Analysis

  • max time kernel
    103s
  • max time network
    137s
  • platform
    windows7_x64
  • resource
    win7-20230220-en
  • resource tags

    arch:x64
    arch:x86
    image:win7-20230220-en
    locale:en-us
    os:windows7-x64
    system
  • submitted
    10-03-2023 13:32

General

  • Target

    Need Price No.34 10-03-2023.xlsx

  • Size

    1.0MB

  • MD5

    afd2e15a47dc9394c96f5e83078ea288

  • SHA1

    b17977343c32004cc7e2f692fd04ee0ec3bea0b5

  • SHA256

    c1158a1df03d75859f08f5e9f8909ea8bf5c63a6dbc78485d543dfa461cfe478

  • SHA512

    04fe7fc6491f67a7aa52bfd1a9a47861ea555c3a68b5bf75b79727126cb8b9ff6b33d1dfff7797ff60cd4cf35f596f376348b053da230f44e62f2640be7ea1a9

  • SSDEEP

    24576:9bvFPyNd0ViftpBbbnKpm7BYYnhyovhkfbXk/jj2HB:bPyNqif7VnK5Aysh8XmjKh

Malware Config

Extracted

Family

warzonerat

C2

konkation.duckdns.org:6548

Signatures

  • WarzoneRat, AveMaria

    WarzoneRat (also tracked as AveMaria) is a native RAT written in C++, sold as malware-as-a-service (MaaS) with multiple plugins.

  • Warzone RAT payload 5 IoCs
  • Blocklisted process makes network request 1 IoCs
  • Downloads MZ/PE file
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 4 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). The signature's generic description calls this likely ransomware behaviour; in this trace the family is a RAT, so treat it as drive enumeration rather than evidence of encryption.

  • Enumerates system info in registry 2 TTPs 1 IoCs
  • Launches Equation Editor 1 TTPs 1 IoCs

    Equation Editor (EQNEDT32.EXE) is a legacy Office component, started out-of-process via COM (note the "-Embedding" argument below), that is often targeted by exploits such as CVE-2017-11882. It has no legitimate reason to create child processes.

  • Modifies Internet Explorer settings 1 TTPs 31 IoCs
  • Modifies registry class 64 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 13 IoCs

Processes

  • C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde "C:\Users\Admin\AppData\Local\Temp\Need Price No.34 10-03-2023.xlsx"
    1⤵
    • Enumerates system info in registry
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    PID:1388
  • C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
    "C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
    1⤵
    • Blocklisted process makes network request
    • Loads dropped DLL
    • Launches Equation Editor
    • Suspicious use of WriteProcessMemory
    PID:1420
    • C:\Users\Admin\AppData\Roaming\word.exe
      C:\Users\Admin\AppData\Roaming\word.exe
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:564
      • C:\Users\Admin\AppData\Local\Temp\cbfwfm.exe
        "C:\Users\Admin\AppData\Local\Temp\cbfwfm.exe" C:\Users\Admin\AppData\Local\Temp\ontipan.ad
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Adds Run key to start application
        • Suspicious use of SetThreadContext
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of WriteProcessMemory
        PID:1680
        • C:\Users\Admin\AppData\Local\Temp\cbfwfm.exe
          "C:\Users\Admin\AppData\Local\Temp\cbfwfm.exe"
          4⤵
          • Executes dropped EXE
          • Suspicious use of SetWindowsHookEx
          PID:692
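The process tree above is the whole story of this sample in five lines: a spreadsheet opens, Equation Editor is activated via COM (so Excel is not its parent), it writes and runs word.exe from %APPDATA%, which runs cbfwfm.exe from %TEMP% with a sidecar file, and cbfwfm.exe then re-launches its own image (the SetThreadContext and MapViewOfSection signatures on the first instance are the usual hollowing tell). The following is an added example, not part of the sandbox report or of any vendor tooling: the EVENTS records are constructed by hand from the tree above using Sysmon-style field names, and the three rules show how a detection has to be keyed to catch this chain.

```python
"""Triage a sandbox process tree for the document-exploit chain:
Office host -> Equation Editor -> EXE dropped under the user profile ->
dropped EXE re-launching its own image.

Added example, not part of the sandbox report. The records in EVENTS are
constructed from the report's process tree; the field names mimic Sysmon
Event ID 1, but the records are not real telemetry.
"""
import ntpath

# Constructed from the report's process tree. The report does not show who
# started EXCEL.EXE or EQNEDT32.EXE, so their parent PID is set to 0 (unknown).
EVENTS = [
    {"ProcessId": 1388, "ParentProcessId": 0,
     "Image": r"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE",
     "CommandLine": r'"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde "C:\Users\Admin\AppData\Local\Temp\Need Price No.34 10-03-2023.xlsx"'},
    {"ProcessId": 1420, "ParentProcessId": 0,
     "Image": r"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE",
     "CommandLine": r'"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding'},
    {"ProcessId": 564, "ParentProcessId": 1420,
     "Image": r"C:\Users\Admin\AppData\Roaming\word.exe",
     "CommandLine": r"C:\Users\Admin\AppData\Roaming\word.exe"},
    {"ProcessId": 1680, "ParentProcessId": 564,
     "Image": r"C:\Users\Admin\AppData\Local\Temp\cbfwfm.exe",
     "CommandLine": r'"C:\Users\Admin\AppData\Local\Temp\cbfwfm.exe" C:\Users\Admin\AppData\Local\Temp\ontipan.ad'},
    {"ProcessId": 692, "ParentProcessId": 1680,
     "Image": r"C:\Users\Admin\AppData\Local\Temp\cbfwfm.exe",
     "CommandLine": r'"C:\Users\Admin\AppData\Local\Temp\cbfwfm.exe"'},
]

# Directories an unprivileged user can write to; a PE executing from one of
# these below a document-exploit chain is the "Executes dropped EXE" behaviour.
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\users\\public\\", "\\programdata\\")


def image_name(image):
    """Lower-cased file name of an image path (ntpath handles backslashes on any OS)."""
    return ntpath.basename(image).lower()


def lineage(events, pid):
    """Images from `pid` up to the root, child first. The `seen` set guards
    against PID cycles: PIDs are reused on Windows, so real telemetry should
    key on ProcessGuid rather than ProcessId."""
    by_pid = {e["ProcessId"]: e for e in events}
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        chain.append(by_pid[pid]["Image"])
        pid = by_pid[pid]["ParentProcessId"]
    return chain


def triage(events):
    """Return sorted (pid, rule) findings for the chain described in the report."""
    by_pid = {e["ProcessId"]: e for e in events}
    findings = set()
    for e in events:
        pid = e["ProcessId"]
        parent = by_pid.get(e["ParentProcessId"])
        if parent is None:
            continue  # root of the tree as far as this data goes
        parent_img = image_name(parent["Image"])

        # Rule 1: EQNEDT32.EXE should never create processes. Key on the
        # Equation Editor itself as parent: it is activated by DCOM
        # ("-Embedding"), so Excel is not in its lineage and an
        # "Office host spawned a child" rule misses this chain entirely.
        if parent_img == "eqnedt32.exe":
            findings.add((pid, "eqnedt32_spawned_child"))

        # Rule 2: anything descended from Equation Editor that runs from a
        # user-writable directory is a dropped payload (word.exe, cbfwfm.exe).
        ancestors = [image_name(i) for i in lineage(events, e["ParentProcessId"])]
        if "eqnedt32.exe" in ancestors and any(d in e["Image"].lower() for d in USER_WRITABLE):
            findings.add((pid, "dropped_exe_from_user_dir"))

        # Rule 3: a process re-launching its own image is the classic setup
        # for process hollowing. The report's SetThreadContext and
        # MapViewOfSection signatures on the parent corroborate it, but those
        # are API-level facts that process-creation events alone do not carry.
        if e["Image"].lower() == parent["Image"].lower():
            findings.add((pid, "self_relaunch_hollowing_candidate"))
    return sorted(findings)


if __name__ == "__main__":
    for pid, rule in triage(EVENTS):
        print(f"PID {pid:>5}  {rule}")
    print("lineage of 692:", " <- ".join(image_name(i) for i in lineage(EVENTS, 692)))
```

Rule 1 is the one that matters operationally: because Equation Editor arrives through COM activation rather than as a child of the Office host, parent/child rules written around WINWORD.EXE or EXCEL.EXE never see this tree, which is why the report lists EQNEDT32.EXE at the same depth as Excel.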

Network

MITRE ATT&CK Matrix (ATT&CK v6; the technique IDs below are v6 IDs, e.g. T1060 became T1547.001 in later versions)

Execution

Exploitation for Client Execution

1
T1203

Persistence

Registry Run Keys / Startup Folder

1
T1060

Defense Evasion

Modify Registry

2
T1112

Discovery

System Information Discovery

2
T1082

Query Registry

1
T1012


Downloads

  • C:\Users\Admin\AppData\Local\Temp\cagre.ecr
    Filesize

    118KB

    MD5

    f9e7e2b025055998a8e9325cc9cb979a

    SHA1

    5a11be58906d43ca8d8bc0c93c1c56fd44092d06

    SHA256

    f24fb4a0bcc5bcd05d689c600265b84b3312022b1ab83115503a1fe498cf3e4f

    SHA512

    ebce4d867beac04df2e5aea7bd310febcbcc0abbbea0aaea3956c79b85134ce8c4ae7cdf8aed6b83a4cfe36ce73c4bec5df81463fa39239cedce48544c2ce431

  • C:\Users\Admin\AppData\Local\Temp\cbfwfm.exe
    Filesize

    52KB

    MD5

    a508f5e6428e14f8069765a275203762

    SHA1

    dfdfb6030dfff329df129b8867b61fc07d504c23

    SHA256

    a115161d9d3b2fea2752ca1f4e1bc252a39aabac8905a5b9a0d131f051f442f4

    SHA512

    94f57823d6a2ba94bc817e1157b17e615e6e1482872081a8a1398791589a2623d7e933ba2654b01046f64ff70264f3aa3db83807ec2046dd0f151bd39c1693c9

  • C:\Users\Admin\AppData\Local\Temp\ontipan.ad
    Filesize

    7KB

    MD5

    a110333ff38bf9ff2f10115ef7a8d7d2

    SHA1

    3e4525ea307e805efb04ed91d141d691d337e80d

    SHA256

    2a15e782ed7543edf77774fd70223ee754239bf81ef34e0591d6be58ee0d7f13

    SHA512

    36dc22ab774a784417b9dfa391c328b40057f88fa22845e78d8c1a4ad8c4a3ad0417c6fdb04bc253073e729a2df3a9494d605d3a673fbe62dbc599fbdbbeef30

  • C:\Users\Admin\AppData\Roaming\word.exe
    Filesize

    173KB

    MD5

    8680a5f11b1be1a28ee90eac5c6b1a66

    SHA1

    8b98db38f355689079eb6337b5f42ca5af0afa66

    SHA256

    dc323a8e0f5791312026fc4694620848be068af5561fd59e7de1ef56b188cebb

    SHA512

    71464025ee1791af9fd3fbb9b2956c399868e848bd7e16871ffefa4331ee97fb7f97f01308467a7c8b8c1ffd201758007dc7c9aaa719bae2355b7250d3fb6a2d

  • \Users\Admin\AppData\Local\Temp\cbfwfm.exe
    Filesize

    52KB

    MD5

    a508f5e6428e14f8069765a275203762

    SHA1

    dfdfb6030dfff329df129b8867b61fc07d504c23

    SHA256

    a115161d9d3b2fea2752ca1f4e1bc252a39aabac8905a5b9a0d131f051f442f4

    SHA512

    94f57823d6a2ba94bc817e1157b17e615e6e1482872081a8a1398791589a2623d7e933ba2654b01046f64ff70264f3aa3db83807ec2046dd0f151bd39c1693c9

  • \Users\Admin\AppData\Roaming\word.exe
    Filesize

    173KB

    MD5

    8680a5f11b1be1a28ee90eac5c6b1a66

    SHA1

    8b98db38f355689079eb6337b5f42ca5af0afa66

    SHA256

    dc323a8e0f5791312026fc4694620848be068af5561fd59e7de1ef56b188cebb

    SHA512

    71464025ee1791af9fd3fbb9b2956c399868e848bd7e16871ffefa4331ee97fb7f97f01308467a7c8b8c1ffd201758007dc7c9aaa719bae2355b7250d3fb6a2d

  • memory/692-80-0x0000000000400000-0x000000000041D000-memory.dmp
    Filesize

    116KB

  • memory/692-84-0x0000000000400000-0x000000000041D000-memory.dmp
    Filesize

    116KB

  • memory/692-85-0x0000000000400000-0x000000000041D000-memory.dmp
    Filesize

    116KB

  • memory/692-86-0x0000000000400000-0x000000000041D000-memory.dmp
    Filesize

    116KB

  • memory/692-87-0x0000000000400000-0x000000000041D000-memory.dmp
    Filesize

    116KB

  • memory/1388-54-0x000000005FFF0000-0x0000000060000000-memory.dmp
    Filesize

    64KB

  • memory/1388-89-0x000000005FFF0000-0x0000000060000000-memory.dmp
    Filesize

    64KB