Analysis

  • max time kernel
    61s
  • max time network
    145s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20221111-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    18-11-2022 07:27

General

  • Target

    mac.exe

  • Size

    488KB

  • MD5

    d17f096da9df5fd709724e7c3b40abd9

  • SHA1

    7caf8c68a6d9a9b8fd5f53d49a8ac4721ee841eb

  • SHA256

    c9f4f2be380162c81b4ebe85adf10628a9dbdd318508b3236be41ed3f9dbc615

  • SHA512

    ba169bb4af95b299e4720eef9406d7dd5f818b9c99ee5d9fa120db90d2e866ca99f80cdf0a47ab1781efe24ad3186c6e8b8c1887a357178f4a94535f0de39d78

  • SSDEEP

    6144:MEa0mVYOrW44rarv+po4zbkFrYhpV7z0DUoqWCxHMyOxZvdO/D6sifs7O+j3DLg3:IJgpVwFUhpV73kCxsyOxZEbhh3PId

Malware Config

Extracted

Family

warzonerat

C2

maulo.duckdns.org:6269

Signatures

  • WarzoneRat, AveMaria

    WarzoneRat is a native RAT written in C++ that ships with multiple plugins and is sold as malware-as-a-service (MaaS).

  • Warzone RAT payload (1 IoC)
  • Executes dropped EXE (2 IoCs)
  • Adds Run key to start application (2 TTPs, 1 IoC)
  • Suspicious use of SetThreadContext (1 IoC)
  • Enumerates physical storage devices (1 TTP)

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: MapViewOfSection (1 IoC)
  • Suspicious use of SetWindowsHookEx (1 IoC)
  • Suspicious use of WriteProcessMemory (7 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\mac.exe
    "C:\Users\Admin\AppData\Local\Temp\mac.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:4912
    • C:\Users\Admin\AppData\Local\Temp\cobwpg.exe
      "C:\Users\Admin\AppData\Local\Temp\cobwpg.exe"
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of SetThreadContext
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of WriteProcessMemory
      PID:3712
      • C:\Users\Admin\AppData\Local\Temp\cobwpg.exe
        "C:\Users\Admin\AppData\Local\Temp\cobwpg.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetWindowsHookEx
        PID:672

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Users\Admin\AppData\Local\Temp\cobwpg.exe

    Filesize

    343KB

    MD5

    f1d6c72ce3b071d0e3c42c37d87de7a4

    SHA1

    df6d3b9d1c7b6f5f1083f9ee4cd931e55a559af8

    SHA256

    2def7ef736bc6f794d2ac349f58f85d405a0eb9d52f7164dd8299f000e804bef

    SHA512

    462a7c7d8dd1ef380d200ea4e8fa0abf955553f28023dc62c4db78f047b2e626e626f99a6e0d046363d8535a8d788dd5302ee3d8446aaf58db248ac4605797cc

  • C:\Users\Admin\AppData\Local\Temp\lwxrpvefg.run

    Filesize

    7KB

    MD5

    f2ae235c6d66bcf60920fff5128e632d

    SHA1

    8663e88b4e844bfefeeece0b5c62c11a5a042538

    SHA256

    71c82636991771d7c8a8fcbffcd3f2b318c106401f9b532bdedcd090d9229983

    SHA512

    d2737b91eade490f5defc5931b175db666b21fbf8604d350d8de018b2e9f2609120b764413dbbaaf717768f6fac574b7c1fcda735109d0c4b452c5bef2685f0e

  • C:\Users\Admin\AppData\Local\Temp\mflgw.z

    Filesize

    98KB

    MD5

    c07d48b923d8dcd8a545b5d9366a83a3

    SHA1

    8b73e3d2e2de25025b6ef578ca57969221afc3e5

    SHA256

    4c8ab7b2daf114a13af8986db33e96789da07727c5fc8550cb0160959193906b

    SHA512

    489510a20bbe84913f87f91d3b38988a6e7ed30ece2aa068b8bbf228b1d424e42805c50097691b6ad0da3fd013f6bdedc469f1ba0dc7339535bb48974e9626c5

  • memory/672-137-0x0000000000000000-mapping.dmp

  • memory/672-139-0x0000000000400000-0x000000000041D000-memory.dmp

    Filesize

    116KB

  • memory/3712-132-0x0000000000000000-mapping.dmp