Overview

overview

10

Static

static

PAYMENT DETAILS.exe

windows7_x64

10

PAYMENT DETAILS.exe

windows10-2004_x64

10

Analysis

  • max time kernel
    131s
  • max time network
    44s
  • platform
    windows7_x64
  • resource
    win7-20220414-en
  • submitted
    21-05-2022 18:39

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    PAYMENT DETAILS.exe

  • Size

    1.3MB

  • MD5

    2232dfdb7c3927d73d832bb782821eae

  • SHA1

    dba1ac5f1cf909ce1a6cb6c860d50e6e86f7ea13

  • SHA256

    785c0d4d25629a52bf22014d5e21c10dbd19e6e7958eb400ea445182a827578f

  • SHA512

    a3c194f33643d3a7e8b23443bae754d35a21f37d7b0bb454e41933fbdabaffee3e7ba6e1b5b2f16f353b9df7ccfd61f358f5b5099559eaf38975111abfa8666b

Score
10/10
warzoneratinfostealerpersistencerat

Malware Config

Extracted

Family

warzonerat

C2

52.168.163.161:5200

Signatures

  • WarzoneRat, AveMaria

    WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.

    ratinfostealerwarzonerat
  • Warzone RAT Payload 3 IoCs
    rat
  • Executes dropped EXE 1 IoCs
  • Drops startup file 2 IoCs
  • Loads dropped DLL 1 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • NTFS ADS 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\PAYMENT DETAILS.exe
    "C:\Users\Admin\AppData\Local\Temp\PAYMENT DETAILS.exe"
    1⤵
    • Drops startup file
    • Loads dropped DLL
    • Adds Run key to start application
    • NTFS ADS
    • Suspicious use of WriteProcessMemory
    PID:784
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell Add-MpPreference -ExclusionPath C:\
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1992
    • C:\ProgramData\images.exe
      "C:\ProgramData\images.exe"
      2⤵
      • Executes dropped EXE
      PID:1988

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1
T1060

Privilege Escalation

Defense Evasion

Modify Registry

1
T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\ProgramData
    MD5

    d41d8cd98f00b204e9800998ecf8427e

    SHA1

    da39a3ee5e6b4b0d3255bfef95601890afd80709

    SHA256

    e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

    SHA512

    cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

    Download Submit
  • C:\ProgramData\images.exe
    Filesize

    1.3MB

    MD5

    2232dfdb7c3927d73d832bb782821eae

    SHA1

    dba1ac5f1cf909ce1a6cb6c860d50e6e86f7ea13

    SHA256

    785c0d4d25629a52bf22014d5e21c10dbd19e6e7958eb400ea445182a827578f

    SHA512

    a3c194f33643d3a7e8b23443bae754d35a21f37d7b0bb454e41933fbdabaffee3e7ba6e1b5b2f16f353b9df7ccfd61f358f5b5099559eaf38975111abfa8666b

    Download Submit
  • \ProgramData\images.exe
    Filesize

    1.3MB

    MD5

    2232dfdb7c3927d73d832bb782821eae

    SHA1

    dba1ac5f1cf909ce1a6cb6c860d50e6e86f7ea13

    SHA256

    785c0d4d25629a52bf22014d5e21c10dbd19e6e7958eb400ea445182a827578f

    SHA512

    a3c194f33643d3a7e8b23443bae754d35a21f37d7b0bb454e41933fbdabaffee3e7ba6e1b5b2f16f353b9df7ccfd61f358f5b5099559eaf38975111abfa8666b

    Download Submit
  • memory/784-54-0x0000000076391000-0x0000000076393000-memory.dmp
    Filesize

    8KB

    Download
  • memory/784-55-0x0000000000630000-0x0000000000783000-memory.dmp
    Filesize

    1.3MB

    Download
  • memory/784-61-0x0000000000250000-0x0000000000350000-memory.dmp
    Filesize

    1024KB

    Download
  • memory/1988-64-0x0000000000000000-mapping.dmp
    Download
  • memory/1988-70-0x0000000000450000-0x00000000005A3000-memory.dmp
    Filesize

    1.3MB

    Download
  • memory/1992-62-0x0000000000000000-mapping.dmp
    Download
  • memory/1992-68-0x0000000074250000-0x00000000747FB000-memory.dmp
    Filesize

    5.7MB

    Download