Analysis
-
max time kernel
111s -
max time network
141s -
platform
windows10-2004_x64 -
resource
win10v2004-20220812-en -
resource tags
-
submitted
15-02-2023 23:28
General
-
Target
PURCHASE ORDER.doc
-
Size
78KB
-
MD5
64559d83eb87d528a109b1e3a067bb9a
-
SHA1
4711cd71b583f87548d699c14e8a39a595b7a70b
-
SHA256
284f55fed83bb6e37858ff016660423600caadf375aa5ed8333c418bc6a03d36
-
SHA512
c887bda5ca7d62c1586dd8454b1a5e56c4e156329b99104e4db38b4b54b37c4931a2da8838a6ffb9c1c1798f1e1f6f4eda951a691c768868825a04587b7502b8
-
SSDEEP
1536:lZlUideVtGei5nvxHySvPlVFd5pw7WpNY3q38iVTt:lZlUIuSvxzPlVwap4Wd
Malware Config
Signatures
-
Process spawned unexpected child process 1 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
-
WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
-
Downloads MZ/PE file
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 3 IoCs
-
Suspicious use of SetThreadContext 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
Suspicious behavior: AddClipboardFormatListener 2 IoCs
-
Suspicious behavior: EnumeratesProcesses 6 IoCs
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
-
Suspicious use of SetWindowsHookEx 4 IoCs
-
Suspicious use of WriteProcessMemory 25 IoCs
Processes
-
C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\PURCHASE ORDER.doc" /o ""1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k hey.txt2⤵
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\hey.txthey.txt3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\ZooUzERsvsgBLT.exe"4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ZooUzERsvsgBLT" /XML "C:\Users\Admin\AppData\Local\Temp\tmp3B24.tmp"4⤵
- Creates scheduled task(s)
-
-
C:\Users\Admin\AppData\Local\Temp\hey.txt"C:\Users\Admin\AppData\Local\Temp\hey.txt"4⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Local\Temp\hey.txt"C:\Users\Admin\AppData\Local\Temp\hey.txt"4⤵
- Executes dropped EXE
-
-
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
880KB
MD569c7f6716fd29e8e9a2bd06b462ca6ff
SHA1e79da5de5e4c8335eeb63102d1bd6e0d64630f8b
SHA2568e4be4419065e5426c553601aa55c2565c4a2c893799f7e9f4ad3b1061915bbb
SHA5128851e4a7634d8b716b2b7dbd910715abd8a951213c584b3b4f26ac1b70fb401272eeac3eca5f232ec58be35756a3258e429317d2d71d1b421211a7764ec2b8b0
-
Filesize
880KB
MD569c7f6716fd29e8e9a2bd06b462ca6ff
SHA1e79da5de5e4c8335eeb63102d1bd6e0d64630f8b
SHA2568e4be4419065e5426c553601aa55c2565c4a2c893799f7e9f4ad3b1061915bbb
SHA5128851e4a7634d8b716b2b7dbd910715abd8a951213c584b3b4f26ac1b70fb401272eeac3eca5f232ec58be35756a3258e429317d2d71d1b421211a7764ec2b8b0
-
Filesize
880KB
MD569c7f6716fd29e8e9a2bd06b462ca6ff
SHA1e79da5de5e4c8335eeb63102d1bd6e0d64630f8b
SHA2568e4be4419065e5426c553601aa55c2565c4a2c893799f7e9f4ad3b1061915bbb
SHA5128851e4a7634d8b716b2b7dbd910715abd8a951213c584b3b4f26ac1b70fb401272eeac3eca5f232ec58be35756a3258e429317d2d71d1b421211a7764ec2b8b0
-
Filesize
880KB
MD569c7f6716fd29e8e9a2bd06b462ca6ff
SHA1e79da5de5e4c8335eeb63102d1bd6e0d64630f8b
SHA2568e4be4419065e5426c553601aa55c2565c4a2c893799f7e9f4ad3b1061915bbb
SHA5128851e4a7634d8b716b2b7dbd910715abd8a951213c584b3b4f26ac1b70fb401272eeac3eca5f232ec58be35756a3258e429317d2d71d1b421211a7764ec2b8b0
-
Filesize
1KB
MD55f7a9bb771eb532a1062eed12c07de15
SHA148fc6bc4b50f0fcffb8b73a111063351277c46bf
SHA25688d27ef4f61c1919fccdcd9c9e015a7354d8e5ec34c4e386d7c592dc0957ce77
SHA512449390538f657b64706735d586ea3c165efd6db72ab39bcde11177169a09331f030f4752a790af3b84cdbb4600c798408650bbe39597c50ed4059ef6528bdf91
-
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
904KB
-
Filesize
624KB
-
Filesize
40KB
-
Filesize
584KB
-
Filesize
5.6MB
-
-
-
-
Filesize
1.4MB
-
Filesize
1.4MB
-
-
Filesize
1.4MB
-
Filesize
1.4MB
-
Filesize
104KB
-
Filesize
56KB
-
Filesize
200KB
-
Filesize
304KB
-
Filesize
120KB
-
Filesize
6.5MB
-
Filesize
408KB
-
Filesize
40KB
-
Filesize
600KB
-
Filesize
120KB
-
Filesize
104KB
-
Filesize
32KB
-
Filesize
408KB
-
Filesize
136KB
-
Filesize
6.2MB
-
Filesize
216KB
-