Overview

overview

10

Static

static

Statement ...78.exe

windows7_x64

1

Statement ...78.exe

windows10_x64

10

Analysis

  • max time kernel
    150s
  • max time network
    160s
  • platform
    windows10_x64
  • resource
    win10v20210410
  • submitted
    23-07-2021 17:06

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Statement SKBMT 01078.exe

  • Size

    1.1MB

  • MD5

    2ac95d271159084b2f3f66ebe2fc1318

  • SHA1

    70c8964080fef2993c9a3f4cb3f6f9c8a0e10f54

  • SHA256

    af96538d76a53512e82dbb6683578b7d44577307722d1c9291cf047f5f471334

  • SHA512

    0619dbaa146a64851bd24c7afd04bbaf2c23e002e10a9f83a306079c6edff0e876c32c60e4fc74de64b05dd74aa24b27810572b18efdc4878426a82840649105

Score
10/10
warzoneratinfostealerrat

Malware Config

Extracted

Family

warzonerat

C2

202.55.132.213:7744

Signatures

  • WarzoneRat, AveMaria

    WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.

    ratinfostealerwarzonerat
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: EnumeratesProcesses 9 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of WriteProcessMemory 22 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Statement SKBMT 01078.exe
    "C:\Users\Admin\AppData\Local\Temp\Statement SKBMT 01078.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3724
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\Statement SKBMT 01078.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3544
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\yRSZtJF.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3448
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\yRSZtJF" /XML "C:\Users\Admin\AppData\Local\Temp\tmpED20.tmp"
      2⤵
      • Creates scheduled task(s)
      PID:3960
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\yRSZtJF.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1888
    • C:\Users\Admin\AppData\Local\Temp\Statement SKBMT 01078.exe
      "C:\Users\Admin\AppData\Local\Temp\Statement SKBMT 01078.exe"
      2⤵
        PID:2120

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Initial Access

    Execution

    Scheduled Task

    1
    T1053

    Persistence

    Scheduled Task

    1
    T1053

    Privilege Escalation

    Scheduled Task

    1
    T1053

    Defense Evasion

    Credential Access

    Discovery

    System Information Discovery

    1
    T1082

    Lateral Movement

    Collection

    Exfiltration

    Command and Control

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
      MD5

      1c19c16e21c97ed42d5beabc93391fc5

      SHA1

      8ad83f8e0b3acf8dfbbf87931e41f0d664c4df68

      SHA256

      1bcd97396c83babfe6c5068ba590d7a3f8b70e72955a9d1e4070648e404cbf05

      SHA512

      7d18776d8f649b3d29c182ff03efc6cea8b527542ee55304980f24577aae8b64e37044407776e220984346c3998ace5f8853afa58c8b38407482a728e9495e0c

      Download Submit
    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
      MD5

      79ea2bcacda0e0704206d9c57f67dbe9

      SHA1

      88635077d2fe8bbe153a5ba10fbc66691690e9f9

      SHA256

      2e365f5a1a007d62f3a179bb5ff469fd8ad8523c4b3196f465689ea24f64ff93

      SHA512

      b6a52dc2873454ce5d2d725c5ea79264a82613bc05213988948c12fe66f4bfb46c076b227d70de45bcd7c2089f7c3a4ee0d1b3651a976e613b48bcc115368122

      Download Submit
    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
      MD5

      96456f560fdce1d4c4cc6f6b45366bc0

      SHA1

      e977911675d3d4d30ca1046d5b70e17e5856e367

      SHA256

      bc5dbd2a8422064e23b23a794e95bc45c3dbc8dc49b064aa7e52bd1582f19307

      SHA512

      b266800cb753e3a8f82f76eac43d8d19ee32a82aa83abdfd24873f45b1693b995747e7f755449e174d7cd574163565081b91de28b86ec275943eccff91d77497

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\tmpED20.tmp
      MD5

      60d2e68a60bd519db5144ad69d13ddf0

      SHA1

      217d44f26758e9f4cde5379e2ab4a253a482da17

      SHA256

      8aa735c4f4651d818e97103bb5e7fb7fa95c85223480ef512a59e070b68a3691

      SHA512

      530d23056c49f497ac1247f085a68c80f361dfe6e5673995427684074c9499f86f081ac2ab5102f1fe47bedd28bcf87b4c3861407025414f67dab199cec1495a

      Download Submit
    • memory/1888-166-0x0000000006E12000-0x0000000006E13000-memory.dmp
      Filesize

      4KB

      Download
    • memory/1888-228-0x000000007E550000-0x000000007E551000-memory.dmp
      Filesize

      4KB

      Download
    • memory/1888-139-0x0000000000000000-mapping.dmp
      Download
    • memory/1888-164-0x0000000006E10000-0x0000000006E11000-memory.dmp
      Filesize

      4KB

      Download
    • memory/1888-286-0x0000000006E13000-0x0000000006E14000-memory.dmp
      Filesize

      4KB

      Download
    • memory/2120-162-0x0000000000400000-0x000000000055E000-memory.dmp
      Filesize

      1.4MB

      Download
    • memory/2120-143-0x0000000000405E28-mapping.dmp
      Download
    • memory/2120-141-0x0000000000400000-0x000000000055E000-memory.dmp
      Filesize

      1.4MB

      Download
    • memory/3448-232-0x0000000006833000-0x0000000006834000-memory.dmp
      Filesize

      4KB

      Download
    • memory/3448-224-0x000000007F170000-0x000000007F171000-memory.dmp
      Filesize

      4KB

      Download
    • memory/3448-126-0x0000000000000000-mapping.dmp
      Download
    • memory/3448-160-0x0000000006832000-0x0000000006833000-memory.dmp
      Filesize

      4KB

      Download
    • memory/3448-158-0x0000000006830000-0x0000000006831000-memory.dmp
      Filesize

      4KB

      Download
    • memory/3544-145-0x00000000077F0000-0x00000000077F1000-memory.dmp
      Filesize

      4KB

      Download
    • memory/3544-167-0x0000000007F90000-0x0000000007F91000-memory.dmp
      Filesize

      4KB

      Download
    • memory/3544-137-0x0000000006D20000-0x0000000006D21000-memory.dmp
      Filesize

      4KB

      Download
    • memory/3544-142-0x0000000007650000-0x0000000007651000-memory.dmp
      Filesize

      4KB

      Download
    • memory/3544-133-0x0000000007020000-0x0000000007021000-memory.dmp
      Filesize

      4KB

      Download
    • memory/3544-226-0x0000000004663000-0x0000000004664000-memory.dmp
      Filesize

      4KB

      Download
    • memory/3544-153-0x0000000004660000-0x0000000004661000-memory.dmp
      Filesize

      4KB

      Download
    • memory/3544-156-0x00000000076E0000-0x00000000076E1000-memory.dmp
      Filesize

      4KB

      Download
    • memory/3544-155-0x0000000004662000-0x0000000004663000-memory.dmp
      Filesize

      4KB

      Download
    • memory/3544-161-0x00000000080F0000-0x00000000080F1000-memory.dmp
      Filesize

      4KB

      Download
    • memory/3544-130-0x0000000000C90000-0x0000000000C91000-memory.dmp
      Filesize

      4KB

      Download
    • memory/3544-223-0x000000007EE50000-0x000000007EE51000-memory.dmp
      Filesize

      4KB

      Download
    • memory/3544-125-0x0000000000000000-mapping.dmp
      Download
    • memory/3544-218-0x00000000092E0000-0x00000000092E1000-memory.dmp
      Filesize

      4KB

      Download
    • memory/3544-204-0x0000000008EE0000-0x0000000008EE1000-memory.dmp
      Filesize

      4KB

      Download
    • memory/3544-140-0x0000000007730000-0x0000000007731000-memory.dmp
      Filesize

      4KB

      Download
    • memory/3544-184-0x0000000008D60000-0x0000000008D93000-memory.dmp
      Filesize

      204KB

      Download
    • memory/3544-194-0x0000000008D40000-0x0000000008D41000-memory.dmp
      Filesize

      4KB

      Download
    • memory/3724-123-0x0000000012C10000-0x0000000012C82000-memory.dmp
      Filesize

      456KB

      Download
    • memory/3724-124-0x0000000000FF0000-0x000000000101D000-memory.dmp
      Filesize

      180KB

      Download
    • memory/3724-122-0x0000000005200000-0x000000000522D000-memory.dmp
      Filesize

      180KB

      Download
    • memory/3724-114-0x0000000000680000-0x0000000000681000-memory.dmp
      Filesize

      4KB

      Download
    • memory/3724-121-0x0000000004F50000-0x0000000004FEC000-memory.dmp
      Filesize

      624KB

      Download
    • memory/3724-120-0x00000000052A0000-0x00000000052A1000-memory.dmp
      Filesize

      4KB

      Download
    • memory/3724-119-0x0000000004FC0000-0x0000000004FC1000-memory.dmp
      Filesize

      4KB

      Download
    • memory/3724-118-0x0000000005090000-0x0000000005091000-memory.dmp
      Filesize

      4KB

      Download
    • memory/3724-117-0x0000000005590000-0x0000000005591000-memory.dmp
      Filesize

      4KB

      Download
    • memory/3724-116-0x0000000004FF0000-0x0000000004FF1000-memory.dmp
      Filesize

      4KB

      Download
    • memory/3960-127-0x0000000000000000-mapping.dmp
      Download