Overview

overview

10

Static

static

neue beste...DF.exe

windows7_x64

10

neue beste...DF.exe

windows10_x64

10

Analysis

  • max time kernel
    148s
  • max time network
    149s
  • platform
    windows10_x64
  • resource
    win10v20201028
  • submitted
    23-02-2021 12:55

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    neue bestellung.PDF.exe

  • Size

    652KB

  • MD5

    a0b16d3a4ce67631e8681b3d3069772c

  • SHA1

    28f64d87e10a9d5f4fe4c508f431b0b0e6ca9103

  • SHA256

    6131d15e138a07ea92924656ba389ef9ad1001ec1ca144be9e7f335b46b1ae9f

  • SHA512

    8c3134360a12e0154cc789cb363ec8ac287ca3066c85366c633a998a4ec349e6daf8e8134459eeb9b19c4fdc13135fb032957f2dfa010bd71061d8f048cd0ebe

Score
10/10
warzoneratinfostealerrat

Malware Config

Extracted

Family

warzonerat

C2

194.5.97.48:3141

Signatures

  • WarzoneRat, AveMaria

    WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.

    ratinfostealerwarzonerat
  • Warzone RAT Payload 3 IoCs
    rat
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Program crash 1 IoCs
  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: EnumeratesProcesses 17 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of WriteProcessMemory 17 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\neue bestellung.PDF.exe
    "C:\Users\Admin\AppData\Local\Temp\neue bestellung.PDF.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4764
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\FneGezvKbr" /XML "C:\Users\Admin\AppData\Local\Temp\tmpE9AA.tmp"
      2⤵
      • Creates scheduled task(s)
      PID:520
    • C:\Users\Admin\AppData\Local\Temp\neue bestellung.PDF.exe
      "{path}"
      2⤵
        PID:880
      • C:\Users\Admin\AppData\Local\Temp\neue bestellung.PDF.exe
        "{path}"
        2⤵
          PID:928
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -u -p 928 -s 1008
            3⤵
            • Program crash
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1584

      Network

      MITRE ATT&CK Matrix ATT&CK v6

      Initial Access

      Execution

      Scheduled Task

      1
      T1053

      Persistence

      Scheduled Task

      1
      T1053

      Privilege Escalation

      Scheduled Task

      1
      T1053

      Defense Evasion

      Credential Access

      Discovery

      System Information Discovery

      1
      T1082

      Lateral Movement

      Collection

      Exfiltration

      Command and Control

      Impact

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\tmpE9AA.tmp
        MD5

        e2ac3adfcb65f94f8d9ba0bbc269dc6b

        SHA1

        27fb12d20ca2c3f55201998e026e6d2e38866355

        SHA256

        af85bd3e4e6ee0f475aa53248b336d0abef8dfb9593b1842146f1ce4f441bf16

        SHA512

        a6cb71d2430920d0f85b3e5637bdad8d323df5a4ba79586fc9a5ea0c99c85e7a21657828643fea7f41fa2da4d32a1359baf98772eb42835380ecf8c5b6530aa8

        Download Submit
      • memory/520-12-0x0000000000000000-mapping.dmp
        Download
      • memory/928-16-0x0000000000400000-0x0000000000554000-memory.dmp
        Filesize

        1.3MB

        Download
      • memory/928-15-0x0000000000405CE2-mapping.dmp
        Download
      • memory/928-14-0x0000000000400000-0x0000000000554000-memory.dmp
        Filesize

        1.3MB

        Download
      • memory/1584-17-0x00000000050F0000-0x00000000050F1000-memory.dmp
        Filesize

        4KB

        Download
      • memory/4764-6-0x0000000004F90000-0x0000000004F91000-memory.dmp
        Filesize

        4KB

        Download
      • memory/4764-10-0x0000000005480000-0x000000000548B000-memory.dmp
        Filesize

        44KB

        Download
      • memory/4764-11-0x0000000006B90000-0x0000000006BDA000-memory.dmp
        Filesize

        296KB

        Download
      • memory/4764-9-0x0000000008540000-0x0000000008541000-memory.dmp
        Filesize

        4KB

        Download
      • memory/4764-8-0x0000000005170000-0x0000000005171000-memory.dmp
        Filesize

        4KB

        Download
      • memory/4764-7-0x0000000005040000-0x0000000005041000-memory.dmp
        Filesize

        4KB

        Download
      • memory/4764-2-0x0000000073150000-0x000000007383E000-memory.dmp
        Filesize

        6.9MB

        Download
      • memory/4764-5-0x0000000005490000-0x0000000005491000-memory.dmp
        Filesize

        4KB

        Download
      • memory/4764-3-0x00000000005E0000-0x00000000005E1000-memory.dmp
        Filesize

        4KB

        Download