Analysis
- max time kernel: 40s
- max time network: 104s
- platform: windows7_x64
- resource: win7v20210410
- submitted: 15-07-2021 20:13
Static task
- static1

Behavioral task
- behavioral1
  Sample: KINDLY QUOTE COMPETITIVE PRICE.exe
  Resource: win7v20210410 (windows7_x64)
  0 signatures, 0 seconds

Behavioral task
- behavioral2
  Sample: KINDLY QUOTE COMPETITIVE PRICE.exe
  Resource: win10v20210408 (windows10_x64)
  0 signatures, 0 seconds
General
- Target: KINDLY QUOTE COMPETITIVE PRICE.exe
- Size: 634KB
- MD5: 24cdb20f9b57a58becd8db704caaec1a
- SHA1: 1420f8d5e00c7294cc1ef249cd159852f574b96c
- SHA256: 20b8d427a1603e1262b0c7d9a5119d0ea775cb69c690098ecd12a1037a443892
- SHA512: 39f492af2fb5dc53820cb641263e41e1c1ab808cf0d9010748ea4aabf77798d9df381100d62e447bad4cbb861c623f8e06a3a24b442a3ab144144757f1edbf6f
- Score: 10/10
Malware Config
Extracted
- Family: warzonerat
- C2: dar123.hopto.org:5032
Signatures
- WarzoneRat, AveMaria
  WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
- Warzone RAT Payload (IoCs: 1)
  Processes:
  resource: behavioral1/memory/1964-72-0x00000000005B0000-0x0000000000704000-memory.dmp
  yara_rule: warzonerat
- Adds Run key to start application (TTPs: 2, IoCs: 1)
  Processes:
  description: Set value (str)
  ioc: \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\Ztntyju = "C:\\Users\\Public\\Libraries\\ujytntZ.url"
  process: KINDLY QUOTE COMPETITIVE PRICE.exe
- Suspicious use of WriteProcessMemory (IoCs: 16)
  Processes:
  description: PID 1084 wrote to memory of 1964
  pid: 1084
  process: KINDLY QUOTE COMPETITIVE PRICE.exe
  target process: mobsync.exe
  (16 identical entries)
Processes
- C:\Users\Admin\AppData\Local\Temp\KINDLY QUOTE COMPETITIVE PRICE.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\KINDLY QUOTE COMPETITIVE PRICE.exe"
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\mobsync.exe
    Command line: C:\Windows\System32\mobsync.exe
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- memory/1084-61-0x00000000752F1000-0x00000000752F3000-memory.dmp (Filesize 8KB)
- memory/1084-62-0x0000000000240000-0x000000000025A000-memory.dmp (Filesize 104KB)
- memory/1084-65-0x0000000000220000-0x0000000000221000-memory.dmp (Filesize 4KB)
- memory/1964-66-0x0000000000000000-mapping.dmp
- memory/1964-69-0x00000000000C0000-0x00000000000C1000-memory.dmp (Filesize 4KB)
- memory/1964-68-0x0000000000080000-0x0000000000081000-memory.dmp (Filesize 4KB)
- memory/1964-70-0x00000000001A0000-0x00000000001A1000-memory.dmp (Filesize 4KB)
- memory/1964-71-0x0000000010670000-0x00000000107C6000-memory.dmp (Filesize 1.3MB)
- memory/1964-72-0x00000000005B0000-0x0000000000704000-memory.dmp (Filesize 1.3MB)