Overview

overview

10

Static

static

dridex

windows10-2004-x64

10

Analysis

  • max time kernel
    168s
  • max time network
    205s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20221111-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
  • submitted
    02-12-2022 04:13

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    8637ff13ee0653cfe574b2b9a9429f3124d16fca44d606432b6739c3d40a126c.exe

  • Size

    974KB

  • MD5

    7200b3d4fec8a77e6c8ba92f80e3ce30

  • SHA1

    5af6cf29dd856ef42917c9218b9dd61f8406b530

  • SHA256

    8637ff13ee0653cfe574b2b9a9429f3124d16fca44d606432b6739c3d40a126c

  • SHA512

    1243d07db82f29c6afa508ef178996d3bad58d7848c15b6375a873fad0f57bb33ba35679e41d8b48b05c45f0ababe79a4b06e52e8c16d20cbc4f5b3875e46d02

  • SSDEEP

    12288:lohgh/XxywVHfpAPY5vBsfBlcfCFxUwFJiR/EZr/x5WB2lnRzIhKyS0Rt2:lsgh/XZBAo+vbFWEZTxCynRzIa2t

Score
10/10
warzoneratinfostealerrat

Malware Config

Signatures

  • WarzoneRat, AveMaria

    WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.

    ratinfostealerwarzonerat
  • Warzone RAT payload 5 IoCs
    rat
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 17 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\8637ff13ee0653cfe574b2b9a9429f3124d16fca44d606432b6739c3d40a126c.exe
    "C:\Users\Admin\AppData\Local\Temp\8637ff13ee0653cfe574b2b9a9429f3124d16fca44d606432b6739c3d40a126c.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:2732
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\rVdYoGcJyfds.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4296
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\rVdYoGcJyfds" /XML "C:\Users\Admin\AppData\Local\Temp\tmpA8BE.tmp"
      2⤵
      • Creates scheduled task(s)
      PID:2020
    • C:\Users\Admin\AppData\Local\Temp\8637ff13ee0653cfe574b2b9a9429f3124d16fca44d606432b6739c3d40a126c.exe
      "C:\Users\Admin\AppData\Local\Temp\8637ff13ee0653cfe574b2b9a9429f3124d16fca44d606432b6739c3d40a126c.exe"
      2⤵
        PID:1920

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Initial Access

    Execution

    Scheduled Task

    1
    T1053

    Persistence

    Scheduled Task

    1
    T1053

    Privilege Escalation

    Scheduled Task

    1
    T1053

    Defense Evasion

    Credential Access

    Discovery

    Query Registry

    1
    T1012

    System Information Discovery

    2
    T1082

    Lateral Movement

    Collection

    Exfiltration

    Command and Control

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\tmpA8BE.tmp
      Filesize

      1KB

      MD5

      c77e59fb4c91ab58c995e81b513d430f

      SHA1

      1adbd7e5c40bc2c89168e02c1167bd62c0ff12f0

      SHA256

      9df0081a12624dee863e8f379b5f4f4b5a9fe27c200ec3012e16be28b7521fda

      SHA512

      f3e8abebff69688f3814cad02fdd62c1b26cf6006d35938b76b11bc745c69d2e0c9ca73a0c045a0624dc20cd75c902b007ebaa595a658e18540685fbf5026f94

      Download Submit
    • memory/1920-152-0x0000000000400000-0x0000000000568000-memory.dmp
      Filesize

      1.4MB

      Download
    • memory/1920-150-0x0000000000400000-0x0000000000568000-memory.dmp
      Filesize

      1.4MB

      Download
    • memory/1920-149-0x0000000000400000-0x0000000000568000-memory.dmp
      Filesize

      1.4MB

      Download
    • memory/1920-145-0x0000000000400000-0x0000000000568000-memory.dmp
      Filesize

      1.4MB

      Download
    • memory/1920-142-0x0000000000400000-0x0000000000568000-memory.dmp
      Filesize

      1.4MB

      Download
    • memory/1920-141-0x0000000000000000-mapping.dmp
      Download
    • memory/2020-138-0x0000000000000000-mapping.dmp
      Download
    • memory/2732-135-0x0000000005AB0000-0x0000000005ABA000-memory.dmp
      Filesize

      40KB

      Download
    • memory/2732-132-0x0000000000F70000-0x000000000106A000-memory.dmp
      Filesize

      1000KB

      Download
    • memory/2732-134-0x00000000059F0000-0x0000000005A82000-memory.dmp
      Filesize

      584KB

      Download
    • memory/2732-133-0x0000000006050000-0x00000000065F4000-memory.dmp
      Filesize

      5.6MB

      Download
    • memory/2732-136-0x00000000017B0000-0x000000000184C000-memory.dmp
      Filesize

      624KB

      Download
    • memory/4296-159-0x00000000074F0000-0x0000000007586000-memory.dmp
      Filesize

      600KB

      Download
    • memory/4296-153-0x00000000064C0000-0x00000000064F2000-memory.dmp
      Filesize

      200KB

      Download
    • memory/4296-148-0x00000000057E0000-0x0000000005846000-memory.dmp
      Filesize

      408KB

      Download
    • memory/4296-143-0x0000000004F70000-0x0000000005598000-memory.dmp
      Filesize

      6.2MB

      Download
    • memory/4296-146-0x00000000056D0000-0x00000000056F2000-memory.dmp
      Filesize

      136KB

      Download
    • memory/4296-137-0x0000000000000000-mapping.dmp
      Download
    • memory/4296-151-0x0000000004BF0000-0x0000000004C0E000-memory.dmp
      Filesize

      120KB

      Download
    • memory/4296-147-0x0000000005770000-0x00000000057D6000-memory.dmp
      Filesize

      408KB

      Download
    • memory/4296-154-0x0000000071DE0000-0x0000000071E2C000-memory.dmp
      Filesize

      304KB

      Download
    • memory/4296-155-0x00000000064A0000-0x00000000064BE000-memory.dmp
      Filesize

      120KB

      Download
    • memory/4296-156-0x00000000078C0000-0x0000000007F3A000-memory.dmp
      Filesize

      6.5MB

      Download
    • memory/4296-157-0x0000000007270000-0x000000000728A000-memory.dmp
      Filesize

      104KB

      Download
    • memory/4296-158-0x00000000072E0000-0x00000000072EA000-memory.dmp
      Filesize

      40KB

      Download
    • memory/4296-139-0x0000000004890000-0x00000000048C6000-memory.dmp
      Filesize

      216KB

      Download