Overview

overview

10

Static

static

Quotation9...df.exe

windows7_x64

10

Quotation9...df.exe

windows10_x64

10

Analysis

  • max time kernel
    66s
  • max time network
    45s
  • platform
    windows7_x64
  • resource
    win7-20220331-en
  • submitted
    06-04-2022 05:02

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Quotation9011332.pdf.exe

  • Size

    419KB

  • MD5

    5016a372458c81a13e1adaa0baf5aa15

  • SHA1

    5a491e0c563d0838d15bf3933b663cb10a285523

  • SHA256

    0bb09b028f6802d5f9a967dd0a51f89f3b8fb939315abad0706c22e21651e376

  • SHA512

    80025833be31737ee86b365563c7d33931a128ec6f09d2153ecf77aa17c2de9402c2538e631589e5f8c0eac916a84b027b351ee55d2e1b522bd27926cf5d4e7e

Score
10/10
warzoneratinfostealerrat

Malware Config

Extracted

Family

warzonerat

C2

185.183.98.169:20911

Signatures

  • WarzoneRat, AveMaria

    WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.

    ratinfostealerwarzonerat
  • Warzone RAT Payload 7 IoCs
    rat
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Program crash 1 IoCs
  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: EnumeratesProcesses 17 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 32 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Quotation9011332.pdf.exe
    "C:\Users\Admin\AppData\Local\Temp\Quotation9011332.pdf.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1528
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\cnLTZKlLCDiW.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1920
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\cnLTZKlLCDiW" /XML "C:\Users\Admin\AppData\Local\Temp\tmpD78B.tmp"
      2⤵
      • Creates scheduled task(s)
      PID:1192
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
      2⤵
        PID:648
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        2⤵
          PID:1728
        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
          "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
          2⤵
          • Suspicious use of WriteProcessMemory
          PID:896
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -u -p 896 -s 200
            3⤵
            • Program crash
            PID:1028

      Network

      MITRE ATT&CK Matrix ATT&CK v6

      Initial Access

      Execution

      Scheduled Task

      1
      T1053

      Persistence

      Scheduled Task

      1
      T1053

      Privilege Escalation

      Scheduled Task

      1
      T1053

      Defense Evasion

      Credential Access

      Discovery

      System Information Discovery

      1
      T1082

      Lateral Movement

      Collection

      Exfiltration

      Command and Control

      Impact

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\tmpD78B.tmp
        Filesize

        1KB

        MD5

        10fffb8b3341b8c95a83f53cbe32c07a

        SHA1

        1c1a96eec2a712b732f0add97999dd54b4f164c4

        SHA256

        8aef835c9cabaf513f38059826792d62a48f99c6727d14f362c0d7bc24c6c67e

        SHA512

        dc7af499375b4161b34b4946e07923b6aa050c683eb718b7c4d60cd6e5001ac1f0bc2d0498017de2c68c9e082988cdf27c242e56347fe08cee8f7608986a1518

        Download Submit
      • memory/896-72-0x0000000000400000-0x0000000000554000-memory.dmp
        Filesize

        1.3MB

        Download
      • memory/896-62-0x0000000000400000-0x0000000000554000-memory.dmp
        Filesize

        1.3MB

        Download
      • memory/896-63-0x0000000000400000-0x0000000000554000-memory.dmp
        Filesize

        1.3MB

        Download
      • memory/896-65-0x0000000000400000-0x0000000000554000-memory.dmp
        Filesize

        1.3MB

        Download
      • memory/896-76-0x0000000000400000-0x0000000000554000-memory.dmp
        Filesize

        1.3MB

        Download
      • memory/896-73-0x0000000000405CE2-mapping.dmp
        Download
      • memory/896-71-0x0000000000400000-0x0000000000554000-memory.dmp
        Filesize

        1.3MB

        Download
      • memory/896-67-0x0000000000400000-0x0000000000554000-memory.dmp
        Filesize

        1.3MB

        Download
      • memory/896-70-0x0000000000400000-0x0000000000554000-memory.dmp
        Filesize

        1.3MB

        Download
      • memory/896-68-0x0000000000400000-0x0000000000554000-memory.dmp
        Filesize

        1.3MB

        Download
      • memory/1028-77-0x0000000000000000-mapping.dmp
        Download
      • memory/1192-58-0x0000000000000000-mapping.dmp
        Download
      • memory/1528-56-0x00000000054B0000-0x0000000005516000-memory.dmp
        Filesize

        408KB

        Download
      • memory/1528-61-0x0000000004330000-0x0000000004354000-memory.dmp
        Filesize

        144KB

        Download
      • memory/1528-54-0x00000000000F0000-0x0000000000160000-memory.dmp
        Filesize

        448KB

        Download
      • memory/1528-55-0x0000000000530000-0x000000000053A000-memory.dmp
        Filesize

        40KB

        Download
      • memory/1920-79-0x00000000022B2000-0x00000000022B4000-memory.dmp
        Filesize

        8KB

        Download
      • memory/1920-59-0x0000000075F11000-0x0000000075F13000-memory.dmp
        Filesize

        8KB

        Download
      • memory/1920-78-0x000000006E980000-0x000000006EF2B000-memory.dmp
        Filesize

        5.7MB

        Download
      • memory/1920-57-0x0000000000000000-mapping.dmp
        Download