Overview

overview

10

Static

static

AV_21DE335...E1.exe

windows7_x64

10

AV_21DE335...E1.exe

windows10_x64

10

Analysis

  • max time kernel
    139s
  • max time network
    191s
  • platform
    windows7_x64
  • resource
    win7v20210408
  • submitted
    28-06-2021 14:30

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    AV_21DE335252288131E1.exe

  • Size

    1.4MB

  • MD5

    e28dedce9b9df8e6671e396057232c6c

  • SHA1

    5597ab651558b23cdcfab81ea207ad4bcd1dd11e

  • SHA256

    bfe57cd74019aabbb58cda55a091b4a72f7dff1b005af8e5a77eb89e834bea18

  • SHA512

    84fc981f7b7e19ad16ebad4b642e163ff58c9d924e8285b8b12e9025f864621884240bf99149dacce59d539bdbf3b212a926cb7ea01709d6c79b15c4e0e7ceb8

Score
10/10
warzoneratinfostealerrat

Malware Config

Extracted

Family

warzonerat

C2

40.83.20.77:8700

Signatures

  • WarzoneRat, AveMaria

    WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.

    ratinfostealerwarzonerat
  • Warzone RAT Payload 3 IoCs
    rat
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious use of WriteProcessMemory 16 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\AV_21DE335252288131E1.exe
    "C:\Users\Admin\AppData\Local\Temp\AV_21DE335252288131E1.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:320
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\mSmttGYJD" /XML "C:\Users\Admin\AppData\Local\Temp\tmpD826.tmp"
      2⤵
      • Creates scheduled task(s)
      PID:1684
    • C:\Users\Admin\AppData\Local\Temp\AV_21DE335252288131E1.exe
      "C:\Users\Admin\AppData\Local\Temp\AV_21DE335252288131E1.exe"
      2⤵
        PID:744

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\tmpD826.tmp
      MD5

      c66bb7a283c6abf87d4ad09707e6ce79

      SHA1

      33a28249e793f1ac9e656cdc78702674d928037e

      SHA256

      cf7516227f99cbad0f6ac36b1c7d478e925c10fa8416026663c817c163076e64

      SHA512

      d7fab50832cd227d5815f8e4c14a1626e699b9a90cbac528d7c2c3aa9a3aebbf0cbcdb033198975dfbec0dc28518ecb355962880a52057b81b5688d2f26b91fe

      Download Submit

    • memory/320-59-0x00000000008E0000-0x00000000008E1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/320-61-0x0000000000370000-0x000000000038E000-memory.dmp

      Filesize

      120KB

      Download

    • memory/320-62-0x0000000000300000-0x0000000000301000-memory.dmp

      Filesize

      4KB

      Download

    • memory/320-63-0x0000000004F80000-0x0000000004FF8000-memory.dmp

      Filesize

      480KB

      Download

    • memory/320-64-0x00000000008A0000-0x00000000008D6000-memory.dmp

      Filesize

      216KB

      Download

    • memory/744-68-0x0000000000405CE2-mapping.dmp

      Download

    • memory/744-67-0x0000000000400000-0x0000000000554000-memory.dmp

      Filesize

      1.3MB

      Download

    • memory/744-69-0x0000000075051000-0x0000000075053000-memory.dmp

      Filesize

      8KB

      Download

    • memory/744-70-0x0000000000400000-0x0000000000554000-memory.dmp

      Filesize

      1.3MB

      Download

    • memory/1684-65-0x0000000000000000-mapping.dmp

      Download