd.exe
PID 2044 wrote to memory of 488 | 2044 | PO#11-17012021,pdf.exe | cmd.exe
PID 2044 wrote to memory of 488 | 2044 | PO#11-17012021,pdf.exe | cmd.exe
PID 2044 wrote to memory of 488 | 2044 | PO#11-17012021,pdf.exe | cmd.exe
PID 2044 wrote to memory of 1896 | 2044 | PO#11-17012021,pdf.exe | PO#11-17012021,pdf.exe
PID 2044 wrote to memory of 1896 | 2044 | PO#11-17012021,pdf.exe | PO#11-17012021,pdf.exe
PID 2044 wrote to memory of 1896 | 2044 | PO#11-17012021,pdf.exe | PO#11-17012021,pdf.exe
PID 2044 wrote to memory of 1896 | 2044 | PO#11-17012021,pdf.exe | PO#11-17012021,pdf.exe
PID 2044 wrote to memory of 1896 | 2044 | PO#11-17012021,pdf.exe | PO#11-17012021,pdf.exe
PID 488 wrote to memory of 1796 | 488 | cmd.exe | schtasks.exe
PID 488 wrote to memory of 1796 | 488 | cmd.exe | schtasks.exe
PID 488 wrote to memory of 1796 | 488 | cmd.exe | schtasks.exe
PID 488 wrote to memory of 1796 | 488 | cmd.exe | schtasks.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\PO#11-17012021,pdf.exe
"C:\Users\Admin\AppData\Local\Temp\PO#11-17012021,pdf.exe" (level 1)
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
  -
  C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c schtasks /Create /TN name /XML "C:\Users\Admin\AppData\Local\Temp\c27cce5ac8d84c439ec7501fa8096513.xml" (level 2)
  - Suspicious use of WriteProcessMemory
    -
    C:\Windows\SysWOW64\schtasks.exe
    schtasks /Create /TN name /XML "C:\Users\Admin\AppData\Local\Temp\c27cce5ac8d84c439ec7501fa8096513.xml" (level 3)
    - Creates scheduled task(s)
  -
  C:\Users\Admin\AppData\Local\Temp\PO#11-17012021,pdf.exe
  "C:\Users\Admin\AppData\Local\Temp\PO#11-17012021,pdf.exe" (level 2)
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Users\Admin\AppData\Local\Temp\c27cce5ac8d84c439ec7501fa8096513.xml
MD5
a035055e1c80bc652520df45650c690f
SHA1
37b8364ad46e17199eb5a7ee89bb506bba384adb
SHA256
2b9948d34674d0fc0f9cb290da8298441b56205f6e341e3cfa1954df42c2b655
SHA512
678279d1bfc8a71c27a5a2c3afa5fd266882a62610863a3e4ebc2489f17827ed4c680c89e6b8b52621320500294d2df9888259ccdc5d38def43e739c1f325fc1
-
memory/488-3-0x0000000000000000-mapping.dmp
-
memory/1796-6-0x0000000000000000-mapping.dmp
-
memory/1896-4-0x0000000000405CE2-mapping.dmp
-
memory/1896-8-0x0000000000400000-0x0000000000554000-memory.dmp
Filesize
1.3MB
-
memory/2044-2-0x0000000075251000-0x0000000075253000-memory.dmp
Filesize
8KB