Overview

overview

10

Static

static

Perfectly ...ch.exe

windows7_x64

10

Perfectly ...ch.exe

windows10_x64

10

Analysis

  • max time kernel
    143s
  • max time network
    146s
  • platform
    windows10_x64
  • resource
    win10-en-20211208
  • submitted
    11-12-2021 20:10

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Perfectly Clear Workbench.exe

  • Size

    22.7MB

  • MD5

    07c8ab309a013e4786c9587db7a65bdf

  • SHA1

    ef8ab1daf015590cf14ce47a350a99c82b71d125

  • SHA256

    9f9f34da4353b46d4b59673ac0520cdf7bd5a513c0590dfde99363cf5f1db657

  • SHA512

    ef392d50539d36eac9609ffcd76a68fa2e18b9fde03e2f8d4554a557e1bd093129aae302211b0ccd04f39b277feff7067cf0bf33b34604e0ab5a3f8d34dfadf2

Score
10/10
warzoneratwebmonitorbackdoorinfostealerpersistenceratupx

Malware Config

Extracted

Family

warzonerat

C2

95.168.173.176:5200

Signatures

  • Modifies WinLogon for persistence 2 TTPs 1 IoCs
    persistence
  • RevcodeRat, WebMonitorRat

    WebMonitor is a remote access tool that you can use from any browser access to control, and monitor your phones, or PCs.

    backdoorratinfostealerwebmonitor
  • WarzoneRat, AveMaria

    WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.

    ratinfostealerwarzonerat
  • WebMonitor Payload 2 IoCs
  • Executes dropped EXE 2 IoCs
  • UPX packed file 8 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Adds Run key to start application 2 TTPs 16 IoCs
    persistence
  • Suspicious use of SetThreadContext 6 IoCs
  • Drops file in Windows directory 3 IoCs
  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 9 IoCs
  • Suspicious use of FindShellTrayWindow 64 IoCs
  • Suspicious use of SendNotifyMessage 64 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 52 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Perfectly Clear Workbench.exe
    "C:\Users\Admin\AppData\Local\Temp\Perfectly Clear Workbench.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious behavior: MapViewOfSection
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1860
    • C:\Users\Admin\AppData\Local\Temp\IDMan.exe
      C:\Users\Admin\AppData\Local\Temp\IDMan.exe
      2⤵
      • Executes dropped EXE
      PID:2708
    • C:\Windows\Microsoft.NET\Framework\v2.0.50727\regasm.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\regasm.exe"
      2⤵
        PID:1540
      • C:\Windows\Microsoft.NET\Framework\v2.0.50727\regasm.exe
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\regasm.exe"
        2⤵
        • Modifies WinLogon for persistence
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:916
        • C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
          "C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe"
          3⤵
          • Adds Run key to start application
          • Suspicious use of SetThreadContext
          • Drops file in Windows directory
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:1040
          • C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
            -d 56007 TCP
            4⤵
              PID:3060
            • C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
              -a 10.127.0.186 56007 56007 TCP
              4⤵
                PID:2104
              • C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
                -d 56008 TCP
                4⤵
                  PID:2624
                • C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
                  -a 10.127.0.186 56008 56008 TCP
                  4⤵
                    PID:1504
                  • C:\odt\212.exe
                    "C:\odt\212.exe"
                    4⤵
                    • Executes dropped EXE
                    • Suspicious use of AdjustPrivilegeToken
                    PID:2212
            • C:\Windows\system32\taskmgr.exe
              "C:\Windows\system32\taskmgr.exe" /4
              1⤵
              • Drops file in Windows directory
              • Checks SCSI registry key(s)
              • Checks processor information in registry
              • Modifies registry class
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious behavior: GetForegroundWindowSpam
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of FindShellTrayWindow
              • Suspicious use of SendNotifyMessage
              PID:368
            • C:\Windows\System32\rundll32.exe
              C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
              1⤵
                PID:2116

              Network

              MITRE ATT&CK Enterprise v6

              Replay Monitor

              Loading Replay Monitor...

              Downloads

              • memory/916-169-0x0000000002B01000-0x0000000002B02000-memory.dmp

                Filesize

                4KB

                Download

              • memory/916-166-0x0000000000400000-0x0000000000581000-memory.dmp

                Filesize

                1.5MB

                Download

              • memory/916-167-0x00000000009B0000-0x00000000009B1000-memory.dmp

                Filesize

                4KB

                Download

              • memory/916-168-0x0000000002B00000-0x0000000002B01000-memory.dmp

                Filesize

                4KB

                Download

              • memory/916-170-0x0000000002B04000-0x0000000002B06000-memory.dmp

                Filesize

                8KB

                Download

              • memory/1040-175-0x0000000002AE0000-0x0000000003AE0000-memory.dmp

                Filesize

                16.0MB

                Download

              • memory/1040-171-0x0000000000400000-0x00000000005F7000-memory.dmp

                Filesize

                2.0MB

                Download

              • memory/1040-173-0x0000000000400000-0x00000000005F7000-memory.dmp

                Filesize

                2.0MB

                Download

              • memory/1040-174-0x0000000000400000-0x00000000005F7000-memory.dmp

                Filesize

                2.0MB

                Download

              • memory/1860-136-0x0000000001D1E000-0x0000000001D20000-memory.dmp

                Filesize

                8KB

                Download

              • memory/1860-131-0x0000000001D1E000-0x0000000001D20000-memory.dmp

                Filesize

                8KB

                Download

              • memory/1860-142-0x0000000001D1E000-0x0000000001D20000-memory.dmp

                Filesize

                8KB

                Download

              • memory/1860-143-0x0000000001D1E000-0x0000000001D20000-memory.dmp

                Filesize

                8KB

                Download

              • memory/1860-144-0x0000000001D1B000-0x0000000001D1E000-memory.dmp

                Filesize

                12KB

                Download

              • memory/1860-147-0x0000000001D1E000-0x0000000001D20000-memory.dmp

                Filesize

                8KB

                Download

              • memory/1860-149-0x0000000001D1E000-0x0000000001D20000-memory.dmp

                Filesize

                8KB

                Download

              • memory/1860-151-0x0000000001D1B000-0x0000000001D1E000-memory.dmp

                Filesize

                12KB

                Download

              • memory/1860-155-0x0000000001D1E000-0x0000000001D20000-memory.dmp

                Filesize

                8KB

                Download

              • memory/1860-121-0x0000000001D0D000-0x0000000001D0E000-memory.dmp

                Filesize

                4KB

                Download

              • memory/1860-138-0x0000000001D1B000-0x0000000001D1E000-memory.dmp

                Filesize

                12KB

                Download

              • memory/1860-137-0x0000000001D1E000-0x0000000001D20000-memory.dmp

                Filesize

                8KB

                Download

              • memory/1860-160-0x0000000001B70000-0x0000000001CBA000-memory.dmp

                Filesize

                1.3MB

                Download

              • memory/1860-161-0x0000000001D1B000-0x0000000001D1E000-memory.dmp

                Filesize

                12KB

                Download

              • memory/1860-162-0x0000000001D1B000-0x0000000001D1E000-memory.dmp

                Filesize

                12KB

                Download

              • memory/1860-163-0x0000000001D1E000-0x0000000001D20000-memory.dmp

                Filesize

                8KB

                Download

              • memory/1860-120-0x0000000001D0D000-0x0000000001D0E000-memory.dmp

                Filesize

                4KB

                Download

              • memory/1860-165-0x0000000001B70000-0x0000000001CBA000-memory.dmp

                Filesize

                1.3MB

                Download

              • memory/1860-134-0x0000000001D1B000-0x0000000001D1E000-memory.dmp

                Filesize

                12KB

                Download

              • memory/1860-133-0x0000000001D1B000-0x0000000001D1E000-memory.dmp

                Filesize

                12KB

                Download

              • memory/1860-132-0x0000000001D1B000-0x0000000001D1E000-memory.dmp

                Filesize

                12KB

                Download

              • memory/1860-141-0x0000000001D1E000-0x0000000001D20000-memory.dmp

                Filesize

                8KB

                Download

              • memory/1860-130-0x0000000001D1E000-0x0000000001D20000-memory.dmp

                Filesize

                8KB

                Download

              • memory/1860-129-0x0000000001D19000-0x0000000001D1B000-memory.dmp

                Filesize

                8KB

                Download

              • memory/1860-127-0x0000000001D1B000-0x0000000001D1E000-memory.dmp

                Filesize

                12KB

                Download

              • memory/1860-125-0x0000000001D19000-0x0000000001D1B000-memory.dmp

                Filesize

                8KB

                Download

              • memory/1860-126-0x0000000001D0D000-0x0000000001D0E000-memory.dmp

                Filesize

                4KB

                Download

              • memory/1860-124-0x0000000001D19000-0x0000000001D1B000-memory.dmp

                Filesize

                8KB

                Download

              • memory/1860-122-0x0000000001D0D000-0x0000000001D0E000-memory.dmp

                Filesize

                4KB

                Download

              • memory/1860-123-0x0000000001D0D000-0x0000000001D0E000-memory.dmp

                Filesize

                4KB

                Download

              • memory/2212-194-0x0000000002BC4000-0x0000000002BC6000-memory.dmp

                Filesize

                8KB

                Download

              • memory/2212-196-0x000000007E6C0000-0x000000007E81E000-memory.dmp

                Filesize

                1.4MB

                Download

              • memory/2212-195-0x000000007E820000-0x000000007E821000-memory.dmp

                Filesize

                4KB

                Download

              • memory/2212-192-0x0000000002BC0000-0x0000000002BC1000-memory.dmp

                Filesize

                4KB

                Download

              • memory/2212-193-0x0000000002BC1000-0x0000000002BC2000-memory.dmp

                Filesize

                4KB

                Download

              • memory/3060-176-0x0000000000400000-0x000000000041B000-memory.dmp

                Filesize

                108KB

                Download

              • memory/3060-188-0x0000000000400000-0x000000000041B000-memory.dmp

                Filesize

                108KB

                Download

              • memory/3060-183-0x0000000000400000-0x000000000041B000-memory.dmp

                Filesize

                108KB

                Download