Analysis
  max time kernel:   94s
  max time network:  149s
  platform:          windows10_x64
  resource:          win10v20210410
  submitted:         07-07-2021 09:25
Static task: static1
Behavioral task: behavioral1
  Sample:   pdf file.exe
  Resource: win7v20210410
Behavioral task: behavioral2
  Sample:   pdf file.exe
  Resource: win10v20210410
General
  Target: pdf file.exe
  Size:   1.1MB
  MD5:    3cbd781f564cf84ffef48e204f447b2d
  SHA1:   62a79b0bde60d2b46ceb204bd127065d64c66d3d
  SHA256: 686f4b4a55d410762e893e7caccfe000ff0b927339a4da65b3076ac932d8b409
  SHA512: 5ae28a6458f9368ce0a5f08b189903171372514b3aeb218a21affd4448d4c4d97e382dd6153e63e1bfbde0d675438544125153f9530f234198a783d6e6d027ac
Malware Config
Extracted
  family: warzonerat
  C2:     185.157.160.215:2211
Signatures
-
WarzoneRat, AveMaria
WarzoneRat (also tracked as AveMaria) is a native RAT written in C++ with multiple plugins, sold as malware-as-a-service (MaaS).
-
Warzone RAT Payload 3 IoCs
  resource                                                                       yara_rule
  behavioral2/memory/3280-128-0x0000000000405CE2-mapping.dmp                     warzonerat
  behavioral2/memory/3280-127-0x0000000000400000-0x0000000000554000-memory.dmp   warzonerat
  behavioral2/memory/3280-129-0x0000000000400000-0x0000000000554000-memory.dmp   warzonerat
All three hits are in PID 3280, the second instance of pdf file.exe, in the 0x400000-0x554000 image region. Together with the WriteProcessMemory and SetThreadContext signatures on the parent (PID 3540) this is consistent with the dropper hollowing a child copy of itself and writing the unpacked Warzone payload into it; the packed file on disk did not trigger the rule.
-
Suspicious use of SetThreadContext 1 IoCs
  description                 pid   process       target pid  target process
  set thread context of 3280  3540  pdf file.exe  3280        pdf file.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). The sandbox's canned description calls this "likely ransomware behaviour", but it is a generic heuristic that many loaders and RATs also trigger (drive enumeration, anti-VM checks); for this WarzoneRat sample it is weak evidence on its own.
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 1 IoCs
  pid   process
  3540  pdf file.exe
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
  description              pid   process
  Token: SeDebugPrivilege  3540  pdf file.exe
-
Suspicious use of WriteProcessMemory 14 IoCs
  description         pid   process       target pid  target process  count
  wrote to memory of  3540  pdf file.exe  1468        schtasks.exe    3
  wrote to memory of  3540  pdf file.exe  3280        pdf file.exe    11
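The three signatures above (WriteProcessMemory, SetThreadContext, and the Warzone yara hits landing in the written-to child) are the classic process-hollowing chain. The following is an added example of how a detection rule would correlate that telemetry; it is not sandbox output. The event records are constructed from the report's PIDs and image paths, and the field names (`type`, `pid`, `ppid`, `target`, `image`) are assumptions about what a Sysmon/EDR feed would provide.

```python
"""Correlate process-create, WriteProcessMemory and SetThreadContext events
into a process-hollowing alert, following the chain in this report:
pdf file.exe (PID 3540) writes into a second copy of itself (PID 3280) and
then changes that process's thread context.  Added example, not sandbox
output; events and field names are constructed/assumed."""
from collections import defaultdict

TEMP_IMAGE = r"C:\Users\Admin\AppData\Local\Temp\pdf file.exe"

# Constructed telemetry, in the order the report lists the signatures.
EVENTS = [
    {"type": "process_create", "pid": 3540, "ppid": 2000, "image": TEMP_IMAGE},
    {"type": "process_create", "pid": 1468, "ppid": 3540,
     "image": r"C:\Windows\SysWOW64\schtasks.exe"},
    {"type": "process_create", "pid": 3280, "ppid": 3540, "image": TEMP_IMAGE},
    # Three writes into schtasks.exe with no SetThreadContext afterwards:
    # not enough on their own to call hollowing.
    *([{"type": "write_process_memory", "pid": 3540, "target": 1468}] * 3),
    # Eleven writes into the second pdf file.exe, then the thread-context swap.
    *([{"type": "write_process_memory", "pid": 3540, "target": 3280}] * 11),
    {"type": "set_thread_context", "pid": 3540, "target": 3280},
]


def detect_hollowing(events, min_writes=1):
    """Return one alert per cross-process SetThreadContext that was preceded
    by at least `min_writes` WriteProcessMemory calls from the same source
    into the same target.  Only writes seen *before* the context change are
    counted, which is the order a hollowing loader produces them
    (CreateProcess suspended -> write image -> SetThreadContext -> resume)."""
    procs = {}
    writes = defaultdict(int)
    alerts = []
    for e in events:
        if e["type"] == "process_create":
            procs[e["pid"]] = e
        elif e["type"] == "write_process_memory" and e["pid"] != e["target"]:
            writes[(e["pid"], e["target"])] += 1
        elif e["type"] == "set_thread_context" and e["pid"] != e["target"]:
            src, dst = e["pid"], e["target"]
            n = writes[(src, dst)]
            if n < min_writes:
                continue  # a context change without prior writes is not hollowing
            parent, child = procs.get(src), procs.get(dst)
            alerts.append({
                "source_pid": src,
                "target_pid": dst,
                "write_count": n,
                # Hollowing normally targets a child the source just spawned...
                "target_is_child": child is not None and child["ppid"] == src,
                # ...and here the child is a second copy of the same binary.
                "same_image": (parent is not None and child is not None
                               and parent["image"].lower() == child["image"].lower()),
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_hollowing(EVENTS):
        print(alert)
```

Run against the constructed feed this yields exactly one alert, for 3540 -> 3280 with 11 writes, and nothing for the schtasks.exe child: the writes into it are not followed by a thread-context change, which is what keeps ordinary child-process creation out of the alert set.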
Processes
  1. "C:\Users\Admin\AppData\Local\Temp\pdf file.exe"   PID 3540
       - Suspicious use of SetThreadContext
       - Suspicious behavior: EnumeratesProcesses
       - Suspicious use of AdjustPrivilegeToken
       - Suspicious use of WriteProcessMemory
     2. C:\Windows\SysWOW64\schtasks.exe   PID 1468
        command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ZsTxZSAorIA" /XML "C:\Users\Admin\AppData\Local\Temp\tmpC351.tmp"
          - Creates scheduled task(s)
     2. "C:\Users\Admin\AppData\Local\Temp\pdf file.exe"   PID 3280
        (no signatures of its own in the tree; all three Warzone RAT yara hits are in this process's memory)
Note on the schtasks.exe entry: the command line names System32 but the image ran from SysWOW64. The WOW64 file system redirector maps System32 to SysWOW64 for 32-bit callers, so the parent dropper is a 32-bit binary. The task is imported from a temporary XML file (tmpC351.tmp) under a generic-looking "Updates" folder; the XML in %TEMP% is disposable, but once the task is registered its definition persists under C:\Windows\System32\Tasks\Updates\ZsTxZSAorIA and in the Task Scheduler's TaskCache registry tree.
Network
MITRE ATT&CK Enterprise v6
Downloads
  MD5:    60280c8412cd707d9bce0cf7dcf80f1c
  SHA1:   078cf2320b2f6fee49aa43ec59e1cfc87a15f07d
  SHA256: bfb21b1ea4c760f8e954fefb8a275b9e2cc30847197643c8dbe82d12d8af1776
  SHA512: f440260e9967546ed1a8dfc58bf91f43fa829d99b761d947c2557f7d2349e48d46b4094b4864ab73f9c46598e5c17a427753acefd4c1f1e6602912aa5bc106e4