Analysis
max time kernel: 96s
max time network: 147s
platform: windows10-2004_x64
resource: win10v2004-20230220-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
submitted: 24/02/2023, 09:41
Static task: static1
Behavioral task: behavioral1
  Sample: 50695a48edcc2576675a4d862311b28b.exe
  Resource: win7-20230220-en
Behavioral task: behavioral2
  Sample: 50695a48edcc2576675a4d862311b28b.exe
  Resource: win10v2004-20230220-en
General
Target: 50695a48edcc2576675a4d862311b28b.exe
Size: 222KB
MD5: 50695a48edcc2576675a4d862311b28b
SHA1: 1e390ccab122caa7f1c396ed0325cdc572a65946
SHA256: 918bd8df4133a9c6a279757baf27e33ce33c0d115e405178c4563a556e26b647
SHA512: 6b927a88973641ceaab1ae01bd80414d540f14d408435f9aee1a387e5f190d42272a9c6e6a873573547a45df3f7b041cbbc148360e528fbe948e52578009d789
SSDEEP: 3072:/fY/TU9fE9PEtuZsbZUeHbkZUHZ+rINhqX+E13rGowgdMoTnqFiDyJvS+sr3vPPH:XYa6HOZUtFwlMrxwgUYGts7PwhtxY
Malware Config
Signatures

WarzoneRat, AveMaria
  WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.

Sets DLL path for service in the registry (2 TTPs, 1 IoC)
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\TermService\Parameters\ServiceDll = "%ProgramFiles%\\Microsoft DN1\\sqlmap.dll" | giuiwxga.exe

Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  description | ioc | process
  Key value queried | \REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Control Panel\International\Geo\Nation | giuiwxga.exe

Executes dropped EXE (2 IoCs)
  pid | process
  3656 | giuiwxga.exe
  4404 | giuiwxga.exe

Loads dropped DLL (1 IoC)
  pid | process
  1816 | svchost.exe

Adds Run key to start application (2 TTPs, 1 IoC)
  description | ioc | process
  Set value (str) | \REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ktoxhdmv = "C:\\Users\\Admin\\AppData\\Roaming\\vrbkgpxtd\\yrrnwgclhqavfo.exe \"C:\\Users\\Admin\\AppData\\Local\\Temp\\giuiwxga.exe\" C:\\Users\\Admin\\AppDat" | giuiwxga.exe

Modifies WinLogon (2 TTPs, 4 IoCs)
  description | ioc | process
  Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList | giuiwxga.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts | giuiwxga.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList\bbc.pdu = "0" | giuiwxga.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\AllowMultipleTSSessions = "1" | giuiwxga.exe

Drops file in System32 directory (1 IoC)
  description | ioc | process
  File created | C:\Windows\System32\rfxvmt.dll | giuiwxga.exe

Suspicious use of SetThreadContext (1 IoC)
  description | pid | process | procid_target
  PID 3656 set thread context of 4404 | 3656 | giuiwxga.exe | 88

Drops file in Program Files directory (2 IoCs)
  description | ioc | process
  File created | C:\Program Files\Microsoft DN1\sqlmap.dll | giuiwxga.exe
  File created | C:\Program Files\Microsoft DN1\rdpwrap.ini | giuiwxga.exe

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Suspicious behavior: EnumeratesProcesses (4 IoCs)
  pid | process
  1816 | svchost.exe
  1816 | svchost.exe
  1816 | svchost.exe
  1816 | svchost.exe

Suspicious behavior: LoadsDriver (1 IoC)
  pid | process
  672 | Process not Found

Suspicious behavior: MapViewOfSection (1 IoC)
  pid | process
  3656 | giuiwxga.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description | pid | process
  Token: SeDebugPrivilege | 4404 | giuiwxga.exe
  Token: SeAuditPrivilege | 1816 | svchost.exe

Suspicious use of WriteProcessMemory (7 IoCs)
  description | pid | process | procid_target
  PID 2640 wrote to memory of 3656 | 2640 | 50695a48edcc2576675a4d862311b28b.exe | 86
  PID 2640 wrote to memory of 3656 | 2640 | 50695a48edcc2576675a4d862311b28b.exe | 86
  PID 2640 wrote to memory of 3656 | 2640 | 50695a48edcc2576675a4d862311b28b.exe | 86
  PID 3656 wrote to memory of 4404 | 3656 | giuiwxga.exe | 88
  PID 3656 wrote to memory of 4404 | 3656 | giuiwxga.exe | 88
  PID 3656 wrote to memory of 4404 | 3656 | giuiwxga.exe | 88
  PID 3656 wrote to memory of 4404 | 3656 | giuiwxga.exe | 88
Processes

  C:\Users\Admin\AppData\Local\Temp\50695a48edcc2576675a4d862311b28b.exe  (PID 2640)
    command line: "C:\Users\Admin\AppData\Local\Temp\50695a48edcc2576675a4d862311b28b.exe"
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\giuiwxga.exe  (PID 3656)
      command line: "C:\Users\Admin\AppData\Local\Temp\giuiwxga.exe" C:\Users\Admin\AppData\Local\Temp\xmfqciidksw.w
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious use of SetThreadContext
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of WriteProcessMemory

      C:\Users\Admin\AppData\Local\Temp\giuiwxga.exe  (PID 4404)
        command line: "C:\Users\Admin\AppData\Local\Temp\giuiwxga.exe"
        - Sets DLL path for service in the registry
        - Checks computer location settings
        - Executes dropped EXE
        - Modifies WinLogon
        - Drops file in System32 directory
        - Drops file in Program Files directory
        - Suspicious use of AdjustPrivilegeToken

  C:\Windows\System32\svchost.exe  (PID 640)
    command line: C:\Windows\System32\svchost.exe -k NetworkService -s TermService

  C:\Windows\System32\svchost.exe  (PID 1816)
    command line: C:\Windows\System32\svchost.exe -k NetworkService -s TermService
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v6
Downloads

Filesize: 114KB
MD5: 461ade40b800ae80a40985594e1ac236
SHA1: b3892eef846c044a2b0785d54a432b3e93a968c8
SHA256: 798af20db39280f90a1d35f2ac2c1d62124d1f5218a2a0fa29d87a13340bd3e4
SHA512: 421f9060c4b61fa6f4074508602a2639209032fd5df5bfc702a159e3bad5479684ccb3f6e02f3e38fb8db53839cf3f41fe58a3acad6ec1199a48dc333b2d8a26

Filesize: 60KB
MD5: 7e14ab7fdec2ba5ca24b6a3af21c430b
SHA1: 8621b145ec2936a18a57ec5296c7b3ed088ba692
SHA256: 85c5b0156d4043daaad9128b437c0124895a15678c155c3f3583003e1f16095e
SHA512: 3b5d524326b84664a9ebe67dcd66ad61c4764dd2940d6ade22c963719c7c697d82c0f2e0784b79fae3fb36322586c325781c3e9fb8a30cf6ddb6e3dbf5f65f06

Filesize: 60KB
MD5: 7e14ab7fdec2ba5ca24b6a3af21c430b
SHA1: 8621b145ec2936a18a57ec5296c7b3ed088ba692
SHA256: 85c5b0156d4043daaad9128b437c0124895a15678c155c3f3583003e1f16095e
SHA512: 3b5d524326b84664a9ebe67dcd66ad61c4764dd2940d6ade22c963719c7c697d82c0f2e0784b79fae3fb36322586c325781c3e9fb8a30cf6ddb6e3dbf5f65f06

Filesize: 60KB
MD5: 7e14ab7fdec2ba5ca24b6a3af21c430b
SHA1: 8621b145ec2936a18a57ec5296c7b3ed088ba692
SHA256: 85c5b0156d4043daaad9128b437c0124895a15678c155c3f3583003e1f16095e
SHA512: 3b5d524326b84664a9ebe67dcd66ad61c4764dd2940d6ade22c963719c7c697d82c0f2e0784b79fae3fb36322586c325781c3e9fb8a30cf6ddb6e3dbf5f65f06

Filesize: 161KB
MD5: 6bf7158a9b5dc387e0dd79895abf1e52
SHA1: 4dbffcaf9ea9b37d32b173af246532a13f71d1a6
SHA256: aef63c8e0201a2975249852a6c7a11f256e615020ac04b5c31a5906b2bd30d2a
SHA512: 3aa3926ca6a8a772f66193a5a590720205f40b13656990935abcad1ac2faff6dad71f15bf1558fbd807d9479ece65da26181dbdc3ee88de59081ccc344c7f1b5

Filesize: 8KB
MD5: 0407fc904cad9de15d803cb22985308a
SHA1: 047eb49d90a212bd61ff6fa8b0f813e6899a0f3d
SHA256: 238df51fccc66a32a3d082766a3642939a4422c6ed658936d2e365dbcc7cb264
SHA512: 3625e85b843f378ea18dc2d5ec66fbbf96784cfc5ceb5a93e90249fab9ec25dd1ba84ff1c7d6329d53fc6e97338f90e59f53c21110f117e424c9b2054dff8055

Filesize: 299KB
MD5: fca6ba93c780afa00a5703df9ac65754
SHA1: 3ed423763fdd9722ff8bed3667ffa93f77390138
SHA256: 1c4930123ec2a809b3bd93969967d6c321d8d65fc7b886e062b2581c741944e5
SHA512: 538b0995be3796737575a2fd3aaa1644b3e6566e4cd5ed5c4df9e0a586368e7ceea8f0284de53f7c3f0874fc90b9a194d2ea1438bc9d7779eb12d00b8807f595

Filesize: 114KB
MD5: 461ade40b800ae80a40985594e1ac236
SHA1: b3892eef846c044a2b0785d54a432b3e93a968c8
SHA256: 798af20db39280f90a1d35f2ac2c1d62124d1f5218a2a0fa29d87a13340bd3e4
SHA512: 421f9060c4b61fa6f4074508602a2639209032fd5df5bfc702a159e3bad5479684ccb3f6e02f3e38fb8db53839cf3f41fe58a3acad6ec1199a48dc333b2d8a26