Overview

overview

10

Static

static

ISF form =...32.scr

windows7_x64

10

ISF form =...32.scr

windows10-2004_x64

10

Invoice & ...32.scr

windows7_x64

10

Invoice & ...32.scr

windows10-2004_x64

10

VGM ==#EGL...32.scr

windows7_x64

10

VGM ==#EGL...32.scr

windows10-2004_x64

10

Analysis

  • max time kernel
    131s
  • max time network
    169s
  • platform
    windows7_x64
  • resource
    win7-20220414-en
  • submitted
    21-05-2022 11:54

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Invoice & Packing list EGLV003090032432.scr

  • Size

    571KB

  • MD5

    165255e7fef985bb6a76cdd5dc0f3efe

  • SHA1

    4d4f455814cb607ae530fa589c6d1d3ed9e4173d

  • SHA256

    3266b45cbefcbd64ebc0b8e2a120a98e5fd72b94135c33a2f36aa510d9dbc207

  • SHA512

    10bfa4823ab3207b6a2ee0f9ddc0163ae7f5ebf12bf8589a9c2c72c59b31426b31699baacbf0b57ea4aeea897e8bf28cb9c3ffc4863b2c0ebba2e64ce636f818

Score
10/10
warzoneratinfostealerpersistencerat

Malware Config

Signatures

  • WarzoneRat, AveMaria

    WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.

    ratinfostealerwarzonerat
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Suspicious use of SetThreadContext 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious behavior: MapViewOfSection 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 26 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Invoice & Packing list EGLV003090032432.scr
    "C:\Users\Admin\AppData\Local\Temp\Invoice & Packing list EGLV003090032432.scr" /S
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: MapViewOfSection
    • Suspicious use of WriteProcessMemory
    PID:1312
    • C:\Users\Admin\AppData\Local\Temp\Invoice & Packing list EGLV003090032432.scr
      "C:\Users\Admin\AppData\Local\Temp\Invoice & Packing list EGLV003090032432.scr" /S
      2⤵
      • Loads dropped DLL
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:1944
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        powershell Add-MpPreference -ExclusionPath C:\
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1796
      • C:\ProgramData\images.exe
        "C:\ProgramData\images.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of WriteProcessMemory
        PID:1600
        • C:\ProgramData\images.exe
          "C:\ProgramData\images.exe"
          4⤵
          • Executes dropped EXE
          • Suspicious use of WriteProcessMemory
          PID:112
          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            powershell Add-MpPreference -ExclusionPath C:\
            5⤵
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1360
          • C:\Windows\SysWOW64\cmd.exe
            "C:\Windows\System32\cmd.exe"
            5⤵
              PID:476

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Initial Access

    Execution

    Persistence

    Registry Run Keys / Startup Folder

    1
    T1060

    Privilege Escalation

    Defense Evasion

    Modify Registry

    1
    T1112

    Credential Access

    Discovery

    Lateral Movement

    Collection

    Exfiltration

    Command and Control

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\ProgramData\images.exe
      Filesize

      571KB

      MD5

      165255e7fef985bb6a76cdd5dc0f3efe

      SHA1

      4d4f455814cb607ae530fa589c6d1d3ed9e4173d

      SHA256

      3266b45cbefcbd64ebc0b8e2a120a98e5fd72b94135c33a2f36aa510d9dbc207

      SHA512

      10bfa4823ab3207b6a2ee0f9ddc0163ae7f5ebf12bf8589a9c2c72c59b31426b31699baacbf0b57ea4aeea897e8bf28cb9c3ffc4863b2c0ebba2e64ce636f818

      Download Submit
    • C:\ProgramData\images.exe
      Filesize

      571KB

      MD5

      165255e7fef985bb6a76cdd5dc0f3efe

      SHA1

      4d4f455814cb607ae530fa589c6d1d3ed9e4173d

      SHA256

      3266b45cbefcbd64ebc0b8e2a120a98e5fd72b94135c33a2f36aa510d9dbc207

      SHA512

      10bfa4823ab3207b6a2ee0f9ddc0163ae7f5ebf12bf8589a9c2c72c59b31426b31699baacbf0b57ea4aeea897e8bf28cb9c3ffc4863b2c0ebba2e64ce636f818

      Download Submit
    • C:\ProgramData\images.exe
      Filesize

      571KB

      MD5

      165255e7fef985bb6a76cdd5dc0f3efe

      SHA1

      4d4f455814cb607ae530fa589c6d1d3ed9e4173d

      SHA256

      3266b45cbefcbd64ebc0b8e2a120a98e5fd72b94135c33a2f36aa510d9dbc207

      SHA512

      10bfa4823ab3207b6a2ee0f9ddc0163ae7f5ebf12bf8589a9c2c72c59b31426b31699baacbf0b57ea4aeea897e8bf28cb9c3ffc4863b2c0ebba2e64ce636f818

      Download Submit
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
      Filesize

      7KB

      MD5

      ffed901eff6e5167adb3f640dea958ad

      SHA1

      401e4e5f0e77f43e3d98fde4b863af1a13014313

      SHA256

      712e8cf6dd4d7ec7c69bcd24ba0558f9c9b3a8fd6678b42d56d03b972b3cb8c4

      SHA512

      177b994ede186f8b3f8c38a7844c38a0b13188e9e1c4a9ef3ef30c3abf741cbfde0307a0e9c42921c35a663db5a10cdc7cc5dd6bd6e83ac3d637e8f6cb96591d

      Download Submit
    • \ProgramData\images.exe
      Filesize

      571KB

      MD5

      165255e7fef985bb6a76cdd5dc0f3efe

      SHA1

      4d4f455814cb607ae530fa589c6d1d3ed9e4173d

      SHA256

      3266b45cbefcbd64ebc0b8e2a120a98e5fd72b94135c33a2f36aa510d9dbc207

      SHA512

      10bfa4823ab3207b6a2ee0f9ddc0163ae7f5ebf12bf8589a9c2c72c59b31426b31699baacbf0b57ea4aeea897e8bf28cb9c3ffc4863b2c0ebba2e64ce636f818

      Download Submit
    • \ProgramData\images.exe
      Filesize

      571KB

      MD5

      165255e7fef985bb6a76cdd5dc0f3efe

      SHA1

      4d4f455814cb607ae530fa589c6d1d3ed9e4173d

      SHA256

      3266b45cbefcbd64ebc0b8e2a120a98e5fd72b94135c33a2f36aa510d9dbc207

      SHA512

      10bfa4823ab3207b6a2ee0f9ddc0163ae7f5ebf12bf8589a9c2c72c59b31426b31699baacbf0b57ea4aeea897e8bf28cb9c3ffc4863b2c0ebba2e64ce636f818

      Download Submit
    • memory/112-66-0x0000000000405907-mapping.dmp
      Download
    • memory/476-72-0x0000000000000000-mapping.dmp
      Download
    • memory/476-76-0x0000000000160000-0x0000000000161000-memory.dmp
      Filesize

      4KB

      Download
    • memory/1312-56-0x0000000000400000-0x0000000000495000-memory.dmp
      Filesize

      596KB

      Download
    • memory/1312-54-0x0000000075AE1000-0x0000000075AE3000-memory.dmp
      Filesize

      8KB

      Download
    • memory/1360-71-0x0000000000000000-mapping.dmp
      Download
    • memory/1360-75-0x0000000074060000-0x000000007460B000-memory.dmp
      Filesize

      5.7MB

      Download
    • memory/1600-69-0x0000000000400000-0x0000000000495000-memory.dmp
      Filesize

      596KB

      Download
    • memory/1600-61-0x0000000000000000-mapping.dmp
      Download
    • memory/1796-58-0x0000000000000000-mapping.dmp
      Download
    • memory/1796-70-0x0000000074040000-0x00000000745EB000-memory.dmp
      Filesize

      5.7MB

      Download
    • memory/1944-55-0x0000000000405907-mapping.dmp
      Download