Analysis
max time kernel: 142s
max time network: 142s
platform: windows7_x64
resource: win7-20230220-en
resource tags: arch:x64, arch:x86, image:win7-20230220-en, locale:en-us, os:windows7-x64, system
submitted: 24/02/2023, 09:41

Static task: static1
Behavioral task: behavioral1
  Sample: 50695a48edcc2576675a4d862311b28b.exe
  Resource: win7-20230220-en
Behavioral task: behavioral2
  Sample: 50695a48edcc2576675a4d862311b28b.exe
  Resource: win10v2004-20230220-en

General
Target: 50695a48edcc2576675a4d862311b28b.exe
Size: 222KB
MD5: 50695a48edcc2576675a4d862311b28b
SHA1: 1e390ccab122caa7f1c396ed0325cdc572a65946
SHA256: 918bd8df4133a9c6a279757baf27e33ce33c0d115e405178c4563a556e26b647
SHA512: 6b927a88973641ceaab1ae01bd80414d540f14d408435f9aee1a387e5f190d42272a9c6e6a873573547a45df3f7b041cbbc148360e528fbe948e52578009d789
SSDEEP: 3072:/fY/TU9fE9PEtuZsbZUeHbkZUHZ+rINhqX+E13rGowgdMoTnqFiDyJvS+sr3vPPH:XYa6HOZUtFwlMrxwgUYGts7PwhtxY
Malware Config
Signatures
- WarzoneRat, AveMaria
  WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
- Modifies Windows Firewall (1 TTPs, 2 IoCs)
  pid 580  netsh.exe
  pid 320  netsh.exe
- Sets DLL path for service in the registry (2 TTPs, 1 IoCs)
  Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\TermService\Parameters\ServiceDll = "%ProgramFiles%\\Microsoft DN1\\sqlmap.dll"  (giuiwxga.exe)
- Executes dropped EXE (4 IoCs)
  pid 1900  giuiwxga.exe
  pid 544   giuiwxga.exe
  pid 2004  350.exe
  pid 1148  350.exe
- Loads dropped DLL (5 IoCs)
  pid 1624  50695a48edcc2576675a4d862311b28b.exe
  pid 1900  giuiwxga.exe
  pid 544   giuiwxga.exe
  pid 544   giuiwxga.exe
  pid 1480  Process not Found
- YARA rule match: upx
  behavioral1/files/0x0006000000014232-79.dat
  behavioral1/files/0x0006000000014232-82.dat
  behavioral1/files/0x0006000000014232-81.dat
  behavioral1/memory/2004-87-0x0000000000810000-0x000000000083D000-memory.dmp
  behavioral1/files/0x0006000000014232-93.dat
  behavioral1/files/0x0006000000014232-96.dat
  behavioral1/memory/1148-100-0x0000000000810000-0x000000000083D000-memory.dmp
  behavioral1/memory/2004-108-0x0000000000810000-0x000000000083D000-memory.dmp
  behavioral1/memory/1148-109-0x0000000000810000-0x000000000083D000-memory.dmp
- Adds Run key to start application (2 TTPs, 1 IoCs)
  Set value (str) \REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Windows\CurrentVersion\Run\ktoxhdmv = "C:\\Users\\Admin\\AppData\\Roaming\\vrbkgpxtd\\yrrnwgclhqavfo.exe \"C:\\Users\\Admin\\AppData\\Local\\Temp\\giuiwxga.exe\" C:\\Users\\Admin\\AppDat"  (giuiwxga.exe)
- Modifies WinLogon (2 TTPs, 4 IoCs)
  Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList  (giuiwxga.exe)
  Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts  (giuiwxga.exe)
  Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList\K.mAzfJ = "0"  (giuiwxga.exe)
  Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\AllowMultipleTSSessions = "1"  (giuiwxga.exe)
- Drops file in System32 directory (1 IoCs)
  File created C:\Windows\System32\rfxvmt.dll  (giuiwxga.exe)
- Suspicious use of SetThreadContext (1 IoCs)
  PID 1900 set thread context of 544  (giuiwxga.exe, procid_target 28)
- Drops file in Program Files directory (2 IoCs)
  File created C:\Program Files\Microsoft DN1\sqlmap.dll  (giuiwxga.exe)
  File created C:\Program Files\Microsoft DN1\rdpwrap.ini  (giuiwxga.exe)
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious behavior: LoadsDriver (4 IoCs)
  pid 1480  Process not Found  (4 entries)
- Suspicious behavior: MapViewOfSection (1 IoCs)
  pid 1900  giuiwxga.exe
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Token: SeDebugPrivilege  pid 544  giuiwxga.exe
- Suspicious use of WriteProcessMemory (25 IoCs)
  PID 1624 wrote to memory of 1900  (50695a48edcc2576675a4d862311b28b.exe, procid_target 26)  (4 entries)
  PID 1900 wrote to memory of 544   (giuiwxga.exe, procid_target 28)  (5 entries)
  PID 544 wrote to memory of 2004   (giuiwxga.exe, procid_target 30)  (4 entries)
  PID 2004 wrote to memory of 580   (350.exe, procid_target 31)  (4 entries)
  PID 544 wrote to memory of 1148   (giuiwxga.exe, procid_target 33)  (4 entries)
  PID 1148 wrote to memory of 320   (350.exe, procid_target 34)  (4 entries)
Processes
- C:\Users\Admin\AppData\Local\Temp\50695a48edcc2576675a4d862311b28b.exe  (PID 1624)
  Command line: "C:\Users\Admin\AppData\Local\Temp\50695a48edcc2576675a4d862311b28b.exe"
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\giuiwxga.exe  (PID 1900)
    Command line: "C:\Users\Admin\AppData\Local\Temp\giuiwxga.exe" C:\Users\Admin\AppData\Local\Temp\xmfqciidksw.w
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Suspicious use of SetThreadContext
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\giuiwxga.exe  (PID 544)
      Command line: "C:\Users\Admin\AppData\Local\Temp\giuiwxga.exe"
      - Sets DLL path for service in the registry
      - Executes dropped EXE
      - Loads dropped DLL
      - Modifies WinLogon
      - Drops file in System32 directory
      - Drops file in Program Files directory
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      - C:\Users\Admin\AppData\Local\Temp\350.exe  (PID 2004)
        Command line: "C:\Users\Admin\AppData\Local\Temp\350.exe"
        - Executes dropped EXE
        - Suspicious use of WriteProcessMemory
        - C:\Windows\SysWOW64\netsh.exe  (PID 580)
          Command line: netsh advfirewall firewall add rule name="3389" dir=in action=allow protocol=TCP localport=3389
          - Modifies Windows Firewall
      - C:\Users\Admin\AppData\Local\Temp\350.exe  (PID 1148)
        Command line: "C:\Users\Admin\AppData\Local\Temp\350.exe"
        - Executes dropped EXE
        - Suspicious use of WriteProcessMemory
        - C:\Windows\SysWOW64\netsh.exe  (PID 320)
          Command line: netsh advfirewall firewall add rule name="3389" dir=in action=allow protocol=TCP localport=3389
          - Modifies Windows Firewall
Network
MITRE ATT&CK Enterprise v6
Downloads
- Filesize: 70KB
  MD5: ca96229390a0e6a53e8f2125f2c01114
  SHA1: a54b1081cf58724f8cb292b4d165dfee2fb1c9f6
  SHA256: 0df3d05900e7b530f6c2a281d43c47839f2cf2a5d386553c8dc46e463a635a2c
  SHA512: e93445bce6c8b6f51890309577a0ea9369860d2e6bf8cc0ca708879a77bb176d27c5f559bbdb7deb4b719aee0fc48d9068c293559f7629baf4ec3515898102ef
- Filesize: 60KB
  MD5: 7e14ab7fdec2ba5ca24b6a3af21c430b
  SHA1: 8621b145ec2936a18a57ec5296c7b3ed088ba692
  SHA256: 85c5b0156d4043daaad9128b437c0124895a15678c155c3f3583003e1f16095e
  SHA512: 3b5d524326b84664a9ebe67dcd66ad61c4764dd2940d6ade22c963719c7c697d82c0f2e0784b79fae3fb36322586c325781c3e9fb8a30cf6ddb6e3dbf5f65f06
- Filesize: 161KB
  MD5: 6bf7158a9b5dc387e0dd79895abf1e52
  SHA1: 4dbffcaf9ea9b37d32b173af246532a13f71d1a6
  SHA256: aef63c8e0201a2975249852a6c7a11f256e615020ac04b5c31a5906b2bd30d2a
  SHA512: 3aa3926ca6a8a772f66193a5a590720205f40b13656990935abcad1ac2faff6dad71f15bf1558fbd807d9479ece65da26181dbdc3ee88de59081ccc344c7f1b5
- Filesize: 8KB
  MD5: 0407fc904cad9de15d803cb22985308a
  SHA1: 047eb49d90a212bd61ff6fa8b0f813e6899a0f3d
  SHA256: 238df51fccc66a32a3d082766a3642939a4422c6ed658936d2e365dbcc7cb264
  SHA512: 3625e85b843f378ea18dc2d5ec66fbbf96784cfc5ceb5a93e90249fab9ec25dd1ba84ff1c7d6329d53fc6e97338f90e59f53c21110f117e424c9b2054dff8055
- Filesize: 114KB
  MD5: 461ade40b800ae80a40985594e1ac236
  SHA1: b3892eef846c044a2b0785d54a432b3e93a968c8
  SHA256: 798af20db39280f90a1d35f2ac2c1d62124d1f5218a2a0fa29d87a13340bd3e4
  SHA512: 421f9060c4b61fa6f4074508602a2639209032fd5df5bfc702a159e3bad5479684ccb3f6e02f3e38fb8db53839cf3f41fe58a3acad6ec1199a48dc333b2d8a26