Overview

overview

10

Static

static

1

New Order.xls.exe

windows7_x64

10

New Order.xls.exe

windows10_x64

10

Analysis

  • max time kernel
    149s
  • max time network
    152s
  • platform
    windows10_x64
  • resource
    win10-en-20211014
  • submitted
    28-10-2021 13:39

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    New Order.xls.exe

  • Size

    361KB

  • MD5

    0f3af49aed9b20bc69abe9f3c5b36364

  • SHA1

    73e825d30b8666d15b5d229e8a1f96c435bd8f9f

  • SHA256

    396cf03c5637b57c3b391d5bb7b8c05fce62d23ee9df51f99669268c5be28742

  • SHA512

    c70e515a227571eede0072316ce28180c8883c27ea469b6fb04101253b6e1b4a6e0ffb155c87a7a869f7aedeec7240ec1416f5f5b419612117e9ff7bba9f8274

Score
10/10
warzoneratinfostealerpersistencerat

Malware Config

Extracted

Family

warzonerat

C2

alliedofficewarz.ddns.net:6060

Signatures

  • WarzoneRat, AveMaria

    WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.

    ratinfostealerwarzonerat
  • Warzone RAT Payload 5 IoCs
    rat
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • NSIS installer 6 IoCs
    installer
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 36 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\New Order.xls.exe
    "C:\Users\Admin\AppData\Local\Temp\New Order.xls.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:3580
    • C:\Users\Admin\AppData\Local\Temp\New Order.xls.exe
      "C:\Users\Admin\AppData\Local\Temp\New Order.xls.exe"
      2⤵
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:3280
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        powershell Add-MpPreference -ExclusionPath C:\
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:548
      • C:\ProgramData\images.exe
        "C:\ProgramData\images.exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious use of WriteProcessMemory
        PID:1344
        • C:\ProgramData\images.exe
          "C:\ProgramData\images.exe"
          4⤵
          • Executes dropped EXE
          • Suspicious use of WriteProcessMemory
          PID:1280
          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            powershell Add-MpPreference -ExclusionPath C:\
            5⤵
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:3936
          • C:\Windows\SysWOW64\cmd.exe
            "C:\Windows\System32\cmd.exe"
            5⤵
              PID:2128

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Initial Access

    Execution

    Persistence

    Registry Run Keys / Startup Folder

    1
    T1060

    Privilege Escalation

    Defense Evasion

    Modify Registry

    1
    T1112

    Credential Access

    Discovery

    System Information Discovery

    1
    T1082

    Lateral Movement

    Collection

    Exfiltration

    Command and Control

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\ProgramData\images.exe
      MD5

      0f3af49aed9b20bc69abe9f3c5b36364

      SHA1

      73e825d30b8666d15b5d229e8a1f96c435bd8f9f

      SHA256

      396cf03c5637b57c3b391d5bb7b8c05fce62d23ee9df51f99669268c5be28742

      SHA512

      c70e515a227571eede0072316ce28180c8883c27ea469b6fb04101253b6e1b4a6e0ffb155c87a7a869f7aedeec7240ec1416f5f5b419612117e9ff7bba9f8274

      Download Submit
    • C:\ProgramData\images.exe
      MD5

      0f3af49aed9b20bc69abe9f3c5b36364

      SHA1

      73e825d30b8666d15b5d229e8a1f96c435bd8f9f

      SHA256

      396cf03c5637b57c3b391d5bb7b8c05fce62d23ee9df51f99669268c5be28742

      SHA512

      c70e515a227571eede0072316ce28180c8883c27ea469b6fb04101253b6e1b4a6e0ffb155c87a7a869f7aedeec7240ec1416f5f5b419612117e9ff7bba9f8274

      Download Submit
    • C:\ProgramData\images.exe
      MD5

      0f3af49aed9b20bc69abe9f3c5b36364

      SHA1

      73e825d30b8666d15b5d229e8a1f96c435bd8f9f

      SHA256

      396cf03c5637b57c3b391d5bb7b8c05fce62d23ee9df51f99669268c5be28742

      SHA512

      c70e515a227571eede0072316ce28180c8883c27ea469b6fb04101253b6e1b4a6e0ffb155c87a7a869f7aedeec7240ec1416f5f5b419612117e9ff7bba9f8274

      Download Submit
    • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
      MD5

      1c19c16e21c97ed42d5beabc93391fc5

      SHA1

      8ad83f8e0b3acf8dfbbf87931e41f0d664c4df68

      SHA256

      1bcd97396c83babfe6c5068ba590d7a3f8b70e72955a9d1e4070648e404cbf05

      SHA512

      7d18776d8f649b3d29c182ff03efc6cea8b527542ee55304980f24577aae8b64e37044407776e220984346c3998ace5f8853afa58c8b38407482a728e9495e0c

      Download Submit
    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
      MD5

      41436467643a7f0816825471f05a8e6c

      SHA1

      f0df425123b8831a200cff896c6f3638c326cca5

      SHA256

      b785dbc8e9ef4380a666ae229b0548ac4882078fcdf3198ec68faa4f454ccdd4

      SHA512

      e66c81e6e1135863bafc0a7800ef588b67afc94e4d89420b950630d58dc57fd5a6cbcbda347a26500b40cee69abfa9f26eff9d5767a0b74a126f82ee30e6c653

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\xs5zkg4aoo73
      MD5

      d41d8cd98f00b204e9800998ecf8427e

      SHA1

      da39a3ee5e6b4b0d3255bfef95601890afd80709

      SHA256

      e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

      SHA512

      cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

      Download Submit
    • \Users\Admin\AppData\Local\Temp\nsnBF4A.tmp\sczlg.dll
      MD5

      050c40e88dc3bd1657dc0f35058a95ad

      SHA1

      dcc74c0fbb382cf0eb0cc3177b17d9190635e753

      SHA256

      b50a1bae00a83af133e834a25fd298f561aaf8d6f3b5e2d79622305afdeb6977

      SHA512

      9e2e8e6e9c39a8af67cfa66fc4ada5f559f4e6e82abb45d8fc4e49b284fa2728fe205ba85705448e8a02bd802c0922b3d8edccfd0cb42c7273bef2bcd5b918c9

      Download Submit
    • \Users\Admin\AppData\Local\Temp\nsyCD25.tmp\sczlg.dll
      MD5

      050c40e88dc3bd1657dc0f35058a95ad

      SHA1

      dcc74c0fbb382cf0eb0cc3177b17d9190635e753

      SHA256

      b50a1bae00a83af133e834a25fd298f561aaf8d6f3b5e2d79622305afdeb6977

      SHA512

      9e2e8e6e9c39a8af67cfa66fc4ada5f559f4e6e82abb45d8fc4e49b284fa2728fe205ba85705448e8a02bd802c0922b3d8edccfd0cb42c7273bef2bcd5b918c9

      Download Submit
    • memory/548-160-0x0000000006B30000-0x0000000006B31000-memory.dmp
      Filesize

      4KB

      Download
    • memory/548-167-0x0000000000A80000-0x0000000000A81000-memory.dmp
      Filesize

      4KB

      Download
    • memory/548-130-0x0000000000A80000-0x0000000000A81000-memory.dmp
      Filesize

      4KB

      Download
    • memory/548-129-0x0000000000A80000-0x0000000000A81000-memory.dmp
      Filesize

      4KB

      Download
    • memory/548-211-0x0000000004523000-0x0000000004524000-memory.dmp
      Filesize

      4KB

      Download
    • memory/548-123-0x0000000000000000-mapping.dmp
      Download
    • memory/548-187-0x000000007F500000-0x000000007F501000-memory.dmp
      Filesize

      4KB

      Download
    • memory/548-139-0x0000000004430000-0x0000000004431000-memory.dmp
      Filesize

      4KB

      Download
    • memory/548-140-0x0000000006F90000-0x0000000006F91000-memory.dmp
      Filesize

      4KB

      Download
    • memory/548-142-0x0000000004522000-0x0000000004523000-memory.dmp
      Filesize

      4KB

      Download
    • memory/548-141-0x0000000004520000-0x0000000004521000-memory.dmp
      Filesize

      4KB

      Download
    • memory/548-180-0x0000000008F30000-0x0000000008F63000-memory.dmp
      Filesize

      204KB

      Download
    • memory/548-151-0x00000000075C0000-0x00000000075C1000-memory.dmp
      Filesize

      4KB

      Download
    • memory/1280-131-0x0000000000000000-mapping.dmp
      Download
    • memory/1280-138-0x0000000000450000-0x00000000005A4000-memory.dmp
      Filesize

      1.3MB

      Download
    • memory/1344-124-0x0000000000000000-mapping.dmp
      Download
    • memory/2128-159-0x0000000000F90000-0x0000000000F91000-memory.dmp
      Filesize

      4KB

      Download
    • memory/2128-147-0x0000000000000000-mapping.dmp
      Download
    • memory/3280-116-0x0000000000000000-mapping.dmp
      Download
    • memory/3280-117-0x0000000000450000-0x00000000005A4000-memory.dmp
      Filesize

      1.3MB

      Download
    • memory/3280-122-0x0000000000450000-0x00000000005A4000-memory.dmp
      Filesize

      1.3MB

      Download
    • memory/3936-162-0x0000000008410000-0x0000000008411000-memory.dmp
      Filesize

      4KB

      Download
    • memory/3936-184-0x000000007F700000-0x000000007F701000-memory.dmp
      Filesize

      4KB

      Download
    • memory/3936-145-0x0000000000E00000-0x0000000000E01000-memory.dmp
      Filesize

      4KB

      Download
    • memory/3936-164-0x00000000082C0000-0x00000000082C1000-memory.dmp
      Filesize

      4KB

      Download
    • memory/3936-155-0x0000000007C30000-0x0000000007C31000-memory.dmp
      Filesize

      4KB

      Download
    • memory/3936-166-0x0000000000E00000-0x0000000000E01000-memory.dmp
      Filesize

      4KB

      Download
    • memory/3936-143-0x0000000000000000-mapping.dmp
      Download
    • memory/3936-158-0x0000000006C02000-0x0000000006C03000-memory.dmp
      Filesize

      4KB

      Download
    • memory/3936-157-0x0000000006C00000-0x0000000006C01000-memory.dmp
      Filesize

      4KB

      Download
    • memory/3936-196-0x0000000009050000-0x0000000009051000-memory.dmp
      Filesize

      4KB

      Download
    • memory/3936-208-0x0000000006C03000-0x0000000006C04000-memory.dmp
      Filesize

      4KB

      Download
    • memory/3936-153-0x0000000007AF0000-0x0000000007AF1000-memory.dmp
      Filesize

      4KB

      Download
    • memory/3936-144-0x0000000000E00000-0x0000000000E01000-memory.dmp
      Filesize

      4KB

      Download
    • memory/3936-149-0x0000000007870000-0x0000000007871000-memory.dmp
      Filesize

      4KB

      Download