Overview

overview

10

Static

static

Quotation9...df.exe

windows7_x64

10

Quotation9...df.exe

windows10_x64

10

Analysis

  • max time kernel
    128s
  • max time network
    148s
  • platform
    windows10_x64
  • resource
    win10-20220310-en
  • submitted
    06-04-2022 05:02

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Quotation9011332.pdf.exe

  • Size

    419KB

  • MD5

    5016a372458c81a13e1adaa0baf5aa15

  • SHA1

    5a491e0c563d0838d15bf3933b663cb10a285523

  • SHA256

    0bb09b028f6802d5f9a967dd0a51f89f3b8fb939315abad0706c22e21651e376

  • SHA512

    80025833be31737ee86b365563c7d33931a128ec6f09d2153ecf77aa17c2de9402c2538e631589e5f8c0eac916a84b027b351ee55d2e1b522bd27926cf5d4e7e

Score
10/10
warzoneratinfostealerrat

Malware Config

Extracted

Family

warzonerat

C2

185.183.98.169:20911

Signatures

  • WarzoneRat, AveMaria

    WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.

    ratinfostealerwarzonerat
  • Warzone RAT Payload 3 IoCs
    rat
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Program crash 1 IoCs
  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: EnumeratesProcesses 18 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 17 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Quotation9011332.pdf.exe
    "C:\Users\Admin\AppData\Local\Temp\Quotation9011332.pdf.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3632
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\cnLTZKlLCDiW.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2008
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\cnLTZKlLCDiW" /XML "C:\Users\Admin\AppData\Local\Temp\tmp5FEB.tmp"
      2⤵
      • Creates scheduled task(s)
      PID:3608
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
      2⤵
        PID:160
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 160 -s 540
          3⤵
          • Program crash
          PID:1796

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Initial Access

    Execution

    Scheduled Task

    1
    T1053

    Persistence

    Scheduled Task

    1
    T1053

    Privilege Escalation

    Scheduled Task

    1
    T1053

    Defense Evasion

    Credential Access

    Discovery

    System Information Discovery

    1
    T1082

    Lateral Movement

    Collection

    Exfiltration

    Command and Control

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\tmp5FEB.tmp
      Filesize

      1KB

      MD5

      aabe5cd795048f146d3e8efbe16088d2

      SHA1

      bd46090554af5ee2ee017596d08d8b79103d664a

      SHA256

      fdb15499152f1fb6ac01d366b1e65b382b3aff585016cff24fa0769de30a4acc

      SHA512

      69dc9ee11910683fb804e117978362aedc6f1054b473a71e7a22acee592aa1d357e2f81527eb1bd80ebe4b23fef64ef3d452544df66e5e412e9973a0fb74d9d1

      Download Submit
    • memory/160-137-0x0000000000400000-0x0000000000554000-memory.dmp
      Filesize

      1.3MB

      Download
    • memory/160-135-0x0000000000405CE2-mapping.dmp
      Download
    • memory/160-134-0x0000000000400000-0x0000000000554000-memory.dmp
      Filesize

      1.3MB

      Download
    • memory/2008-142-0x0000000007F40000-0x0000000007F8B000-memory.dmp
      Filesize

      300KB

      Download
    • memory/2008-138-0x0000000007610000-0x0000000007632000-memory.dmp
      Filesize

      136KB

      Download
    • memory/2008-357-0x00000000093D0000-0x00000000093D8000-memory.dmp
      Filesize

      32KB

      Download
    • memory/2008-352-0x00000000093E0000-0x00000000093FA000-memory.dmp
      Filesize

      104KB

      Download
    • memory/2008-126-0x0000000000000000-mapping.dmp
      Download
    • memory/2008-159-0x0000000009430000-0x00000000094C4000-memory.dmp
      Filesize

      592KB

      Download
    • memory/2008-158-0x0000000009280000-0x0000000009325000-memory.dmp
      Filesize

      660KB

      Download
    • memory/2008-131-0x0000000000EE0000-0x0000000000F16000-memory.dmp
      Filesize

      216KB

      Download
    • memory/2008-132-0x0000000006FB0000-0x00000000075D8000-memory.dmp
      Filesize

      6.2MB

      Download
    • memory/2008-153-0x0000000008F10000-0x0000000008F2E000-memory.dmp
      Filesize

      120KB

      Download
    • memory/2008-152-0x0000000009150000-0x0000000009183000-memory.dmp
      Filesize

      204KB

      Download
    • memory/2008-143-0x00000000080A0000-0x0000000008116000-memory.dmp
      Filesize

      472KB

      Download
    • memory/2008-141-0x0000000007C50000-0x0000000007C6C000-memory.dmp
      Filesize

      112KB

      Download
    • memory/2008-140-0x0000000007900000-0x0000000007C50000-memory.dmp
      Filesize

      3.3MB

      Download
    • memory/2008-139-0x0000000007890000-0x00000000078F6000-memory.dmp
      Filesize

      408KB

      Download
    • memory/3608-127-0x0000000000000000-mapping.dmp
      Download
    • memory/3632-123-0x0000000008050000-0x00000000080EC000-memory.dmp
      Filesize

      624KB

      Download
    • memory/3632-119-0x0000000005E20000-0x000000000631E000-memory.dmp
      Filesize

      5.0MB

      Download
    • memory/3632-118-0x0000000000FB0000-0x0000000001020000-memory.dmp
      Filesize

      448KB

      Download
    • memory/3632-120-0x0000000005920000-0x00000000059B2000-memory.dmp
      Filesize

      584KB

      Download
    • memory/3632-121-0x0000000005830000-0x000000000583A000-memory.dmp
      Filesize

      40KB

      Download
    • memory/3632-133-0x00000000017E0000-0x0000000001804000-memory.dmp
      Filesize

      144KB

      Download
    • memory/3632-122-0x0000000005B10000-0x0000000005B1A000-memory.dmp
      Filesize

      40KB

      Download
    • memory/3632-125-0x0000000001850000-0x00000000018B6000-memory.dmp
      Filesize

      408KB

      Download
    • memory/3632-124-0x0000000008290000-0x00000000082F6000-memory.dmp
      Filesize

      408KB

      Download