Analysis
-
max time kernel
189s -
max time network
213s -
platform
windows7_x64 -
resource
win7-20221111-en -
resource tags
-
submitted
01-12-2022 11:26
General
-
Target
PO-11221001080.rtf
-
Size
27KB
-
MD5
54d44fd164775f48934f95be9210712c
-
SHA1
21b6eb36fda7271f1943d4f5a5b5f7b145ad4ae2
-
SHA256
28e41e8cc995c7e4c893c9719785f91d54c880c530b6fd34cdefbb93531a5b1f
-
SHA512
78645e9f2a297bb8934c1268d1f3f7a6a6077b72cea31d8dc5eb0bf69322fe55f5771613bfb684cb5a56d16d4b31529f54bddf0b9518d3cc2fa530f5481c2f87
-
SSDEEP
768:sFx0XaIsnPRIa4fwJMr5j0CMukJfHh9y4pE3F/pQEVj1:sf0Xvx3EMGzVJv/S3F/3Z1
Malware Config
Extracted
remcos
PeterObi2023
76.8.53.133:1198
-
audio_folder
MicRecords
-
audio_record_time
5
-
connect_delay
0
-
connect_interval
1
-
copy_file
sdfge.exe
-
delete_file
false
-
hide_file
true
-
hide_keylog_file
false
-
install_flag
true
-
install_path
%AppData%
-
keylog_crypt
false
-
keylog_file
fghoiuytr.dat
-
keylog_flag
false
-
mouse_option
false
-
mutex
fghjcvbn-UURPOS
-
screenshot_crypt
false
-
screenshot_flag
false
-
screenshot_folder
Screenshots
-
screenshot_path
%AppData%
-
screenshot_time
10
-
startup_value
dfghrtyu
-
take_screenshot_option
false
-
take_screenshot_time
5
Extracted
remcos
IYKE
76.8.53.133:1198
-
audio_folder
MicRecords
-
audio_record_time
5
-
connect_delay
0
-
connect_interval
1
-
copy_file
explorer.exe
-
copy_folder
machines
-
delete_file
false
-
hide_file
false
-
hide_keylog_file
true
-
install_flag
true
-
keylog_crypt
true
-
keylog_file
logs.dat
-
keylog_flag
false
-
keylog_folder
12345MEEE
-
mouse_option
false
-
mutex
12345MEEE-NS9UK1
-
screenshot_crypt
false
-
screenshot_flag
false
-
screenshot_folder
Screenshots
-
screenshot_path
%AppData%
-
screenshot_time
10
-
startup_value
explorer
-
take_screenshot_option
false
-
take_screenshot_time
5
Extracted
warzonerat
76.8.53.133:1198
Signatures
-
Remcos
Remcos is a closed-source remote control and surveillance software.
-
WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
-
Warzone RAT payload 3 IoCs
-
Blocklisted process makes network request 1 IoCs
-
Downloads MZ/PE file
-
Executes dropped EXE 7 IoCs
-
Loads dropped DLL 11 IoCs
-
Adds Run key to start application 2 TTPs 6 IoCs
-
Suspicious use of SetThreadContext 1 IoCs
-
Drops file in Windows directory 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Office loads VBA resources, possible macro or embedded object present
-
Launches Equation Editor 1 TTPs 1 IoCs
Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.
-
Modifies Internet Explorer settings 1 TTPs 31 IoCs
-
Modifies registry class 64 IoCs
-
Suspicious behavior: AddClipboardFormatListener 1 IoCs
-
Suspicious use of SetWindowsHookEx 3 IoCs
-
Suspicious use of WriteProcessMemory 49 IoCs
Processes
-
C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\PO-11221001080.rtf"1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
-
C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding1⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Launches Equation Editor
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\ikmerrec8416.exe"C:\Users\Admin\AppData\Roaming\ikmerrec8416.exe"2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\ikmerrec8416.exe"C:\Users\Admin\AppData\Roaming\ikmerrec8416.exe"3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\My Nigga.exe"C:\Users\Admin\AppData\Local\Temp\My Nigga.exe"4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"5⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c "C:\ProgramData\machines\explorer.exe"6⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\ProgramData\machines\explorer.exeC:\ProgramData\machines\explorer.exe7⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Local\Temp\iyke remcos.exe"C:\Users\Admin\AppData\Local\Temp\iyke remcos.exe"4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"5⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c "C:\ProgramData\machines\explorer.exe"6⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\ProgramData\machines\explorer.exeC:\ProgramData\machines\explorer.exe7⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\warzone rawfile new.exe"C:\Users\Admin\AppData\Local\Temp\warzone rawfile new.exe"4⤵
- Executes dropped EXE
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\ProgramData\machines\explorer.exeFilesize
469KB
MD5cfe7124b0cc081e0b02426f430064a80
SHA158069d9f9d74c392275849e9084c5a8980d774d3
SHA2561e11e39458dd9affead376ffafa64fc639fb8fee45788f3c922c38923546e5e8
SHA5125eb031420328f9f077acdf60cf0579051ae7d95b77d9aaf572010c1051710c678d45e50a760fc8eaf1acab06449e1f07c2e92693ae45d669ed94f11a8d1e8bf2
-
C:\ProgramData\machines\explorer.exeFilesize
469KB
MD5cfe7124b0cc081e0b02426f430064a80
SHA158069d9f9d74c392275849e9084c5a8980d774d3
SHA2561e11e39458dd9affead376ffafa64fc639fb8fee45788f3c922c38923546e5e8
SHA5125eb031420328f9f077acdf60cf0579051ae7d95b77d9aaf572010c1051710c678d45e50a760fc8eaf1acab06449e1f07c2e92693ae45d669ed94f11a8d1e8bf2
-
C:\ProgramData\machines\explorer.exeFilesize
469KB
MD5cfe7124b0cc081e0b02426f430064a80
SHA158069d9f9d74c392275849e9084c5a8980d774d3
SHA2561e11e39458dd9affead376ffafa64fc639fb8fee45788f3c922c38923546e5e8
SHA5125eb031420328f9f077acdf60cf0579051ae7d95b77d9aaf572010c1051710c678d45e50a760fc8eaf1acab06449e1f07c2e92693ae45d669ed94f11a8d1e8bf2
-
C:\Users\Admin\AppData\Local\Temp\My Nigga.exeFilesize
469KB
MD582602aed5a4328fd0f432ac95f05a500
SHA183c7d33c0d034ec89953986d191fe82e5f5ba297
SHA256fbf0d947bf22491229799e2ddaca2484d24b1cd7e4be6945758a9a153cc98791
SHA512afef8b35bbedbc91d4f5e196878c1f2f6564da216137e75cb7977e4c4563cf20d927552a722056ab4366bd29096098e3265c42e207e0eb55dbb351167413eaf9
-
C:\Users\Admin\AppData\Local\Temp\My Nigga.exeFilesize
469KB
MD582602aed5a4328fd0f432ac95f05a500
SHA183c7d33c0d034ec89953986d191fe82e5f5ba297
SHA256fbf0d947bf22491229799e2ddaca2484d24b1cd7e4be6945758a9a153cc98791
SHA512afef8b35bbedbc91d4f5e196878c1f2f6564da216137e75cb7977e4c4563cf20d927552a722056ab4366bd29096098e3265c42e207e0eb55dbb351167413eaf9
-
C:\Users\Admin\AppData\Local\Temp\install.vbsFilesize
394B
MD506c791067d2932c95dd3677d2384841e
SHA1715003b9d13baa70e501982796d367792c1addfa
SHA256cf55c64c0a026c2a15389e088a337f98da369179508380519c1d7f69dc603f49
SHA51220a67da827a020cc6da8985cd1b1c0ec8847dd639c4c2a83f3e8af48dddaff58f5a05e8a3dba5e9911400d5f6e9d59b93361838f56455fd3b2fafe489e1a76ea
-
C:\Users\Admin\AppData\Local\Temp\install.vbsFilesize
394B
MD506c791067d2932c95dd3677d2384841e
SHA1715003b9d13baa70e501982796d367792c1addfa
SHA256cf55c64c0a026c2a15389e088a337f98da369179508380519c1d7f69dc603f49
SHA51220a67da827a020cc6da8985cd1b1c0ec8847dd639c4c2a83f3e8af48dddaff58f5a05e8a3dba5e9911400d5f6e9d59b93361838f56455fd3b2fafe489e1a76ea
-
C:\Users\Admin\AppData\Local\Temp\iyke remcos.exeFilesize
469KB
MD5cfe7124b0cc081e0b02426f430064a80
SHA158069d9f9d74c392275849e9084c5a8980d774d3
SHA2561e11e39458dd9affead376ffafa64fc639fb8fee45788f3c922c38923546e5e8
SHA5125eb031420328f9f077acdf60cf0579051ae7d95b77d9aaf572010c1051710c678d45e50a760fc8eaf1acab06449e1f07c2e92693ae45d669ed94f11a8d1e8bf2
-
C:\Users\Admin\AppData\Local\Temp\iyke remcos.exeFilesize
469KB
MD5cfe7124b0cc081e0b02426f430064a80
SHA158069d9f9d74c392275849e9084c5a8980d774d3
SHA2561e11e39458dd9affead376ffafa64fc639fb8fee45788f3c922c38923546e5e8
SHA5125eb031420328f9f077acdf60cf0579051ae7d95b77d9aaf572010c1051710c678d45e50a760fc8eaf1acab06449e1f07c2e92693ae45d669ed94f11a8d1e8bf2
-
C:\Users\Admin\AppData\Local\Temp\warzone rawfile new.exeFilesize
113KB
MD57aa7c2c90371cf809dac01092c13d63e
SHA15a41e80d24d965f039fca837ecdd6322ca673d4e
SHA256ff3f9f08d7956fb6699d0d58f7f02aef326a981a6433b3fa89bb550a90495602
SHA512dbb068e8d2ad9ec64845d43fe993c0f0978b93a3aae616392993e17ec48add26b3521a69003cefd8c71586cf35220b61f52f75cfa5835331d85ffea4018b185f
-
C:\Users\Admin\AppData\Roaming\ikmerrec8416.exeFilesize
2.1MB
MD5da10ff1e72683c714b10987686b9d695
SHA14990862369970af40430125e4cf3376fc8ea33cf
SHA256ef520dd1c4f60b215ada787cd507ba5e72933a04eba01c9cd81496860de5bf0f
SHA512f124430db1e6e85a1137a3eba5ae8b3823b264c1bbccc93ccbac738ab5bd45aac7dc46fa97f1b62421c0ab0d3ed46b9d0cb5cbb3ff44eea7c756a813e7bdde63
-
C:\Users\Admin\AppData\Roaming\ikmerrec8416.exeFilesize
2.1MB
MD5da10ff1e72683c714b10987686b9d695
SHA14990862369970af40430125e4cf3376fc8ea33cf
SHA256ef520dd1c4f60b215ada787cd507ba5e72933a04eba01c9cd81496860de5bf0f
SHA512f124430db1e6e85a1137a3eba5ae8b3823b264c1bbccc93ccbac738ab5bd45aac7dc46fa97f1b62421c0ab0d3ed46b9d0cb5cbb3ff44eea7c756a813e7bdde63
-
C:\Users\Admin\AppData\Roaming\ikmerrec8416.exeFilesize
2.1MB
MD5da10ff1e72683c714b10987686b9d695
SHA14990862369970af40430125e4cf3376fc8ea33cf
SHA256ef520dd1c4f60b215ada787cd507ba5e72933a04eba01c9cd81496860de5bf0f
SHA512f124430db1e6e85a1137a3eba5ae8b3823b264c1bbccc93ccbac738ab5bd45aac7dc46fa97f1b62421c0ab0d3ed46b9d0cb5cbb3ff44eea7c756a813e7bdde63
-
\ProgramData\machines\explorer.exeFilesize
469KB
MD5cfe7124b0cc081e0b02426f430064a80
SHA158069d9f9d74c392275849e9084c5a8980d774d3
SHA2561e11e39458dd9affead376ffafa64fc639fb8fee45788f3c922c38923546e5e8
SHA5125eb031420328f9f077acdf60cf0579051ae7d95b77d9aaf572010c1051710c678d45e50a760fc8eaf1acab06449e1f07c2e92693ae45d669ed94f11a8d1e8bf2
-
\ProgramData\machines\explorer.exeFilesize
469KB
MD5cfe7124b0cc081e0b02426f430064a80
SHA158069d9f9d74c392275849e9084c5a8980d774d3
SHA2561e11e39458dd9affead376ffafa64fc639fb8fee45788f3c922c38923546e5e8
SHA5125eb031420328f9f077acdf60cf0579051ae7d95b77d9aaf572010c1051710c678d45e50a760fc8eaf1acab06449e1f07c2e92693ae45d669ed94f11a8d1e8bf2
-
\ProgramData\machines\explorer.exeFilesize
469KB
MD5cfe7124b0cc081e0b02426f430064a80
SHA158069d9f9d74c392275849e9084c5a8980d774d3
SHA2561e11e39458dd9affead376ffafa64fc639fb8fee45788f3c922c38923546e5e8
SHA5125eb031420328f9f077acdf60cf0579051ae7d95b77d9aaf572010c1051710c678d45e50a760fc8eaf1acab06449e1f07c2e92693ae45d669ed94f11a8d1e8bf2
-
\Users\Admin\AppData\Local\Temp\My Nigga.exeFilesize
469KB
MD582602aed5a4328fd0f432ac95f05a500
SHA183c7d33c0d034ec89953986d191fe82e5f5ba297
SHA256fbf0d947bf22491229799e2ddaca2484d24b1cd7e4be6945758a9a153cc98791
SHA512afef8b35bbedbc91d4f5e196878c1f2f6564da216137e75cb7977e4c4563cf20d927552a722056ab4366bd29096098e3265c42e207e0eb55dbb351167413eaf9
-
\Users\Admin\AppData\Local\Temp\My Nigga.exeFilesize
469KB
MD582602aed5a4328fd0f432ac95f05a500
SHA183c7d33c0d034ec89953986d191fe82e5f5ba297
SHA256fbf0d947bf22491229799e2ddaca2484d24b1cd7e4be6945758a9a153cc98791
SHA512afef8b35bbedbc91d4f5e196878c1f2f6564da216137e75cb7977e4c4563cf20d927552a722056ab4366bd29096098e3265c42e207e0eb55dbb351167413eaf9
-
\Users\Admin\AppData\Local\Temp\iyke remcos.exeFilesize
469KB
MD5cfe7124b0cc081e0b02426f430064a80
SHA158069d9f9d74c392275849e9084c5a8980d774d3
SHA2561e11e39458dd9affead376ffafa64fc639fb8fee45788f3c922c38923546e5e8
SHA5125eb031420328f9f077acdf60cf0579051ae7d95b77d9aaf572010c1051710c678d45e50a760fc8eaf1acab06449e1f07c2e92693ae45d669ed94f11a8d1e8bf2
-
\Users\Admin\AppData\Local\Temp\iyke remcos.exeFilesize
469KB
MD5cfe7124b0cc081e0b02426f430064a80
SHA158069d9f9d74c392275849e9084c5a8980d774d3
SHA2561e11e39458dd9affead376ffafa64fc639fb8fee45788f3c922c38923546e5e8
SHA5125eb031420328f9f077acdf60cf0579051ae7d95b77d9aaf572010c1051710c678d45e50a760fc8eaf1acab06449e1f07c2e92693ae45d669ed94f11a8d1e8bf2
-
\Users\Admin\AppData\Local\Temp\warzone rawfile new.exeFilesize
113KB
MD57aa7c2c90371cf809dac01092c13d63e
SHA15a41e80d24d965f039fca837ecdd6322ca673d4e
SHA256ff3f9f08d7956fb6699d0d58f7f02aef326a981a6433b3fa89bb550a90495602
SHA512dbb068e8d2ad9ec64845d43fe993c0f0978b93a3aae616392993e17ec48add26b3521a69003cefd8c71586cf35220b61f52f75cfa5835331d85ffea4018b185f
-
\Users\Admin\AppData\Local\Temp\warzone rawfile new.exeFilesize
113KB
MD57aa7c2c90371cf809dac01092c13d63e
SHA15a41e80d24d965f039fca837ecdd6322ca673d4e
SHA256ff3f9f08d7956fb6699d0d58f7f02aef326a981a6433b3fa89bb550a90495602
SHA512dbb068e8d2ad9ec64845d43fe993c0f0978b93a3aae616392993e17ec48add26b3521a69003cefd8c71586cf35220b61f52f75cfa5835331d85ffea4018b185f
-
\Users\Admin\AppData\Roaming\ikmerrec8416.exeFilesize
2.1MB
MD5da10ff1e72683c714b10987686b9d695
SHA14990862369970af40430125e4cf3376fc8ea33cf
SHA256ef520dd1c4f60b215ada787cd507ba5e72933a04eba01c9cd81496860de5bf0f
SHA512f124430db1e6e85a1137a3eba5ae8b3823b264c1bbccc93ccbac738ab5bd45aac7dc46fa97f1b62421c0ab0d3ed46b9d0cb5cbb3ff44eea7c756a813e7bdde63
-
\Users\Admin\AppData\Roaming\ikmerrec8416.exeFilesize
2.1MB
MD5da10ff1e72683c714b10987686b9d695
SHA14990862369970af40430125e4cf3376fc8ea33cf
SHA256ef520dd1c4f60b215ada787cd507ba5e72933a04eba01c9cd81496860de5bf0f
SHA512f124430db1e6e85a1137a3eba5ae8b3823b264c1bbccc93ccbac738ab5bd45aac7dc46fa97f1b62421c0ab0d3ed46b9d0cb5cbb3ff44eea7c756a813e7bdde63
-
memory/460-102-0x0000000000000000-mapping.dmp
-
memory/564-94-0x0000000000000000-mapping.dmp
-
memory/968-114-0x0000000000000000-mapping.dmp
-
memory/1056-73-0x0000000000400000-0x0000000000566000-memory.dmpFilesize
1.4MB
-
memory/1056-82-0x0000000000400000-0x0000000000566000-memory.dmpFilesize
1.4MB
-
memory/1056-84-0x0000000000400000-0x0000000000566000-memory.dmpFilesize
1.4MB
-
memory/1056-79-0x0000000000561FBE-mapping.dmp
-
memory/1056-74-0x0000000000400000-0x0000000000566000-memory.dmpFilesize
1.4MB
-
memory/1056-78-0x0000000000400000-0x0000000000566000-memory.dmpFilesize
1.4MB
-
memory/1056-77-0x0000000000400000-0x0000000000566000-memory.dmpFilesize
1.4MB
-
memory/1056-76-0x0000000000400000-0x0000000000566000-memory.dmpFilesize
1.4MB
-
memory/1196-109-0x0000000000000000-mapping.dmp
-
memory/1452-88-0x0000000000000000-mapping.dmp
-
memory/1476-100-0x0000000000000000-mapping.dmp
-
memory/1596-105-0x0000000000000000-mapping.dmp
-
memory/1852-118-0x0000000000000000-mapping.dmp
-
memory/1860-67-0x00000000003D0000-0x00000000003E6000-memory.dmpFilesize
88KB
-
memory/1860-65-0x0000000000E70000-0x0000000001098000-memory.dmpFilesize
2.2MB
-
memory/1860-72-0x0000000009890000-0x0000000009A16000-memory.dmpFilesize
1.5MB
-
memory/1860-70-0x00000000003E0000-0x00000000003EE000-memory.dmpFilesize
56KB
-
memory/1860-71-0x00000000084E0000-0x000000000868E000-memory.dmpFilesize
1.7MB
-
memory/1860-62-0x0000000000000000-mapping.dmp
-
memory/2004-110-0x0000000000000000-mapping.dmp
-
memory/2040-54-0x0000000072FD1000-0x0000000072FD4000-memory.dmpFilesize
12KB
-
memory/2040-68-0x000000005FFF0000-0x0000000060000000-memory.dmpFilesize
64KB
-
memory/2040-69-0x0000000071A3D000-0x0000000071A48000-memory.dmpFilesize
44KB
-
memory/2040-58-0x0000000071A3D000-0x0000000071A48000-memory.dmpFilesize
44KB
-
memory/2040-57-0x0000000076411000-0x0000000076413000-memory.dmpFilesize
8KB
-
memory/2040-56-0x000000005FFF0000-0x0000000060000000-memory.dmpFilesize
64KB
-
memory/2040-55-0x0000000070A51000-0x0000000070A53000-memory.dmpFilesize
8KB