Overview

overview

10

Static

static

JANUARY QU...MM.exe

windows7_x64

10

JANUARY QU...MM.exe

windows10_x64

10

Analysis

  • max time kernel
    139s
  • max time network
    101s
  • platform
    windows7_x64
  • resource
    win7v20201028
  • submitted
    19-01-2021 16:22

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    JANUARY QUOTATION FOR PRODUCT ORDER 02983H G FOR Goldolphin INDUSTRIES LTD PACKING LIST FOR 60MM.exe

  • Size

    994KB

  • MD5

    86c59d1e4de693a0f5d2ffe3b1cd8ef9

  • SHA1

    64e5247411bbeff10fb09f0f8efe3d923d13f0a5

  • SHA256

    ae0867ee2b8d439245831fa1884fc5ef80cf9e38e43d1059e8030d2c433e4040

  • SHA512

    1ef4ea0020c2f2058b369e045a8a5eea071dd73408507ab06dcef1f1b9fbd1b8bf96ef73cb756296a4d7646185eb1e1c01814f9d23446f27ac14d625e36284c5

Score
10/10
warzoneratinfostealerrat

Malware Config

Extracted

Family

warzonerat

C2

urchy.duckdns.org:30251

Signatures

  • WarzoneRat, AveMaria

    WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.

    ratinfostealerwarzonerat
  • Warzone RAT Payload 3 IoCs
    rat
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 24 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\JANUARY QUOTATION FOR PRODUCT ORDER 02983H G FOR Goldolphin INDUSTRIES LTD PACKING LIST FOR 60MM.exe
    "C:\Users\Admin\AppData\Local\Temp\JANUARY QUOTATION FOR PRODUCT ORDER 02983H G FOR Goldolphin INDUSTRIES LTD PACKING LIST FOR 60MM.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1832
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\biBtzY" /XML "C:\Users\Admin\AppData\Local\Temp\tmp6384.tmp"
      2⤵
      • Creates scheduled task(s)
      PID:1292
    • C:\Users\Admin\AppData\Local\Temp\JANUARY QUOTATION FOR PRODUCT ORDER 02983H G FOR Goldolphin INDUSTRIES LTD PACKING LIST FOR 60MM.exe
      "C:\Users\Admin\AppData\Local\Temp\JANUARY QUOTATION FOR PRODUCT ORDER 02983H G FOR Goldolphin INDUSTRIES LTD PACKING LIST FOR 60MM.exe"
      2⤵
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:864
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        powershell Add-MpPreference -ExclusionPath C:\
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:572
      • C:\ProgramData\images.exe
        "C:\ProgramData\images.exe"
        3⤵
        • Executes dropped EXE
        PID:1476

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1
T1053

Persistence

Scheduled Task

1
T1053

Privilege Escalation

Scheduled Task

1
T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

1
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\ProgramData\images.exe
    MD5

    86c59d1e4de693a0f5d2ffe3b1cd8ef9

    SHA1

    64e5247411bbeff10fb09f0f8efe3d923d13f0a5

    SHA256

    ae0867ee2b8d439245831fa1884fc5ef80cf9e38e43d1059e8030d2c433e4040

    SHA512

    1ef4ea0020c2f2058b369e045a8a5eea071dd73408507ab06dcef1f1b9fbd1b8bf96ef73cb756296a4d7646185eb1e1c01814f9d23446f27ac14d625e36284c5

    Download Submit
  • C:\ProgramData\images.exe
    MD5

    86c59d1e4de693a0f5d2ffe3b1cd8ef9

    SHA1

    64e5247411bbeff10fb09f0f8efe3d923d13f0a5

    SHA256

    ae0867ee2b8d439245831fa1884fc5ef80cf9e38e43d1059e8030d2c433e4040

    SHA512

    1ef4ea0020c2f2058b369e045a8a5eea071dd73408507ab06dcef1f1b9fbd1b8bf96ef73cb756296a4d7646185eb1e1c01814f9d23446f27ac14d625e36284c5

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\tmp6384.tmp
    MD5

    f66f77bcf974f87db0a55bdc3ea95e39

    SHA1

    48b6e70ab1643271fedcde9fcea33a73adcb31ae

    SHA256

    6078cc1f37dec442f9cbe20191e0c3bf25db024672a19c795c579375054a1274

    SHA512

    7ee118c1ae6d87cd3be33b293a36a0170f2685c9fab9895c4cf767ef0bb5214322d5f183ce5d089fa769841ede7746e6e951b70099d7e6931b4f86c3715fa02a

    Download Submit
  • \ProgramData\images.exe
    MD5

    86c59d1e4de693a0f5d2ffe3b1cd8ef9

    SHA1

    64e5247411bbeff10fb09f0f8efe3d923d13f0a5

    SHA256

    ae0867ee2b8d439245831fa1884fc5ef80cf9e38e43d1059e8030d2c433e4040

    SHA512

    1ef4ea0020c2f2058b369e045a8a5eea071dd73408507ab06dcef1f1b9fbd1b8bf96ef73cb756296a4d7646185eb1e1c01814f9d23446f27ac14d625e36284c5

    Download Submit
  • memory/572-47-0x0000000006280000-0x0000000006281000-memory.dmp
    Filesize

    4KB

    Download
  • memory/572-14-0x0000000000000000-mapping.dmp
    Download
  • memory/572-48-0x0000000006220000-0x0000000006221000-memory.dmp
    Filesize

    4KB

    Download
  • memory/572-40-0x0000000006140000-0x0000000006141000-memory.dmp
    Filesize

    4KB

    Download
  • memory/572-39-0x0000000006040000-0x0000000006041000-memory.dmp
    Filesize

    4KB

    Download
  • memory/572-34-0x0000000005FE0000-0x0000000005FE1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/572-31-0x0000000005280000-0x0000000005281000-memory.dmp
    Filesize

    4KB

    Download
  • memory/572-26-0x0000000000990000-0x0000000000991000-memory.dmp
    Filesize

    4KB

    Download
  • memory/572-62-0x0000000006300000-0x0000000006301000-memory.dmp
    Filesize

    4KB

    Download
  • memory/572-30-0x0000000002480000-0x0000000002481000-memory.dmp
    Filesize

    4KB

    Download
  • memory/572-63-0x0000000006310000-0x0000000006311000-memory.dmp
    Filesize

    4KB

    Download
  • memory/572-64-0x000000007EF30000-0x000000007EF31000-memory.dmp
    Filesize

    4KB

    Download
  • memory/572-29-0x0000000002902000-0x0000000002903000-memory.dmp
    Filesize

    4KB

    Download
  • memory/572-28-0x0000000002900000-0x0000000002901000-memory.dmp
    Filesize

    4KB

    Download
  • memory/572-27-0x0000000004990000-0x0000000004991000-memory.dmp
    Filesize

    4KB

    Download
  • memory/572-25-0x0000000074620000-0x0000000074D0E000-memory.dmp
    Filesize

    6.9MB

    Download
  • memory/864-11-0x0000000000405CE2-mapping.dmp
    Download
  • memory/864-13-0x0000000000400000-0x0000000000554000-memory.dmp
    Filesize

    1.3MB

    Download
  • memory/864-12-0x0000000076371000-0x0000000076373000-memory.dmp
    Filesize

    8KB

    Download
  • memory/864-10-0x0000000000400000-0x0000000000554000-memory.dmp
    Filesize

    1.3MB

    Download
  • memory/1292-8-0x0000000000000000-mapping.dmp
    Download
  • memory/1476-21-0x0000000000B10000-0x0000000000B11000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1476-20-0x0000000074620000-0x0000000074D0E000-memory.dmp
    Filesize

    6.9MB

    Download
  • memory/1476-16-0x0000000000000000-mapping.dmp
    Download
  • memory/1476-24-0x0000000000730000-0x0000000000731000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1832-2-0x0000000074900000-0x0000000074FEE000-memory.dmp
    Filesize

    6.9MB

    Download
  • memory/1832-7-0x00000000048E0000-0x0000000004935000-memory.dmp
    Filesize

    340KB

    Download
  • memory/1832-6-0x0000000004B90000-0x0000000004B91000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1832-5-0x00000000003A0000-0x00000000003C3000-memory.dmp
    Filesize

    140KB

    Download
  • memory/1832-3-0x0000000001180000-0x0000000001181000-memory.dmp
    Filesize

    4KB

    Download