Overview

overview

10

Static

static

pdf file.exe

windows7_x64

3

pdf file.exe

windows10_x64

10

Analysis

  • max time kernel
    94s
  • max time network
    149s
  • platform
    windows10_x64
  • resource
    win10v20210410
  • submitted
    07-07-2021 09:25

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    pdf file.exe

  • Size

    1.1MB

  • MD5

    3cbd781f564cf84ffef48e204f447b2d

  • SHA1

    62a79b0bde60d2b46ceb204bd127065d64c66d3d

  • SHA256

    686f4b4a55d410762e893e7caccfe000ff0b927339a4da65b3076ac932d8b409

  • SHA512

    5ae28a6458f9368ce0a5f08b189903171372514b3aeb218a21affd4448d4c4d97e382dd6153e63e1bfbde0d675438544125153f9530f234198a783d6e6d027ac

Score
10/10
warzoneratinfostealerrat

Malware Config

Extracted

Family

warzonerat

C2

185.157.160.215:2211

Signatures

  • WarzoneRat, AveMaria

    WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.

    ratinfostealerwarzonerat
  • Warzone RAT Payload 3 IoCs
    rat
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 14 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\pdf file.exe
    "C:\Users\Admin\AppData\Local\Temp\pdf file.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3540
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ZsTxZSAorIA" /XML "C:\Users\Admin\AppData\Local\Temp\tmpC351.tmp"
      2⤵
      • Creates scheduled task(s)
      PID:1468
    • C:\Users\Admin\AppData\Local\Temp\pdf file.exe
      "C:\Users\Admin\AppData\Local\Temp\pdf file.exe"
      2⤵
        PID:3280

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\tmpC351.tmp
      MD5

      60280c8412cd707d9bce0cf7dcf80f1c

      SHA1

      078cf2320b2f6fee49aa43ec59e1cfc87a15f07d

      SHA256

      bfb21b1ea4c760f8e954fefb8a275b9e2cc30847197643c8dbe82d12d8af1776

      SHA512

      f440260e9967546ed1a8dfc58bf91f43fa829d99b761d947c2557f7d2349e48d46b4094b4864ab73f9c46598e5c17a427753acefd4c1f1e6602912aa5bc106e4

      Download Submit

    • memory/1468-125-0x0000000000000000-mapping.dmp

      Download

    • memory/3280-129-0x0000000000400000-0x0000000000554000-memory.dmp

      Filesize

      1.3MB

      Download

    • memory/3280-127-0x0000000000400000-0x0000000000554000-memory.dmp

      Filesize

      1.3MB

      Download

    • memory/3280-128-0x0000000000405CE2-mapping.dmp

      Download

    • memory/3540-121-0x00000000059C0000-0x0000000005EBE000-memory.dmp

      Filesize

      5.0MB

      Download

    • memory/3540-114-0x0000000000F60000-0x0000000000F61000-memory.dmp

      Filesize

      4KB

      Download

    • memory/3540-122-0x0000000005B80000-0x0000000005B8F000-memory.dmp

      Filesize

      60KB

      Download

    • memory/3540-123-0x000000000A400000-0x000000000A49B000-memory.dmp

      Filesize

      620KB

      Download

    • memory/3540-124-0x000000000CCE0000-0x000000000CD49000-memory.dmp

      Filesize

      420KB

      Download

    • memory/3540-120-0x0000000005C00000-0x0000000005C01000-memory.dmp

      Filesize

      4KB

      Download

    • memory/3540-119-0x00000000058A0000-0x00000000058A1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/3540-118-0x00000000059C0000-0x00000000059C1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/3540-117-0x0000000005EC0000-0x0000000005EC1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/3540-116-0x0000000005920000-0x0000000005921000-memory.dmp

      Filesize

      4KB

      Download