Analysis
max time kernel: 150s
max time network: 73s
platform: windows7_x64
resource: win7-20230220-en
resource tags: arch:x64, arch:x86, image:win7-20230220-en, locale:en-us, os:windows7-x64, system
submitted: 25/02/2023, 14:45
Static task: static1
Behavioral task: behavioral1
Sample: E&V - PO.61370025177.exe
Resource: win7-20230220-en
Behavioral task: behavioral2
Sample: E&V - PO.61370025177.exe
Resource: win10v2004-20230220-en
General
Target: E&V - PO.61370025177.exe
Size: 903KB
MD5: cc2e6a027d9a95e1b2df73f1b0350107
SHA1: 0d0899b4940db158978fa66d92e40e0c013d3e1d
SHA256: e9575a5decf464c96451e7e6f2f4a12e2c0f96729bc25885507913ede49cb784
SHA512: 33721debe49429d2b561add911f7e03d916e9a5990fdda7e0ea4ede1f911b0d723d41a9cb0721066b64ce784604671b0ec63bcc118c1632da6601f3d9347747a
SSDEEP: 24576:j9JiT/gnOmk/3T911111111111111dODiRu4N:2gny11111111111111GiR5
Malware Config
Signatures
WarzoneRat, AveMaria
WarzoneRat (also tracked as AveMaria) is a native RAT written in C++, sold as malware-as-a-service (MaaS) with multiple plugins.

Drops startup file (1 IoC)
File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\kdiurdjk.lnk, by E&V - PO.61370025177.exe
(A .lnk in the per-user Startup folder is the persistence mechanism; it needs no elevation and survives reboot.)

Executes dropped EXE (3 IoCs)
pid 1660 kdiurdjk.exe
pid 1832 Xapfnzes.exe
pid 1568 Xapfnzes.exe

Loads dropped DLL (3 IoCs)
pid 1452 cmd.exe
pid 1660 kdiurdjk.exe
pid 1832 Xapfnzes.exe

Suspicious use of SetThreadContext (1 IoC)
PID 1660 (kdiurdjk.exe) set thread context of PID 1876 (procid_target 32), which the process tree shows as C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
(SetThreadContext on a just-created child, together with the WriteProcessMemory entries for the same parent/child pair, is the process-hollowing pattern: the .NET host is started suspended, its memory is overwritten with the payload and the entry point is redirected before the main thread resumes.)
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). The sandbox's generic text for this signature calls it likely ransomware behaviour; nothing else in this report (no mass file writes or renames) supports a ransomware verdict, and enumerating drives is equally consistent with a RAT that offers file browsing.
Runs ping.exe (1 TTP, 2 IoCs)
pid 1280 PING.EXE
pid 1864 PING.EXE
Suspicious behavior: EnumeratesProcesses (64 IoCs)
pid 2032 E&V - PO.61370025177.exe (64 occurrences of the same process)
Suspicious use of AdjustPrivilegeToken (8 IoCs)
Token: SeDebugPrivilege, pid 2032 E&V - PO.61370025177.exe
Token: SeDebugPrivilege, pid 1660 kdiurdjk.exe
Token: SeDebugPrivilege, pid 1832 Xapfnzes.exe
Token: SeDebugPrivilege, pid 1568 Xapfnzes.exe
Token: 33, pid 2016 AUDIODG.EXE
Token: SeIncBasePriorityPrivilege, pid 2016 AUDIODG.EXE
Token: 33, pid 2016 AUDIODG.EXE
Token: SeIncBasePriorityPrivilege, pid 2016 AUDIODG.EXE
Suspicious use of WriteProcessMemory (40 IoCs)
Each entry below is "writer PID (writer process) wrote to memory of target PID, procid_target, count"; target process names are taken from the process tree.
PID 2032 (E&V - PO.61370025177.exe) wrote to memory of PID 1452 (cmd.exe), procid_target 27, 4 times
PID 1452 (cmd.exe) wrote to memory of PID 1864 (PING.EXE), procid_target 29, 4 times
PID 1452 (cmd.exe) wrote to memory of PID 1280 (PING.EXE), procid_target 30, 4 times
PID 1452 (cmd.exe) wrote to memory of PID 1660 (kdiurdjk.exe), procid_target 31, 4 times
PID 1660 (kdiurdjk.exe) wrote to memory of PID 1876 (AddInProcess32.exe), procid_target 32, 12 times
PID 1660 (kdiurdjk.exe) wrote to memory of PID 1832 (Xapfnzes.exe), procid_target 33, 4 times
PID 1832 (Xapfnzes.exe) wrote to memory of PID 1568 (Xapfnzes.exe), procid_target 34, 4 times
PID 1876 (AddInProcess32.exe) wrote to memory of PID 1764 (cmd.exe), procid_target 36, 4 times
Every pair is a direct parent/child edge of the process tree, so the four writes seen for each ordinary child are the normal CreateProcess start-up writes; the 12 writes from kdiurdjk.exe into AddInProcess32.exe stand out and, with the SetThreadContext entry above, are consistent with the payload being mapped into the hollowed .NET host.
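The staging chain the signatures above describe (ping used as a sleep, the running binary copied into the user profile and re-executed from there, a .lnk dropped into the Startup folder, a .NET host started by a user-profile binary which then spawns a shell) as detection logic over a constructed event list. This is an added example, not part of the sandbox report: EVENTS is built from the report's process tree (PIDs, images and command lines copied from it), while the event schema (type, pid, ppid, image, cmdline, target) and the placeholder ppid 1000 for the first process are assumptions, not any real EDR's field names.

```python
"""Detection logic for the WarzoneRAT-style staging chain in this report.

Added example, not part of the sandbox report. EVENTS is constructed from the
report's process tree; the event schema is an assumption, not a real EDR's.
"""
import re

EVENTS = [
    {"type": "process", "pid": 2032, "ppid": 1000,  # ppid 1000 is a placeholder, not from the report
     "image": r"C:\Users\Admin\AppData\Local\Temp\E&V - PO.61370025177.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\E&V - PO.61370025177.exe"'},
    {"type": "file", "pid": 2032,
     "target": r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\kdiurdjk.lnk"},
    {"type": "process", "pid": 1452, "ppid": 2032, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": r'"cmd" /c ping 127.0.0.1 -n 15 > nul && copy "C:\Users\Admin\AppData\Local\Temp\E&V - PO.61370025177.exe" "C:\Users\Admin\AppData\Roaming\kdiurdjk.exe" && ping 127.0.0.1 -n 15 > nul && "C:\Users\Admin\AppData\Roaming\kdiurdjk.exe"'},
    {"type": "process", "pid": 1864, "ppid": 1452, "image": r"C:\Windows\SysWOW64\PING.EXE",
     "cmdline": "ping 127.0.0.1 -n 15"},
    {"type": "process", "pid": 1660, "ppid": 1452, "image": r"C:\Users\Admin\AppData\Roaming\kdiurdjk.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Roaming\kdiurdjk.exe"'},
    {"type": "process", "pid": 1876, "ppid": 1660,
     "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe",
     "cmdline": r'"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"'},
    {"type": "process", "pid": 1764, "ppid": 1876, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": r'"C:\Windows\System32\cmd.exe"'},
]

PING_SLEEP = re.compile(r"ping\s+127\.0\.0\.1\s+-n\s+(\d+)", re.I)
COPY_CMD = re.compile(r'copy\s+"([^"]+)"\s+"([^"]+)"', re.I)
USER_PROFILE = re.compile(r"^c:\\users\\", re.I)
STARTUP_LNK = re.compile(r"\\start menu\\programs\\startup\\[^\\]+\.lnk$", re.I)
# .NET hosts routinely picked as hollowing targets; AddInProcess32.exe is the one in this report.
NET_HOSTS = {"addinprocess32.exe", "addinprocess.exe"}


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def detect(events):
    """Return (rule, pid, detail, extra) tuples for every rule that fires."""
    procs = {e["pid"]: e for e in events if e["type"] == "process"}
    findings = []
    for e in events:
        parent = procs.get(e.get("ppid"))
        if e["type"] == "file" and STARTUP_LNK.search(e["target"]):
            # Persistence: a .lnk written into the per-user Startup folder.
            findings.append(("startup_lnk_drop", e["pid"], e["target"], None))
            continue
        if e["type"] != "process":
            continue
        name = basename(e["image"])
        if name == "cmd.exe":
            sleeps = [int(n) for n in PING_SLEEP.findall(e["cmdline"])]
            copy = COPY_CMD.search(e["cmdline"])
            if sleeps and copy and parent:
                src, dst = copy.groups()
                runs_copy = e["cmdline"].lower().find('"%s"' % dst.lower(), copy.end()) != -1
                # ping-as-sleep, copy of the parent's own image into the user
                # profile, then execution of that copy: the relocation chain.
                if src.lower() == parent["image"].lower() and USER_PROFILE.match(dst) and runs_copy:
                    findings.append(("ping_delay_self_copy", e["pid"], dst, sum(sleeps)))
            if parent and basename(parent["image"]) in NET_HOSTS:
                # A shell spawned by a .NET host: the injected payload doing work.
                findings.append(("shell_from_dotnet_host", e["pid"], parent["image"], None))
        elif name in NET_HOSTS and parent and USER_PROFILE.match(parent["image"]):
            # A .NET host started by a binary in the user profile: the hollowing
            # target being created (pairs with the SetThreadContext signature).
            findings.append(("dotnet_host_from_user_profile", e["pid"], parent["image"], None))
    return findings


if __name__ == "__main__":
    for finding in detect(EVENTS):
        print(finding)
```

The self-copy rule deliberately requires that the copied source equal the parent's own image and that the destination is executed later in the same command line; a plain `copy` or a lone `ping -n` to localhost is far too common to alert on by itself.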
Processes
(indentation and the bracketed number give the depth in the tree; signatures fired by each process are listed under it)

[1] C:\Users\Admin\AppData\Local\Temp\E&V - PO.61370025177.exe (PID 2032)
    command line: "C:\Users\Admin\AppData\Local\Temp\E&V - PO.61370025177.exe"
    - Drops startup file
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
  [2] C:\Windows\SysWOW64\cmd.exe (PID 1452)
      command line: "cmd" /c ping 127.0.0.1 -n 15 > nul && copy "C:\Users\Admin\AppData\Local\Temp\E&V - PO.61370025177.exe" "C:\Users\Admin\AppData\Roaming\kdiurdjk.exe" && ping 127.0.0.1 -n 15 > nul && "C:\Users\Admin\AppData\Roaming\kdiurdjk.exe"
      - Loads dropped DLL
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\SysWOW64\PING.EXE (PID 1864)
        command line: ping 127.0.0.1 -n 15
        - Runs ping.exe
    [3] C:\Windows\SysWOW64\PING.EXE (PID 1280)
        command line: ping 127.0.0.1 -n 15
        - Runs ping.exe
    [3] C:\Users\Admin\AppData\Roaming\kdiurdjk.exe (PID 1660)
        command line: "C:\Users\Admin\AppData\Roaming\kdiurdjk.exe"
        - Executes dropped EXE
        - Loads dropped DLL
        - Suspicious use of SetThreadContext
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
      [4] C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe (PID 1876)
          command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
          - Suspicious use of WriteProcessMemory
        [5] C:\Windows\SysWOW64\cmd.exe (PID 1764)
            command line: "C:\Windows\System32\cmd.exe"
      [4] C:\Users\Admin\AppData\Local\Temp\Xapfnzes.exe (PID 1832)
          command line: "C:\Users\Admin\AppData\Local\Temp\Xapfnzes.exe"
          - Executes dropped EXE
          - Loads dropped DLL
          - Suspicious use of AdjustPrivilegeToken
          - Suspicious use of WriteProcessMemory
        [5] C:\Users\Admin\AppData\Local\Temp\Xapfnzes.exe (PID 1568)
            command line: "C:\Users\Admin\AppData\Local\Temp\Xapfnzes.exe"
            - Executes dropped EXE
            - Suspicious use of AdjustPrivilegeToken

[1] C:\Windows\system32\AUDIODG.EXE (PID 2016)
    command line: C:\Windows\system32\AUDIODG.EXE 0x2f0
    - Suspicious use of AdjustPrivilegeToken
    (separate root of the tree; a Windows audio service process, not spawned by the sample)

The chain is: the sample sleeps twice via ping, copies itself to %APPDATA%\kdiurdjk.exe and runs the copy; the copy starts the .NET AddInProcess32.exe and hollows it (SetThreadContext plus the 12 WriteProcessMemory calls), and the hollowed host then spawns cmd.exe; the copy also drops and runs Xapfnzes.exe, which re-launches itself once.
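A parser for the flattened `<image><cmdline><depth>⤵[PID:<n>]` form in which this report's process tree was exported, turning it into parent/child edges so the WriteProcessMemory pairs from the signature section can be checked against the tree (a write into a direct child is the ordinary CreateProcess start-up write; a write into any other process is cross-process injection). This is an added example, not part of the sandbox report. TREE_TEXT is the report's own Processes section copied verbatim, and WPM_PAIRS are its deduplicated "wrote to memory of" pairs; the one assumption is that the depth marker is a single digit, which holds here (maximum depth 5) and is what lets the fused `-n 153⤵` be split as `-n 15` plus depth 3.

```python
"""Parse the flattened process tree of this report into parent/child edges and
cross-check the WriteProcessMemory pairs against it.

Added example, not part of the sandbox report. Assumption: the depth before
the ⤵ marker is a single digit (true for this report, max depth 5).
"""
import re

# Constructed input: the Processes section of this report, copied verbatim.
TREE_TEXT = r'''
C:\Users\Admin\AppData\Local\Temp\E&V - PO.61370025177.exe"C:\Users\Admin\AppData\Local\Temp\E&V - PO.61370025177.exe"1⤵
- Drops startup file
PID:2032 -
C:\Windows\SysWOW64\cmd.exe"cmd" /c ping 127.0.0.1 -n 15 > nul && copy "C:\Users\Admin\AppData\Local\Temp\E&V - PO.61370025177.exe" "C:\Users\Admin\AppData\Roaming\kdiurdjk.exe" && ping 127.0.0.1 -n 15 > nul && "C:\Users\Admin\AppData\Roaming\kdiurdjk.exe"2⤵
PID:1452 -
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 153⤵
- Runs ping.exe
PID:1864
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 153⤵
PID:1280
C:\Users\Admin\AppData\Roaming\kdiurdjk.exe"C:\Users\Admin\AppData\Roaming\kdiurdjk.exe"3⤵
- Suspicious use of SetThreadContext
PID:1660 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"4⤵
PID:1876 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe"5⤵PID:1764
C:\Users\Admin\AppData\Local\Temp\Xapfnzes.exe"C:\Users\Admin\AppData\Local\Temp\Xapfnzes.exe"4⤵
PID:1832 -
C:\Users\Admin\AppData\Local\Temp\Xapfnzes.exe"C:\Users\Admin\AppData\Local\Temp\Xapfnzes.exe"5⤵
PID:1568
C:\Windows\system32\AUDIODG.EXEC:\Windows\system32\AUDIODG.EXE 0x2f01⤵
PID:2016
'''

# Deduplicated (writer, target) pairs from the WriteProcessMemory signature.
WPM_PAIRS = [(2032, 1452), (1452, 1864), (1452, 1280), (1452, 1660),
             (1660, 1876), (1660, 1832), (1832, 1568), (1876, 1764)]

NODE_RE = re.compile(r'^(?P<body>.*?)(?P<depth>\d)⤵(?:PID:(?P<pid>\d+))?\s*$')
PID_RE = re.compile(r'^PID:(?P<pid>\d+)')


def split_image(body):
    """Split the fused image+cmdline: a quoted cmdline starts at the first
    quote, an unquoted one right after the image's .exe extension."""
    if '"' in body:
        i = body.index('"')
        return body[:i], body[i:]
    end = re.search(r'\.exe', body, re.I).end()
    return body[:end], body[end:].strip()


def parse_tree(text):
    nodes, cur = [], None
    for line in text.strip().splitlines():
        m = NODE_RE.match(line)
        if m:
            image, cmdline = split_image(m.group('body'))
            cur = {'depth': int(m.group('depth')), 'image': image, 'cmdline': cmdline,
                   'pid': int(m.group('pid')) if m.group('pid') else None,
                   'ppid': None, 'sigs': []}
            nodes.append(cur)
        elif PID_RE.match(line) and cur:
            cur['pid'] = int(PID_RE.match(line).group('pid'))
        elif line.startswith('- ') and cur:
            cur['sigs'].append(line[2:])
    # Parent = nearest earlier node exactly one level up (depth stack).
    stack = []
    for n in nodes:
        while stack and stack[-1]['depth'] >= n['depth']:
            stack.pop()
        n['ppid'] = stack[-1]['pid'] if stack else None
        stack.append(n)
    return nodes


def edges(nodes):
    return {(n['ppid'], n['pid']) for n in nodes if n['ppid'] is not None}


def cross_process_writes(nodes, pairs):
    """Pairs that are not a parent->child edge: writes into a non-child are
    injection rather than CreateProcess start-up and deserve a closer look."""
    e = edges(nodes)
    return [p for p in pairs if p not in e]


if __name__ == "__main__":
    tree = parse_tree(TREE_TEXT)
    for n in tree:
        print(n['depth'], n['ppid'], n['pid'], n['image'], n['sigs'])
    print("non-parent/child writes:", cross_process_writes(tree, WPM_PAIRS))
```

For this report every WriteProcessMemory pair is a parent/child edge, so the list comes back empty; the hollowing of AddInProcess32.exe is therefore visible not from the write target but from the SetThreadContext signature on the same edge and the higher write count.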
Network
MITRE ATT&CK Enterprise v6
Downloads
(the report lists several of these files more than once, presumably under different paths that did not survive extraction; each distinct file is shown once here with its occurrence count)

Filesize: 76KB (listed 5 times)
MD5: 0e362e7005823d0bec3719b902ed6d62
SHA1: 590d860b909804349e0cdc2f1662b37bd62f7463
SHA256: 2d0dc6216f613ac7551a7e70a798c22aee8eb9819428b1357e2b8c73bef905ad
SHA512: 518991b68496b3f8545e418cf9b345e0791e09cc20d177b8aa47e0aba447aa55383c64f5bdaca39f2b061a5d08c16f2ad484af8a9f238ca23ab081618fba3ad3

Filesize: 57B (listed 2 times)
MD5: f9ce4e8ef08f1ed70603adf725dc554f
SHA1: b8d52be81203a1f2c710154516fcbe8c90dc3b02
SHA256: a69bd2c2c9a261b951a23b0ef4729b22aab7c87acf27c6bc26680874eb10fb7d
SHA512: 3fe8b1c25b6a558334850a73284df9cc0cd4947ea68df2a84de3144ec3cf963e95a0670b6e40b1266a307d892c27140a700532ba8ee5cbde3085b915a54396ea

Filesize: 54B (listed once)
MD5: 2b42a560cb1ca0563d3652157e9df2f1
SHA1: d1960957bf81f92bc3c445a6da1ccde1b632b210
SHA256: 40363ee6928161c22e54166dd216d4ee821617dc3a6a0169d8011af17f07928d
SHA512: d56ac16c93c37957d47a6c9596f57c0edb83dae49b89b398ebc6a6821b6d2d08d361f776a4b274f15d1b7ef20cabc41bb5972b214ddbc11765544dfd81b803ee

Filesize: 903KB (listed 3 times; hashes identical to the submitted sample, consistent with the copy to C:\Users\Admin\AppData\Roaming\kdiurdjk.exe performed by the cmd.exe chain in the process tree)
MD5: cc2e6a027d9a95e1b2df73f1b0350107
SHA1: 0d0899b4940db158978fa66d92e40e0c013d3e1d
SHA256: e9575a5decf464c96451e7e6f2f4a12e2c0f96729bc25885507913ede49cb784
SHA512: 33721debe49429d2b561add911f7e03d916e9a5990fdda7e0ea4ede1f911b0d723d41a9cb0721066b64ce784604671b0ec63bcc118c1632da6601f3d9347747a