warzonerat | 3cd3b1ea8bb9bd13dbfd45e84ae69e37563f104bad1cf6b963e8d7c8b0254982

Analysis

max time kernel
150s
max time network
121s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
23-11-2024 21:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3cd3b1ea8bb9bd13dbfd45e84ae69e37563f104bad1cf6b963e8d7c8b0254982.exe
Size

8.2MB
MD5

eb1008386e7f79d25d2d004377beec56
SHA1

c92c6ce8ba2c3b29af7805ee8731ddf8f8971b36
SHA256

3cd3b1ea8bb9bd13dbfd45e84ae69e37563f104bad1cf6b963e8d7c8b0254982
SHA512

4055f76ade14950873423a4de92080f3937e223f2ebaf310ac482f212af9bfb577023e980b7ea332330730c6c59e82daede7b833a034eceb596260ccfdd8c94f
SSDEEP

49152:7C0bNechC0bNechC0bNecIC0bNechC0bNechC0bNecW:V8e8e8f8e8e8l

Score

10^/10

warzonerat aspackv2 discovery evasion infostealer persistence rat

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

Processes:

explorer.exe

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe"	explorer.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Processes:

explorer.exe

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	explorer.exe

WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
rat infostealer warzonerat
Warzonerat family
warzonerat

Warzone RAT payload 4 IoCs

rat

Processes:

resource	yara_rule
behavioral1/files/0x00070000000186f8-43.dat	warzonerat
behavioral1/memory/2704-50-0x00000000032A0000-0x00000000033B4000-memory.dmp	warzonerat
behavioral1/files/0x00090000000175e7-81.dat	warzonerat
behavioral1/files/0x0007000000018742-95.dat	warzonerat

Boot or Logon Autostart Execution: Active Setup 2 TTPs 2 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

Processes:

explorer.exe

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR"	explorer.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}	explorer.exe

ASPack v2.12-2.42 3 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

Processes:

resource	yara_rule
behavioral1/files/0x00070000000186f8-43.dat	aspack_v212_v242
behavioral1/files/0x00090000000175e7-81.dat	aspack_v212_v242
behavioral1/files/0x0007000000018742-95.dat	aspack_v212_v242

Executes dropped EXE 13 IoCs

Processes:

explorer.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exesvchost.exe

pid	Process
2672	explorer.exe
2792	explorer.exe
2660	spoolsv.exe
2124	spoolsv.exe
552	spoolsv.exe
932	spoolsv.exe
2992	spoolsv.exe
2024	spoolsv.exe
2084	spoolsv.exe
2200	spoolsv.exe
2784	spoolsv.exe
2832	spoolsv.exe
2624	svchost.exe

Loads dropped DLL 64 IoCs

Processes:

3cd3b1ea8bb9bd13dbfd45e84ae69e37563f104bad1cf6b963e8d7c8b0254982.exeexplorer.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	Process
2704	3cd3b1ea8bb9bd13dbfd45e84ae69e37563f104bad1cf6b963e8d7c8b0254982.exe
2704	3cd3b1ea8bb9bd13dbfd45e84ae69e37563f104bad1cf6b963e8d7c8b0254982.exe
2792	explorer.exe
2792	explorer.exe
2792	explorer.exe
2792	explorer.exe
2936	WerFault.exe
2936	WerFault.exe
2936	WerFault.exe
2936	WerFault.exe
2936	WerFault.exe
2936	WerFault.exe
2936	WerFault.exe
2792	explorer.exe
2792	explorer.exe
1656	WerFault.exe
1656	WerFault.exe
1656	WerFault.exe
1656	WerFault.exe
1656	WerFault.exe
1656	WerFault.exe
1656	WerFault.exe
2792	explorer.exe
2792	explorer.exe
1356	WerFault.exe
1356	WerFault.exe
1356	WerFault.exe
1356	WerFault.exe
1356	WerFault.exe
1356	WerFault.exe
1356	WerFault.exe
2792	explorer.exe
2792	explorer.exe
1300	WerFault.exe
1300	WerFault.exe
1300	WerFault.exe
1300	WerFault.exe
1300	WerFault.exe
1300	WerFault.exe
1300	WerFault.exe
2792	explorer.exe
2792	explorer.exe
2368	WerFault.exe
2368	WerFault.exe
2368	WerFault.exe
2368	WerFault.exe
2368	WerFault.exe
2368	WerFault.exe
2368	WerFault.exe
2792	explorer.exe
2792	explorer.exe
1152	WerFault.exe
1152	WerFault.exe
1152	WerFault.exe
1152	WerFault.exe
1152	WerFault.exe
1152	WerFault.exe
1152	WerFault.exe
2792	explorer.exe
2792	explorer.exe
2744	WerFault.exe
2744	WerFault.exe
2744	WerFault.exe
2744	WerFault.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

explorer.exespoolsv.exe3cd3b1ea8bb9bd13dbfd45e84ae69e37563f104bad1cf6b963e8d7c8b0254982.exeexplorer.exe

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\StikyNot.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\StikyNot.exe"	3cd3b1ea8bb9bd13dbfd45e84ae69e37563f104bad1cf6b963e8d7c8b0254982.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\StikyNot.exe"	explorer.exe

Suspicious use of SetThreadContext 6 IoCs

Processes:

3cd3b1ea8bb9bd13dbfd45e84ae69e37563f104bad1cf6b963e8d7c8b0254982.exeexplorer.exespoolsv.exe

description	pid	Process	procid_target
PID 2336 set thread context of 2704	2336	3cd3b1ea8bb9bd13dbfd45e84ae69e37563f104bad1cf6b963e8d7c8b0254982.exe	31
PID 2336 set thread context of 2692	2336	3cd3b1ea8bb9bd13dbfd45e84ae69e37563f104bad1cf6b963e8d7c8b0254982.exe	32
PID 2672 set thread context of 2792	2672	explorer.exe	35
PID 2672 set thread context of 2868	2672	explorer.exe	36
PID 2660 set thread context of 2832	2660	spoolsv.exe	54
PID 2660 set thread context of 2872	2660	spoolsv.exe	55

Drops file in Windows directory 5 IoCs

Processes:

3cd3b1ea8bb9bd13dbfd45e84ae69e37563f104bad1cf6b963e8d7c8b0254982.exeexplorer.exespoolsv.exe

description	ioc	Process
File opened for modification	\??\c:\windows\system\explorer.exe	3cd3b1ea8bb9bd13dbfd45e84ae69e37563f104bad1cf6b963e8d7c8b0254982.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	explorer.exe
File opened for modification	\??\c:\windows\system\explorer.exe	explorer.exe
File opened for modification	\??\c:\windows\system\svchost.exe	spoolsv.exe
File opened for modification	C:\Windows\system\udsys.exe	explorer.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 8 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	Process	procid_target
2936	2124	WerFault.exe	38
1656	552	WerFault.exe
1356	932	WerFault.exe
1300	2992	WerFault.exe	44
2368	2024	WerFault.exe
1152	2084	WerFault.exe
2744	2200	WerFault.exe	50
2716	2784	WerFault.exe	52

System Location Discovery: System Language Discovery 1 TTPs 15 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

3cd3b1ea8bb9bd13dbfd45e84ae69e37563f104bad1cf6b963e8d7c8b0254982.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exesvchost.exe3cd3b1ea8bb9bd13dbfd45e84ae69e37563f104bad1cf6b963e8d7c8b0254982.exespoolsv.exespoolsv.exeexplorer.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3cd3b1ea8bb9bd13dbfd45e84ae69e37563f104bad1cf6b963e8d7c8b0254982.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3cd3b1ea8bb9bd13dbfd45e84ae69e37563f104bad1cf6b963e8d7c8b0254982.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

3cd3b1ea8bb9bd13dbfd45e84ae69e37563f104bad1cf6b963e8d7c8b0254982.exeexplorer.exe

pid	Process
2704	3cd3b1ea8bb9bd13dbfd45e84ae69e37563f104bad1cf6b963e8d7c8b0254982.exe
2792	explorer.exe
2792	explorer.exe
2792	explorer.exe
2792	explorer.exe
2792	explorer.exe
2792	explorer.exe
2792	explorer.exe
2792	explorer.exe
2792	explorer.exe
2792	explorer.exe
2792	explorer.exe
2792	explorer.exe
2792	explorer.exe
2792	explorer.exe
2792	explorer.exe
2792	explorer.exe
2792	explorer.exe
2792	explorer.exe
2792	explorer.exe
2792	explorer.exe
2792	explorer.exe
2792	explorer.exe
2792	explorer.exe
2792	explorer.exe
2792	explorer.exe
2792	explorer.exe
2792	explorer.exe
2792	explorer.exe
2792	explorer.exe
2792	explorer.exe
2792	explorer.exe
2792	explorer.exe
2792	explorer.exe
2792	explorer.exe
2792	explorer.exe
2792	explorer.exe
2792	explorer.exe
2792	explorer.exe
2792	explorer.exe
2792	explorer.exe
2792	explorer.exe
2792	explorer.exe
2792	explorer.exe
2792	explorer.exe
2792	explorer.exe
2792	explorer.exe
2792	explorer.exe
2792	explorer.exe
2792	explorer.exe
2792	explorer.exe
2792	explorer.exe
2792	explorer.exe
2792	explorer.exe
2792	explorer.exe
2792	explorer.exe
2792	explorer.exe
2792	explorer.exe
2792	explorer.exe
2792	explorer.exe
2792	explorer.exe
2792	explorer.exe
2792	explorer.exe
2792	explorer.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

explorer.exe

pid	Process
2792	explorer.exe

Suspicious use of SetWindowsHookEx 8 IoCs

Processes:

3cd3b1ea8bb9bd13dbfd45e84ae69e37563f104bad1cf6b963e8d7c8b0254982.exeexplorer.exespoolsv.exe

pid	Process
2704	3cd3b1ea8bb9bd13dbfd45e84ae69e37563f104bad1cf6b963e8d7c8b0254982.exe
2704	3cd3b1ea8bb9bd13dbfd45e84ae69e37563f104bad1cf6b963e8d7c8b0254982.exe
2792	explorer.exe
2792	explorer.exe
2792	explorer.exe
2792	explorer.exe
2832	spoolsv.exe
2832	spoolsv.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

3cd3b1ea8bb9bd13dbfd45e84ae69e37563f104bad1cf6b963e8d7c8b0254982.exe3cd3b1ea8bb9bd13dbfd45e84ae69e37563f104bad1cf6b963e8d7c8b0254982.exeexplorer.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exe

description	pid	Process	procid_target
PID 2336 wrote to memory of 2704	2336	3cd3b1ea8bb9bd13dbfd45e84ae69e37563f104bad1cf6b963e8d7c8b0254982.exe	31
PID 2336 wrote to memory of 2704	2336	3cd3b1ea8bb9bd13dbfd45e84ae69e37563f104bad1cf6b963e8d7c8b0254982.exe	31
PID 2336 wrote to memory of 2704	2336	3cd3b1ea8bb9bd13dbfd45e84ae69e37563f104bad1cf6b963e8d7c8b0254982.exe	31
PID 2336 wrote to memory of 2704	2336	3cd3b1ea8bb9bd13dbfd45e84ae69e37563f104bad1cf6b963e8d7c8b0254982.exe	31
PID 2336 wrote to memory of 2704	2336	3cd3b1ea8bb9bd13dbfd45e84ae69e37563f104bad1cf6b963e8d7c8b0254982.exe	31
PID 2336 wrote to memory of 2704	2336	3cd3b1ea8bb9bd13dbfd45e84ae69e37563f104bad1cf6b963e8d7c8b0254982.exe	31
PID 2336 wrote to memory of 2704	2336	3cd3b1ea8bb9bd13dbfd45e84ae69e37563f104bad1cf6b963e8d7c8b0254982.exe	31
PID 2336 wrote to memory of 2704	2336	3cd3b1ea8bb9bd13dbfd45e84ae69e37563f104bad1cf6b963e8d7c8b0254982.exe	31
PID 2336 wrote to memory of 2704	2336	3cd3b1ea8bb9bd13dbfd45e84ae69e37563f104bad1cf6b963e8d7c8b0254982.exe	31
PID 2336 wrote to memory of 2692	2336	3cd3b1ea8bb9bd13dbfd45e84ae69e37563f104bad1cf6b963e8d7c8b0254982.exe	32
PID 2336 wrote to memory of 2692	2336	3cd3b1ea8bb9bd13dbfd45e84ae69e37563f104bad1cf6b963e8d7c8b0254982.exe	32
PID 2336 wrote to memory of 2692	2336	3cd3b1ea8bb9bd13dbfd45e84ae69e37563f104bad1cf6b963e8d7c8b0254982.exe	32
PID 2336 wrote to memory of 2692	2336	3cd3b1ea8bb9bd13dbfd45e84ae69e37563f104bad1cf6b963e8d7c8b0254982.exe	32
PID 2336 wrote to memory of 2692	2336	3cd3b1ea8bb9bd13dbfd45e84ae69e37563f104bad1cf6b963e8d7c8b0254982.exe	32
PID 2336 wrote to memory of 2692	2336	3cd3b1ea8bb9bd13dbfd45e84ae69e37563f104bad1cf6b963e8d7c8b0254982.exe	32
PID 2704 wrote to memory of 2672	2704	3cd3b1ea8bb9bd13dbfd45e84ae69e37563f104bad1cf6b963e8d7c8b0254982.exe	33
PID 2704 wrote to memory of 2672	2704	3cd3b1ea8bb9bd13dbfd45e84ae69e37563f104bad1cf6b963e8d7c8b0254982.exe	33
PID 2704 wrote to memory of 2672	2704	3cd3b1ea8bb9bd13dbfd45e84ae69e37563f104bad1cf6b963e8d7c8b0254982.exe	33
PID 2704 wrote to memory of 2672	2704	3cd3b1ea8bb9bd13dbfd45e84ae69e37563f104bad1cf6b963e8d7c8b0254982.exe	33
PID 2672 wrote to memory of 2792	2672	explorer.exe	35
PID 2672 wrote to memory of 2792	2672	explorer.exe	35
PID 2672 wrote to memory of 2792	2672	explorer.exe	35
PID 2672 wrote to memory of 2792	2672	explorer.exe	35
PID 2672 wrote to memory of 2792	2672	explorer.exe	35
PID 2672 wrote to memory of 2792	2672	explorer.exe	35
PID 2672 wrote to memory of 2792	2672	explorer.exe	35
PID 2672 wrote to memory of 2792	2672	explorer.exe	35
PID 2672 wrote to memory of 2792	2672	explorer.exe	35
PID 2672 wrote to memory of 2868	2672	explorer.exe	36
PID 2672 wrote to memory of 2868	2672	explorer.exe	36
PID 2672 wrote to memory of 2868	2672	explorer.exe	36
PID 2672 wrote to memory of 2868	2672	explorer.exe	36
PID 2672 wrote to memory of 2868	2672	explorer.exe	36
PID 2672 wrote to memory of 2868	2672	explorer.exe	36
PID 2792 wrote to memory of 2660	2792	explorer.exe	37
PID 2792 wrote to memory of 2660	2792	explorer.exe	37
PID 2792 wrote to memory of 2660	2792	explorer.exe	37
PID 2792 wrote to memory of 2660	2792	explorer.exe	37
PID 2792 wrote to memory of 2124	2792	explorer.exe	38
PID 2792 wrote to memory of 2124	2792	explorer.exe	38
PID 2792 wrote to memory of 2124	2792	explorer.exe	38
PID 2792 wrote to memory of 2124	2792	explorer.exe	38
PID 2124 wrote to memory of 2936	2124	spoolsv.exe	39
PID 2124 wrote to memory of 2936	2124	spoolsv.exe	39
PID 2124 wrote to memory of 2936	2124	spoolsv.exe	39
PID 2124 wrote to memory of 2936	2124	spoolsv.exe	39
PID 2792 wrote to memory of 552	2792	explorer.exe	40
PID 2792 wrote to memory of 552	2792	explorer.exe	40
PID 2792 wrote to memory of 552	2792	explorer.exe	40
PID 2792 wrote to memory of 552	2792	explorer.exe	40
PID 552 wrote to memory of 1656	552	spoolsv.exe	41
PID 552 wrote to memory of 1656	552	spoolsv.exe	41
PID 552 wrote to memory of 1656	552	spoolsv.exe	41
PID 552 wrote to memory of 1656	552	spoolsv.exe	41
PID 2792 wrote to memory of 932	2792	explorer.exe	42
PID 2792 wrote to memory of 932	2792	explorer.exe	42
PID 2792 wrote to memory of 932	2792	explorer.exe	42
PID 2792 wrote to memory of 932	2792	explorer.exe	42
PID 932 wrote to memory of 1356	932	spoolsv.exe	43
PID 932 wrote to memory of 1356	932	spoolsv.exe	43
PID 932 wrote to memory of 1356	932	spoolsv.exe	43
PID 932 wrote to memory of 1356	932	spoolsv.exe	43
PID 2792 wrote to memory of 2992	2792	explorer.exe	44
PID 2792 wrote to memory of 2992	2792	explorer.exe	44

C:\Users\Admin\AppData\Local\Temp\3cd3b1ea8bb9bd13dbfd45e84ae69e37563f104bad1cf6b963e8d7c8b0254982.exe
"C:\Users\Admin\AppData\Local\Temp\3cd3b1ea8bb9bd13dbfd45e84ae69e37563f104bad1cf6b963e8d7c8b0254982.exe"
1⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2336
- C:\Users\Admin\AppData\Local\Temp\3cd3b1ea8bb9bd13dbfd45e84ae69e37563f104bad1cf6b963e8d7c8b0254982.exe
  "C:\Users\Admin\AppData\Local\Temp\3cd3b1ea8bb9bd13dbfd45e84ae69e37563f104bad1cf6b963e8d7c8b0254982.exe"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2704
- - \??\c:\windows\system\explorer.exe
    c:\windows\system\explorer.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2672
  - - \??\c:\windows\system\explorer.exe
      c:\windows\system\explorer.exe
      4⤵
      Modifies WinLogon for persistence
      Modifies visiblity of hidden/system files in Explorer
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Loads dropped DLL
      Adds Run key to start application
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2792
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2660
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2832
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2624
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:2872
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2124
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2124 -s 36
        6⤵
        Loads dropped DLL
        Program crash
        
        PID:2936
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:552
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 552 -s 36
        6⤵
        Loads dropped DLL
        Program crash
        
        PID:1656
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:932
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 932 -s 36
        6⤵
        Loads dropped DLL
        Program crash
        
        PID:1356
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2992
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2992 -s 36
        6⤵
        Loads dropped DLL
        Program crash
        
        PID:1300
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2024
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2024 -s 36
        6⤵
        Loads dropped DLL
        Program crash
        
        PID:2368
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2084
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2084 -s 36
        6⤵
        Loads dropped DLL
        Program crash
        
        PID:1152
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2200
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2200 -s 36
        6⤵
        Loads dropped DLL
        Program crash
        
        PID:2744
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2784
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2784 -s 36
        6⤵
        Program crash
        
        PID:2716
  - - C:\Windows\SysWOW64\diskperf.exe
      "C:\Windows\SysWOW64\diskperf.exe"
      4⤵
      PID:2868
- C:\Windows\SysWOW64\diskperf.exe
  "C:\Windows\SysWOW64\diskperf.exe"
  2⤵
  PID:2692

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Chrome\StikyNot.exe

Filesize
8.2MB

MD5
eb1008386e7f79d25d2d004377beec56

SHA1
c92c6ce8ba2c3b29af7805ee8731ddf8f8971b36

SHA256
3cd3b1ea8bb9bd13dbfd45e84ae69e37563f104bad1cf6b963e8d7c8b0254982

SHA512
4055f76ade14950873423a4de92080f3937e223f2ebaf310ac482f212af9bfb577023e980b7ea332330730c6c59e82daede7b833a034eceb596260ccfdd8c94f

Download Submit
\Windows\system\explorer.exe

Filesize
8.2MB

MD5
0386601dff7c5b028196993d5aba6908

SHA1
7fba6561092eb5178a7ac02d5731f4daf1858fa2

SHA256
1eadca5b0dc2d29477717997367ffb1b424eaf1b13c425125a5a0f7d58429e36

SHA512
f8b7e4883394aaac3fc05dec0ef3916ca674ed30accdf614a8f07a4e66f9bb39cc1631b8cfa5e4b1d41a25c21245d6bdeb09080cff3e01cb2c52371bf4667182

Download Submit
\Windows\system\spoolsv.exe

Filesize
8.2MB

MD5
5a059c0d58747c9e9644aedd5363aed6

SHA1
ea3877474679f77acc77172552735f8a93a9d365

SHA256
a8f30cacfb20096a4888ec7fc9fc4cc71d03be754777d4dff61931de853a50ee

SHA512
75358e895c7c01ad99b91383266d6e7423b762be22060737ddd06c58032eaffc3d61313d9478cbf0361e560347f2a4a7963b2652e7d87a73da26efecc4676290

Download Submit
memory/552-136-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/932-157-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/2024-194-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/2124-125-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/2200-220-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/2336-4-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/2336-24-0x0000000003220000-0x0000000003334000-memory.dmp

Filesize
1.1MB

Download
memory/2336-6-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/2336-39-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/2336-3-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/2336-2-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/2336-1-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/2336-0-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/2624-265-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/2660-103-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/2660-144-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/2660-104-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/2660-251-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/2672-53-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/2672-52-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/2672-51-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/2672-59-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/2672-89-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/2672-55-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/2692-36-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2692-42-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2692-31-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2692-27-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2692-29-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2704-25-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2704-18-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2704-54-0x00000000032A0000-0x00000000033B4000-memory.dmp

Filesize
1.1MB

Download
memory/2704-56-0x0000000000440000-0x000000000051F000-memory.dmp

Filesize
892KB

Download
memory/2704-14-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2704-11-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2704-12-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2704-50-0x00000000032A0000-0x00000000033B4000-memory.dmp

Filesize
1.1MB

Download
memory/2704-58-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2792-114-0x0000000003320000-0x0000000003434000-memory.dmp

Filesize
1.1MB

Download
memory/2792-135-0x0000000003320000-0x0000000003434000-memory.dmp

Filesize
1.1MB

Download
memory/2792-146-0x0000000003320000-0x0000000003434000-memory.dmp

Filesize
1.1MB

Download
memory/2792-147-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2792-134-0x0000000003320000-0x0000000003434000-memory.dmp

Filesize
1.1MB

Download
memory/2792-158-0x0000000003320000-0x0000000003434000-memory.dmp

Filesize
1.1MB

Download
memory/2792-166-0x0000000003320000-0x0000000003434000-memory.dmp

Filesize
1.1MB

Download
memory/2792-183-0x0000000003320000-0x0000000003434000-memory.dmp

Filesize
1.1MB

Download
memory/2792-195-0x0000000003320000-0x0000000003434000-memory.dmp

Filesize
1.1MB

Download
memory/2792-145-0x0000000003320000-0x0000000003434000-memory.dmp

Filesize
1.1MB

Download
memory/2792-193-0x0000000003320000-0x0000000003434000-memory.dmp

Filesize
1.1MB

Download
memory/2792-219-0x0000000003320000-0x0000000003434000-memory.dmp

Filesize
1.1MB

Download
memory/2792-124-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2792-115-0x0000000003320000-0x0000000003434000-memory.dmp

Filesize
1.1MB

Download
memory/2792-267-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2792-102-0x0000000003320000-0x0000000003434000-memory.dmp

Filesize
1.1MB

Download
memory/2832-263-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2832-258-0x0000000003290000-0x00000000033A4000-memory.dmp

Filesize
1.1MB

Download