Analysis
- max time kernel: 77s
- max time network: 141s
- platform: windows10_x64
- resource: win10v20201028
- submitted: 19-01-2021 11:15

Tasks
- Static task: static1
- Behavioral task: behavioral1
  Sample: Symptomaticshon5.exe
  Resource: win7v20201028
- Behavioral task: behavioral2
  Sample: Symptomaticshon5.exe
  Resource: win10v20201028
General
- Target: Symptomaticshon5.exe
- Size: 108KB
- MD5: 09b6c8f169567f8557b2d96d9f6d3644
- SHA1: f37977654300daf97df6eea1235bac7ac706cc11
- SHA256: b6c1e3eff87deab0b2b41040d22f74c3d824bffbd161f7248f51f3640ac7b590
- SHA512: 478839f9f93a4abb2d0e8e1c62f58c07839780631f1cdd8b288493967cdecf6e354603ad784f92e8b82425cb4868accdabb37f78cc6ea47d89ac5c1090fce5fa
Malware Config
Extracted
- Family: warzonerat
- C2 address: 185.239.242.145:4442
Signatures

- WarzoneRat, AveMaria
  WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.

- Warzone RAT Payload (2 IoCs)
  resource                                                                      yara_rule
  behavioral2/memory/2620-8-0x0000000000400000-0x000000000041D000-memory.dmp    warzonerat
  behavioral2/memory/2100-39-0x0000000000400000-0x000000000041D000-memory.dmp   warzonerat

- Executes dropped EXE (1 IoC)
  pid    process
  2844   rundll.exe

- Loads dropped DLL (1 IoC)
  pid    process
  2100   rundll.exe

- Adds Run key to start application (2 TTPs, 4 IoCs)
  description        ioc                                                                                                                                                        process
  Key created        \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce                                             Symptomaticshon5.exe
  Set value (str)    \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\SENGEHES = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Ydretslletspiru7\\Outsingi7.vbs"    Symptomaticshon5.exe
  Key created        \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce                                             rundll.exe
  Set value (str)    \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\SENGEHES = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Ydretslletspiru7\\Outsingi7.vbs"    rundll.exe

- Legitimate hosting services abused for malware hosting/C2 (1 TTP)

- Suspicious use of NtSetInformationThreadHideFromDebugger (6 IoCs)
  pid    process
  648    Symptomaticshon5.exe
  2620   Symptomaticshon5.exe
  2620   Symptomaticshon5.exe
  2844   rundll.exe
  2100   rundll.exe
  2100   rundll.exe

- Suspicious use of SetThreadContext (2 IoCs)
  description                           pid    process                 target process
  PID 648 set thread context of 2620    648    Symptomaticshon5.exe    Symptomaticshon5.exe
  PID 2844 set thread context of 2100   2844   rundll.exe              rundll.exe

- Suspicious behavior: MapViewOfSection (2 IoCs)
  pid    process
  648    Symptomaticshon5.exe
  2844   rundll.exe

- Suspicious use of SetWindowsHookEx (2 IoCs)
  pid    process
  648    Symptomaticshon5.exe
  2844   rundll.exe

- Suspicious use of WriteProcessMemory (16 IoCs)
  description                        pid    process                 target process
  PID 648 wrote to memory of 2620    648    Symptomaticshon5.exe    Symptomaticshon5.exe
  PID 648 wrote to memory of 2620    648    Symptomaticshon5.exe    Symptomaticshon5.exe
  PID 648 wrote to memory of 2620    648    Symptomaticshon5.exe    Symptomaticshon5.exe
  PID 648 wrote to memory of 2620    648    Symptomaticshon5.exe    Symptomaticshon5.exe
  PID 2620 wrote to memory of 2844   2620   Symptomaticshon5.exe    rundll.exe
  PID 2620 wrote to memory of 2844   2620   Symptomaticshon5.exe    rundll.exe
  PID 2620 wrote to memory of 2844   2620   Symptomaticshon5.exe    rundll.exe
  PID 2844 wrote to memory of 2100   2844   rundll.exe              rundll.exe
  PID 2844 wrote to memory of 2100   2844   rundll.exe              rundll.exe
  PID 2844 wrote to memory of 2100   2844   rundll.exe              rundll.exe
  PID 2844 wrote to memory of 2100   2844   rundll.exe              rundll.exe
  PID 2100 wrote to memory of 2280   2100   rundll.exe              cmd.exe
  PID 2100 wrote to memory of 2280   2100   rundll.exe              cmd.exe
  PID 2100 wrote to memory of 2280   2100   rundll.exe              cmd.exe
  PID 2100 wrote to memory of 2280   2100   rundll.exe              cmd.exe
  PID 2100 wrote to memory of 2280   2100   rundll.exe              cmd.exe
Processes
(one process per entry; each indentation level is a child of the process above it)

C:\Users\Admin\AppData\Local\Temp\Symptomaticshon5.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\Symptomaticshon5.exe"
  - Adds Run key to start application
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of SetThreadContext
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\Symptomaticshon5.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\Symptomaticshon5.exe"
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious use of WriteProcessMemory

    C:\ProgramData\rundll.exe
      Command line: "C:\ProgramData\rundll.exe"
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      - Suspicious use of SetThreadContext
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory

      C:\ProgramData\rundll.exe
        Command line: "C:\ProgramData\rundll.exe"
        - Loads dropped DLL
        - Suspicious use of NtSetInformationThreadHideFromDebugger
        - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\cmd.exe
          Command line: "C:\Windows\System32\cmd.exe"
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads

- C:\ProgramData\rundll.exe
  MD5: 09b6c8f169567f8557b2d96d9f6d3644
  SHA1: f37977654300daf97df6eea1235bac7ac706cc11
  SHA256: b6c1e3eff87deab0b2b41040d22f74c3d824bffbd161f7248f51f3640ac7b590
  SHA512: 478839f9f93a4abb2d0e8e1c62f58c07839780631f1cdd8b288493967cdecf6e354603ad784f92e8b82425cb4868accdabb37f78cc6ea47d89ac5c1090fce5fa
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\1E698CCB2C296D265AC1A253974E09FD_507D8E76B9B181409C8E098B073B8415
  MD5: 6ebbb510377546e225f6685aaff2c218
  SHA1: 00f53a4aac745b22f226e0d7a23c264deed39dfc
  SHA256: 1d417324ee61821e9cf65cf397c541d67937e5b34fc476be67413c2fd9c0e935
  SHA512: 1b1041662485832706fec350eb882500d6bc4221e756cc6095edcc569787552c8dfb845f28eec7527bd3b3e1b61d4f4e9c686b94a690e1cd0673b437a1c17051

- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6BADA8974A10C4BD62CC921D13E43B18_EE9DB89C3D6A328B5FEAFF0ED3C77874
  MD5: 3ffa5aba7f7f77909ad0659b5ae79c59
  SHA1: 4d66b8b58982c28a5e6fff022435c6d7c1eccc1f
  SHA256: 2fac2cf4fb7a432fa30ee0f22e38bc8bc0881576bb6162afdb871f1cee898256
  SHA512: 8a76f1c1a480079628710537684ceac8505e693e05c8b317ca9f22ffd2cee98caa32b62a6c84d3b6ed7b10e97a71ff9065037a2d034f602c2a2384d7a1eeaa1e

- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\EDC238BFF48A31D55A97E1E93892934B_C31B2498754E340573F1336DE607D619
  MD5: 4daa63f1e1d59ae80936bd76cf9fa744
  SHA1: 0173e19a900bc4e8493514f47944241796740387
  SHA256: c122ecc975b6c44ed6db67ec276e1c55f55aa8ce31e381d044c41ee8278eca27
  SHA512: f2f738ac635a5392a54b47fd5993b763429c783336692b65251f783384e858b34b3279cbe4ec4b0c75e3285e22b24ce32fbcd234b2fca6904dab7248ff4e7513

- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\1E698CCB2C296D265AC1A253974E09FD_507D8E76B9B181409C8E098B073B8415
  MD5: fe6913b586ef0fb7ed9f0b2071d22b2d
  SHA1: e6697f3afd4f66edf333f881c231c0e99e67a2eb
  SHA256: 7251f780a5078f0aef0224f1e56b88b85e5b3f406e690d72ed43cab95e490c68
  SHA512: 1f7817be6f8b61d4ccefcf232aed7104445bd856fcbff7af79f94db1692bae6fe82557ed4eeb143087df52f25b6d99dd40313f2cbc27b9f39fe4bdfa87bfe05f

- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6BADA8974A10C4BD62CC921D13E43B18_EE9DB89C3D6A328B5FEAFF0ED3C77874
  MD5: 9fc3fd3b6b2a7072ceccca835168eb05
  SHA1: 5ecb718d2a34f7abbf85fd40d15a93e0e1cc28f6
  SHA256: 449821953c454230601e765ae02d48c2fb36f338af600a9f030319f86abec026
  SHA512: 74a3ffdb0f37829628b7a57348f81c8c69e68f6370219fe1fc6fd950063d95a331a1f061b555fd43ccb18da3a9dfeaeae3f65aafe4dce6f1a3e940c19c94226e

- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\EDC238BFF48A31D55A97E1E93892934B_C31B2498754E340573F1336DE607D619
  MD5: 115b69d23bd0057e00d1c5b722a2eebf
  SHA1: 1262c1b6a662b3aa54f840e4e4e069ced216b486
  SHA256: 54617716b7d63abb3b3ed8607ef192e80642dca41e4fd63c728c1599055f6fc6
  SHA512: 6d8da0a763f64296a56afcb8826140a19a5a68892d66165fc378848859a71135563e8b82e0ba794979fe4969e861ed719be6c44bd90945c6b789a101ff6d28ca

- C:\Users\Admin\AppData\Local\Temp\Ydretslletspiru7\Outsingi7.exe
  MD5: 09b6c8f169567f8557b2d96d9f6d3644
  SHA1: f37977654300daf97df6eea1235bac7ac706cc11
  SHA256: b6c1e3eff87deab0b2b41040d22f74c3d824bffbd161f7248f51f3640ac7b590
  SHA512: 478839f9f93a4abb2d0e8e1c62f58c07839780631f1cdd8b288493967cdecf6e354603ad784f92e8b82425cb4868accdabb37f78cc6ea47d89ac5c1090fce5fa

- C:\Users\Admin\AppData\Local\Temp\Ydretslletspiru7\Outsingi7.vbs
  MD5: c814e9cd20864913ac2aba6eda254b80
  SHA1: 0e5ad1325bf6890548850b51faa6f99a618fa8ae
  SHA256: 94a6f90b3880c06ce3de5d782e722b1006c167138e94a50ba75b97aeeb27d167
  SHA512: dd1acb2d6bc34da5df7bfc086c95b787ca681c11c259b022638ff9c023029bc78958b4e4e0e59e5dabb02cde2a435658b50b958bbe91c19cd9e64638df681c0e

Memory dumps
- memory/648-4-0x0000000002240000-0x000000000224E000-memory.dmp (Filesize: 56KB)
- memory/2100-27-0x000000000040117C-mapping.dmp
- memory/2100-39-0x0000000000400000-0x000000000041D000-memory.dmp (Filesize: 116KB)
- memory/2100-30-0x0000000000560000-0x0000000000660000-memory.dmp (Filesize: 1024KB)
- memory/2100-54-0x0000000000406000-0x0000000000407000-memory.dmp (Filesize: 4KB)
- memory/2280-43-0x0000000000000000-mapping.dmp
- memory/2280-53-0x0000000002FE0000-0x0000000002FE1000-memory.dmp (Filesize: 4KB)
- memory/2620-15-0x0000000000401000-0x0000000000402000-memory.dmp (Filesize: 4KB)
- memory/2620-17-0x000000000040D000-0x000000000040E000-memory.dmp (Filesize: 4KB)
- memory/2620-25-0x0000000000404000-0x0000000000405000-memory.dmp (Filesize: 4KB)
- memory/2620-24-0x000000000040C000-0x000000000040D000-memory.dmp (Filesize: 4KB)
- memory/2620-23-0x000000000040E000-0x000000000040F000-memory.dmp (Filesize: 4KB)
- memory/2620-22-0x0000000000408000-0x0000000000409000-memory.dmp (Filesize: 4KB)
- memory/2620-21-0x000000000040B000-0x000000000040C000-memory.dmp (Filesize: 4KB)
- memory/2620-19-0x0000000000402000-0x0000000000403000-memory.dmp (Filesize: 4KB)
- memory/2620-18-0x0000000000410000-0x0000000000411000-memory.dmp (Filesize: 4KB)
- memory/2620-20-0x0000000000403000-0x0000000000404000-memory.dmp (Filesize: 4KB)
- memory/2620-16-0x000000000040F000-0x0000000000410000-memory.dmp (Filesize: 4KB)
- memory/2620-14-0x0000000000405000-0x0000000000406000-memory.dmp (Filesize: 4KB)
- memory/2620-5-0x000000000040117C-mapping.dmp
- memory/2620-8-0x0000000000400000-0x000000000041D000-memory.dmp (Filesize: 116KB)
- memory/2620-7-0x0000000000560000-0x0000000000660000-memory.dmp (Filesize: 1024KB)
- memory/2620-6-0x0000000000401000-0x00000000004FD000-memory.dmp (Filesize: 1008KB)
- memory/2844-9-0x0000000000000000-mapping.dmp