Analysis
-
max time kernel
152s -
max time network
159s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-en -
resource tags
arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system -
submitted
07-06-2024 18:35
Static task
static1
Behavioral task
behavioral1
Sample
TheWarz-Crack.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
TheWarz-Crack.exe
Resource
win10v2004-20240226-en
General
-
Target
TheWarz-Crack.exe
-
Size
1.2MB
-
MD5
6b035800be70ccbedd9154a9ae57d03b
-
SHA1
c7de2eba384c891723b4a17753ee00129f5fe973
-
SHA256
e621a036413f70d0a00dbe48de5773dceea1429dc1864aebe90cb277583690de
-
SHA512
1b41dc9bf8c040ca33d26da8986f346ff6be02bf2197b78c96b2c6dbb45ba19bf4b31d8eeb4e715c78507b78ea6d2b05d039fb28e11ec8750fc5080a42c318d7
-
SSDEEP
24576:yzjh/FIFRPOUS01XpN4wEpv7I+CqSfhvuwGHEqPb2LxBxf3y:CKFNSEpN4NpvcAyBudHTCFq
Malware Config
Signatures
-
ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
-
ModiLoader Second Stage 8 IoCs
Processes:
resource yara_rule behavioral2/memory/680-17-0x0000000000400000-0x00000000052E8000-memory.dmp modiloader_stage2 behavioral2/memory/680-20-0x0000000000400000-0x00000000052E8000-memory.dmp modiloader_stage2 behavioral2/memory/680-21-0x0000000000400000-0x00000000052E8000-memory.dmp modiloader_stage2 C:\Users\Admin\AppData\Local\Temp\FB_3303.tmp.exe modiloader_stage2 behavioral2/memory/680-51-0x0000000000400000-0x00000000004CA000-memory.dmp modiloader_stage2 behavioral2/memory/4580-59-0x0000000000400000-0x0000000000411000-memory.dmp modiloader_stage2 behavioral2/memory/680-50-0x0000000000400000-0x00000000052E8000-memory.dmp modiloader_stage2 behavioral2/memory/1652-91-0x0000000000400000-0x0000000000411000-memory.dmp modiloader_stage2 -
Modifies Windows Firewall 2 TTPs 1 IoCs
Processes:
netsh.exepid process 1452 netsh.exe -
Checks computer location settings 2 TTPs 3 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
M.exeFB_3303.tmp.exeFB_2844.tmp.exedescription ioc process Key value queried \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation M.exe Key value queried \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation FB_3303.tmp.exe Key value queried \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation FB_2844.tmp.exe -
Drops startup file 2 IoCs
Processes:
TheWarz-Crack-1.exedescription ioc process File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\4ff3a911dbfff7e34d508efdb7eca614.exe TheWarz-Crack-1.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\4ff3a911dbfff7e34d508efdb7eca614.exe TheWarz-Crack-1.exe -
Executes dropped EXE 7 IoCs
Processes:
M.exeM.exeFB_2844.tmp.exeFB_3303.tmp.exeFB_3381.tmp.exeWrnia.exeTheWarz-Crack-1.exepid process 876 M.exe 680 M.exe 232 FB_2844.tmp.exe 4580 FB_3303.tmp.exe 2300 FB_3381.tmp.exe 1652 Wrnia.exe 4124 TheWarz-Crack-1.exe -
Adds Run key to start application 2 TTPs 4 IoCs
Processes:
TheWarz-Crack.exeWrnia.exeTheWarz-Crack-1.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" TheWarz-Crack.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Wrnia = "C:\\Users\\Admin\\AppData\\Roaming\\Wrnia.exe" Wrnia.exe Set value (str) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\4ff3a911dbfff7e34d508efdb7eca614 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\TheWarz-Crack-1.exe\" .." TheWarz-Crack-1.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\4ff3a911dbfff7e34d508efdb7eca614 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\TheWarz-Crack-1.exe\" .." TheWarz-Crack-1.exe -
Drops file in System32 directory 2 IoCs
Processes:
FB_3381.tmp.exedescription ioc process File created C:\Windows\SysWOW64\accessibilitycpI.dll FB_3381.tmp.exe File opened for modification C:\Windows\SysWOW64\accessibilitycpI.dll FB_3381.tmp.exe -
Suspicious use of SetThreadContext 1 IoCs
Processes:
M.exedescription pid process target process PID 876 set thread context of 680 876 M.exe M.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
M.exeFB_3381.tmp.exepid process 876 M.exe 876 M.exe 2300 FB_3381.tmp.exe 2300 FB_3381.tmp.exe 2300 FB_3381.tmp.exe 2300 FB_3381.tmp.exe 2300 FB_3381.tmp.exe 2300 FB_3381.tmp.exe 2300 FB_3381.tmp.exe 2300 FB_3381.tmp.exe 2300 FB_3381.tmp.exe 2300 FB_3381.tmp.exe 2300 FB_3381.tmp.exe 2300 FB_3381.tmp.exe 2300 FB_3381.tmp.exe 2300 FB_3381.tmp.exe 2300 FB_3381.tmp.exe 2300 FB_3381.tmp.exe 2300 FB_3381.tmp.exe 2300 FB_3381.tmp.exe 2300 FB_3381.tmp.exe 2300 FB_3381.tmp.exe 2300 FB_3381.tmp.exe 2300 FB_3381.tmp.exe 2300 FB_3381.tmp.exe 2300 FB_3381.tmp.exe 2300 FB_3381.tmp.exe 2300 FB_3381.tmp.exe 2300 FB_3381.tmp.exe 2300 FB_3381.tmp.exe 2300 FB_3381.tmp.exe 2300 FB_3381.tmp.exe 2300 FB_3381.tmp.exe 2300 FB_3381.tmp.exe 2300 FB_3381.tmp.exe 2300 FB_3381.tmp.exe 2300 FB_3381.tmp.exe 2300 FB_3381.tmp.exe 2300 FB_3381.tmp.exe 2300 FB_3381.tmp.exe 2300 FB_3381.tmp.exe 2300 FB_3381.tmp.exe 2300 FB_3381.tmp.exe 2300 FB_3381.tmp.exe 2300 FB_3381.tmp.exe 2300 FB_3381.tmp.exe 2300 FB_3381.tmp.exe 2300 FB_3381.tmp.exe 2300 FB_3381.tmp.exe 2300 FB_3381.tmp.exe 2300 FB_3381.tmp.exe 2300 FB_3381.tmp.exe 2300 FB_3381.tmp.exe 2300 FB_3381.tmp.exe 2300 FB_3381.tmp.exe 2300 FB_3381.tmp.exe 2300 FB_3381.tmp.exe 2300 FB_3381.tmp.exe 2300 FB_3381.tmp.exe 2300 FB_3381.tmp.exe 2300 FB_3381.tmp.exe 2300 FB_3381.tmp.exe 2300 FB_3381.tmp.exe 2300 FB_3381.tmp.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
FB_3381.tmp.exeTheWarz-Crack-1.exedescription pid process Token: SeDebugPrivilege 2300 FB_3381.tmp.exe Token: SeDebugPrivilege 4124 TheWarz-Crack-1.exe -
Suspicious use of SetWindowsHookEx 2 IoCs
Processes:
M.exepid process 876 M.exe 876 M.exe -
Suspicious use of WriteProcessMemory 34 IoCs
Processes:
TheWarz-Crack.exeM.exeM.exeFB_3303.tmp.exeFB_2844.tmp.exeTheWarz-Crack-1.exedescription pid process target process PID 3256 wrote to memory of 876 3256 TheWarz-Crack.exe M.exe PID 3256 wrote to memory of 876 3256 TheWarz-Crack.exe M.exe PID 3256 wrote to memory of 876 3256 TheWarz-Crack.exe M.exe PID 876 wrote to memory of 680 876 M.exe M.exe PID 876 wrote to memory of 680 876 M.exe M.exe PID 876 wrote to memory of 680 876 M.exe M.exe PID 876 wrote to memory of 680 876 M.exe M.exe PID 876 wrote to memory of 680 876 M.exe M.exe PID 876 wrote to memory of 680 876 M.exe M.exe PID 876 wrote to memory of 680 876 M.exe M.exe PID 876 wrote to memory of 680 876 M.exe M.exe PID 876 wrote to memory of 680 876 M.exe M.exe PID 876 wrote to memory of 680 876 M.exe M.exe PID 876 wrote to memory of 680 876 M.exe M.exe PID 876 wrote to memory of 680 876 M.exe M.exe PID 876 wrote to memory of 680 876 M.exe M.exe PID 680 wrote to memory of 232 680 M.exe FB_2844.tmp.exe PID 680 wrote to memory of 232 680 M.exe FB_2844.tmp.exe PID 680 wrote to memory of 232 680 M.exe FB_2844.tmp.exe PID 680 wrote to memory of 4580 680 M.exe FB_3303.tmp.exe PID 680 wrote to memory of 4580 680 M.exe FB_3303.tmp.exe PID 680 wrote to memory of 4580 680 M.exe FB_3303.tmp.exe PID 680 wrote to memory of 2300 680 M.exe FB_3381.tmp.exe PID 680 wrote to memory of 2300 680 M.exe FB_3381.tmp.exe PID 680 wrote to memory of 2300 680 M.exe FB_3381.tmp.exe PID 4580 wrote to memory of 1652 4580 FB_3303.tmp.exe Wrnia.exe PID 4580 wrote to memory of 1652 4580 FB_3303.tmp.exe Wrnia.exe PID 4580 wrote to memory of 1652 4580 FB_3303.tmp.exe Wrnia.exe PID 232 wrote to memory of 4124 232 FB_2844.tmp.exe TheWarz-Crack-1.exe PID 232 wrote to memory of 4124 232 FB_2844.tmp.exe TheWarz-Crack-1.exe PID 232 wrote to memory of 4124 232 FB_2844.tmp.exe TheWarz-Crack-1.exe PID 4124 wrote to memory of 1452 4124 TheWarz-Crack-1.exe netsh.exe PID 4124 wrote to memory of 1452 4124 TheWarz-Crack-1.exe netsh.exe PID 4124 wrote to memory of 1452 4124 TheWarz-Crack-1.exe netsh.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\TheWarz-Crack.exe"C:\Users\Admin\AppData\Local\Temp\TheWarz-Crack.exe"1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\M.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\M.exe2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\M.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\M.exe3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\FB_2844.tmp.exe"C:\Users\Admin\AppData\Local\Temp\FB_2844.tmp.exe"4⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\TheWarz-Crack-1.exe"C:\Users\Admin\AppData\Local\Temp\TheWarz-Crack-1.exe"5⤵
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\netsh.exenetsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\TheWarz-Crack-1.exe" "TheWarz-Crack-1.exe" ENABLE6⤵
- Modifies Windows Firewall
-
C:\Users\Admin\AppData\Local\Temp\FB_3303.tmp.exe"C:\Users\Admin\AppData\Local\Temp\FB_3303.tmp.exe"4⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\Wrnia.exe"C:\Users\Admin\AppData\Roaming\Wrnia.exe"5⤵
- Executes dropped EXE
- Adds Run key to start application
-
C:\Users\Admin\AppData\Local\Temp\FB_3381.tmp.exe"C:\Users\Admin\AppData\Local\Temp\FB_3381.tmp.exe"4⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4028 --field-trial-handle=2328,i,5873823382323802923,13134441441264702821,262144 --variations-seed-version /prefetch:81⤵
Network
MITRE ATT&CK Matrix ATT&CK v13
Persistence
Create or Modify System Process
1Windows Service
1Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Privilege Escalation
Create or Modify System Process
1Windows Service
1Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\FB_2844.tmp.exeFilesize
29KB
MD5614ee07b628e4994d4d7f1b9beda6ece
SHA10171581e8d76d2d922027f4f072cff8215c55abb
SHA256b4458b76c0ade6678ac78a74dfa38dff4125d39210717b2c2bdd271bdd733cef
SHA512c279ff78b25f40bde2f64ab33ba5a2b9b4046e68a4e2089121118173930eaab813f48e8a30f569b25a316c79cc4e42df18df8c219a258096d5ce9359f007e001
-
C:\Users\Admin\AppData\Local\Temp\FB_3303.tmp.exeFilesize
36KB
MD5bc31fb751e47491430d909c72c5529c9
SHA1c1a5925786cf7729d04f765cd1cd47fab5ddcf95
SHA256aecbf1535c7be968369ce966f8478cc55dd311f122565f5ee7d627cd302f4921
SHA51203af1955cd15bf239a1e3ec768f66320b17a84e06d977fa3aa1aa1e1b7c03db78e10a6e8d94ffa504b56fc649722a3fd6dcbec95335d888d20c2ade989a8355d
-
C:\Users\Admin\AppData\Local\Temp\FB_3381.tmp.exeFilesize
723KB
MD5ca554c5962d17073e7ce0e65e505158c
SHA15d09fe7bac713a0e03b3b1322019f86dd10a2c9e
SHA256448565c452f2c88c73061548aa46c1dbdc281567dffc2abec39e7eb177f230cb
SHA512969408b0975c6e0288b3bd5e5521fa092712d8cc9fe23f9166751d0f1e2f5c570712bc91c8602c0474dd0c6a2ef52975b06736295dca7f9d9fbb7a8da2fc8b27
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\M.ex_Filesize
851KB
MD54c687cafefcab325c62847a3910c71a9
SHA1882409e2d437758967ffbe8d9740dd35a86e95c6
SHA256fb635a07236ad5395238b0e18ba87f60264d93bc8a2e13805b661f528a185793
SHA51297b730f00751df1a41670b079c1f784709f8ce79b3eaece05be0007ddb8f8566876a93b21be459dbb9f91e265b45c88565dda3a1e7501a4f63b2b7255a9cd5de
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\M.exeFilesize
716KB
MD5aa8a27f555ba52a3057d1ebd59e51193
SHA1fbc1b0916e428969d2e7e11f2a0c5bd6449ad05f
SHA25609cd260d8a7a59b6e123b59d1d7ccdb289d56ccf7be4952451768bbafee305d2
SHA51204bbf4d273bebd851725b5b4cae007413983cdb7efef56f8d88995493f5c8d0afa29accd7d8135ac686acbde8c8f7507c23969b4f5315409dedc2e4d34fdcfb3
-
C:\Windows\SysWOW64\accessibilitycpI.dllFilesize
302KB
MD50d313a81c8b3b25e58ea49359242bea4
SHA17d9e242e418a982f248f9981b10b64830d67d802
SHA2563000f91791e0b3331ccc130d0bc5d94b2ae5fc529b3924a2e97002e3251d926b
SHA51263f9bef6ad11372b241b5e679c63c2164e21073f8a99b7442d89e301b017e5e2f0c344ef3df0227506837816c86e7539899a9c1499cefa0b18c257f8f87837a7
-
memory/680-51-0x0000000000400000-0x00000000004CA000-memory.dmpFilesize
808KB
-
memory/680-20-0x0000000000400000-0x00000000052E8000-memory.dmpFilesize
78.9MB
-
memory/680-17-0x0000000000400000-0x00000000052E8000-memory.dmpFilesize
78.9MB
-
memory/680-50-0x0000000000400000-0x00000000052E8000-memory.dmpFilesize
78.9MB
-
memory/680-21-0x0000000000400000-0x00000000052E8000-memory.dmpFilesize
78.9MB
-
memory/876-7-0x0000000002280000-0x0000000002282000-memory.dmpFilesize
8KB
-
memory/876-14-0x00000000022A0000-0x00000000022A5000-memory.dmpFilesize
20KB
-
memory/1652-91-0x0000000000400000-0x0000000000411000-memory.dmpFilesize
68KB
-
memory/2300-60-0x0000000000850000-0x000000000090A000-memory.dmpFilesize
744KB
-
memory/2300-62-0x00000000057F0000-0x0000000005D94000-memory.dmpFilesize
5.6MB
-
memory/2300-63-0x00000000052E0000-0x0000000005372000-memory.dmpFilesize
584KB
-
memory/2300-73-0x0000000005270000-0x000000000527A000-memory.dmpFilesize
40KB
-
memory/2300-74-0x0000000005380000-0x00000000053D6000-memory.dmpFilesize
344KB
-
memory/2300-61-0x00000000051A0000-0x000000000523C000-memory.dmpFilesize
624KB
-
memory/4580-59-0x0000000000400000-0x0000000000411000-memory.dmpFilesize
68KB