warzonerat | 895c00426f8a3de65c065104f4988f1db0f64b916b44d705ac95b27a7b049aea

General

Target

SECOND-STATEMENT OF ACCOUNT_2021-10-04989829.bat.exe
Size

557KB
MD5

513d95f880ef4b0522a50c4374e40f1f
SHA1

b89d35ab5f89a5c984ea7d4a46ced8e1603a866b
SHA256

a28d456ec326f62b15dc6257859619c1a2dc6817f332adb9c87fbb146676dc00
SHA512

922d8d138fdf2dfb77770697c57def5973d07a4d64fe5d7effeee30987330dd2611b97cb9df8da78d0cb42a35673800224fd49b6fe44f4c4f0e38dd00a6eb750

Score

10^/10

warzonerat evasion infostealer persistence rat trojan

Malware Config

Extracted

Family

warzonerat

C2

176.126.86.243:2021

Signatures

Registers COM server for autorun 1 TTPs
persistence

Registry Run Keys / Startup Folder
T1060
WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
rat infostealer warzonerat

Warzone RAT Payload 4 IoCs

rat

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\for 176.126.86.243.exe	warzonerat
C:\Users\Admin\AppData\Local\Temp\for 176.126.86.243.exe	warzonerat
C:\ProgramData\microsoftupdate.exe	warzonerat
C:\ProgramData\microsoftupdate.exe	warzonerat

Executes dropped EXE 3 IoCs

Processes:

for 176.126.86.243.exeBTC STEALER.exemicrosoftupdate.exe

pid process

4388 for 176.126.86.243.exe
2760 BTC STEALER.exe
3880 microsoftupdate.exe
Drops startup file 1 IoCs

Processes:

BTC STEALER.exe

description ioc process

File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WindowsUpdater.lnk BTC STEALER.exe

pid	process
4388	for 176.126.86.243.exe
2760	BTC STEALER.exe
3880	microsoftupdate.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WindowsUpdater.lnk	BTC STEALER.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

for 176.126.86.243.exeBTC STEALER.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\windowsdefender = "C:\\ProgramData\\microsoftupdate.exe"	for 176.126.86.243.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Windows\CurrentVersion\Run\WindowsUpdater = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\BTC STEALER.exe\" .."	BTC STEALER.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

BTC STEALER.exe

description ioc process

Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA BTC STEALER.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	BTC STEALER.exe

Drops file in System32 directory 4 IoCs

Processes:

OfficeC2RClient.exe

description	ioc	process
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\counters2.dat	OfficeC2RClient.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Office\OTele\officec2rclient.exe.db	OfficeC2RClient.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Office\OTele\officec2rclient.exe.db-wal	OfficeC2RClient.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Office\OTele\officec2rclient.exe.db-shm	OfficeC2RClient.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

SECOND-STATEMENT OF ACCOUNT_2021-10-04989829.bat.exe

description	pid	process	target process
PID 3924 set thread context of 1436	3924	SECOND-STATEMENT OF ACCOUNT_2021-10-04989829.bat.exe	SECOND-STATEMENT OF ACCOUNT_2021-10-04989829.bat.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1400 schtasks.exe

pid	process
1400	schtasks.exe

Modifies data under HKEY_USERS 23 IoCs

Processes:

OfficeC2RClient.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata	OfficeC2RClient.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officec2rclient.exe\ULSMonitor\ULSTagIds0 = "5804129,17110992,7202269,17110988,7153487,39965824,17962391,17962392,3702920,3462423,3700754,3965062,4297094,7153421,18716193,7153435,7202265,20502174,6308191,18407617"	OfficeC2RClient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\Common\ClientTelemetry	OfficeC2RClient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentEcs\Overrides	OfficeC2RClient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentEcs\officeclicktorun\Overrides	OfficeC2RClient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\officeclicktorun\ConfigContextData	OfficeC2RClient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officec2rclient.exe	OfficeC2RClient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry	OfficeC2RClient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\Common\ClientTelemetry\Volatile	OfficeC2RClient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs	OfficeC2RClient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\FirstSession\officeclicktorun	OfficeC2RClient.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages\en-US = "2"	OfficeC2RClient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\TrustCenter\Experimentation	OfficeC2RClient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentEcs\all\Overrides	OfficeC2RClient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0	OfficeC2RClient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common	OfficeC2RClient.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officec2rclient.exe	OfficeC2RClient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officec2rclient.exe\ULSMonitor	OfficeC2RClient.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officec2rclient.exe\ULSMonitor\ULSCategoriesSeverities = "1329 10,1329 50,941 10,1329 15,941 15,941 6,1329 100,1329 6"	OfficeC2RClient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\officeclicktorun	OfficeC2RClient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\ExternalFeatureOverrides\officeclicktorun	OfficeC2RClient.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages\en-US = "1"	OfficeC2RClient.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officec2rclient.exe\ULSMonitor	OfficeC2RClient.exe

Modifies registry class 44 IoCs

Processes:

FileSyncConfig.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\ShellFolder\FolderValueFlags = "40"	FileSyncConfig.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_CLASSES\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\DEFAULTICON	FileSyncConfig.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_CLASSES\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\INPROCSERVER32	FileSyncConfig.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\InitPropertyBag\TargetKnownFolder = "{a52bba46-e9e1-435f-b3d9-28daa648c0f6}"	FileSyncConfig.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}	FileSyncConfig.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\System.IsPinnedToNameSpaceTree = "1"	FileSyncConfig.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance	FileSyncConfig.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_CLASSES\WOW6432NODE\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\SHELLFOLDER	FileSyncConfig.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\CLSID = "{0E5AAE11-A475-4c5b-AB00-C66DE400274E}"	FileSyncConfig.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\InProcServer32\ = "%systemroot%\\system32\\shell32.dll"	FileSyncConfig.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe,0"	FileSyncConfig.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_CLASSES\WOW6432NODE\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\INSTANCE\INITPROPERTYBAG	FileSyncConfig.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance	FileSyncConfig.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\InProcServer32	FileSyncConfig.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\InProcServer32\ = "%systemroot%\\SysWow64\\shell32.dll"	FileSyncConfig.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\InitPropertyBag\TargetKnownFolder = "{a52bba46-e9e1-435f-b3d9-28daa648c0f6}"	FileSyncConfig.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance	FileSyncConfig.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\InitPropertyBag	FileSyncConfig.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_CLASSES\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\INSTANCE\INITPROPERTYBAG	FileSyncConfig.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_CLASSES\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\SHELLFOLDER	FileSyncConfig.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\ = "OneDrive"	FileSyncConfig.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\System.IsPinnedToNameSpaceTree = "1"	FileSyncConfig.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\SortOrderIndex = "66"	FileSyncConfig.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\DefaultIcon	FileSyncConfig.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\ShellFolder\Attributes = "4034920525"	FileSyncConfig.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\InitPropertyBag\Attributes = "17"	FileSyncConfig.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}	FileSyncConfig.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}	FileSyncConfig.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\SortOrderIndex = "66"	FileSyncConfig.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\InProcServer32	FileSyncConfig.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\DefaultIcon	FileSyncConfig.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\InitPropertyBag	FileSyncConfig.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_CLASSES\WOW6432NODE\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\INPROCSERVER32	FileSyncConfig.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance	FileSyncConfig.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\InitPropertyBag\Attributes = "17"	FileSyncConfig.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\ShellFolder\Attributes = "4034920525"	FileSyncConfig.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_CLASSES\WOW6432NODE\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\DEFAULTICON	FileSyncConfig.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}	FileSyncConfig.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe,0"	FileSyncConfig.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\ShellFolder	FileSyncConfig.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\ShellFolder\FolderValueFlags = "40"	FileSyncConfig.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\CLSID = "{0E5AAE11-A475-4c5b-AB00-C66DE400274E}"	FileSyncConfig.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\ = "OneDrive"	FileSyncConfig.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\ShellFolder	FileSyncConfig.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

SECOND-STATEMENT OF ACCOUNT_2021-10-04989829.bat.exe

pid	process
3924	SECOND-STATEMENT OF ACCOUNT_2021-10-04989829.bat.exe
3924	SECOND-STATEMENT OF ACCOUNT_2021-10-04989829.bat.exe
3924	SECOND-STATEMENT OF ACCOUNT_2021-10-04989829.bat.exe
3924	SECOND-STATEMENT OF ACCOUNT_2021-10-04989829.bat.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

SECOND-STATEMENT OF ACCOUNT_2021-10-04989829.bat.exe

description pid process

Token: SeDebugPrivilege 3924 SECOND-STATEMENT OF ACCOUNT_2021-10-04989829.bat.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

OfficeC2RClient.exe

pid process

3168 OfficeC2RClient.exe

description	pid	process
Token: SeDebugPrivilege	3924	SECOND-STATEMENT OF ACCOUNT_2021-10-04989829.bat.exe

pid	process
3168	OfficeC2RClient.exe

Suspicious use of WriteProcessMemory 24 IoCs

Processes:

SECOND-STATEMENT OF ACCOUNT_2021-10-04989829.bat.exeSECOND-STATEMENT OF ACCOUNT_2021-10-04989829.bat.exefor 176.126.86.243.exemicrosoftupdate.exe

description	pid	process	target process
PID 3924 wrote to memory of 1400	3924	SECOND-STATEMENT OF ACCOUNT_2021-10-04989829.bat.exe	schtasks.exe
PID 3924 wrote to memory of 1400	3924	SECOND-STATEMENT OF ACCOUNT_2021-10-04989829.bat.exe	schtasks.exe
PID 3924 wrote to memory of 1400	3924	SECOND-STATEMENT OF ACCOUNT_2021-10-04989829.bat.exe	schtasks.exe
PID 3924 wrote to memory of 1436	3924	SECOND-STATEMENT OF ACCOUNT_2021-10-04989829.bat.exe	SECOND-STATEMENT OF ACCOUNT_2021-10-04989829.bat.exe
PID 3924 wrote to memory of 1436	3924	SECOND-STATEMENT OF ACCOUNT_2021-10-04989829.bat.exe	SECOND-STATEMENT OF ACCOUNT_2021-10-04989829.bat.exe
PID 3924 wrote to memory of 1436	3924	SECOND-STATEMENT OF ACCOUNT_2021-10-04989829.bat.exe	SECOND-STATEMENT OF ACCOUNT_2021-10-04989829.bat.exe
PID 3924 wrote to memory of 1436	3924	SECOND-STATEMENT OF ACCOUNT_2021-10-04989829.bat.exe	SECOND-STATEMENT OF ACCOUNT_2021-10-04989829.bat.exe
PID 3924 wrote to memory of 1436	3924	SECOND-STATEMENT OF ACCOUNT_2021-10-04989829.bat.exe	SECOND-STATEMENT OF ACCOUNT_2021-10-04989829.bat.exe
PID 3924 wrote to memory of 1436	3924	SECOND-STATEMENT OF ACCOUNT_2021-10-04989829.bat.exe	SECOND-STATEMENT OF ACCOUNT_2021-10-04989829.bat.exe
PID 3924 wrote to memory of 1436	3924	SECOND-STATEMENT OF ACCOUNT_2021-10-04989829.bat.exe	SECOND-STATEMENT OF ACCOUNT_2021-10-04989829.bat.exe
PID 3924 wrote to memory of 1436	3924	SECOND-STATEMENT OF ACCOUNT_2021-10-04989829.bat.exe	SECOND-STATEMENT OF ACCOUNT_2021-10-04989829.bat.exe
PID 1436 wrote to memory of 4388	1436	SECOND-STATEMENT OF ACCOUNT_2021-10-04989829.bat.exe	for 176.126.86.243.exe
PID 1436 wrote to memory of 4388	1436	SECOND-STATEMENT OF ACCOUNT_2021-10-04989829.bat.exe	for 176.126.86.243.exe
PID 1436 wrote to memory of 4388	1436	SECOND-STATEMENT OF ACCOUNT_2021-10-04989829.bat.exe	for 176.126.86.243.exe
PID 1436 wrote to memory of 2760	1436	SECOND-STATEMENT OF ACCOUNT_2021-10-04989829.bat.exe	BTC STEALER.exe
PID 1436 wrote to memory of 2760	1436	SECOND-STATEMENT OF ACCOUNT_2021-10-04989829.bat.exe	BTC STEALER.exe
PID 4388 wrote to memory of 3880	4388	for 176.126.86.243.exe	microsoftupdate.exe
PID 4388 wrote to memory of 3880	4388	for 176.126.86.243.exe	microsoftupdate.exe
PID 4388 wrote to memory of 3880	4388	for 176.126.86.243.exe	microsoftupdate.exe
PID 3880 wrote to memory of 3628	3880	microsoftupdate.exe	cmd.exe
PID 3880 wrote to memory of 3628	3880	microsoftupdate.exe	cmd.exe
PID 3880 wrote to memory of 3628	3880	microsoftupdate.exe	cmd.exe
PID 3880 wrote to memory of 3628	3880	microsoftupdate.exe	cmd.exe
PID 3880 wrote to memory of 3628	3880	microsoftupdate.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\SECOND-STATEMENT OF ACCOUNT_2021-10-04989829.bat.exe
"C:\Users\Admin\AppData\Local\Temp\SECOND-STATEMENT OF ACCOUNT_2021-10-04989829.bat.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3924

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\qHBYWHQISskoYw" /XML "C:\Users\Admin\AppData\Local\Temp\tmpA535.tmp"
2⤵
- Creates scheduled task(s)
PID:1400

C:\Users\Admin\AppData\Local\Temp\SECOND-STATEMENT OF ACCOUNT_2021-10-04989829.bat.exe
"C:\Users\Admin\AppData\Local\Temp\SECOND-STATEMENT OF ACCOUNT_2021-10-04989829.bat.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:1436

C:\Users\Admin\AppData\Local\Temp\for 176.126.86.243.exe
"C:\Users\Admin\AppData\Local\Temp\for 176.126.86.243.exe"
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4388

C:\ProgramData\microsoftupdate.exe
"C:\ProgramData\microsoftupdate.exe"
4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3880

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe"
5⤵
PID:3628

C:\Users\Admin\AppData\Local\Temp\BTC STEALER.exe
"C:\Users\Admin\AppData\Local\Temp\BTC STEALER.exe"
3⤵
- Executes dropped EXE
- Drops startup file
- Adds Run key to start application
- Checks whether UAC is enabled
PID:2760

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.180.0905.0007\FileSyncConfig.exe
"C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.180.0905.0007\FileSyncConfig.exe"
1⤵
- Modifies registry class
PID:4988

C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeC2RClient.exe
"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeC2RClient.exe" /frequentupdate SCHEDULEDTASK displaylevel=False
1⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:3168

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Registry Run Keys / Startup Folder

2

T1060

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\microsoftupdate.exe
MD5
bd5f146a5f4796e27868d4ca83dae4ee

SHA1
cfa2a086c52c94d387c0ab19b514881b47ab4490

SHA256
066c455fdfc44d36695e2e0a97c41c25e8d2d21a90576f649159b16af4ffd860

SHA512
5f2cfffde1a60fc3810330304611c39b8350fdc7b87e5e0e2a4186647ab8a68ca23cd5259bc3672db0c3505ff9fcccad5797f511531a7eabc6bc56b705e129a4

Download Submit
C:\ProgramData\microsoftupdate.exe
MD5
bd5f146a5f4796e27868d4ca83dae4ee

SHA1
cfa2a086c52c94d387c0ab19b514881b47ab4490

SHA256
066c455fdfc44d36695e2e0a97c41c25e8d2d21a90576f649159b16af4ffd860

SHA512
5f2cfffde1a60fc3810330304611c39b8350fdc7b87e5e0e2a4186647ab8a68ca23cd5259bc3672db0c3505ff9fcccad5797f511531a7eabc6bc56b705e129a4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\SECOND-STATEMENT OF ACCOUNT_2021-10-04989829.bat.exe.log
MD5
0c2899d7c6746f42d5bbe088c777f94c

SHA1
622f66c5f7a3c91b28a9f43ce7c6cabadbf514f1

SHA256
5b0b99740cadaeff7b9891136644b396941547e20cc7eea646560d0dad5a5458

SHA512
ab7a3409ed4b6ca00358330a3aa4ef6de7d81eb21a5e24bb629ef6a7c7c4e2a70ca3accfbc989ed6e495fdb8eb6203a26d6f2a37b2a5809af4276af375b49078

Download Submit
C:\Users\Admin\AppData\Local\Temp\BTC STEALER.exe
MD5
2c97c34c375bd1fe92a6ff4c272c2096

SHA1
af1b4c20af78ce0247d69a8bddaa6234a02692ef

SHA256
321c0146561f0448a08d290535bdcc7e8fb606648ab6b5be5330e7fdc2866427

SHA512
99b9599a27b151a5c8cf960feb9c1696312a8b3c4f1397744c6d6891af773fc5708acac9ddad8a968ef0badb7f5905eddd2a3c75d3d5170ad33bbf5012904235

Download Submit
C:\Users\Admin\AppData\Local\Temp\BTC STEALER.exe
MD5
2c97c34c375bd1fe92a6ff4c272c2096

SHA1
af1b4c20af78ce0247d69a8bddaa6234a02692ef

SHA256
321c0146561f0448a08d290535bdcc7e8fb606648ab6b5be5330e7fdc2866427

SHA512
99b9599a27b151a5c8cf960feb9c1696312a8b3c4f1397744c6d6891af773fc5708acac9ddad8a968ef0badb7f5905eddd2a3c75d3d5170ad33bbf5012904235

Download Submit
C:\Users\Admin\AppData\Local\Temp\for 176.126.86.243.exe
MD5
bd5f146a5f4796e27868d4ca83dae4ee

SHA1
cfa2a086c52c94d387c0ab19b514881b47ab4490

SHA256
066c455fdfc44d36695e2e0a97c41c25e8d2d21a90576f649159b16af4ffd860

SHA512
5f2cfffde1a60fc3810330304611c39b8350fdc7b87e5e0e2a4186647ab8a68ca23cd5259bc3672db0c3505ff9fcccad5797f511531a7eabc6bc56b705e129a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\for 176.126.86.243.exe
MD5
bd5f146a5f4796e27868d4ca83dae4ee

SHA1
cfa2a086c52c94d387c0ab19b514881b47ab4490

SHA256
066c455fdfc44d36695e2e0a97c41c25e8d2d21a90576f649159b16af4ffd860

SHA512
5f2cfffde1a60fc3810330304611c39b8350fdc7b87e5e0e2a4186647ab8a68ca23cd5259bc3672db0c3505ff9fcccad5797f511531a7eabc6bc56b705e129a4

Download Submit
memory/1400-125-0x0000000000000000-mapping.dmp

Download
memory/1436-127-0x000000000042E77E-mapping.dmp

Download
memory/1436-126-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1436-132-0x0000000005670000-0x0000000005671000-memory.dmp

Filesize
4KB

Download
memory/2760-136-0x0000000000000000-mapping.dmp

Download
memory/2760-139-0x00000000007E0000-0x00000000007E2000-memory.dmp

Filesize
8KB

Download
memory/2760-144-0x00000000007E2000-0x00000000007E4000-memory.dmp

Filesize
8KB

Download
memory/3628-145-0x00000000025B0000-0x00000000025B1000-memory.dmp

Filesize
4KB

Download
memory/3628-143-0x0000000000000000-mapping.dmp

Download
memory/3880-140-0x0000000000000000-mapping.dmp

Download
memory/3924-123-0x0000000008080000-0x00000000080D3000-memory.dmp

Filesize
332KB

Download
memory/3924-115-0x0000000000700000-0x0000000000701000-memory.dmp

Filesize
4KB

Download
memory/3924-119-0x0000000004FA0000-0x000000000549E000-memory.dmp

Filesize
5.0MB

Download
memory/3924-124-0x00000000083A0000-0x00000000083A1000-memory.dmp

Filesize
4KB

Download
memory/3924-122-0x0000000005270000-0x000000000527A000-memory.dmp

Filesize
40KB

Download
memory/3924-118-0x0000000005040000-0x0000000005041000-memory.dmp

Filesize
4KB

Download
memory/3924-117-0x00000000054A0000-0x00000000054A1000-memory.dmp

Filesize
4KB

Download
memory/3924-120-0x0000000004FE0000-0x0000000004FE1000-memory.dmp

Filesize
4KB

Download
memory/3924-121-0x0000000007FE0000-0x0000000007FE1000-memory.dmp

Filesize
4KB

Download
memory/4388-133-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads