Analysis

  • max time kernel
    120s
  • max time network
    123s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    24/02/2023, 18:20

General

  • Target

    FCEE4E3E7DDC82570DF89F9CBF013D01.exe

  • Size

    284KB

  • MD5

    fcee4e3e7ddc82570df89f9cbf013d01

  • SHA1

    b5a7d853e8f041876aaa82d4b28664246d28576d

  • SHA256

    81f94cffb6a6c854eca0e0b8d5cf43b43736b549d01f56f946d08760523598c7

  • SHA512

    3cfbbb64cff247ac9930733770f86385d65cb92ac7fe242494c70dbe58b8b461ac9ab98b4f84dd9c49627eff4cdc8c6f5e5403bb470e06dbe2bc69c6f8f4621b

  • SSDEEP

    6144:uicFyLT+g1GQbT9N556+bllmYJ9kONyZmjkHa5C8bE7en7:hPTT1NTDbBb/m0QmzQKEa7

Malware Config

Signatures

  • WarzoneRat, AveMaria

    WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.

  • Checks QEMU agent file (2 TTPs, 2 IoCs)

    Checks presence of QEMU agent, possibly to detect virtualization.

  • Drops startup file (2 IoCs)
  • Executes dropped EXE (1 IoCs)
  • Loads dropped DLL (4 IoCs)
  • Adds Run key to start application (2 TTPs, 1 IoCs)
  • Legitimate hosting services abused for malware hosting/C2 (1 TTPs)
  • Suspicious use of NtCreateThreadExHideFromDebugger (1 IoCs)
  • Suspicious use of NtSetInformationThreadHideFromDebugger (2 IoCs)
  • Suspicious use of SetThreadContext (1 IoCs)
  • Enumerates physical storage devices (1 TTPs)

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • NTFS ADS (1 IoCs)
  • Suspicious behavior: EnumeratesProcesses (2 IoCs)
  • Suspicious behavior: MapViewOfSection (1 IoCs)
  • Suspicious use of AdjustPrivilegeToken (1 IoCs)
  • Suspicious use of WriteProcessMemory (10 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\FCEE4E3E7DDC82570DF89F9CBF013D01.exe
    "C:\Users\Admin\AppData\Local\Temp\FCEE4E3E7DDC82570DF89F9CBF013D01.exe"
    1⤵
    • Checks QEMU agent file
    • Loads dropped DLL
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Suspicious use of SetThreadContext
    • Suspicious behavior: MapViewOfSection
    • Suspicious use of WriteProcessMemory
    PID:4180
    • C:\Users\Admin\AppData\Local\Temp\FCEE4E3E7DDC82570DF89F9CBF013D01.exe
      "C:\Users\Admin\AppData\Local\Temp\FCEE4E3E7DDC82570DF89F9CBF013D01.exe"
      2⤵
      • Checks QEMU agent file
      • Drops startup file
      • Adds Run key to start application
      • Suspicious use of NtCreateThreadExHideFromDebugger
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • NTFS ADS
      • Suspicious use of WriteProcessMemory
      PID:1444
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        powershell Add-MpPreference -ExclusionPath C:\
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:3788
      • C:\Users\Admin\Documents\Windows8.exe
        "C:\Users\Admin\Documents\Windows8.exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        PID:3152

Network

        Downloads

        • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_lyun1f2w.tt4.ps1

          Filesize

          60B

          MD5

          d17fe0a3f47be24a6453e9ef58c94641

          SHA1

          6ab83620379fc69f80c0242105ddffd7d98d5d9d

          SHA256

          96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

          SHA512

          5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

        • C:\Users\Admin\AppData\Local\Temp\nsk1EBF.tmp\System.dll

          Filesize

          12KB

          MD5

          8cf2ac271d7679b1d68eefc1ae0c5618

          SHA1

          7cc1caaa747ee16dc894a600a4256f64fa65a9b8

          SHA256

          6950991102462d84fdc0e3b0ae30c95af8c192f77ce3d78e8d54e6b22f7c09ba

          SHA512

          ce828fb9ecd7655cc4c974f78f209d3326ba71ced60171a45a437fc3fff3bd0d69a0997adaca29265c7b5419bdea2b17f8cc8ceae1b8ce6b22b7ed9120bb5ad3

        • C:\Users\Admin\AppData\Local\Temp\nsq710F.tmp\System.dll

          Filesize

          12KB

          MD5

          8cf2ac271d7679b1d68eefc1ae0c5618

          SHA1

          7cc1caaa747ee16dc894a600a4256f64fa65a9b8

          SHA256

          6950991102462d84fdc0e3b0ae30c95af8c192f77ce3d78e8d54e6b22f7c09ba

          SHA512

          ce828fb9ecd7655cc4c974f78f209d3326ba71ced60171a45a437fc3fff3bd0d69a0997adaca29265c7b5419bdea2b17f8cc8ceae1b8ce6b22b7ed9120bb5ad3

        • C:\Users\Admin\AppData\Roaming\Photolabeller\Byzantinize\Vandlbsforureninger\Snares\Afdamp\Tomlende\Achras.att

          Filesize

          87KB

          MD5

          b1671f380f00d206191060eefd4c7aa9

          SHA1

          881a18f8dbfe26c3ba4db02e4310aadfcdb83d68

          SHA256

          425e2c996fd7f3c0c08f1df1a286a20253a667cd31d76447c5a99d9c6af05baf

          SHA512

          f6ea715a9aa8dbb94dc8379f5185f84935b85c45e30e3efcead01282e91b8d0b2d3600a3bb72b8a45b4bf113ee95ba06369c1d7c490b0899cedb85357230a2f6

        • C:\Users\Admin\AppData\Roaming\Photolabeller\Byzantinize\Vandlbsforureninger\Snares\Afdamp\Tomlende\Anormale.Res

          Filesize

          232KB

          MD5

          3fbaf63329b8985adf7122b89ac7c9c6

          SHA1

          f8f537d5453fedb2e58f15ce352d8c691a67300a

          SHA256

          4dff4e2620dbc65e53e03623c56d8f29cbf82847363fc098af6a81947ab7770d

          SHA512

          7108362de34fc8f814ee46f27e3b8ca9d13e5be0c62f6337f3d0385e7883fb2fe673e73856d46e48403e3090bda20e411cd624fed48f164d3745f407b63d56f3

        • C:\Users\Admin\Documents\Windows8.exe

          Filesize

          284KB

          MD5

          fcee4e3e7ddc82570df89f9cbf013d01

          SHA1

          b5a7d853e8f041876aaa82d4b28664246d28576d

          SHA256

          81f94cffb6a6c854eca0e0b8d5cf43b43736b549d01f56f946d08760523598c7

          SHA512

          3cfbbb64cff247ac9930733770f86385d65cb92ac7fe242494c70dbe58b8b461ac9ab98b4f84dd9c49627eff4cdc8c6f5e5403bb470e06dbe2bc69c6f8f4621b

        • memory/1444-157-0x0000000000400000-0x0000000001654000-memory.dmp

          Filesize

          18.3MB

        • memory/1444-187-0x0000000000400000-0x0000000001654000-memory.dmp

          Filesize

          18.3MB

        • memory/1444-184-0x0000000001660000-0x0000000005346000-memory.dmp

          Filesize

          60.9MB

        • memory/1444-160-0x0000000001660000-0x0000000005346000-memory.dmp

          Filesize

          60.9MB

        • memory/1444-177-0x0000000000400000-0x0000000001654000-memory.dmp

          Filesize

          18.3MB

        • memory/1444-144-0x0000000000400000-0x0000000001654000-memory.dmp

          Filesize

          18.3MB

        • memory/3788-163-0x0000000004FE0000-0x0000000004FF0000-memory.dmp

          Filesize

          64KB

        • memory/3788-199-0x0000000004FE0000-0x0000000004FF0000-memory.dmp

          Filesize

          64KB

        • memory/3788-167-0x0000000005DC0000-0x0000000005E26000-memory.dmp

          Filesize

          408KB

        • memory/3788-166-0x0000000005D50000-0x0000000005DB6000-memory.dmp

          Filesize

          408KB

        • memory/3788-165-0x0000000005450000-0x0000000005472000-memory.dmp

          Filesize

          136KB

        • memory/3788-164-0x0000000004FE0000-0x0000000004FF0000-memory.dmp

          Filesize

          64KB

        • memory/3788-162-0x0000000005620000-0x0000000005C48000-memory.dmp

          Filesize

          6.2MB

        • memory/3788-161-0x0000000002AE0000-0x0000000002B16000-memory.dmp

          Filesize

          216KB

        • memory/3788-197-0x00000000073D0000-0x0000000007402000-memory.dmp

          Filesize

          200KB

        • memory/3788-186-0x0000000006410000-0x000000000642E000-memory.dmp

          Filesize

          120KB

        • memory/3788-198-0x000000006DB50000-0x000000006DB9C000-memory.dmp

          Filesize

          304KB

        • memory/3788-209-0x0000000006960000-0x000000000697E000-memory.dmp

          Filesize

          120KB

        • memory/3788-210-0x0000000007D60000-0x00000000083DA000-memory.dmp

          Filesize

          6.5MB

        • memory/3788-211-0x0000000007710000-0x000000000772A000-memory.dmp

          Filesize

          104KB

        • memory/3788-212-0x0000000007780000-0x000000000778A000-memory.dmp

          Filesize

          40KB

        • memory/3788-213-0x0000000007990000-0x0000000007A26000-memory.dmp

          Filesize

          600KB

        • memory/3788-214-0x0000000007940000-0x000000000794E000-memory.dmp

          Filesize

          56KB

        • memory/3788-215-0x0000000007A50000-0x0000000007A6A000-memory.dmp

          Filesize

          104KB

        • memory/3788-216-0x0000000007A30000-0x0000000007A38000-memory.dmp

          Filesize

          32KB