Analysis
-
max time kernel
147s -
max time network
152s -
platform
windows7_x64 -
resource
win7-20240708-en -
resource tags
arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system -
submitted
25-07-2024 00:37
Static task
static1
Behavioral task
behavioral1
Sample
LisectAVT_2403002A_44.exe
Resource
win7-20240708-en
Behavioral task
behavioral2
Sample
LisectAVT_2403002A_44.exe
Resource
win10v2004-20240709-en
General
-
Target
LisectAVT_2403002A_44.exe
-
Size
250KB
-
MD5
1de50898c006fcc7d1924a6df312f8e2
-
SHA1
7b1ae04725421af4e1609bc1594d01691643613f
-
SHA256
f901f4b9437419d09352abcdec1a1e7bb1b511adbee059c42695753575b2b77c
-
SHA512
60d919aabbe922194e52e4b3834fb2ef8242427e851bff023cf3059c4bbf8574df318667b790638f7fc995872e2e35b572a4b0f3991dfc61150b1bba4b40d79c
-
SSDEEP
6144:jNc88VTZVxiL2CzS3vlm8LkuJKjWZSLV64:y88Vt7iLVWvU8LdmV
Malware Config
Extracted
warzonerat
216.250.253.35:2356
Signatures
-
WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
-
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
-
Warzone RAT payload 10 IoCs
Processes:
resource yara_rule behavioral1/memory/2520-2-0x0000000000220000-0x0000000000242000-memory.dmp warzonerat behavioral1/memory/2520-3-0x0000000000400000-0x000000000055A000-memory.dmp warzonerat behavioral1/memory/2520-4-0x0000000000400000-0x000000000055A000-memory.dmp warzonerat behavioral1/memory/2520-18-0x0000000000400000-0x000000000055A000-memory.dmp warzonerat behavioral1/memory/2520-21-0x0000000000220000-0x0000000000242000-memory.dmp warzonerat behavioral1/memory/2520-29-0x0000000000400000-0x000000000055A000-memory.dmp warzonerat behavioral1/memory/2520-32-0x0000000000400000-0x000000000055A000-memory.dmp warzonerat behavioral1/memory/2520-33-0x0000000000400000-0x000000000055A000-memory.dmp warzonerat behavioral1/memory/2520-34-0x0000000000400000-0x000000000055A000-memory.dmp warzonerat behavioral1/memory/2520-44-0x0000000000400000-0x000000000055A000-memory.dmp warzonerat -
Modifies Windows Firewall 2 TTPs 1 IoCs
Processes:
netsh.exepid process 1132 netsh.exe -
Server Software Component: Terminal Services DLL 1 TTPs 1 IoCs
Processes:
LisectAVT_2403002A_44.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\TermService\Parameters\ServiceDll = "%ProgramFiles%\\Microsoft DN1\\sqlmap.dll" LisectAVT_2403002A_44.exe -
Executes dropped EXE 1 IoCs
Processes:
30.exepid process 3060 30.exe -
Loads dropped DLL 8 IoCs
Processes:
LisectAVT_2403002A_44.exepid process 2520 LisectAVT_2403002A_44.exe 2612 2520 LisectAVT_2403002A_44.exe 2520 LisectAVT_2403002A_44.exe 2520 LisectAVT_2403002A_44.exe 2520 LisectAVT_2403002A_44.exe 2520 LisectAVT_2403002A_44.exe 2520 LisectAVT_2403002A_44.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Processes:
resource yara_rule \Users\Admin\AppData\Local\Temp\30.exe upx behavioral1/memory/3060-13-0x0000000001380000-0x00000000013AD000-memory.dmp upx behavioral1/memory/3060-19-0x0000000001380000-0x00000000013AD000-memory.dmp upx behavioral1/memory/3060-22-0x0000000001380000-0x00000000013AD000-memory.dmp upx -
Accesses Microsoft Outlook profiles 1 TTPs 2 IoCs
Processes:
LisectAVT_2403002A_44.exedescription ioc process Key opened \REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 LisectAVT_2403002A_44.exe Key opened \REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 LisectAVT_2403002A_44.exe -
Modifies WinLogon 2 TTPs 4 IoCs
Processes:
LisectAVT_2403002A_44.exedescription ioc process Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList LisectAVT_2403002A_44.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts LisectAVT_2403002A_44.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList\bKHvndn = "0" LisectAVT_2403002A_44.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\AllowMultipleTSSessions = "1" LisectAVT_2403002A_44.exe -
Drops file in System32 directory 1 IoCs
Processes:
LisectAVT_2403002A_44.exedescription ioc process File created C:\Windows\System32\rfxvmt.dll LisectAVT_2403002A_44.exe -
Hide Artifacts: Hidden Users 1 TTPs 1 IoCs
Processes:
LisectAVT_2403002A_44.exedescription ioc process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList\bKHvndn = "0" LisectAVT_2403002A_44.exe -
Drops file in Program Files directory 2 IoCs
Processes:
LisectAVT_2403002A_44.exedescription ioc process File created C:\Program Files\Microsoft DN1\sqlmap.dll LisectAVT_2403002A_44.exe File created C:\Program Files\Microsoft DN1\rdpwrap.ini LisectAVT_2403002A_44.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs
Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.
Processes:
netsh.exedescription ioc process Key queried \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh netsh.exe Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh netsh.exe Key opened \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh netsh.exe -
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
LisectAVT_2403002A_44.exe30.exenetsh.exedescription ioc process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language LisectAVT_2403002A_44.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 30.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language netsh.exe -
Suspicious behavior: LoadsDriver 5 IoCs
Processes:
pid process 2612 2612 2612 2612 2612 -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
LisectAVT_2403002A_44.exedescription pid process Token: SeDebugPrivilege 2520 LisectAVT_2403002A_44.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
Processes:
LisectAVT_2403002A_44.exepid process 2520 LisectAVT_2403002A_44.exe -
Suspicious use of WriteProcessMemory 8 IoCs
Processes:
LisectAVT_2403002A_44.exe30.exedescription pid process target process PID 2520 wrote to memory of 3060 2520 LisectAVT_2403002A_44.exe 30.exe PID 2520 wrote to memory of 3060 2520 LisectAVT_2403002A_44.exe 30.exe PID 2520 wrote to memory of 3060 2520 LisectAVT_2403002A_44.exe 30.exe PID 2520 wrote to memory of 3060 2520 LisectAVT_2403002A_44.exe 30.exe PID 3060 wrote to memory of 1132 3060 30.exe netsh.exe PID 3060 wrote to memory of 1132 3060 30.exe netsh.exe PID 3060 wrote to memory of 1132 3060 30.exe netsh.exe PID 3060 wrote to memory of 1132 3060 30.exe netsh.exe -
outlook_office_path 1 IoCs
Processes:
LisectAVT_2403002A_44.exedescription ioc process Key opened \REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 LisectAVT_2403002A_44.exe -
outlook_win_path 1 IoCs
Processes:
LisectAVT_2403002A_44.exedescription ioc process Key opened \REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 LisectAVT_2403002A_44.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\LisectAVT_2403002A_44.exe"C:\Users\Admin\AppData\Local\Temp\LisectAVT_2403002A_44.exe"1⤵
- Server Software Component: Terminal Services DLL
- Loads dropped DLL
- Accesses Microsoft Outlook profiles
- Modifies WinLogon
- Drops file in System32 directory
- Hide Artifacts: Hidden Users
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- outlook_office_path
- outlook_win_path
PID:2520 -
C:\Users\Admin\AppData\Local\Temp\30.exe"C:\Users\Admin\AppData\Local\Temp\30.exe"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3060 -
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall add rule name="3389" dir=in action=allow protocol=TCP localport=33893⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
PID:1132
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Winlogon Helper DLL
1Create or Modify System Process
1Windows Service
1Event Triggered Execution
1Netsh Helper DLL
1Server Software Component
1Terminal Services DLL
1Privilege Escalation
Boot or Logon Autostart Execution
1Winlogon Helper DLL
1Create or Modify System Process
1Windows Service
1Event Triggered Execution
1Netsh Helper DLL
1Defense Evasion
Hide Artifacts
1Hidden Users
1Impair Defenses
1Disable or Modify System Firewall
1Modify Registry
1Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
1Credentials In Files
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
114KB
MD5461ade40b800ae80a40985594e1ac236
SHA1b3892eef846c044a2b0785d54a432b3e93a968c8
SHA256798af20db39280f90a1d35f2ac2c1d62124d1f5218a2a0fa29d87a13340bd3e4
SHA512421f9060c4b61fa6f4074508602a2639209032fd5df5bfc702a159e3bad5479684ccb3f6e02f3e38fb8db53839cf3f41fe58a3acad6ec1199a48dc333b2d8a26
-
Filesize
70KB
MD5ca96229390a0e6a53e8f2125f2c01114
SHA1a54b1081cf58724f8cb292b4d165dfee2fb1c9f6
SHA2560df3d05900e7b530f6c2a281d43c47839f2cf2a5d386553c8dc46e463a635a2c
SHA512e93445bce6c8b6f51890309577a0ea9369860d2e6bf8cc0ca708879a77bb176d27c5f559bbdb7deb4b719aee0fc48d9068c293559f7629baf4ec3515898102ef
-
Filesize
326KB
MD5ef12ab9d0b231b8f898067b2114b1bc0
SHA16d90f27b2105945f9bb77039e8b892070a5f9442
SHA2562b00fc4f541ac10c94e3556ff28e30a801811c36422546a546a445aca3f410f7
SHA5122aa62bfba556ad8f042942dd25aa071ff6677c257904377c1ec956fd9e862abcbf379e0cfd8c630c303a32ece75618c24e3eef58bddb705c427985b944689193
-
Filesize
133KB
MD575f8cc548cabf0cc800c25047e4d3124
SHA1602676768f9faecd35b48c38a0632781dfbde10c
SHA256fb419a60305f17359e2ac0510233ee80e845885eee60607715c67dd88e501ef0
SHA512ed831c9c769aef3be253c52542cf032afa0a8fa5fe25ca704db65ee6883c608220df7102ac2b99ee9c2e599a0f5db99fd86894a4b169e68440eb1b0d0012672f
-
Filesize
429KB
MD5109f0f02fd37c84bfc7508d4227d7ed5
SHA1ef7420141bb15ac334d3964082361a460bfdb975
SHA256334e69ac9367f708ce601a6f490ff227d6c20636da5222f148b25831d22e13d4
SHA51246eb62b65817365c249b48863d894b4669e20fcb3992e747cd5c9fdd57968e1b2cf7418d1c9340a89865eadda362b8db51947eb4427412eb83b35994f932fd39
-
Filesize
1.2MB
MD5d7858e8449004e21b01d468e9fd04b82
SHA19524352071ede21c167e7e4f106e9526dc23ef4e
SHA25678758bf7f3b3b5e3477e38354acd32d787bc1286c8bd9b873471b9c195e638db
SHA5121e2c981e6c0ca36c60c6e9cae9548b866d5c524df837095b30d618d9c322def7134c20de820105400dd1b58076b66d90274f67773ac6ba914f611b419babb440
-
Filesize
141KB
MD5471c983513694ac3002590345f2be0da
SHA16612b9af4ff6830fa9b7d4193078434ef72f775b
SHA256bb3ff746471116c6ad0339fa0522aa2a44a787e33a29c7b27649a054ecd4d00f
SHA512a9b0fb923bc3b567e933de10b141a3e9213640e3d790b4c4d753cf220d55593ae8026102909969ba6bfc22da3b2fcd01e30a9f5a74bd14a0fdec9beaf0fb1410
-
Filesize
81KB
MD57587bf9cb4147022cd5681b015183046
SHA1f2106306a8f6f0da5afb7fc765cfa0757ad5a628
SHA256c40bb03199a2054dabfc7a8e01d6098e91de7193619effbd0f142a7bf031c14d
SHA5120b63e4979846ceba1b1ed8470432ea6aa18cca66b5f5322d17b14bc0dfa4b2ee09ca300a016e16a01db5123e4e022820698f46d9bad1078bd24675b4b181e91f