Analysis
-
max time kernel
4265086s -
max time network
149s -
platform
windows10-2004_x64 -
resource
win10v2004-en-20220112 -
submitted
17-01-2022 18:09
Static task
static1
Behavioral task
behavioral1
Sample
lionlee.exe
Resource
win7-en-20211208
windows7_x64
0 signatures
0 seconds
Behavioral task
behavioral2
Sample
lionlee.exe
Resource
win10v2004-en-20220112
windows10-2004_x64
0 signatures
0 seconds
General
-
Target
lionlee.exe
-
Size
113KB
-
MD5
3bd42085584a11f32b619102c57eba91
-
SHA1
6ece11c3efec83e33b4acc1458aa62953891c420
-
SHA256
6e0f7705c589e4fbfdd1b6c1431a675aa58b863a06448aaade026463f55024ff
-
SHA512
dba8345d5697bfe778c7737c2f8d23bcb7dc092be253055608eb32785a73d87acc49c649d633ba59eaa6bed313962838b23823fa928610e6aa65dacf451d71df
Score
10/10
Malware Config
Signatures
-
WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
-
Checks processor information in registry 2 TTPs 10 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
firefox.exefirefox.exeMusNotification.exedescription ioc process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 firefox.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature firefox.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature firefox.exe Key opened \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 MusNotification.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz firefox.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision firefox.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 firefox.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision firefox.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz MusNotification.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier firefox.exe -
Suspicious use of AdjustPrivilegeToken 6 IoCs
Processes:
MusNotification.exefirefox.exedescription pid process Token: SeShutdownPrivilege 2472 MusNotification.exe Token: SeCreatePagefilePrivilege 2472 MusNotification.exe Token: SeDebugPrivilege 3420 firefox.exe Token: SeDebugPrivilege 3420 firefox.exe Token: SeDebugPrivilege 3420 firefox.exe Token: SeDebugPrivilege 3420 firefox.exe -
Suspicious use of FindShellTrayWindow 7 IoCs
Processes:
firefox.exepid process 3420 firefox.exe 3420 firefox.exe 3420 firefox.exe 3420 firefox.exe 3420 firefox.exe 3420 firefox.exe 3420 firefox.exe -
Suspicious use of SendNotifyMessage 6 IoCs
Processes:
firefox.exepid process 3420 firefox.exe 3420 firefox.exe 3420 firefox.exe 3420 firefox.exe 3420 firefox.exe 3420 firefox.exe -
Suspicious use of SetWindowsHookEx 4 IoCs
Processes:
lionlee.exefirefox.exeTextInputHost.exepid process 3404 lionlee.exe 3420 firefox.exe 800 TextInputHost.exe 800 TextInputHost.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
firefox.exefirefox.exefirefox.exedescription pid process target process PID 2928 wrote to memory of 3420 2928 firefox.exe firefox.exe PID 2928 wrote to memory of 3420 2928 firefox.exe firefox.exe PID 2928 wrote to memory of 3420 2928 firefox.exe firefox.exe PID 2928 wrote to memory of 3420 2928 firefox.exe firefox.exe PID 2928 wrote to memory of 3420 2928 firefox.exe firefox.exe PID 2928 wrote to memory of 3420 2928 firefox.exe firefox.exe PID 2928 wrote to memory of 3420 2928 firefox.exe firefox.exe PID 2928 wrote to memory of 3420 2928 firefox.exe firefox.exe PID 2928 wrote to memory of 3420 2928 firefox.exe firefox.exe PID 3420 wrote to memory of 2992 3420 firefox.exe firefox.exe PID 3420 wrote to memory of 2992 3420 firefox.exe firefox.exe PID 4056 wrote to memory of 3860 4056 firefox.exe firefox.exe PID 4056 wrote to memory of 3860 4056 firefox.exe firefox.exe PID 4056 wrote to memory of 3860 4056 firefox.exe firefox.exe PID 4056 wrote to memory of 3860 4056 firefox.exe firefox.exe PID 4056 wrote to memory of 3860 4056 firefox.exe firefox.exe PID 4056 wrote to memory of 3860 4056 firefox.exe firefox.exe PID 4056 wrote to memory of 3860 4056 firefox.exe firefox.exe PID 4056 wrote to memory of 3860 4056 firefox.exe firefox.exe PID 4056 wrote to memory of 3860 4056 firefox.exe firefox.exe PID 3420 wrote to memory of 3816 3420 firefox.exe firefox.exe PID 3420 wrote to memory of 3816 3420 firefox.exe firefox.exe PID 3420 wrote to memory of 3816 3420 firefox.exe firefox.exe PID 3420 wrote to memory of 3816 3420 firefox.exe firefox.exe PID 3420 wrote to memory of 3816 3420 firefox.exe firefox.exe PID 3420 wrote to memory of 3816 3420 firefox.exe firefox.exe PID 3420 wrote to memory of 3816 3420 firefox.exe firefox.exe PID 3420 wrote to memory of 3816 3420 firefox.exe firefox.exe PID 3420 wrote to memory of 3816 3420 firefox.exe firefox.exe PID 3420 wrote to memory of 3816 3420 firefox.exe firefox.exe PID 3420 wrote to memory of 3816 3420 firefox.exe firefox.exe PID 3420 wrote to memory of 3816 3420 firefox.exe firefox.exe PID 3420 wrote to memory of 3816 3420 firefox.exe firefox.exe PID 3420 wrote to memory of 3816 3420 firefox.exe firefox.exe PID 3420 wrote to memory of 3816 3420 firefox.exe firefox.exe PID 3420 wrote to memory of 3816 3420 firefox.exe firefox.exe PID 3420 wrote to memory of 3816 3420 firefox.exe firefox.exe PID 3420 wrote to memory of 3816 3420 firefox.exe firefox.exe PID 3420 wrote to memory of 3816 3420 firefox.exe firefox.exe PID 3420 wrote to memory of 3816 3420 firefox.exe firefox.exe PID 3420 wrote to memory of 3816 3420 firefox.exe firefox.exe PID 3420 wrote to memory of 3816 3420 firefox.exe firefox.exe PID 3420 wrote to memory of 3816 3420 firefox.exe firefox.exe PID 3420 wrote to memory of 3816 3420 firefox.exe firefox.exe PID 3420 wrote to memory of 3816 3420 firefox.exe firefox.exe PID 3420 wrote to memory of 3816 3420 firefox.exe firefox.exe PID 3420 wrote to memory of 3816 3420 firefox.exe firefox.exe PID 3420 wrote to memory of 3816 3420 firefox.exe firefox.exe PID 3420 wrote to memory of 3816 3420 firefox.exe firefox.exe PID 3420 wrote to memory of 3816 3420 firefox.exe firefox.exe PID 3420 wrote to memory of 3816 3420 firefox.exe firefox.exe PID 3420 wrote to memory of 3816 3420 firefox.exe firefox.exe PID 3420 wrote to memory of 3816 3420 firefox.exe firefox.exe PID 3420 wrote to memory of 3816 3420 firefox.exe firefox.exe PID 3420 wrote to memory of 3816 3420 firefox.exe firefox.exe PID 3420 wrote to memory of 3816 3420 firefox.exe firefox.exe PID 3420 wrote to memory of 3816 3420 firefox.exe firefox.exe PID 3420 wrote to memory of 3816 3420 firefox.exe firefox.exe PID 3420 wrote to memory of 3816 3420 firefox.exe firefox.exe PID 3420 wrote to memory of 3816 3420 firefox.exe firefox.exe PID 3420 wrote to memory of 3816 3420 firefox.exe firefox.exe PID 3420 wrote to memory of 3816 3420 firefox.exe firefox.exe PID 3420 wrote to memory of 3816 3420 firefox.exe firefox.exe PID 3420 wrote to memory of 3688 3420 firefox.exe firefox.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\lionlee.exe"C:\Users\Admin\AppData\Local\Temp\lionlee.exe"1⤵
- Suspicious use of SetWindowsHookEx
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe"2⤵
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3420.0.2064712935\1618862006" -parentBuildID 20200403170909 -prefsHandle 1708 -prefMapHandle 1672 -prefsLen 1 -prefMapSize 219766 -appdir "C:\Program Files\Mozilla Firefox\browser" - 3420 "\\.\pipe\gecko-crash-server-pipe.3420" 1808 gpu3⤵
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3420.3.987516435\1947579790" -childID 1 -isForBrowser -prefsHandle 2564 -prefMapHandle 2496 -prefsLen 78 -prefMapSize 219766 -parentBuildID 20200403170909 -appdir "C:\Program Files\Mozilla Firefox\browser" - 3420 "\\.\pipe\gecko-crash-server-pipe.3420" 1568 tab3⤵
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3420.13.1503772868\1890967815" -childID 2 -isForBrowser -prefsHandle 3088 -prefMapHandle 3332 -prefsLen 6935 -prefMapSize 219766 -parentBuildID 20200403170909 -appdir "C:\Program Files\Mozilla Firefox\browser" - 3420 "\\.\pipe\gecko-crash-server-pipe.3420" 3344 tab3⤵
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3420.20.1305996982\1822447223" -childID 3 -isForBrowser -prefsHandle 4820 -prefMapHandle 4800 -prefsLen 7797 -prefMapSize 219766 -parentBuildID 20200403170909 -appdir "C:\Program Files\Mozilla Firefox\browser" - 3420 "\\.\pipe\gecko-crash-server-pipe.3420" 4656 tab3⤵
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3420.27.769320869\1403959081" -childID 4 -isForBrowser -prefsHandle 4588 -prefMapHandle 4580 -prefsLen 7863 -prefMapSize 219766 -parentBuildID 20200403170909 -appdir "C:\Program Files\Mozilla Firefox\browser" - 3420 "\\.\pipe\gecko-crash-server-pipe.3420" 4548 tab3⤵
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe"2⤵
- Checks processor information in registry
-
C:\Windows\system32\MusNotification.exeC:\Windows\system32\MusNotification.exe1⤵
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca1⤵
- Suspicious use of SetWindowsHookEx