Overview

overview

10

Static

static

text.exe

windows7_x64

10

text.exe

windows10_x64

10

Analysis

  • max time kernel
    238s
  • max time network
    311s
  • platform
    windows7_x64
  • resource
    win7v20210410
  • submitted
    23-07-2021 11:22

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    text.exe

  • Size

    1.1MB

  • MD5

    08e321e2f7a4fceebed7d9330c7e627b

  • SHA1

    2049c1f290d542fba9690958d97c25c0f9d2b39d

  • SHA256

    670a52daaf17c5925d5cb33c03e849a863f11f153d438519ec3c71083a90167b

  • SHA512

    f3ed6cf7f15f65878d547be2853376602236d4364f6d53566b8169fc05b26454c031f3b7b5630c5dd340054fdca81fe69f569aad9b1cc06cdef751f7eac3d1f1

Score
10/10
warzoneratinfostealerrat

Malware Config

Extracted

Family

warzonerat

C2

5.226.138.94:6621

Signatures

  • WarzoneRat, AveMaria

    WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.

    ratinfostealerwarzonerat
  • Warzone RAT Payload 3 IoCs
    rat
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 16 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\text.exe
    "C:\Users\Admin\AppData\Local\Temp\text.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1820
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ZQNDQxDJ" /XML "C:\Users\Admin\AppData\Local\Temp\tmp31DA.tmp"
      2⤵
      • Creates scheduled task(s)
      PID:888
    • C:\Users\Admin\AppData\Local\Temp\text.exe
      "C:\Users\Admin\AppData\Local\Temp\text.exe"
      2⤵
        PID:384

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Initial Access

    Execution

    Scheduled Task

    1
    T1053

    Persistence

    Scheduled Task

    1
    T1053

    Privilege Escalation

    Scheduled Task

    1
    T1053

    Defense Evasion

    Credential Access

    Discovery

    System Information Discovery

    1
    T1082

    Lateral Movement

    Collection

    Exfiltration

    Command and Control

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\tmp31DA.tmp
      MD5

      ba3e1cafa69b4032b31d5156003e044a

      SHA1

      af950a7ee0e49b0e9099781b5561ed9393d611da

      SHA256

      5ffe0f638a44ccb5e8e03750889f65a0d744e6b31e5f3e2fc93b36f81fffb98b

      SHA512

      2231a57a3cd02a905e9afa6ff73c8e1ed622a5b37b1dd9b52df9b6fe81bc528f33fd7b620e06d1eb6ff8028e53e0e9334a513adf5193cb77156da68560e89e0f

      Download Submit
    • memory/384-67-0x0000000000400000-0x0000000000554000-memory.dmp
      Filesize

      1.3MB

      Download
    • memory/384-68-0x0000000000405CE2-mapping.dmp
      Download
    • memory/384-69-0x0000000075FE1000-0x0000000075FE3000-memory.dmp
      Filesize

      8KB

      Download
    • memory/384-70-0x0000000000400000-0x0000000000554000-memory.dmp
      Filesize

      1.3MB

      Download
    • memory/888-65-0x0000000000000000-mapping.dmp
      Download
    • memory/1820-59-0x00000000002D0000-0x00000000002D1000-memory.dmp
      Filesize

      4KB

      Download
    • memory/1820-61-0x0000000004DD0000-0x0000000004DD1000-memory.dmp
      Filesize

      4KB

      Download
    • memory/1820-62-0x00000000004E0000-0x000000000050D000-memory.dmp
      Filesize

      180KB

      Download
    • memory/1820-63-0x0000000006FC0000-0x0000000007027000-memory.dmp
      Filesize

      412KB

      Download
    • memory/1820-64-0x0000000000810000-0x0000000000832000-memory.dmp
      Filesize

      136KB

      Download