Analysis Overview
SHA256: 6898a4a5134e3da33a28477ce504ef8385021d2200080573e85e5ea332724d0e
Threat Level: Known bad
The file Server.exe was found to be: Known bad.
Malicious Activity Summary
Warzonerat family
Warzone RAT payload
WarzoneRat, AveMaria
Reads user/profile data of web browsers
Drops startup file
Loads dropped DLL
Accesses Microsoft Outlook profiles
Adds Run key to start application
Modifies WinLogon
Unsigned PE
Enumerates physical storage devices
Suspicious use of AdjustPrivilegeToken
NTFS ADS
Suspicious behavior: EnumeratesProcesses
outlook_office_path
outlook_win_path
Suspicious use of WriteProcessMemory
MITRE ATT&CK: Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported: 2024-04-21 14:06
Signatures
Warzone RAT payload
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Warzonerat family
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral3
Detonation Overview
Submitted: 2024-04-21 14:06
Reported: 2024-04-21 14:11
Platform: win10v2004-20240412-en
Max time kernel: 299s
Max time network: 303s
Command Line
Signatures
WarzoneRat, AveMaria
Drops startup file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\programs.bat | C:\Users\Admin\AppData\Local\Temp\Server.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\programs.bat:start | C:\Users\Admin\AppData\Local\Temp\Server.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Server.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Server.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Server.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Server.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Server.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Server.exe | N/A |
Reads user/profile data of web browsers
Accesses Microsoft Outlook profiles
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\Server.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\Server.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WD Antivirus = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Server.exe" | C:\Users\Admin\AppData\Local\Temp\Server.exe | N/A |
Enumerates physical storage devices
NTFS ADS
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Users\Admin\Documents\Documents:ApplicationData | C:\Users\Admin\AppData\Local\Temp\Server.exe | N/A |
| File opened for modification | C:\Users\Admin\Documents\Documents:ApplicationData | C:\Users\Admin\AppData\Local\Temp\Server.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Server.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Server.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\svchost.exe | N/A |
Suspicious use of WriteProcessMemory
outlook_office_path
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\Server.exe | N/A |
outlook_win_path
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\Server.exe | N/A |
Processes
| Process | Command line |
| --- | --- |
| C:\Users\Admin\AppData\Local\Temp\Server.exe | "C:\Users\Admin\AppData\Local\Temp\Server.exe" |
| C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | powershell Add-MpPreference -ExclusionPath C:\ |
| C:\Windows\SysWOW64\cmd.exe | "C:\Windows\System32\cmd.exe" |
| C:\Windows\system32\rundll32.exe | "C:\Windows\system32\rundll32.exe" "C:\Windows\SYSTEM32\EDGEHTML.dll",#141 Microsoft.VCLibs.140.00_8wekyb3d8bbwe |
| C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k UnistackSvcGroup |
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 249.197.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 138.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.154.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tonnersturma-31352.portmap.host | udp |
| DE | 193.161.193.99:31352 | tonnersturma-31352.portmap.host | tcp |
| US | 8.8.8.8:53 | 99.193.161.193.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 156.33.209.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 21.114.53.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 154.173.246.72.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.221.208.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 119.110.54.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 17.14.97.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 200.197.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 25.14.97.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 51.15.97.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tonnersturma-31352.portmap.host | udp |
| DE | 193.161.193.99:5541 | tonnersturma-31352.portmap.host | tcp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | microsoft.com | udp |
| US | 20.112.250.133:80 | microsoft.com | tcp |
| US | 8.8.8.8:53 | 133.250.112.20.in-addr.arpa | udp |
| DE | 193.161.193.99:5541 | tonnersturma-31352.portmap.host | tcp |
| US | 8.8.8.8:53 | 123.10.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 65.139.73.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.14.97.104.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_tcg1tj5s.sji.ps1
| Hash | Value |
| --- | --- |
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
C:\Users\Admin\AppData\Local\Temp\msvcp140.dll
| Hash | Value |
| --- | --- |
| MD5 | 109f0f02fd37c84bfc7508d4227d7ed5 |
| SHA1 | ef7420141bb15ac334d3964082361a460bfdb975 |
| SHA256 | 334e69ac9367f708ce601a6f490ff227d6c20636da5222f148b25831d22e13d4 |
| SHA512 | 46eb62b65817365c249b48863d894b4669e20fcb3992e747cd5c9fdd57968e1b2cf7418d1c9340a89865eadda362b8db51947eb4427412eb83b35994f932fd39 |
C:\Users\Admin\AppData\Local\Temp\vcruntime140.dll
| Hash | Value |
| --- | --- |
| MD5 | 7587bf9cb4147022cd5681b015183046 |
| SHA1 | f2106306a8f6f0da5afb7fc765cfa0757ad5a628 |
| SHA256 | c40bb03199a2054dabfc7a8e01d6098e91de7193619effbd0f142a7bf031c14d |
| SHA512 | 0b63e4979846ceba1b1ed8470432ea6aa18cca66b5f5322d17b14bc0dfa4b2ee09ca300a016e16a01db5123e4e022820698f46d9bad1078bd24675b4b181e91f |
C:\Users\Admin\AppData\Local\Temp\mozglue.dll
| Hash | Value |
| --- | --- |
| MD5 | 75f8cc548cabf0cc800c25047e4d3124 |
| SHA1 | 602676768f9faecd35b48c38a0632781dfbde10c |
| SHA256 | fb419a60305f17359e2ac0510233ee80e845885eee60607715c67dd88e501ef0 |
| SHA512 | ed831c9c769aef3be253c52542cf032afa0a8fa5fe25ca704db65ee6883c608220df7102ac2b99ee9c2e599a0f5db99fd86894a4b169e68440eb1b0d0012672f |
C:\Users\Admin\AppData\Local\Temp\nss3.dll
| Hash | Value |
| --- | --- |
| MD5 | d7858e8449004e21b01d468e9fd04b82 |
| SHA1 | 9524352071ede21c167e7e4f106e9526dc23ef4e |
| SHA256 | 78758bf7f3b3b5e3477e38354acd32d787bc1286c8bd9b873471b9c195e638db |
| SHA512 | 1e2c981e6c0ca36c60c6e9cae9548b866d5c524df837095b30d618d9c322def7134c20de820105400dd1b58076b66d90274f67773ac6ba914f611b419babb440 |
C:\Users\Admin\AppData\Local\Temp\softokn3.dll
| Hash | Value |
| --- | --- |
| MD5 | 471c983513694ac3002590345f2be0da |
| SHA1 | 6612b9af4ff6830fa9b7d4193078434ef72f775b |
| SHA256 | bb3ff746471116c6ad0339fa0522aa2a44a787e33a29c7b27649a054ecd4d00f |
| SHA512 | a9b0fb923bc3b567e933de10b141a3e9213640e3d790b4c4d753cf220d55593ae8026102909969ba6bfc22da3b2fcd01e30a9f5a74bd14a0fdec9beaf0fb1410 |
C:\Users\Admin\AppData\Local\Temp\freebl3.dll
| Hash | Value |
| --- | --- |
| MD5 | ef12ab9d0b231b8f898067b2114b1bc0 |
| SHA1 | 6d90f27b2105945f9bb77039e8b892070a5f9442 |
| SHA256 | 2b00fc4f541ac10c94e3556ff28e30a801811c36422546a546a445aca3f410f7 |
| SHA512 | 2aa62bfba556ad8f042942dd25aa071ff6677c257904377c1ec956fd9e862abcbf379e0cfd8c630c303a32ece75618c24e3eef58bddb705c427985b944689193 |
Analysis: behavioral4
Detonation Overview
Submitted: 2024-04-21 14:06
Reported: 2024-04-21 14:11
Platform: win11-20240412-en
Max time kernel: 298s
Max time network: 302s
Command Line
Signatures
WarzoneRat, AveMaria
Drops startup file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\programs.bat:start | C:\Users\Admin\AppData\Local\Temp\Server.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\programs.bat | C:\Users\Admin\AppData\Local\Temp\Server.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WD Antivirus = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Server.exe" | C:\Users\Admin\AppData\Local\Temp\Server.exe | N/A |
NTFS ADS
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Users\Admin\Documents\Documents:ApplicationData | C:\Users\Admin\AppData\Local\Temp\Server.exe | N/A |
| File opened for modification | C:\Users\Admin\Documents\Documents:ApplicationData | C:\Users\Admin\AppData\Local\Temp\Server.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 492 wrote to memory of 3672 | N/A | C:\Users\Admin\AppData\Local\Temp\Server.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe |
| PID 492 wrote to memory of 3672 | N/A | C:\Users\Admin\AppData\Local\Temp\Server.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe |
| PID 492 wrote to memory of 3672 | N/A | C:\Users\Admin\AppData\Local\Temp\Server.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe |
| PID 492 wrote to memory of 4456 | N/A | C:\Users\Admin\AppData\Local\Temp\Server.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 492 wrote to memory of 4456 | N/A | C:\Users\Admin\AppData\Local\Temp\Server.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 492 wrote to memory of 4456 | N/A | C:\Users\Admin\AppData\Local\Temp\Server.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 492 wrote to memory of 4456 | N/A | C:\Users\Admin\AppData\Local\Temp\Server.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 492 wrote to memory of 4456 | N/A | C:\Users\Admin\AppData\Local\Temp\Server.exe | C:\Windows\SysWOW64\cmd.exe |
Processes
| Process | Command line |
| --- | --- |
| C:\Users\Admin\AppData\Local\Temp\Server.exe | "C:\Users\Admin\AppData\Local\Temp\Server.exe" |
| C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | powershell Add-MpPreference -ExclusionPath C:\ |
| C:\Windows\SysWOW64\cmd.exe | "C:\Windows\System32\cmd.exe" |
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | tonnersturma-31352.portmap.host | udp |
| DE | 193.161.193.99:31352 | tonnersturma-31352.portmap.host | tcp |
| DE | 193.161.193.99:5542 | tonnersturma-31352.portmap.host | tcp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 216.197.17.2.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_qzsc3p3d.030.ps1
| Hash | Value |
| --- | --- |
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
Analysis: behavioral1
Detonation Overview
Submitted: 2024-04-21 14:06
Reported: 2024-04-21 14:11
Platform: win7-20240220-en
Max time kernel: 299s
Max time network: 302s
Command Line
Signatures
WarzoneRat, AveMaria
Drops startup file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\programs.bat | C:\Users\Admin\AppData\Local\Temp\Server.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\programs.bat:start | C:\Users\Admin\AppData\Local\Temp\Server.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WD Antivirus = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Server.exe" | C:\Users\Admin\AppData\Local\Temp\Server.exe | N/A |
Modifies WinLogon
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList | C:\Users\Admin\AppData\Local\Temp\Server.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts | C:\Users\Admin\AppData\Local\Temp\Server.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList\AutsI.. = "0" | C:\Users\Admin\AppData\Local\Temp\Server.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList\xjtkuGI = "0" | C:\Users\Admin\AppData\Local\Temp\Server.exe | N/A |
NTFS ADS
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File opened for modification | C:\Users\Admin\Documents\Documents:ApplicationData | C:\Users\Admin\AppData\Local\Temp\Server.exe | N/A |
| File created | C:\Users\Admin\Documents\Documents:ApplicationData | C:\Users\Admin\AppData\Local\Temp\Server.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\cmd.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\cmd.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| --- | --- |
| C:\Users\Admin\AppData\Local\Temp\Server.exe | "C:\Users\Admin\AppData\Local\Temp\Server.exe" |
| C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | powershell Add-MpPreference -ExclusionPath C:\ |
| C:\Windows\SysWOW64\cmd.exe | "C:\Windows\System32\cmd.exe" |
| C:\Windows\System32\cmd.exe | "C:\Windows\System32\cmd.exe" |
| C:\Windows\System32\cmd.exe | "C:\Windows\System32\cmd.exe" |
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | tonnersturma-31352.portmap.host | udp |
| DE | 193.161.193.99:31352 | tonnersturma-31352.portmap.host | tcp |
| US | 8.8.8.8:53 | tonnersturma-31352.portmap.host | udp |
| DE | 193.161.193.99:5541 | tonnersturma-31352.portmap.host | tcp |
| DE | 193.161.193.99:5541 | tonnersturma-31352.portmap.host | tcp |
| DE | 193.161.193.99:5541 | tonnersturma-31352.portmap.host | tcp |
| DE | 193.161.193.99:5541 | tonnersturma-31352.portmap.host | tcp |
Analysis: behavioral2
Detonation Overview
Submitted: 2024-04-21 14:06
Reported: 2024-04-21 14:11
Platform: win10-20240404-en
Max time kernel: 293s
Max time network: 302s
Command Line
Signatures
WarzoneRat, AveMaria
Drops startup file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\programs.bat | C:\Users\Admin\AppData\Local\Temp\Server.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\programs.bat:start | C:\Users\Admin\AppData\Local\Temp\Server.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WD Antivirus = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Server.exe" | C:\Users\Admin\AppData\Local\Temp\Server.exe | N/A |
NTFS ADS
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Users\Admin\Documents\Documents:ApplicationData | C:\Users\Admin\AppData\Local\Temp\Server.exe | N/A |
| File opened for modification | C:\Users\Admin\Documents\Documents:ApplicationData | C:\Users\Admin\AppData\Local\Temp\Server.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| --- | --- |
| C:\Users\Admin\AppData\Local\Temp\Server.exe | "C:\Users\Admin\AppData\Local\Temp\Server.exe" |
| C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | powershell Add-MpPreference -ExclusionPath C:\ |
| C:\Windows\SysWOW64\cmd.exe | "C:\Windows\System32\cmd.exe" |
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | tonnersturma-31352.portmap.host | udp |
| DE | 193.161.193.99:31352 | tonnersturma-31352.portmap.host | tcp |
| US | 8.8.8.8:53 | 99.193.161.193.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tonnersturma-31352.portmap.host | udp |
| DE | 193.161.193.99:5541 | tonnersturma-31352.portmap.host | tcp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 8.173.189.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.197.17.2.in-addr.arpa | udp |
| DE | 193.161.193.99:5541 | tonnersturma-31352.portmap.host | tcp |
| US | 8.8.8.8:53 | 249.197.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | microsoft.com | udp |
| US | 20.112.250.133:80 | microsoft.com | tcp |
| US | 8.8.8.8:53 | 133.250.112.20.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_1wejxvqq.34j.ps1
| Hash | Value |
| --- | --- |
| MD5 | c4ca4238a0b923820dcc509a6f75849b |
| SHA1 | 356a192b7913b04c54574d18c28d46e6395428ab |
| SHA256 | 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b |
| SHA512 | 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a |