Analysis
- max time kernel: 131s
- max time network: 169s
- platform: windows7_x64
- resource: win7-20220414-en
- submitted: 21-05-2022 11:54
Tasks in this submission (this page is the report for the win7-20220414-en run of Invoice & Packing list EGLV003090032432.scr, i.e. behavioral3; the target, platform and resource above identify it):
- Static task static1
- Behavioral task behavioral1: ISF form == 20030316 M#EGLV003090032432.scr on win7-20220414-en
- Behavioral task behavioral2: ISF form == 20030316 M#EGLV003090032432.scr on win10v2004-20220414-en
- Behavioral task behavioral3: Invoice & Packing list EGLV003090032432.scr on win7-20220414-en
- Behavioral task behavioral4: Invoice & Packing list EGLV003090032432.scr on win10v2004-20220414-en
- Behavioral task behavioral5: VGM ==#EGLV003090032432.scr on win7-20220414-en
- Behavioral task behavioral6: VGM ==#EGLV003090032432.scr on win10v2004-20220414-en
General
- Target: Invoice & Packing list EGLV003090032432.scr
- Size: 571KB
- MD5: 165255e7fef985bb6a76cdd5dc0f3efe
- SHA1: 4d4f455814cb607ae530fa589c6d1d3ed9e4173d
- SHA256: 3266b45cbefcbd64ebc0b8e2a120a98e5fd72b94135c33a2f36aa510d9dbc207
- SHA512: 10bfa4823ab3207b6a2ee0f9ddc0163ae7f5ebf12bf8589a9c2c72c59b31426b31699baacbf0b57ea4aeea897e8bf28cb9c3ffc4863b2c0ebba2e64ce636f818
Malware Config
Signatures
- WarzoneRat, AveMaria
  WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
- Executes dropped EXE (2 IoCs)
  pid 1600 images.exe
  pid 112 images.exe
- Loads dropped DLL (2 IoCs)
  pid 1944 Invoice & Packing list EGLV003090032432.scr
  pid 1944 Invoice & Packing list EGLV003090032432.scr
- Adds Run key to start application (2 TTPs, 1 IoC)
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Images = "C:\\ProgramData\\images.exe", written by Invoice & Packing list EGLV003090032432.scr (pid 1944)
  This is the machine-wide HKLM Run key seen through its WOW64 view (the 32-bit process addresses it as HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run). Writing HKLM needs elevated rights, which the analysis VM's Admin user evidently had; the value name "Images" and the target C:\ProgramData\images.exe are the host-side indicators to hunt for.
- Suspicious use of SetThreadContext (2 IoCs)
  PID 1312 (Invoice & Packing list EGLV003090032432.scr) set thread context of 1944 (Invoice & Packing list EGLV003090032432.scr)
  PID 1600 (images.exe) set thread context of 112 (images.exe)
- Suspicious behavior: EnumeratesProcesses (4 IoCs)
  pid 1312 Invoice & Packing list EGLV003090032432.scr
  pid 1600 images.exe
  pid 1796 powershell.exe
  pid 1360 powershell.exe
- Suspicious behavior: MapViewOfSection (2 IoCs)
  pid 1312 Invoice & Packing list EGLV003090032432.scr
  pid 1600 images.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Token: SeDebugPrivilege, pid 1796 powershell.exe
  Token: SeDebugPrivilege, pid 1360 powershell.exe
- Suspicious use of WriteProcessMemory (26 IoCs)
  PID 1312 (Invoice & Packing list EGLV003090032432.scr) wrote to memory of 1944 (Invoice & Packing list EGLV003090032432.scr), 4 times
  PID 1944 (Invoice & Packing list EGLV003090032432.scr) wrote to memory of 1796 (powershell.exe), 4 times
  PID 1944 (Invoice & Packing list EGLV003090032432.scr) wrote to memory of 1600 (images.exe), 4 times
  PID 1600 (images.exe) wrote to memory of 112 (images.exe), 4 times
  PID 112 (images.exe) wrote to memory of 1360 (powershell.exe), 4 times
  PID 112 (images.exe) wrote to memory of 476 (cmd.exe), 6 times
  Four writes into each freshly created child (powershell.exe, cmd.exe, images.exe) are consistent with ordinary process creation and are not by themselves an injection indicator. The injection evidence is the two parent/child pairs that combine WriteProcessMemory with SetThreadContext and MapViewOfSection on a child running the same image: 1312 into 1944, and 1600 into 112. That is the self-hollowing (RunPE) pattern: a suspended copy of the binary is started, the payload is written into it, and its thread context is redirected before resume. Each hollowed copy then spawns powershell.exe to add a Defender exclusion for the whole C:\ drive (see the process tree).
Processes (PIDs taken from the signature records; indentation shows parent/child; /S is the standard switch Windows passes when it launches a .scr screensaver)
- PID 1312: C:\Users\Admin\AppData\Local\Temp\Invoice & Packing list EGLV003090032432.scr
  command line: "C:\Users\Admin\AppData\Local\Temp\Invoice & Packing list EGLV003090032432.scr" /S
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  - PID 1944: C:\Users\Admin\AppData\Local\Temp\Invoice & Packing list EGLV003090032432.scr (hollowed copy of 1312)
    command line: "C:\Users\Admin\AppData\Local\Temp\Invoice & Packing list EGLV003090032432.scr" /S
    - Loads dropped DLL
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    - PID 1796: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      command line: powershell Add-MpPreference -ExclusionPath C:\
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
    - PID 1600: C:\ProgramData\images.exe
      command line: "C:\ProgramData\images.exe"
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of WriteProcessMemory
      - PID 112: C:\ProgramData\images.exe (hollowed copy of 1600)
        command line: "C:\ProgramData\images.exe"
        - Executes dropped EXE
        - Suspicious use of WriteProcessMemory
        - PID 1360: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          command line: powershell Add-MpPreference -ExclusionPath C:\
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
        - PID 476: C:\Windows\SysWOW64\cmd.exe
          command line: "C:\Windows\System32\cmd.exe"
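The chain above is easy to misread if every WriteProcessMemory hit is treated as injection. The following script is an added example, not part of the Triage report or of the sample: it transcribes the page's own process tree and signature records into Python structures (that transcription is the only constructed input) and derives the three findings a triager wants from them: which parent/child pairs are true hollowing pairs (write plus SetThreadContext on a same-image child), which command lines add a Defender exclusion, and what the Run key points at and which processes actually ran that target. The ATT&CK IDs in the comments are the standard ones for those techniques and are not taken from the page.

```python
"""Derive hollowing, persistence and defence-evasion findings from sandbox IoC records.

Added example. The data below is a hand transcription of the Signatures and
Processes sections of this report; nothing else is assumed.
"""
import re
from collections import Counter

# pid -> (image name, command line), from the Processes tree on the page.
PROCESSES = {
    1312: ("Invoice & Packing list EGLV003090032432.scr",
           '"C:\\Users\\Admin\\AppData\\Local\\Temp\\Invoice & Packing list EGLV003090032432.scr" /S'),
    1944: ("Invoice & Packing list EGLV003090032432.scr",
           '"C:\\Users\\Admin\\AppData\\Local\\Temp\\Invoice & Packing list EGLV003090032432.scr" /S'),
    1796: ("powershell.exe", "powershell Add-MpPreference -ExclusionPath C:\\"),
    1600: ("images.exe", '"C:\\ProgramData\\images.exe"'),
    112: ("images.exe", '"C:\\ProgramData\\images.exe"'),
    1360: ("powershell.exe", "powershell Add-MpPreference -ExclusionPath C:\\"),
    476: ("cmd.exe", '"C:\\Windows\\System32\\cmd.exe"'),
}

# Cross-process API records from the Signatures section: (source pid, api, target pid, count).
API_EVENTS = [
    (1312, "WriteProcessMemory", 1944, 4),
    (1944, "WriteProcessMemory", 1796, 4),
    (1944, "WriteProcessMemory", 1600, 4),
    (1600, "WriteProcessMemory", 112, 4),
    (112, "WriteProcessMemory", 1360, 4),
    (112, "WriteProcessMemory", 476, 6),
    (1312, "SetThreadContext", 1944, 1),
    (1600, "SetThreadContext", 112, 1),
]

# Registry write from the "Adds Run key" signature: (pid, key path, value name, data).
REGISTRY_WRITES = [
    (1944, "\\REGISTRY\\MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Run",
     "Images", "C:\\ProgramData\\images.exe"),
]


def hollowing_pairs(events, processes):
    """(src, dst) pairs where src both wrote into dst and set dst's thread context, and both
    run the same image: the RunPE / self-hollowing pattern (T1055.012). A parent that only
    writes into a freshly created child (cmd.exe, powershell.exe here) is not flagged."""
    writers = {(s, d) for s, api, d, _ in events if api == "WriteProcessMemory"}
    ctx = {(s, d) for s, api, d, _ in events if api == "SetThreadContext"}
    return [(s, d) for s, d in sorted(writers & ctx)
            if processes[s][0].lower() == processes[d][0].lower()]


def write_counts(events):
    """Total WriteProcessMemory IoCs and the per-target breakdown (the page reports 26)."""
    per_target = Counter()
    for s, api, d, n in events:
        if api == "WriteProcessMemory":
            per_target[d] += n
    return sum(per_target.values()), dict(per_target)


_EXCLUSION = re.compile(r"Add-MpPreference\s+-ExclusionPath\s+(\S+)", re.IGNORECASE)


def defender_exclusions(processes):
    """(pid, path) for every command line that adds a Defender exclusion (T1562.001)."""
    hits = []
    for pid, (_, cmdline) in processes.items():
        m = _EXCLUSION.search(cmdline)
        if m:
            hits.append((pid, m.group(1)))
    return hits


def run_key_persistence(registry_writes, processes):
    """Autostart values written under a ...\\CurrentVersion\\Run key (T1547.001), together
    with the PIDs whose command line launched the same target, so persistence can be tied
    to the execution chain rather than reported in isolation."""
    hits = []
    for pid, key, name, data in registry_writes:
        if key.rstrip("\\").lower().endswith("\\currentversion\\run"):
            launched = [p for p, (_, c) in processes.items() if data.lower() in c.lower()]
            hits.append({"pid": pid, "image": processes[pid][0], "value": name,
                         "target": data, "launched": launched})
    return hits


def summarize():
    """One dict with the findings a triager would put at the top of the report."""
    return {
        "hollowing": hollowing_pairs(API_EVENTS, PROCESSES),
        "write_ioc_total": write_counts(API_EVENTS)[0],
        "exclusions": defender_exclusions(PROCESSES),
        "persistence": run_key_persistence(REGISTRY_WRITES, PROCESSES),
    }


if __name__ == "__main__":
    for name, finding in summarize().items():
        print(f"{name}: {finding}")
```

The exclusion regex takes a single unquoted token, which is enough for the `C:\` seen here; a quoted path with spaces would need the quoted form handled as well. The same-image test in `hollowing_pairs` is deliberately strict: dropping it would also catch hollowing of a different host binary (for example a copy of a system executable), but for this report it keeps the output to the two pairs the SetThreadContext and MapViewOfSection records already point at.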
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\ProgramData\images.exe (listed three times under this path and twice as \ProgramData\images.exe; all five entries are the same file)
  Filesize: 571KB
  MD5: 165255e7fef985bb6a76cdd5dc0f3efe
  SHA1: 4d4f455814cb607ae530fa589c6d1d3ed9e4173d
  SHA256: 3266b45cbefcbd64ebc0b8e2a120a98e5fd72b94135c33a2f36aa510d9dbc207
  SHA512: 10bfa4823ab3207b6a2ee0f9ddc0163ae7f5ebf12bf8589a9c2c72c59b31426b31699baacbf0b57ea4aeea897e8bf28cb9c3ffc4863b2c0ebba2e64ce636f818
  Size and all four hashes are identical to the submitted target: the sample copies itself unchanged to C:\ProgramData\images.exe, which is also what the Run key points at. Hunting on the original hashes therefore covers the persisted copy as well.
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
  Filesize: 7KB
  MD5: ffed901eff6e5167adb3f640dea958ad
  SHA1: 401e4e5f0e77f43e3d98fde4b863af1a13014313
  SHA256: 712e8cf6dd4d7ec7c69bcd24ba0558f9c9b3a8fd6678b42d56d03b972b3cb8c4
  SHA512: 177b994ede186f8b3f8c38a7844c38a0b13188e9e1c4a9ef3ef30c3abf741cbfde0307a0e9c42921c35a663db5a10cdc7cc5dd6bd6e83ac3d637e8f6cb96591d
  This is a Windows jump-list (Recent items) file maintained by the shell; it is a side effect of the sample being launched, not something the sample wrote, so it is not an indicator.
Memory dumps
- memory/112-66-0x0000000000405907-mapping.dmp
- memory/476-72-0x0000000000000000-mapping.dmp
- memory/476-76-0x0000000000160000-0x0000000000161000-memory.dmp (4KB)
- memory/1312-56-0x0000000000400000-0x0000000000495000-memory.dmp (596KB)
- memory/1312-54-0x0000000075AE1000-0x0000000075AE3000-memory.dmp (8KB)
- memory/1360-71-0x0000000000000000-mapping.dmp
- memory/1360-75-0x0000000074060000-0x000000007460B000-memory.dmp (5.7MB)
- memory/1600-69-0x0000000000400000-0x0000000000495000-memory.dmp (596KB)
- memory/1600-61-0x0000000000000000-mapping.dmp
- memory/1796-58-0x0000000000000000-mapping.dmp
- memory/1796-70-0x0000000074040000-0x00000000745EB000-memory.dmp (5.7MB)
- memory/1944-55-0x0000000000405907-mapping.dmp
The two hollowed children, 1944 and 112, each have a mapping dump at the same address, 0x405907, consistent with one payload being placed at the same location inside each suspended copy before its thread context is redirected there. The 596KB 0x400000-0x495000 regions in 1312 and 1600 are the mapped image of the dropper itself in the two injecting parents; the 5.7MB regions in the powershell.exe processes are their own loaded modules, not payload.