Overview

overview

10

Static

static

2a2c1a9885...d2.exe

windows7_x64

10

2a2c1a9885...d2.exe

windows10_x64

10

Analysis

  • max time kernel
    145s
  • max time network
    177s
  • platform
    windows7_x64
  • resource
    win7v20210410
  • submitted
    13-07-2021 14:21

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    2a2c1a9885d3ef548f66188878a59fd2.exe

  • Size

    684KB

  • MD5

    2a2c1a9885d3ef548f66188878a59fd2

  • SHA1

    1d480783f56c4448f074cb55a4e2e01338bfdc3b

  • SHA256

    04cde0c2284cc4dc8f8a5aeadafca6819ab9d11dfb76fb7f3a2fbbf91d3c0e5d

  • SHA512

    8fb432a4c3d21fcb165e0c8c42700f171cfff554045b6a3e1491db70c506bc7cbfa06ee4a18618af5c5dbf3559abb1f703b60acf88c6c5cc5c40c36d7854d1cf

Score
10/10
warzoneratinfostealerrat

Malware Config

Extracted

Family

warzonerat

C2

byx.z86.ru:5200

Signatures

  • WarzoneRat, AveMaria

    WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.

    ratinfostealerwarzonerat
  • Executes dropped EXE 5 IoCs
  • Loads dropped DLL 5 IoCs
  • Suspicious use of SetThreadContext 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 12 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 52 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2a2c1a9885d3ef548f66188878a59fd2.exe
    "C:\Users\Admin\AppData\Local\Temp\2a2c1a9885d3ef548f66188878a59fd2.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1820
    • C:\Users\Admin\AppData\Local\Temp\2a2c1a9885d3ef548f66188878a59fd2.exe
      C:\Users\Admin\AppData\Local\Temp\2a2c1a9885d3ef548f66188878a59fd2.exe
      2⤵
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:316
      • C:\Windows\SysWOW64\cmd.exe
        cmd.exe /c REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /f /v Load /t REG_SZ /d "C:\ProgramData\svchost.exe"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:752
        • C:\Windows\SysWOW64\reg.exe
          REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /f /v Load /t REG_SZ /d "C:\ProgramData\svchost.exe"
          4⤵
            PID:1872
        • C:\ProgramData\svchost.exe
          "C:\ProgramData\svchost.exe"
          3⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Suspicious use of SetThreadContext
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:664
          • C:\Users\Admin\AppData\Local\Temp\svchost.exe
            C:\Users\Admin\AppData\Local\Temp\svchost.exe
            4⤵
            • Executes dropped EXE
            PID:412
          • C:\Users\Admin\AppData\Local\Temp\svchost.exe
            C:\Users\Admin\AppData\Local\Temp\svchost.exe
            4⤵
            • Executes dropped EXE
            PID:1640
          • C:\Users\Admin\AppData\Local\Temp\svchost.exe
            C:\Users\Admin\AppData\Local\Temp\svchost.exe
            4⤵
            • Executes dropped EXE
            PID:616
          • C:\Users\Admin\AppData\Local\Temp\svchost.exe
            C:\Users\Admin\AppData\Local\Temp\svchost.exe
            4⤵
            • Executes dropped EXE
            • Suspicious use of WriteProcessMemory
            PID:812
            • C:\Windows\SysWOW64\cmd.exe
              "C:\Windows\System32\cmd.exe"
              5⤵
                PID:1732

      Network

      MITRE ATT&CK Matrix

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\ProgramData\svchost.exe
        MD5

        2a2c1a9885d3ef548f66188878a59fd2

        SHA1

        1d480783f56c4448f074cb55a4e2e01338bfdc3b

        SHA256

        04cde0c2284cc4dc8f8a5aeadafca6819ab9d11dfb76fb7f3a2fbbf91d3c0e5d

        SHA512

        8fb432a4c3d21fcb165e0c8c42700f171cfff554045b6a3e1491db70c506bc7cbfa06ee4a18618af5c5dbf3559abb1f703b60acf88c6c5cc5c40c36d7854d1cf

        Download Submit
      • C:\ProgramData\svchost.exe
        MD5

        2a2c1a9885d3ef548f66188878a59fd2

        SHA1

        1d480783f56c4448f074cb55a4e2e01338bfdc3b

        SHA256

        04cde0c2284cc4dc8f8a5aeadafca6819ab9d11dfb76fb7f3a2fbbf91d3c0e5d

        SHA512

        8fb432a4c3d21fcb165e0c8c42700f171cfff554045b6a3e1491db70c506bc7cbfa06ee4a18618af5c5dbf3559abb1f703b60acf88c6c5cc5c40c36d7854d1cf

        Download Submit
      • C:\Users\Admin\AppData\Local\Temp\svchost.exe
        MD5

        2a2c1a9885d3ef548f66188878a59fd2

        SHA1

        1d480783f56c4448f074cb55a4e2e01338bfdc3b

        SHA256

        04cde0c2284cc4dc8f8a5aeadafca6819ab9d11dfb76fb7f3a2fbbf91d3c0e5d

        SHA512

        8fb432a4c3d21fcb165e0c8c42700f171cfff554045b6a3e1491db70c506bc7cbfa06ee4a18618af5c5dbf3559abb1f703b60acf88c6c5cc5c40c36d7854d1cf

        Download Submit
      • C:\Users\Admin\AppData\Local\Temp\svchost.exe
        MD5

        2a2c1a9885d3ef548f66188878a59fd2

        SHA1

        1d480783f56c4448f074cb55a4e2e01338bfdc3b

        SHA256

        04cde0c2284cc4dc8f8a5aeadafca6819ab9d11dfb76fb7f3a2fbbf91d3c0e5d

        SHA512

        8fb432a4c3d21fcb165e0c8c42700f171cfff554045b6a3e1491db70c506bc7cbfa06ee4a18618af5c5dbf3559abb1f703b60acf88c6c5cc5c40c36d7854d1cf

        Download Submit
      • C:\Users\Admin\AppData\Local\Temp\svchost.exe
        MD5

        2a2c1a9885d3ef548f66188878a59fd2

        SHA1

        1d480783f56c4448f074cb55a4e2e01338bfdc3b

        SHA256

        04cde0c2284cc4dc8f8a5aeadafca6819ab9d11dfb76fb7f3a2fbbf91d3c0e5d

        SHA512

        8fb432a4c3d21fcb165e0c8c42700f171cfff554045b6a3e1491db70c506bc7cbfa06ee4a18618af5c5dbf3559abb1f703b60acf88c6c5cc5c40c36d7854d1cf

        Download Submit
      • C:\Users\Admin\AppData\Local\Temp\svchost.exe
        MD5

        2a2c1a9885d3ef548f66188878a59fd2

        SHA1

        1d480783f56c4448f074cb55a4e2e01338bfdc3b

        SHA256

        04cde0c2284cc4dc8f8a5aeadafca6819ab9d11dfb76fb7f3a2fbbf91d3c0e5d

        SHA512

        8fb432a4c3d21fcb165e0c8c42700f171cfff554045b6a3e1491db70c506bc7cbfa06ee4a18618af5c5dbf3559abb1f703b60acf88c6c5cc5c40c36d7854d1cf

        Download Submit
      • C:\Users\Admin\AppData\Local\Temp\svchost.exe
        MD5

        2a2c1a9885d3ef548f66188878a59fd2

        SHA1

        1d480783f56c4448f074cb55a4e2e01338bfdc3b

        SHA256

        04cde0c2284cc4dc8f8a5aeadafca6819ab9d11dfb76fb7f3a2fbbf91d3c0e5d

        SHA512

        8fb432a4c3d21fcb165e0c8c42700f171cfff554045b6a3e1491db70c506bc7cbfa06ee4a18618af5c5dbf3559abb1f703b60acf88c6c5cc5c40c36d7854d1cf

        Download Submit
      • \ProgramData\svchost.exe
        MD5

        2a2c1a9885d3ef548f66188878a59fd2

        SHA1

        1d480783f56c4448f074cb55a4e2e01338bfdc3b

        SHA256

        04cde0c2284cc4dc8f8a5aeadafca6819ab9d11dfb76fb7f3a2fbbf91d3c0e5d

        SHA512

        8fb432a4c3d21fcb165e0c8c42700f171cfff554045b6a3e1491db70c506bc7cbfa06ee4a18618af5c5dbf3559abb1f703b60acf88c6c5cc5c40c36d7854d1cf

        Download Submit
      • \Users\Admin\AppData\Local\Temp\svchost.exe
        MD5

        2a2c1a9885d3ef548f66188878a59fd2

        SHA1

        1d480783f56c4448f074cb55a4e2e01338bfdc3b

        SHA256

        04cde0c2284cc4dc8f8a5aeadafca6819ab9d11dfb76fb7f3a2fbbf91d3c0e5d

        SHA512

        8fb432a4c3d21fcb165e0c8c42700f171cfff554045b6a3e1491db70c506bc7cbfa06ee4a18618af5c5dbf3559abb1f703b60acf88c6c5cc5c40c36d7854d1cf

        Download Submit
      • \Users\Admin\AppData\Local\Temp\svchost.exe
        MD5

        2a2c1a9885d3ef548f66188878a59fd2

        SHA1

        1d480783f56c4448f074cb55a4e2e01338bfdc3b

        SHA256

        04cde0c2284cc4dc8f8a5aeadafca6819ab9d11dfb76fb7f3a2fbbf91d3c0e5d

        SHA512

        8fb432a4c3d21fcb165e0c8c42700f171cfff554045b6a3e1491db70c506bc7cbfa06ee4a18618af5c5dbf3559abb1f703b60acf88c6c5cc5c40c36d7854d1cf

        Download Submit
      • \Users\Admin\AppData\Local\Temp\svchost.exe
        MD5

        2a2c1a9885d3ef548f66188878a59fd2

        SHA1

        1d480783f56c4448f074cb55a4e2e01338bfdc3b

        SHA256

        04cde0c2284cc4dc8f8a5aeadafca6819ab9d11dfb76fb7f3a2fbbf91d3c0e5d

        SHA512

        8fb432a4c3d21fcb165e0c8c42700f171cfff554045b6a3e1491db70c506bc7cbfa06ee4a18618af5c5dbf3559abb1f703b60acf88c6c5cc5c40c36d7854d1cf

        Download Submit
      • \Users\Admin\AppData\Local\Temp\svchost.exe
        MD5

        2a2c1a9885d3ef548f66188878a59fd2

        SHA1

        1d480783f56c4448f074cb55a4e2e01338bfdc3b

        SHA256

        04cde0c2284cc4dc8f8a5aeadafca6819ab9d11dfb76fb7f3a2fbbf91d3c0e5d

        SHA512

        8fb432a4c3d21fcb165e0c8c42700f171cfff554045b6a3e1491db70c506bc7cbfa06ee4a18618af5c5dbf3559abb1f703b60acf88c6c5cc5c40c36d7854d1cf

        Download Submit
      • memory/316-71-0x0000000075FE1000-0x0000000075FE3000-memory.dmp
        Filesize

        8KB

        Download
      • memory/316-70-0x0000000000405E28-mapping.dmp
        Download
      • memory/316-72-0x0000000000400000-0x000000000055E000-memory.dmp
        Filesize

        1.4MB

        Download
      • memory/316-69-0x0000000000400000-0x000000000055E000-memory.dmp
        Filesize

        1.4MB

        Download
      • memory/664-78-0x0000000000890000-0x0000000000891000-memory.dmp
        Filesize

        4KB

        Download
      • memory/664-93-0x0000000004285000-0x0000000004296000-memory.dmp
        Filesize

        68KB

        Download
      • memory/664-81-0x0000000004280000-0x0000000004281000-memory.dmp
        Filesize

        4KB

        Download
      • memory/664-75-0x0000000000000000-mapping.dmp
        Download
      • memory/752-73-0x0000000000000000-mapping.dmp
        Download
      • memory/812-97-0x0000000000405E28-mapping.dmp
        Download
      • memory/812-100-0x0000000000400000-0x000000000055E000-memory.dmp
        Filesize

        1.4MB

        Download
      • memory/1732-102-0x0000000000000000-mapping.dmp
        Download
      • memory/1820-59-0x00000000000C0000-0x00000000000C1000-memory.dmp
        Filesize

        4KB

        Download
      • memory/1820-68-0x00000000048A5000-0x00000000048B6000-memory.dmp
        Filesize

        68KB

        Download
      • memory/1820-67-0x0000000005A60000-0x0000000005AC2000-memory.dmp
        Filesize

        392KB

        Download
      • memory/1820-62-0x00000000020D0000-0x000000000211B000-memory.dmp
        Filesize

        300KB

        Download
      • memory/1820-61-0x00000000048A0000-0x00000000048A1000-memory.dmp
        Filesize

        4KB

        Download
      • memory/1872-79-0x0000000000000000-mapping.dmp
        Download