Overview

overview

10

Static

static

ISF form =...32.scr

windows7_x64

10

ISF form =...32.scr

windows10-2004_x64

10

Invoice & ...32.scr

windows7_x64

10

Invoice & ...32.scr

windows10-2004_x64

10

VGM ==#EGL...32.scr

windows7_x64

10

VGM ==#EGL...32.scr

windows10-2004_x64

10

Analysis

  • max time kernel
    160s
  • max time network
    184s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220414-en
  • submitted
    21-05-2022 11:54

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Invoice & Packing list EGLV003090032432.scr

  • Size

    571KB

  • MD5

    165255e7fef985bb6a76cdd5dc0f3efe

  • SHA1

    4d4f455814cb607ae530fa589c6d1d3ed9e4173d

  • SHA256

    3266b45cbefcbd64ebc0b8e2a120a98e5fd72b94135c33a2f36aa510d9dbc207

  • SHA512

    10bfa4823ab3207b6a2ee0f9ddc0163ae7f5ebf12bf8589a9c2c72c59b31426b31699baacbf0b57ea4aeea897e8bf28cb9c3ffc4863b2c0ebba2e64ce636f818

Score
10/10
warzoneratinfostealerpersistencerat

Malware Config

Signatures

  • WarzoneRat, AveMaria

    WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.

    ratinfostealerwarzonerat
  • Executes dropped EXE 2 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Suspicious use of SetThreadContext 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 8 IoCs
  • Suspicious behavior: MapViewOfSection 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 20 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Invoice & Packing list EGLV003090032432.scr
    "C:\Users\Admin\AppData\Local\Temp\Invoice & Packing list EGLV003090032432.scr" /S
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: MapViewOfSection
    • Suspicious use of WriteProcessMemory
    PID:3396
    • C:\Users\Admin\AppData\Local\Temp\Invoice & Packing list EGLV003090032432.scr
      "C:\Users\Admin\AppData\Local\Temp\Invoice & Packing list EGLV003090032432.scr" /S
      2⤵
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:2216
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        powershell Add-MpPreference -ExclusionPath C:\
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4132
      • C:\ProgramData\images.exe
        "C:\ProgramData\images.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of WriteProcessMemory
        PID:5076
        • C:\ProgramData\images.exe
          "C:\ProgramData\images.exe"
          4⤵
          • Executes dropped EXE
          • Suspicious use of WriteProcessMemory
          PID:1076
          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            powershell Add-MpPreference -ExclusionPath C:\
            5⤵
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:4756
          • C:\Windows\SysWOW64\cmd.exe
            "C:\Windows\System32\cmd.exe"
            5⤵
              PID:4768

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Initial Access

    Execution

    Persistence

    Registry Run Keys / Startup Folder

    1
    T1060

    Privilege Escalation

    Defense Evasion

    Modify Registry

    1
    T1112

    Credential Access

    Discovery

    Lateral Movement

    Collection

    Exfiltration

    Command and Control

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\ProgramData\images.exe
      Filesize

      571KB

      MD5

      165255e7fef985bb6a76cdd5dc0f3efe

      SHA1

      4d4f455814cb607ae530fa589c6d1d3ed9e4173d

      SHA256

      3266b45cbefcbd64ebc0b8e2a120a98e5fd72b94135c33a2f36aa510d9dbc207

      SHA512

      10bfa4823ab3207b6a2ee0f9ddc0163ae7f5ebf12bf8589a9c2c72c59b31426b31699baacbf0b57ea4aeea897e8bf28cb9c3ffc4863b2c0ebba2e64ce636f818

      Download Submit
    • C:\ProgramData\images.exe
      Filesize

      571KB

      MD5

      165255e7fef985bb6a76cdd5dc0f3efe

      SHA1

      4d4f455814cb607ae530fa589c6d1d3ed9e4173d

      SHA256

      3266b45cbefcbd64ebc0b8e2a120a98e5fd72b94135c33a2f36aa510d9dbc207

      SHA512

      10bfa4823ab3207b6a2ee0f9ddc0163ae7f5ebf12bf8589a9c2c72c59b31426b31699baacbf0b57ea4aeea897e8bf28cb9c3ffc4863b2c0ebba2e64ce636f818

      Download Submit
    • C:\ProgramData\images.exe
      Filesize

      571KB

      MD5

      165255e7fef985bb6a76cdd5dc0f3efe

      SHA1

      4d4f455814cb607ae530fa589c6d1d3ed9e4173d

      SHA256

      3266b45cbefcbd64ebc0b8e2a120a98e5fd72b94135c33a2f36aa510d9dbc207

      SHA512

      10bfa4823ab3207b6a2ee0f9ddc0163ae7f5ebf12bf8589a9c2c72c59b31426b31699baacbf0b57ea4aeea897e8bf28cb9c3ffc4863b2c0ebba2e64ce636f818

      Download Submit
    • memory/1076-136-0x0000000000000000-mapping.dmp
      Download
    • memory/2216-130-0x0000000000000000-mapping.dmp
      Download
    • memory/3396-131-0x0000000000400000-0x0000000000495000-memory.dmp
      Filesize

      596KB

      Download
    • memory/4132-152-0x0000000007850000-0x0000000007ECA000-memory.dmp
      Filesize

      6.5MB

      Download
    • memory/4132-156-0x0000000007440000-0x000000000744E000-memory.dmp
      Filesize

      56KB

      Download
    • memory/4132-148-0x00000000064D0000-0x0000000006502000-memory.dmp
      Filesize

      200KB

      Download
    • memory/4132-139-0x0000000004960000-0x0000000004996000-memory.dmp
      Filesize

      216KB

      Download
    • memory/4132-140-0x0000000005150000-0x0000000005778000-memory.dmp
      Filesize

      6.2MB

      Download
    • memory/4132-141-0x0000000004F60000-0x0000000004F82000-memory.dmp
      Filesize

      136KB

      Download
    • memory/4132-142-0x0000000005830000-0x0000000005896000-memory.dmp
      Filesize

      408KB

      Download
    • memory/4132-143-0x0000000005910000-0x0000000005976000-memory.dmp
      Filesize

      408KB

      Download
    • memory/4132-132-0x0000000000000000-mapping.dmp
      Download
    • memory/4132-150-0x00000000064B0000-0x00000000064CE000-memory.dmp
      Filesize

      120KB

      Download
    • memory/4132-146-0x0000000005F00000-0x0000000005F1E000-memory.dmp
      Filesize

      120KB

      Download
    • memory/4132-149-0x00000000745F0000-0x000000007463C000-memory.dmp
      Filesize

      304KB

      Download
    • memory/4756-144-0x0000000000000000-mapping.dmp
      Download
    • memory/4756-151-0x00000000745F0000-0x000000007463C000-memory.dmp
      Filesize

      304KB

      Download
    • memory/4756-153-0x00000000070F0000-0x000000000710A000-memory.dmp
      Filesize

      104KB

      Download
    • memory/4756-154-0x0000000007160000-0x000000000716A000-memory.dmp
      Filesize

      40KB

      Download
    • memory/4756-155-0x0000000007370000-0x0000000007406000-memory.dmp
      Filesize

      600KB

      Download
    • memory/4756-157-0x0000000007430000-0x000000000744A000-memory.dmp
      Filesize

      104KB

      Download
    • memory/4756-158-0x0000000007410000-0x0000000007418000-memory.dmp
      Filesize

      32KB

      Download
    • memory/4768-147-0x0000000000D50000-0x0000000000D51000-memory.dmp
      Filesize

      4KB

      Download
    • memory/4768-145-0x0000000000000000-mapping.dmp
      Download
    • memory/5076-138-0x0000000000400000-0x0000000000495000-memory.dmp
      Filesize

      596KB

      Download
    • memory/5076-133-0x0000000000000000-mapping.dmp
      Download