Overview

overview

10

Static

static

scan001.exe

windows7_x64

10

scan001.exe

windows10-2004_x64

10

Analysis

  • max time kernel
    150s
  • max time network
    155s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220414-en
  • submitted
    21-05-2022 19:18

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    scan001.exe

  • Size

    1.3MB

  • MD5

    dec59124b7990c19313cec352f47414f

  • SHA1

    84769168287f5f3c9a9467b129eee606c452f0dc

  • SHA256

    2c17ec053eeef1daed652560bd9bd8672fd2bd160595f998f87c017b3c7095c5

  • SHA512

    55072103d13191e1e78b491b6e6ec3ab681f14342273158fedef4042d1822e0938bbf86213be8667cf0174c4720a56844e8cbac55bdfa2138e58d459a2d38997

Score
10/10
warzoneratinfostealerpersistencerat

Malware Config

Extracted

Family

warzonerat

C2

79.134.225.34:5200

Signatures

  • WarzoneRat, AveMaria

    WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.

    ratinfostealerwarzonerat
  • Warzone RAT Payload 3 IoCs
    rat
  • Executes dropped EXE 1 IoCs
  • Drops startup file 2 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • NTFS ADS 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 14 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\scan001.exe
    "C:\Users\Admin\AppData\Local\Temp\scan001.exe"
    1⤵
    • Drops startup file
    • Adds Run key to start application
    • NTFS ADS
    • Suspicious use of WriteProcessMemory
    PID:4308
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell Add-MpPreference -ExclusionPath C:\
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3076
    • C:\ProgramData\images.exe
      "C:\ProgramData\images.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:3092
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        powershell Add-MpPreference -ExclusionPath C:\
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2308
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe"
        3⤵
          PID:3656

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Initial Access

    Execution

    Persistence

    Registry Run Keys / Startup Folder

    1
    T1060

    Privilege Escalation

    Defense Evasion

    Modify Registry

    1
    T1112

    Credential Access

    Discovery

    Lateral Movement

    Collection

    Exfiltration

    Command and Control

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\ProgramData\images.exe
      Filesize

      1.3MB

      MD5

      dec59124b7990c19313cec352f47414f

      SHA1

      84769168287f5f3c9a9467b129eee606c452f0dc

      SHA256

      2c17ec053eeef1daed652560bd9bd8672fd2bd160595f998f87c017b3c7095c5

      SHA512

      55072103d13191e1e78b491b6e6ec3ab681f14342273158fedef4042d1822e0938bbf86213be8667cf0174c4720a56844e8cbac55bdfa2138e58d459a2d38997

      Download Submit
    • C:\ProgramData\images.exe
      Filesize

      1.3MB

      MD5

      dec59124b7990c19313cec352f47414f

      SHA1

      84769168287f5f3c9a9467b129eee606c452f0dc

      SHA256

      2c17ec053eeef1daed652560bd9bd8672fd2bd160595f998f87c017b3c7095c5

      SHA512

      55072103d13191e1e78b491b6e6ec3ab681f14342273158fedef4042d1822e0938bbf86213be8667cf0174c4720a56844e8cbac55bdfa2138e58d459a2d38997

      Download Submit
    • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
      Filesize

      2KB

      MD5

      968cb9309758126772781b83adb8a28f

      SHA1

      8da30e71accf186b2ba11da1797cf67f8f78b47c

      SHA256

      92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a

      SHA512

      4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

      Download Submit
    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
      Filesize

      18KB

      MD5

      8e3a158ac020cb887bc58ea7fd2a9c44

      SHA1

      902cd7628d1e78643276f5d8ec4fc0c4aec18210

      SHA256

      026fa49a7854ebe2150b60c8b4a664bebd67905327af7f2fd48280e30f22ff70

      SHA512

      9e9a4815f01c46891ab77aa1f9786539f8bc66844b111a6a673d044fb090ea537de16c88a6e16d8af4c346164a87791f79c40c90c6a9f222e97e9c2cc1d512c6

      Download Submit
    • memory/2308-163-0x0000000000000000-mapping.dmp
      Download
    • memory/2308-168-0x00000000707B0000-0x00000000707FC000-memory.dmp
      Filesize

      304KB

      Download
    • memory/3076-149-0x0000000006350000-0x000000000636E000-memory.dmp
      Filesize

      120KB

      Download
    • memory/3076-152-0x0000000007120000-0x000000000712A000-memory.dmp
      Filesize

      40KB

      Download
    • memory/3076-143-0x0000000004EE0000-0x0000000004F02000-memory.dmp
      Filesize

      136KB

      Download
    • memory/3076-144-0x00000000056E0000-0x0000000005746000-memory.dmp
      Filesize

      408KB

      Download
    • memory/3076-145-0x0000000005750000-0x00000000057B6000-memory.dmp
      Filesize

      408KB

      Download
    • memory/3076-146-0x0000000005DA0000-0x0000000005DBE000-memory.dmp
      Filesize

      120KB

      Download
    • memory/3076-147-0x0000000006370000-0x00000000063A2000-memory.dmp
      Filesize

      200KB

      Download
    • memory/3076-148-0x0000000074860000-0x00000000748AC000-memory.dmp
      Filesize

      304KB

      Download
    • memory/3076-137-0x0000000000000000-mapping.dmp
      Download
    • memory/3076-150-0x00000000076F0000-0x0000000007D6A000-memory.dmp
      Filesize

      6.5MB

      Download
    • memory/3076-151-0x00000000070B0000-0x00000000070CA000-memory.dmp
      Filesize

      104KB

      Download
    • memory/3076-142-0x0000000004F50000-0x0000000005578000-memory.dmp
      Filesize

      6.2MB

      Download
    • memory/3076-153-0x0000000007330000-0x00000000073C6000-memory.dmp
      Filesize

      600KB

      Download
    • memory/3076-154-0x00000000072E0000-0x00000000072EE000-memory.dmp
      Filesize

      56KB

      Download
    • memory/3076-155-0x00000000073F0000-0x000000000740A000-memory.dmp
      Filesize

      104KB

      Download
    • memory/3076-156-0x00000000073D0000-0x00000000073D8000-memory.dmp
      Filesize

      32KB

      Download
    • memory/3076-141-0x00000000047D0000-0x0000000004806000-memory.dmp
      Filesize

      216KB

      Download
    • memory/3092-157-0x00000000009E0000-0x0000000000B33000-memory.dmp
      Filesize

      1.3MB

      Download
    • memory/3092-138-0x0000000000000000-mapping.dmp
      Download
    • memory/3656-164-0x0000000000000000-mapping.dmp
      Download
    • memory/3656-167-0x0000000000BD0000-0x0000000000BD1000-memory.dmp
      Filesize

      4KB

      Download
    • memory/4308-130-0x0000000001270000-0x00000000013C3000-memory.dmp
      Filesize

      1.3MB

      Download
    • memory/4308-136-0x0000000001000000-0x0000000001100000-memory.dmp
      Filesize

      1024KB

      Download