Overview

overview

10

Static

static

CLEW enqui...DF.exe

windows7_x64

10

CLEW enqui...DF.exe

windows10_x64

10

Analysis

  • max time kernel
    145s
  • max time network
    147s
  • platform
    windows10_x64
  • resource
    win10v20201028
  • submitted
    15-03-2021 07:51

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    CLEW enquiry 2021.PDF.exe

  • Size

    472KB

  • MD5

    4387f93e0d45409c4397bc25312ac979

  • SHA1

    0f02a839cdac526bd40d7fb62f792947f2ffe76b

  • SHA256

    f92db9d719cb7053b1b814f4a3a31c30572e83dd51b549da36d32b473361c30a

  • SHA512

    54f6761a0bcd495a8c7d6fe31859271515044fe9750df726bd7f51045f03450481f015152ba06b39adc3852ea1f129fadaab4a9634b200d91d3d22aca4da1ccf

Score
10/10
warzoneratinfostealerrat

Malware Config

Extracted

Family

warzonerat

C2

79.134.225.26:3141

Signatures

  • WarzoneRat, AveMaria

    WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.

    ratinfostealerwarzonerat
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 16 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\CLEW enquiry 2021.PDF.exe
    "C:\Users\Admin\AppData\Local\Temp\CLEW enquiry 2021.PDF.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1048
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\WsQrFjjPrfyT" /XML "C:\Users\Admin\AppData\Local\Temp\tmp222F.tmp"
      2⤵
      • Creates scheduled task(s)
      PID:1328
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
      "{path}"
      2⤵
        PID:420
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
        "{path}"
        2⤵
          PID:1352

      Network

      MITRE ATT&CK Matrix ATT&CK v6

      Initial Access

      Execution

      Scheduled Task

      1
      T1053

      Persistence

      Scheduled Task

      1
      T1053

      Privilege Escalation

      Scheduled Task

      1
      T1053

      Defense Evasion

      Credential Access

      Discovery

      System Information Discovery

      1
      T1082

      Lateral Movement

      Collection

      Exfiltration

      Command and Control

      Impact

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\tmp222F.tmp
        MD5

        43b2d005b2476e9d265a4626e285c369

        SHA1

        258e0e4bd18911f55ecc00c930920a0e2addc117

        SHA256

        b3412fe8780fc49b3ee185ca3f9dc6e3cb09c60de1b1b325db6d1336c9c74f24

        SHA512

        21fe9b6119573895539846a2ab55701f7e235b7253aff765cb15941a87d789590eef3eb563313d5e9178e5e1f4a75614de2f82c1ed70e01d9d6a9b5fc525a78f

        Download Submit
      • memory/1048-7-0x00000000048E0000-0x00000000048E1000-memory.dmp
        Filesize

        4KB

        Download
      • memory/1048-12-0x0000000006700000-0x0000000006772000-memory.dmp
        Filesize

        456KB

        Download
      • memory/1048-6-0x0000000004930000-0x0000000004931000-memory.dmp
        Filesize

        4KB

        Download
      • memory/1048-2-0x0000000073460000-0x0000000073B4E000-memory.dmp
        Filesize

        6.9MB

        Download
      • memory/1048-8-0x0000000004BF0000-0x0000000004BF1000-memory.dmp
        Filesize

        4KB

        Download
      • memory/1048-9-0x0000000007F10000-0x0000000007F11000-memory.dmp
        Filesize

        4KB

        Download
      • memory/1048-5-0x0000000004F50000-0x0000000004F51000-memory.dmp
        Filesize

        4KB

        Download
      • memory/1048-11-0x0000000008140000-0x0000000008142000-memory.dmp
        Filesize

        8KB

        Download
      • memory/1048-10-0x000000007EDE0000-0x000000007EDE1000-memory.dmp
        Filesize

        4KB

        Download
      • memory/1048-13-0x0000000006780000-0x00000000067B2000-memory.dmp
        Filesize

        200KB

        Download
      • memory/1048-3-0x0000000000040000-0x0000000000041000-memory.dmp
        Filesize

        4KB

        Download
      • memory/1328-14-0x0000000000000000-mapping.dmp
        Download
      • memory/1352-16-0x0000000000400000-0x000000000055E000-memory.dmp
        Filesize

        1.4MB

        Download
      • memory/1352-17-0x0000000000405E28-mapping.dmp
        Download
      • memory/1352-18-0x0000000000400000-0x000000000055E000-memory.dmp
        Filesize

        1.4MB

        Download