Analysis
-
max time kernel
136s -
max time network
146s -
platform
windows10_x64 -
resource
win10v20201028 -
submitted
18-01-2021 09:08
Static task
static1
Behavioral task
behavioral1
Sample
PO#11-17012021,pdf.exe
Resource
win7v20201028
Behavioral task
behavioral2
Sample
PO#11-17012021,pdf.exe
Resource
win10v20201028
General
-
Target
PO#11-17012021,pdf.exe
-
Size
317KB
-
MD5
883f037f8db0d45f1dab5dbd539326d2
-
SHA1
ab9b5572188b37c10eed0b76163667494fb4cc57
-
SHA256
b6d76a6dd8898fcd223678eec6835de53da6b2af1fc84c90dc502082eb6d8729
-
SHA512
5336c34028c972118fe8f20ae6beee20ec92c5413450abfdef0a3033edb026ed714ed8bc19772440bc4184ec4385165382d5c8a1551abccebf79a2230349749f
Malware Config
Extracted
warzonerat
206.123.129.103:4565
Signatures
-
WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
-
Warzone RAT Payload 1 IoCs
Processes:
resource | yara_rule
behavioral2/memory/2768-6-0x0000000000400000-0x0000000000554000-memory.dmp | warzonerat
-
Suspicious use of SetThreadContext 1 IoCs
Processes:
PO#11-17012021,pdf.exe
description | pid | process | target process
PID 3084 set thread context of 2768 | 3084 | PO#11-17012021,pdf.exe | PO#11-17012021,pdf.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: MapViewOfSection 1 IoCs
Processes:
PO#11-17012021,pdf.exe
pid | process
3084 | PO#11-17012021,pdf.exe
-
Suspicious use of WriteProcessMemory 10 IoCs
Processes:
PO#11-17012021,pdf.exe, cmd.exe
description | pid | process | target process
PID 3084 wrote to memory of 2752 | 3084 | PO#11-17012021,pdf.exe | cmd.exe
PID 3084 wrote to memory of 2752 | 3084 | PO#11-17012021,pdf.exe | cmd.exe
PID 3084 wrote to memory of 2752 | 3084 | PO#11-17012021,pdf.exe | cmd.exe
PID 3084 wrote to memory of 2768 | 3084 | PO#11-17012021,pdf.exe | PO#11-17012021,pdf.exe
PID 3084 wrote to memory of 2768 | 3084 | PO#11-17012021,pdf.exe | PO#11-17012021,pdf.exe
PID 3084 wrote to memory of 2768 | 3084 | PO#11-17012021,pdf.exe | PO#11-17012021,pdf.exe
PID 3084 wrote to memory of 2768 | 3084 | PO#11-17012021,pdf.exe | PO#11-17012021,pdf.exe
PID 2752 wrote to memory of 3452 | 2752 | cmd.exe | schtasks.exe
PID 2752 wrote to memory of 3452 | 2752 | cmd.exe | schtasks.exe
PID 2752 wrote to memory of 3452 | 2752 | cmd.exe | schtasks.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\PO#11-17012021,pdf.exe
"C:\Users\Admin\AppData\Local\Temp\PO#11-17012021,pdf.exe" (tree depth 1)
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /Create /TN name /XML "C:\Users\Admin\AppData\Local\Temp\c27cce5ac8d84c439ec7501fa8096513.xml" (tree depth 2)
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exe
schtasks /Create /TN name /XML "C:\Users\Admin\AppData\Local\Temp\c27cce5ac8d84c439ec7501fa8096513.xml" (tree depth 3)
- Creates scheduled task(s)
-
C:\Users\Admin\AppData\Local\Temp\PO#11-17012021,pdf.exe
"C:\Users\Admin\AppData\Local\Temp\PO#11-17012021,pdf.exe" (tree depth 2)
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Users\Admin\AppData\Local\Temp\c27cce5ac8d84c439ec7501fa8096513.xml
MD5
a36564afc14b3eb0849c01a3afdb9944
SHA1
4dcee9fae3fde4e46b08529bc0ba067150686f07
SHA256
9d4342f763c5d62a06f69aa6fdcb1caa376ff2f2c0972f36b487f73b4d221996
SHA512
782082aa36ae056734e90fc079c813dfef59420571a1b70cde4cf15eb6c870f85b2bfe0748ef4db9df3d010c08671bff744d78178ba75bf2ba02b665f044ae89
-
memory/2752-2-0x0000000000000000-mapping.dmp
-
memory/2768-3-0x0000000000405CE2-mapping.dmp
-
memory/2768-6-0x0000000000400000-0x0000000000554000-memory.dmp
Filesize
1.3MB
-
memory/3452-4-0x0000000000000000-mapping.dmp