Analysis
- max time kernel: 550s
- max time network: 553s
- platform: windows7_x64
- resource: win7-20221111-en
- resource tags: arch:x64, arch:x86, image:win7-20221111-en, locale:en-us, os:windows7-x64, system
- submitted: 02-02-2023 15:27

Static task: static1

Behavioral task: behavioral1
- Sample: Quotation 202311025_PDF.scr
- Resource: win7-20221111-en

Behavioral task: behavioral2
- Sample: Quotation 202311025_PDF.scr
- Resource: win10v2004-20221111-en
General
- Target: Quotation 202311025_PDF.scr
- Size: 24KB
- MD5: f1ed9f09ea489162b2a5ef0c4d285503
- SHA1: 5e1b5599aef58f90e4ad3efa43661a1d7cc4ed6c
- SHA256: c8007f5d3d8770320aa06642b4363f60d8caa0056507a6e1bf94dfb38b786f97
- SHA512: 4dfa6ad16b68bcc15362a93ef970bde290a654f67df507d8a3e8976ae45d38a4603184ad79fb7099de5fdaed637b8291022c3af3a374435428cc99512403252a
- SSDEEP: 384:iJg3aSz4PT02opvtOvt6Y4BwEapWNJR+:iW3Dl2oZU1ZdWNJR
Malware Config
- Extracted: warzonerat
- 37.120.155.179:52920
Signatures
- Detect PureCrypter injector (1 IoCs)
  Processes:
    resource   behavioral1/memory/1504-56-0x0000000006130000-0x00000000063B0000-memory.dmp
    yara_rule  family_purecrypter
- PureCrypter
  PureCrypter is a .NET malware loader first seen in early 2021.
- WarzoneRat, AveMaria
  WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
- Adds Run key to start application (2 TTPs, 1 IoCs)
  Processes: Quotation 202311025_PDF.scr
    description  Set value (str)
    ioc          \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\Qreoiutud = "\"C:\\Users\\Admin\\AppData\\Roaming\\Nqzrmbza\\Qreoiutud.exe\""
    process      Quotation 202311025_PDF.scr
- Suspicious use of SetThreadContext (1 IoCs)
  Processes: Quotation 202311025_PDF.scr
    description     PID 1504 set thread context of 1184
    pid             1504
    process         Quotation 202311025_PDF.scr
    target process  RegAsm.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Gathers network information (2 TTPs, 2 IoCs)
  Uses commandline utility to view network configuration.
  Processes: ipconfig.exe, ipconfig.exe
    pid   process
    1288  ipconfig.exe
    1072  ipconfig.exe
- Suspicious behavior: EnumeratesProcesses (1 IoCs)
  Processes: powershell.exe
    pid   process
    1764  powershell.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes: Quotation 202311025_PDF.scr, powershell.exe
    description              pid   process
    Token: SeDebugPrivilege  1504  Quotation 202311025_PDF.scr
    Token: SeDebugPrivilege  1764  powershell.exe
- Suspicious use of WriteProcessMemory (34 IoCs)
  Processes: Quotation 202311025_PDF.scr, cmd.exe, cmd.exe
  (34 entries in total; identical rows are grouped with their entry count)
    description                                    pid   process                      target process
    PID 1504 wrote to memory of 1100 (4 entries)   1504  Quotation 202311025_PDF.scr  cmd.exe
    PID 1100 wrote to memory of 1072 (4 entries)   1100  cmd.exe                      ipconfig.exe
    PID 1504 wrote to memory of 1764 (4 entries)   1504  Quotation 202311025_PDF.scr  powershell.exe
    PID 1504 wrote to memory of 1744 (4 entries)   1504  Quotation 202311025_PDF.scr  cmd.exe
    PID 1744 wrote to memory of 1288 (4 entries)   1744  cmd.exe                      ipconfig.exe
    PID 1504 wrote to memory of 1184 (14 entries)  1504  Quotation 202311025_PDF.scr  RegAsm.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\Quotation 202311025_PDF.scr
  Command line: "C:\Users\Admin\AppData\Local\Temp\Quotation 202311025_PDF.scr" /S
  Signatures:
  - Adds Run key to start application
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  Child processes:
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c ipconfig/release
    Signatures:
    - Suspicious use of WriteProcessMemory
    Child processes:
    - C:\Windows\SysWOW64\ipconfig.exe
      Command line: ipconfig /release
      Signatures:
      - Gathers network information
  - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMgAwAA==
    (the -ENC argument is base64-encoded UTF-16LE and decodes to: start-sleep -seconds 20)
    Signatures:
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c ipconfig/renew
    Signatures:
    - Suspicious use of WriteProcessMemory
    Child processes:
    - C:\Windows\SysWOW64\ipconfig.exe
      Command line: ipconfig /renew
      Signatures:
      - Gathers network information
  - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Network

MITRE ATT&CK Matrix (ATT&CK v6)
Downloads
- memory/1072-58-0x0000000000000000-mapping.dmp
- memory/1100-57-0x0000000000000000-mapping.dmp
- memory/1184-69-0x0000000000400000-0x000000000055E000-memory.dmp (Filesize: 1.4MB)
- memory/1184-85-0x0000000000400000-0x000000000055E000-memory.dmp (Filesize: 1.4MB)
- memory/1184-83-0x0000000000400000-0x000000000055E000-memory.dmp (Filesize: 1.4MB)
- memory/1184-80-0x0000000000405E28-mapping.dmp
- memory/1184-79-0x0000000000400000-0x000000000055E000-memory.dmp (Filesize: 1.4MB)
- memory/1184-78-0x0000000000400000-0x000000000055E000-memory.dmp (Filesize: 1.4MB)
- memory/1184-76-0x0000000000400000-0x000000000055E000-memory.dmp (Filesize: 1.4MB)
- memory/1184-74-0x0000000000400000-0x000000000055E000-memory.dmp (Filesize: 1.4MB)
- memory/1184-72-0x0000000000400000-0x000000000055E000-memory.dmp (Filesize: 1.4MB)
- memory/1184-70-0x0000000000400000-0x000000000055E000-memory.dmp (Filesize: 1.4MB)
- memory/1288-66-0x0000000000000000-mapping.dmp
- memory/1504-68-0x0000000004EC0000-0x0000000004F12000-memory.dmp (Filesize: 328KB)
- memory/1504-54-0x0000000000980000-0x000000000098C000-memory.dmp (Filesize: 48KB)
- memory/1504-56-0x0000000006130000-0x00000000063B0000-memory.dmp (Filesize: 2.5MB)
- memory/1504-55-0x0000000075C81000-0x0000000075C83000-memory.dmp (Filesize: 8KB)
- memory/1744-65-0x0000000000000000-mapping.dmp
- memory/1764-64-0x000000006EFB0000-0x000000006F55B000-memory.dmp (Filesize: 5.7MB)
- memory/1764-63-0x000000006EFB0000-0x000000006F55B000-memory.dmp (Filesize: 5.7MB)
- memory/1764-62-0x000000006EFB0000-0x000000006F55B000-memory.dmp (Filesize: 5.7MB)
- memory/1764-60-0x0000000000000000-mapping.dmp