Analysis
max time kernel: 29s
max time network: 37s
platform: windows7_x64
resource: win7-en-20211208
submitted: 14-12-2021 02:03
Static task: static1
Behavioral task: behavioral1
Sample: New-Order_2021-12-14_01-44.exe
Resource: win7-en-20211208
Platform: windows7_x64
0 signatures
0 seconds
General
Target: New-Order_2021-12-14_01-44.exe
Size: 198KB
MD5: db2f1ed0345766e080940d66d31e6757
SHA1: 31ec6cd22db735c0695fe64aac87e138d2f3978b
SHA256: a1831c0238db7a6a5ae73a0c3e9c8be6075b20a3c9e393fc2a54fe830a923951
SHA512: fbaade57cf8ff2c93a45f24654a756bb038600314d6e658f241e3359d7c5f3f869071d60f777421f9d8e9d7b8adf143c14900399134572209e5e731759635936
Score: 10/10
Malware Config
Extracted
Family: warzonerat
C2: huhuhu.ooguy.com:5200
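As an added example (not part of this report or of any sandbox tooling), the following Python triage helper hashes a candidate file with the same four algorithms listed under General, compares the result against the report's hashes, and splits the extracted C2 string into a host and port for blocking or lookup. The hash values and C2 are copied from the report; the byte strings used for checking the code are constructed.

```python
import hashlib
from typing import Dict, Tuple

# Hash values and C2 exactly as listed in this report.
REPORT_HASHES: Dict[str, str] = {
    "md5": "db2f1ed0345766e080940d66d31e6757",
    "sha1": "31ec6cd22db735c0695fe64aac87e138d2f3978b",
    "sha256": "a1831c0238db7a6a5ae73a0c3e9c8be6075b20a3c9e393fc2a54fe830a923951",
    "sha512": (
        "fbaade57cf8ff2c93a45f24654a756bb038600314d6e658f241e3359d7c5f3f8"
        "69071d60f777421f9d8e9d7b8adf143c14900399134572209e5e731759635936"
    ),
}
REPORT_C2 = "huhuhu.ooguy.com:5200"

ALGORITHMS = ("md5", "sha1", "sha256", "sha512")


def _new_hashers():
    return {name: hashlib.new(name) for name in ALGORITHMS}


def hash_bytes(data: bytes) -> Dict[str, str]:
    """Compute all four digests the report lists in a single pass over the data."""
    hashers = _new_hashers()
    for h in hashers.values():
        h.update(data)
    return {name: h.hexdigest() for name, h in hashers.items()}


def hash_file(path: str, chunk_size: int = 1 << 20) -> Dict[str, str]:
    """Same as hash_bytes but streamed, so a large sample never has to be read whole."""
    hashers = _new_hashers()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def match_report(digests: Dict[str, str],
                 expected: Dict[str, str] = REPORT_HASHES) -> Dict[str, bool]:
    """Per-algorithm comparison, case-insensitive on the hex.

    All True: the file is the sample this report describes. All False: a
    different file. A mixed result means the hash list itself is inconsistent
    (typo, mislabeled algorithm) and should be treated as untrusted rather
    than as a partial match.
    """
    return {name: digests.get(name, "").lower() == value.lower()
            for name, value in expected.items()}


def parse_c2(c2: str) -> Tuple[str, int]:
    """Split a 'host:port' C2 entry from the extracted config.

    rpartition on the last ':' keeps this correct if the host part ever
    contains a colon; the port must be a decimal number in the TCP range.
    """
    host, sep, port = c2.rpartition(":")
    if not sep or not host or not port.isdigit():
        raise ValueError(f"malformed C2 entry: {c2!r}")
    port_num = int(port)
    if not 0 < port_num < 65536:
        raise ValueError(f"port out of range in C2 entry: {c2!r}")
    return host, port_num


def is_valid_c2(c2: str) -> bool:
    """Boolean wrapper around parse_c2 for filtering config extractions."""
    try:
        parse_c2(c2)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    import sys
    for path in sys.argv[1:]:
        result = match_report(hash_file(path))
        verdict = "MATCH" if all(result.values()) else "no match"
        print(f"{path}: {verdict} {result}")
    print("C2 host/port:", parse_c2(REPORT_C2))
```

Run it as `python3 triage_hashes.py <file>` (script name is arbitrary) against a quarantined file to confirm it is the same sample before reusing this report's verdict; the C2 hostname and port are what a network block or passive-DNS lookup needs, not the combined string.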
Signatures
WarzoneRat, AveMaria
WarzoneRat (also tracked as AveMaria) is a native RAT written in C++, sold as malware-as-a-service (MaaS) with multiple plugins.
Warzone RAT Payload 2 IoCs
Processes:
resource: behavioral1/memory/1608-55-0x0000000000220000-0x000000000023E000-memory.dmp
yara_rule: warzonerat
resource: behavioral1/memory/1608-56-0x0000000000400000-0x0000000000824000-memory.dmp
yara_rule: warzonerat
Reads user/profile data of web browsers 2 TTPs
Infostealers commonly target stored browser data, which can include saved credentials, cookies and autofill data.
Accesses Microsoft Outlook profiles 1 TTPs 2 IoCs
Processes: New-Order_2021-12-14_01-44.exe
description: Key opened
ioc: \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
process: New-Order_2021-12-14_01-44.exe
description: Key opened
ioc: \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
process: New-Order_2021-12-14_01-44.exe
outlook_office_path 1 IoCs
Processes: New-Order_2021-12-14_01-44.exe
description: Key opened
ioc: \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
process: New-Order_2021-12-14_01-44.exe
outlook_win_path 1 IoCs
Processes: New-Order_2021-12-14_01-44.exe
description: Key opened
ioc: \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
process: New-Order_2021-12-14_01-44.exe
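The two registry paths above are the Outlook profile stores (the legacy Windows Messaging Subsystem location and the Office-versioned one), which is where a credential stealer looks for mail account settings. As an added example that is not part of the report, the Python below turns that into detection logic: it matches registry-open events against both profile locations and flags any image other than Outlook. The sandbox's "Key opened" record corresponds to a handle open; on a production host that is what a 4656/4663 registry object-access audit event provides (Sysmon's registry events 12-14 cover create, set and delete, not opens, so a SACL on these keys is needed). The sample events, the image path of the sample, and the allow-list of expected images are constructed assumptions.

```python
import re
from typing import Dict, Iterable, List

# Registry locations that hold Outlook/MAPI profiles, taken from the two IoC
# paths in this report. The Office version is a wildcard so the same rule
# covers 15.0/16.0 hives on other hosts, and the legacy Windows Messaging
# Subsystem path is included because the sample opened both.
OUTLOOK_PROFILE_KEY = re.compile(
    r"\\software\\microsoft\\"
    r"(?:windows nt\\currentversion\\windows messaging subsystem"
    r"|office\\\d+\.\d+\\outlook)"
    r"\\profiles\\",
    re.IGNORECASE,
)

# Assumption: on a normal workstation only Outlook itself opens these keys.
# Extend for MAPI-aware backup or migration agents present in your estate.
EXPECTED_IMAGES = {"outlook.exe"}


def image_name(process_path: str) -> str:
    """Lower-cased basename of a Windows image path ('C:\\...\\foo.exe' -> 'foo.exe')."""
    return process_path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def is_outlook_profile_key(key_path: str) -> bool:
    """True if the path points into an Outlook profile store (either hive layout)."""
    return OUTLOOK_PROFILE_KEY.search(key_path) is not None


def find_profile_access(events: Iterable[Dict[str, str]]) -> List[Dict[str, str]]:
    """Return registry-open events on Outlook profile keys by unexpected images.

    Each event carries 'process' (full image path) and 'object' (registry
    path), the two fields a Windows 4656/4663 registry audit event or a
    sandbox 'Key opened' record provides. Comparison is by image basename
    only, so a renamed copy of a legitimate binary is not excused by its
    directory; if your telemetry is reliable, allow-list full paths instead.
    """
    hits: List[Dict[str, str]] = []
    for ev in events:
        key = ev.get("object", "")
        if not is_outlook_profile_key(key):
            continue
        img = image_name(ev.get("process", ""))
        if img in EXPECTED_IMAGES:
            continue
        hits.append({"process": img, "object": key})
    return hits


# Constructed sample events (not the report's process log): the two IoC paths
# from this report attributed to the sample, one benign open by Outlook, and
# one unrelated key. The image directories are assumptions.
SID = "S-1-5-21-3846991908-3261386348-1409841751-1000"
HKU = "\\REGISTRY\\USER\\" + SID
SAMPLE_EXE = r"C:\Users\Admin\Desktop\New-Order_2021-12-14_01-44.exe"
OUTLOOK_EXE = r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE"
WIN_PROFILE = HKU + r"\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676"
OFFICE_PROFILE = HKU + r"\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676"
SAMPLE_EVENTS = [
    {"process": SAMPLE_EXE, "object": WIN_PROFILE},
    {"process": SAMPLE_EXE, "object": OFFICE_PROFILE},
    {"process": OUTLOOK_EXE, "object": OFFICE_PROFILE},
    {"process": SAMPLE_EXE, "object": HKU + r"\Software\Microsoft\Windows\CurrentVersion\Run"},
]

if __name__ == "__main__":
    for hit in find_profile_access(SAMPLE_EVENTS):
        print(f"ALERT {hit['process']} opened {hit['object']}")
```

The rule is deliberately keyed on the `\Profiles\` subtree rather than the specific profile GUID, since the GUID is per-profile and the 9375CFF0... value seen here is simply the default MAPI profile container.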
Processes
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
memory/1608-53-0x0000000075D11000-0x0000000075D13000-memory.dmp (Filesize: 8KB)
memory/1608-55-0x0000000000220000-0x000000000023E000-memory.dmp (Filesize: 120KB)
memory/1608-54-0x0000000000020000-0x0000000000032000-memory.dmp (Filesize: 72KB)
memory/1608-56-0x0000000000400000-0x0000000000824000-memory.dmp (Filesize: 4.1MB)
memory/1608-57-0x0000000003AF0000-0x0000000003B74000-memory.dmp (Filesize: 528KB)
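The dump names encode the PID, a dump index and the start and end virtual addresses of each region, so the listed file sizes can be recomputed from the names alone. As an added example (not part of the report or the sandbox), the Python below parses that naming scheme for both the Downloads list and the YARA hit entries (which carry a `behavioral1/` prefix), recomputes the region sizes, and picks out the region at 0x400000, the default image base of a 32-bit EXE. In this report that region is 4.1MB and carried the warzonerat YARA match while the file on disk is 198KB; the expansion ratio is a simple heuristic for a sample that unpacked in place. The list of names is copied from the report; the naming pattern and the heuristic are assumptions.

```python
import re
from typing import List, NamedTuple, Optional

# Naming scheme of the dumps listed under Downloads and in the YARA hits
# (assumed from the names on this page):
#   [behavioral1/]memory/<pid>-<index>-0x<start>-0x<end>-memory.dmp
DUMP_NAME = re.compile(
    r"^(?:behavioral\d+/)?memory/(?P<pid>\d+)-(?P<index>\d+)-"
    r"0x(?P<start>[0-9A-Fa-f]+)-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp$"
)

# Default image base the MSVC linker assigns to 32-bit executables.
DEFAULT_32BIT_IMAGE_BASE = 0x400000

# Dump names exactly as listed in this report.
REPORT_DUMPS = [
    "memory/1608-53-0x0000000075D11000-0x0000000075D13000-memory.dmp",
    "memory/1608-55-0x0000000000220000-0x000000000023E000-memory.dmp",
    "memory/1608-54-0x0000000000020000-0x0000000000032000-memory.dmp",
    "memory/1608-56-0x0000000000400000-0x0000000000824000-memory.dmp",
    "memory/1608-57-0x0000000003AF0000-0x0000000003B74000-memory.dmp",
]
REPORT_FILE_SIZE = 198 * 1024  # "Size: 198KB" under General


class Region(NamedTuple):
    pid: int
    index: int
    start: int
    end: int

    @property
    def size(self) -> int:
        return self.end - self.start


def parse_dump_name(name: str) -> Optional[Region]:
    """Parse one dump file name; None for names that do not fit the scheme."""
    m = DUMP_NAME.match(name.strip())
    if not m:
        return None
    start, end = int(m["start"], 16), int(m["end"], 16)
    if end <= start:
        return None  # zero- or negative-length region: malformed name
    return Region(int(m["pid"]), int(m["index"]), start, end)


def format_size(n: int) -> str:
    """Render a byte count the way the report does: whole KB below 1 MiB, else one-decimal MB."""
    if n >= 1 << 20:
        return f"{n / (1 << 20):.1f}MB"
    return f"{n // 1024}KB"


def regions_for(names: List[str]) -> List[Region]:
    """Parse a list of names, silently dropping anything that is not a dump name."""
    return [r for r in (parse_dump_name(n) for n in names) if r is not None]


def largest_region(regions: List[Region]) -> Region:
    return max(regions, key=lambda r: r.size)


def at_default_image_base(region: Region) -> bool:
    """True for the region that starts at the 32-bit default image base."""
    return region.start == DEFAULT_32BIT_IMAGE_BASE


def expansion_ratio(region: Region, file_size: int) -> float:
    """How much larger the in-memory image region is than the file on disk.

    A ratio far above 1 for the region at the image base is consistent with a
    packed sample that expanded itself in place; it is a triage hint, not proof.
    """
    return region.size / file_size


if __name__ == "__main__":
    regs = regions_for(REPORT_DUMPS)
    for r in sorted(regs, key=lambda r: r.start):
        tag = "  <- image base" if at_default_image_base(r) else ""
        print(f"pid {r.pid} #{r.index} {r.start:#010x}-{r.end:#010x} {format_size(r.size)}{tag}")
    big = largest_region(regs)
    print(f"largest region is {expansion_ratio(big, REPORT_FILE_SIZE):.1f}x the 198KB file")
```

Feeding the names from the YARA hit list through the same parser confirms the 0x400000 region that matched warzonerat is the largest dump and the one at the image base; the 0x220000 hit is a separate small region, which is where an analyst would start when looking for the unpacked configuration.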