Overview

overview

10

Static

static

d80ef35398...in.exe

windows7_x64

10

d80ef35398...in.exe

windows10_x64

10

Analysis

  • max time kernel
    105s
  • max time network
    145s
  • platform
    windows10_x64
  • resource
    win10v20210410
  • submitted
    24-05-2021 13:50

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    d80ef3539826be2df8fc985eada5f191b3ae9eb9eb53dfbb054651d25daafe23.bin.exe

  • Size

    946KB

  • MD5

    9ff1b2088f56e257a002e806a181a3b8

  • SHA1

    af0ac66cf6c48c7b8429acb8053f99160eea5c8c

  • SHA256

    d80ef3539826be2df8fc985eada5f191b3ae9eb9eb53dfbb054651d25daafe23

  • SHA512

    fe1b9266eca9168462ac4904f5ebda1c8830340a1b1f23066f715616ed2c5fcd472efb0214c95de14b13f5f8180ddfd7edfb24a2e16fde6101c834c93c9ea75e

Score
10/10
warzoneratinfostealerrat

Malware Config

Extracted

Family

warzonerat

C2

157.55.136.23:5300

Signatures

  • WarzoneRat, AveMaria

    WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.

    ratinfostealerwarzonerat
  • Warzone RAT Payload 3 IoCs
    rat
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious use of WriteProcessMemory 14 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\d80ef3539826be2df8fc985eada5f191b3ae9eb9eb53dfbb054651d25daafe23.bin.exe
    "C:\Users\Admin\AppData\Local\Temp\d80ef3539826be2df8fc985eada5f191b3ae9eb9eb53dfbb054651d25daafe23.bin.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:1892
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\pldAtNWNb" /XML "C:\Users\Admin\AppData\Local\Temp\tmp9849.tmp"
      2⤵
      • Creates scheduled task(s)
      PID:1860
    • C:\Users\Admin\AppData\Local\Temp\d80ef3539826be2df8fc985eada5f191b3ae9eb9eb53dfbb054651d25daafe23.bin.exe
      "C:\Users\Admin\AppData\Local\Temp\d80ef3539826be2df8fc985eada5f191b3ae9eb9eb53dfbb054651d25daafe23.bin.exe"
      2⤵
        PID:2160

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\tmp9849.tmp
      MD5

      bf4438a55f4055994c478bab53dfed88

      SHA1

      64d337ff468f97a09aabb9a4bf14604f5e69c428

      SHA256

      375672bd65e297cb758827e0020351eec6dd946b0160fd58f39586d38b3e996d

      SHA512

      27fa7abbed034bcc55814951776fa10b840b1a27000b2dbdce0ae302e22faccc749c0a7c298214c429cd6d9c5071dad84f2927639ddb3c65b32bd4aaccc4c487

      Download Submit

    • memory/1860-125-0x0000000000000000-mapping.dmp

      Download

    • memory/1892-122-0x000000007EF30000-0x000000007EF31000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1892-118-0x0000000004D50000-0x0000000004D51000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1892-119-0x0000000004C60000-0x0000000004C61000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1892-120-0x0000000004F30000-0x0000000004F35000-memory.dmp

      Filesize

      20KB

      Download

    • memory/1892-114-0x0000000000340000-0x0000000000341000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1892-121-0x0000000004BE0000-0x0000000004C72000-memory.dmp

      Filesize

      584KB

      Download

    • memory/1892-123-0x0000000005990000-0x0000000005A2A000-memory.dmp

      Filesize

      616KB

      Download

    • memory/1892-124-0x0000000007F20000-0x0000000007F74000-memory.dmp

      Filesize

      336KB

      Download

    • memory/1892-117-0x0000000004C80000-0x0000000004C81000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1892-116-0x0000000005250000-0x0000000005251000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2160-128-0x0000000000405CE2-mapping.dmp

      Download

    • memory/2160-127-0x0000000000400000-0x0000000000554000-memory.dmp

      Filesize

      1.3MB

      Download

    • memory/2160-129-0x0000000000400000-0x0000000000554000-memory.dmp

      Filesize

      1.3MB

      Download