Analysis
- max time kernel: 154s
- max time network: 151s
- platform: windows7_x64
- resource: win7v20210408
- submitted: 08-10-2021 17:05

Static task: static1
Behavioral task: behavioral1
- Sample: SECOND-STATEMENT OF ACCOUNT_2021-10-04989829.bat.exe
- Resource: win7v20210408
Behavioral task: behavioral2
- Sample: SECOND-STATEMENT OF ACCOUNT_2021-10-04989829.bat.exe
- Resource: win10-en-20210920

General
- Target: SECOND-STATEMENT OF ACCOUNT_2021-10-04989829.bat.exe
- Size: 557KB
- MD5: 513d95f880ef4b0522a50c4374e40f1f
- SHA1: b89d35ab5f89a5c984ea7d4a46ced8e1603a866b
- SHA256: a28d456ec326f62b15dc6257859619c1a2dc6817f332adb9c87fbb146676dc00
- SHA512: 922d8d138fdf2dfb77770697c57def5973d07a4d64fe5d7effeee30987330dd2611b97cb9df8da78d0cb42a35673800224fd49b6fe44f4c4f0e38dd00a6eb750

Malware Config
Extracted
- Family: warzonerat
- C2: 176.126.86.243:2021
Signatures
- WarzoneRat, AveMaria
  WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
- Warzone RAT Payload (10 IoCs)
  Processes (resource / yara_rule):
  - \Users\Admin\AppData\Local\Temp\for 176.126.86.243.exe / warzonerat
  - \Users\Admin\AppData\Local\Temp\for 176.126.86.243.exe / warzonerat
  - C:\Users\Admin\AppData\Local\Temp\for 176.126.86.243.exe / warzonerat
  - C:\Users\Admin\AppData\Local\Temp\for 176.126.86.243.exe / warzonerat
  - \ProgramData\microsoftupdate.exe / warzonerat
  - C:\ProgramData\microsoftupdate.exe / warzonerat
  - C:\ProgramData\microsoftupdate.exe / warzonerat
  - \ProgramData\microsoftupdate.exe / warzonerat
  - \ProgramData\microsoftupdate.exe / warzonerat
  - \ProgramData\microsoftupdate.exe / warzonerat
- Executes dropped EXE (3 IoCs)
  Processes (pid / process):
  - 556 / for 176.126.86.243.exe
  - 1128 / BTC STEALER.exe
  - 1340 / microsoftupdate.exe
- Drops startup file (1 IoC)
  Processes (description / ioc / process):
  - File created / C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WindowsUpdater.lnk / BTC STEALER.exe
- Loads dropped DLL (7 IoCs)
  Processes (pid / process):
  - 1600 / SECOND-STATEMENT OF ACCOUNT_2021-10-04989829.bat.exe
  - 1600 / SECOND-STATEMENT OF ACCOUNT_2021-10-04989829.bat.exe
  - 1600 / SECOND-STATEMENT OF ACCOUNT_2021-10-04989829.bat.exe
  - 556 / for 176.126.86.243.exe
  - 1340 / microsoftupdate.exe
  - 1340 / microsoftupdate.exe
  - 1340 / microsoftupdate.exe
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes (description / ioc / process):
  - Set value (str) / \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\windowsdefender = "C:\\ProgramData\\microsoftupdate.exe" / for 176.126.86.243.exe
  - Set value (str) / \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\WindowsUpdater = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\BTC STEALER.exe\" .." / BTC STEALER.exe
- Suspicious use of SetThreadContext (1 IoC)
  Processes (description / pid / process / target process):
  - PID 1628 set thread context of 1600 / 1628 / SECOND-STATEMENT OF ACCOUNT_2021-10-04989829.bat.exe / SECOND-STATEMENT OF ACCOUNT_2021-10-04989829.bat.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Creates scheduled task(s) (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
- Suspicious behavior: EnumeratesProcesses (6 IoCs)
  Processes (pid / process):
  - 1628 / SECOND-STATEMENT OF ACCOUNT_2021-10-04989829.bat.exe
  - 1628 / SECOND-STATEMENT OF ACCOUNT_2021-10-04989829.bat.exe
  - 1628 / SECOND-STATEMENT OF ACCOUNT_2021-10-04989829.bat.exe
  - 1628 / SECOND-STATEMENT OF ACCOUNT_2021-10-04989829.bat.exe
  - 1628 / SECOND-STATEMENT OF ACCOUNT_2021-10-04989829.bat.exe
  - 1628 / SECOND-STATEMENT OF ACCOUNT_2021-10-04989829.bat.exe
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes (description / pid / process):
  - Token: SeDebugPrivilege / 1628 / SECOND-STATEMENT OF ACCOUNT_2021-10-04989829.bat.exe
- Suspicious use of WriteProcessMemory (41 IoCs)
  Processes (description / pid / process / target process):
  - PID 1628 wrote to memory of 1616 / 1628 / SECOND-STATEMENT OF ACCOUNT_2021-10-04989829.bat.exe / schtasks.exe
  - PID 1628 wrote to memory of 1616 / 1628 / SECOND-STATEMENT OF ACCOUNT_2021-10-04989829.bat.exe / schtasks.exe
  - PID 1628 wrote to memory of 1616 / 1628 / SECOND-STATEMENT OF ACCOUNT_2021-10-04989829.bat.exe / schtasks.exe
  - PID 1628 wrote to memory of 1616 / 1628 / SECOND-STATEMENT OF ACCOUNT_2021-10-04989829.bat.exe / schtasks.exe
  - PID 1628 wrote to memory of 1504 / 1628 / SECOND-STATEMENT OF ACCOUNT_2021-10-04989829.bat.exe / SECOND-STATEMENT OF ACCOUNT_2021-10-04989829.bat.exe
  - PID 1628 wrote to memory of 1504 / 1628 / SECOND-STATEMENT OF ACCOUNT_2021-10-04989829.bat.exe / SECOND-STATEMENT OF ACCOUNT_2021-10-04989829.bat.exe
  - PID 1628 wrote to memory of 1504 / 1628 / SECOND-STATEMENT OF ACCOUNT_2021-10-04989829.bat.exe / SECOND-STATEMENT OF ACCOUNT_2021-10-04989829.bat.exe
  - PID 1628 wrote to memory of 1504 / 1628 / SECOND-STATEMENT OF ACCOUNT_2021-10-04989829.bat.exe / SECOND-STATEMENT OF ACCOUNT_2021-10-04989829.bat.exe
  - PID 1628 wrote to memory of 1600 / 1628 / SECOND-STATEMENT OF ACCOUNT_2021-10-04989829.bat.exe / SECOND-STATEMENT OF ACCOUNT_2021-10-04989829.bat.exe
  - PID 1628 wrote to memory of 1600 / 1628 / SECOND-STATEMENT OF ACCOUNT_2021-10-04989829.bat.exe / SECOND-STATEMENT OF ACCOUNT_2021-10-04989829.bat.exe
  - PID 1628 wrote to memory of 1600 / 1628 / SECOND-STATEMENT OF ACCOUNT_2021-10-04989829.bat.exe / SECOND-STATEMENT OF ACCOUNT_2021-10-04989829.bat.exe
  - PID 1628 wrote to memory of 1600 / 1628 / SECOND-STATEMENT OF ACCOUNT_2021-10-04989829.bat.exe / SECOND-STATEMENT OF ACCOUNT_2021-10-04989829.bat.exe
  - PID 1628 wrote to memory of 1600 / 1628 / SECOND-STATEMENT OF ACCOUNT_2021-10-04989829.bat.exe / SECOND-STATEMENT OF ACCOUNT_2021-10-04989829.bat.exe
  - PID 1628 wrote to memory of 1600 / 1628 / SECOND-STATEMENT OF ACCOUNT_2021-10-04989829.bat.exe / SECOND-STATEMENT OF ACCOUNT_2021-10-04989829.bat.exe
  - PID 1628 wrote to memory of 1600 / 1628 / SECOND-STATEMENT OF ACCOUNT_2021-10-04989829.bat.exe / SECOND-STATEMENT OF ACCOUNT_2021-10-04989829.bat.exe
  - PID 1628 wrote to memory of 1600 / 1628 / SECOND-STATEMENT OF ACCOUNT_2021-10-04989829.bat.exe / SECOND-STATEMENT OF ACCOUNT_2021-10-04989829.bat.exe
  - PID 1628 wrote to memory of 1600 / 1628 / SECOND-STATEMENT OF ACCOUNT_2021-10-04989829.bat.exe / SECOND-STATEMENT OF ACCOUNT_2021-10-04989829.bat.exe
  - PID 1600 wrote to memory of 556 / 1600 / SECOND-STATEMENT OF ACCOUNT_2021-10-04989829.bat.exe / for 176.126.86.243.exe
  - PID 1600 wrote to memory of 556 / 1600 / SECOND-STATEMENT OF ACCOUNT_2021-10-04989829.bat.exe / for 176.126.86.243.exe
  - PID 1600 wrote to memory of 556 / 1600 / SECOND-STATEMENT OF ACCOUNT_2021-10-04989829.bat.exe / for 176.126.86.243.exe
  - PID 1600 wrote to memory of 556 / 1600 / SECOND-STATEMENT OF ACCOUNT_2021-10-04989829.bat.exe / for 176.126.86.243.exe
  - PID 1600 wrote to memory of 1128 / 1600 / SECOND-STATEMENT OF ACCOUNT_2021-10-04989829.bat.exe / BTC STEALER.exe
  - PID 1600 wrote to memory of 1128 / 1600 / SECOND-STATEMENT OF ACCOUNT_2021-10-04989829.bat.exe / BTC STEALER.exe
  - PID 1600 wrote to memory of 1128 / 1600 / SECOND-STATEMENT OF ACCOUNT_2021-10-04989829.bat.exe / BTC STEALER.exe
  - PID 1600 wrote to memory of 1128 / 1600 / SECOND-STATEMENT OF ACCOUNT_2021-10-04989829.bat.exe / BTC STEALER.exe
  - PID 556 wrote to memory of 1340 / 556 / for 176.126.86.243.exe / microsoftupdate.exe
  - PID 556 wrote to memory of 1340 / 556 / for 176.126.86.243.exe / microsoftupdate.exe
  - PID 556 wrote to memory of 1340 / 556 / for 176.126.86.243.exe / microsoftupdate.exe
  - PID 556 wrote to memory of 1340 / 556 / for 176.126.86.243.exe / microsoftupdate.exe
  - PID 556 wrote to memory of 1340 / 556 / for 176.126.86.243.exe / microsoftupdate.exe
  - PID 556 wrote to memory of 1340 / 556 / for 176.126.86.243.exe / microsoftupdate.exe
  - PID 556 wrote to memory of 1340 / 556 / for 176.126.86.243.exe / microsoftupdate.exe
  - PID 1340 wrote to memory of 1660 / 1340 / microsoftupdate.exe / cmd.exe
  - PID 1340 wrote to memory of 1660 / 1340 / microsoftupdate.exe / cmd.exe
  - PID 1340 wrote to memory of 1660 / 1340 / microsoftupdate.exe / cmd.exe
  - PID 1340 wrote to memory of 1660 / 1340 / microsoftupdate.exe / cmd.exe
  - PID 1340 wrote to memory of 1660 / 1340 / microsoftupdate.exe / cmd.exe
  - PID 1340 wrote to memory of 1660 / 1340 / microsoftupdate.exe / cmd.exe
  - PID 1340 wrote to memory of 1660 / 1340 / microsoftupdate.exe / cmd.exe
  - PID 1340 wrote to memory of 1660 / 1340 / microsoftupdate.exe / cmd.exe
  - PID 1340 wrote to memory of 1660 / 1340 / microsoftupdate.exe / cmd.exe
  - PID 1340 wrote to memory of 1660 / 1340 / microsoftupdate.exe / cmd.exe
Processes (process tree; the number in brackets is the nesting depth)
- [1] C:\Users\Admin\AppData\Local\Temp\SECOND-STATEMENT OF ACCOUNT_2021-10-04989829.bat.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\SECOND-STATEMENT OF ACCOUNT_2021-10-04989829.bat.exe"
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - [2] C:\Windows\SysWOW64\schtasks.exe
    Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\qHBYWHQISskoYw" /XML "C:\Users\Admin\AppData\Local\Temp\tmp3A14.tmp"
    - Creates scheduled task(s)
  - [2] C:\Users\Admin\AppData\Local\Temp\SECOND-STATEMENT OF ACCOUNT_2021-10-04989829.bat.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\SECOND-STATEMENT OF ACCOUNT_2021-10-04989829.bat.exe"
  - [2] C:\Users\Admin\AppData\Local\Temp\SECOND-STATEMENT OF ACCOUNT_2021-10-04989829.bat.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\SECOND-STATEMENT OF ACCOUNT_2021-10-04989829.bat.exe"
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    - [3] C:\Users\Admin\AppData\Local\Temp\for 176.126.86.243.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\for 176.126.86.243.exe"
      - Executes dropped EXE
      - Loads dropped DLL
      - Adds Run key to start application
      - Suspicious use of WriteProcessMemory
      - [4] C:\ProgramData\microsoftupdate.exe
        Command line: "C:\ProgramData\microsoftupdate.exe"
        - Executes dropped EXE
        - Loads dropped DLL
        - Suspicious use of WriteProcessMemory
        - [5] C:\Windows\SysWOW64\cmd.exe
          Command line: "C:\Windows\System32\cmd.exe"
    - [3] C:\Users\Admin\AppData\Local\Temp\BTC STEALER.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\BTC STEALER.exe"
      - Executes dropped EXE
      - Drops startup file
      - Adds Run key to start application
Downloads