Analysis
-
max time kernel: 146s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20230220-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
submitted: 24/02/2023, 12:07
Static task: static1
Behavioral task: behavioral1
  Sample: Nueva Licitación·pdf.exe
  Resource: win7-20230220-en
Behavioral task: behavioral2
  Sample: Nueva Licitación·pdf.exe
  Resource: win10v2004-20230220-en
General
Target: Nueva Licitación·pdf.exe
Size: 694KB
MD5: e139e86d62fbf7c936d7243f18161b95
SHA1: ec350ff61126352132c96bbbf3e19f6670998aca
SHA256: e1ac514b5cc907df4f0a6ed89cb6f17827302f89fd4cb95d8f8606b4d2e54d5b
SHA512: d7357101df9a778e2302b2b6f1d12779428001613d17ad672747d84f2fe3f312703593405553376cdbb04210792131cdeb01935f503fd0822ae0e73554c708a0
SSDEEP: 12288:3FfNPXhuc7Uu1mk38CPV3z0srfJe5wAUYnrl4oLYaxZ/ZIWAz:rfkyUg8CPVfrBe5wAUYr2+YaxZGnz
Malware Config
Signatures
-
WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
-
Checks QEMU agent file 2 TTPs 2 IoCs
Checks presence of QEMU agent, possibly to detect virtualization.
description | ioc | Process
File opened (read-only) | C:\Program Files\Qemu-ga\qemu-ga.exe | Nueva Licitación·pdf.exe
File opened (read-only) | C:\Program Files\Qemu-ga\qemu-ga.exe | Nueva Licitación·pdf.exe
Drops startup file 2 IoCs
description | ioc | Process
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\programs.bat | Nueva Licitación·pdf.exe
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\programs.bat:start | Nueva Licitación·pdf.exe
Loads dropped DLL 2 IoCs
pid | Process
392 | Nueva Licitación·pdf.exe
392 | Nueva Licitación·pdf.exe
Adds Run key to start application 2 TTPs 1 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows 8 update = "C:\\Users\\Admin\\Documents\\Windows8.exe" | Nueva Licitación·pdf.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs
pid | Process
4968 | Nueva Licitación·pdf.exe
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
pid | Process
392 | Nueva Licitación·pdf.exe
4968 | Nueva Licitación·pdf.exe
Suspicious use of SetThreadContext 1 IoCs
description | pid | Process | procid_target
PID 392 set thread context of 4968 | 392 | Nueva Licitación·pdf.exe | 86
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
NSIS installer 4 IoCs
resource | yara_rule
behavioral2/files/0x000600000002315a-174.dat | nsis_installer_1
behavioral2/files/0x000600000002315a-174.dat | nsis_installer_2
behavioral2/files/0x000600000002315a-180.dat | nsis_installer_1
behavioral2/files/0x000600000002315a-180.dat | nsis_installer_2
NTFS ADS 1 IoCs
description | ioc | Process
File created | C:\Users\Admin\Documents\Documents:ApplicationData | Nueva Licitación·pdf.exe
Suspicious behavior: MapViewOfSection 1 IoCs
pid | Process
392 | Nueva Licitación·pdf.exe
Suspicious use of WriteProcessMemory 7 IoCs
description | pid | Process | procid_target
PID 392 wrote to memory of 4968 | 392 | Nueva Licitación·pdf.exe | 86
PID 392 wrote to memory of 4968 | 392 | Nueva Licitación·pdf.exe | 86
PID 392 wrote to memory of 4968 | 392 | Nueva Licitación·pdf.exe | 86
PID 392 wrote to memory of 4968 | 392 | Nueva Licitación·pdf.exe | 86
PID 4968 wrote to memory of 3136 | 4968 | Nueva Licitación·pdf.exe | 87
PID 4968 wrote to memory of 3136 | 4968 | Nueva Licitación·pdf.exe | 87
PID 4968 wrote to memory of 3136 | 4968 | Nueva Licitación·pdf.exe | 87
Processes
Level 1: C:\Users\Admin\AppData\Local\Temp\Nueva Licitación·pdf.exe (PID 392)
  Command line: "C:\Users\Admin\AppData\Local\Temp\Nueva Licitación·pdf.exe"
  - Checks QEMU agent file
  - Loads dropped DLL
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of SetThreadContext
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  Level 2: C:\Users\Admin\AppData\Local\Temp\Nueva Licitación·pdf.exe (PID 4968), child of PID 392
    Command line: "C:\Users\Admin\AppData\Local\Temp\Nueva Licitación·pdf.exe"
    - Checks QEMU agent file
    - Drops startup file
    - Adds Run key to start application
    - Suspicious use of NtCreateThreadExHideFromDebugger
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - NTFS ADS
    - Suspicious use of WriteProcessMemory
    Level 3: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 3136), child of PID 4968
      Command line: powershell Add-MpPreference -ExclusionPath C:\
    Level 3: C:\Users\Admin\Documents\Windows8.exe (PID 4856), child of PID 4968
      Command line: "C:\Users\Admin\Documents\Windows8.exe"
Network
MITRE ATT&CK Enterprise v6
Downloads
- Filesize: 60B
  MD5: d17fe0a3f47be24a6453e9ef58c94641
  SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
  SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
  SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
- Filesize: 11KB
  MD5: 0063d48afe5a0cdc02833145667b6641
  SHA1: e7eb614805d183ecb1127c62decb1a6be1b4f7a8
  SHA256: ac9dfe3b35ea4b8932536ed7406c29a432976b685cc5322f94ef93df920fede7
  SHA512: 71cbbcaeb345e09306e368717ea0503fe8df485be2e95200febc61bcd8ba74fb4211cd263c232f148c0123f6c6f2e3fd4ea20bdecc4070f5208c35c6920240f0
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Archilochian\Steffans\Mastras188\Mfl.Mil54
  Filesize: 93KB
  MD5: 827bf2670868763c1efb414a81704260
  SHA1: 887e1b09617570f55a715e916d26af6f40c433b8
  SHA256: 3df0b3fa4190d8a63cfbde83b45e166b64cc1ff2a1d627e4ca2d7737e7d020af
  SHA512: 483c6bed293892cfd93550e008391097b08fe7ce248eeacd539adcd3f157dfbad2ec09aee1837d5e5e189cf0cc276c05507e79a45e37a7382f46719f7a474f3e
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Archilochian\Victuals\Protevangelium\Aquatinta\Timoteus\Plovjern.Lax113
  Filesize: 234KB
  MD5: 9d9a2bddb2619eefda32b51f6dced7e1
  SHA1: fb5c7dec1e01b3cd4399c2af8d3148f1be082926
  SHA256: e54b3b3f11ac93036a7ada30d2986d7bd322807970efd1c5944aee4c330da6ba
  SHA512: 1d48e4b1d5730ea139cc2a449542c9d873ab8abc27d6e4b79b65d81f4230cee4ba741af810a8638eaa2d3d2879e43c7e3974e0e783217eba762208a82e13ac2d
- Filesize: 694KB (same hashes as the submitted sample)
  MD5: e139e86d62fbf7c936d7243f18161b95
  SHA1: ec350ff61126352132c96bbbf3e19f6670998aca
  SHA256: e1ac514b5cc907df4f0a6ed89cb6f17827302f89fd4cb95d8f8606b4d2e54d5b
  SHA512: d7357101df9a778e2302b2b6f1d12779428001613d17ad672747d84f2fe3f312703593405553376cdbb04210792131cdeb01935f503fd0822ae0e73554c708a0