Analysis
-
max time kernel
150s -
max time network
154s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system -
submitted
07-06-2024 18:35
Static task
static1
Behavioral task
behavioral1
Sample
TheWarz-Crack.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
TheWarz-Crack.exe
Resource
win10v2004-20240226-en
General
-
Target
TheWarz-Crack.exe
-
Size
1.2MB
-
MD5
6b035800be70ccbedd9154a9ae57d03b
-
SHA1
c7de2eba384c891723b4a17753ee00129f5fe973
-
SHA256
e621a036413f70d0a00dbe48de5773dceea1429dc1864aebe90cb277583690de
-
SHA512
1b41dc9bf8c040ca33d26da8986f346ff6be02bf2197b78c96b2c6dbb45ba19bf4b31d8eeb4e715c78507b78ea6d2b05d039fb28e11ec8750fc5080a42c318d7
-
SSDEEP
24576:yzjh/FIFRPOUS01XpN4wEpv7I+CqSfhvuwGHEqPb2LxBxf3y:CKFNSEpN4NpvcAyBudHTCFq
Malware Config
Extracted
njrat
0.6.4
TheWarz-Crack-1
103.22.181.199:1177
4ff3a911dbfff7e34d508efdb7eca614
-
reg_key
4ff3a911dbfff7e34d508efdb7eca614
-
splitter
|'|'|
Signatures
-
ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
-
ModiLoader Second Stage 9 IoCs
Processes:
resource yara_rule behavioral1/memory/2528-40-0x0000000000400000-0x00000000052E8000-memory.dmp modiloader_stage2 behavioral1/memory/2528-36-0x0000000000400000-0x00000000052E8000-memory.dmp modiloader_stage2 behavioral1/memory/2528-38-0x0000000000400000-0x00000000052E8000-memory.dmp modiloader_stage2 behavioral1/memory/2528-42-0x0000000000400000-0x00000000052E8000-memory.dmp modiloader_stage2 \Users\Admin\AppData\Local\Temp\FB_AC57.tmp.exe modiloader_stage2 behavioral1/memory/2528-82-0x0000000000400000-0x00000000004CA000-memory.dmp modiloader_stage2 behavioral1/memory/2528-75-0x0000000000400000-0x00000000052E8000-memory.dmp modiloader_stage2 behavioral1/memory/2012-90-0x0000000000400000-0x0000000000411000-memory.dmp modiloader_stage2 behavioral1/memory/1012-145-0x0000000000400000-0x0000000000411000-memory.dmp modiloader_stage2 -
Modifies Windows Firewall 2 TTPs 1 IoCs
Processes:
netsh.exepid process 2828 netsh.exe -
Executes dropped EXE 7 IoCs
Processes:
M.exeM.exeFB_9905.tmp.exeFB_AC57.tmp.exeFB_ACE4.tmp.exeWrnia.exeTheWarz-Crack-1.exepid process 2872 M.exe 2528 M.exe 2664 FB_9905.tmp.exe 2012 FB_AC57.tmp.exe 2384 FB_ACE4.tmp.exe 1012 Wrnia.exe 636 TheWarz-Crack-1.exe -
Loads dropped DLL 17 IoCs
Processes:
TheWarz-Crack.exeM.exeM.exeFB_9905.tmp.exeFB_AC57.tmp.exeFB_ACE4.tmp.exeWrnia.exeTheWarz-Crack-1.exepid process 2300 TheWarz-Crack.exe 2300 TheWarz-Crack.exe 2872 M.exe 2872 M.exe 2528 M.exe 2528 M.exe 2528 M.exe 2528 M.exe 2664 FB_9905.tmp.exe 2528 M.exe 2012 FB_AC57.tmp.exe 2384 FB_ACE4.tmp.exe 2012 FB_AC57.tmp.exe 2012 FB_AC57.tmp.exe 1012 Wrnia.exe 2664 FB_9905.tmp.exe 636 TheWarz-Crack-1.exe -
Adds Run key to start application 2 TTPs 4 IoCs
Processes:
TheWarz-Crack.exeWrnia.exeTheWarz-Crack-1.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" TheWarz-Crack.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Wrnia = "C:\\Users\\Admin\\AppData\\Roaming\\Wrnia.exe" Wrnia.exe Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\4ff3a911dbfff7e34d508efdb7eca614 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\TheWarz-Crack-1.exe\" .." TheWarz-Crack-1.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\4ff3a911dbfff7e34d508efdb7eca614 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\TheWarz-Crack-1.exe\" .." TheWarz-Crack-1.exe -
Drops file in System32 directory 2 IoCs
Processes:
FB_ACE4.tmp.exedescription ioc process File created C:\Windows\SysWOW64\accessibilitycpI.dll FB_ACE4.tmp.exe File opened for modification C:\Windows\SysWOW64\accessibilitycpI.dll FB_ACE4.tmp.exe -
Suspicious use of SetThreadContext 1 IoCs
Processes:
M.exedescription pid process target process PID 2872 set thread context of 2528 2872 M.exe M.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
M.exeFB_ACE4.tmp.exeTheWarz-Crack-1.exepid process 2872 M.exe 2384 FB_ACE4.tmp.exe 2384 FB_ACE4.tmp.exe 2384 FB_ACE4.tmp.exe 2384 FB_ACE4.tmp.exe 2384 FB_ACE4.tmp.exe 2384 FB_ACE4.tmp.exe 2384 FB_ACE4.tmp.exe 2384 FB_ACE4.tmp.exe 2384 FB_ACE4.tmp.exe 2384 FB_ACE4.tmp.exe 2384 FB_ACE4.tmp.exe 2384 FB_ACE4.tmp.exe 2384 FB_ACE4.tmp.exe 2384 FB_ACE4.tmp.exe 2384 FB_ACE4.tmp.exe 2384 FB_ACE4.tmp.exe 2384 FB_ACE4.tmp.exe 2384 FB_ACE4.tmp.exe 2384 FB_ACE4.tmp.exe 2384 FB_ACE4.tmp.exe 2384 FB_ACE4.tmp.exe 2384 FB_ACE4.tmp.exe 2384 FB_ACE4.tmp.exe 2384 FB_ACE4.tmp.exe 2384 FB_ACE4.tmp.exe 2384 FB_ACE4.tmp.exe 2384 FB_ACE4.tmp.exe 2384 FB_ACE4.tmp.exe 2384 FB_ACE4.tmp.exe 2384 FB_ACE4.tmp.exe 2384 FB_ACE4.tmp.exe 2384 FB_ACE4.tmp.exe 2384 FB_ACE4.tmp.exe 2384 FB_ACE4.tmp.exe 2384 FB_ACE4.tmp.exe 2384 FB_ACE4.tmp.exe 2384 FB_ACE4.tmp.exe 2384 FB_ACE4.tmp.exe 2384 FB_ACE4.tmp.exe 2384 FB_ACE4.tmp.exe 2384 FB_ACE4.tmp.exe 2384 FB_ACE4.tmp.exe 2384 FB_ACE4.tmp.exe 2384 FB_ACE4.tmp.exe 2384 FB_ACE4.tmp.exe 2384 FB_ACE4.tmp.exe 2384 FB_ACE4.tmp.exe 2384 FB_ACE4.tmp.exe 2384 FB_ACE4.tmp.exe 2384 FB_ACE4.tmp.exe 2384 FB_ACE4.tmp.exe 2384 FB_ACE4.tmp.exe 2384 FB_ACE4.tmp.exe 2384 FB_ACE4.tmp.exe 2384 FB_ACE4.tmp.exe 2384 FB_ACE4.tmp.exe 2384 FB_ACE4.tmp.exe 2384 FB_ACE4.tmp.exe 2384 FB_ACE4.tmp.exe 636 TheWarz-Crack-1.exe 636 TheWarz-Crack-1.exe 2384 FB_ACE4.tmp.exe 636 TheWarz-Crack-1.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
FB_ACE4.tmp.exeTheWarz-Crack-1.exedescription pid process Token: SeDebugPrivilege 2384 FB_ACE4.tmp.exe Token: SeDebugPrivilege 636 TheWarz-Crack-1.exe -
Suspicious use of SetWindowsHookEx 2 IoCs
Processes:
M.exepid process 2872 M.exe 2872 M.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
TheWarz-Crack.exeM.exeM.exeFB_AC57.tmp.exeFB_9905.tmp.exeTheWarz-Crack-1.exedescription pid process target process PID 2300 wrote to memory of 2872 2300 TheWarz-Crack.exe M.exe PID 2300 wrote to memory of 2872 2300 TheWarz-Crack.exe M.exe PID 2300 wrote to memory of 2872 2300 TheWarz-Crack.exe M.exe PID 2300 wrote to memory of 2872 2300 TheWarz-Crack.exe M.exe PID 2300 wrote to memory of 2872 2300 TheWarz-Crack.exe M.exe PID 2300 wrote to memory of 2872 2300 TheWarz-Crack.exe M.exe PID 2300 wrote to memory of 2872 2300 TheWarz-Crack.exe M.exe PID 2872 wrote to memory of 2528 2872 M.exe M.exe PID 2872 wrote to memory of 2528 2872 M.exe M.exe PID 2872 wrote to memory of 2528 2872 M.exe M.exe PID 2872 wrote to memory of 2528 2872 M.exe M.exe PID 2872 wrote to memory of 2528 2872 M.exe M.exe PID 2872 wrote to memory of 2528 2872 M.exe M.exe PID 2872 wrote to memory of 2528 2872 M.exe M.exe PID 2872 wrote to memory of 2528 2872 M.exe M.exe PID 2872 wrote to memory of 2528 2872 M.exe M.exe PID 2872 wrote to memory of 2528 2872 M.exe M.exe PID 2872 wrote to memory of 2528 2872 M.exe M.exe PID 2872 wrote to memory of 2528 2872 M.exe M.exe PID 2872 wrote to memory of 2528 2872 M.exe M.exe PID 2872 wrote to memory of 2528 2872 M.exe M.exe PID 2872 wrote to memory of 2528 2872 M.exe M.exe PID 2872 wrote to memory of 2528 2872 M.exe M.exe PID 2872 wrote to memory of 2528 2872 M.exe M.exe PID 2872 wrote to memory of 2528 2872 M.exe M.exe PID 2528 wrote to memory of 2664 2528 M.exe FB_9905.tmp.exe PID 2528 wrote to memory of 2664 2528 M.exe FB_9905.tmp.exe PID 2528 wrote to memory of 2664 2528 M.exe FB_9905.tmp.exe PID 2528 wrote to memory of 2664 2528 M.exe FB_9905.tmp.exe PID 2528 wrote to memory of 2664 2528 M.exe FB_9905.tmp.exe PID 2528 wrote to memory of 2664 2528 M.exe FB_9905.tmp.exe PID 2528 wrote to memory of 2664 2528 M.exe FB_9905.tmp.exe PID 2528 wrote to memory of 2012 2528 M.exe FB_AC57.tmp.exe PID 2528 wrote to memory of 2012 2528 M.exe FB_AC57.tmp.exe PID 2528 wrote to memory of 2012 2528 M.exe FB_AC57.tmp.exe PID 2528 wrote to memory of 2012 2528 M.exe FB_AC57.tmp.exe PID 2528 wrote to memory of 2012 2528 M.exe FB_AC57.tmp.exe PID 2528 wrote to memory of 2012 2528 M.exe FB_AC57.tmp.exe PID 2528 wrote to memory of 2012 2528 M.exe FB_AC57.tmp.exe PID 2528 wrote to memory of 2384 2528 M.exe FB_ACE4.tmp.exe PID 2528 wrote to memory of 2384 2528 M.exe FB_ACE4.tmp.exe PID 2528 wrote to memory of 2384 2528 M.exe FB_ACE4.tmp.exe PID 2528 wrote to memory of 2384 2528 M.exe FB_ACE4.tmp.exe PID 2528 wrote to memory of 2384 2528 M.exe FB_ACE4.tmp.exe PID 2528 wrote to memory of 2384 2528 M.exe FB_ACE4.tmp.exe PID 2528 wrote to memory of 2384 2528 M.exe FB_ACE4.tmp.exe PID 2012 wrote to memory of 1012 2012 FB_AC57.tmp.exe Wrnia.exe PID 2012 wrote to memory of 1012 2012 FB_AC57.tmp.exe Wrnia.exe PID 2012 wrote to memory of 1012 2012 FB_AC57.tmp.exe Wrnia.exe PID 2012 wrote to memory of 1012 2012 FB_AC57.tmp.exe Wrnia.exe PID 2012 wrote to memory of 1012 2012 FB_AC57.tmp.exe Wrnia.exe PID 2012 wrote to memory of 1012 2012 FB_AC57.tmp.exe Wrnia.exe PID 2012 wrote to memory of 1012 2012 FB_AC57.tmp.exe Wrnia.exe PID 2664 wrote to memory of 636 2664 FB_9905.tmp.exe TheWarz-Crack-1.exe PID 2664 wrote to memory of 636 2664 FB_9905.tmp.exe TheWarz-Crack-1.exe PID 2664 wrote to memory of 636 2664 FB_9905.tmp.exe TheWarz-Crack-1.exe PID 2664 wrote to memory of 636 2664 FB_9905.tmp.exe TheWarz-Crack-1.exe PID 2664 wrote to memory of 636 2664 FB_9905.tmp.exe TheWarz-Crack-1.exe PID 2664 wrote to memory of 636 2664 FB_9905.tmp.exe TheWarz-Crack-1.exe PID 2664 wrote to memory of 636 2664 FB_9905.tmp.exe TheWarz-Crack-1.exe PID 636 wrote to memory of 2828 636 TheWarz-Crack-1.exe netsh.exe PID 636 wrote to memory of 2828 636 TheWarz-Crack-1.exe netsh.exe PID 636 wrote to memory of 2828 636 TheWarz-Crack-1.exe netsh.exe PID 636 wrote to memory of 2828 636 TheWarz-Crack-1.exe netsh.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\TheWarz-Crack.exe"C:\Users\Admin\AppData\Local\Temp\TheWarz-Crack.exe"1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\M.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\M.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\M.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\M.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\FB_9905.tmp.exe"C:\Users\Admin\AppData\Local\Temp\FB_9905.tmp.exe"4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\TheWarz-Crack-1.exe"C:\Users\Admin\AppData\Local\Temp\TheWarz-Crack-1.exe"5⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\netsh.exenetsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\TheWarz-Crack-1.exe" "TheWarz-Crack-1.exe" ENABLE6⤵
- Modifies Windows Firewall
-
C:\Users\Admin\AppData\Local\Temp\FB_AC57.tmp.exe"C:\Users\Admin\AppData\Local\Temp\FB_AC57.tmp.exe"4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\Wrnia.exe"C:\Users\Admin\AppData\Roaming\Wrnia.exe"5⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
-
C:\Users\Admin\AppData\Local\Temp\FB_ACE4.tmp.exe"C:\Users\Admin\AppData\Local\Temp\FB_ACE4.tmp.exe"4⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v13
Persistence
Create or Modify System Process
1Windows Service
1Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Privilege Escalation
Create or Modify System Process
1Windows Service
1Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\M.ex_Filesize
851KB
MD54c687cafefcab325c62847a3910c71a9
SHA1882409e2d437758967ffbe8d9740dd35a86e95c6
SHA256fb635a07236ad5395238b0e18ba87f60264d93bc8a2e13805b661f528a185793
SHA51297b730f00751df1a41670b079c1f784709f8ce79b3eaece05be0007ddb8f8566876a93b21be459dbb9f91e265b45c88565dda3a1e7501a4f63b2b7255a9cd5de
-
C:\Windows\SysWOW64\accessibilitycpI.dllFilesize
302KB
MD50d313a81c8b3b25e58ea49359242bea4
SHA17d9e242e418a982f248f9981b10b64830d67d802
SHA2563000f91791e0b3331ccc130d0bc5d94b2ae5fc529b3924a2e97002e3251d926b
SHA51263f9bef6ad11372b241b5e679c63c2164e21073f8a99b7442d89e301b017e5e2f0c344ef3df0227506837816c86e7539899a9c1499cefa0b18c257f8f87837a7
-
\Users\Admin\AppData\Local\Temp\FB_9905.tmp.exeFilesize
29KB
MD5614ee07b628e4994d4d7f1b9beda6ece
SHA10171581e8d76d2d922027f4f072cff8215c55abb
SHA256b4458b76c0ade6678ac78a74dfa38dff4125d39210717b2c2bdd271bdd733cef
SHA512c279ff78b25f40bde2f64ab33ba5a2b9b4046e68a4e2089121118173930eaab813f48e8a30f569b25a316c79cc4e42df18df8c219a258096d5ce9359f007e001
-
\Users\Admin\AppData\Local\Temp\FB_AC57.tmp.exeFilesize
36KB
MD5bc31fb751e47491430d909c72c5529c9
SHA1c1a5925786cf7729d04f765cd1cd47fab5ddcf95
SHA256aecbf1535c7be968369ce966f8478cc55dd311f122565f5ee7d627cd302f4921
SHA51203af1955cd15bf239a1e3ec768f66320b17a84e06d977fa3aa1aa1e1b7c03db78e10a6e8d94ffa504b56fc649722a3fd6dcbec95335d888d20c2ade989a8355d
-
\Users\Admin\AppData\Local\Temp\FB_ACE4.tmp.exeFilesize
723KB
MD5ca554c5962d17073e7ce0e65e505158c
SHA15d09fe7bac713a0e03b3b1322019f86dd10a2c9e
SHA256448565c452f2c88c73061548aa46c1dbdc281567dffc2abec39e7eb177f230cb
SHA512969408b0975c6e0288b3bd5e5521fa092712d8cc9fe23f9166751d0f1e2f5c570712bc91c8602c0474dd0c6a2ef52975b06736295dca7f9d9fbb7a8da2fc8b27
-
\Users\Admin\AppData\Local\Temp\IXP000.TMP\M.exeFilesize
716KB
MD5aa8a27f555ba52a3057d1ebd59e51193
SHA1fbc1b0916e428969d2e7e11f2a0c5bd6449ad05f
SHA25609cd260d8a7a59b6e123b59d1d7ccdb289d56ccf7be4952451768bbafee305d2
SHA51204bbf4d273bebd851725b5b4cae007413983cdb7efef56f8d88995493f5c8d0afa29accd7d8135ac686acbde8c8f7507c23969b4f5315409dedc2e4d34fdcfb3
-
memory/1012-145-0x0000000000400000-0x0000000000411000-memory.dmpFilesize
68KB
-
memory/2012-90-0x0000000000400000-0x0000000000411000-memory.dmpFilesize
68KB
-
memory/2384-94-0x0000000000E30000-0x0000000000EEA000-memory.dmpFilesize
744KB
-
memory/2528-44-0x000000007EFDE000-0x000000007EFDF000-memory.dmpFilesize
4KB
-
memory/2528-36-0x0000000000400000-0x00000000052E8000-memory.dmpFilesize
78.9MB
-
memory/2528-28-0x0000000000400000-0x00000000052E8000-memory.dmpFilesize
78.9MB
-
memory/2528-31-0x0000000000400000-0x00000000052E8000-memory.dmpFilesize
78.9MB
-
memory/2528-26-0x0000000000400000-0x00000000052E8000-memory.dmpFilesize
78.9MB
-
memory/2528-34-0x0000000000400000-0x00000000052E8000-memory.dmpFilesize
78.9MB
-
memory/2528-42-0x0000000000400000-0x00000000052E8000-memory.dmpFilesize
78.9MB
-
memory/2528-38-0x0000000000400000-0x00000000052E8000-memory.dmpFilesize
78.9MB
-
memory/2528-40-0x0000000000400000-0x00000000052E8000-memory.dmpFilesize
78.9MB
-
memory/2528-52-0x0000000000401000-0x0000000000402000-memory.dmpFilesize
4KB
-
memory/2528-82-0x0000000000400000-0x00000000004CA000-memory.dmpFilesize
808KB
-
memory/2528-75-0x0000000000400000-0x00000000052E8000-memory.dmpFilesize
78.9MB
-
memory/2528-33-0x0000000000400000-0x00000000052E8000-memory.dmpFilesize
78.9MB
-
memory/2528-24-0x0000000000300000-0x0000000000400000-memory.dmpFilesize
1024KB
-
memory/2872-20-0x00000000001F0000-0x00000000001F5000-memory.dmpFilesize
20KB
-
memory/2872-15-0x00000000001D0000-0x00000000001D2000-memory.dmpFilesize
8KB