Overview

overview

10

Static

static

neue beste...DF.exe

windows7_x64

10

neue beste...DF.exe

windows10_x64

10

Analysis

  • max time kernel
    150s
  • max time network
    151s
  • platform
    windows10_x64
  • resource
    win10v20201028
  • submitted
    23-02-2021 12:55

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    neue bestellung.PDF.exe

  • Size

    652KB

  • MD5

    a0b16d3a4ce67631e8681b3d3069772c

  • SHA1

    28f64d87e10a9d5f4fe4c508f431b0b0e6ca9103

  • SHA256

    6131d15e138a07ea92924656ba389ef9ad1001ec1ca144be9e7f335b46b1ae9f

  • SHA512

    8c3134360a12e0154cc789cb363ec8ac287ca3066c85366c633a998a4ec349e6daf8e8134459eeb9b19c4fdc13135fb032957f2dfa010bd71061d8f048cd0ebe

Score
10/10
warzoneratinfostealerrat

Malware Config

Extracted

Family

warzonerat

C2

194.5.97.48:3141

Signatures

  • WarzoneRat, AveMaria

    WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.

    ratinfostealerwarzonerat
  • Warzone RAT Payload 3 IoCs
    rat
  • Loads dropped DLL 8 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Program crash 1 IoCs
  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: EnumeratesProcesses 14 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of WriteProcessMemory 14 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\neue bestellung.PDF.exe
    "C:\Users\Admin\AppData\Local\Temp\neue bestellung.PDF.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3584
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\FneGezvKbr" /XML "C:\Users\Admin\AppData\Local\Temp\tmp1C91.tmp"
      2⤵
      • Creates scheduled task(s)
      PID:3024
    • C:\Users\Admin\AppData\Local\Temp\neue bestellung.PDF.exe
      "{path}"
      2⤵
      • Loads dropped DLL
      PID:3744
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 3744 -s 1028
        3⤵
        • Program crash
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:3812

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1
T1053

Persistence

Scheduled Task

1
T1053

Privilege Escalation

Scheduled Task

1
T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

1
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\tmp1C91.tmp
    MD5

    9f8cb78643262e98ef014382df42898f

    SHA1

    f8aed6d191b769aa7b291ddd97d516a7e45325e4

    SHA256

    a78d89d63e4a651f611d32b2b7e04345ce3bd23e3b59040dcef037e7af4bf825

    SHA512

    fa6e016eb5b5798c5a06350c57f47643c7887d12283a3f838ec05ba2d884de231d3039faff2fd535921295f7c009f245cb7020c62840c99e050083d46bd91ef1

    Download Submit
  • \Users\Admin\AppData\Local\Temp\freebl3.dll
    MD5

    ef12ab9d0b231b8f898067b2114b1bc0

    SHA1

    6d90f27b2105945f9bb77039e8b892070a5f9442

    SHA256

    2b00fc4f541ac10c94e3556ff28e30a801811c36422546a546a445aca3f410f7

    SHA512

    2aa62bfba556ad8f042942dd25aa071ff6677c257904377c1ec956fd9e862abcbf379e0cfd8c630c303a32ece75618c24e3eef58bddb705c427985b944689193

    Download Submit
  • \Users\Admin\AppData\Local\Temp\freebl3.dll
    MD5

    ef12ab9d0b231b8f898067b2114b1bc0

    SHA1

    6d90f27b2105945f9bb77039e8b892070a5f9442

    SHA256

    2b00fc4f541ac10c94e3556ff28e30a801811c36422546a546a445aca3f410f7

    SHA512

    2aa62bfba556ad8f042942dd25aa071ff6677c257904377c1ec956fd9e862abcbf379e0cfd8c630c303a32ece75618c24e3eef58bddb705c427985b944689193

    Download Submit
  • \Users\Admin\AppData\Local\Temp\mozglue.dll
    MD5

    75f8cc548cabf0cc800c25047e4d3124

    SHA1

    602676768f9faecd35b48c38a0632781dfbde10c

    SHA256

    fb419a60305f17359e2ac0510233ee80e845885eee60607715c67dd88e501ef0

    SHA512

    ed831c9c769aef3be253c52542cf032afa0a8fa5fe25ca704db65ee6883c608220df7102ac2b99ee9c2e599a0f5db99fd86894a4b169e68440eb1b0d0012672f

    Download Submit
  • \Users\Admin\AppData\Local\Temp\msvcp140.dll
    MD5

    109f0f02fd37c84bfc7508d4227d7ed5

    SHA1

    ef7420141bb15ac334d3964082361a460bfdb975

    SHA256

    334e69ac9367f708ce601a6f490ff227d6c20636da5222f148b25831d22e13d4

    SHA512

    46eb62b65817365c249b48863d894b4669e20fcb3992e747cd5c9fdd57968e1b2cf7418d1c9340a89865eadda362b8db51947eb4427412eb83b35994f932fd39

    Download Submit
  • \Users\Admin\AppData\Local\Temp\nss3.dll
    MD5

    16b971f7fd59efd41624cb3683e2757b

    SHA1

    ecd3e0f5fca9ed1bdc33c9bac6777743cb3412c1

    SHA256

    f55f8485a5164144fcaf3ce4b833e192a9bfeb5c84171021001d849b1d3343bc

    SHA512

    ca8a455b1d62d913dad3ab9ed1bcb899feb4a5c41d86a215d2cc37f9964a36faef5d9e8d8d7b6024cb61e4bfac97f6cc58542c68802e8438ef11956e8bf82443

    Download Submit
  • \Users\Admin\AppData\Local\Temp\nss3.dll
    MD5

    16b971f7fd59efd41624cb3683e2757b

    SHA1

    ecd3e0f5fca9ed1bdc33c9bac6777743cb3412c1

    SHA256

    f55f8485a5164144fcaf3ce4b833e192a9bfeb5c84171021001d849b1d3343bc

    SHA512

    ca8a455b1d62d913dad3ab9ed1bcb899feb4a5c41d86a215d2cc37f9964a36faef5d9e8d8d7b6024cb61e4bfac97f6cc58542c68802e8438ef11956e8bf82443

    Download Submit
  • \Users\Admin\AppData\Local\Temp\nss3.dll
    MD5

    16b971f7fd59efd41624cb3683e2757b

    SHA1

    ecd3e0f5fca9ed1bdc33c9bac6777743cb3412c1

    SHA256

    f55f8485a5164144fcaf3ce4b833e192a9bfeb5c84171021001d849b1d3343bc

    SHA512

    ca8a455b1d62d913dad3ab9ed1bcb899feb4a5c41d86a215d2cc37f9964a36faef5d9e8d8d7b6024cb61e4bfac97f6cc58542c68802e8438ef11956e8bf82443

    Download Submit
  • \Users\Admin\AppData\Local\Temp\nss3.dll
    MD5

    16b971f7fd59efd41624cb3683e2757b

    SHA1

    ecd3e0f5fca9ed1bdc33c9bac6777743cb3412c1

    SHA256

    f55f8485a5164144fcaf3ce4b833e192a9bfeb5c84171021001d849b1d3343bc

    SHA512

    ca8a455b1d62d913dad3ab9ed1bcb899feb4a5c41d86a215d2cc37f9964a36faef5d9e8d8d7b6024cb61e4bfac97f6cc58542c68802e8438ef11956e8bf82443

    Download Submit
  • memory/3024-12-0x0000000000000000-mapping.dmp
    Download
  • memory/3584-9-0x0000000008B10000-0x0000000008B11000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3584-7-0x0000000005690000-0x0000000005691000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3584-3-0x0000000000A60000-0x0000000000A61000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3584-5-0x00000000059E0000-0x00000000059E1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3584-6-0x00000000054E0000-0x00000000054E1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3584-8-0x0000000005480000-0x0000000005481000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3584-11-0x0000000006FE0000-0x000000000702A000-memory.dmp
    Filesize

    296KB

    Download
  • memory/3584-10-0x00000000059C0000-0x00000000059CB000-memory.dmp
    Filesize

    44KB

    Download
  • memory/3584-2-0x0000000073900000-0x0000000073FEE000-memory.dmp
    Filesize

    6.9MB

    Download
  • memory/3744-18-0x0000000004FD0000-0x0000000005054000-memory.dmp
    Filesize

    528KB

    Download
  • memory/3744-14-0x0000000000400000-0x0000000000554000-memory.dmp
    Filesize

    1.3MB

    Download
  • memory/3744-17-0x0000000004660000-0x00000000046E4000-memory.dmp
    Filesize

    528KB

    Download
  • memory/3744-16-0x0000000000400000-0x0000000000554000-memory.dmp
    Filesize

    1.3MB

    Download
  • memory/3744-15-0x0000000000405CE2-mapping.dmp
    Download
  • memory/3812-27-0x00000000042E0000-0x00000000042E1000-memory.dmp
    Filesize

    4KB

    Download