Analysis
- Max time kernel: 114s
- Max time network: 101s
- Platform: windows7_x64
- Resource: win7-en-20210920
- Submitted: 28-10-2021 13:39

Static task: static1

Behavioral task: behavioral1
- Sample: New Order.xls.exe
- Resource: win7-en-20210920

Behavioral task: behavioral2
- Sample: New Order.xls.exe
- Resource: win10-en-20211014
General
- Target: New Order.xls.exe
- Size: 361KB
- MD5: 0f3af49aed9b20bc69abe9f3c5b36364
- SHA1: 73e825d30b8666d15b5d229e8a1f96c435bd8f9f
- SHA256: 396cf03c5637b57c3b391d5bb7b8c05fce62d23ee9df51f99669268c5be28742
- SHA512: c70e515a227571eede0072316ce28180c8883c27ea469b6fb04101253b6e1b4a6e0ffb155c87a7a869f7aedeec7240ec1416f5f5b419612117e9ff7bba9f8274
Malware Config
- Extracted family: warzonerat
- Extracted C2 host: alliedofficewarz.ddns.net:6060
Signatures

WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.

Warzone RAT Payload (4 IoCs)
Resource / Yara rule:
- behavioral1/memory/1072-56-0x0000000000000000-mapping.dmp: warzonerat
- behavioral1/memory/1072-57-0x00000000001C0000-0x0000000000314000-memory.dmp: warzonerat
- behavioral1/memory/1072-62-0x00000000001C0000-0x0000000000314000-memory.dmp: warzonerat
- behavioral1/memory/1072-68-0x00000000001C0000-0x0000000000314000-memory.dmp: warzonerat

Loads dropped DLL (1 IoC)
Processes (pid / process):
- 1592 New Order.xls.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Program crash (1 IoC)
Processes (pid / pid_target / process / target process):
- 1896 / 1072 / WerFault.exe / New Order.xls.exe

Suspicious behavior: EnumeratesProcesses (5 IoCs)
Processes (pid / process):
- 1896 WerFault.exe (5 entries)

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
Processes (pid / process):
- 1896 WerFault.exe

Suspicious use of AdjustPrivilegeToken (1 IoC)
Processes (description / pid / process):
- Token: SeDebugPrivilege / 1896 / WerFault.exe

Suspicious use of WriteProcessMemory (16 IoCs)
Processes (description / pid / process / target process):
- PID 1592 wrote to memory of 1072 / 1592 / New Order.xls.exe / New Order.xls.exe (12 entries)
- PID 1072 wrote to memory of 1896 / 1072 / New Order.xls.exe / WerFault.exe (4 entries)
Processes
1. C:\Users\Admin\AppData\Local\Temp\New Order.xls.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\New Order.xls.exe"
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\New Order.xls.exe (child of 1)
      Command line: "C:\Users\Admin\AppData\Local\Temp\New Order.xls.exe"
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\WerFault.exe (child of 2)
         Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1072 -s 200
         - Program crash
         - Suspicious behavior: EnumeratesProcesses
         - Suspicious behavior: GetForegroundWindowSpam
         - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- \Users\Admin\AppData\Local\Temp\nsd540A.tmp\sczlg.dll
  MD5: 050c40e88dc3bd1657dc0f35058a95ad
  SHA1: dcc74c0fbb382cf0eb0cc3177b17d9190635e753
  SHA256: b50a1bae00a83af133e834a25fd298f561aaf8d6f3b5e2d79622305afdeb6977
  SHA512: 9e2e8e6e9c39a8af67cfa66fc4ada5f559f4e6e82abb45d8fc4e49b284fa2728fe205ba85705448e8a02bd802c0922b3d8edccfd0cb42c7273bef2bcd5b918c9
- memory/1072-56-0x0000000000000000-mapping.dmp
- memory/1072-57-0x00000000001C0000-0x0000000000314000-memory.dmp
  Filesize: 1.3MB
- memory/1072-62-0x00000000001C0000-0x0000000000314000-memory.dmp
  Filesize: 1.3MB
- memory/1072-68-0x00000000001C0000-0x0000000000314000-memory.dmp
  Filesize: 1.3MB
- memory/1592-54-0x00000000767F1000-0x00000000767F3000-memory.dmp
  Filesize: 8KB
- memory/1896-69-0x0000000000000000-mapping.dmp
- memory/1896-70-0x0000000000480000-0x0000000000481000-memory.dmp
  Filesize: 4KB