Analysis
- max time kernel: 552s
- max time network: 555s
- platform: windows10-2004_x64
- resource: win10v2004-20221111-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 02-02-2023 15:27
Static task: static1
Behavioral task: behavioral1
  Sample: Quotation 202311025_PDF.scr
  Resource: win7-20221111-en
Behavioral task: behavioral2
  Sample: Quotation 202311025_PDF.scr
  Resource: win10v2004-20221111-en
General
- Target: Quotation 202311025_PDF.scr
- Size: 24KB
- MD5: f1ed9f09ea489162b2a5ef0c4d285503
- SHA1: 5e1b5599aef58f90e4ad3efa43661a1d7cc4ed6c
- SHA256: c8007f5d3d8770320aa06642b4363f60d8caa0056507a6e1bf94dfb38b786f97
- SHA512: 4dfa6ad16b68bcc15362a93ef970bde290a654f67df507d8a3e8976ae45d38a4603184ad79fb7099de5fdaed637b8291022c3af3a374435428cc99512403252a
- SSDEEP: 384:iJg3aSz4PT02opvtOvt6Y4BwEapWNJR+:iW3Dl2oZU1ZdWNJR
Malware Config
Extracted
- warzonerat
- 37.120.155.179:52920
Signatures
- WarzoneRat, AveMaria
  WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  Processes: Quotation 202311025_PDF.scr
    description: Key value queried
    ioc: \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation
    process: Quotation 202311025_PDF.scr
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes: Quotation 202311025_PDF.scr
    description: Set value (str)
    ioc: \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Qreoiutud = "\"C:\\Users\\Admin\\AppData\\Roaming\\Nqzrmbza\\Qreoiutud.exe\""
    process: Quotation 202311025_PDF.scr
- Suspicious use of SetThreadContext (1 IoC)
  Processes: Quotation 202311025_PDF.scr
    description: PID 2728 set thread context of 1808
    pid: 2728
    process: Quotation 202311025_PDF.scr
    target process: RegAsm.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Gathers network information (2 TTPs, 2 IoCs)
  Uses commandline utility to view network configuration.
  Processes: ipconfig.exe, ipconfig.exe
    pid 4408: ipconfig.exe
    pid 4016: ipconfig.exe
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes: powershell.exe
    pid 4784: powershell.exe
    pid 4784: powershell.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes: Quotation 202311025_PDF.scr, powershell.exe
    Token: SeDebugPrivilege (pid 2728, Quotation 202311025_PDF.scr)
    Token: SeDebugPrivilege (pid 4784, powershell.exe)
- Suspicious use of WriteProcessMemory (25 IoCs)
  Processes: Quotation 202311025_PDF.scr, cmd.exe, cmd.exe
  Each row: description (pid, process, target process)
    PID 2728 wrote to memory of 1280 (2728, Quotation 202311025_PDF.scr, cmd.exe)
    PID 2728 wrote to memory of 1280 (2728, Quotation 202311025_PDF.scr, cmd.exe)
    PID 2728 wrote to memory of 1280 (2728, Quotation 202311025_PDF.scr, cmd.exe)
    PID 1280 wrote to memory of 4408 (1280, cmd.exe, ipconfig.exe)
    PID 1280 wrote to memory of 4408 (1280, cmd.exe, ipconfig.exe)
    PID 1280 wrote to memory of 4408 (1280, cmd.exe, ipconfig.exe)
    PID 2728 wrote to memory of 4784 (2728, Quotation 202311025_PDF.scr, powershell.exe)
    PID 2728 wrote to memory of 4784 (2728, Quotation 202311025_PDF.scr, powershell.exe)
    PID 2728 wrote to memory of 4784 (2728, Quotation 202311025_PDF.scr, powershell.exe)
    PID 2728 wrote to memory of 4264 (2728, Quotation 202311025_PDF.scr, cmd.exe)
    PID 2728 wrote to memory of 4264 (2728, Quotation 202311025_PDF.scr, cmd.exe)
    PID 2728 wrote to memory of 4264 (2728, Quotation 202311025_PDF.scr, cmd.exe)
    PID 4264 wrote to memory of 4016 (4264, cmd.exe, ipconfig.exe)
    PID 4264 wrote to memory of 4016 (4264, cmd.exe, ipconfig.exe)
    PID 4264 wrote to memory of 4016 (4264, cmd.exe, ipconfig.exe)
    PID 2728 wrote to memory of 1808 (2728, Quotation 202311025_PDF.scr, RegAsm.exe)
    PID 2728 wrote to memory of 1808 (2728, Quotation 202311025_PDF.scr, RegAsm.exe)
    PID 2728 wrote to memory of 1808 (2728, Quotation 202311025_PDF.scr, RegAsm.exe)
    PID 2728 wrote to memory of 1808 (2728, Quotation 202311025_PDF.scr, RegAsm.exe)
    PID 2728 wrote to memory of 1808 (2728, Quotation 202311025_PDF.scr, RegAsm.exe)
    PID 2728 wrote to memory of 1808 (2728, Quotation 202311025_PDF.scr, RegAsm.exe)
    PID 2728 wrote to memory of 1808 (2728, Quotation 202311025_PDF.scr, RegAsm.exe)
    PID 2728 wrote to memory of 1808 (2728, Quotation 202311025_PDF.scr, RegAsm.exe)
    PID 2728 wrote to memory of 1808 (2728, Quotation 202311025_PDF.scr, RegAsm.exe)
    PID 2728 wrote to memory of 1808 (2728, Quotation 202311025_PDF.scr, RegAsm.exe)
Processes (process tree; indentation shows parent/child depth)
- C:\Users\Admin\AppData\Local\Temp\Quotation 202311025_PDF.scr
  Command line: "C:\Users\Admin\AppData\Local\Temp\Quotation 202311025_PDF.scr" /S
  - Checks computer location settings
  - Adds Run key to start application
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c ipconfig/release
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\ipconfig.exe
      Command line: ipconfig /release
      - Gathers network information
  - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMgAwAA==
    (the -ENC argument is base64-encoded UTF-16LE and decodes to: start-sleep -seconds 20)
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c ipconfig/renew
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\ipconfig.exe
      Command line: ipconfig /renew
      - Gathers network information
  - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- memory/1280-134-0x0000000000000000-mapping.dmp
- memory/1808-152-0x0000000000400000-0x000000000055E000-memory.dmp (Filesize: 1.4MB)
- memory/1808-151-0x0000000000400000-0x000000000055E000-memory.dmp (Filesize: 1.4MB)
- memory/1808-149-0x0000000000400000-0x000000000055E000-memory.dmp (Filesize: 1.4MB)
- memory/1808-147-0x0000000000400000-0x000000000055E000-memory.dmp (Filesize: 1.4MB)
- memory/1808-146-0x0000000000000000-mapping.dmp
- memory/2728-133-0x0000000006570000-0x0000000006592000-memory.dmp (Filesize: 136KB)
- memory/2728-132-0x00000000003D0000-0x00000000003DC000-memory.dmp (Filesize: 48KB)
- memory/4016-145-0x0000000000000000-mapping.dmp
- memory/4264-144-0x0000000000000000-mapping.dmp
- memory/4408-135-0x0000000000000000-mapping.dmp
- memory/4784-136-0x0000000000000000-mapping.dmp
- memory/4784-143-0x0000000006520000-0x000000000653A000-memory.dmp (Filesize: 104KB)
- memory/4784-142-0x0000000007690000-0x0000000007D0A000-memory.dmp (Filesize: 6.5MB)
- memory/4784-141-0x0000000006000000-0x000000000601E000-memory.dmp (Filesize: 120KB)
- memory/4784-140-0x00000000059B0000-0x0000000005A16000-memory.dmp (Filesize: 408KB)
- memory/4784-139-0x0000000005810000-0x0000000005876000-memory.dmp (Filesize: 408KB)
- memory/4784-138-0x0000000005170000-0x0000000005798000-memory.dmp (Filesize: 6.2MB)
- memory/4784-137-0x0000000002A20000-0x0000000002A56000-memory.dmp (Filesize: 216KB)