Analysis

- max time kernel: 123s
- max time network: 147s
- platform: windows10-2004_x64
- resource: win10v2004-20230703-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20230703-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 02-08-2023 05:30
Tasks

- Static task: static1
- Behavioral task: behavioral1 (sample: canscaner.exe, resource: win7-20230712-en)
- Behavioral task: behavioral2 (sample: canscaner.exe, resource: win10v2004-20230703-en)
General

- Target: canscaner.exe
- Size: 359KB
- MD5: 1e121f211154ea35481f600f70ff4896
- SHA1: fc5cd57e6105e1b3b65d13ae01833e4df3a8ce69
- SHA256: 9733cb0728ddfe72f5ebcaeda6f7898e1902d51173bf8bf370be319f103a616f
- SHA512: 823b3c1e2505bb6f34bd324e2540857874a4899ac0c8e80d55eebab2d80f9dac1ce71668adb435551c3a31bdbd12fa997cd93e290e88b51a19cd014c560098c3
- SSDEEP: 3072:h9TNwme7IkrAsypLIDyimbNWo/KwlppAX/JhkF/yASHAMGzl2fcU+FguHDYdX+pU:Wme7WPpL6mbNWo3lYMFzSHxlQYKNt
Malware Config

Extracted
- Family: warzonerat
- C2: esserc.ooguy.com:2822
Signatures

Modifies WinLogon for persistence (2 TTPs, 1 IoC)
- Set value (str): \REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,C:\\Users\\Admin\\AppData\\Roaming\\fhfhfhf.exe," (process: reg.exe)

WarzoneRat, AveMaria
- WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.

Warzone RAT payload (7 IoCs), yara rule: warzonerat
- behavioral2/memory/1784-160-0x0000000000400000-0x000000000055C000-memory.dmp
- behavioral2/memory/1784-164-0x0000000000400000-0x000000000055C000-memory.dmp
- behavioral2/memory/1784-165-0x0000000000400000-0x000000000055C000-memory.dmp
- behavioral2/memory/1784-178-0x0000000000400000-0x000000000055C000-memory.dmp
- behavioral2/memory/1784-182-0x0000000000400000-0x000000000055C000-memory.dmp
- behavioral2/memory/1784-208-0x0000000000400000-0x000000000055C000-memory.dmp
- behavioral2/memory/1784-212-0x0000000000400000-0x000000000055C000-memory.dmp

Modifies Windows Firewall (1 TTP, 1 IoC)
- PID 3568, netsh.exe

Sets DLL path for service in the registry (2 TTPs, 1 IoC)
- Set value (str): \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\TermService\Parameters\ServiceDll = "%ProgramFiles%\\Microsoft DN1\\sqlmap.dll" (process: AddInProcess32.exe)

Executes dropped EXE (4 IoCs)
- PID 5108, fhfhfhf.exe
- PID 692, fhfhfhffgbfbv.exe
- PID 2388, fhfhfhffgbfbv.exe
- PID 4596, 9.exe

Loads dropped DLL (1 IoC)
- PID 3972, svchost.exe

yara rule: upx (5 IoCs)
- behavioral2/files/0x000800000002320c-187.dat
- behavioral2/memory/4596-195-0x0000000000DA0000-0x0000000000DCD000-memory.dmp
- behavioral2/files/0x000800000002320c-191.dat
- behavioral2/files/0x000800000002320c-192.dat
- behavioral2/memory/4596-211-0x0000000000DA0000-0x0000000000DCD000-memory.dmp

Drops file in System32 directory (1 IoC)
- File created: C:\Windows\System32\rfxvmt.dll (process: AddInProcess32.exe)

Suspicious use of SetThreadContext (1 IoC)
- PID 5108 (fhfhfhf.exe) set thread context of PID 1784 (target procid 100)

Drops file in Program Files directory (2 IoCs)
- File created: C:\Program Files\Microsoft DN1\rdpwrap.ini (process: AddInProcess32.exe)
- File created: C:\Program Files\Microsoft DN1\sqlmap.dll (process: AddInProcess32.exe)

Enumerates physical storage devices (1 TTP)
- Attempts to interact with connected storage/optical drive(s).

Suspicious behavior: EnumeratesProcesses (41 IoCs)
- PID 4732, canscaner.exe (x24)
- PID 5108, fhfhfhf.exe (x9)
- PID 692, fhfhfhffgbfbv.exe (x1)
- PID 2388, fhfhfhffgbfbv.exe (x3)
- PID 3972, svchost.exe (x4)

Suspicious behavior: LoadsDriver (1 IoC)
- PID 640, Process not Found

Suspicious use of AdjustPrivilegeToken (6 IoCs)
- Token: SeDebugPrivilege, PID 4732, canscaner.exe
- Token: SeDebugPrivilege, PID 5108, fhfhfhf.exe
- Token: SeDebugPrivilege, PID 692, fhfhfhffgbfbv.exe
- Token: SeDebugPrivilege, PID 2388, fhfhfhffgbfbv.exe
- Token: SeDebugPrivilege, PID 1784, AddInProcess32.exe
- Token: SeAuditPrivilege, PID 3972, svchost.exe

Suspicious use of WriteProcessMemory (43 IoCs)
- PID 4732 (canscaner.exe) wrote to memory of PID 4552, target procid 93 (x3)
- PID 4552 (cmd.exe) wrote to memory of PID 384, target procid 95 (x3)
- PID 4732 (canscaner.exe) wrote to memory of PID 5108, target procid 98 (x3)
- PID 5108 (fhfhfhf.exe) wrote to memory of PID 1816, target procid 99 (x11)
- PID 5108 (fhfhfhf.exe) wrote to memory of PID 1784, target procid 100 (x11)
- PID 5108 (fhfhfhf.exe) wrote to memory of PID 692, target procid 103 (x3)
- PID 692 (fhfhfhffgbfbv.exe) wrote to memory of PID 2388, target procid 104 (x3)
- PID 1784 (AddInProcess32.exe) wrote to memory of PID 4596, target procid 105 (x3)
- PID 4596 (9.exe) wrote to memory of PID 3568, target procid 106 (x3)
Processes

- C:\Users\Admin\AppData\Local\Temp\canscaner.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\canscaner.exe"
  PID: 4732
  Signatures: Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Roaming\fhfhfhf.exe,"
    PID: 4552
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\reg.exe
      Command line: REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Roaming\fhfhfhf.exe,"
      PID: 384
      Signatures: Modifies WinLogon for persistence
  - C:\Users\Admin\AppData\Roaming\fhfhfhf.exe
    Command line: "C:\Users\Admin\AppData\Roaming\fhfhfhf.exe"
    PID: 5108
    Signatures: Executes dropped EXE; Suspicious use of SetThreadContext; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
    - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
      Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
      PID: 1816
    - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
      Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
      PID: 1784
      Signatures: Sets DLL path for service in the registry; Drops file in System32 directory; Drops file in Program Files directory; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
      - C:\Users\Admin\AppData\Local\Temp\9.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\9.exe"
        PID: 4596
        Signatures: Executes dropped EXE; Suspicious use of WriteProcessMemory
        - C:\Windows\SysWOW64\netsh.exe
          Command line: netsh advfirewall firewall add rule name="3389" dir=in action=allow protocol=TCP localport=3389
          PID: 3568
          Signatures: Modifies Windows Firewall
    - C:\Users\Admin\AppData\Local\Temp\fhfhfhffgbfbv.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\fhfhfhffgbfbv.exe"
      PID: 692
      Signatures: Executes dropped EXE; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
      - C:\Users\Admin\AppData\Local\Temp\fhfhfhffgbfbv.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\fhfhfhffgbfbv.exe"
        PID: 2388
        Signatures: Executes dropped EXE; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
- C:\Windows\System32\svchost.exe
  Command line: C:\Windows\System32\svchost.exe -k NetworkService -s TermService
  PID: 3768
- C:\Windows\System32\svchost.exe
  Command line: C:\Windows\System32\svchost.exe -k NetworkService -s TermService
  PID: 3972
  Signatures: Loads dropped DLL; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15

Persistence
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)
- Create or Modify System Process (1)
  - Windows Service (1)
Downloads

- Filesize: 114KB (listed 2 times)
  MD5: 461ade40b800ae80a40985594e1ac236
  SHA1: b3892eef846c044a2b0785d54a432b3e93a968c8
  SHA256: 798af20db39280f90a1d35f2ac2c1d62124d1f5218a2a0fa29d87a13340bd3e4
  SHA512: 421f9060c4b61fa6f4074508602a2639209032fd5df5bfc702a159e3bad5479684ccb3f6e02f3e38fb8db53839cf3f41fe58a3acad6ec1199a48dc333b2d8a26

- Filesize: 1KB
  MD5: 7dca233df92b3884663fa5a40db8d49c
  SHA1: 208b8f27b708c4e06ac37f974471cc7b29c29b60
  SHA256: 90c83311e35da0b5f8aa65aa2109745feb68ee9540e863f4ed909872e9c6a84c
  SHA512: d134b96fd33c79c85407608f76afc5a9f937bff453b1c90727a3ed992006c7d4c8329be6a2b5ba6b11da1a32f7cd60e9bc380be388b586d6cd5c2e6b1f57bd07

- Filesize: 70KB (listed 3 times)
  MD5: ca96229390a0e6a53e8f2125f2c01114
  SHA1: a54b1081cf58724f8cb292b4d165dfee2fb1c9f6
  SHA256: 0df3d05900e7b530f6c2a281d43c47839f2cf2a5d386553c8dc46e463a635a2c
  SHA512: e93445bce6c8b6f51890309577a0ea9369860d2e6bf8cc0ca708879a77bb176d27c5f559bbdb7deb4b719aee0fc48d9068c293559f7629baf4ec3515898102ef

- Filesize: 76KB (listed 4 times)
  MD5: 0e362e7005823d0bec3719b902ed6d62
  SHA1: 590d860b909804349e0cdc2f1662b37bd62f7463
  SHA256: 2d0dc6216f613ac7551a7e70a798c22aee8eb9819428b1357e2b8c73bef905ad
  SHA512: 518991b68496b3f8545e418cf9b345e0791e09cc20d177b8aa47e0aba447aa55383c64f5bdaca39f2b061a5d08c16f2ad484af8a9f238ca23ab081618fba3ad3

- Filesize: 55B
  MD5: 3f94a28fb35da4ac0d3a7c132a3aadb2
  SHA1: a9876451c87115c8cbec8bf8dcab65d728ac1db4
  SHA256: 6cfe3daac56adfeb14d118977511176c7c47600c11f67991fbefc21afd1bfa72
  SHA512: 8bad152c41b3604b83e0b0ae5b1db8f11d09b6a74b3ce763737433778073278febb2e4cce99982caad4fa838c86054b475c023d0e9a723bf36795ee49d06c254

- Filesize: 56B (listed 2 times)
  MD5: 9126722ab6dd9931de8f45f2b22b65fa
  SHA1: 6d2c75e72a529c8d9e03f916b0fb44f929a2b5c0
  SHA256: ac15edc2f75b4332205fe0bdbcfcc349012b7859014c85f8a971a5d13bbc8c58
  SHA512: a9d8345c90de3a5b58a00a6aaa6c9db25c7b37c4c9da2ffd599c00399ce7bb9487b823df98df8d4561fd37f38b16ef2e158e2bf33b7bcae8adfea8552d57a162

- Filesize: 359KB (listed 3 times; same hashes as the submitted sample)
  MD5: 1e121f211154ea35481f600f70ff4896
  SHA1: fc5cd57e6105e1b3b65d13ae01833e4df3a8ce69
  SHA256: 9733cb0728ddfe72f5ebcaeda6f7898e1902d51173bf8bf370be319f103a616f
  SHA512: 823b3c1e2505bb6f34bd324e2540857874a4899ac0c8e80d55eebab2d80f9dac1ce71668adb435551c3a31bdbd12fa997cd93e290e88b51a19cd014c560098c3

- Filesize: 321KB
  MD5: 5c2160799c3fc664c83bbc9958eede94
  SHA1: 7d39f7d2fb2a302779a28efd0f1c85589cfef066
  SHA256: d91ae65f689c4f70b27de6941f81e9b1600447a920162a3e69ad734bac62ecd5
  SHA512: 681d697f1a79baa6892e1a8da03ca9b63d118cbc587784db9ed4664e49e10731b9ab0d6e0379fd65325ae586f7afb2a2f839f8c3a8ec9ebdbe1a045a26f229df