Analysis
-
max time kernel
119s -
max time network
17s -
platform
windows7_x64 -
resource
win7-20241010-en -
resource tags
arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system -
submitted
26-10-2024 14:00
Behavioral task
behavioral1
Sample
be1d80f9db1bdf2aa493d775b0b554dbf3c8baf820318114679a8ca18605544eN.exe
Resource
win7-20241010-en
Behavioral task
behavioral2
Sample
be1d80f9db1bdf2aa493d775b0b554dbf3c8baf820318114679a8ca18605544eN.exe
Resource
win10v2004-20241007-en
General
-
Target
be1d80f9db1bdf2aa493d775b0b554dbf3c8baf820318114679a8ca18605544eN.exe
-
Size
3.9MB
-
MD5
540352fcd47bd5ef2995dd278b6590b0
-
SHA1
b63bca3fa7be1f9f2c918422d5cb833687b64d77
-
SHA256
be1d80f9db1bdf2aa493d775b0b554dbf3c8baf820318114679a8ca18605544e
-
SHA512
da6bceb97a5621567defd275c4e4bb40826b748f2778941adaffa5827c3ec05930ad101df41c5181f11aa7361757e66aeb98e3a229a650699699e48aa35c59dc
-
SSDEEP
24576:GIbGD2JTu0GoWQDbGV6eH8tkxIbGD2JTu0GoWQDbGV6eH8tkxIbGD2JTu0GoWQDc:7C0bNechC0bNechC0bNecE
Malware Config
Signatures
-
Modifies WinLogon for persistence 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" explorer.exe -
Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" explorer.exe -
WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
-
Warzonerat family
-
Warzone RAT payload 3 IoCs
resource yara_rule behavioral1/files/0x0009000000016dc8-42.dat warzonerat behavioral1/files/0x0008000000016dbc-76.dat warzonerat behavioral1/files/0x000a000000016dc0-95.dat warzonerat -
Boot or Logon Autostart Execution: Active Setup 2 TTPs 2 IoCs
Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
description ioc Process Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} explorer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" explorer.exe -
resource yara_rule behavioral1/files/0x0009000000016dc8-42.dat aspack_v212_v242 behavioral1/files/0x0008000000016dbc-76.dat aspack_v212_v242 behavioral1/files/0x000a000000016dc0-95.dat aspack_v212_v242 -
Executes dropped EXE 9 IoCs
pid Process 752 explorer.exe 2888 explorer.exe 2520 spoolsv.exe 288 spoolsv.exe 804 spoolsv.exe 1232 spoolsv.exe 2348 spoolsv.exe 2432 spoolsv.exe 1612 spoolsv.exe -
Loads dropped DLL 58 IoCs
pid Process 2976 be1d80f9db1bdf2aa493d775b0b554dbf3c8baf820318114679a8ca18605544eN.exe 2976 be1d80f9db1bdf2aa493d775b0b554dbf3c8baf820318114679a8ca18605544eN.exe 2888 explorer.exe 2888 explorer.exe 2888 explorer.exe 2888 explorer.exe 2000 WerFault.exe 2000 WerFault.exe 2000 WerFault.exe 2000 WerFault.exe 2000 WerFault.exe 2000 WerFault.exe 2000 WerFault.exe 2888 explorer.exe 2888 explorer.exe 2332 WerFault.exe 2332 WerFault.exe 2332 WerFault.exe 2332 WerFault.exe 2332 WerFault.exe 2332 WerFault.exe 2332 WerFault.exe 2888 explorer.exe 2888 explorer.exe 1332 WerFault.exe 1332 WerFault.exe 1332 WerFault.exe 1332 WerFault.exe 1332 WerFault.exe 1332 WerFault.exe 1332 WerFault.exe 2888 explorer.exe 2888 explorer.exe 1924 WerFault.exe 1924 WerFault.exe 1924 WerFault.exe 1924 WerFault.exe 1924 WerFault.exe 1924 WerFault.exe 1924 WerFault.exe 2888 explorer.exe 2888 explorer.exe 2612 WerFault.exe 2612 WerFault.exe 2612 WerFault.exe 2612 WerFault.exe 2612 WerFault.exe 2612 WerFault.exe 2612 WerFault.exe 2888 explorer.exe 2888 explorer.exe 1876 WerFault.exe 1876 WerFault.exe 1876 WerFault.exe 1876 WerFault.exe 1876 WerFault.exe 1876 WerFault.exe 1876 WerFault.exe -
Adds Run key to start application 2 TTPs 4 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\StikyNot.exe" be1d80f9db1bdf2aa493d775b0b554dbf3c8baf820318114679a8ca18605544eN.exe Set value (str) \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\StikyNot.exe" explorer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" explorer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" explorer.exe -
Suspicious use of SetThreadContext 4 IoCs
description pid Process procid_target PID 2036 set thread context of 2976 2036 be1d80f9db1bdf2aa493d775b0b554dbf3c8baf820318114679a8ca18605544eN.exe 31 PID 2036 set thread context of 2928 2036 be1d80f9db1bdf2aa493d775b0b554dbf3c8baf820318114679a8ca18605544eN.exe 32 PID 752 set thread context of 2888 752 explorer.exe 34 PID 752 set thread context of 2236 752 explorer.exe 35 -
Drops file in Windows directory 3 IoCs
description ioc Process File opened for modification \??\c:\windows\system\explorer.exe be1d80f9db1bdf2aa493d775b0b554dbf3c8baf820318114679a8ca18605544eN.exe File opened for modification \??\c:\windows\system\spoolsv.exe explorer.exe File opened for modification \??\c:\windows\system\explorer.exe explorer.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 6 IoCs
pid pid_target Process procid_target 2000 288 WerFault.exe 37 2332 804 WerFault.exe 39 1332 1232 WerFault.exe 41 1924 2348 WerFault.exe 43 2612 2432 WerFault.exe 45 1876 1612 WerFault.exe 47 -
System Location Discovery: System Language Discovery 1 TTPs 11 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language spoolsv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language be1d80f9db1bdf2aa493d775b0b554dbf3c8baf820318114679a8ca18605544eN.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language spoolsv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language spoolsv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language spoolsv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language be1d80f9db1bdf2aa493d775b0b554dbf3c8baf820318114679a8ca18605544eN.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language spoolsv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language spoolsv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language spoolsv.exe -
Suspicious behavior: EnumeratesProcesses 8 IoCs
pid Process 2976 be1d80f9db1bdf2aa493d775b0b554dbf3c8baf820318114679a8ca18605544eN.exe 2888 explorer.exe 2888 explorer.exe 2888 explorer.exe 2888 explorer.exe 2888 explorer.exe 2888 explorer.exe 2888 explorer.exe -
Suspicious use of SetWindowsHookEx 6 IoCs
pid Process 2976 be1d80f9db1bdf2aa493d775b0b554dbf3c8baf820318114679a8ca18605544eN.exe 2976 be1d80f9db1bdf2aa493d775b0b554dbf3c8baf820318114679a8ca18605544eN.exe 2888 explorer.exe 2888 explorer.exe 2888 explorer.exe 2888 explorer.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2036 wrote to memory of 2976 2036 be1d80f9db1bdf2aa493d775b0b554dbf3c8baf820318114679a8ca18605544eN.exe 31 PID 2036 wrote to memory of 2976 2036 be1d80f9db1bdf2aa493d775b0b554dbf3c8baf820318114679a8ca18605544eN.exe 31 PID 2036 wrote to memory of 2976 2036 be1d80f9db1bdf2aa493d775b0b554dbf3c8baf820318114679a8ca18605544eN.exe 31 PID 2036 wrote to memory of 2976 2036 be1d80f9db1bdf2aa493d775b0b554dbf3c8baf820318114679a8ca18605544eN.exe 31 PID 2036 wrote to memory of 2976 2036 be1d80f9db1bdf2aa493d775b0b554dbf3c8baf820318114679a8ca18605544eN.exe 31 PID 2036 wrote to memory of 2976 2036 be1d80f9db1bdf2aa493d775b0b554dbf3c8baf820318114679a8ca18605544eN.exe 31 PID 2036 wrote to memory of 2976 2036 be1d80f9db1bdf2aa493d775b0b554dbf3c8baf820318114679a8ca18605544eN.exe 31 PID 2036 wrote to memory of 2976 2036 be1d80f9db1bdf2aa493d775b0b554dbf3c8baf820318114679a8ca18605544eN.exe 31 PID 2036 wrote to memory of 2976 2036 be1d80f9db1bdf2aa493d775b0b554dbf3c8baf820318114679a8ca18605544eN.exe 31 PID 2036 wrote to memory of 2928 2036 be1d80f9db1bdf2aa493d775b0b554dbf3c8baf820318114679a8ca18605544eN.exe 32 PID 2036 wrote to memory of 2928 2036 be1d80f9db1bdf2aa493d775b0b554dbf3c8baf820318114679a8ca18605544eN.exe 32 PID 2036 wrote to memory of 2928 2036 be1d80f9db1bdf2aa493d775b0b554dbf3c8baf820318114679a8ca18605544eN.exe 32 PID 2036 wrote to memory of 2928 2036 be1d80f9db1bdf2aa493d775b0b554dbf3c8baf820318114679a8ca18605544eN.exe 32 PID 2036 wrote to memory of 2928 2036 be1d80f9db1bdf2aa493d775b0b554dbf3c8baf820318114679a8ca18605544eN.exe 32 PID 2036 wrote to memory of 2928 2036 be1d80f9db1bdf2aa493d775b0b554dbf3c8baf820318114679a8ca18605544eN.exe 32 PID 2976 wrote to memory of 752 2976 be1d80f9db1bdf2aa493d775b0b554dbf3c8baf820318114679a8ca18605544eN.exe 33 PID 2976 wrote to memory of 752 2976 be1d80f9db1bdf2aa493d775b0b554dbf3c8baf820318114679a8ca18605544eN.exe 33 PID 2976 wrote to memory of 752 2976 be1d80f9db1bdf2aa493d775b0b554dbf3c8baf820318114679a8ca18605544eN.exe 33 PID 2976 wrote to memory of 752 2976 be1d80f9db1bdf2aa493d775b0b554dbf3c8baf820318114679a8ca18605544eN.exe 33 PID 752 wrote to memory of 2888 752 explorer.exe 34 PID 752 wrote to memory of 2888 752 explorer.exe 34 PID 752 wrote to memory of 2888 752 explorer.exe 34 PID 752 wrote to memory of 2888 752 explorer.exe 34 PID 752 wrote to memory of 2888 752 explorer.exe 34 PID 752 wrote to memory of 2888 752 explorer.exe 34 PID 752 wrote to memory of 2888 752 explorer.exe 34 PID 752 wrote to memory of 2888 752 explorer.exe 34 PID 752 wrote to memory of 2888 752 explorer.exe 34 PID 752 wrote to memory of 2236 752 explorer.exe 35 PID 752 wrote to memory of 2236 752 explorer.exe 35 PID 752 wrote to memory of 2236 752 explorer.exe 35 PID 752 wrote to memory of 2236 752 explorer.exe 35 PID 752 wrote to memory of 2236 752 explorer.exe 35 PID 752 wrote to memory of 2236 752 explorer.exe 35 PID 2888 wrote to memory of 2520 2888 explorer.exe 36 PID 2888 wrote to memory of 2520 2888 explorer.exe 36 PID 2888 wrote to memory of 2520 2888 explorer.exe 36 PID 2888 wrote to memory of 2520 2888 explorer.exe 36 PID 2888 wrote to memory of 288 2888 explorer.exe 37 PID 2888 wrote to memory of 288 2888 explorer.exe 37 PID 2888 wrote to memory of 288 2888 explorer.exe 37 PID 2888 wrote to memory of 288 2888 explorer.exe 37 PID 288 wrote to memory of 2000 288 spoolsv.exe 38 PID 288 wrote to memory of 2000 288 spoolsv.exe 38 PID 288 wrote to memory of 2000 288 spoolsv.exe 38 PID 288 wrote to memory of 2000 288 spoolsv.exe 38 PID 2888 wrote to memory of 804 2888 explorer.exe 39 PID 2888 wrote to memory of 804 2888 explorer.exe 39 PID 2888 wrote to memory of 804 2888 explorer.exe 39 PID 2888 wrote to memory of 804 2888 explorer.exe 39 PID 804 wrote to memory of 2332 804 spoolsv.exe 40 PID 804 wrote to memory of 2332 804 spoolsv.exe 40 PID 804 wrote to memory of 2332 804 spoolsv.exe 40 PID 804 wrote to memory of 2332 804 spoolsv.exe 40 PID 2888 wrote to memory of 1232 2888 explorer.exe 41 PID 2888 wrote to memory of 1232 2888 explorer.exe 41 PID 2888 wrote to memory of 1232 2888 explorer.exe 41 PID 2888 wrote to memory of 1232 2888 explorer.exe 41 PID 1232 wrote to memory of 1332 1232 spoolsv.exe 42 PID 1232 wrote to memory of 1332 1232 spoolsv.exe 42 PID 1232 wrote to memory of 1332 1232 spoolsv.exe 42 PID 1232 wrote to memory of 1332 1232 spoolsv.exe 42 PID 2888 wrote to memory of 2348 2888 explorer.exe 43 PID 2888 wrote to memory of 2348 2888 explorer.exe 43
Processes
-
C:\Users\Admin\AppData\Local\Temp\be1d80f9db1bdf2aa493d775b0b554dbf3c8baf820318114679a8ca18605544eN.exe"C:\Users\Admin\AppData\Local\Temp\be1d80f9db1bdf2aa493d775b0b554dbf3c8baf820318114679a8ca18605544eN.exe"1⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2036 -
C:\Users\Admin\AppData\Local\Temp\be1d80f9db1bdf2aa493d775b0b554dbf3c8baf820318114679a8ca18605544eN.exe"C:\Users\Admin\AppData\Local\Temp\be1d80f9db1bdf2aa493d775b0b554dbf3c8baf820318114679a8ca18605544eN.exe"2⤵
- Loads dropped DLL
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2976 -
\??\c:\windows\system\explorer.exec:\windows\system\explorer.exe3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:752 -
\??\c:\windows\system\explorer.exec:\windows\system\explorer.exe4⤵
- Modifies WinLogon for persistence
- Modifies visiblity of hidden/system files in Explorer
- Boot or Logon Autostart Execution: Active Setup
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2888 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2520
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:288 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 288 -s 366⤵
- Loads dropped DLL
- Program crash
PID:2000
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:804 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 804 -s 366⤵
- Loads dropped DLL
- Program crash
PID:2332
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1232 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1232 -s 366⤵
- Loads dropped DLL
- Program crash
PID:1332
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2348 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2348 -s 366⤵
- Loads dropped DLL
- Program crash
PID:1924
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2432 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2432 -s 366⤵
- Loads dropped DLL
- Program crash
PID:2612
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1612 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1612 -s 366⤵
- Loads dropped DLL
- Program crash
PID:1876
-
-
-
-
C:\Windows\SysWOW64\diskperf.exe"C:\Windows\SysWOW64\diskperf.exe"4⤵PID:2236
-
-
-
-
C:\Windows\SysWOW64\diskperf.exe"C:\Windows\SysWOW64\diskperf.exe"2⤵PID:2928
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
3Active Setup
1Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Privilege Escalation
Boot or Logon Autostart Execution
3Active Setup
1Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Defense Evasion
Hide Artifacts
1Hidden Files and Directories
1Modify Registry
4Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
3.9MB
MD5540352fcd47bd5ef2995dd278b6590b0
SHA1b63bca3fa7be1f9f2c918422d5cb833687b64d77
SHA256be1d80f9db1bdf2aa493d775b0b554dbf3c8baf820318114679a8ca18605544e
SHA512da6bceb97a5621567defd275c4e4bb40826b748f2778941adaffa5827c3ec05930ad101df41c5181f11aa7361757e66aeb98e3a229a650699699e48aa35c59dc
-
Filesize
3.9MB
MD5f34f6834691e0587e83545b39a18c27d
SHA15168a62d2f0a33bf7e1ad4d64e5fa9272902d576
SHA2564b9b0921ffdbf1dffbf7233ba6f0e6ce057fe89c94054fde9e454fd7c8f0699b
SHA51267ecee940341c9a8299c964ca124c652f29688ddb11b9e0eddb85773df36fc0fa020ce1a4aee9a60dc8032bfa40ec36bcf604035d3a2ccb4d5e668608625f975
-
Filesize
3.9MB
MD5cbbf20643c5784dedcab6d652dc021ca
SHA15384c200343696e1d0c1d8a88e1ac295746c07ee
SHA256e7d85fa377f96bce3ea3115cdbd645769584b63aca2c62cf8bf54c21f7ef292a
SHA512e309fdbec9af42c7a21947d6e7757688224131e5186df5fb6399dbcbd13248fb0f962406db7ebfb382510cec44c05cec78b85f6903b00764a68ef60d8a78ce9d