Analysis

  • max time kernel
    141s
  • max time network
    142s
  • platform
    windows7_x64
  • resource
    win7-20230220-en
  • resource tags

    arch:x64, arch:x86, image:win7-20230220-en, locale:en-us, os:windows7-x64, system
  • submitted
    25/02/2023, 01:00

General

  • Target

    bc7dad4c86fbdbe3bc632b5aa8c75b3719ec38aa70ec63bb55845752efd01350.exe

  • Size

    287KB

  • MD5

    117d45a1a70dba08bd9f49c581717d62

  • SHA1

    5d9f304c36677dbc50e225c53ed2daef0718f4bf

  • SHA256

    bc7dad4c86fbdbe3bc632b5aa8c75b3719ec38aa70ec63bb55845752efd01350

  • SHA512

    fc99cd865b933c5bba311cef2b1a71cbc4e6867c45cc4d6daaec751117b0335fde103253d354d49d99e336badfc97ae6dea6028a9e6d751bfef1261e7bc2aae1

  • SSDEEP

    6144:2icFyL6SgUo3Mv97fqEJHvbR02vN79QD8CchMehu:pP6I9TPPbRFV9UeY

Malware Config

Signatures

  • Guloader, Cloudeye

    A shellcode-based downloader first seen in 2020.

  • WarzoneRat, AveMaria

    WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.

  • Checks QEMU agent file 2 TTPs 2 IoCs

    Checks presence of QEMU agent, possibly to detect virtualization.

  • Drops startup file 2 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 5 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs
  • Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). The sandbox's generic description for this signature calls it likely ransomware behaviour; for this sample, which also triggers the Guloader and WarzoneRat signatures above, treat it as a low-confidence indicator rather than as evidence of encryption activity.

  • NTFS ADS 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 13 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\bc7dad4c86fbdbe3bc632b5aa8c75b3719ec38aa70ec63bb55845752efd01350.exe
    "C:\Users\Admin\AppData\Local\Temp\bc7dad4c86fbdbe3bc632b5aa8c75b3719ec38aa70ec63bb55845752efd01350.exe"
    1⤵
    • Checks QEMU agent file
    • Loads dropped DLL
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Suspicious use of SetThreadContext
    • Suspicious behavior: MapViewOfSection
    • Suspicious use of WriteProcessMemory
    PID:1700
    • C:\Users\Admin\AppData\Local\Temp\bc7dad4c86fbdbe3bc632b5aa8c75b3719ec38aa70ec63bb55845752efd01350.exe
      "C:\Users\Admin\AppData\Local\Temp\bc7dad4c86fbdbe3bc632b5aa8c75b3719ec38aa70ec63bb55845752efd01350.exe"
      2⤵
      • Checks QEMU agent file
      • Drops startup file
      • Loads dropped DLL
      • Adds Run key to start application
      • Suspicious use of NtCreateThreadExHideFromDebugger
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • NTFS ADS
      • Suspicious use of WriteProcessMemory
      PID:664
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        powershell Add-MpPreference -ExclusionPath C:\
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:532
      • C:\Users\Admin\Documents\Windows8.exe
        "C:\Users\Admin\Documents\Windows8.exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        PID:908
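
The tree above contains three behaviours worth turning into checks: the sample spawning a second copy of itself while the parent shows SetThreadContext, WriteProcessMemory and MapViewOfSection (the API pattern behind process hollowing), the child running `powershell Add-MpPreference -ExclusionPath C:\` to exclude the whole system drive from Defender, and a freshly dropped EXE being launched from the user's Documents folder. The following is an added example, not part of the sandbox report: the event records are constructed by hand from the Processes section (PIDs 1700, 664, 532 and 908), and the `ProcEvent` shape and the signal names are assumptions for illustration, not a sandbox export format.

```python
"""Triage checks over the process tree shown above (added example).

The ProcEvent records are constructed from the report's Processes section;
the record shape and the per-process signal names are assumptions.
"""
import re
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Tuple

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\bc7dad4c86fbdbe3bc632b5aa8c75b3719ec38aa70ec63bb55845752efd01350.exe"


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: Optional[int]
    image: str
    cmdline: str
    signals: FrozenSet[str] = frozenset()  # per-process sandbox signatures


# Constructed from the report's process tree (parent -> child order).
EVENTS: List[ProcEvent] = [
    ProcEvent(1700, None, SAMPLE, f'"{SAMPLE}"',
              frozenset({"SetThreadContext", "WriteProcessMemory",
                         "MapViewOfSection", "NtSetInformationThreadHideFromDebugger"})),
    ProcEvent(664, 1700, SAMPLE, f'"{SAMPLE}"',
              frozenset({"WriteProcessMemory", "NtCreateThreadExHideFromDebugger",
                         "Adds Run key", "NTFS ADS"})),
    ProcEvent(532, 664, r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
              "powershell Add-MpPreference -ExclusionPath C:\\"),
    ProcEvent(908, 664, r"C:\Users\Admin\Documents\Windows8.exe",
              r'"C:\Users\Admin\Documents\Windows8.exe"'),
]

# Add-MpPreference exclusions: capture the exclusion type and its first argument.
_MP_EXCLUSION = re.compile(
    r"Add-MpPreference\b.*?-Exclusion(Path|Process|Extension)\s+"
    r"(\"[^\"]+\"|'[^']+'|\S+)", re.IGNORECASE)
_DRIVE_ROOT = re.compile(r"^[A-Za-z]:\\?$")
_TEMP_DIR = re.compile(r"\\AppData\\Local\\Temp\\", re.IGNORECASE)
_USER_PROFILE = re.compile(r"^[A-Za-z]:\\Users\\[^\\]+\\", re.IGNORECASE)

# Writing into another process and then redirecting a thread in it is the
# core of process hollowing; both signals on the parent are required.
HOLLOW_SIGNALS = frozenset({"SetThreadContext", "WriteProcessMemory"})


def find_defender_exclusions(events: List[ProcEvent]) -> List[Dict[str, object]]:
    """Flag Defender exclusions; a whole-drive path exclusion is marked broad."""
    hits = []
    for e in events:
        m = _MP_EXCLUSION.search(e.cmdline)
        if not m:
            continue
        kind, value = m.group(1), m.group(2).strip("\"'")
        hits.append({"pid": e.pid, "kind": kind, "value": value,
                     "broad": kind == "Path" and bool(_DRIVE_ROOT.match(value))})
    return hits


def find_self_injection(events: List[ProcEvent]) -> List[Tuple[int, int]]:
    """A parent that spawns its own image and carries the hollowing signals."""
    by_pid = {e.pid: e for e in events}
    hits = []
    for e in events:
        parent = by_pid.get(e.ppid)
        if (parent and parent.image.lower() == e.image.lower()
                and HOLLOW_SIGNALS <= parent.signals):
            hits.append((parent.pid, e.pid))
    return hits


def find_dropped_exec(events: List[ProcEvent]) -> List[Tuple[int, int, str]]:
    """A Temp-resident parent launching a different EXE from the user profile."""
    by_pid = {e.pid: e for e in events}
    hits = []
    for e in events:
        parent = by_pid.get(e.ppid)
        if (parent and _TEMP_DIR.search(parent.image)
                and _USER_PROFILE.match(e.image) and not _TEMP_DIR.search(e.image)):
            hits.append((parent.pid, e.pid, e.image))
    return hits


def triage(events: List[ProcEvent]) -> Dict[str, list]:
    return {
        "defender_exclusion": find_defender_exclusions(events),
        "self_injection": find_self_injection(events),
        "dropped_exec": find_dropped_exec(events),
    }


if __name__ == "__main__":
    for name, hits in triage(EVENTS).items():
        print(f"{name}: {hits}")
```

Run against the constructed tree, `triage` reports the C:\ exclusion from PID 532 as broad, the 1700 -> 664 self-spawn as injection, and 664 -> 908 as execution of a dropped file. Process-creation telemetry such as Sysmon Event ID 1 supplies the image, parent image and command line fields the first and third checks need; the hollowing signals used by the second check come from the sandbox's API signatures and would have to be replaced by API-level or memory-scan telemetry on a live host.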

Network

        MITRE ATT&CK Enterprise v6

        Downloads

        • C:\Users\Admin\AppData\Local\Temp\nstBB6.tmp\System.dll

          Filesize

          12KB

          MD5

          8cf2ac271d7679b1d68eefc1ae0c5618

          SHA1

          7cc1caaa747ee16dc894a600a4256f64fa65a9b8

          SHA256

          6950991102462d84fdc0e3b0ae30c95af8c192f77ce3d78e8d54e6b22f7c09ba

          SHA512

          ce828fb9ecd7655cc4c974f78f209d3326ba71ced60171a45a437fc3fff3bd0d69a0997adaca29265c7b5419bdea2b17f8cc8ceae1b8ce6b22b7ed9120bb5ad3

        • C:\Users\Admin\AppData\Roaming\Photolabeller\Byzantinize\Vandlbsforureninger\Overstoping.Sto

          Filesize

          231KB

          MD5

          b7707f515faeda4bda4ccba71479e293

          SHA1

          ec6d7c807f5ba644e0a9112d3973832fc21ec115

          SHA256

          ecb66f9e1a26fe15a8cee7d6f7685296b5682bc3ecc669424220eddce3307f4f

          SHA512

          923c9ad735a18b02edd8652d18d15026248223179dba392c1cb120b5ba5b55341cca1c924c4dc9930db2a3b1ece48676dfb93937e6363fe542b36e910111efdd

        • C:\Users\Admin\AppData\Roaming\Photolabeller\Byzantinize\Vandlbsforureninger\Straffesagens\Felttegns\Adsbud\Investeringsskemaers\Snvrende.Qua

          Filesize

          95KB

          MD5

          e9b13226a5189842b0cf59c26096c490

          SHA1

          aaff3150ed875bc9344c7bed273796a6aca28add

          SHA256

          ae00e6e9278fdef85c9c4f0872ecf031e9c25763725b44f444f28625f61893ae

          SHA512

          20b73a588c45ce000b9625dfeed7e2cdc08fdfbd4cac2c8d6a18514a633e30ddc7ef88bb693a0d5bfa3089a135d517b22a4642ea2bbd5bc84905a490f1974766

        • C:\Users\Admin\Documents\Windows8.exe

          Filesize

          287KB

          MD5

          117d45a1a70dba08bd9f49c581717d62

          SHA1

          5d9f304c36677dbc50e225c53ed2daef0718f4bf

          SHA256

          bc7dad4c86fbdbe3bc632b5aa8c75b3719ec38aa70ec63bb55845752efd01350

          SHA512

          fc99cd865b933c5bba311cef2b1a71cbc4e6867c45cc4d6daaec751117b0335fde103253d354d49d99e336badfc97ae6dea6028a9e6d751bfef1261e7bc2aae1

        • \Users\Admin\AppData\Local\Temp\nstBB6.tmp\System.dll

          Filesize

          12KB

          MD5

          8cf2ac271d7679b1d68eefc1ae0c5618

          SHA1

          7cc1caaa747ee16dc894a600a4256f64fa65a9b8

          SHA256

          6950991102462d84fdc0e3b0ae30c95af8c192f77ce3d78e8d54e6b22f7c09ba

          SHA512

          ce828fb9ecd7655cc4c974f78f209d3326ba71ced60171a45a437fc3fff3bd0d69a0997adaca29265c7b5419bdea2b17f8cc8ceae1b8ce6b22b7ed9120bb5ad3

        • \Users\Admin\AppData\Local\Temp\nsu22BF.tmp\System.dll

          Filesize

          12KB

          MD5

          8cf2ac271d7679b1d68eefc1ae0c5618

          SHA1

          7cc1caaa747ee16dc894a600a4256f64fa65a9b8

          SHA256

          6950991102462d84fdc0e3b0ae30c95af8c192f77ce3d78e8d54e6b22f7c09ba

          SHA512

          ce828fb9ecd7655cc4c974f78f209d3326ba71ced60171a45a437fc3fff3bd0d69a0997adaca29265c7b5419bdea2b17f8cc8ceae1b8ce6b22b7ed9120bb5ad3

        • \Users\Admin\Documents\Windows8.exe

          Filesize

          287KB

          MD5

          117d45a1a70dba08bd9f49c581717d62

          SHA1

          5d9f304c36677dbc50e225c53ed2daef0718f4bf

          SHA256

          bc7dad4c86fbdbe3bc632b5aa8c75b3719ec38aa70ec63bb55845752efd01350

          SHA512

          fc99cd865b933c5bba311cef2b1a71cbc4e6867c45cc4d6daaec751117b0335fde103253d354d49d99e336badfc97ae6dea6028a9e6d751bfef1261e7bc2aae1

        • memory/532-111-0x0000000002630000-0x0000000002670000-memory.dmp  Filesize 256KB
        • memory/532-110-0x0000000002630000-0x0000000002670000-memory.dmp  Filesize 256KB
        • memory/664-100-0x0000000000400000-0x0000000001462000-memory.dmp  Filesize 16.4MB
        • memory/664-99-0x0000000001470000-0x0000000004065000-memory.dmp  Filesize 44.0MB
        • memory/664-96-0x0000000000400000-0x0000000001462000-memory.dmp  Filesize 16.4MB
        • memory/664-94-0x0000000000400000-0x0000000001462000-memory.dmp  Filesize 16.4MB
        • memory/664-90-0x0000000001470000-0x0000000004065000-memory.dmp  Filesize 44.0MB
        • memory/664-71-0x0000000000400000-0x0000000001462000-memory.dmp  Filesize 16.4MB
        • memory/664-120-0x0000000001470000-0x0000000004065000-memory.dmp  Filesize 44.0MB
        • memory/664-122-0x0000000000400000-0x0000000001462000-memory.dmp  Filesize 16.4MB
        • memory/664-70-0x0000000001470000-0x0000000004065000-memory.dmp  Filesize 44.0MB
        • memory/664-69-0x0000000000400000-0x0000000001462000-memory.dmp  Filesize 16.4MB
        • memory/908-135-0x0000000003440000-0x0000000006035000-memory.dmp  Filesize 44.0MB
        • memory/1700-68-0x00000000033C0000-0x0000000005FB5000-memory.dmp  Filesize 44.0MB
        • memory/1700-67-0x00000000033C0000-0x0000000005FB5000-memory.dmp  Filesize 44.0MB