Overview

overview

10

Static

static

pdf.exe

windows7_x64

10

pdf.exe

windows10_x64

10

Analysis

  • max time kernel
    127s
  • max time network
    149s
  • platform
    windows10_x64
  • resource
    win10v20201028
  • submitted
    12-01-2021 09:35

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    pdf.exe

  • Size

    1016KB

  • MD5

    10b0b1473ceb303ef6b03214fbc76919

  • SHA1

    4178d9f4bee32035f30e888e38565290c2919d68

  • SHA256

    6764633b19998476bdf7ced0b5197a292c545a9e8068b44b40afd720bbbb62d9

  • SHA512

    2f8df799d3d9b022d6a0fbc20259ad3905b7800fcd54516f76d8de9261f509cc864f4c7347edfaf7a22fc83082613e63a1a9f74918c421a313bdf64e5bf20592

Score
10/10
warzoneratinfostealerpersistencerat

Malware Config

Extracted

Family

warzonerat

C2

ofenja.zapto.org:5200

Signatures

  • WarzoneRat, AveMaria

    WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.

    ratinfostealerwarzonerat
  • Warzone RAT Payload 5 IoCs
    rat
  • Executes dropped EXE 2 IoCs
  • Drops startup file 2 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Suspicious use of SetThreadContext 2 IoCs
  • NTFS ADS 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 8 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 36 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\pdf.exe
    "C:\Users\Admin\AppData\Local\Temp\pdf.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4700
    • C:\Users\Admin\AppData\Local\Temp\pdf.exe
      "C:\Users\Admin\AppData\Local\Temp\pdf.exe"
      2⤵
      • Drops startup file
      • Adds Run key to start application
      • NTFS ADS
      • Suspicious use of WriteProcessMemory
      PID:496
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        powershell Add-MpPreference -ExclusionPath C:\
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:796
      • C:\ProgramData\images.exe
        "C:\ProgramData\images.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:992
        • C:\ProgramData\images.exe
          "C:\ProgramData\images.exe"
          4⤵
          • Executes dropped EXE
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:2528
          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            powershell Add-MpPreference -ExclusionPath C:\
            5⤵
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2824
          • C:\Windows\SysWOW64\cmd.exe
            "C:\Windows\System32\cmd.exe"
            5⤵
              PID:3048

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\ProgramData\
      MD5

      d41d8cd98f00b204e9800998ecf8427e

      SHA1

      da39a3ee5e6b4b0d3255bfef95601890afd80709

      SHA256

      e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

      SHA512

      cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

      Download Submit
    • C:\ProgramData\images.exe
      MD5

      10b0b1473ceb303ef6b03214fbc76919

      SHA1

      4178d9f4bee32035f30e888e38565290c2919d68

      SHA256

      6764633b19998476bdf7ced0b5197a292c545a9e8068b44b40afd720bbbb62d9

      SHA512

      2f8df799d3d9b022d6a0fbc20259ad3905b7800fcd54516f76d8de9261f509cc864f4c7347edfaf7a22fc83082613e63a1a9f74918c421a313bdf64e5bf20592

      Download Submit
    • C:\ProgramData\images.exe
      MD5

      10b0b1473ceb303ef6b03214fbc76919

      SHA1

      4178d9f4bee32035f30e888e38565290c2919d68

      SHA256

      6764633b19998476bdf7ced0b5197a292c545a9e8068b44b40afd720bbbb62d9

      SHA512

      2f8df799d3d9b022d6a0fbc20259ad3905b7800fcd54516f76d8de9261f509cc864f4c7347edfaf7a22fc83082613e63a1a9f74918c421a313bdf64e5bf20592

      Download Submit
    • C:\ProgramData\images.exe
      MD5

      10b0b1473ceb303ef6b03214fbc76919

      SHA1

      4178d9f4bee32035f30e888e38565290c2919d68

      SHA256

      6764633b19998476bdf7ced0b5197a292c545a9e8068b44b40afd720bbbb62d9

      SHA512

      2f8df799d3d9b022d6a0fbc20259ad3905b7800fcd54516f76d8de9261f509cc864f4c7347edfaf7a22fc83082613e63a1a9f74918c421a313bdf64e5bf20592

      Download Submit
    • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
      MD5

      db01a2c1c7e70b2b038edf8ad5ad9826

      SHA1

      540217c647a73bad8d8a79e3a0f3998b5abd199b

      SHA256

      413da361d77055dae7007f82b58b366c8783aa72e0b8fbe41519b940c253b38d

      SHA512

      c76ff57fcee5cdf9fdf3116d4e1dc0cf106867bf19ab474b763e242acf5dca9a7509cb837c35e130c3e056636b4e8a4e135512a978bcd3dd641e20f5bf76c3d6

      Download Submit
    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
      MD5

      43922db62da18ebd56174a7d1c746da4

      SHA1

      26f2957831f0c75aa2e93281070eb9db8ba29058

      SHA256

      55fdd5d2e8cb5ef524da5bda7cced9eca77401a8555b4dfdfee86d036efd25d5

      SHA512

      344aacec26e5a45093d2c1662fb6dca3f7e8dfa2cf724f23e3cb700c8c93919334d59341f2abb46613a04d196eb933adf00a8ecbfd45d05a41abed9d58f12d4f

      Download Submit
    • memory/496-12-0x0000000000400000-0x0000000000554000-memory.dmp
      Filesize

      1.3MB

      Download
    • memory/496-14-0x0000000000400000-0x0000000000554000-memory.dmp
      Filesize

      1.3MB

      Download
    • memory/496-13-0x0000000000405CE2-mapping.dmp
      Download
    • memory/796-32-0x00000000080A0000-0x00000000080A1000-memory.dmp
      Filesize

      4KB

      Download
    • memory/796-40-0x0000000009910000-0x0000000009943000-memory.dmp
      Filesize

      204KB

      Download
    • memory/796-52-0x0000000009BB0000-0x0000000009BB1000-memory.dmp
      Filesize

      4KB

      Download
    • memory/796-15-0x0000000000000000-mapping.dmp
      Download
    • memory/796-50-0x0000000009BC0000-0x0000000009BC1000-memory.dmp
      Filesize

      4KB

      Download
    • memory/796-49-0x0000000009C10000-0x0000000009C11000-memory.dmp
      Filesize

      4KB

      Download
    • memory/796-48-0x0000000009A50000-0x0000000009A51000-memory.dmp
      Filesize

      4KB

      Download
    • memory/796-47-0x00000000098F0000-0x00000000098F1000-memory.dmp
      Filesize

      4KB

      Download
    • memory/796-38-0x00000000088C0000-0x00000000088C1000-memory.dmp
      Filesize

      4KB

      Download
    • memory/796-20-0x0000000073330000-0x0000000073A1E000-memory.dmp
      Filesize

      6.9MB

      Download
    • memory/796-27-0x0000000004E50000-0x0000000004E51000-memory.dmp
      Filesize

      4KB

      Download
    • memory/796-28-0x0000000007990000-0x0000000007991000-memory.dmp
      Filesize

      4KB

      Download
    • memory/796-31-0x0000000007830000-0x0000000007831000-memory.dmp
      Filesize

      4KB

      Download
    • memory/796-37-0x0000000008A00000-0x0000000008A01000-memory.dmp
      Filesize

      4KB

      Download
    • memory/796-33-0x0000000007FC0000-0x0000000007FC1000-memory.dmp
      Filesize

      4KB

      Download
    • memory/796-34-0x0000000008210000-0x0000000008211000-memory.dmp
      Filesize

      4KB

      Download
    • memory/796-36-0x00000000074D0000-0x00000000074D1000-memory.dmp
      Filesize

      4KB

      Download
    • memory/992-16-0x0000000000000000-mapping.dmp
      Download
    • memory/992-19-0x0000000073330000-0x0000000073A1E000-memory.dmp
      Filesize

      6.9MB

      Download
    • memory/2528-58-0x0000000000400000-0x0000000000554000-memory.dmp
      Filesize

      1.3MB

      Download
    • memory/2528-56-0x0000000000405CE2-mapping.dmp
      Download
    • memory/2824-68-0x00000000075D0000-0x00000000075D1000-memory.dmp
      Filesize

      4KB

      Download
    • memory/2824-62-0x00000000733D0000-0x0000000073ABE000-memory.dmp
      Filesize

      6.9MB

      Download
    • memory/2824-83-0x0000000008E90000-0x0000000008E91000-memory.dmp
      Filesize

      4KB

      Download
    • memory/2824-72-0x0000000007AF0000-0x0000000007AF1000-memory.dmp
      Filesize

      4KB

      Download
    • memory/2824-59-0x0000000000000000-mapping.dmp
      Download
    • memory/3048-60-0x0000000000000000-mapping.dmp
      Download
    • memory/3048-71-0x0000000003020000-0x0000000003021000-memory.dmp
      Filesize

      4KB

      Download
    • memory/4700-6-0x0000000005130000-0x0000000005131000-memory.dmp
      Filesize

      4KB

      Download
    • memory/4700-7-0x0000000004C30000-0x0000000004C31000-memory.dmp
      Filesize

      4KB

      Download
    • memory/4700-11-0x0000000005930000-0x000000000598A000-memory.dmp
      Filesize

      360KB

      Download
    • memory/4700-5-0x0000000004B90000-0x0000000004B91000-memory.dmp
      Filesize

      4KB

      Download
    • memory/4700-8-0x0000000004B10000-0x0000000004B11000-memory.dmp
      Filesize

      4KB

      Download
    • memory/4700-2-0x0000000073430000-0x0000000073B1E000-memory.dmp
      Filesize

      6.9MB

      Download
    • memory/4700-3-0x0000000000200000-0x0000000000201000-memory.dmp
      Filesize

      4KB

      Download
    • memory/4700-10-0x0000000004B20000-0x0000000004B32000-memory.dmp
      Filesize

      72KB

      Download
    • memory/4700-9-0x0000000004E10000-0x0000000004E11000-memory.dmp
      Filesize

      4KB

      Download