Overview

overview

10

Static

static

PAYMENT DETAILS.exe

windows7_x64

10

PAYMENT DETAILS.exe

windows10-2004_x64

10

Analysis

  • max time kernel
    137s
  • max time network
    154s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220414-en
  • submitted
    21-05-2022 18:39

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    PAYMENT DETAILS.exe

  • Size

    1.3MB

  • MD5

    2232dfdb7c3927d73d832bb782821eae

  • SHA1

    dba1ac5f1cf909ce1a6cb6c860d50e6e86f7ea13

  • SHA256

    785c0d4d25629a52bf22014d5e21c10dbd19e6e7958eb400ea445182a827578f

  • SHA512

    a3c194f33643d3a7e8b23443bae754d35a21f37d7b0bb454e41933fbdabaffee3e7ba6e1b5b2f16f353b9df7ccfd61f358f5b5099559eaf38975111abfa8666b

Score
10/10
warzoneratinfostealerpersistencerat

Malware Config

Extracted

Family

warzonerat

C2

52.168.163.161:5200

Signatures

  • WarzoneRat, AveMaria

    WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.

    ratinfostealerwarzonerat
  • Warzone RAT Payload 3 IoCs
    rat
  • Executes dropped EXE 1 IoCs
  • Drops startup file 2 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • NTFS ADS 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 14 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\PAYMENT DETAILS.exe
    "C:\Users\Admin\AppData\Local\Temp\PAYMENT DETAILS.exe"
    1⤵
    • Drops startup file
    • Adds Run key to start application
    • NTFS ADS
    • Suspicious use of WriteProcessMemory
    PID:4960
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell Add-MpPreference -ExclusionPath C:\
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4100
    • C:\ProgramData\images.exe
      "C:\ProgramData\images.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:3872
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        powershell Add-MpPreference -ExclusionPath C:\
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4536
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe"
        3⤵
          PID:2024

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Initial Access

    Execution

    Persistence

    Registry Run Keys / Startup Folder

    1
    T1060

    Privilege Escalation

    Defense Evasion

    Modify Registry

    1
    T1112

    Credential Access

    Discovery

    Lateral Movement

    Collection

    Exfiltration

    Command and Control

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\ProgramData\images.exe
      Filesize

      1.3MB

      MD5

      2232dfdb7c3927d73d832bb782821eae

      SHA1

      dba1ac5f1cf909ce1a6cb6c860d50e6e86f7ea13

      SHA256

      785c0d4d25629a52bf22014d5e21c10dbd19e6e7958eb400ea445182a827578f

      SHA512

      a3c194f33643d3a7e8b23443bae754d35a21f37d7b0bb454e41933fbdabaffee3e7ba6e1b5b2f16f353b9df7ccfd61f358f5b5099559eaf38975111abfa8666b

      Download Submit
    • C:\ProgramData\images.exe
      Filesize

      1.3MB

      MD5

      2232dfdb7c3927d73d832bb782821eae

      SHA1

      dba1ac5f1cf909ce1a6cb6c860d50e6e86f7ea13

      SHA256

      785c0d4d25629a52bf22014d5e21c10dbd19e6e7958eb400ea445182a827578f

      SHA512

      a3c194f33643d3a7e8b23443bae754d35a21f37d7b0bb454e41933fbdabaffee3e7ba6e1b5b2f16f353b9df7ccfd61f358f5b5099559eaf38975111abfa8666b

      Download Submit
    • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
      Filesize

      2KB

      MD5

      968cb9309758126772781b83adb8a28f

      SHA1

      8da30e71accf186b2ba11da1797cf67f8f78b47c

      SHA256

      92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a

      SHA512

      4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

      Download Submit
    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
      Filesize

      18KB

      MD5

      1e6ba17681698100c5bf29f42254ac90

      SHA1

      adbd62a97328df42f7adbd174d8d95fcd41bd307

      SHA256

      a06fed81e80b7ced89b36636be53bf36c8a77d332bee1d79c528cc64b72c6daa

      SHA512

      713f6b714134031a319e0d7fed9c75bf91e8a36a9a353b565e113b8eb4800f23569764e586eb168b940df9358e774d829186788ee3b9d78f540ff1b615ffcdc4

      Download Submit
    • memory/2024-167-0x0000000000850000-0x0000000000851000-memory.dmp
      Filesize

      4KB

      Download
    • memory/2024-164-0x0000000000000000-mapping.dmp
      Download
    • memory/3872-157-0x0000000001040000-0x0000000001193000-memory.dmp
      Filesize

      1.3MB

      Download
    • memory/3872-138-0x0000000000000000-mapping.dmp
      Download
    • memory/4100-149-0x0000000006B20000-0x0000000006B3E000-memory.dmp
      Filesize

      120KB

      Download
    • memory/4100-142-0x00000000057C0000-0x0000000005DE8000-memory.dmp
      Filesize

      6.2MB

      Download
    • memory/4100-145-0x0000000005F60000-0x0000000005FC6000-memory.dmp
      Filesize

      408KB

      Download
    • memory/4100-146-0x0000000006590000-0x00000000065AE000-memory.dmp
      Filesize

      120KB

      Download
    • memory/4100-147-0x0000000006B80000-0x0000000006BB2000-memory.dmp
      Filesize

      200KB

      Download
    • memory/4100-148-0x0000000074DC0000-0x0000000074E0C000-memory.dmp
      Filesize

      304KB

      Download
    • memory/4100-137-0x0000000000000000-mapping.dmp
      Download
    • memory/4100-150-0x0000000007F00000-0x000000000857A000-memory.dmp
      Filesize

      6.5MB

      Download
    • memory/4100-151-0x00000000078A0000-0x00000000078BA000-memory.dmp
      Filesize

      104KB

      Download
    • memory/4100-152-0x0000000007910000-0x000000000791A000-memory.dmp
      Filesize

      40KB

      Download
    • memory/4100-153-0x0000000007B20000-0x0000000007BB6000-memory.dmp
      Filesize

      600KB

      Download
    • memory/4100-154-0x0000000007AD0000-0x0000000007ADE000-memory.dmp
      Filesize

      56KB

      Download
    • memory/4100-155-0x0000000007BE0000-0x0000000007BFA000-memory.dmp
      Filesize

      104KB

      Download
    • memory/4100-156-0x0000000007BC0000-0x0000000007BC8000-memory.dmp
      Filesize

      32KB

      Download
    • memory/4100-143-0x00000000055C0000-0x00000000055E2000-memory.dmp
      Filesize

      136KB

      Download
    • memory/4100-141-0x0000000002C70000-0x0000000002CA6000-memory.dmp
      Filesize

      216KB

      Download
    • memory/4100-144-0x0000000005EF0000-0x0000000005F56000-memory.dmp
      Filesize

      408KB

      Download
    • memory/4536-163-0x0000000000000000-mapping.dmp
      Download
    • memory/4536-168-0x0000000070D20000-0x0000000070D6C000-memory.dmp
      Filesize

      304KB

      Download
    • memory/4960-130-0x0000000000D10000-0x0000000000E10000-memory.dmp
      Filesize

      1024KB

      Download
    • memory/4960-131-0x0000000000F10000-0x0000000001063000-memory.dmp
      Filesize

      1.3MB

      Download