Overview

overview

10

Static

static

SecuriteIn...26.exe

windows7-x64

10

SecuriteIn...26.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    99s
  • platform
    windows7_x64
  • resource
    win7-20221111-en
  • resource tags

    arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
  • submitted
    21-11-2022 11:42

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    SecuriteInfo.com.Variant.Lazy.264437.6912.26926.exe

  • Size

    727KB

  • MD5

    11fdd18da995241a7e74cc35d65de2db

  • SHA1

    fbe27c616e9d2f6b72fc40a1756ae4e4b4723ae3

  • SHA256

    6a4d569d0a0b08dfc52d10256bf3b384eaf57a3331a23b0456a109abcf772efd

  • SHA512

    bb4a0895fb234f5e90c35201a4c10b3b035e22dd4ab57d5a214d08e835cea0f49a8584f0a623a3efd389ed86bf9fb67ab2bc1f6e20eef42efd9917a84c877cd6

  • SSDEEP

    12288:KQqDi5HYIsMzxl5PMuU9M4YTIjXnhBzDwvy2HAA:NvNsqlKjXhB92H9

Score
10/10
warzoneratinfostealerpersistencerat

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 1 IoCs
    persistence
  • WarzoneRat, AveMaria

    WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.

    ratinfostealerwarzonerat
  • Warzone RAT payload 8 IoCs
    rat
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 3 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Runs ping.exe 1 TTPs 3 IoCs
  • Suspicious behavior: EnumeratesProcesses 12 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of WriteProcessMemory 48 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Variant.Lazy.264437.6912.26926.exe
    "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Variant.Lazy.264437.6912.26926.exe"
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1992
    • C:\Windows\SysWOW64\cmd.exe
      "cmd" /c ping 127.0.0.1 -n 8 > nul && REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Roaming\3wrt4gh.exe,"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:268
      • C:\Windows\SysWOW64\PING.EXE
        ping 127.0.0.1 -n 8
        3⤵
        • Runs ping.exe
        PID:1492
      • C:\Windows\SysWOW64\reg.exe
        REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Roaming\3wrt4gh.exe,"
        3⤵
        • Modifies WinLogon for persistence
        PID:1380
    • C:\Windows\SysWOW64\cmd.exe
      "cmd" /c ping 127.0.0.1 -n 20 > nul && copy "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Variant.Lazy.264437.6912.26926.exe" "C:\Users\Admin\AppData\Roaming\3wrt4gh.exe" && ping 127.0.0.1 -n 20 > nul && "C:\Users\Admin\AppData\Roaming\3wrt4gh.exe"
      2⤵
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:1308
      • C:\Windows\SysWOW64\PING.EXE
        ping 127.0.0.1 -n 20
        3⤵
        • Runs ping.exe
        PID:340
      • C:\Windows\SysWOW64\PING.EXE
        ping 127.0.0.1 -n 20
        3⤵
        • Runs ping.exe
        PID:1416
      • C:\Users\Admin\AppData\Roaming\3wrt4gh.exe
        "C:\Users\Admin\AppData\Roaming\3wrt4gh.exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:848
        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
          "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
          4⤵
            PID:1616
          • C:\Users\Admin\AppData\Local\Temp\3wrt4gh.exe
            "C:\Users\Admin\AppData\Local\Temp\3wrt4gh.exe"
            4⤵
            • Executes dropped EXE
            • Loads dropped DLL
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:1728
            • C:\Users\Admin\AppData\Local\Temp\3wrt4gh.exe
              "C:\Users\Admin\AppData\Local\Temp\3wrt4gh.exe"
              5⤵
              • Executes dropped EXE
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:1604

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\3wrt4gh.exe
      Filesize

      76KB

      MD5

      0e362e7005823d0bec3719b902ed6d62

      SHA1

      590d860b909804349e0cdc2f1662b37bd62f7463

      SHA256

      2d0dc6216f613ac7551a7e70a798c22aee8eb9819428b1357e2b8c73bef905ad

      SHA512

      518991b68496b3f8545e418cf9b345e0791e09cc20d177b8aa47e0aba447aa55383c64f5bdaca39f2b061a5d08c16f2ad484af8a9f238ca23ab081618fba3ad3

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\3wrt4gh.exe
      Filesize

      76KB

      MD5

      0e362e7005823d0bec3719b902ed6d62

      SHA1

      590d860b909804349e0cdc2f1662b37bd62f7463

      SHA256

      2d0dc6216f613ac7551a7e70a798c22aee8eb9819428b1357e2b8c73bef905ad

      SHA512

      518991b68496b3f8545e418cf9b345e0791e09cc20d177b8aa47e0aba447aa55383c64f5bdaca39f2b061a5d08c16f2ad484af8a9f238ca23ab081618fba3ad3

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\3wrt4gh.exe
      Filesize

      76KB

      MD5

      0e362e7005823d0bec3719b902ed6d62

      SHA1

      590d860b909804349e0cdc2f1662b37bd62f7463

      SHA256

      2d0dc6216f613ac7551a7e70a798c22aee8eb9819428b1357e2b8c73bef905ad

      SHA512

      518991b68496b3f8545e418cf9b345e0791e09cc20d177b8aa47e0aba447aa55383c64f5bdaca39f2b061a5d08c16f2ad484af8a9f238ca23ab081618fba3ad3

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\3wrt4gh.txt
      Filesize

      55B

      MD5

      52f9d586f3b9ad01b518028acf7a6349

      SHA1

      36a31b8929a5078b64bb2d37e6bbb415e6878bba

      SHA256

      468a5935f608987eeffc57086dda84b4820cc870d5096c6acdad35248bcb187e

      SHA512

      b3c9581f7832f7e77d60f8a91449d4d3bc9eaab888ac0d21167b0284dad9c5197cc4cc664b31f28d731d2745410dc564ede28f8602a04bb01eead6250b10c952

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\3wrt4gh.txt
      Filesize

      52B

      MD5

      e58f069b884882f69a555c81fd8175a9

      SHA1

      9753a72ba10819f5a73f6a7b788ebecdda9793ee

      SHA256

      a51de083be360adb484334c1598c66e48b2f34f8b85879d73841973a2f1f87b7

      SHA512

      1b9980ea5a54ff09c9f9c9cc338870fbe19141e274dac59c52bfeeee4faf8d5268e8639d11b68c0c7b6b4a72d18ea054a3ec802a6eb5510b3e0f0477b9e3fc08

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\3wrt4gh.txt
      Filesize

      55B

      MD5

      dd9258d5759d9c271d35af5f38a82b18

      SHA1

      3fc9d780540a8b23876f09bcfd6c8fe389764c04

      SHA256

      27cfbea1dcbb4b7045fc001d72ae5f7d12546cf6c4a1bf235c1ce46f5ec19fab

      SHA512

      81f3df1c82b37f3c4eca333dcbcd2c2442d0a469427f5812b6cbf201210cad28a6356346cac6b0b56137ad6f7b910a42f1f97fda4f52ac0c1245b1106a504e93

      Download Submit

    • C:\Users\Admin\AppData\Roaming\3wrt4gh.exe
      Filesize

      727KB

      MD5

      11fdd18da995241a7e74cc35d65de2db

      SHA1

      fbe27c616e9d2f6b72fc40a1756ae4e4b4723ae3

      SHA256

      6a4d569d0a0b08dfc52d10256bf3b384eaf57a3331a23b0456a109abcf772efd

      SHA512

      bb4a0895fb234f5e90c35201a4c10b3b035e22dd4ab57d5a214d08e835cea0f49a8584f0a623a3efd389ed86bf9fb67ab2bc1f6e20eef42efd9917a84c877cd6

      Download Submit

    • C:\Users\Admin\AppData\Roaming\3wrt4gh.exe
      Filesize

      727KB

      MD5

      11fdd18da995241a7e74cc35d65de2db

      SHA1

      fbe27c616e9d2f6b72fc40a1756ae4e4b4723ae3

      SHA256

      6a4d569d0a0b08dfc52d10256bf3b384eaf57a3331a23b0456a109abcf772efd

      SHA512

      bb4a0895fb234f5e90c35201a4c10b3b035e22dd4ab57d5a214d08e835cea0f49a8584f0a623a3efd389ed86bf9fb67ab2bc1f6e20eef42efd9917a84c877cd6

      Download Submit

    • \Users\Admin\AppData\Local\Temp\3wrt4gh.exe
      Filesize

      76KB

      MD5

      0e362e7005823d0bec3719b902ed6d62

      SHA1

      590d860b909804349e0cdc2f1662b37bd62f7463

      SHA256

      2d0dc6216f613ac7551a7e70a798c22aee8eb9819428b1357e2b8c73bef905ad

      SHA512

      518991b68496b3f8545e418cf9b345e0791e09cc20d177b8aa47e0aba447aa55383c64f5bdaca39f2b061a5d08c16f2ad484af8a9f238ca23ab081618fba3ad3

      Download Submit

    • \Users\Admin\AppData\Local\Temp\3wrt4gh.exe
      Filesize

      76KB

      MD5

      0e362e7005823d0bec3719b902ed6d62

      SHA1

      590d860b909804349e0cdc2f1662b37bd62f7463

      SHA256

      2d0dc6216f613ac7551a7e70a798c22aee8eb9819428b1357e2b8c73bef905ad

      SHA512

      518991b68496b3f8545e418cf9b345e0791e09cc20d177b8aa47e0aba447aa55383c64f5bdaca39f2b061a5d08c16f2ad484af8a9f238ca23ab081618fba3ad3

      Download Submit

    • \Users\Admin\AppData\Roaming\3wrt4gh.exe
      Filesize

      727KB

      MD5

      11fdd18da995241a7e74cc35d65de2db

      SHA1

      fbe27c616e9d2f6b72fc40a1756ae4e4b4723ae3

      SHA256

      6a4d569d0a0b08dfc52d10256bf3b384eaf57a3331a23b0456a109abcf772efd

      SHA512

      bb4a0895fb234f5e90c35201a4c10b3b035e22dd4ab57d5a214d08e835cea0f49a8584f0a623a3efd389ed86bf9fb67ab2bc1f6e20eef42efd9917a84c877cd6

      Download Submit

    • memory/268-58-0x0000000000000000-mapping.dmp

      Download

    • memory/340-61-0x0000000000000000-mapping.dmp

      Download

    • memory/848-70-0x0000000000C30000-0x0000000000C4A000-memory.dmp

      Filesize

      104KB

      Download

    • memory/848-68-0x0000000000DC0000-0x0000000000E7C000-memory.dmp

      Filesize

      752KB

      Download

    • memory/848-65-0x0000000000000000-mapping.dmp

      Download

    • memory/848-71-0x0000000000C60000-0x0000000000C66000-memory.dmp

      Filesize

      24KB

      Download

    • memory/1308-60-0x0000000000000000-mapping.dmp

      Download

    • memory/1380-62-0x0000000000000000-mapping.dmp

      Download

    • memory/1416-63-0x0000000000000000-mapping.dmp

      Download

    • memory/1492-59-0x0000000000000000-mapping.dmp

      Download

    • memory/1604-97-0x0000000000000000-mapping.dmp

      Download

    • memory/1616-73-0x0000000000400000-0x0000000000568000-memory.dmp

      Filesize

      1.4MB

      Download

    • memory/1616-77-0x0000000000400000-0x0000000000568000-memory.dmp

      Filesize

      1.4MB

      Download

    • memory/1616-83-0x0000000000400000-0x0000000000568000-memory.dmp

      Filesize

      1.4MB

      Download

    • memory/1616-84-0x000000000040B556-mapping.dmp

      Download

    • memory/1616-87-0x0000000000400000-0x0000000000568000-memory.dmp

      Filesize

      1.4MB

      Download

    • memory/1616-88-0x0000000000400000-0x0000000000568000-memory.dmp

      Filesize

      1.4MB

      Download

    • memory/1616-80-0x0000000000400000-0x0000000000568000-memory.dmp

      Filesize

      1.4MB

      Download

    • memory/1616-72-0x0000000000400000-0x0000000000568000-memory.dmp

      Filesize

      1.4MB

      Download

    • memory/1616-78-0x0000000000400000-0x0000000000568000-memory.dmp

      Filesize

      1.4MB

      Download

    • memory/1616-82-0x0000000000400000-0x0000000000568000-memory.dmp

      Filesize

      1.4MB

      Download

    • memory/1616-75-0x0000000000400000-0x0000000000568000-memory.dmp

      Filesize

      1.4MB

      Download

    • memory/1728-93-0x0000000000CD0000-0x0000000000CEA000-memory.dmp

      Filesize

      104KB

      Download

    • memory/1728-90-0x0000000000000000-mapping.dmp

      Download

    • memory/1992-54-0x0000000000E60000-0x0000000000F1C000-memory.dmp

      Filesize

      752KB

      Download

    • memory/1992-57-0x0000000000C70000-0x0000000000C88000-memory.dmp

      Filesize

      96KB

      Download

    • memory/1992-56-0x0000000000AA0000-0x0000000000AD0000-memory.dmp

      Filesize

      192KB

      Download

    • memory/1992-55-0x00000000763A1000-0x00000000763A3000-memory.dmp

      Filesize

      8KB

      Download