Analysis
- max time kernel: 134s
- max time network: 152s
- platform: windows10_x64
- resource: win10-en-20210920
- submitted: 14-10-2021 13:52
Static task: static1
Behavioral task: behavioral1 (sample invoice-2013790008755.bat.exe, resource win7-en-20210920)
Behavioral task: behavioral2 (sample invoice-2013790008755.bat.exe, resource win10-en-20210920)
General
- Target: invoice-2013790008755.bat.exe (double extension: a PE executable named to look like a batch file)
- Size: 269KB
- MD5: c37e3d75cffedf5dfd2710d0741012b8
- SHA1: e0ef0f784d7be7b19d1ebe3f37bc0380061d24eb
- SHA256: 82572bb673e848ff6622ce079dd07a8434290e44499846952ddda1819d315db3
- SHA512: c03f377264a544b2b3116b0a4036030e814b907050abd784ebe2ea9170b31c08cb0c253d077495e0b1e1266e6f02299b39d2defa7487d07af15434c9c5d90a1b
Malware Config
- Extracted family: warzonerat
- C2: 176.126.86.243:2021
Signatures
- WarzoneRat, AveMaria
  WarzoneRat (also tracked as AveMaria) is a native RAT written in C++ with multiple plugins, sold as malware-as-a-service (MaaS).
- Warzone RAT Payload (5 IoCs)
  The warzonerat YARA rule matched these memory regions (behavioral2):
  - memory/2816-125 0x0000000000400000-0x0000000000554000
  - memory/2816-126 0x0000000000405CE2 (mapping)
  - memory/2816-127 0x0000000000400000-0x0000000000554000
  - memory/1452-142 0x0000000000405CE2 (mapping)
  - memory/1452-144 0x0000000000400000-0x0000000000554000
  Both matching processes (2816 and 1452) are the targets of the SetThreadContext calls listed below, and the hits sit at the image base 0x400000: the unpacked RAT exists only inside the hollowed child processes, not in the file on disk.
- Executes dropped EXE (2 IoCs)
  - PID 1140 microsoftupdate.exe
  - PID 1452 microsoftupdate.exe
- Sets DLL path for service in the registry (2 TTPs)
  No IoC recorded. Consistent with the RDP Wrapper artifacts below, which work by pointing the TermService ServiceDll at a wrapper DLL.
- Loads dropped DLL (1 IoC)
  - PID 2172 svchost.exe (the TermService host, see the process tree)
- Adds Run key to start application (2 TTPs, 1 IoC)
  invoice-2013790008755.bat.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\windowsdefender = "C:\\ProgramData\\microsoftupdate.exe"
  (The WOW6432Node path shows a 32-bit process writing HKLM\...\Run on a 64-bit host; the value name imitates Windows Defender.)
- Modifies WinLogon (2 TTPs, 4 IoCs)
  microsoftupdate.exe:
  - Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\AllowMultipleTSSessions = "1"
  - Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts
  - Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
  - Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList\AwtlkFj = "0"
  (A UserList entry set to 0 hides the account named AwtlkFj from the logon screen and account lists; together with AllowMultipleTSSessions = 1 this is the usual setup for a hidden RDP account.)
- Drops file in System32 directory (2 IoCs)
  microsoftupdate.exe: File created C:\Windows\System32\rfxvmt.dll; File opened for modification C:\Windows\System32\rfxvmt.dll
  (rfxvmt.dll is the name of a genuine Windows RemoteFX component; the indicator is a binary running from C:\ProgramData writing it into System32.)
- Suspicious use of SetThreadContext (2 IoCs)
  - PID 2428 invoice-2013790008755.bat.exe set thread context of PID 2816 invoice-2013790008755.bat.exe
  - PID 1140 microsoftupdate.exe set thread context of PID 1452 microsoftupdate.exe
  (Each parent writes into a child running the same image and then replaces its thread context: process hollowing of a copy of itself.)
- Drops file in Program Files directory (2 IoCs)
  microsoftupdate.exe: File created C:\Program Files\Microsoft DN1\sqlmap.dll; File created C:\Program Files\Microsoft DN1\rdpwrap.ini
  (rdpwrap.ini is the configuration file of RDP Wrapper. Its presence next to a dropped DLL, the WinLogon changes above and the TermService svchost loading a dropped DLL are consistent with the sample enabling Remote Desktop access for the hidden account.)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). The sandbox labels this as likely ransomware behaviour, but it is a generic heuristic; for a RAT it is equally consistent with enumerating drives for file browsing.
- Creates scheduled task(s) (1 TTP, 2 IoCs)
  schtasks is often used by malware for persistence or to perform post-infection execution.
  - PID 2284 schtasks.exe
  - PID 1264 schtasks.exe
  (Both register the task "Updates\stXLEjB" from an XML file written to the user's Temp directory; see the process tree below.)
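The registry, file and scheduled-task indicators in the signatures above translate directly into host detection rules. The following is an added example, written for this page and not part of the report or the sandbox; it runs six such rules over event records constructed here from the report's own IoCs (paths, key names and values are the ones listed above), plus one benign Run entry for a hypothetical "Vendor" product as a control. The record shape (type, image, key, data, path, cmdline) is an assumed simplified schema, not Sysmon's real field names.

```python
"""Host detection rules for the persistence and RDP-enablement artifacts in
this report. Added example, not sandbox output; the events below are
constructed in a simplified Sysmon-like shape from the report's IoCs."""
import re
from collections import defaultdict

TEMP_PATH = re.compile(r"\\AppData\\Local\\Temp\\", re.I)
USER_WRITABLE = re.compile(r"^C:\\(ProgramData|Users)\\", re.I)
SYSTEM32_DLL = re.compile(r"^C:\\Windows\\System32\\[^\\]+\.dll$", re.I)
RUN_KEY = re.compile(r"\\CurrentVersion\\Run\\[^\\]+$", re.I)
USERLIST = re.compile(r"\\Winlogon\\SpecialAccounts\\UserList\\([^\\]+)$", re.I)

# Constructed events mirroring the report; the last one is a benign control
# with hypothetical vendor paths that should not trigger any rule.
SAMPLE_EVENTS = [
    {"type": "RegistrySet", "image": r"C:\Users\Admin\AppData\Local\Temp\invoice-2013790008755.bat.exe",
     "key": r"HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\windowsdefender",
     "data": r"C:\ProgramData\microsoftupdate.exe"},
    {"type": "RegistrySet", "image": r"C:\ProgramData\microsoftupdate.exe",
     "key": r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\AllowMultipleTSSessions", "data": "1"},
    {"type": "RegistrySet", "image": r"C:\ProgramData\microsoftupdate.exe",
     "key": r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList\AwtlkFj", "data": "0"},
    {"type": "FileCreate", "image": r"C:\ProgramData\microsoftupdate.exe", "path": r"C:\Windows\System32\rfxvmt.dll"},
    {"type": "FileCreate", "image": r"C:\ProgramData\microsoftupdate.exe", "path": r"C:\Program Files\Microsoft DN1\rdpwrap.ini"},
    {"type": "FileCreate", "image": r"C:\ProgramData\microsoftupdate.exe", "path": r"C:\Program Files\Microsoft DN1\sqlmap.dll"},
    {"type": "ProcessCreate", "image": r"C:\Windows\SysWOW64\schtasks.exe",
     "cmdline": r'"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\stXLEjB" /XML "C:\Users\Admin\AppData\Local\Temp\tmp5427.tmp"'},
    {"type": "RegistrySet", "image": r"C:\Program Files\Vendor\setup.exe",   # benign control (hypothetical)
     "key": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VendorTray",
     "data": r"C:\Program Files\Vendor\tray.exe"},
]


def run_key_to_user_writable(ev):
    """Autorun value whose target lives in ProgramData or a user profile."""
    if ev["type"] == "RegistrySet" and RUN_KEY.search(ev["key"]):
        target = ev["data"].strip('"')
        if USER_WRITABLE.match(target):
            return f'{ev["key"]} = {target}'
    return None


def winlogon_hidden_account(ev):
    """SpecialAccounts\\UserList\\<name> = 0 hides <name> from the logon UI."""
    m = ev["type"] == "RegistrySet" and USERLIST.search(ev["key"])
    if m and ev["data"] == "0":
        return m.group(1)
    return None


def winlogon_multiple_ts_sessions(ev):
    """AllowMultipleTSSessions = 1 lets several interactive sessions coexist."""
    if (ev["type"] == "RegistrySet"
            and ev["key"].lower().endswith(r"\winlogon\allowmultipletssessions")
            and ev["data"] == "1"):
        return ev["key"]
    return None


def dll_dropped_in_system32(ev):
    """A DLL written into System32 by a binary running outside C:\\Windows."""
    if (ev["type"] == "FileCreate" and SYSTEM32_DLL.match(ev["path"])
            and not ev["image"].lower().startswith("c:\\windows\\")):
        return f'{ev["image"]} -> {ev["path"]}'
    return None


def rdpwrap_config_dropped(ev):
    """rdpwrap.ini is RDP Wrapper's configuration file."""
    if ev["type"] == "FileCreate" and ev["path"].lower().endswith(r"\rdpwrap.ini"):
        return ev["path"]
    return None


def schtasks_xml_from_temp(ev):
    """schtasks /Create /XML <file> where the task definition comes from Temp."""
    if ev["type"] != "ProcessCreate" or not ev["image"].lower().endswith(r"\schtasks.exe"):
        return None
    cmd = ev["cmdline"]
    m = re.search(r'/XML\s+"?([^"]+)"?', cmd, re.I)
    if re.search(r"/Create\b", cmd, re.I) and m and TEMP_PATH.search(m.group(1)):
        return m.group(1)
    return None


RULES = [run_key_to_user_writable, winlogon_hidden_account, winlogon_multiple_ts_sessions,
         dll_dropped_in_system32, rdpwrap_config_dropped, schtasks_xml_from_temp]


def evaluate(events):
    """Map rule name -> list of evidence strings, one per matching event."""
    hits = defaultdict(list)
    for ev in events:
        for rule in RULES:
            evidence = rule(ev)
            if evidence:
                hits[rule.__name__].append(evidence)
    return dict(hits)


if __name__ == "__main__":
    for name, evidence in evaluate(SAMPLE_EVENTS).items():
        print(name, evidence)
```

Each rule on its own is a weak signal (software installers legitimately create scheduled tasks from XML, and a few products hide service accounts via UserList); the value here is that one process lineage triggers all six within seconds, so they should be correlated by image path and time window rather than alerted on individually.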
- Suspicious behavior: EnumeratesProcesses (20 IoCs)
  - PID 2428 invoice-2013790008755.bat.exe (9 times)
  - PID 1140 microsoftupdate.exe (7 times)
  - PID 2172 svchost.exe (4 times)
- Suspicious behavior: LoadsDriver (1 IoC)
  - PID 624 (process name not recorded)
- Suspicious use of AdjustPrivilegeToken (4 IoCs)
  - Token: SeDebugPrivilege, PID 2428 invoice-2013790008755.bat.exe
  - Token: SeDebugPrivilege, PID 1140 microsoftupdate.exe
  - Token: SeDebugPrivilege, PID 1452 microsoftupdate.exe
  - Token: SeAuditPrivilege, PID 2172 svchost.exe
- Suspicious use of WriteProcessMemory (39 IoCs)
  Writer -> target process (number of recorded writes):
  - PID 2428 invoice-2013790008755.bat.exe -> PID 2284 schtasks.exe (3)
  - PID 2428 invoice-2013790008755.bat.exe -> PID 2084 invoice-2013790008755.bat.exe (3)
  - PID 2428 invoice-2013790008755.bat.exe -> PID 2816 invoice-2013790008755.bat.exe (11)
  - PID 2816 invoice-2013790008755.bat.exe -> PID 1140 microsoftupdate.exe (3)
  - PID 1140 microsoftupdate.exe -> PID 1264 schtasks.exe (3)
  - PID 1140 microsoftupdate.exe -> PID 1452 microsoftupdate.exe (11)
  - PID 1452 microsoftupdate.exe -> PID 2064 cmd.exe (5)
  (Every spawned child receives a few writes, so the entries for schtasks.exe and cmd.exe are ordinary process start-up. The 11 writes each into 2816 and 1452, the two SetThreadContext targets, are the payload being mapped into the hollowed copies.)
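The WriteProcessMemory and SetThreadContext tables above are enough, on their own, to recover the hollowing chain without looking at the process tree. The script below is an added example (not sandbox output) that parses records in the exact textual shape this report uses, "PID <p> wrote to memory of <t> <p> <image> <target image>" and "PID <p> set thread context of <t> <p> <image> <target image>", correlates writes with context changes per parent/child pair, and separates injection targets from children that were merely spawned. The sample text is constructed from the report's records with the repeat counts shortened; PIDs and image names are the report's own.

```python
"""Correlate sandbox API-call records into process-hollowing chains.

Added example for this report; not sandbox output. A parent that writes into
a child running the same image and then calls SetThreadContext on it has
hollowed a suspended copy of itself, which is what 2428 -> 2816 and
1140 -> 1452 show here.
"""
import re
from collections import Counter

RECORD = re.compile(
    r"PID (?P<pid>\d+) (?P<api>wrote to memory of|set thread context of) "
    r"(?P<target>\d+) (?P=pid) (?P<image>\S+) (?P<target_image>\S+)"
)

# Constructed sample mirroring the report's records (repeat counts shortened).
SAMPLE_TEXT = """
PID 2428 wrote to memory of 2284 2428 invoice-2013790008755.bat.exe schtasks.exe
PID 2428 wrote to memory of 2084 2428 invoice-2013790008755.bat.exe invoice-2013790008755.bat.exe
PID 2428 wrote to memory of 2816 2428 invoice-2013790008755.bat.exe invoice-2013790008755.bat.exe
PID 2428 wrote to memory of 2816 2428 invoice-2013790008755.bat.exe invoice-2013790008755.bat.exe
PID 2428 wrote to memory of 2816 2428 invoice-2013790008755.bat.exe invoice-2013790008755.bat.exe
PID 2428 set thread context of 2816 2428 invoice-2013790008755.bat.exe invoice-2013790008755.bat.exe
PID 2816 wrote to memory of 1140 2816 invoice-2013790008755.bat.exe microsoftupdate.exe
PID 1140 wrote to memory of 1264 1140 microsoftupdate.exe schtasks.exe
PID 1140 wrote to memory of 1452 1140 microsoftupdate.exe microsoftupdate.exe
PID 1140 wrote to memory of 1452 1140 microsoftupdate.exe microsoftupdate.exe
PID 1140 set thread context of 1452 1140 microsoftupdate.exe microsoftupdate.exe
PID 1452 wrote to memory of 2064 1452 microsoftupdate.exe cmd.exe
"""


def parse_records(text):
    """Yield one dict per record. Works whether records sit one per line or
    are run together on a single line, as in the extracted report."""
    for m in RECORD.finditer(text):
        d = m.groupdict()
        d["pid"], d["target"] = int(d["pid"]), int(d["target"])
        yield d


def find_hollowing(text):
    """Return every (parent, child) pair that received both memory writes
    and a SetThreadContext, with image names and the write count."""
    writes, images, ctx = Counter(), {}, set()
    for r in parse_records(text):
        key = (r["pid"], r["target"])
        images[key] = (r["image"], r["target_image"])
        if r["api"].startswith("wrote"):
            writes[key] += 1
        else:
            ctx.add(key)
    findings = []
    for key in sorted(ctx):
        parent_img, child_img = images[key]
        findings.append({
            "parent": key[0], "child": key[1], "image": child_img,
            "same_image": parent_img == child_img,  # hollowing a copy of itself
            "writes": writes[key],
        })
    return findings


def written_only(text):
    """Children that were written to but never had their context replaced:
    ordinary process start-up writes, not injection targets."""
    keys = {(r["pid"], r["target"]) for r in parse_records(text)}
    hollowed = {(f["parent"], f["child"]) for f in find_hollowing(text)}
    return sorted(keys - hollowed)


if __name__ == "__main__":
    for f in find_hollowing(SAMPLE_TEXT):
        print(f"{f['parent']} hollowed {f['child']} ({f['image']}, "
              f"{f['writes']} writes, same image: {f['same_image']})")
    print("spawned only:", written_only(SAMPLE_TEXT))
```

Note that 2084, the first same-image child of 2428, is written to but never gets a new thread context; it appears in the process tree with no signatures, and this split is what tells it apart from 2816.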
Processes
(Depth is shown in brackets; PIDs are taken from the signature tables above. schtasks.exe and cmd.exe run from SysWOW64 although their command lines name System32 because the 32-bit parent is subject to WOW64 file-system redirection.)
[1] C:\Users\Admin\AppData\Local\Temp\invoice-2013790008755.bat.exe (PID 2428)
    "C:\Users\Admin\AppData\Local\Temp\invoice-2013790008755.bat.exe"
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
  [2] C:\Windows\SysWOW64\schtasks.exe (PID 2284)
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\stXLEjB" /XML "C:\Users\Admin\AppData\Local\Temp\tmp5427.tmp"
      - Creates scheduled task(s)
  [2] C:\Users\Admin\AppData\Local\Temp\invoice-2013790008755.bat.exe (PID 2084)
      "C:\Users\Admin\AppData\Local\Temp\invoice-2013790008755.bat.exe"
  [2] C:\Users\Admin\AppData\Local\Temp\invoice-2013790008755.bat.exe (PID 2816, hollowed)
      "C:\Users\Admin\AppData\Local\Temp\invoice-2013790008755.bat.exe"
      - Adds Run key to start application
      - Suspicious use of WriteProcessMemory
    [3] C:\ProgramData\microsoftupdate.exe (PID 1140)
        "C:\ProgramData\microsoftupdate.exe"
        - Executes dropped EXE
        - Suspicious use of SetThreadContext
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
      [4] C:\Windows\SysWOW64\schtasks.exe (PID 1264)
          "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\stXLEjB" /XML "C:\Users\Admin\AppData\Local\Temp\tmp310A.tmp"
          - Creates scheduled task(s)
      [4] C:\ProgramData\microsoftupdate.exe (PID 1452, hollowed)
          "C:\ProgramData\microsoftupdate.exe"
          - Executes dropped EXE
          - Modifies WinLogon
          - Drops file in System32 directory
          - Drops file in Program Files directory
          - Suspicious use of AdjustPrivilegeToken
          - Suspicious use of WriteProcessMemory
        [5] C:\Windows\SysWOW64\cmd.exe (PID 2064)
            "C:\Windows\System32\cmd.exe"
[1] \??\c:\windows\system32\svchost.exe
    c:\windows\system32\svchost.exe -k networkservice -s TermService
[1] C:\Windows\System32\svchost.exe (PID 2172)
    C:\Windows\System32\svchost.exe -k NetworkService -s TermService
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
(The TermService host being started and loading a dropped DLL after the Program Files drop is the Remote Desktop service picking up the RDP Wrapper files.)
Downloads
- C:\ProgramData\microsoftupdate.exe (listed three times in the report; the hashes are identical to the submitted sample, so the dropper copies itself to ProgramData unchanged)
  MD5: c37e3d75cffedf5dfd2710d0741012b8
  SHA1: e0ef0f784d7be7b19d1ebe3f37bc0380061d24eb
  SHA256: 82572bb673e848ff6622ce079dd07a8434290e44499846952ddda1819d315db3
  SHA512: c03f377264a544b2b3116b0a4036030e814b907050abd784ebe2ea9170b31c08cb0c253d077495e0b1e1266e6f02299b39d2defa7487d07af15434c9c5d90a1b
- \??\c:\program files\microsoft dn1\rdpwrap.ini
  MD5: dddd741ab677bdac8dcd4fa0dda05da2
  SHA1: 69d328c70046029a1866fd440c3e4a63563200f9
  SHA256: 7d5655d5ec4defc2051aa5f582fac1031b142040c8eea840ff88887fe27b7668
  SHA512: 6106252c718f7ca0486070c6f6c476bd47e6ae6a799cffd3fb437a5ce2b2a904e9cbe17342351353c594d7a8ae0ef0327752ff977dee1e69f0be7dc8e55cf4ec
- \??\c:\program files\microsoft dn1\sqlmap.dll (also listed as \Program Files\Microsoft DN1\sqlmap.dll)
  MD5: 461ade40b800ae80a40985594e1ac236
  SHA1: b3892eef846c044a2b0785d54a432b3e93a968c8
  SHA256: 798af20db39280f90a1d35f2ac2c1d62124d1f5218a2a0fa29d87a13340bd3e4
  SHA512: 421f9060c4b61fa6f4074508602a2639209032fd5df5bfc702a159e3bad5479684ccb3f6e02f3e38fb8db53839cf3f41fe58a3acad6ec1199a48dc333b2d8a26

Memory dumps (PID-index, address range, size)
- memory/1140-128 0x0000000000000000 (mapping)
- memory/1140-137 0x0000000002AC0000-0x0000000002B52000 (584KB)
- memory/1264-140 0x0000000000000000 (mapping)
- memory/1452-142 0x0000000000405CE2 (mapping)
- memory/1452-144 0x0000000000400000-0x0000000000554000 (1.3MB)
- memory/2064-145 0x0000000000000000 (mapping)
- memory/2064-146 0x0000000000B20000-0x0000000000B21000 (4KB)
- memory/2284-124 0x0000000000000000 (mapping)
- memory/2428-115 0x0000000000160000-0x0000000000161000 (4KB)
- memory/2428-117 0x0000000004EB0000-0x0000000004EB1000 (4KB)
- memory/2428-118 0x0000000004A50000-0x0000000004A51000 (4KB)
- memory/2428-119 0x00000000049F0000-0x00000000049F1000 (4KB)
- memory/2428-120 0x0000000006400000-0x0000000006405000 (20KB)
- memory/2428-121 0x0000000004970000-0x0000000004971000 (4KB)
- memory/2428-122 0x0000000006F50000-0x0000000006F51000 (4KB)
- memory/2428-123 0x00000000066E0000-0x000000000671E000 (248KB)
- memory/2816-125 0x0000000000400000-0x0000000000554000 (1.3MB)
- memory/2816-126 0x0000000000405CE2 (mapping)
- memory/2816-127 0x0000000000400000-0x0000000000554000 (1.3MB)
(The 0x400000-0x554000 dumps from 2816 and 1452 are the regions where the warzonerat rule matched; the 0x405CE2 mapping dumps lie inside that image, which is where the payload is written into each hollowed process. These are the dumps to carve for the unpacked RAT.)