Resubmissions
01/11/2024, 12:33
241101-pradyaypdv 1027/10/2024, 23:08
241027-24hmasskhj 1020/10/2024, 16:28
241020-tyzdvsxgqb 320/10/2024, 16:26
241020-tx2gtszekk 302/10/2024, 11:53
241002-n2j6fsycqb 313/09/2024, 04:59
240913-fmwxpswcpb 311/09/2024, 15:54
240911-tcmg6sygmm 311/09/2024, 15:53
240911-tbsmsszbnh 1025/08/2024, 22:53
240825-2t6als1gll 10Analysis
-
max time kernel
150s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
-
submitted
13/08/2024, 23:49
General
-
Target
dl2.exe
-
Size
849KB
-
MD5
c2055b7fbaa041d9f68b9d5df9b45edd
-
SHA1
e4bd443bd4ce9029290dcd4bb47cb1a01f3b1b06
-
SHA256
342f04c4720590c40d24078d46d9b19d8175565f0af460598171d58f5ffc48f3
-
SHA512
18905b75938b8af9468b1aa3ffbae796a139c2762e623aa6ffb9ec2b293dd04aa1f90d1ed5a7dbda7853795a3688e368121a134c7f63e527a8e5e7679301a1dc
-
SSDEEP
12288:A3RY3yNqMRTF4q2rxHn2ot/81xpNQyjUXlmoe7ufjHAtjXD7r2:A3RY3R24q+xn/8Xp2yOl5fzQ/2
Malware Config
Extracted
warzonerat
168.61.222.215:5400
Signatures
-
WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
-
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
-
ReZer0 packer 1 IoCs
Detects ReZer0, a packer with multiple versions used in various campaigns.
-
Warzone RAT payload 2 IoCs
-
Downloads MZ/PE file
-
Checks computer location settings 2 TTPs 4 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 7 IoCs
-
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
-
Adds Run key to start application 2 TTPs 3 IoCs
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
-
Suspicious use of SetThreadContext 1 IoCs
-
Browser Information Discovery 1 TTPs
Enumerate browser information.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 6 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
NSIS installer 2 IoCs
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
Modifies registry class 1 IoCs
-
Modifies system certificate store 2 TTPs 3 IoCs
-
NTFS ADS 5 IoCs
-
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 23 IoCs
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 17 IoCs
-
Suspicious use of AdjustPrivilegeToken 3 IoCs
-
Suspicious use of FindShellTrayWindow 58 IoCs
-
Suspicious use of SendNotifyMessage 24 IoCs
-
Suspicious use of SetWindowsHookEx 8 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\dl2.exe"C:\Users\Admin\AppData\Local\Temp\dl2.exe"1⤵
- Suspicious use of SetWindowsHookEx
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default1⤵
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffced7746f8,0x7ffced774708,0x7ffced7747182⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2064,4523746523530845228,182247529667055318,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2096 /prefetch:22⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2064,4523746523530845228,182247529667055318,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2152 /prefetch:32⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2064,4523746523530845228,182247529667055318,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2784 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,4523746523530845228,182247529667055318,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3372 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,4523746523530845228,182247529667055318,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3400 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,4523746523530845228,182247529667055318,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5112 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,4523746523530845228,182247529667055318,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3764 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2064,4523746523530845228,182247529667055318,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3416 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2064,4523746523530845228,182247529667055318,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3416 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,4523746523530845228,182247529667055318,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4204 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,4523746523530845228,182247529667055318,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5464 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2064,4523746523530845228,182247529667055318,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5388 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=2064,4523746523530845228,182247529667055318,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=3488 /prefetch:82⤵
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,4523746523530845228,182247529667055318,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5108 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,4523746523530845228,182247529667055318,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5616 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,4523746523530845228,182247529667055318,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5184 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2064,4523746523530845228,182247529667055318,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=2676 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,4523746523530845228,182247529667055318,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5668 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2064,4523746523530845228,182247529667055318,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6380 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2064,4523746523530845228,182247529667055318,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6872 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Users\Admin\Downloads\AdwereCleaner.exe"C:\Users\Admin\Downloads\AdwereCleaner.exe"2⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
C:\Users\Admin\AppData\Local\6AdwCleaner.exe"C:\Users\Admin\AppData\Local\6AdwCleaner.exe"3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
-
-
-
C:\Users\Admin\Downloads\AdwereCleaner.exe"C:\Users\Admin\Downloads\AdwereCleaner.exe"2⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
C:\Users\Admin\AppData\Local\6AdwCleaner.exe"C:\Users\Admin\AppData\Local\6AdwCleaner.exe"3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,4523746523530845228,182247529667055318,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6848 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,4523746523530845228,182247529667055318,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6812 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,4523746523530845228,182247529667055318,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6964 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,4523746523530845228,182247529667055318,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6712 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,4523746523530845228,182247529667055318,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2840 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,4523746523530845228,182247529667055318,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1324 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2064,4523746523530845228,182247529667055318,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=7068 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,4523746523530845228,182247529667055318,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=32 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5128 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2064,4523746523530845228,182247529667055318,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=6212 /prefetch:22⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2064,4523746523530845228,182247529667055318,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6000 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2064,4523746523530845228,182247529667055318,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5596 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Users\Admin\AppData\Local\Temp\dl2.exeC:\Users\Admin\AppData\Local\Temp\dl2.exe {814B58BC-5EE5-408F-AE0E-75A2A1A38DC7}1⤵
- Suspicious use of SetWindowsHookEx
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵
-
C:\Users\Admin\Downloads\VanToM-Rat.bat"C:\Users\Admin\Downloads\VanToM-Rat.bat"1⤵
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- NTFS ADS
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Roaming\VanToM Folder\Server.exe"C:\Users\Admin\AppData\Roaming\VanToM Folder\Server.exe"2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
-
-
C:\Users\Admin\Downloads\WarzoneRAT.exe"C:\Users\Admin\Downloads\WarzoneRAT.exe"1⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\jFvfxe" /XML "C:\Users\Admin\AppData\Local\Temp\tmpDFF6.tmp"2⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"2⤵
- System Location Discovery: System Language Discovery
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Scheduled Task
1Defense Evasion
Modify Registry
2Subvert Trust Controls
1Install Root Certificate
1Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
3Credentials In Files
3Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
78KB
MD56b2ed06baf301013f6da09dfb36f48db
SHA1e090ce64d90c3c00841c2bc196c2dbddb9dfe821
SHA25635137ab08a83c939208355d93956eff9651817bbb308112d4fa3370392c98d88
SHA512160f7bdc73d915b7e2808b20a918202e7dc697e9b26610ac655d2609b93456d6ac795c02b5fe2f2c61a9acdea403cc17d72f045eac9aec8caa8839a779880ebf
-
Filesize
5B
MD55bfa51f3a417b98e7443eca90fc94703
SHA18c015d80b8a23f780bdd215dc842b0f5551f63bd
SHA256bebe2853a3485d1c2e5c5be4249183e0ddaff9f87de71652371700a89d937128
SHA5124cd03686254bb28754cbaa635ae1264723e2be80ce1dd0f78d1ab7aee72232f5b285f79e488e9c5c49ff343015bd07bb8433d6cee08ae3cea8c317303e3ac399
-
Filesize
1KB
MD552c9f653a4509e45f712e376a4260eca
SHA1e5a11579e903b1048718b231b1a3dd0230883a73
SHA256257785e481ab3f69a9d316f40bab6bf7ed75f19f3bc5059ce30eae3d2139f535
SHA5121485f2b0ed248a98ceab2000e2b1d69bf8a55e951bc2f53e3aa0d5ba8c416e5a97f83c1bc8f3805733f95e7923d03baf642357c7a81deed8c63f3d6c8b459a1c
-
Filesize
509B
MD59fbb2bd1e6e383194fa4ae215e4ab349
SHA18843e43b5bbce2acc7df7286a319cae0ad2b0097
SHA25647756f19fdbb0f8e368d31cf5ea3d6d38ea3c879d7c70ba398952a52636a55e2
SHA51267df0642694a12af096e50d7fa0acda31223e2be9e1d0fdee4a9b5e3267403f22da46c58d21c5cd27f85157add943bcfae07bafa399771250177590f9008e69c
-
Filesize
300B
MD54fffff14f3649db6c1f433110a4d3919
SHA1c30e777f0f2b339e438334445073b7bdae568b87
SHA256403e9d16d11e2b9441dd646260ce23b0193a026a64f2c8e95f6b50ad7adf3e89
SHA51258a6995fe81b0cc0a0cbf06a2429e5be42ffca404eed1f00d238d08f41f6e3f4f18747bbc25686e84cb2e9f3dde75fcc29f4fbb3ca5f7108d7e9ccf5233dcd34
-
Filesize
398B
MD5fbe0b7155504267cda22d597bac22f5e
SHA187274fa93c8c49373127a29b20634e907dd6e715
SHA256d7a23895f7377b6da23c47e84705bd12c8eb29346f5d20fb4b8bc507ca6960f3
SHA512ef990bf979857304c56307cc5f009cbac6477d5fae20567e0ef47e1fe91695747e2e492c61e4f104b6f118723de13dd3405395d9f14266a181eab15808966254
-
Filesize
500B
MD51ebce50e4378be13aad00f87d1f568b9
SHA1dcf04f0bbf7921b50b3c428805de7e7634976c24
SHA256875add8464e2a460f94c6e795ca528602feed1d913c647da6033679c47a1fb35
SHA512089637e66a26e50ecf2f7e7f37acc350eeb3e481061fa5e8784acd4a2965ae5638f30a193a1ea0b0d80d1d385a24ce30b0575fe8a1c93a31e3bfb93829e8a47b
-
Filesize
486B
MD550afed29195936023dc38c17e03c197c
SHA1c5c86e862079cea43fe6db3aefcffd7e4a7c1d23
SHA256114b86c7d9a698363f3909bf4278be2365b70a697d1aec7b9d904cb500d99486
SHA5121b0328f7854e669b5245178f3832ecf465e7a0b1ab2b56b68c6d78a86a5a8bccece0602757f95c45f35d59b899e7185755d77ce012759583663a4ffcef8a1c33
-
Filesize
168KB
MD587e4959fefec297ebbf42de79b5c88f6
SHA1eba50d6b266b527025cd624003799bdda9a6bc86
SHA2564f0033e811fe2497b38f0d45df958829d01933ebe7d331079eefc8e38fbeaa61
SHA512232fedec0180e85560a226870a244a22f54ca130ed6d6dc95dc02a1ff85f17da396925c9ff27d522067a30ee3e74a38adff375d8752161ee629df14f39cf6ba9
-
Filesize
152B
MD54dd2754d1bea40445984d65abee82b21
SHA14b6a5658bae9a784a370a115fbb4a12e92bd3390
SHA256183b8e82a0deaa83d04736553671cedb738adc909f483b3c5f822a0e6be7477d
SHA51292d44ee372ad33f892b921efa6cabc78e91025e89f05a22830763217826fa98d51d55711f85c8970ac58abf9adc6c85cc40878032cd6d2589ab226cd099f99e1
-
Filesize
152B
MD5ecf7ca53c80b5245e35839009d12f866
SHA1a7af77cf31d410708ebd35a232a80bddfb0615bb
SHA256882a513b71b26210ff251769b82b2c5d59a932f96d9ce606ca2fab6530a13687
SHA512706722bd22ce27d854036b1b16e6a3cdb36284b66edc76238a79c2e11cee7d1307b121c898ad832eb1af73e4f08d991d64dc0bff529896ffb4ebe9b3dc381696
-
Filesize
3KB
MD56ecb596d7f0142efb91bd23dbe53afcf
SHA14c5699deec1ff8ccfb2cbe30b7596b2c467d7aae
SHA2560f933e0c9b3a29cb960be4beaf88bf6ee803062f0f7e2af7c169d9d00dc2a6aa
SHA512f2d4d61a3f2127de3df5e1b900e4b08ed802d23dd567fa713bea1c62349bdff160b75fe420880593df46a85453076d91f844d23ad8b5a176c7b1532a58372d6d
-
Filesize
1KB
MD5ca6022b66877e41c1945ea1dafc9d7ee
SHA1ea6b9e9c2510708fbd1fa88a9434b486e60a4c60
SHA2567d8fbd8a9d35d411dc569a826d6590071c3e6f5ee505f007a3f8e600d73ba6a4
SHA512e1df8c23e7bb2cb8dd89a592ed2d7c7ddca879519621943e27d56e8ab2ffe3d8e85b7bfb571f39c26449712f55d84b0f2ee0aec5d871126985427770b49f241e
-
Filesize
1KB
MD5d8c5d3d7224e0e2f51a1d1f122b58bf7
SHA12f392aaffb2a45abfa519e3993045e298abe13de
SHA2560854ad13e8644e783228b45c5c7596170d433c971866d5fd42054e7cefc714b6
SHA5120f889e9f09a81f70525f1d11c02139a983bee67425ed763ae96265f77d43c8830d0601bb9555165594466c178add2698d0da8d7703cd19f03703a912427ed9f8
-
Filesize
6KB
MD5ddf73e863dc29509a3169e2786af0652
SHA173211a724d777179b63912ca22403e8e0ae46b55
SHA2561483f4a396ba8a53a6e1abca51ebba81b9779f2daacf24ddff96233f15553e2a
SHA5121eaddad388bce82e45abee12c76c26f5ea7c2c1adac868adf2acbe6096674061feba930a88ed1aa2164b520e388a82208c5960f9522632dabd3fdfd946262aae
-
Filesize
6KB
MD553eb32191c60031973636f479049f15a
SHA1e229fd82ddb98c9dc0cf59a40f24fb2afc60e89a
SHA256c4037ae1e021f16c1e325a7614428f6c651a8eb07a865b803ff32c300b105088
SHA512ac0513ac948e8b85cdea3157d16f6f98d3cab29cffffd1aecdd6f290c4dddc52da7b05675cdd7c1c3e89ac63a63dd06ef171da789c8af571cb6e5c2ecb12dd73
-
Filesize
7KB
MD5c8dc82f76918ee4c7bbb34aa2319538d
SHA1d5f0ea4eb5755879414e1e732d2745c31ee62764
SHA25631caa5d005304f7f62b6dfcddde13651037e178a413cf7b517e069a8483bf4ed
SHA5127f6920cf43d1a4a8d99c2dd4dbb85274b79da65d451cadb50ded2ae764c4d8a22cf44c7f0684f560931f8120b2f159ad0d23da32d02cf374a270f15dad01b47c
-
Filesize
6KB
MD53879d0830817527ac5c92a6dc3bf028c
SHA1ab5c92fad2afaf628d45235a0744d98786a5e79d
SHA2561992b0302e2cf42b3d30e82252d7826ffe4b2b4bb077ad2894bca7fd80d50451
SHA5129f4a526fc36c7a58ece22f769177eb7137dd541049ace86fd88c3f418de81c5711be46af8deed8e886e289ecdaee1d4dc1d372907fb053ed91de473936d38751
-
Filesize
1KB
MD5b07504a486bc3ff5fafcecc5839402a8
SHA14146c896d71614f9beccaa5948dc4c7c1b3f8a69
SHA2565ef20c80d56075bd85bfe35a8a71165934e10d0d544c420df8c88d70da6c00cb
SHA512d09aa1c265559b4095a573d2953ffd9728a97d7ebc0241688d35d648855d0ae2a2dd2bbf105498d7118356c9234bdafe0ccbed3bbd42cf2e78939790896c0c55
-
Filesize
1KB
MD5f92b985804bada15a4b3e7188fd7b021
SHA10e067f89b4c26e1f5ba38ee933eac710cd29de48
SHA2568d69433388c50a90bf4ab4aeec67141609a3d686520664471773410981bbe0cc
SHA5125f5550df23eb23d55531ce8d3d9e3646263958bfb10f0d2378af81be92ba22890b85d90567b11a494ba03d496450a9b07f63832cc87d123537e47e110bd8b780
-
Filesize
1KB
MD5371fd94bc2a09dc26333e21d0b16b690
SHA1903c296bb9ea9f37c6f91c8a033957058f8d3496
SHA256a1d08214c0815d890354e1328df0c89b88bfd9d03c79486c67bc01628348d5b5
SHA5125553ff672c0fc8d9330254fabdc69d6a306d507c27452de54f4be44d596782d40a0ea5c9616c2fab0737ba3e3255f54f2e4a43a9d7e8f45dfbaa2573c8c01eaf
-
Filesize
1KB
MD5771ea945e485e0582f6808f8ca7b30c5
SHA19aeb6cef430b627bb0e185ee3badaf3e49622103
SHA2561bc19b38a1046e2dd56c7b78e83067370354a08dc95532e397a21a58dcf108c7
SHA51297c0b18caf1a62521a14074f0bab572d1feaf5f338d408dcb592964451473a71a83ad31ebfaf5e167c69cffab8b46218e1d18152e177afbcbb5049c7ed0ef0f3
-
Filesize
1KB
MD5cf4d62b852f237a902961e4797d1813b
SHA1fb5209d5ac13951e484763084909a4f3792948d3
SHA2560a3f2d9b97fa781222eec03976ad574637443f378d9a1dbd3b662c82a4ca564b
SHA512063839f095b9f0102b4d7e3c49b9f954546d03f6c7871c149fc1b2379525502e024f4582bfe3648c14d87598c7a4fac7f4f7590dee9cbdaa651bb056114d8ea1
-
Filesize
1KB
MD51b7115a91d2a808c875bdade9e16e734
SHA14d7e291bd3066fbe0cd39e309bf57ccdd83c6124
SHA25675c1379163ee3bf36f76466668272ed27a78aede2a9428a15e63fe64f2dd185b
SHA512ca2a50fd34bd727491958e53dcb7301b8328dfa40f781c0e92decb4f18d3410384ff42d4eea1df57f6867995e094fa0642ac626ab3e705773dde30d28f6357bb
-
Filesize
16B
MD56752a1d65b201c13b62ea44016eb221f
SHA158ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA2560861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA5129cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389
-
Filesize
11KB
MD53cf1fd01263233c085cda807e4fb3417
SHA1ffcef0e796f6ba6bc8932d05aef8a13a0e86eeb6
SHA256534f49d41ae3451f8cba2ee1cd960512c7fac683a8c4bc9ee629af63201892af
SHA512f517f0f4df84e6bfc2d1d0ae1becea5a1109f39c20362681e09b55f2f9cc7cbc519efb647daf5d09f249cb26e9dbc6137866b218478ba03f6048cab3cc921d51
-
Filesize
11KB
MD5d3cbb7f5ad237651600926dec8b54abd
SHA1cb471387aea3590145d21e0f2ccbda68b2c007d7
SHA256b20cd499f3e70ef7c64e0afe90b29ed9b69594fba088f84ba4aa13ca4aaa95a6
SHA512c7a507b992a39134feeb6979fae85dbc419b3c3557236e5f580254623de5c3d619def963336468d4a9eae4e7afdd9483c6f9a081e4d5b3cb6c7dd8791a33ff5f
-
Filesize
12KB
MD5f1c5db0e5569a2cba67606383aa4e51e
SHA175c771f3da427ddb1d883ef1f402c75088e68ed4
SHA2567be3c1e8958efb132c469886a0c5494fb45e102d8ff659824d42190ba33dd26c
SHA512a779469f71e80fa159fc65eae6fc254910a7f165572967572d5d39ad39e227328f9719f9fbaaa2de0b30f7459c36aa6a259fa77ade6819f682eecc0c8bfc8661
-
Filesize
39B
MD57b3afea60421bbb95c700f49165bf550
SHA1ba0e7a079884966f14c04789008a1b3ba2253d9e
SHA2563f331c4de18b623e9ce3d32ad470bfdf8769642693b453e8d9af9b258ca28c7e
SHA512c96097c961a643b99c2148f29df5338cce83042704cbfd55e9d4aef3f723b0a93d7fc893c3ec1ff031890e21f4912dd63f09391c944fe46f79d0fd7b46b8187d
-
Filesize
1KB
MD5641e9f653830fd06b3369ed7c4040daf
SHA1b8947234bf0cbdb56a35c9b8e8a6916f70e36141
SHA256e8cacfcfb7cbb8ca543d8094910ff099686c93cbf675e060900e9ea9dad499eb
SHA51278b595d9994b24583b403bb7de45772bbc7bd4023130d12c5b24825c8b3e010f1ca211e5738eb3049ede8a846272e562923cbcac65089412a1facdef50558d07
-
Filesize
7B
MD54047530ecbc0170039e76fe1657bdb01
SHA132db7d5e662ebccdd1d71de285f907e3a1c68ac5
SHA25682254025d1b98d60044d3aeb7c56eed7c61c07c3e30534d6e05dab9d6c326750
SHA5128f002af3f4ed2b3dfb4ed8273318d160152da50ee4842c9f5d9915f50a3e643952494699c4258e6af993dc6e1695d0dc3db6d23f4d93c26b0bc6a20f4b4f336e
-
Filesize
190KB
MD5248aadd395ffa7ffb1670392a9398454
SHA1c53c140bbdeb556fca33bc7f9b2e44e9061ea3e5
SHA25651290129cccca38c6e3b4444d0dfb8d848c8f3fc2e5291fc0d219fd642530adc
SHA512582b917864903252731c3d0dff536d7b1e44541ee866dc20e0341cbee5450f2f0ff4d82e1eee75f770e4dad9d8b9270ab5664ffedfe21d1ad2bd7fe6bc42cf0e
-
Filesize
321KB
MD5600e0dbaefc03f7bf50abb0def3fb465
SHA11b5f0ac48e06edc4ed8243be61d71077f770f2b4
SHA25661e6a93f43049712b5f2d949fd233fa8015fe4bef01b9e1285d3d87b12f894f2
SHA512151eebac8f8f6e72d130114f030f048dff5bce0f99ff8d3a22e8fed7616155b3e87d29acf79f488d6b53ed2c5c9b05b57f76f1f91a568c21fe9bca228efb23d9
-
Filesize
183KB
MD53d4e3f149f3d0cdfe76bf8b235742c97
SHA10e0e34b5fd8c15547ca98027e49b1dcf37146d95
SHA256b15c7cf9097195fb5426d4028fd2f6352325400beb1e32431395393910e0b10a
SHA5128c9d2a506135431adcfd35446b69b20fe12f39c0694f1464c534a6bf01ebc5f815c948783508e06b14ff4cc33f44e220122bf2a42d2e97afa646b714a88addff
-
Filesize
184KB
-
Filesize
1024KB
-
Filesize
192KB
-
Filesize
184KB
-
Filesize
5.6MB
-
Filesize
584KB
-
Filesize
40KB
-
Filesize
1024KB
-
Filesize
192KB
-
Filesize
1024KB
-
Filesize
1.3MB
-
Filesize
1.3MB
-
Filesize
344KB
-
Filesize
32KB
-
Filesize
624KB
-
Filesize
160KB
-
Filesize
3.1MB
-
Filesize
304KB
-
Filesize
32KB
-
Filesize
624KB
-
Filesize
4.8MB
-
Filesize
664KB