General

  • Target

    ddb25c6d3894be202a4ee4b061ce010d

  • Size

    893KB

  • Sample

    210915-hn8c8sdagn

  • MD5

    ddb25c6d3894be202a4ee4b061ce010d

  • SHA1

    5e87d177b7ca71c46f7c37d13a2de5e04b97549d

  • SHA256

    8035847afc188fc0c7f878b148ffae82d22f6594386539255cdfc4b5d5deb8c0

  • SHA512

    b8e5caeb723f259c30cb34f2049e4051e0b7f3b4b4cd599a8729501875adf97b0c600e694c811f0909d2af84eb240cd6f01fd55a368a698f70dced6f410d78f2

Malware Config

Extracted

Family

warzonerat

C2

severdops.ddns.net:3311

Targets

    • Target

      ddb25c6d3894be202a4ee4b061ce010d

    • Size

      893KB

    • MD5

      ddb25c6d3894be202a4ee4b061ce010d

    • SHA1

      5e87d177b7ca71c46f7c37d13a2de5e04b97549d

    • SHA256

      8035847afc188fc0c7f878b148ffae82d22f6594386539255cdfc4b5d5deb8c0

    • SHA512

      b8e5caeb723f259c30cb34f2049e4051e0b7f3b4b4cd599a8729501875adf97b0c600e694c811f0909d2af84eb240cd6f01fd55a368a698f70dced6f410d78f2

    • Modifies Windows Defender Real-time Protection settings

    • Turns off Windows Defender SpyNet reporting

    • UAC bypass

    • WarzoneRat, AveMaria

      WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.

    • Windows security bypass

    • Looks for VirtualBox Guest Additions in registry

    • Nirsoft

    • Executes dropped EXE

    • Looks for VMWare Tools registry key

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Drops startup file

    • Loads dropped DLL

    • Uses the VBS compiler for execution

    • Windows security modification

    • Adds Run key to start application

    • Checks whether UAC is enabled

    • Maps connected drives based on registry

      Disk information is often read in order to detect sandboxing environments.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v6

Execution

Scripting

1
T1064

Persistence

Modify Existing Service

1
T1031

Registry Run Keys / Startup Folder

1
T1060

Privilege Escalation

Bypass User Account Control

1
T1088

Defense Evasion

Modify Registry

7
T1112

Disabling Security Tools

5
T1089

Bypass User Account Control

1
T1088

Virtualization/Sandbox Evasion

2
T1497

Scripting

1
T1064

Discovery

Query Registry

4
T1012

Virtualization/Sandbox Evasion

2
T1497

System Information Discovery

4
T1082

Peripheral Device Discovery

1
T1120

Tasks