Analysis
max time kernel: 150s
max time network: 146s
platform: windows10_x64
resource: win10-en
submitted: 12-09-2021 14:26

Static task: static1
Behavioral task: behavioral1
  Sample: d38a592a34803dd43fec1722a4467822.exe
  Resource: win7v20210408
Behavioral task: behavioral2
  Sample: d38a592a34803dd43fec1722a4467822.exe
  Resource: win10-en
General
Target: d38a592a34803dd43fec1722a4467822.exe
Size: 438KB
MD5: d38a592a34803dd43fec1722a4467822
SHA1: 2fa62ad88fe9ed8ff915087692020ea0b84f56ae
SHA256: d01e5dc3618708c0affe1be008e9d356fe7d113289dc68bc832d556788adeba1
SHA512: d85d6783fbc10399f808b1667848c4d46571da9b271dfa7deebff08703d3a90d2eba2e932a692a672aa4d9809f39bb73ab8b44dc7e12bb6afe4065da04a120a3
Malware Config
Extracted: warzonerat
  C2: pubg.ddns.net:5201
Extracted: njrat
  Njrat 0.7 Golden By Hassan Amiri
  x1x1x1x1x1
  C2: pubg.ddns.net:147
  Windows Update
  reg_key: Windows Update
  splitter: |Hassan|
Signatures
- WarzoneRat, AveMaria
  WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
- suricata: ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)
- Warzone RAT Payload (4 IoCs)
  Processes (resource | yara_rule):
    C:\Windows\windll.exe | warzonerat
    C:\Windows\windll.exe | warzonerat
    C:\ProgramData\imagesghr.exe | warzonerat
    C:\ProgramData\imagesghr.exe | warzonerat
- Executes dropped EXE (5 IoCs)
  Processes (pid | process):
    4020 | win.exe
    3264 | windll.exe
    3148 | TVTools_AlterID.exe
    652 | imagesghr.exe
    1328 | FixWindowsUpdate.exe
- Drops startup file (4 IoCs)
  Processes (description | ioc | process):
    File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\programs.bat | windll.exe
    File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\programs.bat:start | windll.exe
    File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft update.exe | FixWindowsUpdate.exe
    File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft update.exe | FixWindowsUpdate.exe
- Adds Run key to start application (2 TTPs, 3 IoCs)
  Processes (description | ioc | process):
    Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Imagesaf = "C:\\ProgramData\\imagesghr.exe" | windll.exe
    Set value (str) | \REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Update = "\"C:\\Users\\Admin\\AppData\\Roaming\\FixWindowsUpdate.exe\" .." | FixWindowsUpdate.exe
    Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Update = "\"C:\\Users\\Admin\\AppData\\Roaming\\FixWindowsUpdate.exe\" .." | FixWindowsUpdate.exe
- Drops file in Windows directory (7 IoCs)
  Processes (description | ioc | process):
    File created | C:\Windows\win.exe | d38a592a34803dd43fec1722a4467822.exe
    File opened for modification | C:\Windows\win.exe | d38a592a34803dd43fec1722a4467822.exe
    File created | C:\Windows\windll.exe | d38a592a34803dd43fec1722a4467822.exe
    File opened for modification | C:\Windows\windll.exe | d38a592a34803dd43fec1722a4467822.exe
    File created | C:\Windows\TVTools_AlterID.exe | d38a592a34803dd43fec1722a4467822.exe
    File opened for modification | C:\Windows\TVTools_AlterID.exe | d38a592a34803dd43fec1722a4467822.exe
    File created | C:\Windows\__tmp_rar_sfx_access_check_259263343 | d38a592a34803dd43fec1722a4467822.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Modifies registry class (2 IoCs)
  Processes (description | ioc | process):
    Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance | TVTools_AlterID.exe
    Key created | \REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance | TVTools_AlterID.exe
- NTFS ADS (1 IoCs)
  Processes (description | ioc | process):
    File created | C:\ProgramData:ApplicationData | windll.exe
- Suspicious behavior: EnumeratesProcesses (8 IoCs)
  Processes (pid | process):
    3148 | TVTools_AlterID.exe
    3148 | TVTools_AlterID.exe
    1604 | powershell.exe
    1604 | powershell.exe
    948 | powershell.exe
    1604 | powershell.exe
    948 | powershell.exe
    948 | powershell.exe
- Suspicious behavior: GetForegroundWindowSpam (2 IoCs)
  Processes (pid | process):
    4020 | win.exe
    1328 | FixWindowsUpdate.exe
- Suspicious use of AdjustPrivilegeToken (33 IoCs)
  Processes (description | pid | process):
    Token: SeDebugPrivilege | 1604 | powershell.exe
    Token: SeDebugPrivilege | 948 | powershell.exe
    Token: SeDebugPrivilege | 1328 | FixWindowsUpdate.exe
    Token: 33 | 1328 | FixWindowsUpdate.exe (15 occurrences, alternating with the row below)
    Token: SeIncBasePriorityPrivilege | 1328 | FixWindowsUpdate.exe (15 occurrences)
- Suspicious use of SetWindowsHookEx (1 IoCs)
  Processes (pid | process):
    3148 | TVTools_AlterID.exe
- Suspicious use of WriteProcessMemory (19 IoCs)
  Processes (description | pid | process | target process):
    PID 3652 wrote to memory of 4020 | 3652 | d38a592a34803dd43fec1722a4467822.exe | win.exe (2 occurrences)
    PID 3652 wrote to memory of 3264 | 3652 | d38a592a34803dd43fec1722a4467822.exe | windll.exe (3 occurrences)
    PID 3652 wrote to memory of 3148 | 3652 | d38a592a34803dd43fec1722a4467822.exe | TVTools_AlterID.exe (3 occurrences)
    PID 3264 wrote to memory of 1604 | 3264 | windll.exe | powershell.exe (3 occurrences)
    PID 3264 wrote to memory of 652 | 3264 | windll.exe | imagesghr.exe (3 occurrences)
    PID 652 wrote to memory of 948 | 652 | imagesghr.exe | powershell.exe (3 occurrences)
    PID 4020 wrote to memory of 1328 | 4020 | win.exe | FixWindowsUpdate.exe (2 occurrences)
Processes (tree; the number in brackets is the depth in the process tree)
[1] C:\Users\Admin\AppData\Local\Temp\d38a592a34803dd43fec1722a4467822.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\d38a592a34803dd43fec1722a4467822.exe"
    - Drops file in Windows directory
    - Suspicious use of WriteProcessMemory
  [2] C:\Windows\win.exe
      Command line: "C:\Windows\win.exe"
      - Executes dropped EXE
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of WriteProcessMemory
    [3] C:\Users\Admin\AppData\Roaming\FixWindowsUpdate.exe
        Command line: "C:\Users\Admin\AppData\Roaming\FixWindowsUpdate.exe"
        - Executes dropped EXE
        - Drops startup file
        - Adds Run key to start application
        - Suspicious behavior: GetForegroundWindowSpam
        - Suspicious use of AdjustPrivilegeToken
  [2] C:\Windows\windll.exe
      Command line: "C:\Windows\windll.exe"
      - Executes dropped EXE
      - Drops startup file
      - Adds Run key to start application
      - NTFS ADS
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        Command line: powershell Add-MpPreference -ExclusionPath C:\
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
    [3] C:\ProgramData\imagesghr.exe
        Command line: "C:\ProgramData\imagesghr.exe"
        - Executes dropped EXE
        - Suspicious use of WriteProcessMemory
      [4] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          Command line: powershell Add-MpPreference -ExclusionPath C:\
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
  [2] C:\Windows\TVTools_AlterID.exe
      Command line: "C:\Windows\TVTools_AlterID.exe"
      - Executes dropped EXE
      - Modifies registry class
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of SetWindowsHookEx
Downloads