Overview

overview

10

Static

static

Statement ...78.exe

windows7_x64

1

Statement ...78.exe

windows10_x64

10

Analysis

  • max time kernel
    145s
  • max time network
    150s
  • platform
    windows10_x64
  • resource
    win10v20210410
  • submitted
    23-07-2021 16:06

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Statement SKBMT 01078.exe

  • Size

    1.1MB

  • MD5

    2ac95d271159084b2f3f66ebe2fc1318

  • SHA1

    70c8964080fef2993c9a3f4cb3f6f9c8a0e10f54

  • SHA256

    af96538d76a53512e82dbb6683578b7d44577307722d1c9291cf047f5f471334

  • SHA512

    0619dbaa146a64851bd24c7afd04bbaf2c23e002e10a9f83a306079c6edff0e876c32c60e4fc74de64b05dd74aa24b27810572b18efdc4878426a82840649105

Score
10/10
warzoneratinfostealerrat

Malware Config

Extracted

Family

warzonerat

C2

202.55.132.213:7744

Signatures

  • WarzoneRat, AveMaria

    WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.

    ratinfostealerwarzonerat
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: EnumeratesProcesses 11 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of WriteProcessMemory 25 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Statement SKBMT 01078.exe
    "C:\Users\Admin\AppData\Local\Temp\Statement SKBMT 01078.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3972
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\Statement SKBMT 01078.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3120
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\yRSZtJF.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1548
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\yRSZtJF" /XML "C:\Users\Admin\AppData\Local\Temp\tmp763A.tmp"
      2⤵
      • Creates scheduled task(s)
      PID:1228
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\yRSZtJF.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2092
    • C:\Users\Admin\AppData\Local\Temp\Statement SKBMT 01078.exe
      "C:\Users\Admin\AppData\Local\Temp\Statement SKBMT 01078.exe"
      2⤵
        PID:2228
      • C:\Users\Admin\AppData\Local\Temp\Statement SKBMT 01078.exe
        "C:\Users\Admin\AppData\Local\Temp\Statement SKBMT 01078.exe"
        2⤵
          PID:4060

      Network

      MITRE ATT&CK Enterprise v6

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
        MD5

        1c19c16e21c97ed42d5beabc93391fc5

        SHA1

        8ad83f8e0b3acf8dfbbf87931e41f0d664c4df68

        SHA256

        1bcd97396c83babfe6c5068ba590d7a3f8b70e72955a9d1e4070648e404cbf05

        SHA512

        7d18776d8f649b3d29c182ff03efc6cea8b527542ee55304980f24577aae8b64e37044407776e220984346c3998ace5f8853afa58c8b38407482a728e9495e0c

        Download Submit

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
        MD5

        e7033be7ec00916a3493db917ad6cace

        SHA1

        a059f299224914a95902b7bcffda11c941db9204

        SHA256

        2e3561998f78ffc75785bf88e9766d7d1481b655276fe9181f32db53c82ed529

        SHA512

        8216834ced3cc6991bfb5abf6c923f3088da3f38a7c1c36ed15e48ee57cb6e31f92d4e96c3c84c56bbeac26eaa046753dfffe71b715d85fe9687d04cb06c262a

        Download Submit

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
        MD5

        c2890eaaf381fda082ce862097548442

        SHA1

        5c57512495dfbe66b5a3674446d545bdccdc371f

        SHA256

        9b92891f45abc65c70356b32d306d761cb8e24d789fdfac76163b2f031647e94

        SHA512

        64471fa422c88e6f4480ddc48c6eefefc4277a8e1853ede262f4594609ada183a0cec88318b8f27ecdeda8ddb1816d409c0a723bcecba27141679047927a38ac

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\tmp763A.tmp
        MD5

        60d2e68a60bd519db5144ad69d13ddf0

        SHA1

        217d44f26758e9f4cde5379e2ab4a253a482da17

        SHA256

        8aa735c4f4651d818e97103bb5e7fb7fa95c85223480ef512a59e070b68a3691

        SHA512

        530d23056c49f497ac1247f085a68c80f361dfe6e5673995427684074c9499f86f081ac2ab5102f1fe47bedd28bcf87b4c3861407025414f67dab199cec1495a

        Download Submit

      • memory/1228-127-0x0000000000000000-mapping.dmp

        Download

      • memory/1548-187-0x0000000008CF0000-0x0000000008D23000-memory.dmp

        Filesize

        204KB

        Download

      • memory/1548-158-0x0000000000E10000-0x0000000000E11000-memory.dmp

        Filesize

        4KB

        Download

      • memory/1548-159-0x0000000000E12000-0x0000000000E13000-memory.dmp

        Filesize

        4KB

        Download

      • memory/1548-257-0x0000000000E13000-0x0000000000E14000-memory.dmp

        Filesize

        4KB

        Download

      • memory/1548-167-0x0000000007D60000-0x0000000007D61000-memory.dmp

        Filesize

        4KB

        Download

      • memory/1548-205-0x0000000008AA0000-0x0000000008AA1000-memory.dmp

        Filesize

        4KB

        Download

      • memory/1548-201-0x000000007F450000-0x000000007F451000-memory.dmp

        Filesize

        4KB

        Download

      • memory/1548-126-0x0000000000000000-mapping.dmp

        Download

      • memory/1548-220-0x0000000008E20000-0x0000000008E21000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2092-137-0x0000000000000000-mapping.dmp

        Download

      • memory/2092-161-0x0000000006BC0000-0x0000000006BC1000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2092-162-0x0000000006BC2000-0x0000000006BC3000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2092-259-0x0000000006BC3000-0x0000000006BC4000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2092-251-0x000000007FBE0000-0x000000007FBE1000-memory.dmp

        Filesize

        4KB

        Download

      • memory/3120-147-0x00000000083D0000-0x00000000083D1000-memory.dmp

        Filesize

        4KB

        Download

      • memory/3120-125-0x0000000000000000-mapping.dmp

        Download

      • memory/3120-141-0x0000000007B00000-0x0000000007B01000-memory.dmp

        Filesize

        4KB

        Download

      • memory/3120-133-0x0000000007BC0000-0x0000000007BC1000-memory.dmp

        Filesize

        4KB

        Download

      • memory/3120-157-0x0000000004FE2000-0x0000000004FE3000-memory.dmp

        Filesize

        4KB

        Download

      • memory/3120-139-0x0000000007A90000-0x0000000007A91000-memory.dmp

        Filesize

        4KB

        Download

      • memory/3120-155-0x0000000004FE0000-0x0000000004FE1000-memory.dmp

        Filesize

        4KB

        Download

      • memory/3120-204-0x000000007F260000-0x000000007F261000-memory.dmp

        Filesize

        4KB

        Download

      • memory/3120-138-0x00000000078F0000-0x00000000078F1000-memory.dmp

        Filesize

        4KB

        Download

      • memory/3120-254-0x0000000004FE3000-0x0000000004FE4000-memory.dmp

        Filesize

        4KB

        Download

      • memory/3120-131-0x0000000004F90000-0x0000000004F91000-memory.dmp

        Filesize

        4KB

        Download

      • memory/3120-163-0x0000000008240000-0x0000000008241000-memory.dmp

        Filesize

        4KB

        Download

      • memory/3120-165-0x0000000008D20000-0x0000000008D21000-memory.dmp

        Filesize

        4KB

        Download

      • memory/3972-119-0x0000000005460000-0x0000000005461000-memory.dmp

        Filesize

        4KB

        Download

      • memory/3972-114-0x0000000000920000-0x0000000000921000-memory.dmp

        Filesize

        4KB

        Download

      • memory/3972-121-0x00000000053C0000-0x00000000058BE000-memory.dmp

        Filesize

        5.0MB

        Download

      • memory/3972-120-0x0000000005500000-0x0000000005501000-memory.dmp

        Filesize

        4KB

        Download

      • memory/3972-124-0x00000000056F0000-0x000000000571D000-memory.dmp

        Filesize

        180KB

        Download

      • memory/3972-123-0x0000000011140000-0x00000000111B2000-memory.dmp

        Filesize

        456KB

        Download

      • memory/3972-122-0x0000000005560000-0x000000000558D000-memory.dmp

        Filesize

        180KB

        Download

      • memory/3972-118-0x00000000053C0000-0x00000000053C1000-memory.dmp

        Filesize

        4KB

        Download

      • memory/3972-117-0x00000000058C0000-0x00000000058C1000-memory.dmp

        Filesize

        4KB

        Download

      • memory/3972-116-0x0000000005320000-0x0000000005321000-memory.dmp

        Filesize

        4KB

        Download

      • memory/4060-160-0x0000000000400000-0x000000000055E000-memory.dmp

        Filesize

        1.4MB

        Download

      • memory/4060-142-0x0000000000405E28-mapping.dmp

        Download

      • memory/4060-140-0x0000000000400000-0x000000000055E000-memory.dmp

        Filesize

        1.4MB

        Download