Analysis
- max time kernel: 149s
- max time network: 151s
- platform: windows10-2004_x64
- resource: win10v2004-20230220-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 25/02/2023, 14:44

Static task: static1

Behavioral task: behavioral1
  Sample: E&V - PO.61370025177.exe
  Resource: win7-20230220-en

Behavioral task: behavioral2
  Sample: E&V - PO.61370025177.exe
  Resource: win10v2004-20230220-en
General
- Target: E&V - PO.61370025177.exe
- Size: 903KB
- MD5: cc2e6a027d9a95e1b2df73f1b0350107
- SHA1: 0d0899b4940db158978fa66d92e40e0c013d3e1d
- SHA256: e9575a5decf464c96451e7e6f2f4a12e2c0f96729bc25885507913ede49cb784
- SHA512: 33721debe49429d2b561add911f7e03d916e9a5990fdda7e0ea4ede1f911b0d723d41a9cb0721066b64ce784604671b0ec63bcc118c1632da6601f3d9347747a
- SSDEEP: 24576:j9JiT/gnOmk/3T911111111111111dODiRu4N:2gny11111111111111GiR5
Malware Config
Signatures
- WarzoneRat, AveMaria
  WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
- Modifies Windows Firewall (1 TTPs, 1 IoCs)
  pid | Process
  1260 | netsh.exe
- Sets DLL path for service in the registry (2 TTPs, 1 IoCs)
  description | ioc | Process
  Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\TermService\Parameters\ServiceDll = "%ProgramFiles%\\Microsoft DN1\\sqlmap.dll" | AddInProcess32.exe
- Checks computer location settings (2 TTPs, 2 IoCs)
  Looks up country code configured in the registry, likely geofence.
  description | ioc | Process
  Key value queried | \REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Control Panel\International\Geo\Nation | kdiurdjk.exe
  Key value queried | \REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Control Panel\International\Geo\Nation | Xapfnzes.exe
- Drops startup file (1 IoCs)
  description | ioc | Process
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\kdiurdjk.lnk | E&V - PO.61370025177.exe
- Executes dropped EXE (4 IoCs)
  pid | Process
  3864 | kdiurdjk.exe
  3804 | Xapfnzes.exe
  3656 | Xapfnzes.exe
  3584 | 46.exe
- Loads dropped DLL (1 IoCs)
  pid | Process
  2036 | svchost.exe
- YARA rule matches (signature name not present on the page)
  resource | yara_rule
  behavioral2/files/0x0006000000023149-192.dat | upx
  behavioral2/files/0x0006000000023149-196.dat | upx
  behavioral2/files/0x0006000000023149-195.dat | upx
  behavioral2/memory/3584-200-0x0000000000510000-0x000000000053D000-memory.dmp | upx
- Drops file in System32 directory (1 IoCs)
  description | ioc | Process
  File created | C:\Windows\System32\rfxvmt.dll | AddInProcess32.exe
- Suspicious use of SetThreadContext (1 IoCs)
  description | pid | Process | procid_target
  PID 3864 set thread context of 1452 | 3864 | kdiurdjk.exe | 91
- Drops file in Program Files directory (2 IoCs)
  description | ioc | Process
  File created | C:\Program Files\Microsoft DN1\sqlmap.dll | AddInProcess32.exe
  File created | C:\Program Files\Microsoft DN1\rdpwrap.ini | AddInProcess32.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Program crash (1 IoCs)
  pid | pid_target | Process | procid_target
  1568 | 3584 | WerFault.exe | 98
- Runs ping.exe (1 TTPs, 2 IoCs)
  pid | Process
  3032 | PING.EXE
  4232 | PING.EXE
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid | Process
  3964 | E&V - PO.61370025177.exe (64 identical rows)
- Suspicious behavior: LoadsDriver (1 IoCs)
  pid | Process
  664 | Process not Found
- Suspicious use of AdjustPrivilegeToken (8 IoCs)
  description | pid | Process
  Token: SeDebugPrivilege | 3964 | E&V - PO.61370025177.exe
  Token: SeDebugPrivilege | 3864 | kdiurdjk.exe
  Token: 33 | 768 | AUDIODG.EXE
  Token: SeIncBasePriorityPrivilege | 768 | AUDIODG.EXE
  Token: SeDebugPrivilege | 3804 | Xapfnzes.exe
  Token: SeDebugPrivilege | 3656 | Xapfnzes.exe
  Token: SeDebugPrivilege | 1452 | AddInProcess32.exe
  Token: SeAuditPrivilege | 2036 | svchost.exe
- Suspicious use of WriteProcessMemory (40 IoCs; identical rows collapsed, repeat count in parentheses)
  description | pid | Process | procid_target
  PID 3964 wrote to memory of 3112 | 3964 | E&V - PO.61370025177.exe | 84 (x3)
  PID 3112 wrote to memory of 3032 | 3112 | cmd.exe | 86 (x3)
  PID 3112 wrote to memory of 4232 | 3112 | cmd.exe | 87 (x3)
  PID 3112 wrote to memory of 3864 | 3112 | cmd.exe | 90 (x3)
  PID 3864 wrote to memory of 1452 | 3864 | kdiurdjk.exe | 91 (x11)
  PID 1452 wrote to memory of 4824 | 1452 | AddInProcess32.exe | 92 (x5)
  PID 3864 wrote to memory of 3804 | 3864 | kdiurdjk.exe | 96 (x3)
  PID 3804 wrote to memory of 3656 | 3804 | Xapfnzes.exe | 97 (x3)
  PID 1452 wrote to memory of 3584 | 1452 | AddInProcess32.exe | 98 (x3)
  PID 3584 wrote to memory of 1260 | 3584 | 46.exe | 99 (x3)
Processes (depth in brackets, children indented under their parent)

[1] C:\Users\Admin\AppData\Local\Temp\E&V - PO.61370025177.exe
    Command: "C:\Users\Admin\AppData\Local\Temp\E&V - PO.61370025177.exe"
    - Drops startup file
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3964

    [2] C:\Windows\SysWOW64\cmd.exe
        Command: "cmd" /c ping 127.0.0.1 -n 16 > nul && copy "C:\Users\Admin\AppData\Local\Temp\E&V - PO.61370025177.exe" "C:\Users\Admin\AppData\Roaming\kdiurdjk.exe" && ping 127.0.0.1 -n 16 > nul && "C:\Users\Admin\AppData\Roaming\kdiurdjk.exe"
        - Suspicious use of WriteProcessMemory
        PID:3112

        [3] C:\Windows\SysWOW64\PING.EXE
            Command: ping 127.0.0.1 -n 16
            - Runs ping.exe
            PID:3032

        [3] C:\Windows\SysWOW64\PING.EXE
            Command: ping 127.0.0.1 -n 16
            - Runs ping.exe
            PID:4232

        [3] C:\Users\Admin\AppData\Roaming\kdiurdjk.exe
            Command: "C:\Users\Admin\AppData\Roaming\kdiurdjk.exe"
            - Checks computer location settings
            - Executes dropped EXE
            - Suspicious use of SetThreadContext
            - Suspicious use of AdjustPrivilegeToken
            - Suspicious use of WriteProcessMemory
            PID:3864

            [4] C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
                Command: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
                - Sets DLL path for service in the registry
                - Drops file in System32 directory
                - Drops file in Program Files directory
                - Suspicious use of AdjustPrivilegeToken
                - Suspicious use of WriteProcessMemory
                PID:1452

                [5] C:\Windows\SysWOW64\cmd.exe
                    Command: "C:\Windows\System32\cmd.exe"
                    PID:4824

                [5] C:\Users\Admin\AppData\Local\Temp\46.exe
                    Command: "C:\Users\Admin\AppData\Local\Temp\46.exe"
                    - Executes dropped EXE
                    - Suspicious use of WriteProcessMemory
                    PID:3584

                    [6] C:\Windows\SysWOW64\netsh.exe
                        Command: netsh advfirewall firewall add rule name="3389" dir=in action=allow protocol=TCP localport=3389
                        - Modifies Windows Firewall
                        PID:1260

                    [6] C:\Windows\SysWOW64\WerFault.exe
                        Command: C:\Windows\SysWOW64\WerFault.exe -u -p 3584 -s 396
                        - Program crash
                        PID:1568

            [4] C:\Users\Admin\AppData\Local\Temp\Xapfnzes.exe
                Command: "C:\Users\Admin\AppData\Local\Temp\Xapfnzes.exe"
                - Checks computer location settings
                - Executes dropped EXE
                - Suspicious use of AdjustPrivilegeToken
                - Suspicious use of WriteProcessMemory
                PID:3804

                [5] C:\Users\Admin\AppData\Local\Temp\Xapfnzes.exe
                    Command: "C:\Users\Admin\AppData\Local\Temp\Xapfnzes.exe"
                    - Executes dropped EXE
                    - Suspicious use of AdjustPrivilegeToken
                    PID:3656

[1] C:\Windows\system32\AUDIODG.EXE
    Command: C:\Windows\system32\AUDIODG.EXE 0x4f8 0x50c
    - Suspicious use of AdjustPrivilegeToken
    PID:768

[1] C:\Windows\System32\svchost.exe
    Command: C:\Windows\System32\svchost.exe -k NetworkService -s TermService
    PID:3908

[1] C:\Windows\System32\svchost.exe
    Command: C:\Windows\System32\svchost.exe -k NetworkService -s TermService
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
    PID:2036

[1] C:\Windows\SysWOW64\WerFault.exe
    Command: C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 3584 -ip 3584
    PID:4272
Network
MITRE ATT&CK Enterprise v6
Downloads (identical consecutive entries collapsed, count in parentheses)

- Filesize: 114KB
  MD5: 461ade40b800ae80a40985594e1ac236
  SHA1: b3892eef846c044a2b0785d54a432b3e93a968c8
  SHA256: 798af20db39280f90a1d35f2ac2c1d62124d1f5218a2a0fa29d87a13340bd3e4
  SHA512: 421f9060c4b61fa6f4074508602a2639209032fd5df5bfc702a159e3bad5479684ccb3f6e02f3e38fb8db53839cf3f41fe58a3acad6ec1199a48dc333b2d8a26

- Filesize: 1KB
  MD5: 7dca233df92b3884663fa5a40db8d49c
  SHA1: 208b8f27b708c4e06ac37f974471cc7b29c29b60
  SHA256: 90c83311e35da0b5f8aa65aa2109745feb68ee9540e863f4ed909872e9c6a84c
  SHA512: d134b96fd33c79c85407608f76afc5a9f937bff453b1c90727a3ed992006c7d4c8329be6a2b5ba6b11da1a32f7cd60e9bc380be388b586d6cd5c2e6b1f57bd07

- Filesize: 70KB (3 identical entries)
  MD5: ca96229390a0e6a53e8f2125f2c01114
  SHA1: a54b1081cf58724f8cb292b4d165dfee2fb1c9f6
  SHA256: 0df3d05900e7b530f6c2a281d43c47839f2cf2a5d386553c8dc46e463a635a2c
  SHA512: e93445bce6c8b6f51890309577a0ea9369860d2e6bf8cc0ca708879a77bb176d27c5f559bbdb7deb4b719aee0fc48d9068c293559f7629baf4ec3515898102ef

- Filesize: 76KB (4 identical entries)
  MD5: 0e362e7005823d0bec3719b902ed6d62
  SHA1: 590d860b909804349e0cdc2f1662b37bd62f7463
  SHA256: 2d0dc6216f613ac7551a7e70a798c22aee8eb9819428b1357e2b8c73bef905ad
  SHA512: 518991b68496b3f8545e418cf9b345e0791e09cc20d177b8aa47e0aba447aa55383c64f5bdaca39f2b061a5d08c16f2ad484af8a9f238ca23ab081618fba3ad3

- Filesize: 57B
  MD5: ecebb68c8d1b7e3cf247467986c5dee3
  SHA1: 0df744f22c4b1419d7091e56ba0f15c52f9bef2a
  SHA256: 1182143aa4bebf09cf0bf9f59e0655e8ed9a7a21dc8d9b4bb2da29ed1a449cdd
  SHA512: da8a98e48606315a47d2e7665b10e8fbcd395ce496baa3d889881738e66ea955838e0872ecdbf6e6ae89732be568ad0670d6a0ea5ebf401c9a0ec277ef5bb42c

- Filesize: 57B (2 identical entries)
  MD5: 05c12b71beae96cff30f4e0538b8aa1c
  SHA1: 74da49eff2caaea14fa6781309a074bdfdd2863a
  SHA256: 8205d3e3a1534480a1c0650ebf8aa8a7ed98ad40863fe6576d23136a92055798
  SHA512: cf7414266f9220f471c62d2a6cb5903e63b41190b1198644bb0b9c1af0afffd2c6ddbd6d1d7e46a2284ab96ef1a26374bf75890dea24288f2c30e20ac161334c

- Filesize: 903KB (2 identical entries; same hashes as the submitted sample)
  MD5: cc2e6a027d9a95e1b2df73f1b0350107
  SHA1: 0d0899b4940db158978fa66d92e40e0c013d3e1d
  SHA256: e9575a5decf464c96451e7e6f2f4a12e2c0f96729bc25885507913ede49cb784
  SHA512: 33721debe49429d2b561add911f7e03d916e9a5990fdda7e0ea4ede1f911b0d723d41a9cb0721066b64ce784604671b0ec63bcc118c1632da6601f3d9347747a

- Filesize: 299KB
  MD5: fca6ba93c780afa00a5703df9ac65754
  SHA1: 3ed423763fdd9722ff8bed3667ffa93f77390138
  SHA256: 1c4930123ec2a809b3bd93969967d6c321d8d65fc7b886e062b2581c741944e5
  SHA512: 538b0995be3796737575a2fd3aaa1644b3e6566e4cd5ed5c4df9e0a586368e7ceea8f0284de53f7c3f0874fc90b9a194d2ea1438bc9d7779eb12d00b8807f595

- Filesize: 114KB (same hashes as the first entry)
  MD5: 461ade40b800ae80a40985594e1ac236
  SHA1: b3892eef846c044a2b0785d54a432b3e93a968c8
  SHA256: 798af20db39280f90a1d35f2ac2c1d62124d1f5218a2a0fa29d87a13340bd3e4
  SHA512: 421f9060c4b61fa6f4074508602a2639209032fd5df5bfc702a159e3bad5479684ccb3f6e02f3e38fb8db53839cf3f41fe58a3acad6ec1199a48dc333b2d8a26