Analysis

  • max time kernel
    149s
  • max time network
    146s
  • platform
    windows10_x64
  • resource
    win10v20210410
  • submitted
    07-05-2021 11:59

General

  • Target

    nope.exe

  • Size

    323KB

  • MD5

    05cb7c989fa115270895dbadf7598a1b

  • SHA1

    cfa9ac127090cc5826a6e7b6e2b13cceb82ba751

  • SHA256

    dbdfbca2dcc01a530cd7c449500dc0f6b564c11f9ed9dc8d746709a235d6826f

  • SHA512

    849c96876d37043a95f828ac3587b2049c0217d826f07724330f6d8d9a613868ff79352da8b74078101796d2ddf62037544db8faa680bf77ebdbd6c034fbdca9

Malware Config

Extracted

Family

warzonerat

C2

149.28.124.150:5200

Signatures

  • WarzoneRat, AveMaria

    WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.

  • Executes dropped EXE (2 IoCs)
  • Loads dropped DLL (1 IoC)
  • Enumerates physical storage devices (1 TTP)

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses (64 IoCs)
  • Suspicious use of WriteProcessMemory (14 IoCs)

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:3120
      • C:\Users\Admin\AppData\Local\Temp\nope.exe
        "C:\Users\Admin\AppData\Local\Temp\nope.exe"
        2⤵
        • Loads dropped DLL
        • Suspicious use of WriteProcessMemory
        PID:3560
        • C:\Users\Admin\Documents\ph88AcgfPIO.exe
          "C:\Users\Admin\Documents\ph88AcgfPIO.exe"
          3⤵
          • Executes dropped EXE
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:580
          • C:\Windows\SysWOW64\cmd.exe
            cmd.exe /c REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /f /v Load /t REG_SZ /d "C:\ProgramData\images.exe"
            4⤵
            • Suspicious use of WriteProcessMemory
            PID:1736
            • C:\Windows\SysWOW64\reg.exe
              REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /f /v Load /t REG_SZ /d "C:\ProgramData\images.exe"
              5⤵
                PID:2288
            • C:\ProgramData\images.exe
              "C:\ProgramData\images.exe"
              4⤵
              • Executes dropped EXE
              • Suspicious behavior: EnumeratesProcesses
              PID:1832

MITRE ATT&CK Matrix (ATT&CK v6)

  • Discovery
    System Information Discovery (T1082): 1

      Downloads

      • C:\ProgramData\images.exe
        MD5

        49e8a6ee9c5dd808767d4753639bb045

        SHA1

        63739f2feff8d277d53b9af26df46c77d4088cf6

        SHA256

        9cd6c84ba5aee64aca1a0e7d17839c3974b965efd4ab83cc0d1deb336793f590

        SHA512

        8dc55930a566f6efcc365f8a8498aaf93ff609aa98acdbbaee3a4f9716d3da322615cc0366ffcf14b81fc6196b7f8cde982c8ba4d2df874d046db3060ab9af06

      • C:\Users\Admin\Documents\ph88AcgfPIO.exe
        MD5

        49e8a6ee9c5dd808767d4753639bb045

        SHA1

        63739f2feff8d277d53b9af26df46c77d4088cf6

        SHA256

        9cd6c84ba5aee64aca1a0e7d17839c3974b965efd4ab83cc0d1deb336793f590

        SHA512

        8dc55930a566f6efcc365f8a8498aaf93ff609aa98acdbbaee3a4f9716d3da322615cc0366ffcf14b81fc6196b7f8cde982c8ba4d2df874d046db3060ab9af06

      • \Users\Admin\AppData\Local\Temp\6372a841-9f92-4355-be7d-f72f94928f4d\test.dll
        MD5

        e8641f344213ca05d8b5264b5f4e2dee

        SHA1

        96729e31f9b805800b2248fd22a4b53e226c8309

        SHA256

        85e82b9e9200e798e8f434459eacee03ed9818cc6c9a513fe083e72d48884e24

        SHA512

        3130f32c100ecb97083ad8ac4c67863e9ceed3a9b06fc464d1aeeaec389f74c8bf56f4ce04f6450fd2cc0fa861d085101c433cfa4bec3095f8ebeeb53b739109

      • memory/580-119-0x0000000000000000-mapping.dmp
      • memory/1736-122-0x0000000000000000-mapping.dmp
      • memory/1832-123-0x0000000000000000-mapping.dmp
      • memory/2288-126-0x0000000000000000-mapping.dmp
      • memory/3560-114-0x0000000000010000-0x0000000000011000-memory.dmp
        Filesize

        4KB

      • memory/3560-117-0x00007FF960E10000-0x00007FF960F3C000-memory.dmp
        Filesize

        1.2MB

      • memory/3560-118-0x000000001AAB0000-0x000000001AAB2000-memory.dmp
        Filesize

        8KB