Overview

overview

10

Static

static

fa1bf2c3e9...e9.exe

windows7_x64

10

fa1bf2c3e9...e9.exe

windows10_x64

10

Analysis

  • max time kernel
    90s
  • max time network
    125s
  • platform
    windows10_x64
  • resource
    win10v20201028
  • submitted
    16-01-2021 07:26

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    fa1bf2c3e92bf67c61bd482b3b4e20e9.exe

  • Size

    847KB

  • MD5

    fa1bf2c3e92bf67c61bd482b3b4e20e9

  • SHA1

    d0f8938c1249fca3eb5d0ecb76a21bcfc3cd5bb4

  • SHA256

    8186a0a03d0def9de9dce80543f12336eb276a7404e9da4680c170cfdd58b03d

  • SHA512

    47d9a06b14652ed54dfa0cfa09b6a918537dbb3fed10ed14a313b94f66b9dbcd15d3c4cf13aa0f6b5bb3292ae91ecef4d0a4de8061af29e5a18db4bc9c3c29fd

Score
10/10
warzoneratinfostealerpersistencerat

Malware Config

Extracted

Family

warzonerat

C2

79.134.225.23:5200

Signatures

  • WarzoneRat, AveMaria

    WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.

    ratinfostealerwarzonerat
  • Warzone RAT Payload 3 IoCs
    rat
  • Executes dropped EXE 1 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of FindShellTrayWindow 22 IoCs
  • Suspicious use of SendNotifyMessage 22 IoCs
  • Suspicious use of WriteProcessMemory 23 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\fa1bf2c3e92bf67c61bd482b3b4e20e9.exe
    "C:\Users\Admin\AppData\Local\Temp\fa1bf2c3e92bf67c61bd482b3b4e20e9.exe"
    1⤵
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:648
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -executionpolicy bypass C:\Users\Admin\AppData\Local\Temp\hrructiRk.ps1
      2⤵
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:748
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\iyltyzjf\iyltyzjf.cmdline"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2248
        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
          C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESC818.tmp" "c:\Users\Admin\AppData\Local\Temp\iyltyzjf\CSC9A4770D6CF95428082A43D1DE29E1E30.TMP"
          4⤵
            PID:2204
        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
          "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
          3⤵
          • Adds Run key to start application
          • Suspicious use of WriteProcessMemory
          PID:2320
          • C:\ProgramData\images.exe
            "C:\ProgramData\images.exe"
            4⤵
            • Executes dropped EXE
            PID:3872

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Initial Access

    Execution

    Persistence

    Registry Run Keys / Startup Folder

    1
    T1060

    Privilege Escalation

    Defense Evasion

    Modify Registry

    1
    T1112

    Credential Access

    Discovery

    Lateral Movement

    Collection

    Exfiltration

    Command and Control

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\ProgramData\images.exe
      MD5

      9af17c8393f0970ee5136bd3ffa27001

      SHA1

      4b285b72c1a11285a25f31f2597e090da6bbc049

      SHA256

      71d6a7a3fe5f8dc878cd5bdeca0e09177efb85c01e9a8a10a95262cabefaa019

      SHA512

      b90f7de7d5ce72dccb264c7ba609e173c529b9d99ed9a63f88632bc58b1a994bbb727365f519c73b979f8918bd6de3c39a9f0347eb3a4bccdce4b2772a6516a3

      Download Submit
    • C:\ProgramData\images.exe
      MD5

      9af17c8393f0970ee5136bd3ffa27001

      SHA1

      4b285b72c1a11285a25f31f2597e090da6bbc049

      SHA256

      71d6a7a3fe5f8dc878cd5bdeca0e09177efb85c01e9a8a10a95262cabefaa019

      SHA512

      b90f7de7d5ce72dccb264c7ba609e173c529b9d99ed9a63f88632bc58b1a994bbb727365f519c73b979f8918bd6de3c39a9f0347eb3a4bccdce4b2772a6516a3

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\RESC818.tmp
      MD5

      1e2d78d6952e1acefca11a495bc88f8e

      SHA1

      4a6df7635d6a484e7b9e8f492e056ff002a2b7c5

      SHA256

      a019e269dc86125520741d8f3d624e56fff4c61e6a5c3be9cce2c96e7812d199

      SHA512

      a05c2f487e4ff97a39ca4f85d15988963c5f8ecd9e1a208dfd1adb0ddd46267381692ab0e469bf218e0a838599fe909a1b18d037075fbe8606e8c6cad7f950ef

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\hrructiRk.ps1
      MD5

      4756913fe47c2d12e5cc12bd27925afb

      SHA1

      b6d8060008e27091b794ddd39b7b6aa2fc907d0c

      SHA256

      0adf93292bc449eab420a088740f62f9e73d00ffc4ce8f8f33c3a05f17fe2629

      SHA512

      20af4bc153c56c66ed46a8b129fd822769eddfe6e812e7999aeb522d5d6363bccb088dbd69e585d755fa69c9678eedf0e619f1a3c81dbf1c3d326b6016c773b5

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\iyltyzjf\iyltyzjf.dll
      MD5

      1f0b4b4917a85dbc28b4d356634f1f6d

      SHA1

      0023fc6333ab9990e62ad2cf6fd9ed6f53942912

      SHA256

      fc839dc82d7e823376a2f671b2895451928c086c9091329cd3167cfff6f94cba

      SHA512

      4baea31ddaae9019c337a7d683636038eb79b76269bd0d7f8fb1474f99ffad45f6fa20276a35089416128bfd39103ce82ff2a59d950c0a871f28172a9a3ddc6c

      Download Submit
    • \??\c:\Users\Admin\AppData\Local\Temp\iyltyzjf\CSC9A4770D6CF95428082A43D1DE29E1E30.TMP
      MD5

      2459807f1883965c0ae830d3ea314b3e

      SHA1

      6b35f838691d743483961688fa2671dcb781d23e

      SHA256

      ce2918bdedd32bd019cf3e7768c3ea2a965751aa1bb67c4c857d5367943ce1cc

      SHA512

      5ce31f76746a2c611cef25e0b159b3c4be1431e6d636193e18de6f2a67d9e926e70e8eb959f553b26e75537f5db3477ad8ec21e9de24559ed3423a109c2abc4e

      Download Submit
    • \??\c:\Users\Admin\AppData\Local\Temp\iyltyzjf\iyltyzjf.0.cs
      MD5

      e8c41bf3708cc4bd505851f38966151a

      SHA1

      ab943b19fb2e837904c97a3c52309c1f2c20dc9c

      SHA256

      54dc97b3a24a8137d2b4dcb052b104ffde93bd4a89297ee2fb522fa346bb01e9

      SHA512

      40a0f9f82cfed1e51feeeda8f790b1bffb5dc7f878fd86fc8bb3fca9d5133383e3d801bdddc97907361712b9bef75062860ab2b9add12188737d8f0418cd4cc4

      Download Submit
    • \??\c:\Users\Admin\AppData\Local\Temp\iyltyzjf\iyltyzjf.cmdline
      MD5

      5bfe29a8a38a7308eeba1aa9df892250

      SHA1

      152e95b8abcdbe0d1dcade49ab399881b510dfbc

      SHA256

      43fd50a6ff4906516709e7b150b29befc4479f2a9cb02cf59b333263f4867e38

      SHA512

      5269c5d58e825a1f9d5e9cdd03bdd9fe15aee5776792d5688f1c943231b635ad32cd15f317f7be9382dd8e29bff784d60646b2964c1b0ce27970e54433d9e1de

      Download Submit
    • memory/748-10-0x0000000007E30000-0x0000000007E31000-memory.dmp
      Filesize

      4KB

      Download
    • memory/748-9-0x0000000007A00000-0x0000000007A01000-memory.dmp
      Filesize

      4KB

      Download
    • memory/748-12-0x0000000008220000-0x0000000008221000-memory.dmp
      Filesize

      4KB

      Download
    • memory/748-2-0x0000000000000000-mapping.dmp
      Download
    • memory/748-14-0x000000000D800000-0x000000000D801000-memory.dmp
      Filesize

      4KB

      Download
    • memory/748-15-0x000000000CEA0000-0x000000000CEA1000-memory.dmp
      Filesize

      4KB

      Download
    • memory/748-11-0x00000000081D0000-0x00000000081D1000-memory.dmp
      Filesize

      4KB

      Download
    • memory/748-4-0x0000000001200000-0x0000000001201000-memory.dmp
      Filesize

      4KB

      Download
    • memory/748-8-0x0000000007920000-0x0000000007921000-memory.dmp
      Filesize

      4KB

      Download
    • memory/748-7-0x0000000007990000-0x0000000007991000-memory.dmp
      Filesize

      4KB

      Download
    • memory/748-6-0x0000000007180000-0x0000000007181000-memory.dmp
      Filesize

      4KB

      Download
    • memory/748-3-0x00000000730E0000-0x00000000737CE000-memory.dmp
      Filesize

      6.9MB

      Download
    • memory/748-23-0x0000000006C80000-0x0000000006C81000-memory.dmp
      Filesize

      4KB

      Download
    • memory/748-5-0x00000000071F0000-0x00000000071F1000-memory.dmp
      Filesize

      4KB

      Download
    • memory/2204-19-0x0000000000000000-mapping.dmp
      Download
    • memory/2248-16-0x0000000000000000-mapping.dmp
      Download
    • memory/2320-26-0x0000000000400000-0x0000000000554000-memory.dmp
      Filesize

      1.3MB

      Download
    • memory/2320-25-0x0000000000405CE2-mapping.dmp
      Download
    • memory/2320-24-0x0000000000400000-0x0000000000554000-memory.dmp
      Filesize

      1.3MB

      Download
    • memory/3872-27-0x0000000000000000-mapping.dmp
      Download
    • memory/3872-30-0x0000000073FC0000-0x00000000746AE000-memory.dmp
      Filesize

      6.9MB

      Download
    • memory/3872-31-0x00000000009C0000-0x00000000009C1000-memory.dmp
      Filesize

      4KB

      Download
    • memory/3872-32-0x0000000005150000-0x0000000005151000-memory.dmp
      Filesize

      4KB

      Download
    • memory/3872-33-0x0000000005320000-0x0000000005321000-memory.dmp
      Filesize

      4KB

      Download