Overview

overview

10

Static

static

New purcha...ry.exe

windows7_x64

10

New purcha...ry.exe

windows10_x64

10

Analysis

  • max time kernel
    1197s
  • max time network
    1199s
  • platform
    windows10_x64
  • resource
    win10v20210410
  • submitted
    27-07-2021 15:16

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    New purchase order August Delivery.exe

  • Size

    627KB

  • MD5

    6759995c0cf74f1bc16b6f9c25b5809f

  • SHA1

    0834e5ea4a9b329adf6da984eb295e3132df4819

  • SHA256

    a2d837828437033b57d7fec2fd462bdbcc833a683abc71c85f05a0d56a89746b

  • SHA512

    e5200b6691a77ab425420fffce6306e4c1d6e0b1dffcc1d7df0b200099302de788233abdb0c4a5a9a4c20d545233be6e72823d0ca346f8f67191ff36bb786fa2

Score
10/10
warzoneratinfostealerrat

Malware Config

Extracted

Family

warzonerat

C2

51.210.65.37:4141

Signatures

  • WarzoneRat, AveMaria

    WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.

    ratinfostealerwarzonerat
  • CustAttr .NET packer 1 IoCs

    Detects CustAttr .NET packer in memory.

  • Warzone RAT Payload 3 IoCs
    rat
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 17 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\New purchase order August Delivery.exe
    "C:\Users\Admin\AppData\Local\Temp\New purchase order August Delivery.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4428
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\qooajdcEa" /XML "C:\Users\Admin\AppData\Local\Temp\tmpC51B.tmp"
      2⤵
      • Creates scheduled task(s)
      PID:4120
    • C:\Users\Admin\AppData\Local\Temp\New purchase order August Delivery.exe
      "C:\Users\Admin\AppData\Local\Temp\New purchase order August Delivery.exe"
      2⤵
        PID:4164
      • C:\Users\Admin\AppData\Local\Temp\New purchase order August Delivery.exe
        "C:\Users\Admin\AppData\Local\Temp\New purchase order August Delivery.exe"
        2⤵
          PID:4172

      Network

      MITRE ATT&CK Enterprise v6

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\tmpC51B.tmp
        MD5

        0e7f5e3d2468c85780d8966717869505

        SHA1

        f1ed1b1c3799ac1d10857faf5021f7bc4c7e6ad7

        SHA256

        d080c5e31fb22667c1cb17bf6a9b07c16e01091a3a175a682be9c3644540a95f

        SHA512

        9260c9a12a5eb452b125de2903f2d4c7af49b516cc5b53cb29de45040dcb63d67730ccfaf3ab5293fdccafa09748bbfc00852c5b8dad4b8cbc14716b55997bb9

        Download Submit

      • memory/4120-124-0x0000000000000000-mapping.dmp

        Download

      • memory/4172-128-0x0000000000400000-0x0000000000554000-memory.dmp

        Filesize

        1.3MB

        Download

      • memory/4172-126-0x0000000000400000-0x0000000000554000-memory.dmp

        Filesize

        1.3MB

        Download

      • memory/4172-127-0x0000000000405CE2-mapping.dmp

        Download

      • memory/4428-118-0x00000000052C0000-0x00000000052C1000-memory.dmp

        Filesize

        4KB

        Download

      • memory/4428-121-0x0000000007560000-0x000000000756B000-memory.dmp

        Filesize

        44KB

        Download

      • memory/4428-122-0x0000000008AF0000-0x0000000008B55000-memory.dmp

        Filesize

        404KB

        Download

      • memory/4428-123-0x0000000008B70000-0x0000000008B94000-memory.dmp

        Filesize

        144KB

        Download

      • memory/4428-120-0x0000000005180000-0x000000000567E000-memory.dmp

        Filesize

        5.0MB

        Download

      • memory/4428-119-0x00000000051E0000-0x00000000051E1000-memory.dmp

        Filesize

        4KB

        Download

      • memory/4428-114-0x0000000000900000-0x0000000000901000-memory.dmp

        Filesize

        4KB

        Download

      • memory/4428-117-0x0000000005220000-0x0000000005221000-memory.dmp

        Filesize

        4KB

        Download

      • memory/4428-116-0x0000000005680000-0x0000000005681000-memory.dmp

        Filesize

        4KB

        Download