Analysis
-
max time kernel: 149s
max time network: 151s
platform: windows7_x64
resource: win7-20230220-en
resource tags: arch:x64, arch:x86, image:win7-20230220-en, locale:en-us, os:windows7-x64, system
submitted: 24/02/2023, 18:20
Static task: static1
Behavioral task: behavioral1
Sample: FCEE4E3E7DDC82570DF89F9CBF013D01.exe
Resource: win7-20230220-en
Behavioral task: behavioral2
Sample: FCEE4E3E7DDC82570DF89F9CBF013D01.exe
Resource: win10v2004-20230220-en
General
-
Target: FCEE4E3E7DDC82570DF89F9CBF013D01.exe
Size: 284KB
MD5: fcee4e3e7ddc82570df89f9cbf013d01
SHA1: b5a7d853e8f041876aaa82d4b28664246d28576d
SHA256: 81f94cffb6a6c854eca0e0b8d5cf43b43736b549d01f56f946d08760523598c7
SHA512: 3cfbbb64cff247ac9930733770f86385d65cb92ac7fe242494c70dbe58b8b461ac9ab98b4f84dd9c49627eff4cdc8c6f5e5403bb470e06dbe2bc69c6f8f4621b
SSDEEP: 6144:uicFyLT+g1GQbT9N556+bllmYJ9kONyZmjkHa5C8bE7en7:hPTT1NTDbBb/m0QmzQKEa7
Malware Config
Signatures
-
WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
-
Checks QEMU agent file (2 TTPs, 2 IoCs)
Checks presence of QEMU agent, possibly to detect virtualization.
description | ioc | Process
File opened (read-only) | C:\Program Files\Qemu-ga\qemu-ga.exe | FCEE4E3E7DDC82570DF89F9CBF013D01.exe
File opened (read-only) | C:\Program Files\Qemu-ga\qemu-ga.exe | FCEE4E3E7DDC82570DF89F9CBF013D01.exe
-
Drops startup file (2 IoCs)
description | ioc | Process
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\programs.bat | FCEE4E3E7DDC82570DF89F9CBF013D01.exe
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\programs.bat:start | FCEE4E3E7DDC82570DF89F9CBF013D01.exe
-
Executes dropped EXE (1 IoCs)
pid | Process
764 | Windows8.exe
-
Loads dropped DLL (5 IoCs)
pid | Process
1200 | FCEE4E3E7DDC82570DF89F9CBF013D01.exe
1200 | FCEE4E3E7DDC82570DF89F9CBF013D01.exe
432 | FCEE4E3E7DDC82570DF89F9CBF013D01.exe
764 | Windows8.exe
764 | Windows8.exe
-
Adds Run key to start application (2 TTPs, 1 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Windows 8 updated = "C:\\Users\\Admin\\Documents\\Windows8.exe" | FCEE4E3E7DDC82570DF89F9CBF013D01.exe
-
Legitimate hosting services abused for malware hosting/C2 (1 TTPs)
-
Suspicious use of NtCreateThreadExHideFromDebugger (1 IoCs)
pid | Process
432 | FCEE4E3E7DDC82570DF89F9CBF013D01.exe
-
Suspicious use of NtSetInformationThreadHideFromDebugger (2 IoCs)
pid | Process
1200 | FCEE4E3E7DDC82570DF89F9CBF013D01.exe
432 | FCEE4E3E7DDC82570DF89F9CBF013D01.exe
-
Suspicious use of SetThreadContext (1 IoCs)
description | pid | Process | procid_target
PID 1200 set thread context of 432 | 1200 | FCEE4E3E7DDC82570DF89F9CBF013D01.exe | 28
-
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
NTFS ADS (1 IoCs)
description | ioc | Process
File created | C:\Users\Admin\Documents\Documents:ApplicationData | FCEE4E3E7DDC82570DF89F9CBF013D01.exe
-
Suspicious behavior: EnumeratesProcesses (1 IoCs)
pid | Process
296 | powershell.exe
-
Suspicious behavior: MapViewOfSection (1 IoCs)
pid | Process
1200 | FCEE4E3E7DDC82570DF89F9CBF013D01.exe
-
Suspicious use of AdjustPrivilegeToken (1 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 296 | powershell.exe
-
Suspicious use of WriteProcessMemory (13 IoCs)
description | pid | Process | procid_target
PID 1200 wrote to memory of 432 | 1200 | FCEE4E3E7DDC82570DF89F9CBF013D01.exe | 28
PID 1200 wrote to memory of 432 | 1200 | FCEE4E3E7DDC82570DF89F9CBF013D01.exe | 28
PID 1200 wrote to memory of 432 | 1200 | FCEE4E3E7DDC82570DF89F9CBF013D01.exe | 28
PID 1200 wrote to memory of 432 | 1200 | FCEE4E3E7DDC82570DF89F9CBF013D01.exe | 28
PID 1200 wrote to memory of 432 | 1200 | FCEE4E3E7DDC82570DF89F9CBF013D01.exe | 28
PID 432 wrote to memory of 296 | 432 | FCEE4E3E7DDC82570DF89F9CBF013D01.exe | 31
PID 432 wrote to memory of 296 | 432 | FCEE4E3E7DDC82570DF89F9CBF013D01.exe | 31
PID 432 wrote to memory of 296 | 432 | FCEE4E3E7DDC82570DF89F9CBF013D01.exe | 31
PID 432 wrote to memory of 296 | 432 | FCEE4E3E7DDC82570DF89F9CBF013D01.exe | 31
PID 432 wrote to memory of 764 | 432 | FCEE4E3E7DDC82570DF89F9CBF013D01.exe | 33
PID 432 wrote to memory of 764 | 432 | FCEE4E3E7DDC82570DF89F9CBF013D01.exe | 33
PID 432 wrote to memory of 764 | 432 | FCEE4E3E7DDC82570DF89F9CBF013D01.exe | 33
PID 432 wrote to memory of 764 | 432 | FCEE4E3E7DDC82570DF89F9CBF013D01.exe | 33
Processes
-
C:\Users\Admin\AppData\Local\Temp\FCEE4E3E7DDC82570DF89F9CBF013D01.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\FCEE4E3E7DDC82570DF89F9CBF013D01.exe"
Tree depth: 1
- Checks QEMU agent file
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID: 1200
-
C:\Users\Admin\AppData\Local\Temp\FCEE4E3E7DDC82570DF89F9CBF013D01.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\FCEE4E3E7DDC82570DF89F9CBF013D01.exe"
Tree depth: 2
- Checks QEMU agent file
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
- NTFS ADS
- Suspicious use of WriteProcessMemory
PID: 432
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Command line: powershell Add-MpPreference -ExclusionPath C:\
Tree depth: 3
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 296
-
C:\Users\Admin\Documents\Windows8.exe
Command line: "C:\Users\Admin\Documents\Windows8.exe"
Tree depth: 3
- Executes dropped EXE
- Loads dropped DLL
PID: 764
-
Network
MITRE ATT&CK Enterprise v6
Downloads
-
Filesize: 12KB
MD5: 8cf2ac271d7679b1d68eefc1ae0c5618
SHA1: 7cc1caaa747ee16dc894a600a4256f64fa65a9b8
SHA256: 6950991102462d84fdc0e3b0ae30c95af8c192f77ce3d78e8d54e6b22f7c09ba
SHA512: ce828fb9ecd7655cc4c974f78f209d3326ba71ced60171a45a437fc3fff3bd0d69a0997adaca29265c7b5419bdea2b17f8cc8ceae1b8ce6b22b7ed9120bb5ad3
-
C:\Users\Admin\AppData\Roaming\Photolabeller\Byzantinize\Vandlbsforureninger\Snares\Afdamp\Tomlende\Achras.att
Filesize: 87KB
MD5: b1671f380f00d206191060eefd4c7aa9
SHA1: 881a18f8dbfe26c3ba4db02e4310aadfcdb83d68
SHA256: 425e2c996fd7f3c0c08f1df1a286a20253a667cd31d76447c5a99d9c6af05baf
SHA512: f6ea715a9aa8dbb94dc8379f5185f84935b85c45e30e3efcead01282e91b8d0b2d3600a3bb72b8a45b4bf113ee95ba06369c1d7c490b0899cedb85357230a2f6
-
C:\Users\Admin\AppData\Roaming\Photolabeller\Byzantinize\Vandlbsforureninger\Snares\Afdamp\Tomlende\Anormale.Res
Filesize: 232KB
MD5: 3fbaf63329b8985adf7122b89ac7c9c6
SHA1: f8f537d5453fedb2e58f15ce352d8c691a67300a
SHA256: 4dff4e2620dbc65e53e03623c56d8f29cbf82847363fc098af6a81947ab7770d
SHA512: 7108362de34fc8f814ee46f27e3b8ca9d13e5be0c62f6337f3d0385e7883fb2fe673e73856d46e48403e3090bda20e411cd624fed48f164d3745f407b63d56f3