Analysis
- max time kernel: 724s
- max time network: 1246s
- platform: windows7_x64
- resource: win7v20210410
- submitted: 13-07-2021 18:46
Static task: static1
Behavioral task: behavioral1
Sample: PO_00130721.xlsx
Resource: win7v20210410
General
- Target: PO_00130721.xlsx
- Size: 674KB
- MD5: a0287f52a42bec7b8756fef7fdb37be5
- SHA1: 788f23cba38a6780a1bb0f26f7eedeebfcdff089
- SHA256: 86cb4f209e01280e5e290d87427a19a09d77e28a42c08f805d2443f17db26706
- SHA512: 9d0afe0e3fd5a01871794fb4b42a7be4e624997dccf980785600c00ada0e762291dee991d66ac6ae9dc82eeb66cf2c57df424d38447d82c8f7aa551ba609baa8
Malware Config
Extracted
- Family: warzonerat
- C2: taker1234.hopto.org:5032
Signatures
-
WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins, sold as malware-as-a-service (MaaS).
-
Warzone RAT Payload 1 IoCs
Processes:
- resource: behavioral1/memory/924-72-0x0000000000400000-0x0000000000554000-memory.dmp, yara_rule: warzonerat
-
Blocklisted process makes network request 1 IoCs
Processes:
- flow 7, PID 316, process EQNEDT32.EXE
-
Downloads MZ/PE file
-
Executes dropped EXE 2 IoCs
Processes:
- PID 1144, process tybghhju.exe
- PID 924, process tybghhju.exe
-
Loads dropped DLL 14 IoCs
Processes:
- PID 316, process EQNEDT32.EXE (1 load)
- PID 1144, process tybghhju.exe (1 load)
- PID 924, process tybghhju.exe (12 loads)
-
Suspicious use of SetThreadContext 1 IoCs
Processes:
- PID 1144 (tybghhju.exe) set thread context of PID 924 (tybghhju.exe)
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
NSIS installer 8 IoCs
Processes:
- resource: \Users\Admin\AppData\Roaming\tybghhju.exe, yara_rule: nsis_installer_1
- resource: \Users\Admin\AppData\Roaming\tybghhju.exe, yara_rule: nsis_installer_2
- resource: C:\Users\Admin\AppData\Roaming\tybghhju.exe, yara_rule: nsis_installer_1 (3 matches)
- resource: C:\Users\Admin\AppData\Roaming\tybghhju.exe, yara_rule: nsis_installer_2 (3 matches)
-
Enumerates system info in registry 2 TTPs 1 IoCs
Processes:
- Key opened: \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor, process EXCEL.EXE
-
Launches Equation Editor 1 TTPs 1 IoCs
Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.
-
Modifies Internet Explorer settings
Processes (all keys below \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer, process EXCEL.EXE):
- Set value (str): Toolbar\ShowDiscussionButton = "Yes"
- Key created: MenuExt
- Key created: MenuExt\Se&nd to OneNote
- Set value (int): MenuExt\Se&nd to OneNote\Contexts = "55"
- Key created: MenuExt\E&xport to Microsoft Excel
- Set value (str): MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"
- Key created: Toolbar
- Set value (int): MenuExt\E&xport to Microsoft Excel\Contexts = "1"
- Set value (str): MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"
-
Suspicious behavior: AddClipboardFormatListener 1 IoCs
Processes:
- PID 1056, process EXCEL.EXE
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
- PID 1056, process EXCEL.EXE
-
Suspicious behavior: MapViewOfSection 1 IoCs
Processes:
- PID 1144, process tybghhju.exe
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
- Token: SeShutdownPrivilege, PID 1056, process EXCEL.EXE
-
Suspicious use of SetWindowsHookEx 10 IoCs
Processes:
- PID 1056, process EXCEL.EXE (10 calls)
-
Suspicious use of WriteProcessMemory 9 IoCs
Processes:
- PID 316 (EQNEDT32.EXE) wrote to memory of PID 1144 (tybghhju.exe), 4 times
- PID 1144 (tybghhju.exe) wrote to memory of PID 924 (tybghhju.exe), 5 times
Processes
-
Image: C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
Command line: "C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\PO_00130721.xlsx
Depth: 1
- Enumerates system info in registry
- Modifies Internet Explorer settings
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
Image: C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
Command line: "C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
Depth: 1
- Blocklisted process makes network request
- Loads dropped DLL
- Launches Equation Editor
- Suspicious use of WriteProcessMemory
-
Image: C:\Users\Admin\AppData\Roaming\tybghhju.exe
Command line: C:\Users\Admin\AppData\Roaming\tybghhju.exe
Depth: 2
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
-
Image: C:\Users\Admin\AppData\Roaming\tybghhju.exe
Command line: C:\Users\Admin\AppData\Roaming\tybghhju.exe
Depth: 3
- Executes dropped EXE
- Loads dropped DLL
Downloads
-
C:\Users\Admin\AppData\Roaming\tybghhju.exe
MD5: 3762cbb31e873b26f8aad4c630369425
SHA1: e4985cf0bf98a409cb874e02373f102deea78327
SHA256: 533c95efa1684d0b2496bbc7f579dd67ff646a6ca5dea085383ca1209e9b3f54
SHA512: a0d2296987d51c2cdc823f1ab348cf17bc8b8dc1534e1d07deabae3a0db431db2a759c84d6032d6b7738b6f15c862348cd73e3137a61d3bc7fb48434febb7b96
-
\Users\Admin\AppData\Local\Temp\freebl3.dll
MD5: ef12ab9d0b231b8f898067b2114b1bc0
SHA1: 6d90f27b2105945f9bb77039e8b892070a5f9442
SHA256: 2b00fc4f541ac10c94e3556ff28e30a801811c36422546a546a445aca3f410f7
SHA512: 2aa62bfba556ad8f042942dd25aa071ff6677c257904377c1ec956fd9e862abcbf379e0cfd8c630c303a32ece75618c24e3eef58bddb705c427985b944689193
-
\Users\Admin\AppData\Local\Temp\mozglue.dll
MD5: 75f8cc548cabf0cc800c25047e4d3124
SHA1: 602676768f9faecd35b48c38a0632781dfbde10c
SHA256: fb419a60305f17359e2ac0510233ee80e845885eee60607715c67dd88e501ef0
SHA512: ed831c9c769aef3be253c52542cf032afa0a8fa5fe25ca704db65ee6883c608220df7102ac2b99ee9c2e599a0f5db99fd86894a4b169e68440eb1b0d0012672f
-
\Users\Admin\AppData\Local\Temp\msvcp140.dll
MD5: 109f0f02fd37c84bfc7508d4227d7ed5
SHA1: ef7420141bb15ac334d3964082361a460bfdb975
SHA256: 334e69ac9367f708ce601a6f490ff227d6c20636da5222f148b25831d22e13d4
SHA512: 46eb62b65817365c249b48863d894b4669e20fcb3992e747cd5c9fdd57968e1b2cf7418d1c9340a89865eadda362b8db51947eb4427412eb83b35994f932fd39
-
\Users\Admin\AppData\Local\Temp\nss3.dll
MD5: 99cdf4f57217acee504875e7d92251e7
SHA1: 8397e3ef3b6bb838b35cb639daad8f1fef99d73a
SHA256: 281437eae83246327a79bf2c10f6b6be3362d536fbc1ce12f73aab838344a291
SHA512: e703349fa0b71dc28dbb422a1b45435fae8bac765a5b4d524345bb60e09da5cec99e93abf19853858c1a87000d483377f74d1a7b1c973a90888563ee300adf0b
-
\Users\Admin\AppData\Local\Temp\yoeohrl.dll
MD5: a06f93ae835f108b287e4b36a7cc7a50
SHA1: 2b2cefaacd35a064a523476961877b1087206f47
SHA256: f20d5db2348d918287dd69e893353670b97fd47e5e5788f34acb48befa806de9
SHA512: 4e6082efeaf4dc394db713cb94212b48ee9ee892765034e017c93d002ead1b408cc351d4779a16ec44b80868ed47c86e84b4e48ce748d7382bb739ad9a5acf0f
-
memory/316-62-0x00000000752B1000-0x00000000752B3000-memory.dmp
Filesize: 8KB
-
memory/924-74-0x0000000004070000-0x00000000040F4000-memory.dmp
Filesize: 528KB
-
memory/924-73-0x0000000003790000-0x0000000003814000-memory.dmp
Filesize: 528KB
-
memory/924-72-0x0000000000400000-0x0000000000554000-memory.dmp
Filesize: 1.3MB
-
memory/924-69-0x0000000000405CE2-mapping.dmp
-
memory/1056-59-0x000000002F671000-0x000000002F674000-memory.dmp
Filesize: 12KB
-
memory/1056-61-0x000000005FFF0000-0x0000000060000000-memory.dmp
Filesize: 64KB
-
memory/1056-60-0x0000000070E41000-0x0000000070E43000-memory.dmp
Filesize: 8KB
-
memory/1144-64-0x0000000000000000-mapping.dmp