Overview

overview

10

Static

static

PO#11-1701...df.exe

windows7_x64

10

PO#11-1701...df.exe

windows10_x64

10

Analysis

  • max time kernel
    136s
  • max time network
    146s
  • platform
    windows10_x64
  • resource
    win10v20201028
  • submitted
    18-01-2021 09:08

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    PO#11-17012021,pdf.exe

  • Size

    317KB

  • MD5

    883f037f8db0d45f1dab5dbd539326d2

  • SHA1

    ab9b5572188b37c10eed0b76163667494fb4cc57

  • SHA256

    b6d76a6dd8898fcd223678eec6835de53da6b2af1fc84c90dc502082eb6d8729

  • SHA512

    5336c34028c972118fe8f20ae6beee20ec92c5413450abfdef0a3033edb026ed714ed8bc19772440bc4184ec4385165382d5c8a1551abccebf79a2230349749f

Score
10/10
warzoneratinfostealerrat

Malware Config

Extracted

Family

warzonerat

C2

206.123.129.103:4565

Signatures

  • WarzoneRat, AveMaria

    WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.

    ratinfostealerwarzonerat
  • Warzone RAT Payload 1 IoCs
    rat
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of WriteProcessMemory 10 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\PO#11-17012021,pdf.exe
    "C:\Users\Admin\AppData\Local\Temp\PO#11-17012021,pdf.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious behavior: MapViewOfSection
    • Suspicious use of WriteProcessMemory
    PID:3084
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c schtasks /Create /TN name /XML "C:\Users\Admin\AppData\Local\Temp\c27cce5ac8d84c439ec7501fa8096513.xml"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2752
      • C:\Windows\SysWOW64\schtasks.exe
        schtasks /Create /TN name /XML "C:\Users\Admin\AppData\Local\Temp\c27cce5ac8d84c439ec7501fa8096513.xml"
        3⤵
        • Creates scheduled task(s)
        PID:3452
    • C:\Users\Admin\AppData\Local\Temp\PO#11-17012021,pdf.exe
      "C:\Users\Admin\AppData\Local\Temp\PO#11-17012021,pdf.exe"
      2⤵
        PID:2768

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Initial Access

    Execution

    Scheduled Task

    1
    T1053

    Persistence

    Scheduled Task

    1
    T1053

    Privilege Escalation

    Scheduled Task

    1
    T1053

    Defense Evasion

    Credential Access

    Discovery

    System Information Discovery

    1
    T1082

    Lateral Movement

    Collection

    Exfiltration

    Command and Control

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\c27cce5ac8d84c439ec7501fa8096513.xml
      MD5

      a36564afc14b3eb0849c01a3afdb9944

      SHA1

      4dcee9fae3fde4e46b08529bc0ba067150686f07

      SHA256

      9d4342f763c5d62a06f69aa6fdcb1caa376ff2f2c0972f36b487f73b4d221996

      SHA512

      782082aa36ae056734e90fc079c813dfef59420571a1b70cde4cf15eb6c870f85b2bfe0748ef4db9df3d010c08671bff744d78178ba75bf2ba02b665f044ae89

      Download Submit
    • memory/2752-2-0x0000000000000000-mapping.dmp
      Download
    • memory/2768-3-0x0000000000405CE2-mapping.dmp
      Download
    • memory/2768-6-0x0000000000400000-0x0000000000554000-memory.dmp
      Filesize

      1.3MB

      Download
    • memory/3452-4-0x0000000000000000-mapping.dmp
      Download