Analysis
-
max time kernel
148s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20220722-en -
resource tags
-
submitted
25-07-2022 00:11
General
-
Target
f2d7458e107f2ff3afadf2aab5616a260299bd40c55753cc6ae3234ebd9f5ac3.exe
-
Size
468KB
-
MD5
606529b46b36d5989d93440d0f9e85cf
-
SHA1
9dd95827086393300df86e724644038d014f7473
-
SHA256
f2d7458e107f2ff3afadf2aab5616a260299bd40c55753cc6ae3234ebd9f5ac3
-
SHA512
b97d2d3f46e769a33c2d05b5bd46e4cda845c3450d2f123fd9a4486e56b593ea79507d2d08f2add6f0449a677cd9d7bd3127f984c425e081cb7378b94ded2292
Malware Config
Extracted
warzonerat
wealthyme.warzonedns.com:5216
Signatures
-
NetWire RAT payload 1 IoCs
-
Netwire
Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
-
WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
-
Warzone RAT payload 4 IoCs
-
Executes dropped EXE 4 IoCs
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Adds Run key to start application 2 TTPs 2 IoCs
-
Drops file in Windows directory 4 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious behavior: EnumeratesProcesses 4 IoCs
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
-
Suspicious use of SetWindowsHookEx 4 IoCs
-
Suspicious use of WriteProcessMemory 26 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\f2d7458e107f2ff3afadf2aab5616a260299bd40c55753cc6ae3234ebd9f5ac3.exe"C:\Users\Admin\AppData\Local\Temp\f2d7458e107f2ff3afadf2aab5616a260299bd40c55753cc6ae3234ebd9f5ac3.exe"1⤵
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\f2d7458e107f2ff3afadf2aab5616a260299bd40c55753cc6ae3234ebd9f5ac3.exe"C:\Users\Admin\AppData\Local\Temp\f2d7458e107f2ff3afadf2aab5616a260299bd40c55753cc6ae3234ebd9f5ac3.exe"2⤵
- Checks computer location settings
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\directory\OneDrive.exe"C:\Users\Admin\directory\OneDrive.exe"3⤵
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\directory\OneDrive.exe"C:\Users\Admin\directory\OneDrive.exe"4⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\Warzonedns.exe"C:\Users\Admin\Warzonedns.exe"3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell Add-MpPreference -ExclusionPath C:\4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\ProgramData\images.exe"C:\ProgramData\images.exe"4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell Add-MpPreference -ExclusionPath C:\5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe"5⤵
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
100KB
MD50349cc83ad82303b698208de1d94a398
SHA1fc0d69a89b08de47f6f84ae598d63505c5855d9d
SHA2566b6ba8ede3ae7217dcc7fcbdd8806ae6cc707b5046da96406aa05df076675a55
SHA51245c554287a5f38c86e201d3d841e9e5b0e9973a26432b6d45965a9bb960614e12b23335965d9c13b0b92171cc81972a70919b9ff1e51b566aa368cb34ac9108a
-
Filesize
100KB
MD50349cc83ad82303b698208de1d94a398
SHA1fc0d69a89b08de47f6f84ae598d63505c5855d9d
SHA2566b6ba8ede3ae7217dcc7fcbdd8806ae6cc707b5046da96406aa05df076675a55
SHA51245c554287a5f38c86e201d3d841e9e5b0e9973a26432b6d45965a9bb960614e12b23335965d9c13b0b92171cc81972a70919b9ff1e51b566aa368cb34ac9108a
-
Filesize
2KB
MD5968cb9309758126772781b83adb8a28f
SHA18da30e71accf186b2ba11da1797cf67f8f78b47c
SHA25692099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a
SHA5124bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3
-
Filesize
18KB
MD56d2f378e1018be13a4447ff56e35b8eb
SHA1f74b23c4cf3d3248530fd17ed6e91d32d7c7b264
SHA25686e5a13a63e152bcdea481f259b13b0b0b2e3eb145e32f1186f1496bf3716fc2
SHA512252c6986617be5eb2da4882db8fc2bd4d7314b8bbbd70db3d3cc9d2ea9d8a99829ba2e810eaefcb39bdfb9793d54a08e6a87fb6cfcd4632b8a92190b6eb6fd14
-
Filesize
100KB
MD50349cc83ad82303b698208de1d94a398
SHA1fc0d69a89b08de47f6f84ae598d63505c5855d9d
SHA2566b6ba8ede3ae7217dcc7fcbdd8806ae6cc707b5046da96406aa05df076675a55
SHA51245c554287a5f38c86e201d3d841e9e5b0e9973a26432b6d45965a9bb960614e12b23335965d9c13b0b92171cc81972a70919b9ff1e51b566aa368cb34ac9108a
-
Filesize
100KB
MD50349cc83ad82303b698208de1d94a398
SHA1fc0d69a89b08de47f6f84ae598d63505c5855d9d
SHA2566b6ba8ede3ae7217dcc7fcbdd8806ae6cc707b5046da96406aa05df076675a55
SHA51245c554287a5f38c86e201d3d841e9e5b0e9973a26432b6d45965a9bb960614e12b23335965d9c13b0b92171cc81972a70919b9ff1e51b566aa368cb34ac9108a
-
Filesize
468KB
MD5606529b46b36d5989d93440d0f9e85cf
SHA19dd95827086393300df86e724644038d014f7473
SHA256f2d7458e107f2ff3afadf2aab5616a260299bd40c55753cc6ae3234ebd9f5ac3
SHA512b97d2d3f46e769a33c2d05b5bd46e4cda845c3450d2f123fd9a4486e56b593ea79507d2d08f2add6f0449a677cd9d7bd3127f984c425e081cb7378b94ded2292
-
Filesize
468KB
MD5606529b46b36d5989d93440d0f9e85cf
SHA19dd95827086393300df86e724644038d014f7473
SHA256f2d7458e107f2ff3afadf2aab5616a260299bd40c55753cc6ae3234ebd9f5ac3
SHA512b97d2d3f46e769a33c2d05b5bd46e4cda845c3450d2f123fd9a4486e56b593ea79507d2d08f2add6f0449a677cd9d7bd3127f984c425e081cb7378b94ded2292
-
Filesize
468KB
MD5606529b46b36d5989d93440d0f9e85cf
SHA19dd95827086393300df86e724644038d014f7473
SHA256f2d7458e107f2ff3afadf2aab5616a260299bd40c55753cc6ae3234ebd9f5ac3
SHA512b97d2d3f46e769a33c2d05b5bd46e4cda845c3450d2f123fd9a4486e56b593ea79507d2d08f2add6f0449a677cd9d7bd3127f984c425e081cb7378b94ded2292
-
Filesize
123B
MD56bf517432f65eb7f0d18d574bf14124c
SHA15b9f37c1dd1318ebbec3bd2f07c109eb9d22c727
SHA2566e2b70dfccabf3cc651545676a3a566c9cfae03f15f772886646abce1da35b46
SHA5127b0cb8c20034585ec8bf4b45eda5eda5993a56e24931a7426dc5a9f081ec1f82545f3e26a48a4df885c8691fc6e8026d0808aebe3cc3358ba85ddca08ac4cb06
-
Filesize
123B
MD56bf517432f65eb7f0d18d574bf14124c
SHA15b9f37c1dd1318ebbec3bd2f07c109eb9d22c727
SHA2566e2b70dfccabf3cc651545676a3a566c9cfae03f15f772886646abce1da35b46
SHA5127b0cb8c20034585ec8bf4b45eda5eda5993a56e24931a7426dc5a9f081ec1f82545f3e26a48a4df885c8691fc6e8026d0808aebe3cc3358ba85ddca08ac4cb06
-
Filesize
123B
MD56bf517432f65eb7f0d18d574bf14124c
SHA15b9f37c1dd1318ebbec3bd2f07c109eb9d22c727
SHA2566e2b70dfccabf3cc651545676a3a566c9cfae03f15f772886646abce1da35b46
SHA5127b0cb8c20034585ec8bf4b45eda5eda5993a56e24931a7426dc5a9f081ec1f82545f3e26a48a4df885c8691fc6e8026d0808aebe3cc3358ba85ddca08ac4cb06
-
Filesize
1.6MB
-
Filesize
2.0MB
-
-
Filesize
1.6MB
-
Filesize
12KB
-
Filesize
1.6MB
-
Filesize
2.0MB
-
Filesize
12KB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
12KB
-
Filesize
1.6MB
-
Filesize
12KB
-
-
Filesize
120KB
-
Filesize
200KB
-
Filesize
408KB
-
Filesize
304KB
-
Filesize
120KB
-
Filesize
6.5MB
-
Filesize
136KB
-
Filesize
216KB
-
Filesize
32KB
-
Filesize
6.2MB
-
Filesize
56KB
-
Filesize
600KB
-
Filesize
104KB
-
Filesize
40KB
-
Filesize
104KB
-
Filesize
304KB
-
Filesize
408KB
-
-
-
-
-
Filesize
492KB
-
Filesize
12KB
-
Filesize
2.0MB
-
Filesize
1.1MB
-
-
Filesize
4KB