Analysis
-
max time kernel
143s -
max time network
146s -
platform
windows10_x64 -
resource
win10-en-20211208 -
submitted
11-12-2021 20:10
General
-
Target
Perfectly Clear Workbench.exe
-
Size
22.7MB
-
MD5
07c8ab309a013e4786c9587db7a65bdf
-
SHA1
ef8ab1daf015590cf14ce47a350a99c82b71d125
-
SHA256
9f9f34da4353b46d4b59673ac0520cdf7bd5a513c0590dfde99363cf5f1db657
-
SHA512
ef392d50539d36eac9609ffcd76a68fa2e18b9fde03e2f8d4554a557e1bd093129aae302211b0ccd04f39b277feff7067cf0bf33b34604e0ab5a3f8d34dfadf2
Malware Config
Extracted
warzonerat
95.168.173.176:5200
Signatures
-
Modifies WinLogon for persistence 2 TTPs 1 IoCs
-
RevcodeRat, WebMonitorRat
WebMonitor is a remote access tool that you can use from any browser access to control, and monitor your phones, or PCs.
-
WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
-
WebMonitor Payload 2 IoCs
-
Executes dropped EXE 2 IoCs
-
UPX packed file 8 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Adds Run key to start application 2 TTPs 16 IoCs
-
Suspicious use of SetThreadContext 6 IoCs
-
Drops file in Windows directory 3 IoCs
-
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Modifies registry class 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious behavior: MapViewOfSection 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 9 IoCs
-
Suspicious use of FindShellTrayWindow 64 IoCs
-
Suspicious use of SendNotifyMessage 64 IoCs
-
Suspicious use of SetWindowsHookEx 2 IoCs
-
Suspicious use of WriteProcessMemory 52 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\Perfectly Clear Workbench.exe"C:\Users\Admin\AppData\Local\Temp\Perfectly Clear Workbench.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IDMan.exeC:\Users\Admin\AppData\Local\Temp\IDMan.exe2⤵
- Executes dropped EXE
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\regasm.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\regasm.exe"2⤵
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\regasm.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\regasm.exe"2⤵
- Modifies WinLogon for persistence
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe"3⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe-d 56007 TCP4⤵
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe-a 10.127.0.186 56007 56007 TCP4⤵
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe-d 56008 TCP4⤵
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe-a 10.127.0.186 56008 56008 TCP4⤵
-
C:\odt\212.exe"C:\odt\212.exe"4⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\taskmgr.exe"C:\Windows\system32\taskmgr.exe" /41⤵
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Checks processor information in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\IDMan.exeMD5
840f6ec78053bc2351083006c19eb6ec
SHA10ea47ee5f735b227e47228332a4349dbaf951a7c
SHA256973e4e3d6328c0fc06194b424ee902673831c894a70b1e34ef48f15e5ac916af
SHA5129dc8f809b7cbc9b1742111b7c3112ff07b9c2d4cb9e7369bfc0e556e740fbe46a06cbae465807ae995b1b34e5321cf6ec219d2237cb1a53b51d97a2190419d9e
-
C:\Users\Admin\AppData\Local\Temp\IDMan.exeMD5
840f6ec78053bc2351083006c19eb6ec
SHA10ea47ee5f735b227e47228332a4349dbaf951a7c
SHA256973e4e3d6328c0fc06194b424ee902673831c894a70b1e34ef48f15e5ac916af
SHA5129dc8f809b7cbc9b1742111b7c3112ff07b9c2d4cb9e7369bfc0e556e740fbe46a06cbae465807ae995b1b34e5321cf6ec219d2237cb1a53b51d97a2190419d9e
-
C:\odt\212.exeMD5
69186cd1d038acd299c51b68dd125676
SHA1a9b55efa30e946c46b24fcc17abf8c8f1988262c
SHA25613c410fd11e6a3d033d35a7e4ed7a531fe715f011c38b1768029b4e80669d1ec
SHA512d12fed2dfba83650033d61b564eb8fbcec7e5afba3d8bc37263299f46c3984d36358ebee389065c92b3f5c4882be514193b66bcf91e06f04e68f696ee5dd1b4c
-
C:\odt\212.exeMD5
69186cd1d038acd299c51b68dd125676
SHA1a9b55efa30e946c46b24fcc17abf8c8f1988262c
SHA25613c410fd11e6a3d033d35a7e4ed7a531fe715f011c38b1768029b4e80669d1ec
SHA512d12fed2dfba83650033d61b564eb8fbcec7e5afba3d8bc37263299f46c3984d36358ebee389065c92b3f5c4882be514193b66bcf91e06f04e68f696ee5dd1b4c
-
memory/916-169-0x0000000002B01000-0x0000000002B02000-memory.dmpFilesize
4KB
-
memory/916-164-0x000000000056927E-mapping.dmp
-
memory/916-166-0x0000000000400000-0x0000000000581000-memory.dmpFilesize
1.5MB
-
memory/916-167-0x00000000009B0000-0x00000000009B1000-memory.dmpFilesize
4KB
-
memory/916-168-0x0000000002B00000-0x0000000002B01000-memory.dmpFilesize
4KB
-
memory/916-170-0x0000000002B04000-0x0000000002B06000-memory.dmpFilesize
8KB
-
memory/1040-175-0x0000000002AE0000-0x0000000003AE0000-memory.dmpFilesize
16.0MB
-
memory/1040-171-0x0000000000400000-0x00000000005F7000-memory.dmpFilesize
2.0MB
-
memory/1040-172-0x00000000005F5A70-mapping.dmp
-
memory/1040-173-0x0000000000400000-0x00000000005F7000-memory.dmpFilesize
2.0MB
-
memory/1040-174-0x0000000000400000-0x00000000005F7000-memory.dmpFilesize
2.0MB
-
memory/1504-185-0x0000000000418F40-mapping.dmp
-
memory/1860-136-0x0000000001D1E000-0x0000000001D20000-memory.dmpFilesize
8KB
-
memory/1860-131-0x0000000001D1E000-0x0000000001D20000-memory.dmpFilesize
8KB
-
memory/1860-142-0x0000000001D1E000-0x0000000001D20000-memory.dmpFilesize
8KB
-
memory/1860-143-0x0000000001D1E000-0x0000000001D20000-memory.dmpFilesize
8KB
-
memory/1860-144-0x0000000001D1B000-0x0000000001D1E000-memory.dmpFilesize
12KB
-
memory/1860-147-0x0000000001D1E000-0x0000000001D20000-memory.dmpFilesize
8KB
-
memory/1860-149-0x0000000001D1E000-0x0000000001D20000-memory.dmpFilesize
8KB
-
memory/1860-151-0x0000000001D1B000-0x0000000001D1E000-memory.dmpFilesize
12KB
-
memory/1860-155-0x0000000001D1E000-0x0000000001D20000-memory.dmpFilesize
8KB
-
memory/1860-121-0x0000000001D0D000-0x0000000001D0E000-memory.dmpFilesize
4KB
-
memory/1860-138-0x0000000001D1B000-0x0000000001D1E000-memory.dmpFilesize
12KB
-
memory/1860-137-0x0000000001D1E000-0x0000000001D20000-memory.dmpFilesize
8KB
-
memory/1860-160-0x0000000001B70000-0x0000000001CBA000-memory.dmpFilesize
1.3MB
-
memory/1860-161-0x0000000001D1B000-0x0000000001D1E000-memory.dmpFilesize
12KB
-
memory/1860-162-0x0000000001D1B000-0x0000000001D1E000-memory.dmpFilesize
12KB
-
memory/1860-163-0x0000000001D1E000-0x0000000001D20000-memory.dmpFilesize
8KB
-
memory/1860-120-0x0000000001D0D000-0x0000000001D0E000-memory.dmpFilesize
4KB
-
memory/1860-165-0x0000000001B70000-0x0000000001CBA000-memory.dmpFilesize
1.3MB
-
memory/1860-134-0x0000000001D1B000-0x0000000001D1E000-memory.dmpFilesize
12KB
-
memory/1860-133-0x0000000001D1B000-0x0000000001D1E000-memory.dmpFilesize
12KB
-
memory/1860-132-0x0000000001D1B000-0x0000000001D1E000-memory.dmpFilesize
12KB
-
memory/1860-141-0x0000000001D1E000-0x0000000001D20000-memory.dmpFilesize
8KB
-
memory/1860-130-0x0000000001D1E000-0x0000000001D20000-memory.dmpFilesize
8KB
-
memory/1860-129-0x0000000001D19000-0x0000000001D1B000-memory.dmpFilesize
8KB
-
memory/1860-127-0x0000000001D1B000-0x0000000001D1E000-memory.dmpFilesize
12KB
-
memory/1860-125-0x0000000001D19000-0x0000000001D1B000-memory.dmpFilesize
8KB
-
memory/1860-126-0x0000000001D0D000-0x0000000001D0E000-memory.dmpFilesize
4KB
-
memory/1860-124-0x0000000001D19000-0x0000000001D1B000-memory.dmpFilesize
8KB
-
memory/1860-122-0x0000000001D0D000-0x0000000001D0E000-memory.dmpFilesize
4KB
-
memory/1860-123-0x0000000001D0D000-0x0000000001D0E000-memory.dmpFilesize
4KB
-
memory/2104-179-0x0000000000418F40-mapping.dmp
-
memory/2212-194-0x0000000002BC4000-0x0000000002BC6000-memory.dmpFilesize
8KB
-
memory/2212-196-0x000000007E6C0000-0x000000007E81E000-memory.dmpFilesize
1.4MB
-
memory/2212-195-0x000000007E820000-0x000000007E821000-memory.dmpFilesize
4KB
-
memory/2212-189-0x0000000000000000-mapping.dmp
-
memory/2212-192-0x0000000002BC0000-0x0000000002BC1000-memory.dmpFilesize
4KB
-
memory/2212-193-0x0000000002BC1000-0x0000000002BC2000-memory.dmpFilesize
4KB
-
memory/2624-181-0x0000000000418F40-mapping.dmp
-
memory/2708-157-0x0000000000000000-mapping.dmp
-
memory/3060-177-0x0000000000418F40-mapping.dmp
-
memory/3060-176-0x0000000000400000-0x000000000041B000-memory.dmpFilesize
108KB
-
memory/3060-188-0x0000000000400000-0x000000000041B000-memory.dmpFilesize
108KB
-
memory/3060-183-0x0000000000400000-0x000000000041B000-memory.dmpFilesize
108KB