Overview

overview

10

Static

static

10

SecuriteIn...77.exe

windows7_x64

3

SecuriteIn...77.exe

windows10-2004_x64

10

Analysis

  • max time kernel
    143s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220414-en
  • submitted
    02-07-2022 15:40

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    SecuriteInfo.com.Variant.Tedy.123517.9877.exe

  • Size

    1.8MB

  • MD5

    212b1e774e310dbe4e92b01854f31d53

  • SHA1

    635349bf28642a2a4b32155fe2864f6dfd51a483

  • SHA256

    d22de2ac8939c185e56867b691702abd0304adf75c2b62dbff801228bdcf0dbe

  • SHA512

    3c7be7251079c9610ddd5923307d4887746d6f43c8dcf81d82e2696726000cf8912be1530f1a388cd4520289bf0722dc270defbe23a631771a83befc2d9f689e

Score
10/10
warzoneratevasioninfostealerpersistencerattrojan

Malware Config

Extracted

Family

warzonerat

C2

workstation2022.ddns.net:5254

Signatures

  • WarzoneRat, AveMaria

    WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.

    ratinfostealerwarzonerat
  • Windows security bypass 2 TTPs 3 IoCs
    evasiontrojan
  • Grants admin privileges 1 TTPs

    Uses net.exe to modify the user's privileges.

  • Warzone RAT Payload 4 IoCs
    rat
  • Checks BIOS information in registry 2 TTPs 1 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Windows security modification 2 TTPs 4 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 3 IoCs
    persistence
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 18 IoCs
  • Suspicious use of AdjustPrivilegeToken 5 IoCs
  • Suspicious use of WriteProcessMemory 50 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Variant.Tedy.123517.9877.exe
    "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Variant.Tedy.123517.9877.exe"
    1⤵
    • Windows security bypass
    • Checks BIOS information in registry
    • Checks computer location settings
    • Windows security modification
    • Adds Run key to start application
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3124
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Variant.Tedy.123517.9877.exe" -Force
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4624
    • C:\Windows\SysWOW64\net.exe
      "C:\Windows\system32\net.exe" user ADMIN~1 SECRET@1234 /add
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2432
      • C:\Windows\SysWOW64\net1.exe
        C:\Windows\system32\net1 user ADMIN~1 SECRET@1234 /add
        3⤵
          PID:4972
      • C:\Windows\SysWOW64\net.exe
        "C:\Windows\system32\net.exe" localgroup administrators ADMIN~1 /add
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:3272
        • C:\Windows\SysWOW64\net1.exe
          C:\Windows\system32\net1 localgroup administrators ADMIN~1 /add
          3⤵
            PID:1592
        • C:\Windows\SysWOW64\net.exe
          "C:\Windows\system32\net.exe" localgroup users "Admin" /add
          2⤵
          • Suspicious use of WriteProcessMemory
          PID:4976
          • C:\Windows\SysWOW64\net1.exe
            C:\Windows\system32\net1 localgroup users "Admin" /add
            3⤵
              PID:4940
          • C:\Windows\SysWOW64\net.exe
            "C:\Windows\system32\net.exe" localgroup administrators "Admin" /del
            2⤵
            • Suspicious use of WriteProcessMemory
            PID:3320
            • C:\Windows\SysWOW64\net1.exe
              C:\Windows\system32\net1 localgroup administrators "Admin" /del
              3⤵
                PID:4692
            • C:\Windows\SysWOW64\schtasks.exe
              "C:\Windows\system32\schtasks.exe" /run /tn \Microsoft\Windows\DiskCleanup\SilentCleanup /I
              2⤵
                PID:308
              • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Public\Documents\Boehorse\svchost.exe" -Force
                2⤵
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of AdjustPrivilegeToken
                PID:1452
              • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Public\Documents\Boehorse\svchost.exe" -Force
                2⤵
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of AdjustPrivilegeToken
                PID:3684
              • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Variant.Tedy.123517.9877.exe" -Force
                2⤵
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of AdjustPrivilegeToken
                PID:2848
              • C:\Windows\SysWOW64\regedt32.exe
                "C:\Windows\SysWOW64\regedt32.exe"
                2⤵
                  PID:1128

              Network

              MITRE ATT&CK Matrix ATT&CK v6

              Initial Access

              Execution

              Persistence

              Account Manipulation

              1
              T1098

              Registry Run Keys / Startup Folder

              1
              T1060

              Privilege Escalation

              Defense Evasion

              Disabling Security Tools

              2
              T1089

              Modify Registry

              3
              T1112

              Credential Access

              Discovery

              Query Registry

              2
              T1012

              System Information Discovery

              3
              T1082

              Lateral Movement

              Collection

              Exfiltration

              Command and Control

              Impact

              Replay Monitor

              Loading Replay Monitor...

              Downloads

              • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
                Filesize

                2KB

                MD5

                968cb9309758126772781b83adb8a28f

                SHA1

                8da30e71accf186b2ba11da1797cf67f8f78b47c

                SHA256

                92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a

                SHA512

                4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

                Download Submit
              • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                Filesize

                18KB

                MD5

                5cd9282083a95352b2ae8bbcf5c0bfec

                SHA1

                898d8e87993a8a18bef68343a8894e730d6e06c7

                SHA256

                a124d40522e39a5cc156bfec06036558561c15d764abdeb57dcae94ef83b0332

                SHA512

                dce15e171c9d5194b8e89b155b20519bd3ee6ee5038345eecb284b867e5de3f80a27808d09af1919383d5d07538056f5b3d5b189dc99049b5095a710e1634f63

                Download Submit
              • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                Filesize

                18KB

                MD5

                6577418d00fa4f23e47266413ae9a751

                SHA1

                5473635edce6870e2c1cb51c3b9f845545008ce7

                SHA256

                efa81d820e6ba5a1eceabcf1292652ac114119e11981d933cab1c37e754f890d

                SHA512

                5e64f99497cdd64d80d829d94d9ec7478acc899616f0715c010cf13a94594e7027bd2eb23e4977a40d027a4e4152da0b622f26dbe4e2f38b19fc17d359352f93

                Download Submit
              • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                Filesize

                5KB

                MD5

                63bdde4fb53099c413400d589cc220e6

                SHA1

                c88bdb29dfd3a1bb7ff3f0f7ddb89b88fb2a2a4a

                SHA256

                0ed6cce2ef27bb349b02b90fa50924d20157b8071a53cda75830b1ec3c302205

                SHA512

                c42b13e87ef043e3d1932dd5cce23b8d2062ee336c22ab389b7ea2a5b0c251c18118dac6b848b9770c4c64280eada87369975a9e5f9bd78184c9ba2c0d3bd11e

                Download Submit
              • memory/308-148-0x0000000000000000-mapping.dmp
                Download
              • memory/1128-157-0x0000000000400000-0x0000000000555000-memory.dmp
                Filesize

                1.3MB

                Download
              • memory/1128-163-0x0000000000400000-0x0000000000555000-memory.dmp
                Filesize

                1.3MB

                Download
              • memory/1128-176-0x0000000000400000-0x0000000000555000-memory.dmp
                Filesize

                1.3MB

                Download
              • memory/1128-154-0x0000000000000000-mapping.dmp
                Download
              • memory/1128-155-0x0000000000400000-0x0000000000555000-memory.dmp
                Filesize

                1.3MB

                Download
              • memory/1452-149-0x0000000000000000-mapping.dmp
                Download
              • memory/1452-166-0x0000000070AF0000-0x0000000070B3C000-memory.dmp
                Filesize

                304KB

                Download
              • memory/1592-142-0x0000000000000000-mapping.dmp
                Download
              • memory/2432-138-0x0000000000000000-mapping.dmp
                Download
              • memory/2848-168-0x0000000070AF0000-0x0000000070B3C000-memory.dmp
                Filesize

                304KB

                Download
              • memory/2848-151-0x0000000000000000-mapping.dmp
                Download
              • memory/3124-152-0x00000000092F0000-0x0000000009382000-memory.dmp
                Filesize

                584KB

                Download
              • memory/3124-130-0x0000000000DE0000-0x0000000000FBA000-memory.dmp
                Filesize

                1.9MB

                Download
              • memory/3124-134-0x0000000008260000-0x00000000082C6000-memory.dmp
                Filesize

                408KB

                Download
              • memory/3124-131-0x0000000005A30000-0x0000000005ACC000-memory.dmp
                Filesize

                624KB

                Download
              • memory/3124-132-0x00000000087A0000-0x0000000008D44000-memory.dmp
                Filesize

                5.6MB

                Download
              • memory/3124-153-0x0000000008420000-0x000000000842A000-memory.dmp
                Filesize

                40KB

                Download
              • memory/3272-141-0x0000000000000000-mapping.dmp
                Download
              • memory/3320-146-0x0000000000000000-mapping.dmp
                Download
              • memory/3684-150-0x0000000000000000-mapping.dmp
                Download
              • memory/3684-167-0x0000000070AF0000-0x0000000070B3C000-memory.dmp
                Filesize

                304KB

                Download
              • memory/4624-164-0x0000000006FB0000-0x0000000006FBA000-memory.dmp
                Filesize

                40KB

                Download
              • memory/4624-170-0x0000000007280000-0x000000000729A000-memory.dmp
                Filesize

                104KB

                Download
              • memory/4624-159-0x0000000070AF0000-0x0000000070B3C000-memory.dmp
                Filesize

                304KB

                Download
              • memory/4624-160-0x00000000061E0000-0x00000000061FE000-memory.dmp
                Filesize

                120KB

                Download
              • memory/4624-161-0x0000000007580000-0x0000000007BFA000-memory.dmp
                Filesize

                6.5MB

                Download
              • memory/4624-162-0x0000000006F40000-0x0000000006F5A000-memory.dmp
                Filesize

                104KB

                Download
              • memory/4624-133-0x0000000000000000-mapping.dmp
                Download
              • memory/4624-145-0x0000000005C30000-0x0000000005C4E000-memory.dmp
                Filesize

                120KB

                Download
              • memory/4624-165-0x00000000071C0000-0x0000000007256000-memory.dmp
                Filesize

                600KB

                Download
              • memory/4624-135-0x0000000000E00000-0x0000000000E36000-memory.dmp
                Filesize

                216KB

                Download
              • memory/4624-136-0x0000000004E30000-0x0000000005458000-memory.dmp
                Filesize

                6.2MB

                Download
              • memory/4624-137-0x0000000004BD0000-0x0000000004BF2000-memory.dmp
                Filesize

                136KB

                Download
              • memory/4624-169-0x0000000007170000-0x000000000717E000-memory.dmp
                Filesize

                56KB

                Download
              • memory/4624-158-0x0000000006200000-0x0000000006232000-memory.dmp
                Filesize

                200KB

                Download
              • memory/4624-171-0x0000000007260000-0x0000000007268000-memory.dmp
                Filesize

                32KB

                Download
              • memory/4624-139-0x00000000054D0000-0x0000000005536000-memory.dmp
                Filesize

                408KB

                Download
              • memory/4692-147-0x0000000000000000-mapping.dmp
                Download
              • memory/4940-144-0x0000000000000000-mapping.dmp
                Download
              • memory/4972-140-0x0000000000000000-mapping.dmp
                Download
              • memory/4976-143-0x0000000000000000-mapping.dmp
                Download