Overview

overview

10

Static

static

STATEMENT ...29.exe

windows7_x64

10

STATEMENT ...29.exe

windows10_x64

10

Analysis

  • max time kernel
    132s
  • max time network
    175s
  • platform
    windows7_x64
  • resource
    win7v20210408
  • submitted
    05-10-2021 13:32

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    STATEMENT OF ACCOUNT_2021-10-04989829.exe

  • Size

    415KB

  • MD5

    ba089fe4546d19803adad582ca6f2ec5

  • SHA1

    32c00e95b5f398c7bb7261feb35290e34c59d21f

  • SHA256

    014cd6b5ea8a3b792f7f8926eab05f857fa548a5c75bb6a2c0292f71536cb228

  • SHA512

    1b443fd3bdbe05de713311c867ef4b5c73d21eabcd9d89c4df5ad6e78c06c0cf390f52e04cd25a74754bf9cbe007e5abf25787f2dcb089bb66f929b2b0f93592

Score
10/10
warzoneratinfostealerpersistencerat

Malware Config

Extracted

Family

warzonerat

C2

176.126.86.243:2021

Signatures

  • WarzoneRat, AveMaria

    WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.

    ratinfostealerwarzonerat
  • Warzone RAT Payload 5 IoCs
    rat
  • Executes dropped EXE 3 IoCs
  • Sets DLL path for service in the registry 2 TTPs
    persistence
  • Loads dropped DLL 4 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Modifies WinLogon 2 TTPs 4 IoCs
    persistence
  • Drops file in System32 directory 1 IoCs
  • Suspicious use of SetThreadContext 2 IoCs
  • Drops file in Program Files directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Creates scheduled task(s) 1 TTPs 2 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: EnumeratesProcesses 15 IoCs
  • Suspicious behavior: LoadsDriver 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 55 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\STATEMENT OF ACCOUNT_2021-10-04989829.exe
    "C:\Users\Admin\AppData\Local\Temp\STATEMENT OF ACCOUNT_2021-10-04989829.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1104
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ExzJZVEPzsavn" /XML "C:\Users\Admin\AppData\Local\Temp\tmpADDB.tmp"
      2⤵
      • Creates scheduled task(s)
      PID:1716
    • C:\Users\Admin\AppData\Local\Temp\STATEMENT OF ACCOUNT_2021-10-04989829.exe
      "C:\Users\Admin\AppData\Local\Temp\STATEMENT OF ACCOUNT_2021-10-04989829.exe"
      2⤵
      • Loads dropped DLL
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:1876
      • C:\ProgramData\microsoftupdate.exe
        "C:\ProgramData\microsoftupdate.exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:1236
        • C:\Windows\SysWOW64\schtasks.exe
          "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ExzJZVEPzsavn" /XML "C:\Users\Admin\AppData\Local\Temp\tmp8E79.tmp"
          4⤵
          • Creates scheduled task(s)
          PID:684
        • C:\ProgramData\microsoftupdate.exe
          "C:\ProgramData\microsoftupdate.exe"
          4⤵
          • Executes dropped EXE
          PID:752
        • C:\ProgramData\microsoftupdate.exe
          "C:\ProgramData\microsoftupdate.exe"
          4⤵
          • Executes dropped EXE
          • Modifies WinLogon
          • Drops file in System32 directory
          • Drops file in Program Files directory
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:1620
          • C:\Windows\SysWOW64\cmd.exe
            "C:\Windows\System32\cmd.exe"
            5⤵
              PID:1760

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Initial Access

    Execution

    Scheduled Task

    1
    T1053

    Persistence

    Registry Run Keys / Startup Folder

    2
    T1060

    Winlogon Helper DLL

    1
    T1004

    Scheduled Task

    1
    T1053

    Privilege Escalation

    Scheduled Task

    1
    T1053

    Defense Evasion

    Modify Registry

    3
    T1112

    Credential Access

    Discovery

    System Information Discovery

    1
    T1082

    Lateral Movement

    Collection

    Exfiltration

    Command and Control

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\ProgramData\microsoftupdate.exe
      MD5

      ba089fe4546d19803adad582ca6f2ec5

      SHA1

      32c00e95b5f398c7bb7261feb35290e34c59d21f

      SHA256

      014cd6b5ea8a3b792f7f8926eab05f857fa548a5c75bb6a2c0292f71536cb228

      SHA512

      1b443fd3bdbe05de713311c867ef4b5c73d21eabcd9d89c4df5ad6e78c06c0cf390f52e04cd25a74754bf9cbe007e5abf25787f2dcb089bb66f929b2b0f93592

      Download Submit
    • C:\ProgramData\microsoftupdate.exe
      MD5

      ba089fe4546d19803adad582ca6f2ec5

      SHA1

      32c00e95b5f398c7bb7261feb35290e34c59d21f

      SHA256

      014cd6b5ea8a3b792f7f8926eab05f857fa548a5c75bb6a2c0292f71536cb228

      SHA512

      1b443fd3bdbe05de713311c867ef4b5c73d21eabcd9d89c4df5ad6e78c06c0cf390f52e04cd25a74754bf9cbe007e5abf25787f2dcb089bb66f929b2b0f93592

      Download Submit
    • C:\ProgramData\microsoftupdate.exe
      MD5

      ba089fe4546d19803adad582ca6f2ec5

      SHA1

      32c00e95b5f398c7bb7261feb35290e34c59d21f

      SHA256

      014cd6b5ea8a3b792f7f8926eab05f857fa548a5c75bb6a2c0292f71536cb228

      SHA512

      1b443fd3bdbe05de713311c867ef4b5c73d21eabcd9d89c4df5ad6e78c06c0cf390f52e04cd25a74754bf9cbe007e5abf25787f2dcb089bb66f929b2b0f93592

      Download Submit
    • C:\ProgramData\microsoftupdate.exe
      MD5

      ba089fe4546d19803adad582ca6f2ec5

      SHA1

      32c00e95b5f398c7bb7261feb35290e34c59d21f

      SHA256

      014cd6b5ea8a3b792f7f8926eab05f857fa548a5c75bb6a2c0292f71536cb228

      SHA512

      1b443fd3bdbe05de713311c867ef4b5c73d21eabcd9d89c4df5ad6e78c06c0cf390f52e04cd25a74754bf9cbe007e5abf25787f2dcb089bb66f929b2b0f93592

      Download Submit
    • \Program Files\Microsoft DN1\sqlmap.dll
      MD5

      461ade40b800ae80a40985594e1ac236

      SHA1

      b3892eef846c044a2b0785d54a432b3e93a968c8

      SHA256

      798af20db39280f90a1d35f2ac2c1d62124d1f5218a2a0fa29d87a13340bd3e4

      SHA512

      421f9060c4b61fa6f4074508602a2639209032fd5df5bfc702a159e3bad5479684ccb3f6e02f3e38fb8db53839cf3f41fe58a3acad6ec1199a48dc333b2d8a26

      Download Submit
    • \ProgramData\microsoftupdate.exe
      MD5

      ba089fe4546d19803adad582ca6f2ec5

      SHA1

      32c00e95b5f398c7bb7261feb35290e34c59d21f

      SHA256

      014cd6b5ea8a3b792f7f8926eab05f857fa548a5c75bb6a2c0292f71536cb228

      SHA512

      1b443fd3bdbe05de713311c867ef4b5c73d21eabcd9d89c4df5ad6e78c06c0cf390f52e04cd25a74754bf9cbe007e5abf25787f2dcb089bb66f929b2b0f93592

      Download Submit
    • \ProgramData\microsoftupdate.exe
      MD5

      ba089fe4546d19803adad582ca6f2ec5

      SHA1

      32c00e95b5f398c7bb7261feb35290e34c59d21f

      SHA256

      014cd6b5ea8a3b792f7f8926eab05f857fa548a5c75bb6a2c0292f71536cb228

      SHA512

      1b443fd3bdbe05de713311c867ef4b5c73d21eabcd9d89c4df5ad6e78c06c0cf390f52e04cd25a74754bf9cbe007e5abf25787f2dcb089bb66f929b2b0f93592

      Download Submit
    • \ProgramData\microsoftupdate.exe
      MD5

      ba089fe4546d19803adad582ca6f2ec5

      SHA1

      32c00e95b5f398c7bb7261feb35290e34c59d21f

      SHA256

      014cd6b5ea8a3b792f7f8926eab05f857fa548a5c75bb6a2c0292f71536cb228

      SHA512

      1b443fd3bdbe05de713311c867ef4b5c73d21eabcd9d89c4df5ad6e78c06c0cf390f52e04cd25a74754bf9cbe007e5abf25787f2dcb089bb66f929b2b0f93592

      Download Submit
    • memory/684-79-0x0000000000000000-mapping.dmp
      Download
    • memory/1104-63-0x00000000003D0000-0x00000000003DA000-memory.dmp
      Filesize

      40KB

      Download
    • memory/1104-62-0x0000000004E50000-0x0000000004E51000-memory.dmp
      Filesize

      4KB

      Download
    • memory/1104-60-0x0000000001260000-0x0000000001261000-memory.dmp
      Filesize

      4KB

      Download
    • memory/1104-64-0x0000000000DA0000-0x0000000000DE1000-memory.dmp
      Filesize

      260KB

      Download
    • memory/1236-74-0x0000000001150000-0x0000000001151000-memory.dmp
      Filesize

      4KB

      Download
    • memory/1236-77-0x0000000004CE0000-0x0000000004CE1000-memory.dmp
      Filesize

      4KB

      Download
    • memory/1236-71-0x0000000000000000-mapping.dmp
      Download
    • memory/1620-84-0x0000000000405CE2-mapping.dmp
      Download
    • memory/1620-87-0x0000000000400000-0x0000000000554000-memory.dmp
      Filesize

      1.3MB

      Download
    • memory/1716-65-0x0000000000000000-mapping.dmp
      Download
    • memory/1760-88-0x0000000000000000-mapping.dmp
      Download
    • memory/1760-89-0x0000000000260000-0x0000000000261000-memory.dmp
      Filesize

      4KB

      Download
    • memory/1876-66-0x0000000000400000-0x0000000000554000-memory.dmp
      Filesize

      1.3MB

      Download
    • memory/1876-67-0x0000000000405CE2-mapping.dmp
      Download
    • memory/1876-69-0x0000000000400000-0x0000000000554000-memory.dmp
      Filesize

      1.3MB

      Download
    • memory/1876-68-0x0000000075551000-0x0000000075553000-memory.dmp
      Filesize

      8KB

      Download