Analysis
max time kernel: 149s
max time network: 146s
platform: windows10-2004_x64
resource: win10v2004-20230220-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
submitted: 25/02/2023, 14:45
Static task: static1
Behavioral task: behavioral1
  Sample: E&V - PO.61370025177.exe
  Resource: win7-20230220-en
Behavioral task: behavioral2
  Sample: E&V - PO.61370025177.exe
  Resource: win10v2004-20230220-en
General
Target: E&V - PO.61370025177.exe
Size: 903KB
MD5: cc2e6a027d9a95e1b2df73f1b0350107
SHA1: 0d0899b4940db158978fa66d92e40e0c013d3e1d
SHA256: e9575a5decf464c96451e7e6f2f4a12e2c0f96729bc25885507913ede49cb784
SHA512: 33721debe49429d2b561add911f7e03d916e9a5990fdda7e0ea4ede1f911b0d723d41a9cb0721066b64ce784604671b0ec63bcc118c1632da6601f3d9347747a
SSDEEP: 24576:j9JiT/gnOmk/3T911111111111111dODiRu4N:2gny11111111111111GiR5
Malware Config
Signatures
- WarzoneRat, AveMaria
  WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
- Modifies Windows Firewall (1 TTPs, 1 IoCs)
  PID 4128 netsh.exe
- Sets DLL path for service in the registry (2 TTPs, 1 IoCs)
  Set value (str): \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\TermService\Parameters\ServiceDll = "%ProgramFiles%\\Microsoft DN1\\sqlmap.dll" (AddInProcess32.exe)
- Checks computer location settings (2 TTPs, 2 IoCs)
  Looks up country code configured in the registry, likely geofence.
  Key value queried: \REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Control Panel\International\Geo\Nation (kdiurdjk.exe)
  Key value queried: \REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Control Panel\International\Geo\Nation (Xapfnzes.exe)
- Drops startup file (1 IoCs)
  File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\kdiurdjk.lnk (E&V - PO.61370025177.exe)
- Executes dropped EXE (4 IoCs)
  PID 1080 kdiurdjk.exe
  PID 1616 Xapfnzes.exe
  PID 4632 Xapfnzes.exe
  PID 3112 47.exe
- Loads dropped DLL (1 IoCs)
  PID 4720 svchost.exe
- resource / yara_rule
  behavioral2/files/0x00020000000225be-192.dat: upx
  behavioral2/files/0x00020000000225be-195.dat: upx
  behavioral2/files/0x00020000000225be-196.dat: upx
  behavioral2/memory/3112-200-0x0000000000250000-0x000000000027D000-memory.dmp: upx
  behavioral2/memory/3112-206-0x0000000000250000-0x000000000027D000-memory.dmp: upx
- Drops file in System32 directory (1 IoCs)
  File created: C:\Windows\System32\rfxvmt.dll (AddInProcess32.exe)
- Suspicious use of SetThreadContext (1 IoCs)
  PID 1080 set thread context of 2324 (kdiurdjk.exe, procid_target 91)
- Drops file in Program Files directory (2 IoCs)
  File created: C:\Program Files\Microsoft DN1\sqlmap.dll (AddInProcess32.exe)
  File created: C:\Program Files\Microsoft DN1\rdpwrap.ini (AddInProcess32.exe)
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe (1 TTPs, 2 IoCs)
  PID 2744 PING.EXE
  PID 1360 PING.EXE
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  PID 2068 E&V - PO.61370025177.exe (64 identical entries)
- Suspicious behavior: LoadsDriver (1 IoCs)
  PID 672 Process not Found
- Suspicious use of AdjustPrivilegeToken (8 IoCs)
  Token: SeDebugPrivilege, PID 2068 E&V - PO.61370025177.exe
  Token: SeDebugPrivilege, PID 1080 kdiurdjk.exe
  Token: 33, PID 1548 AUDIODG.EXE
  Token: SeIncBasePriorityPrivilege, PID 1548 AUDIODG.EXE
  Token: SeDebugPrivilege, PID 1616 Xapfnzes.exe
  Token: SeDebugPrivilege, PID 4632 Xapfnzes.exe
  Token: SeDebugPrivilege, PID 2324 AddInProcess32.exe
  Token: SeAuditPrivilege, PID 4720 svchost.exe
- Suspicious use of WriteProcessMemory (40 IoCs; identical entries collapsed, repeat count in brackets)
  PID 2068 wrote to memory of 2748 (E&V - PO.61370025177.exe, procid_target 84) [x3]
  PID 2748 wrote to memory of 2744 (cmd.exe, procid_target 86) [x3]
  PID 2748 wrote to memory of 1360 (cmd.exe, procid_target 87) [x3]
  PID 2748 wrote to memory of 1080 (cmd.exe, procid_target 90) [x3]
  PID 1080 wrote to memory of 2324 (kdiurdjk.exe, procid_target 91) [x11]
  PID 2324 wrote to memory of 2164 (AddInProcess32.exe, procid_target 92) [x5]
  PID 1080 wrote to memory of 1616 (kdiurdjk.exe, procid_target 96) [x3]
  PID 1616 wrote to memory of 4632 (Xapfnzes.exe, procid_target 97) [x3]
  PID 2324 wrote to memory of 3112 (AddInProcess32.exe, procid_target 98) [x3]
  PID 3112 wrote to memory of 4128 (47.exe, procid_target 99) [x3]
Processes
- [1] C:\Users\Admin\AppData\Local\Temp\E&V - PO.61370025177.exe (PID 2068)
  Command line: "C:\Users\Admin\AppData\Local\Temp\E&V - PO.61370025177.exe"
  - Drops startup file
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - [2] C:\Windows\SysWOW64\cmd.exe (PID 2748)
    Command line: "cmd" /c ping 127.0.0.1 -n 14 > nul && copy "C:\Users\Admin\AppData\Local\Temp\E&V - PO.61370025177.exe" "C:\Users\Admin\AppData\Roaming\kdiurdjk.exe" && ping 127.0.0.1 -n 14 > nul && "C:\Users\Admin\AppData\Roaming\kdiurdjk.exe"
    - Suspicious use of WriteProcessMemory
    - [3] C:\Windows\SysWOW64\PING.EXE (PID 2744)
      Command line: ping 127.0.0.1 -n 14
      - Runs ping.exe
    - [3] C:\Windows\SysWOW64\PING.EXE (PID 1360)
      Command line: ping 127.0.0.1 -n 14
      - Runs ping.exe
    - [3] C:\Users\Admin\AppData\Roaming\kdiurdjk.exe (PID 1080)
      Command line: "C:\Users\Admin\AppData\Roaming\kdiurdjk.exe"
      - Checks computer location settings
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      - [4] C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe (PID 2324)
        Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
        - Sets DLL path for service in the registry
        - Drops file in System32 directory
        - Drops file in Program Files directory
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        - [5] C:\Windows\SysWOW64\cmd.exe (PID 2164)
          Command line: "C:\Windows\System32\cmd.exe"
        - [5] C:\Users\Admin\AppData\Local\Temp\47.exe (PID 3112)
          Command line: "C:\Users\Admin\AppData\Local\Temp\47.exe"
          - Executes dropped EXE
          - Suspicious use of WriteProcessMemory
          - [6] C:\Windows\SysWOW64\netsh.exe (PID 4128)
            Command line: netsh advfirewall firewall add rule name="3389" dir=in action=allow protocol=TCP localport=3389
            - Modifies Windows Firewall
      - [4] C:\Users\Admin\AppData\Local\Temp\Xapfnzes.exe (PID 1616)
        Command line: "C:\Users\Admin\AppData\Local\Temp\Xapfnzes.exe"
        - Checks computer location settings
        - Executes dropped EXE
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        - [5] C:\Users\Admin\AppData\Local\Temp\Xapfnzes.exe (PID 4632)
          Command line: "C:\Users\Admin\AppData\Local\Temp\Xapfnzes.exe"
          - Executes dropped EXE
          - Suspicious use of AdjustPrivilegeToken
- [1] C:\Windows\system32\AUDIODG.EXE (PID 1548)
  Command line: C:\Windows\system32\AUDIODG.EXE 0x4a0 0x458
  - Suspicious use of AdjustPrivilegeToken
- [1] C:\Windows\System32\svchost.exe (PID 4400)
  Command line: C:\Windows\System32\svchost.exe -k NetworkService -s TermService
- [1] C:\Windows\System32\svchost.exe (PID 4720)
  Command line: C:\Windows\System32\svchost.exe -k NetworkService -s TermService
  - Loads dropped DLL
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v6
Downloads