Overview

overview

10

Static

static

New Order.exe

windows7_x64

10

New Order.exe

windows10-2004_x64

10

Analysis

  • max time kernel
    145s
  • max time network
    154s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220414-en
  • submitted
    21-05-2022 18:38

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    New Order.exe

  • Size

    1.3MB

  • MD5

    fb5b35716632d1ec30f13ea6c1c8ac69

  • SHA1

    c4a066ecb0e73b431561eb5f209af51e361f0467

  • SHA256

    a33a4dcab1d0b4c87dc0041862aef871d365273a0baa94162ef4ff85af51c578

  • SHA512

    c1028ab4f4830c1166ba393ac1fff986e6c6cb9ada84af54c707998342005297e3abb16129368c2420cecebd4877d11edc9dca1ed118eabe349521e58139245b

Score
10/10
warzoneratinfostealerpersistencerat

Malware Config

Extracted

Family

warzonerat

C2

79.134.225.40:5200

Signatures

  • WarzoneRat, AveMaria

    WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.

    ratinfostealerwarzonerat
  • Warzone RAT Payload 3 IoCs
    rat
  • Executes dropped EXE 1 IoCs
  • Drops startup file 2 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • NTFS ADS 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 14 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\New Order.exe
    "C:\Users\Admin\AppData\Local\Temp\New Order.exe"
    1⤵
    • Drops startup file
    • Adds Run key to start application
    • NTFS ADS
    • Suspicious use of WriteProcessMemory
    PID:2052
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell Add-MpPreference -ExclusionPath C:\
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:828
    • C:\ProgramData\images.exe
      "C:\ProgramData\images.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:4484
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        powershell Add-MpPreference -ExclusionPath C:\
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:3976
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe"
        3⤵
          PID:4308

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Initial Access

    Execution

    Persistence

    Registry Run Keys / Startup Folder

    1
    T1060

    Privilege Escalation

    Defense Evasion

    Modify Registry

    1
    T1112

    Credential Access

    Discovery

    Lateral Movement

    Collection

    Exfiltration

    Command and Control

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\ProgramData\images.exe
      Filesize

      1.3MB

      MD5

      fb5b35716632d1ec30f13ea6c1c8ac69

      SHA1

      c4a066ecb0e73b431561eb5f209af51e361f0467

      SHA256

      a33a4dcab1d0b4c87dc0041862aef871d365273a0baa94162ef4ff85af51c578

      SHA512

      c1028ab4f4830c1166ba393ac1fff986e6c6cb9ada84af54c707998342005297e3abb16129368c2420cecebd4877d11edc9dca1ed118eabe349521e58139245b

      Download Submit
    • C:\ProgramData\images.exe
      Filesize

      1.3MB

      MD5

      fb5b35716632d1ec30f13ea6c1c8ac69

      SHA1

      c4a066ecb0e73b431561eb5f209af51e361f0467

      SHA256

      a33a4dcab1d0b4c87dc0041862aef871d365273a0baa94162ef4ff85af51c578

      SHA512

      c1028ab4f4830c1166ba393ac1fff986e6c6cb9ada84af54c707998342005297e3abb16129368c2420cecebd4877d11edc9dca1ed118eabe349521e58139245b

      Download Submit
    • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
      Filesize

      2KB

      MD5

      968cb9309758126772781b83adb8a28f

      SHA1

      8da30e71accf186b2ba11da1797cf67f8f78b47c

      SHA256

      92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a

      SHA512

      4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

      Download Submit
    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
      Filesize

      18KB

      MD5

      b0a5824f88e32f364473ce6987c15d59

      SHA1

      00b2951c5c593e61ce112f08acd15acb6c2f97e0

      SHA256

      f448c6a7498d2559174f3cb71d0291e70380276fd7421fd7b4bf03f76736fe34

      SHA512

      f8f58d2275dfbfe8cc06ba35a0e777906422f6afbe20cf10dbc62c5cbc0fcdd35ab6a81eba11d7e750a813d567f91c773e94dd48068f6b115e4e14af5f4d1157

      Download Submit
    • memory/828-149-0x0000000006780000-0x000000000679E000-memory.dmp
      Filesize

      120KB

      Download
    • memory/828-152-0x0000000007540000-0x000000000754A000-memory.dmp
      Filesize

      40KB

      Download
    • memory/828-141-0x00000000028A0000-0x00000000028D6000-memory.dmp
      Filesize

      216KB

      Download
    • memory/828-142-0x00000000053E0000-0x0000000005A08000-memory.dmp
      Filesize

      6.2MB

      Download
    • memory/828-143-0x0000000005320000-0x0000000005342000-memory.dmp
      Filesize

      136KB

      Download
    • memory/828-144-0x0000000005B00000-0x0000000005B66000-memory.dmp
      Filesize

      408KB

      Download
    • memory/828-145-0x0000000005BE0000-0x0000000005C46000-memory.dmp
      Filesize

      408KB

      Download
    • memory/828-146-0x00000000061D0000-0x00000000061EE000-memory.dmp
      Filesize

      120KB

      Download
    • memory/828-147-0x00000000067A0000-0x00000000067D2000-memory.dmp
      Filesize

      200KB

      Download
    • memory/828-148-0x00000000707A0000-0x00000000707EC000-memory.dmp
      Filesize

      304KB

      Download
    • memory/828-137-0x0000000000000000-mapping.dmp
      Download
    • memory/828-150-0x0000000007B20000-0x000000000819A000-memory.dmp
      Filesize

      6.5MB

      Download
    • memory/828-151-0x00000000074D0000-0x00000000074EA000-memory.dmp
      Filesize

      104KB

      Download
    • memory/828-156-0x00000000077F0000-0x00000000077F8000-memory.dmp
      Filesize

      32KB

      Download
    • memory/828-153-0x0000000007750000-0x00000000077E6000-memory.dmp
      Filesize

      600KB

      Download
    • memory/828-154-0x0000000007700000-0x000000000770E000-memory.dmp
      Filesize

      56KB

      Download
    • memory/828-155-0x0000000007810000-0x000000000782A000-memory.dmp
      Filesize

      104KB

      Download
    • memory/2052-130-0x0000000000BB0000-0x0000000000D03000-memory.dmp
      Filesize

      1.3MB

      Download
    • memory/2052-132-0x0000000000AB0000-0x0000000000BB0000-memory.dmp
      Filesize

      1024KB

      Download
    • memory/3976-163-0x0000000000000000-mapping.dmp
      Download
    • memory/3976-167-0x0000000070620000-0x000000007066C000-memory.dmp
      Filesize

      304KB

      Download
    • memory/4308-166-0x0000000000000000-mapping.dmp
      Download
    • memory/4308-168-0x00000000009F0000-0x00000000009F1000-memory.dmp
      Filesize

      4KB

      Download
    • memory/4484-138-0x0000000000000000-mapping.dmp
      Download
    • memory/4484-157-0x0000000001030000-0x0000000001183000-memory.dmp
      Filesize

      1.3MB

      Download