Overview

overview

10

Static

static

Quotation ...er.exe

windows7_x64

3

Quotation ...er.exe

windows10_x64

10

Analysis

  • max time kernel
    148s
  • max time network
    151s
  • platform
    windows10_x64
  • resource
    win10v20210410
  • submitted
    14-07-2021 02:19

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Quotation for named specification new order.exe

  • Size

    786KB

  • MD5

    b8f0f94f760baa38503ac7da4faab222

  • SHA1

    2775a004ef8bfdb79ed2fae45066b49d740b1afc

  • SHA256

    d3147c430d999a7e8337cfb4120dff3079eef4bf51abc0c979f424eff86f1845

  • SHA512

    1c789c724bd67ea1b5a0ee365b8bb40768e87cef7f861f76bdfa9ec7bf99be507d3233b8450722e63378eaa3f841deb94a643925747ad6bb491401b26b5715ec

Score
10/10
warzoneratinfostealerrat

Malware Config

Extracted

Family

warzonerat

C2

princekelvin.ddns.net:4545

Signatures

  • WarzoneRat, AveMaria

    WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.

    ratinfostealerwarzonerat
  • Warzone RAT Payload 3 IoCs
    rat
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 14 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Quotation for named specification new order.exe
    "C:\Users\Admin\AppData\Local\Temp\Quotation for named specification new order.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3036
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\LGAkOTDdgeJ" /XML "C:\Users\Admin\AppData\Local\Temp\tmp5082.tmp"
      2⤵
      • Creates scheduled task(s)
      PID:3944
    • C:\Users\Admin\AppData\Local\Temp\Quotation for named specification new order.exe
      "C:\Users\Admin\AppData\Local\Temp\Quotation for named specification new order.exe"
      2⤵
        PID:1972

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Initial Access

    Execution

    Scheduled Task

    1
    T1053

    Persistence

    Scheduled Task

    1
    T1053

    Privilege Escalation

    Scheduled Task

    1
    T1053

    Defense Evasion

    Credential Access

    Discovery

    System Information Discovery

    1
    T1082

    Lateral Movement

    Collection

    Exfiltration

    Command and Control

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\tmp5082.tmp
      MD5

      91be7d6c6801a5239dea617717f2e194

      SHA1

      2f61c53f4f96c2678bab3f6cfe0844fd21ecb229

      SHA256

      bfcef985bf357d074d823b08fce498160367c8efedde65b7767e57326303ec69

      SHA512

      1aeb347dc0d58387542a0628a397c5aea4883b4a760d286938881fcb1538aa0e6c49764bab7ee1020d2187e9ed8afccf773efd9bcc24631c2e0e9bd094959114

      Download Submit
    • memory/1972-128-0x0000000000400000-0x0000000000554000-memory.dmp
      Filesize

      1.3MB

      Download
    • memory/1972-127-0x0000000000405CE2-mapping.dmp
      Download
    • memory/1972-126-0x0000000000400000-0x0000000000554000-memory.dmp
      Filesize

      1.3MB

      Download
    • memory/3036-121-0x0000000002650000-0x0000000002660000-memory.dmp
      Filesize

      64KB

      Download
    • memory/3036-120-0x0000000004C50000-0x0000000004CE2000-memory.dmp
      Filesize

      584KB

      Download
    • memory/3036-114-0x00000000003F0000-0x00000000003F1000-memory.dmp
      Filesize

      4KB

      Download
    • memory/3036-122-0x0000000009D30000-0x0000000009DB7000-memory.dmp
      Filesize

      540KB

      Download
    • memory/3036-123-0x0000000009E00000-0x0000000009E43000-memory.dmp
      Filesize

      268KB

      Download
    • memory/3036-119-0x0000000004FA0000-0x0000000004FA1000-memory.dmp
      Filesize

      4KB

      Download
    • memory/3036-118-0x0000000004E40000-0x0000000004E41000-memory.dmp
      Filesize

      4KB

      Download
    • memory/3036-117-0x0000000004D90000-0x0000000004D91000-memory.dmp
      Filesize

      4KB

      Download
    • memory/3036-116-0x0000000005290000-0x0000000005291000-memory.dmp
      Filesize

      4KB

      Download
    • memory/3944-124-0x0000000000000000-mapping.dmp
      Download