Analysis
-
max time kernel
118s -
max time network
29s -
platform
windows7_x64 -
resource
win7-20240704-en -
resource tags
-
submitted
23/08/2024, 14:16
General
-
Target
5558a8614292ac1a9280d8e77aee87c0N.exe
-
Size
2.9MB
-
MD5
5558a8614292ac1a9280d8e77aee87c0
-
SHA1
8af08ac2e231394eefe907c387bee84f67408b14
-
SHA256
3e47b5df6434b6115b80b087e782f9d0117e06fffdac2d9fc093f9b8b3614e31
-
SHA512
8516145b5293cfe9323bd0193a0c539a732eb63dedbb3516f6e0a4f8d6511586c90974ced3da7a0e3b9537598d290a6ae7258075a9f6aaa1023f85860c524bf8
-
SSDEEP
24576:7v97AXmZZcVKfIxTiEVc847flVC6faaQDbGV6eH81k6IbGD2JTu0GoZQDbGV6eHu:7v97AXmw4gxeOw46fUbNecCCFbNecx
Malware Config
Signatures
-
Modifies WinLogon for persistence 2 TTPs 1 IoCs
-
Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs
-
WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
-
Warzone RAT payload 4 IoCs
-
Boot or Logon Autostart Execution: Active Setup 2 TTPs 2 IoCs
Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
-
Drops startup file 4 IoCs
-
Executes dropped EXE 16 IoCs
-
Loads dropped DLL 22 IoCs
-
Adds Run key to start application 2 TTPs 4 IoCs
-
Suspicious use of SetThreadContext 12 IoCs
-
Drops file in Windows directory 10 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 22 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious behavior: EnumeratesProcesses 16 IoCs
-
Suspicious use of SetWindowsHookEx 22 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\5558a8614292ac1a9280d8e77aee87c0N.exe"C:\Users\Admin\AppData\Local\Temp\5558a8614292ac1a9280d8e77aee87c0N.exe"1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "C:\Users\Admin\AppData\Local\Temp\5558a8614292ac1a9280d8e77aee87c0N.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"2⤵
- Drops startup file
- System Location Discovery: System Language Discovery
-
-
C:\Users\Admin\AppData\Local\Temp\5558a8614292ac1a9280d8e77aee87c0N.exeC:\Users\Admin\AppData\Local\Temp\5558a8614292ac1a9280d8e77aee87c0N.exe2⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\5558a8614292ac1a9280d8e77aee87c0N.exeC:\Users\Admin\AppData\Local\Temp\5558a8614292ac1a9280d8e77aee87c0N.exe3⤵
- Loads dropped DLL
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
\??\c:\windows\system\explorer.exec:\windows\system\explorer.exe4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\explorer.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"5⤵
- Drops startup file
- System Location Discovery: System Language Discovery
-
-
\??\c:\windows\system\explorer.exec:\windows\system\explorer.exe5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
-
\??\c:\windows\system\explorer.exec:\windows\system\explorer.exe6⤵
- Modifies WinLogon for persistence
- Modifies visiblity of hidden/system files in Explorer
- Boot or Logon Autostart Execution: Active Setup
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"8⤵
- Drops startup file
- System Location Discovery: System Language Discovery
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe8⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"8⤵
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe8⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"8⤵
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe8⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"8⤵
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe8⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"8⤵
- Drops startup file
- System Location Discovery: System Language Discovery
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe8⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"8⤵
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe8⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"8⤵
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe8⤵
-
-
-
-
C:\Windows\SysWOW64\diskperf.exe"C:\Windows\SysWOW64\diskperf.exe"6⤵
-
-
-
-
-
C:\Windows\SysWOW64\diskperf.exe"C:\Windows\SysWOW64\diskperf.exe"3⤵
-
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
3Active Setup
1Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Privilege Escalation
Boot or Logon Autostart Execution
3Active Setup
1Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Defense Evasion
Hide Artifacts
1Hidden Files and Directories
1Modify Registry
4Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
2.9MB
MD55558a8614292ac1a9280d8e77aee87c0
SHA18af08ac2e231394eefe907c387bee84f67408b14
SHA2563e47b5df6434b6115b80b087e782f9d0117e06fffdac2d9fc093f9b8b3614e31
SHA5128516145b5293cfe9323bd0193a0c539a732eb63dedbb3516f6e0a4f8d6511586c90974ced3da7a0e3b9537598d290a6ae7258075a9f6aaa1023f85860c524bf8
-
Filesize
92B
MD513222a4bb413aaa8b92aa5b4f81d2760
SHA1268a48f2fe84ed49bbdc1873a8009db8c7cba66a
SHA256d170ac99460f9c1fb30717345b1003f8eb9189c26857ca26d3431590e6f0e23d
SHA512eee47ead9bef041b510ee5e40ebe8a51abd41d8c1fe5de68191f2b996feaa6cc0b8c16ed26d644fbf1d7e4f40920d7a6db954e19f2236d9e4e3f3f984f21b140
-
Filesize
93B
MD58445bfa5a278e2f068300c604a78394b
SHA19fb4eef5ec2606bd151f77fdaa219853d4aa0c65
SHA2565ddf324661da70998e89da7469c0eea327faae9216b9abc15c66fe95deec379c
SHA5128ad7d18392a15cabbfd4d30b2e8a2aad899d35aba099b5be1f6852ca39f58541fb318972299c5728a30fd311db011578c3aaf881fa8b8b42067d2a1e11c50822
-
Filesize
2.9MB
MD5379bff83561af3a7e4247760e9a9d802
SHA1748ae473e6eed370fae3056c824823d94cca04ff
SHA256536143fc73faef3808ef8a63c4332e69aeabf93733ae80cd67b8ed59e6a1a154
SHA5126659b8afcc94777435f10e2b3d90e09818c737577d4fb18ba8c6491f473729bb159e406485e378e7e2cabc4903d2a9e3359b5467b5360b0dd0c5c1abc0e2f2f3
-
Filesize
2.3MB
MD5cce4f43d3a7a4a66297e4684fed2c57b
SHA14eba6f65c3a55df2d5894c75e8e99726bba0accf
SHA256e12241b12f6f5198c5334f40af2a700aa665372a6eca7e91d617ea06f2971f56
SHA512b6dac68a4c2d7a25e4bda8e05dff9741f3a28214b179616ffad58b9b43d68aeb4bd8e403a4c2dd34a2f9a08198248ddd8f24ebec2a6a14d1ab77033e36d4a4d4
-
Filesize
2.9MB
MD5f32c2f50c35eb516d496a894b9ded01e
SHA1e7683eed10280e42db5efbcad2c5f4b7e3f4184d
SHA2560eb7e05d7226c588aeab284f2a0033a8f320953d5643414f13940286c2ab1e7c
SHA5125f4a421a008f5667942bff106fe89860c869142dd49eef2fd31f8d9c77e321ee8778cc2d38e723536ce2bd819c5ddf4216df088029ba496ff27cf82c88df829b
-
Filesize
1.1MB
MD53aa0b47b71831e7fc39c3cd8cdd0f794
SHA1e23a1904ca0b4c377e5295ab2df1f48ab7a8c163
SHA25670146758bf952e8f5fb7e2d06025528dcc7da9682632854a790855ad6a2461b6
SHA51242f768d0de0c90b600f575ba6174ac6c3fce084d6b8703fed3f171b662ea8774300ea89af02f9d985cb91739b5ce01c9f4299e10a762b2a351cf0a3e2df2b642
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
21.6MB
-
Filesize
2.2MB
-
Filesize
21.6MB
-
Filesize
16.0MB
-
Filesize
2.2MB
-
Filesize
16.0MB
-
Filesize
2.2MB
-
Filesize
2.2MB
-
Filesize
16.0MB
-
Filesize
16.0MB
-
Filesize
2.2MB
-
Filesize
16.0MB
-
Filesize
2.2MB
-
Filesize
16.0MB
-
Filesize
4KB
-
Filesize
16.0MB
-
Filesize
176KB
-
Filesize
2.2MB
-
Filesize
16.0MB
-
Filesize
176KB
-
Filesize
2.2MB
-
Filesize
16.0MB
-
Filesize
16.0MB
-
Filesize
1024KB
-
Filesize
16.0MB
-
Filesize
16.0MB
-
Filesize
16.0MB
-
Filesize
16.0MB
-
Filesize
16.0MB
-
Filesize
16.0MB
-
Filesize
16.0MB
-
Filesize
16.0MB
-
Filesize
16.0MB
-
Filesize
16.0MB
-
Filesize
16.0MB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
2.2MB
-
Filesize
2.2MB
-
Filesize
2.2MB
-
Filesize
2.2MB