Overview

overview

10

Static

static

UPS Delivery Info.exe

windows7-x64

10

UPS Delivery Info.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    145s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20221111-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
  • submitted
    15-11-2022 15:59

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    UPS Delivery Info.exe

  • Size

    665KB

  • MD5

    010233bc921206bf5f3cf343695520c8

  • SHA1

    6e5558813b1926d2e95173f532171ab4a095d117

  • SHA256

    fb98878de141d3a4a27e64c29ec0e8427e000c59e8d7018ed8e1faf3e69e4634

  • SHA512

    3727f5d0eb8e326f0ab6a980c491872573c550b1059258e41f420c179895f6c3ad2017a40092285a9286b33675c50519e471a2e33d3c8a37c454b10effa32194

  • SSDEEP

    12288:2B4XMgcpCYrN5HIgT+XbLFY6iWT7a/qmsFtw8674c21Rx:hICQdfT+YjWT/c8674c21b

Score
10/10
warzoneratevasioninfostealerrat

Malware Config

Extracted

Family

warzonerat

C2

pastorcc.duckdns.org:2223

Signatures

  • WarzoneRat, AveMaria

    WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.

    ratinfostealerwarzonerat
  • Looks for VirtualBox Guest Additions in registry 2 TTPs 1 IoCs
    evasion
  • Looks for VMWare Tools registry key 2 TTPs 1 IoCs
    evasion
  • Checks BIOS information in registry 2 TTPs 2 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Maps connected drives based on registry 3 TTPs 2 IoCs

    Disk information is often read in order to detect sandboxing environments.

  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 11 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 16 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\UPS Delivery Info.exe
    "C:\Users\Admin\AppData\Local\Temp\UPS Delivery Info.exe"
    1⤵
    • Looks for VirtualBox Guest Additions in registry
    • Looks for VMWare Tools registry key
    • Checks BIOS information in registry
    • Maps connected drives based on registry
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1888
    • C:\Users\Admin\AppData\Local\Temp\UPS Delivery Info.exe
      "C:\Users\Admin\AppData\Local\Temp\UPS Delivery Info.exe"
      2⤵
        PID:4628
      • C:\Users\Admin\AppData\Local\Temp\UPS Delivery Info.exe
        "C:\Users\Admin\AppData\Local\Temp\UPS Delivery Info.exe"
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:4132
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          powershell Add-MpPreference -ExclusionPath C:\
          3⤵
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:3148

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • memory/1888-132-0x0000000000DE0000-0x0000000000E8C000-memory.dmp

      Filesize

      688KB

      Download

    • memory/1888-133-0x0000000005DD0000-0x0000000006374000-memory.dmp

      Filesize

      5.6MB

      Download

    • memory/1888-134-0x0000000005820000-0x00000000058B2000-memory.dmp

      Filesize

      584KB

      Download

    • memory/1888-135-0x00000000059D0000-0x00000000059DA000-memory.dmp

      Filesize

      40KB

      Download

    • memory/1888-136-0x00000000090E0000-0x000000000917C000-memory.dmp

      Filesize

      624KB

      Download

    • memory/1888-137-0x00000000094F0000-0x0000000009556000-memory.dmp

      Filesize

      408KB

      Download

    • memory/3148-154-0x0000000007360000-0x000000000737A000-memory.dmp

      Filesize

      104KB

      Download

    • memory/3148-150-0x0000000006620000-0x0000000006652000-memory.dmp

      Filesize

      200KB

      Download

    • memory/3148-159-0x0000000007680000-0x0000000007688000-memory.dmp

      Filesize

      32KB

      Download

    • memory/3148-158-0x00000000076A0000-0x00000000076BA000-memory.dmp

      Filesize

      104KB

      Download

    • memory/3148-157-0x0000000007590000-0x000000000759E000-memory.dmp

      Filesize

      56KB

      Download

    • memory/3148-144-0x0000000000000000-mapping.dmp

      Download

    • memory/3148-145-0x0000000004AC0000-0x0000000004AF6000-memory.dmp

      Filesize

      216KB

      Download

    • memory/3148-146-0x00000000051C0000-0x00000000057E8000-memory.dmp

      Filesize

      6.2MB

      Download

    • memory/3148-147-0x00000000057F0000-0x0000000005812000-memory.dmp

      Filesize

      136KB

      Download

    • memory/3148-148-0x0000000005950000-0x00000000059B6000-memory.dmp

      Filesize

      408KB

      Download

    • memory/3148-149-0x0000000006060000-0x000000000607E000-memory.dmp

      Filesize

      120KB

      Download

    • memory/3148-156-0x00000000075E0000-0x0000000007676000-memory.dmp

      Filesize

      600KB

      Download

    • memory/3148-151-0x0000000070870000-0x00000000708BC000-memory.dmp

      Filesize

      304KB

      Download

    • memory/3148-152-0x0000000006600000-0x000000000661E000-memory.dmp

      Filesize

      120KB

      Download

    • memory/3148-153-0x00000000079A0000-0x000000000801A000-memory.dmp

      Filesize

      6.5MB

      Download

    • memory/3148-155-0x00000000073D0000-0x00000000073DA000-memory.dmp

      Filesize

      40KB

      Download

    • memory/4132-139-0x0000000000000000-mapping.dmp

      Download

    • memory/4132-143-0x0000000000400000-0x000000000055E000-memory.dmp

      Filesize

      1.4MB

      Download

    • memory/4132-142-0x0000000000400000-0x000000000055E000-memory.dmp

      Filesize

      1.4MB

      Download

    • memory/4132-140-0x0000000000400000-0x000000000055E000-memory.dmp

      Filesize

      1.4MB

      Download

    • memory/4132-160-0x0000000000400000-0x000000000055E000-memory.dmp

      Filesize

      1.4MB

      Download

    • memory/4628-138-0x0000000000000000-mapping.dmp

      Download