Analysis
-
max time kernel
136s -
max time network
150s -
platform
windows7_x64 -
resource
win7-20220718-en -
resource tags
arch:x64 arch:x86 image:win7-20220718-en locale:en-us os:windows7-x64 system -
submitted
25-07-2022 05:11
Static task
static1
Behavioral task
behavioral1
Sample
79f4ef61d09cc28818a90ffdd80d338f.exe
Resource
win7-20220718-en
Behavioral task
behavioral2
Sample
79f4ef61d09cc28818a90ffdd80d338f.exe
Resource
win10v2004-20220721-en
General
-
Target
79f4ef61d09cc28818a90ffdd80d338f.exe
-
Size
700KB
-
MD5
79f4ef61d09cc28818a90ffdd80d338f
-
SHA1
f3de2ce04168a7e894dcd9a3e234819b9aba21e3
-
SHA256
e616c9cb9911bcc75db23046f1b0f6a9248114c64d25c1ab5971041c0dd11798
-
SHA512
f874382fa12f0b9dc01fd842131df40b4db77c80aaf968ff5dfa523af5a627003f2431715eea52934f1dac6ff45b38420d7f93dfc705eedb0b8b7ccf25f382ee
Malware Config
Extracted
warzonerat
76.8.53.133:1198
Extracted
redline
IYKE
76.8.53.133:30308
Signatures
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 4 IoCs
Processes (resource / yara_rule):
- \Users\Admin\AppData\Local\Temp\build.exe / family_redline
- C:\Users\Admin\AppData\Local\Temp\build.exe / family_redline
- C:\Users\Admin\AppData\Local\Temp\build.exe / family_redline
- behavioral1/memory/872-86-0x0000000000990000-0x00000000009AE000-memory.dmp / family_redline
-
WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
-
suricata: ET MALWARE Ave Maria/Warzone RAT Encrypted CnC Checkin
-
suricata: ET MALWARE Ave Maria/Warzone RAT Encrypted CnC Checkin (Inbound)
-
Warzone RAT payload 4 IoCs
Processes (resource / yara_rule):
- \Users\Admin\AppData\Local\Temp\new warzone file.exe / warzonerat
- C:\Users\Admin\AppData\Local\Temp\new warzone file.exe / warzonerat
- \Users\Admin\AppData\Local\Temp\new warzone file.exe / warzonerat
- C:\Users\Admin\AppData\Local\Temp\new warzone file.exe / warzonerat
-
Executes dropped EXE 2 IoCs
Processes (pid / process):
- 1136 / new warzone file.exe
- 872 / build.exe
-
Sets DLL path for service in the registry 2 TTPs 1 IoCs
Processes (description / ioc / process):
- Set value (str) / \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\TermService\Parameters\ServiceDll = "%ProgramFiles%\\Microsoft DN1\\sqlmap.dll" / new warzone file.exe
-
Loads dropped DLL 4 IoCs
Processes (pid / process / count):
- 980 / 79f4ef61d09cc28818a90ffdd80d338f.exe / 3
- 1696 / (no process name recorded in the report) / 1
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials and other sensitive information.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Modifies WinLogon 2 TTPs 4 IoCs
Processes (description / ioc / process):
- Key created / \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList / new warzone file.exe
- Key created / \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts / new warzone file.exe
- Set value (int) / \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList\dGi..Gt = "0" / new warzone file.exe
- Set value (int) / \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\AllowMultipleTSSessions = "1" / new warzone file.exe
-
Drops file in System32 directory 1 IoCs
Processes (description / ioc / process):
- File created / C:\Windows\System32\rfxvmt.dll / new warzone file.exe
-
Suspicious use of SetThreadContext 1 IoCs
Processes (description / pid / process / target process):
- PID 1412 set thread context of 980 / 1412 / 79f4ef61d09cc28818a90ffdd80d338f.exe / 79f4ef61d09cc28818a90ffdd80d338f.exe
-
Drops file in Program Files directory 2 IoCs
Processes (description / ioc / process):
- File created / C:\Program Files\Microsoft DN1\sqlmap.dll / new warzone file.exe
- File created / C:\Program Files\Microsoft DN1\rdpwrap.ini / new warzone file.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 14 IoCs
Processes (pid / process / count):
- 1412 / 79f4ef61d09cc28818a90ffdd80d338f.exe / 10
- 1704 / powershell.exe / 1
- 872 / build.exe / 2
- 1740 / powershell.exe / 1
-
Suspicious behavior: LoadsDriver 1 IoCs
Processes (pid / process):
- 1696 / (no process name recorded in the report)
-
Suspicious use of AdjustPrivilegeToken 5 IoCs
Processes (description / pid / process):
- Token: SeDebugPrivilege / 1412 / 79f4ef61d09cc28818a90ffdd80d338f.exe
- Token: SeDebugPrivilege / 1704 / powershell.exe
- Token: SeDebugPrivilege / 872 / build.exe
- Token: SeDebugPrivilege / 1740 / powershell.exe
- Token: SeDebugPrivilege / 1136 / new warzone file.exe
-
Suspicious use of SetWindowsHookEx 1 IoCs
Processes (pid / process):
- 1136 / new warzone file.exe
-
Suspicious use of WriteProcessMemory 35 IoCs
Processes (description / pid / process / target process / count):
- PID 1412 wrote to memory of 1704 / 1412 / 79f4ef61d09cc28818a90ffdd80d338f.exe / powershell.exe / 4
- PID 1412 wrote to memory of 1364 / 1412 / 79f4ef61d09cc28818a90ffdd80d338f.exe / schtasks.exe / 4
- PID 1412 wrote to memory of 980 / 1412 / 79f4ef61d09cc28818a90ffdd80d338f.exe / 79f4ef61d09cc28818a90ffdd80d338f.exe / 9
- PID 980 wrote to memory of 1136 / 980 / 79f4ef61d09cc28818a90ffdd80d338f.exe / new warzone file.exe / 4
- PID 980 wrote to memory of 872 / 980 / 79f4ef61d09cc28818a90ffdd80d338f.exe / build.exe / 4
- PID 1136 wrote to memory of 1740 / 1136 / new warzone file.exe / powershell.exe / 4
- PID 1136 wrote to memory of 1560 / 1136 / new warzone file.exe / cmd.exe / 6
Processes
-
C:\Users\Admin\AppData\Local\Temp\79f4ef61d09cc28818a90ffdd80d338f.exe (process tree depth 1)
Command line: "C:\Users\Admin\AppData\Local\Temp\79f4ef61d09cc28818a90ffdd80d338f.exe"
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (process tree depth 2)
Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\IcpBSP.exe"
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\schtasks.exe (process tree depth 2)
Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\IcpBSP" /XML "C:\Users\Admin\AppData\Local\Temp\tmpEED2.tmp"
- Creates scheduled task(s)
-
C:\Users\Admin\AppData\Local\Temp\79f4ef61d09cc28818a90ffdd80d338f.exe (process tree depth 2)
Command line: "C:\Users\Admin\AppData\Local\Temp\79f4ef61d09cc28818a90ffdd80d338f.exe"
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\new warzone file.exe (process tree depth 3)
Command line: "C:\Users\Admin\AppData\Local\Temp\new warzone file.exe"
- Executes dropped EXE
- Sets DLL path for service in the registry
- Modifies WinLogon
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (process tree depth 4)
Command line: powershell Add-MpPreference -ExclusionPath C:\
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.exe (process tree depth 4)
Command line: "C:\Windows\System32\cmd.exe"
-
C:\Users\Admin\AppData\Local\Temp\build.exe (process tree depth 3)
Command line: "C:\Users\Admin\AppData\Local\Temp\build.exe"
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
Downloads
-
C:\Users\Admin\AppData\Local\Temp\build.exe
Filesize: 95KB
MD5: aeb7863b737358d6917750bf34d6bfaf
SHA1: 6fb9f75797adaf6d4745415d740946301c0fefc1
SHA256: 0653031df30643ea5efa30506bc0bff8ce88fc4a589f69c0260381e982e9e1d5
SHA512: c774614f96417748a766147ab03acce9e15d168fa601f84e4ed642073500f483d3d0156d17cbc8382d837b72e7042ac5ec6f2fe1e91a3105672289c299a8a2ea
-
C:\Users\Admin\AppData\Local\Temp\new warzone file.exe
Filesize: 113KB
MD5: 4c87cc90157de9ee0ded52059b79b402
SHA1: c9b439950937b47c3b1b3c71c09f82215089c5b2
SHA256: a27087a5e852d409af70e117cfe6beab449556581876daca7ed6169e27e8ddea
SHA512: 8880bc3d8ab285481f701bb5f61a43c2933e5fe09183a1414bde07817036be4302e53b48f6ccdd360e940513fb2052014856b310504218e19aea472078d68a79
-
C:\Users\Admin\AppData\Local\Temp\tmpEED2.tmp
Filesize: 1KB
MD5: a57015f08c3ca425520cb91a7b3d4d8b
SHA1: 7eb281c9a7fd5eb74a7821cb37c19139f05fc580
SHA256: bed1cd7e653ebfee015d1cc7525b9e1d1d6318b876eadc74e929ff663a8c5015
SHA512: 1f538c745edc15fa041770508a22e86e31766bad1f24bfef2272378a20088595b460aee6f00fff70c9f227549fc86d1a0c1e3e7fa755f8608f885d1672ed840d
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
Filesize: 7KB
MD5: 2e601776e4a466ba8b4b697f096d1d00
SHA1: 89e28066e04fc69a9f1063777d92a677312195a0
SHA256: 1cd06ae40fc9b1bb48b3e3847e4265e13b9cb235b3feb2b47f8b70d5ec496a60
SHA512: 088b25e69902badd66792a8032f0f38d5b4cad1987c2b140304e61ead098971e5470160e467e36e4f39ad1ffe7ba59a7dcb789c8a07a1a7b33b05988f45a7ebb
-
\Program Files\Microsoft DN1\sqlmap.dll
Filesize: 114KB
MD5: 461ade40b800ae80a40985594e1ac236
SHA1: b3892eef846c044a2b0785d54a432b3e93a968c8
SHA256: 798af20db39280f90a1d35f2ac2c1d62124d1f5218a2a0fa29d87a13340bd3e4
SHA512: 421f9060c4b61fa6f4074508602a2639209032fd5df5bfc702a159e3bad5479684ccb3f6e02f3e38fb8db53839cf3f41fe58a3acad6ec1199a48dc333b2d8a26
-
\Users\Admin\AppData\Local\Temp\build.exe
Filesize: 95KB
MD5: aeb7863b737358d6917750bf34d6bfaf
SHA1: 6fb9f75797adaf6d4745415d740946301c0fefc1
SHA256: 0653031df30643ea5efa30506bc0bff8ce88fc4a589f69c0260381e982e9e1d5
SHA512: c774614f96417748a766147ab03acce9e15d168fa601f84e4ed642073500f483d3d0156d17cbc8382d837b72e7042ac5ec6f2fe1e91a3105672289c299a8a2ea
-
\Users\Admin\AppData\Local\Temp\new warzone file.exe
Filesize: 113KB
MD5: 4c87cc90157de9ee0ded52059b79b402
SHA1: c9b439950937b47c3b1b3c71c09f82215089c5b2
SHA256: a27087a5e852d409af70e117cfe6beab449556581876daca7ed6169e27e8ddea
SHA512: 8880bc3d8ab285481f701bb5f61a43c2933e5fe09183a1414bde07817036be4302e53b48f6ccdd360e940513fb2052014856b310504218e19aea472078d68a79