Overview

overview

10

Static

static

New Order.exe

windows7_x64

10

New Order.exe

windows10-2004_x64

10
General
Target

New Order.exe

Filesize

1MB

Completed

21-05-2022 18:41

Task

behavioral2

Score
10/10
MD5

fb5b35716632d1ec30f13ea6c1c8ac69

SHA1

c4a066ecb0e73b431561eb5f209af51e361f0467

SHA256

a33a4dcab1d0b4c87dc0041862aef871d365273a0baa94162ef4ff85af51c578

SHA512

c1028ab4f4830c1166ba393ac1fff986e6c6cb9ada84af54c707998342005297e3abb16129368c2420cecebd4877d11edc9dca1ed118eabe349521e58139245b

Malware Config

Extracted

Family

warzonerat
C2

79.134.225.40:5200
Signatures 9

Filter: none

Defense Evasion
Persistence
  • WarzoneRat, AveMaria

    Description

    WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.

    Tags

  • Warzone RAT Payload

    Tags

    Reported IOCs

    resourceyara_rule
    behavioral2/memory/2052-130-0x0000000000BB0000-0x0000000000D03000-memory.dmpwarzonerat
    behavioral2/memory/2052-132-0x0000000000AB0000-0x0000000000BB0000-memory.dmpwarzonerat
    behavioral2/memory/4484-157-0x0000000001030000-0x0000000001183000-memory.dmpwarzonerat
  • Executes dropped EXE
    images.exe

    Reported IOCs

    pidprocess
    4484images.exe
  • Drops startup file
    New Order.exe

    Reported IOCs

    descriptioniocprocess
    File createdC:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\programs.bat:startNew Order.exe
    File createdC:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\programs.batNew Order.exe
  • Adds Run key to start application
    New Order.exe

    Tags

    TTPs

    Registry Run Keys / Startup FolderModify Registry

    Reported IOCs

    descriptioniocprocess
    Set value (str)\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Images = "C:\\ProgramData\\images.exe"New Order.exe
  • NTFS ADS
    New Order.exe

    Reported IOCs

    descriptioniocprocess
    File createdC:\ProgramData:ApplicationDataNew Order.exe
  • Suspicious behavior: EnumeratesProcesses
    powershell.exepowershell.exe

    Reported IOCs

    pidprocess
    828powershell.exe
    828powershell.exe
    3976powershell.exe
    3976powershell.exe
  • Suspicious use of AdjustPrivilegeToken
    powershell.exepowershell.exe

    Reported IOCs

    descriptionpidprocess
    Token: SeDebugPrivilege828powershell.exe
    Token: SeDebugPrivilege3976powershell.exe
  • Suspicious use of WriteProcessMemory
    New Order.exeimages.exe

    Reported IOCs

    descriptionpidprocesstarget process
    PID 2052 wrote to memory of 8282052New Order.exepowershell.exe
    PID 2052 wrote to memory of 8282052New Order.exepowershell.exe
    PID 2052 wrote to memory of 8282052New Order.exepowershell.exe
    PID 2052 wrote to memory of 44842052New Order.exeimages.exe
    PID 2052 wrote to memory of 44842052New Order.exeimages.exe
    PID 2052 wrote to memory of 44842052New Order.exeimages.exe
    PID 4484 wrote to memory of 39764484images.exepowershell.exe
    PID 4484 wrote to memory of 39764484images.exepowershell.exe
    PID 4484 wrote to memory of 39764484images.exepowershell.exe
    PID 4484 wrote to memory of 43084484images.execmd.exe
    PID 4484 wrote to memory of 43084484images.execmd.exe
    PID 4484 wrote to memory of 43084484images.execmd.exe
    PID 4484 wrote to memory of 43084484images.execmd.exe
    PID 4484 wrote to memory of 43084484images.execmd.exe
Processes 5
  • C:\Users\Admin\AppData\Local\Temp\New Order.exe
    "C:\Users\Admin\AppData\Local\Temp\New Order.exe"
    Drops startup file
    Adds Run key to start application
    NTFS ADS
    Suspicious use of WriteProcessMemory
    PID:2052
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell Add-MpPreference -ExclusionPath C:\
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:828
    • C:\ProgramData\images.exe
      "C:\ProgramData\images.exe"
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:4484
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        powershell Add-MpPreference -ExclusionPath C:\
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        PID:3976
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe"
        PID:4308
Network
MITRE ATT&CK Matrix
Collection
    Command and Control
      Credential Access
        Defense Evasion
        Discovery
          Execution
            Exfiltration
              Impact
                Initial Access
                  Lateral Movement
                    Persistence
                    Privilege Escalation
                      Replay Monitor
                      00:00 00:00
                      Downloads

                      • C:\ProgramData\images.exe

                        MD5

                        fb5b35716632d1ec30f13ea6c1c8ac69

                        SHA1

                        c4a066ecb0e73b431561eb5f209af51e361f0467

                        SHA256

                        a33a4dcab1d0b4c87dc0041862aef871d365273a0baa94162ef4ff85af51c578

                        SHA512

                        c1028ab4f4830c1166ba393ac1fff986e6c6cb9ada84af54c707998342005297e3abb16129368c2420cecebd4877d11edc9dca1ed118eabe349521e58139245b

                        Download Submit

                      • C:\ProgramData\images.exe

                        MD5

                        fb5b35716632d1ec30f13ea6c1c8ac69

                        SHA1

                        c4a066ecb0e73b431561eb5f209af51e361f0467

                        SHA256

                        a33a4dcab1d0b4c87dc0041862aef871d365273a0baa94162ef4ff85af51c578

                        SHA512

                        c1028ab4f4830c1166ba393ac1fff986e6c6cb9ada84af54c707998342005297e3abb16129368c2420cecebd4877d11edc9dca1ed118eabe349521e58139245b

                        Download Submit

                      • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

                        MD5

                        968cb9309758126772781b83adb8a28f

                        SHA1

                        8da30e71accf186b2ba11da1797cf67f8f78b47c

                        SHA256

                        92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a

                        SHA512

                        4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

                        Download Submit

                      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                        MD5

                        b0a5824f88e32f364473ce6987c15d59

                        SHA1

                        00b2951c5c593e61ce112f08acd15acb6c2f97e0

                        SHA256

                        f448c6a7498d2559174f3cb71d0291e70380276fd7421fd7b4bf03f76736fe34

                        SHA512

                        f8f58d2275dfbfe8cc06ba35a0e777906422f6afbe20cf10dbc62c5cbc0fcdd35ab6a81eba11d7e750a813d567f91c773e94dd48068f6b115e4e14af5f4d1157

                        Download Submit

                      • memory/828-146-0x00000000061D0000-0x00000000061EE000-memory.dmp

                        Download

                      • memory/828-137-0x0000000000000000-mapping.dmp

                        Download

                      • memory/828-141-0x00000000028A0000-0x00000000028D6000-memory.dmp

                        Download

                      • memory/828-142-0x00000000053E0000-0x0000000005A08000-memory.dmp

                        Download

                      • memory/828-143-0x0000000005320000-0x0000000005342000-memory.dmp

                        Download

                      • memory/828-144-0x0000000005B00000-0x0000000005B66000-memory.dmp

                        Download

                      • memory/828-145-0x0000000005BE0000-0x0000000005C46000-memory.dmp

                        Download

                      • memory/828-155-0x0000000007810000-0x000000000782A000-memory.dmp

                        Download

                      • memory/828-147-0x00000000067A0000-0x00000000067D2000-memory.dmp

                        Download

                      • memory/828-148-0x00000000707A0000-0x00000000707EC000-memory.dmp

                        Download

                      • memory/828-149-0x0000000006780000-0x000000000679E000-memory.dmp

                        Download

                      • memory/828-150-0x0000000007B20000-0x000000000819A000-memory.dmp

                        Download

                      • memory/828-151-0x00000000074D0000-0x00000000074EA000-memory.dmp

                        Download

                      • memory/828-152-0x0000000007540000-0x000000000754A000-memory.dmp

                        Download

                      • memory/828-153-0x0000000007750000-0x00000000077E6000-memory.dmp

                        Download

                      • memory/828-154-0x0000000007700000-0x000000000770E000-memory.dmp

                        Download

                      • memory/828-156-0x00000000077F0000-0x00000000077F8000-memory.dmp

                        Download

                      • memory/2052-132-0x0000000000AB0000-0x0000000000BB0000-memory.dmp

                        Download

                      • memory/2052-130-0x0000000000BB0000-0x0000000000D03000-memory.dmp

                        Download

                      • memory/3976-163-0x0000000000000000-mapping.dmp

                        Download

                      • memory/3976-167-0x0000000070620000-0x000000007066C000-memory.dmp

                        Download

                      • memory/4308-166-0x0000000000000000-mapping.dmp

                        Download

                      • memory/4308-168-0x00000000009F0000-0x00000000009F1000-memory.dmp

                        Download

                      • memory/4484-157-0x0000000001030000-0x0000000001183000-memory.dmp

                        Download

                      • memory/4484-138-0x0000000000000000-mapping.dmp

                        Download