Analysis

  • max time kernel
    150s
  • max time network
    152s
  • platform
    windows7_x64
  • resource
    win7v20210410
  • submitted
    09-07-2021 12:52

General

  • Target

    SF40_DOC.EXE

  • Size

    859KB

  • MD5

    378b91450d386cf5916fb645b143d89d

  • SHA1

    e34a417e9a6a4985de8cf1877d542364c7255dcd

  • SHA256

    bfb41f621f57bccd1923f8437a21329666ebd4f826c7ed0f7540d54f464ad7b5

  • SHA512

    c5db058ddfae775203c41fcf29a69e5420017722b32ca446f019e8f15cc9a4c7aa07f64fb95b5ecac5fcd6ffc8020dfb093d869f6f853bfccd1f512253d3f2dd

Malware Config

Extracted

Family

warzonerat

C2

165.22.5.66:6666

Signatures

  • WarzoneRat, AveMaria

    WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.

  • Warzone RAT Payload 3 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 20 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\SF40_DOC.EXE
    "C:\Users\Admin\AppData\Local\Temp\SF40_DOC.EXE"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1100
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\QBlHdeDC" /XML "C:\Users\Admin\AppData\Local\Temp\tmpF69E.tmp"
      2⤵
      • Creates scheduled task(s)
      PID:340
    • C:\Users\Admin\AppData\Local\Temp\SF40_DOC.EXE
      "C:\Users\Admin\AppData\Local\Temp\SF40_DOC.EXE"
      2⤵
      PID:1332
    • C:\Users\Admin\AppData\Local\Temp\SF40_DOC.EXE
      "C:\Users\Admin\AppData\Local\Temp\SF40_DOC.EXE"
      2⤵
      PID:1060

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Users\Admin\AppData\Local\Temp\tmpF69E.tmp

    MD5

    bcc069e675795dd2302e0dde8255319a

    SHA1

    64613ec82b0a5d1b1bc07725a5f3defd06ab8458

    SHA256

    e88cd5c9b1e840dcf7c4b24676c097cff52f5359290de28b440e1b479f825beb

    SHA512

    5d4a2c5c3e2d9b79514f2ac2481b6594a7c6e6e07d03f4915333b522ca55dea8e7b5144b0d15fd662fcd8a82eede0840a719144cd0927da5ba370f1e627b9d6c

  • memory/340-68-0x0000000000000000-mapping.dmp

  • memory/1060-70-0x0000000000400000-0x0000000000554000-memory.dmp

    Filesize

    1.3MB

  • memory/1060-71-0x0000000000405CE2-mapping.dmp

  • memory/1060-72-0x00000000757D1000-0x00000000757D3000-memory.dmp

    Filesize

    8KB

  • memory/1060-73-0x0000000000400000-0x0000000000554000-memory.dmp

    Filesize

    1.3MB

  • memory/1100-60-0x00000000013A0000-0x00000000013A1000-memory.dmp

    Filesize

    4KB

  • memory/1100-62-0x0000000004960000-0x0000000004961000-memory.dmp

    Filesize

    4KB

  • memory/1100-63-0x00000000281E0000-0x00000000481C8000-memory.dmp

    Filesize

    511.9MB

  • memory/1100-64-0x0000000004880000-0x00000000048C7000-memory.dmp

    Filesize

    284KB

  • memory/1100-65-0x0000000000A20000-0x0000000000A28000-memory.dmp

    Filesize

    32KB

  • memory/1100-67-0x00000000011D0000-0x00000000011F9000-memory.dmp

    Filesize

    164KB