Overview

overview

10

Static

static

New purcha...ry.exe

windows7_x64

10

New purcha...ry.exe

windows10_x64

10

Analysis

  • max time kernel
    1198s
  • max time network
    1223s
  • platform
    windows7_x64
  • resource
    win7v20210408
  • submitted
    27-07-2021 15:16

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    New purchase order August Delivery.exe

  • Size

    627KB

  • MD5

    6759995c0cf74f1bc16b6f9c25b5809f

  • SHA1

    0834e5ea4a9b329adf6da984eb295e3132df4819

  • SHA256

    a2d837828437033b57d7fec2fd462bdbcc833a683abc71c85f05a0d56a89746b

  • SHA512

    e5200b6691a77ab425420fffce6306e4c1d6e0b1dffcc1d7df0b200099302de788233abdb0c4a5a9a4c20d545233be6e72823d0ca346f8f67191ff36bb786fa2

Score
10/10
warzoneratinfostealerrat

Malware Config

Extracted

Family

warzonerat

C2

51.210.65.37:4141

Signatures

  • WarzoneRat, AveMaria

    WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.

    ratinfostealerwarzonerat
  • CustAttr .NET packer 1 IoCs

    Detects CustAttr .NET packer in memory.

  • Warzone RAT Payload 3 IoCs
    rat
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 20 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\New purchase order August Delivery.exe
    "C:\Users\Admin\AppData\Local\Temp\New purchase order August Delivery.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2004
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\qooajdcEa" /XML "C:\Users\Admin\AppData\Local\Temp\tmpD365.tmp"
      2⤵
      • Creates scheduled task(s)
      PID:908
    • C:\Users\Admin\AppData\Local\Temp\New purchase order August Delivery.exe
      "C:\Users\Admin\AppData\Local\Temp\New purchase order August Delivery.exe"
      2⤵
        PID:652
      • C:\Users\Admin\AppData\Local\Temp\New purchase order August Delivery.exe
        "C:\Users\Admin\AppData\Local\Temp\New purchase order August Delivery.exe"
        2⤵
          PID:1796

      Network

      MITRE ATT&CK Enterprise v6

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\tmpD365.tmp
        MD5

        46e957b821d71a2108c83b2c03520d63

        SHA1

        d474ed9a91d49e7a348dbf669210a482aa3f6c07

        SHA256

        5f7519f91bc96617aea0c0210c2cbc8ca20d70f8eb50bba7fbf12b3326ced855

        SHA512

        5cf923c0098245d4b767e3825988de9bb0fd6ffaba71ba93ce271a47f8c85dae3faf84a6929f893411f4c99491d6f4fd42bace3f4bd5e0eac2f102880d3079d8

        Download Submit

      • memory/908-66-0x0000000000000000-mapping.dmp

        Download

      • memory/1796-68-0x0000000000400000-0x0000000000554000-memory.dmp

        Filesize

        1.3MB

        Download

      • memory/1796-69-0x0000000000405CE2-mapping.dmp

        Download

      • memory/1796-70-0x00000000754F1000-0x00000000754F3000-memory.dmp

        Filesize

        8KB

        Download

      • memory/1796-71-0x0000000000400000-0x0000000000554000-memory.dmp

        Filesize

        1.3MB

        Download

      • memory/2004-60-0x0000000000310000-0x0000000000311000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2004-62-0x00000000005A0000-0x00000000005A1000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2004-63-0x00000000003C0000-0x00000000003CB000-memory.dmp

        Filesize

        44KB

        Download

      • memory/2004-64-0x0000000004F40000-0x0000000004FA5000-memory.dmp

        Filesize

        404KB

        Download

      • memory/2004-65-0x00000000007E0000-0x0000000000804000-memory.dmp

        Filesize

        144KB

        Download