Overview

overview

10

Static

static

sample & list.exe

windows7_x64

10

sample & list.exe

windows10_x64

10

Analysis

  • max time kernel
    150s
  • max time network
    147s
  • platform
    windows10_x64
  • resource
    win10v20210408
  • submitted
    22-07-2021 07:38

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    sample & list.exe

  • Size

    675KB

  • MD5

    e5d9171fcddcb7ad12ba356039f961ae

  • SHA1

    a093a11278a11d9db0d648fec160ad1b8217ffe4

  • SHA256

    52477714f4d4870a73c7ea42a240b4191e895860f0268ef16b5f0c49d338447d

  • SHA512

    dfe707354f4c8bac9f9190e04f6775ddaeb9ac1e04baf54f341617cb56e4b10fee63a0df746cff0d1f8b6380e7bb7c097f1235e0779f28d9f17dbb83d649e975

Score
10/10
warzoneratinfostealerpersistencerat

Malware Config

Extracted

Family

warzonerat

C2

msteel1759.ddns.net:47680

Signatures

  • WarzoneRat, AveMaria

    WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.

    ratinfostealerwarzonerat
  • Warzone RAT Payload 5 IoCs
    rat
  • Executes dropped EXE 2 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Suspicious use of SetThreadContext 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 10 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 42 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\sample & list.exe
    "C:\Users\Admin\AppData\Local\Temp\sample & list.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:656
    • C:\Users\Admin\AppData\Local\Temp\sample & list.exe
      "C:\Users\Admin\AppData\Local\Temp\sample & list.exe"
      2⤵
        PID:2880
      • C:\Users\Admin\AppData\Local\Temp\sample & list.exe
        "C:\Users\Admin\AppData\Local\Temp\sample & list.exe"
        2⤵
          PID:3992
        • C:\Users\Admin\AppData\Local\Temp\sample & list.exe
          "C:\Users\Admin\AppData\Local\Temp\sample & list.exe"
          2⤵
          • Adds Run key to start application
          • Suspicious use of WriteProcessMemory
          PID:508
          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            powershell Add-MpPreference -ExclusionPath C:\
            3⤵
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:200
          • C:\ProgramData\images.exe
            "C:\ProgramData\images.exe"
            3⤵
            • Executes dropped EXE
            • Suspicious use of SetThreadContext
            • Suspicious use of WriteProcessMemory
            PID:2956
            • C:\ProgramData\images.exe
              "C:\ProgramData\images.exe"
              4⤵
              • Executes dropped EXE
              • Suspicious use of WriteProcessMemory
              PID:3444
              • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                powershell Add-MpPreference -ExclusionPath C:\
                5⤵
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of AdjustPrivilegeToken
                PID:908
              • C:\Windows\SysWOW64\cmd.exe
                "C:\Windows\System32\cmd.exe"
                5⤵
                  PID:3508

        Network

        MITRE ATT&CK Matrix ATT&CK v6

        Initial Access

        Execution

        Persistence

        Registry Run Keys / Startup Folder

        1
        T1060

        Privilege Escalation

        Defense Evasion

        Modify Registry

        1
        T1112

        Credential Access

        Discovery

        Lateral Movement

        Collection

        Exfiltration

        Command and Control

        Impact

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\ProgramData\images.exe
          MD5

          e5d9171fcddcb7ad12ba356039f961ae

          SHA1

          a093a11278a11d9db0d648fec160ad1b8217ffe4

          SHA256

          52477714f4d4870a73c7ea42a240b4191e895860f0268ef16b5f0c49d338447d

          SHA512

          dfe707354f4c8bac9f9190e04f6775ddaeb9ac1e04baf54f341617cb56e4b10fee63a0df746cff0d1f8b6380e7bb7c097f1235e0779f28d9f17dbb83d649e975

          Download Submit
        • C:\ProgramData\images.exe
          MD5

          e5d9171fcddcb7ad12ba356039f961ae

          SHA1

          a093a11278a11d9db0d648fec160ad1b8217ffe4

          SHA256

          52477714f4d4870a73c7ea42a240b4191e895860f0268ef16b5f0c49d338447d

          SHA512

          dfe707354f4c8bac9f9190e04f6775ddaeb9ac1e04baf54f341617cb56e4b10fee63a0df746cff0d1f8b6380e7bb7c097f1235e0779f28d9f17dbb83d649e975

          Download Submit
        • C:\ProgramData\images.exe
          MD5

          e5d9171fcddcb7ad12ba356039f961ae

          SHA1

          a093a11278a11d9db0d648fec160ad1b8217ffe4

          SHA256

          52477714f4d4870a73c7ea42a240b4191e895860f0268ef16b5f0c49d338447d

          SHA512

          dfe707354f4c8bac9f9190e04f6775ddaeb9ac1e04baf54f341617cb56e4b10fee63a0df746cff0d1f8b6380e7bb7c097f1235e0779f28d9f17dbb83d649e975

          Download Submit
        • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
          MD5

          717e7c7013b501396e818c9481b75c20

          SHA1

          3ef98652b9b0e888d70f7e6052cf3da9f27dfe73

          SHA256

          383e2c68d827da8ce1fc510adeb87da5cfe812e853621114753374c97ff0f540

          SHA512

          82c5e015faed57384f7480db79509be7789ce57b979a97e556eaade1a2d3047e3057273ecfa2877008c7e7944f86b7a62b4bb1a5a523163ead5ffdf7cefe261e

          Download Submit
        • memory/200-190-0x0000000008E10000-0x0000000008E11000-memory.dmp
          Filesize

          4KB

          Download
        • memory/200-151-0x00000000078B0000-0x00000000078B1000-memory.dmp
          Filesize

          4KB

          Download
        • memory/200-183-0x0000000008E30000-0x0000000008E63000-memory.dmp
          Filesize

          204KB

          Download
        • memory/200-155-0x0000000008290000-0x0000000008291000-memory.dmp
          Filesize

          4KB

          Download
        • memory/200-154-0x0000000007D90000-0x0000000007D91000-memory.dmp
          Filesize

          4KB

          Download
        • memory/200-153-0x0000000007920000-0x0000000007921000-memory.dmp
          Filesize

          4KB

          Download
        • memory/200-152-0x0000000007840000-0x0000000007841000-memory.dmp
          Filesize

          4KB

          Download
        • memory/200-146-0x00000000046C2000-0x00000000046C3000-memory.dmp
          Filesize

          4KB

          Download
        • memory/200-127-0x0000000000000000-mapping.dmp
          Download
        • memory/200-150-0x00000000070D0000-0x00000000070D1000-memory.dmp
          Filesize

          4KB

          Download
        • memory/200-214-0x000000007F1B0000-0x000000007F1B1000-memory.dmp
          Filesize

          4KB

          Download
        • memory/200-216-0x0000000009380000-0x0000000009381000-memory.dmp
          Filesize

          4KB

          Download
        • memory/200-136-0x0000000004580000-0x0000000004581000-memory.dmp
          Filesize

          4KB

          Download
        • memory/200-138-0x0000000007110000-0x0000000007111000-memory.dmp
          Filesize

          4KB

          Download
        • memory/200-143-0x00000000046C0000-0x00000000046C1000-memory.dmp
          Filesize

          4KB

          Download
        • memory/200-243-0x00000000046C3000-0x00000000046C4000-memory.dmp
          Filesize

          4KB

          Download
        • memory/508-126-0x0000000000400000-0x0000000000554000-memory.dmp
          Filesize

          1.3MB

          Download
        • memory/508-125-0x0000000000405CE2-mapping.dmp
          Download
        • memory/508-124-0x0000000000400000-0x0000000000554000-memory.dmp
          Filesize

          1.3MB

          Download
        • memory/656-121-0x0000000005470000-0x0000000005471000-memory.dmp
          Filesize

          4KB

          Download
        • memory/656-116-0x0000000005260000-0x0000000005261000-memory.dmp
          Filesize

          4KB

          Download
        • memory/656-117-0x0000000005240000-0x0000000005241000-memory.dmp
          Filesize

          4KB

          Download
        • memory/656-114-0x00000000008C0000-0x00000000008C1000-memory.dmp
          Filesize

          4KB

          Download
        • memory/656-123-0x0000000005510000-0x000000000551F000-memory.dmp
          Filesize

          60KB

          Download
        • memory/656-118-0x0000000005300000-0x0000000005348000-memory.dmp
          Filesize

          288KB

          Download
        • memory/656-122-0x00000000055B0000-0x00000000055B1000-memory.dmp
          Filesize

          4KB

          Download
        • memory/656-119-0x0000000005380000-0x0000000005381000-memory.dmp
          Filesize

          4KB

          Download
        • memory/656-120-0x0000000005890000-0x0000000005891000-memory.dmp
          Filesize

          4KB

          Download
        • memory/908-169-0x00000000072B2000-0x00000000072B3000-memory.dmp
          Filesize

          4KB

          Download
        • memory/908-168-0x00000000072B0000-0x00000000072B1000-memory.dmp
          Filesize

          4KB

          Download
        • memory/908-212-0x00000000099B0000-0x00000000099B1000-memory.dmp
          Filesize

          4KB

          Download
        • memory/908-158-0x0000000000000000-mapping.dmp
          Download
        • memory/908-215-0x000000007F550000-0x000000007F551000-memory.dmp
          Filesize

          4KB

          Download
        • memory/908-246-0x00000000072B3000-0x00000000072B4000-memory.dmp
          Filesize

          4KB

          Download
        • memory/908-604-0x0000000007440000-0x0000000007441000-memory.dmp
          Filesize

          4KB

          Download
        • memory/2956-128-0x0000000000000000-mapping.dmp
          Download
        • memory/2956-145-0x0000000005510000-0x0000000005511000-memory.dmp
          Filesize

          4KB

          Download
        • memory/3444-148-0x0000000000405CE2-mapping.dmp
          Download
        • memory/3444-156-0x0000000000400000-0x0000000000554000-memory.dmp
          Filesize

          1.3MB

          Download
        • memory/3508-175-0x0000000000B60000-0x0000000000B61000-memory.dmp
          Filesize

          4KB

          Download
        • memory/3508-159-0x0000000000000000-mapping.dmp
          Download