Analysis

  max time kernel:  132s
  max time network: 175s
  platform:         windows7_x64
  resource:         win7v20210408
  submitted:        05-10-2021 13:32

Static task: static1

Behavioral task: behavioral1
  Sample:   STATEMENT OF ACCOUNT_2021-10-04989829.exe
  Resource: win7v20210408

Behavioral task: behavioral2
  Sample:   STATEMENT OF ACCOUNT_2021-10-04989829.exe
  Resource: win10-en-20210920

General

  Target: STATEMENT OF ACCOUNT_2021-10-04989829.exe
  Size:   415KB
  MD5:    ba089fe4546d19803adad582ca6f2ec5
  SHA1:   32c00e95b5f398c7bb7261feb35290e34c59d21f
  SHA256: 014cd6b5ea8a3b792f7f8926eab05f857fa548a5c75bb6a2c0292f71536cb228
  SHA512: 1b443fd3bdbe05de713311c867ef4b5c73d21eabcd9d89c4df5ad6e78c06c0cf390f52e04cd25a74754bf9cbe007e5abf25787f2dcb089bb66f929b2b0f93592

Malware Config

  Extracted config (warzonerat): 176.126.86.243:2021
Signatures

WarzoneRat, AveMaria
  WarzoneRat is a native RAT developed in C++ with multiple plugins, sold as MaaS.

Warzone RAT Payload (5 IoCs)
  resource | yara_rule
  behavioral1/memory/1876-66-0x0000000000400000-0x0000000000554000-memory.dmp | warzonerat
  behavioral1/memory/1876-67-0x0000000000405CE2-mapping.dmp | warzonerat
  behavioral1/memory/1876-69-0x0000000000400000-0x0000000000554000-memory.dmp | warzonerat
  behavioral1/memory/1620-84-0x0000000000405CE2-mapping.dmp | warzonerat
  behavioral1/memory/1620-87-0x0000000000400000-0x0000000000554000-memory.dmp | warzonerat
Executes dropped EXE (3 IoCs)
  pid  | process
  1236 | microsoftupdate.exe
  752  | microsoftupdate.exe
  1620 | microsoftupdate.exe

Sets DLL path for service in the registry (2 TTPs)

Loads dropped DLL (4 IoCs)
  pid  | process
  1876 | STATEMENT OF ACCOUNT_2021-10-04989829.exe
  1236 | microsoftupdate.exe
  1236 | microsoftupdate.exe
  2020 |
Adds Run key to start application (2 TTPs, 1 IoC)
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\windowsdefender = "C:\\ProgramData\\microsoftupdate.exe" | STATEMENT OF ACCOUNT_2021-10-04989829.exe

Modifies WinLogon (2 TTPs, 4 IoCs)
  description | ioc | process
  Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList | microsoftupdate.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts | microsoftupdate.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList\EyJwmxk = "0" | microsoftupdate.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\AllowMultipleTSSessions = "1" | microsoftupdate.exe
Drops file in System32 directory (1 IoC)
  description | ioc | process
  File created | C:\Windows\System32\rfxvmt.dll | microsoftupdate.exe

Suspicious use of SetThreadContext (2 IoCs)
  description | pid | process | target process
  PID 1104 set thread context of 1876 | 1104 | STATEMENT OF ACCOUNT_2021-10-04989829.exe | STATEMENT OF ACCOUNT_2021-10-04989829.exe
  PID 1236 set thread context of 1620 | 1236 | microsoftupdate.exe | microsoftupdate.exe

Drops file in Program Files directory (2 IoCs)
  description | ioc | process
  File created | C:\Program Files\Microsoft DN1\sqlmap.dll | microsoftupdate.exe
  File created | C:\Program Files\Microsoft DN1\rdpwrap.ini | microsoftupdate.exe
Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Creates scheduled task(s) (1 TTP, 2 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
Suspicious behavior: EnumeratesProcesses (15 IoCs; identical rows collapsed with an occurrence count)
  pid  | process | occurrences
  1104 | STATEMENT OF ACCOUNT_2021-10-04989829.exe | 7
  1236 | microsoftupdate.exe | 8

Suspicious behavior: LoadsDriver (1 IoC)
  pid  | process
  2020 |

Suspicious use of AdjustPrivilegeToken (3 IoCs)
  description | pid | process
  Token: SeDebugPrivilege | 1104 | STATEMENT OF ACCOUNT_2021-10-04989829.exe
  Token: SeDebugPrivilege | 1236 | microsoftupdate.exe
  Token: SeDebugPrivilege | 1620 | microsoftupdate.exe
Suspicious use of WriteProcessMemory (55 IoCs; identical rows collapsed with an occurrence count)
  description | pid | process | target process | occurrences
  PID 1104 wrote to memory of 1716 | 1104 | STATEMENT OF ACCOUNT_2021-10-04989829.exe | schtasks.exe | 4
  PID 1104 wrote to memory of 1876 | 1104 | STATEMENT OF ACCOUNT_2021-10-04989829.exe | STATEMENT OF ACCOUNT_2021-10-04989829.exe | 12
  PID 1876 wrote to memory of 1236 | 1876 | STATEMENT OF ACCOUNT_2021-10-04989829.exe | microsoftupdate.exe | 7
  PID 1236 wrote to memory of 684  | 1236 | microsoftupdate.exe | schtasks.exe | 4
  PID 1236 wrote to memory of 752  | 1236 | microsoftupdate.exe | microsoftupdate.exe | 7
  PID 1236 wrote to memory of 1620 | 1236 | microsoftupdate.exe | microsoftupdate.exe | 15
  PID 1620 wrote to memory of 1760 | 1620 | microsoftupdate.exe | cmd.exe | 6
Processes (tree depth in brackets; image path, then command line, then triggered signatures)

[1] C:\Users\Admin\AppData\Local\Temp\STATEMENT OF ACCOUNT_2021-10-04989829.exe
    "C:\Users\Admin\AppData\Local\Temp\STATEMENT OF ACCOUNT_2021-10-04989829.exe"
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    [2] C:\Windows\SysWOW64\schtasks.exe
        "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ExzJZVEPzsavn" /XML "C:\Users\Admin\AppData\Local\Temp\tmpADDB.tmp"
        - Creates scheduled task(s)

    [2] C:\Users\Admin\AppData\Local\Temp\STATEMENT OF ACCOUNT_2021-10-04989829.exe
        "C:\Users\Admin\AppData\Local\Temp\STATEMENT OF ACCOUNT_2021-10-04989829.exe"
        - Loads dropped DLL
        - Adds Run key to start application
        - Suspicious use of WriteProcessMemory

        [3] C:\ProgramData\microsoftupdate.exe
            "C:\ProgramData\microsoftupdate.exe"
            - Executes dropped EXE
            - Loads dropped DLL
            - Suspicious use of SetThreadContext
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
            - Suspicious use of WriteProcessMemory

            [4] C:\Windows\SysWOW64\schtasks.exe
                "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ExzJZVEPzsavn" /XML "C:\Users\Admin\AppData\Local\Temp\tmp8E79.tmp"
                - Creates scheduled task(s)

            [4] C:\ProgramData\microsoftupdate.exe
                "C:\ProgramData\microsoftupdate.exe"
                - Executes dropped EXE

            [4] C:\ProgramData\microsoftupdate.exe
                "C:\ProgramData\microsoftupdate.exe"
                - Executes dropped EXE
                - Modifies WinLogon
                - Drops file in System32 directory
                - Drops file in Program Files directory
                - Suspicious use of AdjustPrivilegeToken
                - Suspicious use of WriteProcessMemory

                [5] C:\Windows\SysWOW64\cmd.exe
                    "C:\Windows\System32\cmd.exe"
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads