Overview

overview

10

Static

static

POVdRnvBDNdZ0tZ.exe

windows7_x64

10

POVdRnvBDNdZ0tZ.exe

windows10_x64

10

Analysis

  • max time kernel
    138s
  • max time network
    150s
  • platform
    windows7_x64
  • resource
    win7v20201028
  • submitted
    07-04-2021 05:56

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    POVdRnvBDNdZ0tZ.exe

  • Size

    727KB

  • MD5

    9710a8a9857b099694317f05c4da703e

  • SHA1

    3faa03b1a2f63f42008c0a736b8faad86f114f5e

  • SHA256

    d266e212f266cc2c64e151d3543e34beaed2a3666fa215c2a88d8a042b6e9a4a

  • SHA512

    e9efa72bc615bc66a1747bd4db1a979a5f70eee68e859d0d807f26b5f11018000ac4b4d953d1133a3a719dd53cf4ea1710da9a37f2da3f95f88e0cd163a50efc

Score
10/10
warzoneratinfostealerrat

Malware Config

Extracted

Family

warzonerat

C2

genasispony.hopto.org:4477

Signatures

  • WarzoneRat, AveMaria

    WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.

    ratinfostealerwarzonerat
  • Warzone RAT Payload 3 IoCs
    rat
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 16 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\POVdRnvBDNdZ0tZ.exe
    "C:\Users\Admin\AppData\Local\Temp\POVdRnvBDNdZ0tZ.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1044
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\SfyomJVdjkYkZC" /XML "C:\Users\Admin\AppData\Local\Temp\tmpD365.tmp"
      2⤵
      • Creates scheduled task(s)
      PID:1564
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
      "{path}"
      2⤵
        PID:436

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Initial Access

    Execution

    Scheduled Task

    1
    T1053

    Persistence

    Scheduled Task

    1
    T1053

    Privilege Escalation

    Scheduled Task

    1
    T1053

    Defense Evasion

    Credential Access

    Discovery

    System Information Discovery

    1
    T1082

    Lateral Movement

    Collection

    Exfiltration

    Command and Control

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\tmpD365.tmp
      MD5

      2c007a92e62669cae8bd33088f63ddd9

      SHA1

      72401451b39c6c123cfff9cae755ba3fe53bc7f9

      SHA256

      0210d9448feed12a29696547175302bacbbf3253528f6069a14c472f8bf9d601

      SHA512

      e9b706d06c480cf39be098b80d6d6070578e2f936d9cb6fe411e22cdfa0d9e60bd5ec8a4ea91bb1495ca05204167b7b6cdb191d4aa865ad35080dc8671341d97

      Download Submit
    • memory/296-16-0x000007FEF77C0000-0x000007FEF7A3A000-memory.dmp
      Filesize

      2.5MB

      Download
    • memory/436-15-0x0000000002830000-0x00000000028B4000-memory.dmp
      Filesize

      528KB

      Download
    • memory/436-14-0x0000000000400000-0x000000000041D000-memory.dmp
      Filesize

      116KB

      Download
    • memory/436-13-0x00000000760A1000-0x00000000760A3000-memory.dmp
      Filesize

      8KB

      Download
    • memory/436-12-0x0000000000405738-mapping.dmp
      Download
    • memory/436-11-0x0000000000400000-0x000000000041D000-memory.dmp
      Filesize

      116KB

      Download
    • memory/1044-6-0x00000000002A0000-0x00000000002A5000-memory.dmp
      Filesize

      20KB

      Download
    • memory/1044-8-0x0000000000630000-0x0000000000680000-memory.dmp
      Filesize

      320KB

      Download
    • memory/1044-7-0x0000000005F20000-0x0000000005FBE000-memory.dmp
      Filesize

      632KB

      Download
    • memory/1044-2-0x0000000074110000-0x00000000747FE000-memory.dmp
      Filesize

      6.9MB

      Download
    • memory/1044-5-0x0000000004FC0000-0x0000000004FC1000-memory.dmp
      Filesize

      4KB

      Download
    • memory/1044-3-0x0000000000950000-0x0000000000951000-memory.dmp
      Filesize

      4KB

      Download
    • memory/1564-9-0x0000000000000000-mapping.dmp
      Download