Overview

overview

10

Static

static

oder mcdq.exe

windows7_x64

10

oder mcdq.exe

windows10_x64

10

Analysis

  • max time kernel
    147s
  • max time network
    149s
  • platform
    windows10_x64
  • resource
    win10v20210408
  • submitted
    07-05-2021 13:08

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    oder mcdq.exe

  • Size

    3.0MB

  • MD5

    a46e5071e79ad0c6977059d8e7979b9b

  • SHA1

    a0991039e331052b1ec81402a932ccfb7b9a2677

  • SHA256

    3416c2ee1eb4d7c1e64b7bba4e336d5de068992d0a4b09c114ba574c057c2eb7

  • SHA512

    b3b8e542b8c0d2f12689e28ee2956869b1ebdd0b4d5d6103972da1179bc87cea473cb5284643189592c03e015f4e7450eefd7609a1eb2c60b4d2ad3a4d4e1c0f

Score
10/10
warzoneratinfostealerpersistencerat

Malware Config

Extracted

Family

warzonerat

C2

193.169.255.128:2626

Signatures

  • WarzoneRat, AveMaria

    WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.

    ratinfostealerwarzonerat
  • Warzone RAT Payload 2 IoCs
    rat
  • Executes dropped EXE 1 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 14 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\oder mcdq.exe
    "C:\Users\Admin\AppData\Local\Temp\oder mcdq.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:900
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell Add-MpPreference -ExclusionPath C:\
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:644
    • C:\ProgramData\images.exe
      "C:\ProgramData\images.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:768
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        powershell Add-MpPreference -ExclusionPath C:\
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:64
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe"
        3⤵
          PID:196

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Initial Access

    Execution

    Persistence

    Registry Run Keys / Startup Folder

    1
    T1060

    Privilege Escalation

    Defense Evasion

    Modify Registry

    1
    T1112

    Credential Access

    Discovery

    Lateral Movement

    Collection

    Exfiltration

    Command and Control

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\ProgramData\images.exe
      MD5

      a46e5071e79ad0c6977059d8e7979b9b

      SHA1

      a0991039e331052b1ec81402a932ccfb7b9a2677

      SHA256

      3416c2ee1eb4d7c1e64b7bba4e336d5de068992d0a4b09c114ba574c057c2eb7

      SHA512

      b3b8e542b8c0d2f12689e28ee2956869b1ebdd0b4d5d6103972da1179bc87cea473cb5284643189592c03e015f4e7450eefd7609a1eb2c60b4d2ad3a4d4e1c0f

      Download Submit
    • C:\ProgramData\images.exe
      MD5

      a46e5071e79ad0c6977059d8e7979b9b

      SHA1

      a0991039e331052b1ec81402a932ccfb7b9a2677

      SHA256

      3416c2ee1eb4d7c1e64b7bba4e336d5de068992d0a4b09c114ba574c057c2eb7

      SHA512

      b3b8e542b8c0d2f12689e28ee2956869b1ebdd0b4d5d6103972da1179bc87cea473cb5284643189592c03e015f4e7450eefd7609a1eb2c60b4d2ad3a4d4e1c0f

      Download Submit
    • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
      MD5

      1c19c16e21c97ed42d5beabc93391fc5

      SHA1

      8ad83f8e0b3acf8dfbbf87931e41f0d664c4df68

      SHA256

      1bcd97396c83babfe6c5068ba590d7a3f8b70e72955a9d1e4070648e404cbf05

      SHA512

      7d18776d8f649b3d29c182ff03efc6cea8b527542ee55304980f24577aae8b64e37044407776e220984346c3998ace5f8853afa58c8b38407482a728e9495e0c

      Download Submit
    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
      MD5

      a100b54ed38b9b4f605d98d6da44d094

      SHA1

      1efc84ab6df66fbd7db3ea971b4cf7ede1e7d2a1

      SHA256

      17e6f1804350fa7d9ee4694b207f8bbe71be7240cded827c33766d50036695bd

      SHA512

      a542f2e399a1c3df3c7c9ff626477bc648d938f7e2562814cae7959f5137cf7c079b9ca14cd5ecac876e06282d4a32e18a1252788583c82057ba7988b9b09082

      Download Submit
    • memory/64-188-0x0000000000000000-mapping.dmp
      Download
    • memory/64-195-0x0000000001103000-0x0000000001104000-memory.dmp
      Filesize

      4KB

      Download
    • memory/64-194-0x000000007E780000-0x000000007E781000-memory.dmp
      Filesize

      4KB

      Download
    • memory/64-193-0x0000000001102000-0x0000000001103000-memory.dmp
      Filesize

      4KB

      Download
    • memory/64-192-0x0000000001100000-0x0000000001101000-memory.dmp
      Filesize

      4KB

      Download
    • memory/196-190-0x0000000000000000-mapping.dmp
      Download
    • memory/644-134-0x0000000006DE0000-0x0000000006DE1000-memory.dmp
      Filesize

      4KB

      Download
    • memory/644-158-0x0000000009090000-0x0000000009091000-memory.dmp
      Filesize

      4KB

      Download
    • memory/644-132-0x00000000075B0000-0x00000000075B1000-memory.dmp
      Filesize

      4KB

      Download
    • memory/644-133-0x00000000076B0000-0x00000000076B1000-memory.dmp
      Filesize

      4KB

      Download
    • memory/644-120-0x0000000000000000-mapping.dmp
      Download
    • memory/644-135-0x0000000007F80000-0x0000000007F81000-memory.dmp
      Filesize

      4KB

      Download
    • memory/644-136-0x0000000007D90000-0x0000000007D91000-memory.dmp
      Filesize

      4KB

      Download
    • memory/644-144-0x0000000008B20000-0x0000000008B53000-memory.dmp
      Filesize

      204KB

      Download
    • memory/644-152-0x0000000008B00000-0x0000000008B01000-memory.dmp
      Filesize

      4KB

      Download
    • memory/644-151-0x000000007F7A0000-0x000000007F7A1000-memory.dmp
      Filesize

      4KB

      Download
    • memory/644-157-0x0000000008E60000-0x0000000008E61000-memory.dmp
      Filesize

      4KB

      Download
    • memory/644-131-0x0000000007540000-0x0000000007541000-memory.dmp
      Filesize

      4KB

      Download
    • memory/644-159-0x0000000001113000-0x0000000001114000-memory.dmp
      Filesize

      4KB

      Download
    • memory/644-130-0x0000000006DB0000-0x0000000006DB1000-memory.dmp
      Filesize

      4KB

      Download
    • memory/644-128-0x0000000001110000-0x0000000001111000-memory.dmp
      Filesize

      4KB

      Download
    • memory/644-129-0x0000000001112000-0x0000000001113000-memory.dmp
      Filesize

      4KB

      Download
    • memory/644-127-0x0000000006E10000-0x0000000006E11000-memory.dmp
      Filesize

      4KB

      Download
    • memory/644-126-0x0000000001160000-0x0000000001161000-memory.dmp
      Filesize

      4KB

      Download
    • memory/768-121-0x0000000000000000-mapping.dmp
      Download
    • memory/900-114-0x0000000003240000-0x0000000003394000-memory.dmp
      Filesize

      1.3MB

      Download
    • memory/900-119-0x00000000035D0000-0x00000000040D0000-memory.dmp
      Filesize

      11.0MB

      Download