Overview

overview

10

Static

static

1

b84950024f...54.exe

windows7_x64

10

b84950024f...54.exe

windows10_x64

10

Analysis

  • max time kernel
    13s
  • max time network
    176s
  • platform
    windows7_x64
  • resource
    win7v20210408
  • submitted
    03-06-2021 12:29

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    b84950024fc775f5e791071ccd562c2fca301354.exe

  • Size

    217KB

  • MD5

    f4b709d5bfad5c8f2aec0e6e62740adc

  • SHA1

    b84950024fc775f5e791071ccd562c2fca301354

  • SHA256

    7db51e62bdf1edf94ea2df17c46b9ee6c4c65f0988e1416f8280e9fde9dfd133

  • SHA512

    949331ee3c58674af9b9c3efa57545689a1bc6458f45f41de11078dd7c6c53abebec423c00c7e1e7240e29841feca542a7009dce7ebe4de957c5c46bb3369c7b

Score
10/10
warzoneratinfostealerpersistencerat

Malware Config

Extracted

Family

warzonerat

C2

severdops.ddns.net:3311

Signatures

  • WarzoneRat, AveMaria

    WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.

    ratinfostealerwarzonerat
  • Loads dropped DLL 2 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\b84950024fc775f5e791071ccd562c2fca301354.exe
    "C:\Users\Admin\AppData\Local\Temp\b84950024fc775f5e791071ccd562c2fca301354.exe"
    1⤵
    • Loads dropped DLL
    • Adds Run key to start application
    • Suspicious use of SetThreadContext
    • Suspicious behavior: MapViewOfSection
    • Suspicious use of WriteProcessMemory
    PID:1696
    • C:\Users\Admin\AppData\Local\Temp\b84950024fc775f5e791071ccd562c2fca301354.exe
      "C:\Users\Admin\AppData\Local\Temp\b84950024fc775f5e791071ccd562c2fca301354.exe"
      2⤵
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1844
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe"
        3⤵
          PID:768

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • \Users\Admin\AppData\Local\Temp\nsiBD.tmp\System.dll
      MD5

      c17103ae9072a06da581dec998343fc1

      SHA1

      b72148c6bdfaada8b8c3f950e610ee7cf1da1f8d

      SHA256

      dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f

      SHA512

      d32a71aaef18e993f28096d536e41c4d016850721b31171513ce28bbd805a54fd290b7c3e9d935f72e676a1acfb4f0dcc89d95040a0dd29f2b6975855c18986f

      Download Submit

    • \Users\Admin\AppData\Local\Temp\nsiBD.tmp\System.dll
      MD5

      c17103ae9072a06da581dec998343fc1

      SHA1

      b72148c6bdfaada8b8c3f950e610ee7cf1da1f8d

      SHA256

      dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f

      SHA512

      d32a71aaef18e993f28096d536e41c4d016850721b31171513ce28bbd805a54fd290b7c3e9d935f72e676a1acfb4f0dcc89d95040a0dd29f2b6975855c18986f

      Download Submit

    • memory/768-66-0x0000000000000000-mapping.dmp

      Download

    • memory/1696-60-0x0000000075211000-0x0000000075213000-memory.dmp

      Filesize

      8KB

      Download

    • memory/1844-63-0x0000000000405E28-mapping.dmp

      Download

    • memory/1844-65-0x0000000000400000-0x000000000055E000-memory.dmp

      Filesize

      1.4MB

      Download

    • memory/1844-67-0x0000000003920000-0x0000000003A20000-memory.dmp

      Filesize

      1024KB

      Download