Overview

overview

10

Static

static

2a2c1a9885...d2.exe

windows7_x64

10

2a2c1a9885...d2.exe

windows10_x64

10

Analysis

  • max time kernel
    145s
  • max time network
    179s
  • platform
    windows7_x64
  • resource
    win7v20210410
  • submitted
    13-07-2021 13:03

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    2a2c1a9885d3ef548f66188878a59fd2.exe

  • Size

    684KB

  • MD5

    2a2c1a9885d3ef548f66188878a59fd2

  • SHA1

    1d480783f56c4448f074cb55a4e2e01338bfdc3b

  • SHA256

    04cde0c2284cc4dc8f8a5aeadafca6819ab9d11dfb76fb7f3a2fbbf91d3c0e5d

  • SHA512

    8fb432a4c3d21fcb165e0c8c42700f171cfff554045b6a3e1491db70c506bc7cbfa06ee4a18618af5c5dbf3559abb1f703b60acf88c6c5cc5c40c36d7854d1cf

Score
10/10
warzoneratinfostealerrat

Malware Config

Extracted

Family

warzonerat

C2

byx.z86.ru:5200

Signatures

  • WarzoneRat, AveMaria

    WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.

    ratinfostealerwarzonerat
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 3 IoCs
  • Suspicious use of SetThreadContext 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 21 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 60 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2a2c1a9885d3ef548f66188878a59fd2.exe
    "C:\Users\Admin\AppData\Local\Temp\2a2c1a9885d3ef548f66188878a59fd2.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1036
    • C:\Users\Admin\AppData\Local\Temp\2a2c1a9885d3ef548f66188878a59fd2.exe
      C:\Users\Admin\AppData\Local\Temp\2a2c1a9885d3ef548f66188878a59fd2.exe
      2⤵
        PID:1700
      • C:\Users\Admin\AppData\Local\Temp\2a2c1a9885d3ef548f66188878a59fd2.exe
        C:\Users\Admin\AppData\Local\Temp\2a2c1a9885d3ef548f66188878a59fd2.exe
        2⤵
          PID:112
        • C:\Users\Admin\AppData\Local\Temp\2a2c1a9885d3ef548f66188878a59fd2.exe
          C:\Users\Admin\AppData\Local\Temp\2a2c1a9885d3ef548f66188878a59fd2.exe
          2⤵
            PID:268
          • C:\Users\Admin\AppData\Local\Temp\2a2c1a9885d3ef548f66188878a59fd2.exe
            C:\Users\Admin\AppData\Local\Temp\2a2c1a9885d3ef548f66188878a59fd2.exe
            2⤵
              PID:548
            • C:\Users\Admin\AppData\Local\Temp\2a2c1a9885d3ef548f66188878a59fd2.exe
              C:\Users\Admin\AppData\Local\Temp\2a2c1a9885d3ef548f66188878a59fd2.exe
              2⤵
              • Loads dropped DLL
              • Suspicious use of WriteProcessMemory
              PID:592
              • C:\Windows\SysWOW64\cmd.exe
                cmd.exe /c REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /f /v Load /t REG_SZ /d "C:\ProgramData\svchost.exe"
                3⤵
                • Suspicious use of WriteProcessMemory
                PID:1072
                • C:\Windows\SysWOW64\reg.exe
                  REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /f /v Load /t REG_SZ /d "C:\ProgramData\svchost.exe"
                  4⤵
                    PID:1576
                • C:\ProgramData\svchost.exe
                  "C:\ProgramData\svchost.exe"
                  3⤵
                  • Executes dropped EXE
                  • Loads dropped DLL
                  • Suspicious use of SetThreadContext
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:1516
                  • C:\Users\Admin\AppData\Local\Temp\svchost.exe
                    C:\Users\Admin\AppData\Local\Temp\svchost.exe
                    4⤵
                    • Executes dropped EXE
                    PID:928
                  • C:\Users\Admin\AppData\Local\Temp\svchost.exe
                    C:\Users\Admin\AppData\Local\Temp\svchost.exe
                    4⤵
                    • Executes dropped EXE
                    • Suspicious use of WriteProcessMemory
                    PID:1372
                    • C:\Windows\SysWOW64\cmd.exe
                      "C:\Windows\System32\cmd.exe"
                      5⤵
                        PID:1396

              Network

              MITRE ATT&CK Matrix

              Replay Monitor

              Loading Replay Monitor...

              Downloads

              • C:\ProgramData\svchost.exe
                MD5

                2a2c1a9885d3ef548f66188878a59fd2

                SHA1

                1d480783f56c4448f074cb55a4e2e01338bfdc3b

                SHA256

                04cde0c2284cc4dc8f8a5aeadafca6819ab9d11dfb76fb7f3a2fbbf91d3c0e5d

                SHA512

                8fb432a4c3d21fcb165e0c8c42700f171cfff554045b6a3e1491db70c506bc7cbfa06ee4a18618af5c5dbf3559abb1f703b60acf88c6c5cc5c40c36d7854d1cf

                Download Submit
              • C:\ProgramData\svchost.exe
                MD5

                2a2c1a9885d3ef548f66188878a59fd2

                SHA1

                1d480783f56c4448f074cb55a4e2e01338bfdc3b

                SHA256

                04cde0c2284cc4dc8f8a5aeadafca6819ab9d11dfb76fb7f3a2fbbf91d3c0e5d

                SHA512

                8fb432a4c3d21fcb165e0c8c42700f171cfff554045b6a3e1491db70c506bc7cbfa06ee4a18618af5c5dbf3559abb1f703b60acf88c6c5cc5c40c36d7854d1cf

                Download Submit
              • C:\Users\Admin\AppData\Local\Temp\svchost.exe
                MD5

                2a2c1a9885d3ef548f66188878a59fd2

                SHA1

                1d480783f56c4448f074cb55a4e2e01338bfdc3b

                SHA256

                04cde0c2284cc4dc8f8a5aeadafca6819ab9d11dfb76fb7f3a2fbbf91d3c0e5d

                SHA512

                8fb432a4c3d21fcb165e0c8c42700f171cfff554045b6a3e1491db70c506bc7cbfa06ee4a18618af5c5dbf3559abb1f703b60acf88c6c5cc5c40c36d7854d1cf

                Download Submit
              • C:\Users\Admin\AppData\Local\Temp\svchost.exe
                MD5

                2a2c1a9885d3ef548f66188878a59fd2

                SHA1

                1d480783f56c4448f074cb55a4e2e01338bfdc3b

                SHA256

                04cde0c2284cc4dc8f8a5aeadafca6819ab9d11dfb76fb7f3a2fbbf91d3c0e5d

                SHA512

                8fb432a4c3d21fcb165e0c8c42700f171cfff554045b6a3e1491db70c506bc7cbfa06ee4a18618af5c5dbf3559abb1f703b60acf88c6c5cc5c40c36d7854d1cf

                Download Submit
              • C:\Users\Admin\AppData\Local\Temp\svchost.exe
                MD5

                2a2c1a9885d3ef548f66188878a59fd2

                SHA1

                1d480783f56c4448f074cb55a4e2e01338bfdc3b

                SHA256

                04cde0c2284cc4dc8f8a5aeadafca6819ab9d11dfb76fb7f3a2fbbf91d3c0e5d

                SHA512

                8fb432a4c3d21fcb165e0c8c42700f171cfff554045b6a3e1491db70c506bc7cbfa06ee4a18618af5c5dbf3559abb1f703b60acf88c6c5cc5c40c36d7854d1cf

                Download Submit
              • \ProgramData\svchost.exe
                MD5

                2a2c1a9885d3ef548f66188878a59fd2

                SHA1

                1d480783f56c4448f074cb55a4e2e01338bfdc3b

                SHA256

                04cde0c2284cc4dc8f8a5aeadafca6819ab9d11dfb76fb7f3a2fbbf91d3c0e5d

                SHA512

                8fb432a4c3d21fcb165e0c8c42700f171cfff554045b6a3e1491db70c506bc7cbfa06ee4a18618af5c5dbf3559abb1f703b60acf88c6c5cc5c40c36d7854d1cf

                Download Submit
              • \Users\Admin\AppData\Local\Temp\svchost.exe
                MD5

                2a2c1a9885d3ef548f66188878a59fd2

                SHA1

                1d480783f56c4448f074cb55a4e2e01338bfdc3b

                SHA256

                04cde0c2284cc4dc8f8a5aeadafca6819ab9d11dfb76fb7f3a2fbbf91d3c0e5d

                SHA512

                8fb432a4c3d21fcb165e0c8c42700f171cfff554045b6a3e1491db70c506bc7cbfa06ee4a18618af5c5dbf3559abb1f703b60acf88c6c5cc5c40c36d7854d1cf

                Download Submit
              • \Users\Admin\AppData\Local\Temp\svchost.exe
                MD5

                2a2c1a9885d3ef548f66188878a59fd2

                SHA1

                1d480783f56c4448f074cb55a4e2e01338bfdc3b

                SHA256

                04cde0c2284cc4dc8f8a5aeadafca6819ab9d11dfb76fb7f3a2fbbf91d3c0e5d

                SHA512

                8fb432a4c3d21fcb165e0c8c42700f171cfff554045b6a3e1491db70c506bc7cbfa06ee4a18618af5c5dbf3559abb1f703b60acf88c6c5cc5c40c36d7854d1cf

                Download Submit
              • memory/592-69-0x0000000000400000-0x000000000055E000-memory.dmp
                Filesize

                1.4MB

                Download
              • memory/592-72-0x0000000000400000-0x000000000055E000-memory.dmp
                Filesize

                1.4MB

                Download
              • memory/592-70-0x0000000000405E28-mapping.dmp
                Download
              • memory/592-71-0x0000000075721000-0x0000000075723000-memory.dmp
                Filesize

                8KB

                Download
              • memory/1036-68-0x0000000004CB5000-0x0000000004CC6000-memory.dmp
                Filesize

                68KB

                Download
              • memory/1036-61-0x0000000004CB0000-0x0000000004CB1000-memory.dmp
                Filesize

                4KB

                Download
              • memory/1036-62-0x00000000004F0000-0x000000000053B000-memory.dmp
                Filesize

                300KB

                Download
              • memory/1036-59-0x0000000000290000-0x0000000000291000-memory.dmp
                Filesize

                4KB

                Download
              • memory/1036-67-0x0000000005AE0000-0x0000000005B42000-memory.dmp
                Filesize

                392KB

                Download
              • memory/1072-73-0x0000000000000000-mapping.dmp
                Download
              • memory/1372-93-0x0000000000405E28-mapping.dmp
                Download
              • memory/1372-96-0x0000000000400000-0x000000000055E000-memory.dmp
                Filesize

                1.4MB

                Download
              • memory/1396-98-0x0000000000000000-mapping.dmp
                Download
              • memory/1516-75-0x0000000000000000-mapping.dmp
                Download
              • memory/1516-88-0x0000000000685000-0x0000000000696000-memory.dmp
                Filesize

                68KB

                Download
              • memory/1516-81-0x0000000000680000-0x0000000000681000-memory.dmp
                Filesize

                4KB

                Download
              • memory/1516-78-0x0000000000FF0000-0x0000000000FF1000-memory.dmp
                Filesize

                4KB

                Download
              • memory/1576-79-0x0000000000000000-mapping.dmp
                Download