Analysis
-
max time kernel
149s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
-
submitted
17/08/2024, 01:45
General
-
Target
e9615671d02b16f25444360f643b059cfa117f6ce3097d4fd70e581a668cf56d.exe
-
Size
2.0MB
-
MD5
eabb6cc837e7978ae6b92c4f14856bd2
-
SHA1
b5407903a7b34dd1cfeac9596d6b6137190fefc0
-
SHA256
e9615671d02b16f25444360f643b059cfa117f6ce3097d4fd70e581a668cf56d
-
SHA512
03dd4d2f3d2a13cc02fd2ee90f0ff0b1ad5e2ff67a02f75807328ce7aba8b91846106e24d6c139796c98cf7245a30c1347786e7229a2bbaa5fc3e62f3265c2c6
-
SSDEEP
24576:E4Y7zy/0BmAIElMHz+noppfDCUVhUNiLkwOVy8586SgjxrCHiCG5dtBTH4:YyGJITz/ppfD1mA8DdrCy5XBTY
Malware Config
Signatures
-
UAC bypass 3 TTPs 1 IoCs
-
WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
-
Windows security bypass 2 TTPs 2 IoCs
-
Looks for VirtualBox Guest Additions in registry 2 TTPs 1 IoCs
-
Warzone RAT payload 6 IoCs
-
Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Looks for VMWare Tools registry key 2 TTPs 1 IoCs
-
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 2 IoCs
-
Windows security modification 2 TTPs 3 IoCs
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Checks whether UAC is enabled 1 TTPs 2 IoCs
-
Maps connected drives based on registry 3 TTPs 2 IoCs
Disk information is often read in order to detect sandboxing environments.
-
Suspicious use of SetThreadContext 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Modifies registry class 1 IoCs
-
Runs regedit.exe 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of WriteProcessMemory 46 IoCs
-
System policy modification 1 TTPs 1 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\e9615671d02b16f25444360f643b059cfa117f6ce3097d4fd70e581a668cf56d.exe"C:\Users\Admin\AppData\Local\Temp\e9615671d02b16f25444360f643b059cfa117f6ce3097d4fd70e581a668cf56d.exe"1⤵
- UAC bypass
- Windows security bypass
- Looks for VirtualBox Guest Additions in registry
- Looks for VMWare Tools registry key
- Checks BIOS information in registry
- Checks computer location settings
- Windows security modification
- Checks whether UAC is enabled
- Maps connected drives based on registry
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\e9615671d02b16f25444360f643b059cfa117f6ce3097d4fd70e581a668cf56d.exe" -Force2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\regedit.exe"C:\Windows\regedit.exe"2⤵
- Runs regedit.exe
-
-
C:\Windows\System32\calc.exe"C:\Windows\System32\calc.exe"2⤵
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe"2⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\._cache_ngen.exe"C:\Users\Admin\AppData\Local\Temp\._cache_ngen.exe"3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
-
C:\ProgramData\Synaptics\Synaptics.exe"C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe"2⤵
-
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Defense Evasion
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Impair Defenses
3Disable or Modify Tools
3Modify Registry
5Virtualization/Sandbox Evasion
2Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
148KB
MD545f125b592c34161732bfae855c17628
SHA1959eab169395284f92717e7785ca9c7a2936cc60
SHA256c555cf03bcbc780f8a39cbf8b95254fd3798a703ba71b84af84ef33e36d0d761
SHA512b31e5ead08f82f70618198dbea2312822258ca8f58441a02b96f474623f8aefe16cff8a4ae75ec53e514283b308fcc8602c623d748b47075f54ccd8dae41b9e7
-
Filesize
132KB
MD5b7d1a9faf64911bc6429be983d82668f
SHA109b5f838d19a2e82b86ec751bfe726e3d89b1017
SHA256a1364f6fcb74ff76b1038e6c8871b23c1d5e2e28324bc365af512c04d791003c
SHA512e5965d492bcf7da9a456ac4dc087a7164842d9d6ca6e359f67455341f979731e176db67f8e2734da4d4c141c36e78d26080a6b1cfb99b06b2b6a5f46182c86b1
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
136KB
-
Filesize
10.8MB
-
Filesize
1.2MB
-
Filesize
64KB
-
Filesize
8KB
-
Filesize
10.8MB
-
Filesize
908KB
-
Filesize
908KB
-
Filesize
908KB
-
Filesize
908KB
-
Filesize
908KB