Analysis
- max time kernel: 149s
- max time network: 146s
- platform: windows7_x64
- resource: win7-20240215-en
- resource tags: arch:x64, arch:x86, image:win7-20240215-en, locale:en-us, os:windows7-x64, system
- submitted: 17-04-2024 12:53
Static task: static1
Behavioral task: behavioral1
  Sample: 3c6bbdfafb3857e5850e95629d00542fd40df0b0a2ede2d49b204158d3e1cea1.exe
  Resource: win7-20240215-en
Behavioral task: behavioral2
  Sample: 3c6bbdfafb3857e5850e95629d00542fd40df0b0a2ede2d49b204158d3e1cea1.exe
  Resource: win10v2004-20240412-en
Behavioral task: behavioral3
  Sample: Buffisternes.ps1
  Resource: win7-20240221-en
Behavioral task: behavioral4
  Sample: Buffisternes.ps1
  Resource: win10v2004-20240412-en
General
- Target: 3c6bbdfafb3857e5850e95629d00542fd40df0b0a2ede2d49b204158d3e1cea1.exe
- Size: 523KB
- MD5: 0b37c260284040ee0beb1549da143fb5
- SHA1: 9ae52f766f75f704a28e4dd4a5fd23ba6cc1548b
- SHA256: 3c6bbdfafb3857e5850e95629d00542fd40df0b0a2ede2d49b204158d3e1cea1
- SHA512: 4433ba8bef7b41b70607d332a005c21472955b7d6caea68be6dfd5fdf0acdcda69fa72a121575997cc26b64db62d444d07dd386eeb2bf0cd75667ec95cf7d3ad
- SSDEEP: 12288:KbNmJ8L4M58gAzcEHIksyBR3l1iAddpPW7rCMtvXpnh:We8L4MPAzfHBR3lkCcrCWXJh
Malware Config
Extracted
warzonerat
96.9.225.105:61861
Signatures
- WarzoneRat, AveMaria
  WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
- Warzone RAT payload (2 IoCs)
  Processes:
    resource | yara_rule
    behavioral1/memory/2860-180-0x0000000000370000-0x00000000013D2000-memory.dmp | warzonerat
    behavioral1/memory/2860-207-0x0000000000370000-0x00000000013D2000-memory.dmp | warzonerat
- Loads dropped DLL (6 IoCs)
  Processes:
    pid | process
    2860 | wab.exe
    2860 | wab.exe
    2860 | wab.exe
    2860 | wab.exe
    2860 | wab.exe
    2860 | wab.exe
- Accesses Microsoft Outlook profiles (1 TTPs, 2 IoCs)
  Processes:
    description | ioc | process
    Key opened | \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | wab.exe
    Key opened | \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | wab.exe
- Adds Run key to start application (2 TTPs, 1 IoCs)
  Processes:
    description | ioc | process
    Set value (str) | \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\Futurisms = "%Heksemesteren% -windowstyle minimized $Keratotic98=(Get-ItemProperty -Path 'HKCU:\\Uforbeholdne\\').Glued;%Heksemesteren% ($Keratotic98)" | reg.exe
- Suspicious use of NtCreateThreadExHideFromDebugger (1 IoCs)
  Processes:
    pid | process
    2860 | wab.exe
- Suspicious use of NtSetInformationThreadHideFromDebugger (2 IoCs)
  Processes:
    pid | process
    1248 | powershell.exe
    2860 | wab.exe
- Suspicious use of SetThreadContext (1 IoCs)
  Processes:
    description | pid | process | target process
    PID 1248 set thread context of 2860 | 1248 | powershell.exe | wab.exe
- Drops file in Windows directory (1 IoCs)
  Processes:
    description | ioc | process
    File opened for modification | C:\Windows\resources\Eksamenens\indkomstbeskatningerne.ini | 3c6bbdfafb3857e5850e95629d00542fd40df0b0a2ede2d49b204158d3e1cea1.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Modifies registry key (1 TTPs, 1 IoCs)
- Suspicious behavior: EnumeratesProcesses (8 IoCs)
  Processes:
    pid | process
    1248 | powershell.exe
    1248 | powershell.exe
    1248 | powershell.exe
    1248 | powershell.exe
    1248 | powershell.exe
    1248 | powershell.exe
    1248 | powershell.exe
    1248 | powershell.exe
- Suspicious behavior: MapViewOfSection (1 IoCs)
  Processes:
    pid | process
    1248 | powershell.exe
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Processes:
    description | pid | process
    Token: SeDebugPrivilege | 1248 | powershell.exe
- Suspicious use of WriteProcessMemory (22 IoCs)
  Processes:
    description | pid | process | target process
    PID 2592 wrote to memory of 1248 | 2592 | 3c6bbdfafb3857e5850e95629d00542fd40df0b0a2ede2d49b204158d3e1cea1.exe | powershell.exe
    PID 2592 wrote to memory of 1248 | 2592 | 3c6bbdfafb3857e5850e95629d00542fd40df0b0a2ede2d49b204158d3e1cea1.exe | powershell.exe
    PID 2592 wrote to memory of 1248 | 2592 | 3c6bbdfafb3857e5850e95629d00542fd40df0b0a2ede2d49b204158d3e1cea1.exe | powershell.exe
    PID 2592 wrote to memory of 1248 | 2592 | 3c6bbdfafb3857e5850e95629d00542fd40df0b0a2ede2d49b204158d3e1cea1.exe | powershell.exe
    PID 1248 wrote to memory of 2196 | 1248 | powershell.exe | cmd.exe
    PID 1248 wrote to memory of 2196 | 1248 | powershell.exe | cmd.exe
    PID 1248 wrote to memory of 2196 | 1248 | powershell.exe | cmd.exe
    PID 1248 wrote to memory of 2196 | 1248 | powershell.exe | cmd.exe
    PID 1248 wrote to memory of 2860 | 1248 | powershell.exe | wab.exe
    PID 1248 wrote to memory of 2860 | 1248 | powershell.exe | wab.exe
    PID 1248 wrote to memory of 2860 | 1248 | powershell.exe | wab.exe
    PID 1248 wrote to memory of 2860 | 1248 | powershell.exe | wab.exe
    PID 1248 wrote to memory of 2860 | 1248 | powershell.exe | wab.exe
    PID 1248 wrote to memory of 2860 | 1248 | powershell.exe | wab.exe
    PID 2860 wrote to memory of 1096 | 2860 | wab.exe | cmd.exe
    PID 2860 wrote to memory of 1096 | 2860 | wab.exe | cmd.exe
    PID 2860 wrote to memory of 1096 | 2860 | wab.exe | cmd.exe
    PID 2860 wrote to memory of 1096 | 2860 | wab.exe | cmd.exe
    PID 1096 wrote to memory of 2968 | 1096 | cmd.exe | reg.exe
    PID 1096 wrote to memory of 2968 | 1096 | cmd.exe | reg.exe
    PID 1096 wrote to memory of 2968 | 1096 | cmd.exe | reg.exe
    PID 1096 wrote to memory of 2968 | 1096 | cmd.exe | reg.exe
- outlook_office_path (1 IoCs)
  Processes:
    description | ioc | process
    Key opened | \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | wab.exe
- outlook_win_path (1 IoCs)
  Processes:
    description | ioc | process
    Key opened | \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | wab.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\3c6bbdfafb3857e5850e95629d00542fd40df0b0a2ede2d49b204158d3e1cea1.exe (depth 1, PID 2592)
  Command line: "C:\Users\Admin\AppData\Local\Temp\3c6bbdfafb3857e5850e95629d00542fd40df0b0a2ede2d49b204158d3e1cea1.exe"
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (depth 2, PID 1248)
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden ; $Mins186=Get-Content 'C:\Users\Admin\AppData\Roaming\sep\Shahdoms249\terpers\Buffisternes.Muj';$Citrusfrugtens=$Mins186.SubString(61489,3);.$Citrusfrugtens($Mins186)
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\cmd.exe (depth 3, PID 2196)
      Command line: "C:\Windows\system32\cmd.exe" /c "set /A 1^^0"
    - C:\Program Files (x86)\windows mail\wab.exe (depth 3, PID 2860)
      Command line: "C:\Program Files (x86)\windows mail\wab.exe"
      - Loads dropped DLL
      - Accesses Microsoft Outlook profiles
      - Suspicious use of NtCreateThreadExHideFromDebugger
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      - Suspicious use of WriteProcessMemory
      - outlook_office_path
      - outlook_win_path
      - C:\Windows\SysWOW64\cmd.exe (depth 4, PID 1096)
        Command line: "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Futurisms" /t REG_EXPAND_SZ /d "%Heksemesteren% -windowstyle minimized $Keratotic98=(Get-ItemProperty -Path 'HKCU:\Uforbeholdne\').Glued;%Heksemesteren% ($Keratotic98)"
        - Suspicious use of WriteProcessMemory
        - C:\Windows\SysWOW64\reg.exe (depth 5, PID 2968)
          Command line: REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Futurisms" /t REG_EXPAND_SZ /d "%Heksemesteren% -windowstyle minimized $Keratotic98=(Get-ItemProperty -Path 'HKCU:\Uforbeholdne\').Glued;%Heksemesteren% ($Keratotic98)"
          - Adds Run key to start application
          - Modifies registry key
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 68KB
  MD5: 29f65ba8e88c063813cc50a4ea544e93
  SHA1: 05a7040d5c127e68c25d81cc51271ffb8bef3568
  SHA256: 1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184
  SHA512: e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 344B
  MD5: 5951ba0f3d4d4a56416d7763104d9142
  SHA1: 0d0f21a950a6c56d727e1583cced3e595049e0eb
  SHA256: ccb24d53293ce40a76c5b199a2db0379de65ab8d3d37a576d2345631e2b75e18
  SHA512: 1743285280a0ef0fab070c090ca8b7ae8b4d311e3931e49489e36036f8a2f2c3349ea2fa2fe3f4a607310df64d9687b2b170cfb7bc45a2f3503d2225af5d50b8
- Filesize: 65KB
  MD5: ac05d27423a85adc1622c714f2cb6184
  SHA1: b0fe2b1abddb97837ea0195be70ab2ff14d43198
  SHA256: c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d
  SHA512: 6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d
- Filesize: 177KB
  MD5: 435a9ac180383f9fa094131b173a2f7b
  SHA1: 76944ea657a9db94f9a4bef38f88c46ed4166983
  SHA256: 67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34
  SHA512: 1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a
- Filesize: 60KB
  MD5: 536404b62f83ffc1c1ab96b8702ac936
  SHA1: e3fcddb4a59854532c9628fb842a89e44600d4df
  SHA256: 2257be627271ea9c32361cfcdb142ccb3b807d841dbfc04c08356cd1d8336600
  SHA512: 5e4f55571925250785b7674552960883841caf0ae0949a788d3afaf38494aab49f3838eb2f17a6138f4131ffd9f995a153d1676fc382734fde2b83d43d94663d
- Filesize: 290KB
  MD5: 2bb2b71dee5988168849d51f9081b20a
  SHA1: 2f8afd1f790c68a2092cdd4b844e590e504629c5
  SHA256: 535e2da50a80f574eaa47fa9e03aeba1b0c394a69cd998db00f4b7bbd14d29d0
  SHA512: 938486d07a95de438ec40199a603ea4eff5dde90180804d18df701b3974dd1794ab111e29b134a5ad509bd3da75f0cfc0f7e32e6accbf72a75d1955bcc51af49
- Filesize: 326KB
  MD5: ef12ab9d0b231b8f898067b2114b1bc0
  SHA1: 6d90f27b2105945f9bb77039e8b892070a5f9442
  SHA256: 2b00fc4f541ac10c94e3556ff28e30a801811c36422546a546a445aca3f410f7
  SHA512: 2aa62bfba556ad8f042942dd25aa071ff6677c257904377c1ec956fd9e862abcbf379e0cfd8c630c303a32ece75618c24e3eef58bddb705c427985b944689193
- Filesize: 133KB
  MD5: 75f8cc548cabf0cc800c25047e4d3124
  SHA1: 602676768f9faecd35b48c38a0632781dfbde10c
  SHA256: fb419a60305f17359e2ac0510233ee80e845885eee60607715c67dd88e501ef0
  SHA512: ed831c9c769aef3be253c52542cf032afa0a8fa5fe25ca704db65ee6883c608220df7102ac2b99ee9c2e599a0f5db99fd86894a4b169e68440eb1b0d0012672f
- Filesize: 429KB
  MD5: 109f0f02fd37c84bfc7508d4227d7ed5
  SHA1: ef7420141bb15ac334d3964082361a460bfdb975
  SHA256: 334e69ac9367f708ce601a6f490ff227d6c20636da5222f148b25831d22e13d4
  SHA512: 46eb62b65817365c249b48863d894b4669e20fcb3992e747cd5c9fdd57968e1b2cf7418d1c9340a89865eadda362b8db51947eb4427412eb83b35994f932fd39
- Filesize: 1.2MB
  MD5: d7858e8449004e21b01d468e9fd04b82
  SHA1: 9524352071ede21c167e7e4f106e9526dc23ef4e
  SHA256: 78758bf7f3b3b5e3477e38354acd32d787bc1286c8bd9b873471b9c195e638db
  SHA512: 1e2c981e6c0ca36c60c6e9cae9548b866d5c524df837095b30d618d9c322def7134c20de820105400dd1b58076b66d90274f67773ac6ba914f611b419babb440
- Filesize: 141KB
  MD5: 471c983513694ac3002590345f2be0da
  SHA1: 6612b9af4ff6830fa9b7d4193078434ef72f775b
  SHA256: bb3ff746471116c6ad0339fa0522aa2a44a787e33a29c7b27649a054ecd4d00f
  SHA512: a9b0fb923bc3b567e933de10b141a3e9213640e3d790b4c4d753cf220d55593ae8026102909969ba6bfc22da3b2fcd01e30a9f5a74bd14a0fdec9beaf0fb1410
- Filesize: 81KB
  MD5: 7587bf9cb4147022cd5681b015183046
  SHA1: f2106306a8f6f0da5afb7fc765cfa0757ad5a628
  SHA256: c40bb03199a2054dabfc7a8e01d6098e91de7193619effbd0f142a7bf031c14d
  SHA512: 0b63e4979846ceba1b1ed8470432ea6aa18cca66b5f5322d17b14bc0dfa4b2ee09ca300a016e16a01db5123e4e022820698f46d9bad1078bd24675b4b181e91f