Analysis
- Max time kernel: 137s
- Max time network: 154s
- Platform: windows10-2004_x64
- Resource: win10v2004-20220414-en
- Submitted: 05-07-2022 12:02
- Static task: static1
- Behavioral task: behavioral1 (Sample: RFQ2022-7-5F3435.exe; Resource: win7-20220414-en)
- Behavioral task: behavioral2 (Sample: RFQ2022-7-5F3435.exe; Resource: win10v2004-20220414-en)
General
- Target: RFQ2022-7-5F3435.exe
- Size: 135KB
- MD5: 583fd649413705044c36439ffa27afe0
- SHA1: 37ccdfbf77338199a059840827a0a0bfb31cc095
- SHA256: 39169117bfbe15a6b58f91a5dd98809ba251cef0f103656ba9d2168baf9052e2
- SHA512: 4bb4dd3ea197fa2dcfe153fe83b21141989fd90d6b377c480e4229540f079722ec5f32fb2549f527edc322400eaa2624e4ff5e40237b36472c11a28c771b1d30

Malware Config
- Extracted: warzonerat
- 76.8.53.133:443
Signatures

Snake Keylogger
Keylogger and Infostealer first seen in November 2020.

Snake Keylogger Payload (5 IoCs)
Resource / YARA rule:
- behavioral2/memory/3148-130-0x0000000000660000-0x00000000006BA000-memory.dmp: family_snakekeylogger
- C:\Users\Admin\AppData\Local\Temp\NKECHI.EXE: family_snakekeylogger
- C:\Users\Admin\AppData\Local\Temp\NKECHI.EXE: family_snakekeylogger
- behavioral2/memory/3148-137-0x0000000000660000-0x00000000006BA000-memory.dmp: family_snakekeylogger
- behavioral2/memory/2368-138-0x0000000000C10000-0x0000000000C36000-memory.dmp: family_snakekeylogger
WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.

Executes dropped EXE (3 IoCs)
PID / process:
- 2368 NKECHI.EXE
- 4368 NOW.EXE
- 4116 images.exe

Resource / YARA rule:
- behavioral2/memory/3148-130-0x0000000000660000-0x00000000006BA000-memory.dmp: upx
- behavioral2/memory/3148-137-0x0000000000660000-0x00000000006BA000-memory.dmp: upx
Checks computer location settings (2 TTPs, 1 IoCs)
Looks up the country code configured in the registry, likely for geofencing.
Description / IoC / process:
- Key value queried: \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation (RFQ2022-7-5F3435.exe)

Drops startup file (2 IoCs)
Description / IoC / process:
- File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\programs.bat (NOW.EXE)
- File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\programs.bat:start (NOW.EXE)

Reads data files stored by FTP clients (2 TTPs)
Tries to access configuration files associated with programs like FileZilla.

Reads user/profile data of local email clients (2 TTPs)
Email clients store some user data on disk, where infostealers will often target it.

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
Accesses Microsoft Outlook profiles (1 TTPs, 3 IoCs)
Description / IoC / process:
- Key opened: \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (NKECHI.EXE)
- Key opened: \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (NKECHI.EXE)
- Key opened: \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (NKECHI.EXE)

Looks up external IP address via web service (1 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
Flow / IoC:
- 4: checkip.dyndns.org

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

NTFS ADS (1 IoCs)
Description / IoC / process:
- File created: C:\ProgramData:ApplicationData (NOW.EXE)

Suspicious behavior: EnumeratesProcesses (5 IoCs)
PID / process:
- 2368 NKECHI.EXE
- 3168 powershell.exe
- 3168 powershell.exe
- 2260 powershell.exe
- 2260 powershell.exe

Suspicious use of AdjustPrivilegeToken (3 IoCs)
Description / PID / process:
- Token: SeDebugPrivilege, 2368 NKECHI.EXE
- Token: SeDebugPrivilege, 3168 powershell.exe
- Token: SeDebugPrivilege, 2260 powershell.exe
Suspicious use of WriteProcessMemory (26 IoCs)
Description / PID / process / target process:
- PID 3148 wrote to memory of 2368: RFQ2022-7-5F3435.exe -> NKECHI.EXE
- PID 3148 wrote to memory of 2368: RFQ2022-7-5F3435.exe -> NKECHI.EXE
- PID 3148 wrote to memory of 2368: RFQ2022-7-5F3435.exe -> NKECHI.EXE
- PID 3148 wrote to memory of 4368: RFQ2022-7-5F3435.exe -> NOW.EXE
- PID 3148 wrote to memory of 4368: RFQ2022-7-5F3435.exe -> NOW.EXE
- PID 3148 wrote to memory of 4368: RFQ2022-7-5F3435.exe -> NOW.EXE
- PID 4368 wrote to memory of 3168: NOW.EXE -> powershell.exe
- PID 4368 wrote to memory of 3168: NOW.EXE -> powershell.exe
- PID 4368 wrote to memory of 3168: NOW.EXE -> powershell.exe
- PID 4368 wrote to memory of 4028: NOW.EXE -> cmd.exe
- PID 4368 wrote to memory of 4028: NOW.EXE -> cmd.exe
- PID 4368 wrote to memory of 4028: NOW.EXE -> cmd.exe
- PID 4368 wrote to memory of 4116: NOW.EXE -> images.exe
- PID 4368 wrote to memory of 4116: NOW.EXE -> images.exe
- PID 4368 wrote to memory of 4116: NOW.EXE -> images.exe
- PID 4028 wrote to memory of 3508: cmd.exe -> reg.exe
- PID 4028 wrote to memory of 3508: cmd.exe -> reg.exe
- PID 4028 wrote to memory of 3508: cmd.exe -> reg.exe
- PID 4116 wrote to memory of 2260: images.exe -> powershell.exe
- PID 4116 wrote to memory of 2260: images.exe -> powershell.exe
- PID 4116 wrote to memory of 2260: images.exe -> powershell.exe
- PID 4116 wrote to memory of 1328: images.exe -> cmd.exe
- PID 4116 wrote to memory of 1328: images.exe -> cmd.exe
- PID 4116 wrote to memory of 1328: images.exe -> cmd.exe
- PID 4116 wrote to memory of 1328: images.exe -> cmd.exe
- PID 4116 wrote to memory of 1328: images.exe -> cmd.exe

outlook_office_path (1 IoCs)
Description / IoC / process:
- Key opened: \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (NKECHI.EXE)

outlook_win_path (1 IoCs)
Description / IoC / process:
- Key opened: \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (NKECHI.EXE)
Processes (tree; nesting shows parent/child depth)
- C:\Users\Admin\AppData\Local\Temp\RFQ2022-7-5F3435.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\RFQ2022-7-5F3435.exe"
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\NKECHI.EXE (depth 2)
    Command line: "C:\Users\Admin\AppData\Local\Temp\NKECHI.EXE"
    - Executes dropped EXE
    - Accesses Microsoft Outlook profiles
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - outlook_office_path
    - outlook_win_path
  - C:\Users\Admin\AppData\Local\Temp\NOW.EXE (depth 2)
    Command line: "C:\Users\Admin\AppData\Local\Temp\NOW.EXE"
    - Executes dropped EXE
    - Drops startup file
    - NTFS ADS
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (depth 3)
      Command line: powershell Add-MpPreference -ExclusionPath C:\
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
    - C:\Windows\SysWOW64\cmd.exe (depth 3)
      Command line: cmd.exe /c REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /f /v Load /t REG_SZ /d "C:\ProgramData\images.exe"
      - Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\reg.exe (depth 4)
        Command line: REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /f /v Load /t REG_SZ /d "C:\ProgramData\images.exe"
    - C:\ProgramData\images.exe (depth 3)
      Command line: "C:\ProgramData\images.exe"
      - Executes dropped EXE
      - Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (depth 4)
        Command line: powershell Add-MpPreference -ExclusionPath C:\
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
      - C:\Windows\SysWOW64\cmd.exe (depth 4)
        Command line: "C:\Windows\System32\cmd.exe"
Downloads