Overview

overview

10

Static

static

1

Quotation ...DF.scr

windows7-x64

10

Quotation ...DF.scr

windows10-2004-x64

10

Analysis

  • max time kernel
    552s
  • max time network
    555s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20221111-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
  • submitted
    02-02-2023 15:27

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Quotation 202311025_PDF.scr

  • Size

    24KB

  • MD5

    f1ed9f09ea489162b2a5ef0c4d285503

  • SHA1

    5e1b5599aef58f90e4ad3efa43661a1d7cc4ed6c

  • SHA256

    c8007f5d3d8770320aa06642b4363f60d8caa0056507a6e1bf94dfb38b786f97

  • SHA512

    4dfa6ad16b68bcc15362a93ef970bde290a654f67df507d8a3e8976ae45d38a4603184ad79fb7099de5fdaed637b8291022c3af3a374435428cc99512403252a

  • SSDEEP

    384:iJg3aSz4PT02opvtOvt6Y4BwEapWNJR+:iW3Dl2oZU1ZdWNJR

Score
10/10
warzoneratinfostealerpersistencerat

Malware Config

Extracted

Family

warzonerat

C2

37.120.155.179:52920

Signatures

  • WarzoneRat, AveMaria

    WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.

    ratinfostealerwarzonerat
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Gathers network information 2 TTPs 2 IoCs

    Uses commandline utility to view network configuration.

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 25 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Quotation 202311025_PDF.scr
    "C:\Users\Admin\AppData\Local\Temp\Quotation 202311025_PDF.scr" /S
    1⤵
    • Checks computer location settings
    • Adds Run key to start application
    • Suspicious use of SetThreadContext
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2728
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c ipconfig/release
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1280
      • C:\Windows\SysWOW64\ipconfig.exe
        ipconfig /release
        3⤵
        • Gathers network information
        PID:4408
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMgAwAA==
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4784
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c ipconfig/renew
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4264
      • C:\Windows\SysWOW64\ipconfig.exe
        ipconfig /renew
        3⤵
        • Gathers network information
        PID:4016
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
      2⤵
        PID:1808

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Initial Access

    Execution

    Command-Line Interface

    1
    T1059

    Persistence

    Registry Run Keys / Startup Folder

    1
    T1060

    Privilege Escalation

    Defense Evasion

    Modify Registry

    1
    T1112

    Credential Access

    Discovery

    Query Registry

    1
    T1012

    System Information Discovery

    3
    T1082

    Lateral Movement

    Collection

    Exfiltration

    Command and Control

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • memory/1280-134-0x0000000000000000-mapping.dmp
      Download
    • memory/1808-152-0x0000000000400000-0x000000000055E000-memory.dmp
      Filesize

      1.4MB

      Download
    • memory/1808-151-0x0000000000400000-0x000000000055E000-memory.dmp
      Filesize

      1.4MB

      Download
    • memory/1808-149-0x0000000000400000-0x000000000055E000-memory.dmp
      Filesize

      1.4MB

      Download
    • memory/1808-147-0x0000000000400000-0x000000000055E000-memory.dmp
      Filesize

      1.4MB

      Download
    • memory/1808-146-0x0000000000000000-mapping.dmp
      Download
    • memory/2728-133-0x0000000006570000-0x0000000006592000-memory.dmp
      Filesize

      136KB

      Download
    • memory/2728-132-0x00000000003D0000-0x00000000003DC000-memory.dmp
      Filesize

      48KB

      Download
    • memory/4016-145-0x0000000000000000-mapping.dmp
      Download
    • memory/4264-144-0x0000000000000000-mapping.dmp
      Download
    • memory/4408-135-0x0000000000000000-mapping.dmp
      Download
    • memory/4784-136-0x0000000000000000-mapping.dmp
      Download
    • memory/4784-143-0x0000000006520000-0x000000000653A000-memory.dmp
      Filesize

      104KB

      Download
    • memory/4784-142-0x0000000007690000-0x0000000007D0A000-memory.dmp
      Filesize

      6.5MB

      Download
    • memory/4784-141-0x0000000006000000-0x000000000601E000-memory.dmp
      Filesize

      120KB

      Download
    • memory/4784-140-0x00000000059B0000-0x0000000005A16000-memory.dmp
      Filesize

      408KB

      Download
    • memory/4784-139-0x0000000005810000-0x0000000005876000-memory.dmp
      Filesize

      408KB

      Download
    • memory/4784-138-0x0000000005170000-0x0000000005798000-memory.dmp
      Filesize

      6.2MB

      Download
    • memory/4784-137-0x0000000002A20000-0x0000000002A56000-memory.dmp
      Filesize

      216KB

      Download