Overview

overview

10

Static

static

SecuriteIn...78.exe

windows7-x64

10

SecuriteIn...78.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    175s
  • max time network
    199s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20221111-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
  • submitted
    23-11-2022 14:39

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    SecuriteInfo.com.Win32.PWSX-gen.15216.14078.exe

  • Size

    1.0MB

  • MD5

    dbd404136dad8130e5b1197fcbf287d1

  • SHA1

    225b6204a93d7512d8bac3d533aff6836b5c4d3e

  • SHA256

    584f57edb1dc561be7396494ea26a3fe5c4c24fed1594636ce2167db8418abe1

  • SHA512

    d1111093ea89fdd2df4282dcc5097c55e2e34b522259baa1fd1758f75da33a69919a8ecb5188136da2c837aff27bc40200cd3e450f224b72007ec43b85346a23

  • SSDEEP

    24576:rz3lDgh/awtCPSJLir9KcCWY56PH62Dz:rz3lch/dsPFTkyHF

Score
10/10
warzoneratinfostealerrat

Malware Config

Signatures

  • WarzoneRat, AveMaria

    WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.

    ratinfostealerwarzonerat
  • Warzone RAT payload 4 IoCs
    rat
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: EnumeratesProcesses 15 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 20 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.15216.14078.exe
    "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.15216.14078.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4500
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\zLxcgGKWkNnjkV.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2264
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\zLxcgGKWkNnjkV" /XML "C:\Users\Admin\AppData\Local\Temp\tmpA747.tmp"
      2⤵
      • Creates scheduled task(s)
      PID:1300
    • C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.15216.14078.exe
      "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.15216.14078.exe"
      2⤵
        PID:4716
      • C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.15216.14078.exe
        "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.15216.14078.exe"
        2⤵
          PID:2524

      Network

      MITRE ATT&CK Enterprise v6

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\tmpA747.tmp
        Filesize

        1KB

        MD5

        15b057c517babaa24e2870c52e4cd81f

        SHA1

        61fe1fddb33a86779b0689720a1ac72eb2d14514

        SHA256

        04dcb84efc42e2dfe5f3f8372d5f8f9d316f9894dd91424ce16896280b8acddc

        SHA512

        3bad70300a8fc58400a28924f79ae823cc1133a405dacaebb960cc49b2392c764ba7e151d8702858498cbbfdaf57856a5314fc1a449147ea690f3f3971ee0ed8

        Download Submit

      • memory/1300-138-0x0000000000000000-mapping.dmp

        Download

      • memory/2264-151-0x00000000062F0000-0x000000000630E000-memory.dmp

        Filesize

        120KB

        Download

      • memory/2264-148-0x00000000053E0000-0x0000000005446000-memory.dmp

        Filesize

        408KB

        Download

      • memory/2264-154-0x0000000070860000-0x00000000708AC000-memory.dmp

        Filesize

        304KB

        Download

      • memory/2264-137-0x0000000000000000-mapping.dmp

        Download

      • memory/2264-157-0x0000000007610000-0x000000000762A000-memory.dmp

        Filesize

        104KB

        Download

      • memory/2264-139-0x00000000029E0000-0x0000000002A16000-memory.dmp

        Filesize

        216KB

        Download

      • memory/2264-147-0x0000000005340000-0x0000000005362000-memory.dmp

        Filesize

        136KB

        Download

      • memory/2264-142-0x00000000055B0000-0x0000000005BD8000-memory.dmp

        Filesize

        6.2MB

        Download

      • memory/2264-155-0x0000000006890000-0x00000000068AE000-memory.dmp

        Filesize

        120KB

        Download

      • memory/2264-153-0x00000000068B0000-0x00000000068E2000-memory.dmp

        Filesize

        200KB

        Download

      • memory/2264-158-0x0000000007660000-0x000000000766A000-memory.dmp

        Filesize

        40KB

        Download

      • memory/2264-156-0x0000000007C70000-0x00000000082EA000-memory.dmp

        Filesize

        6.5MB

        Download

      • memory/2264-149-0x0000000005540000-0x00000000055A6000-memory.dmp

        Filesize

        408KB

        Download

      • memory/2524-143-0x0000000000000000-mapping.dmp

        Download

      • memory/2524-146-0x0000000000400000-0x0000000000568000-memory.dmp

        Filesize

        1.4MB

        Download

      • memory/2524-150-0x0000000000400000-0x0000000000568000-memory.dmp

        Filesize

        1.4MB

        Download

      • memory/2524-144-0x0000000000400000-0x0000000000568000-memory.dmp

        Filesize

        1.4MB

        Download

      • memory/2524-152-0x0000000000400000-0x0000000000568000-memory.dmp

        Filesize

        1.4MB

        Download

      • memory/4500-133-0x0000000005FC0000-0x0000000006564000-memory.dmp

        Filesize

        5.6MB

        Download

      • memory/4500-132-0x0000000000F10000-0x0000000001022000-memory.dmp

        Filesize

        1.1MB

        Download

      • memory/4500-135-0x00000000059B0000-0x00000000059BA000-memory.dmp

        Filesize

        40KB

        Download

      • memory/4500-134-0x0000000005A10000-0x0000000005AA2000-memory.dmp

        Filesize

        584KB

        Download

      • memory/4500-136-0x0000000007B10000-0x0000000007BAC000-memory.dmp

        Filesize

        624KB

        Download

      • memory/4716-141-0x0000000000000000-mapping.dmp

        Download