Analysis

  • max time kernel
    160s
  • max time network
    162s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20221111-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    21-11-2022 11:42

General

  • Target

    SecuriteInfo.com.Variant.Lazy.264437.6912.26926.exe

  • Size

    727KB

  • MD5

    11fdd18da995241a7e74cc35d65de2db

  • SHA1

    fbe27c616e9d2f6b72fc40a1756ae4e4b4723ae3

  • SHA256

    6a4d569d0a0b08dfc52d10256bf3b384eaf57a3331a23b0456a109abcf772efd

  • SHA512

    bb4a0895fb234f5e90c35201a4c10b3b035e22dd4ab57d5a214d08e835cea0f49a8584f0a623a3efd389ed86bf9fb67ab2bc1f6e20eef42efd9917a84c877cd6

  • SSDEEP

    12288:KQqDi5HYIsMzxl5PMuU9M4YTIjXnhBzDwvy2HAA:NvNsqlKjXhB92H9

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 1 IoCs
  • WarzoneRat, AveMaria

    WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.

  • Warzone RAT payload 4 IoCs
  • Executes dropped EXE 4 IoCs
  • Modifies Windows Firewall 1 TTPs 1 IoCs
  • Sets DLL path for service in the registry 2 TTPs 1 IoCs
  • UPX packed file 4 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Loads dropped DLL 1 IoCs
  • Drops file in System32 directory 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Drops file in Program Files directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Runs ping.exe 1 TTPs 3 IoCs
  • Suspicious behavior: EnumeratesProcesses 40 IoCs
  • Suspicious behavior: LoadsDriver 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 55 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Variant.Lazy.264437.6912.26926.exe
    "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Variant.Lazy.264437.6912.26926.exe"
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4412
    • C:\Windows\SysWOW64\cmd.exe
      "cmd" /c ping 127.0.0.1 -n 8 > nul && REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Roaming\3wrt4gh.exe,"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4116
      • C:\Windows\SysWOW64\PING.EXE
        ping 127.0.0.1 -n 8
        3⤵
        • Runs ping.exe
        PID:1360
      • C:\Windows\SysWOW64\reg.exe
        REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Roaming\3wrt4gh.exe,"
        3⤵
        • Modifies WinLogon for persistence
        PID:5088
    • C:\Windows\SysWOW64\cmd.exe
      "cmd" /c ping 127.0.0.1 -n 10 > nul && copy "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Variant.Lazy.264437.6912.26926.exe" "C:\Users\Admin\AppData\Roaming\3wrt4gh.exe" && ping 127.0.0.1 -n 10 > nul && "C:\Users\Admin\AppData\Roaming\3wrt4gh.exe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3632
      • C:\Windows\SysWOW64\PING.EXE
        ping 127.0.0.1 -n 10
        3⤵
        • Runs ping.exe
        PID:4032
      • C:\Windows\SysWOW64\PING.EXE
        ping 127.0.0.1 -n 10
        3⤵
        • Runs ping.exe
        PID:4164
      • C:\Users\Admin\AppData\Roaming\3wrt4gh.exe
        "C:\Users\Admin\AppData\Roaming\3wrt4gh.exe"
        3⤵
        • Executes dropped EXE
        • Checks computer location settings
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:4184
        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
          "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
          4⤵
            PID:888
          • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
            "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
            4⤵
            • Sets DLL path for service in the registry
            • Drops file in System32 directory
            • Drops file in Program Files directory
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of SetWindowsHookEx
            • Suspicious use of WriteProcessMemory
            PID:1092
            • C:\Users\Admin\AppData\Local\Temp\108.exe
              "C:\Users\Admin\AppData\Local\Temp\108.exe"
              5⤵
              • Executes dropped EXE
              • Suspicious use of WriteProcessMemory
              PID:3996
              • C:\Windows\SysWOW64\netsh.exe
                netsh advfirewall firewall add rule name="3389" dir=in action=allow protocol=TCP localport=3389
                6⤵
                • Modifies Windows Firewall
                PID:2416
          • C:\Users\Admin\AppData\Local\Temp\3wrt4gh.exe
            "C:\Users\Admin\AppData\Local\Temp\3wrt4gh.exe"
            4⤵
            • Executes dropped EXE
            • Checks computer location settings
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:1924
            • C:\Users\Admin\AppData\Local\Temp\3wrt4gh.exe
              "C:\Users\Admin\AppData\Local\Temp\3wrt4gh.exe"
              5⤵
              • Executes dropped EXE
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:2868
    • C:\Windows\System32\svchost.exe
      C:\Windows\System32\svchost.exe -k NetworkService -s TermService
      1⤵
        PID:2552
      • C:\Windows\System32\svchost.exe
        C:\Windows\System32\svchost.exe -k NetworkService -s TermService
        1⤵
        • Loads dropped DLL
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:3332

      Network

      MITRE ATT&CK Enterprise v6

      Downloads

      • C:\Program Files\Microsoft DN1\sqlmap.dll

        Filesize

        114KB

        MD5

        461ade40b800ae80a40985594e1ac236

        SHA1

        b3892eef846c044a2b0785d54a432b3e93a968c8

        SHA256

        798af20db39280f90a1d35f2ac2c1d62124d1f5218a2a0fa29d87a13340bd3e4

        SHA512

        421f9060c4b61fa6f4074508602a2639209032fd5df5bfc702a159e3bad5479684ccb3f6e02f3e38fb8db53839cf3f41fe58a3acad6ec1199a48dc333b2d8a26

      • C:\Users\Admin\AppData\Local\Temp\108.exe

        Filesize

        70KB

        MD5

        ca96229390a0e6a53e8f2125f2c01114

        SHA1

        a54b1081cf58724f8cb292b4d165dfee2fb1c9f6

        SHA256

        0df3d05900e7b530f6c2a281d43c47839f2cf2a5d386553c8dc46e463a635a2c

        SHA512

        e93445bce6c8b6f51890309577a0ea9369860d2e6bf8cc0ca708879a77bb176d27c5f559bbdb7deb4b719aee0fc48d9068c293559f7629baf4ec3515898102ef

      • C:\Users\Admin\AppData\Local\Temp\3wrt4gh.exe

        Filesize

        76KB

        MD5

        0e362e7005823d0bec3719b902ed6d62

        SHA1

        590d860b909804349e0cdc2f1662b37bd62f7463

        SHA256

        2d0dc6216f613ac7551a7e70a798c22aee8eb9819428b1357e2b8c73bef905ad

        SHA512

        518991b68496b3f8545e418cf9b345e0791e09cc20d177b8aa47e0aba447aa55383c64f5bdaca39f2b061a5d08c16f2ad484af8a9f238ca23ab081618fba3ad3

      • C:\Users\Admin\AppData\Local\Temp\3wrt4gh.txt

        Filesize

        53B

        MD5

        0a18c8a0432a797a09022d47a392e53e

        SHA1

        3d764e53de6dfc76ae6d7cbaae3f77ab7e3e29f7

        SHA256

        a6b0d54931c1cb2932f205176712330a11a6eb79993259e71c14919423e4c9ed

        SHA512

        9338473996b57e4444cf0d8a97e69798989675c87025ea5a5acc23a29f56b48633baee69a176193b57bba9700118b577a94febe158447e3e04248efa481f71ba

      • C:\Users\Admin\AppData\Local\Temp\3wrt4gh.txt

        Filesize

        56B

        MD5

        cd0484846d1aa07dee60cff7de0338a7

        SHA1

        8c291eae263d94f55c3d5d4d20416a419e005f3a

        SHA256

        2f10a27311b8b5b4c37f86cc0a3ce5022443cc0b8b512d04ba3027bbc3964ff3

        SHA512

        5701531b1cadf4f2d262466db99b5301e40a51c131891e78c6283fb19e87048faace934bd45712a5df1172a7ea4babb78fe4d5c2eb4d33cae28b919f817aee76

      • C:\Users\Admin\AppData\Roaming\3wrt4gh.exe

        Filesize

        727KB

        MD5

        11fdd18da995241a7e74cc35d65de2db

        SHA1

        fbe27c616e9d2f6b72fc40a1756ae4e4b4723ae3

        SHA256

        6a4d569d0a0b08dfc52d10256bf3b384eaf57a3331a23b0456a109abcf772efd

        SHA512

        bb4a0895fb234f5e90c35201a4c10b3b035e22dd4ab57d5a214d08e835cea0f49a8584f0a623a3efd389ed86bf9fb67ab2bc1f6e20eef42efd9917a84c877cd6

      • \??\c:\program files\microsoft dn1\rdpwrap.ini

        Filesize

        291KB

        MD5

        914d30cdc026d77366e6ac105cd5eefc

        SHA1

        95e0c8463f4995bf126fa0cffab4a8a947963a1a

        SHA256

        f00109618610375ea494b1406fa7e5548d75a52669b1bf1761a80394301b42f8

        SHA512

        184c1c12c18b02e27a8674476c768b0dcaef7dff722dfd27e4f342ba7ce65653c399eed0bedc3d9cbca0fec0fa5a17077e8e71f4d7807e2119eec1687ccc7635

      • \??\c:\program files\microsoft dn1\sqlmap.dll

        Filesize

        114KB

        MD5

        461ade40b800ae80a40985594e1ac236

        SHA1

        b3892eef846c044a2b0785d54a432b3e93a968c8

        SHA256

        798af20db39280f90a1d35f2ac2c1d62124d1f5218a2a0fa29d87a13340bd3e4

        SHA512

        421f9060c4b61fa6f4074508602a2639209032fd5df5bfc702a159e3bad5479684ccb3f6e02f3e38fb8db53839cf3f41fe58a3acad6ec1199a48dc333b2d8a26

      • memory/888-147-0x0000000000000000-mapping.dmp

      • memory/1092-149-0x0000000000400000-0x0000000000568000-memory.dmp

        Filesize

        1.4MB

      • memory/1092-148-0x0000000000000000-mapping.dmp

      • memory/1092-162-0x0000000000400000-0x0000000000568000-memory.dmp

        Filesize

        1.4MB

      • memory/1092-151-0x0000000000400000-0x0000000000568000-memory.dmp

        Filesize

        1.4MB

      • memory/1092-152-0x0000000000400000-0x0000000000568000-memory.dmp

        Filesize

        1.4MB

      • memory/1092-163-0x000000000AD70000-0x000000000AF10000-memory.dmp

        Filesize

        1.6MB

      • memory/1360-138-0x0000000000000000-mapping.dmp

      • memory/1924-153-0x0000000000000000-mapping.dmp

      • memory/1924-156-0x0000000000CC0000-0x0000000000CDA000-memory.dmp

        Filesize

        104KB

      • memory/2416-167-0x0000000000000000-mapping.dmp

      • memory/2868-158-0x0000000000000000-mapping.dmp

      • memory/3632-139-0x0000000000000000-mapping.dmp

      • memory/3996-164-0x0000000000000000-mapping.dmp

      • memory/3996-172-0x0000000000AA0000-0x0000000000ACD000-memory.dmp

        Filesize

        180KB

      • memory/3996-168-0x0000000000AA0000-0x0000000000ACD000-memory.dmp

        Filesize

        180KB

      • memory/4032-140-0x0000000000000000-mapping.dmp

      • memory/4116-137-0x0000000000000000-mapping.dmp

      • memory/4164-142-0x0000000000000000-mapping.dmp

      • memory/4184-143-0x0000000000000000-mapping.dmp

      • memory/4184-146-0x00000000004A0000-0x000000000055C000-memory.dmp

        Filesize

        752KB

      • memory/4412-132-0x0000000000AB0000-0x0000000000B6C000-memory.dmp

        Filesize

        752KB

      • memory/4412-136-0x00000000064E0000-0x00000000064EA000-memory.dmp

        Filesize

        40KB

      • memory/4412-135-0x0000000004F50000-0x0000000004FEC000-memory.dmp

        Filesize

        624KB

      • memory/4412-134-0x0000000004E10000-0x0000000004EA2000-memory.dmp

        Filesize

        584KB

      • memory/4412-133-0x00000000052E0000-0x0000000005884000-memory.dmp

        Filesize

        5.6MB

      • memory/5088-141-0x0000000000000000-mapping.dmp