Analysis
-
max time kernel
4265086s -
max time network
149s -
platform
windows10-2004_x64 -
resource
win10v2004-en-20220112 -
submitted
17-01-2022 18:09
General
-
Target
lionlee.exe
-
Size
113KB
-
MD5
3bd42085584a11f32b619102c57eba91
-
SHA1
6ece11c3efec83e33b4acc1458aa62953891c420
-
SHA256
6e0f7705c589e4fbfdd1b6c1431a675aa58b863a06448aaade026463f55024ff
-
SHA512
dba8345d5697bfe778c7737c2f8d23bcb7dc092be253055608eb32785a73d87acc49c649d633ba59eaa6bed313962838b23823fa928610e6aa65dacf451d71df
Score
10/10
Malware Config
Signatures
-
WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
-
Checks processor information in registry 2 TTPs 10 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Suspicious use of AdjustPrivilegeToken 6 IoCs
-
Suspicious use of FindShellTrayWindow 7 IoCs
-
Suspicious use of SendNotifyMessage 6 IoCs
-
Suspicious use of SetWindowsHookEx 4 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\lionlee.exe"C:\Users\Admin\AppData\Local\Temp\lionlee.exe"1⤵
- Suspicious use of SetWindowsHookEx
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe"2⤵
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3420.0.2064712935\1618862006" -parentBuildID 20200403170909 -prefsHandle 1708 -prefMapHandle 1672 -prefsLen 1 -prefMapSize 219766 -appdir "C:\Program Files\Mozilla Firefox\browser" - 3420 "\\.\pipe\gecko-crash-server-pipe.3420" 1808 gpu3⤵
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3420.3.987516435\1947579790" -childID 1 -isForBrowser -prefsHandle 2564 -prefMapHandle 2496 -prefsLen 78 -prefMapSize 219766 -parentBuildID 20200403170909 -appdir "C:\Program Files\Mozilla Firefox\browser" - 3420 "\\.\pipe\gecko-crash-server-pipe.3420" 1568 tab3⤵
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3420.13.1503772868\1890967815" -childID 2 -isForBrowser -prefsHandle 3088 -prefMapHandle 3332 -prefsLen 6935 -prefMapSize 219766 -parentBuildID 20200403170909 -appdir "C:\Program Files\Mozilla Firefox\browser" - 3420 "\\.\pipe\gecko-crash-server-pipe.3420" 3344 tab3⤵
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3420.20.1305996982\1822447223" -childID 3 -isForBrowser -prefsHandle 4820 -prefMapHandle 4800 -prefsLen 7797 -prefMapSize 219766 -parentBuildID 20200403170909 -appdir "C:\Program Files\Mozilla Firefox\browser" - 3420 "\\.\pipe\gecko-crash-server-pipe.3420" 4656 tab3⤵
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3420.27.769320869\1403959081" -childID 4 -isForBrowser -prefsHandle 4588 -prefMapHandle 4580 -prefsLen 7863 -prefMapSize 219766 -parentBuildID 20200403170909 -appdir "C:\Program Files\Mozilla Firefox\browser" - 3420 "\\.\pipe\gecko-crash-server-pipe.3420" 4548 tab3⤵
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe"2⤵
- Checks processor information in registry
-
C:\Windows\system32\MusNotification.exeC:\Windows\system32\MusNotification.exe1⤵
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca1⤵
- Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/800-131-0x000001745C830000-0x000001745C832000-memory.dmpFilesize
8KB
-
memory/800-132-0x000001745C830000-0x000001745C832000-memory.dmpFilesize
8KB
-
memory/3404-130-0x0000000004120000-0x00000000042C0000-memory.dmpFilesize
1.6MB