Analysis
- max time kernel: 150s
- max time network: 150s
- platform: windows11-21h2_x64
- resource: win11-20240508-en
- resource tags: arch:x64, arch:x86, image:win11-20240508-en, locale:en-us, os:windows11-21h2-x64, system
- submitted: 18-05-2024 13:17
- Static task: static1
- Behavioral task: behavioral1
  - Sample: um_x64.exe
  - Resource: win11-20240508-en
General
- Target: um_x64.exe
- Size: 2.2MB
- MD5: e2fc229dbf8224232d5281b1b9c12aca
- SHA1: 36c57d932bff9db9c221911fcc676f00c21cf4e6
- SHA256: 4ac725ff452104c51cf1cd896797b3c46dfd9fdff4fcb4cb0b78b74a122bcd60
- SHA512: 95d1e3383445210e4cc4574baf7fcd68fb68099f202534108a5120ce776f93b777d112a0175ee41ad5e91b18bddc864ebb89fe7c8817769c3fd16762f1e2a27b
- SSDEEP: 12288:hw3Pj/+DfNCKml36Ych32o0Fcmr/bXrKT9xiAJ65TTlBDa+zB2av:C3LsN8
Malware Config
Signatures
- WarzoneRat, AveMaria
  WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
- Command and Scripting Interpreter: PowerShell (1 TTPs, 1 IoCs)
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
- Drops startup file (2 IoCs)
  Processes: $wz$sd_nj$dvz.exe
  - File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\programs.bat (process: $wz$sd_nj$dvz.exe)
  - File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\programs.bat:start (process: $wz$sd_nj$dvz.exe)
- Executes dropped EXE (1 IoCs)
  Processes: $wz$sd_nj$dvz.exe
  - PID 3556: $wz$sd_nj$dvz.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- NTFS ADS (2 IoCs)
  Processes: $wz$sd_nj$dvz.exe
  - File created: C:\Users\Admin\Documents\Documents:ApplicationData (process: $wz$sd_nj$dvz.exe)
  - File opened for modification: C:\Users\Admin\Documents\Documents:ApplicationData (process: $wz$sd_nj$dvz.exe)
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  Processes: um_x64.exe, powershell.exe, $wz$sd_nj$dvz.exe
  - PID 4356: um_x64.exe (2 entries)
  - PID 5028: powershell.exe (2 entries)
  - PID 3556: $wz$sd_nj$dvz.exe (all remaining entries, repeated)
- Suspicious use of AdjustPrivilegeToken (7 IoCs)
  Processes: powershell.exe, Explorer.EXE
  - Token: SeDebugPrivilege, PID 5028, powershell.exe
  - Token: SeShutdownPrivilege, PID 3280, Explorer.EXE (3 entries)
  - Token: SeCreatePagefilePrivilege, PID 3280, Explorer.EXE (3 entries)
- Suspicious use of UnmapMainImage (1 IoCs)
  Processes: Explorer.EXE
  - PID 3280: Explorer.EXE
- Suspicious use of WriteProcessMemory (19 IoCs)
  Processes: um_x64.exe, $wz$sd_nj$dvz.exe, cmd.exe
  - PID 4356 (um_x64.exe) wrote to memory of PID 3556 ($wz$sd_nj$dvz.exe) (3 entries)
  - PID 3556 ($wz$sd_nj$dvz.exe) wrote to memory of PID 5028 (powershell.exe) (3 entries)
  - PID 3556 ($wz$sd_nj$dvz.exe) wrote to memory of PID 2484 (cmd.exe) (3 entries)
  - PID 3556 ($wz$sd_nj$dvz.exe) wrote to memory of PID 440 (cmd.exe) (5 entries)
  - PID 2484 (cmd.exe) wrote to memory of PID 4692 (reg.exe) (3 entries)
  - PID 3556 ($wz$sd_nj$dvz.exe) wrote to memory of PID 3280 (Explorer.EXE) (2 entries)
Processes
- [1] C:\Windows\Explorer.EXE
  Command line: C:\Windows\Explorer.EXE
  PID: 3280
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of UnmapMainImage
  - [2] C:\Users\Admin\AppData\Local\Temp\um_x64.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\um_x64.exe"
    PID: 4356
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    - [3] C:\ProgramData\Windows App Certification Kit\$wz$sd_nj$dvz.exe
      Command line: "C:\ProgramData\Windows App Certification Kit\$wz$sd_nj$dvz.exe"
      PID: 3556
      - Drops startup file
      - Executes dropped EXE
      - NTFS ADS
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory
      - [4] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        Command line: powershell Add-MpPreference -ExclusionPath C:\
        PID: 5028
        - Command and Scripting Interpreter: PowerShell
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
      - [4] C:\Windows\SysWOW64\cmd.exe
        Command line: cmd.exe /c REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /f /v Load /t REG_SZ /d "C:\ProgramData\Windows App Certification Kit\$wz$sd_nj$dvz.exe"
        PID: 2484
        - Suspicious use of WriteProcessMemory
        - [5] C:\Windows\SysWOW64\reg.exe
          Command line: REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /f /v Load /t REG_SZ /d "C:\ProgramData\Windows App Certification Kit\$wz$sd_nj$dvz.exe"
          PID: 4692
      - [4] C:\Windows\SysWOW64\cmd.exe
        Command line: "C:\Windows\System32\cmd.exe"
        PID: 440
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 2.2MB
  MD5: d18f0b30efd9f100f11f81825bae050b
  SHA1: eacd3786e86ee03b14300c2dc6a08e5cfa2406bf
  SHA256: 73c15f93c957b337b30e6b6712487234738a3e0569611d3aac49896582f7b54c
  SHA512: e6987f4a553699e80b64217919a066eab2e2f81d13c6c4e53c0c5b423c17ac7f129b86b56512de2e45e21d840e0ba3629ffd6ed2aadb84d4ff19521371e00560
- Filesize: 60B
  MD5: d17fe0a3f47be24a6453e9ef58c94641
  SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
  SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
  SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82