Overview

overview

10

Static

static

1

KR22190.xlsx.exe

windows7-x64

10

KR22190.xlsx.exe

windows10-2004-x64

10

Resubmissions

22-03-2023 20:25

230322-y69l1sdb4s 10

Analysis

  • max time kernel
    142s
  • max time network
    155s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
  • submitted
    22-03-2023 20:25

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    KR22190.xlsx.exe

  • Size

    1.3MB

  • MD5

    edc4d988e087a9a91f13d19df5dc7b00

  • SHA1

    716697f5e6e8c3b453ef06feea4aadf581f1929e

  • SHA256

    366d56c69b0267ee6ac2a27cc199911123ed7f511d3e54ac1c69f52236644e84

  • SHA512

    eb0cf37543a8370e33ef76a9fb45f4143a90d841178b4a23cf16d65831f69b37e54e165b62afdbde61727ce66f0bc9b57e1e4138fd1c218ae6866458ba3fedc2

  • SSDEEP

    12288:Uw7JF3ADz1KGRbItXhuWw3L/2TN3SBP8WYXhuFvpmeFM8jdfA3zpWSzOgj:UqaIM72BiBUWFg0Mihm4Szr

Score
10/10
warzoneratinfostealerrat

Malware Config

Extracted

Family

warzonerat

C2

45.137.116.170:5200

Signatures

  • WarzoneRat, AveMaria

    WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.

    ratinfostealerwarzonerat
  • Warzone RAT payload 4 IoCs
    rat
  • Suspicious use of SetThreadContext 1 IoCs
  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 18 IoCs
  • Suspicious use of AdjustPrivilegeToken 5 IoCs
  • Suspicious use of FindShellTrayWindow 44 IoCs
  • Suspicious use of SendNotifyMessage 44 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\KR22190.xlsx.exe
    "C:\Users\Admin\AppData\Local\Temp\KR22190.xlsx.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:3404
    • C:\Users\Admin\AppData\Local\Temp\KR22190.xlsx.exe
      "C:\Users\Admin\AppData\Local\Temp\KR22190.xlsx.exe"
      2⤵
        PID:2144
    • C:\Windows\system32\taskmgr.exe
      "C:\Windows\system32\taskmgr.exe" /7
      1⤵
      • Checks SCSI registry key(s)
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:5004

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Initial Access

    Execution

    Persistence

    Privilege Escalation

    Defense Evasion

    Credential Access

    Discovery

    Query Registry

    1
    T1012

    Peripheral Device Discovery

    1
    T1120

    System Information Discovery

    1
    T1082

    Lateral Movement

    Collection

    Exfiltration

    Command and Control

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • memory/2144-153-0x0000000000400000-0x0000000000568000-memory.dmp
      Filesize

      1.4MB

      Download
    • memory/2144-158-0x0000000000400000-0x0000000000568000-memory.dmp
      Filesize

      1.4MB

      Download
    • memory/2144-157-0x0000000000400000-0x0000000000568000-memory.dmp
      Filesize

      1.4MB

      Download
    • memory/2144-156-0x0000000000400000-0x0000000000568000-memory.dmp
      Filesize

      1.4MB

      Download
    • memory/3404-134-0x0000000005790000-0x0000000005D34000-memory.dmp
      Filesize

      5.6MB

      Download
    • memory/3404-135-0x00000000051E0000-0x0000000005272000-memory.dmp
      Filesize

      584KB

      Download
    • memory/3404-136-0x0000000001270000-0x000000000127A000-memory.dmp
      Filesize

      40KB

      Download
    • memory/3404-137-0x00000000053F0000-0x0000000005400000-memory.dmp
      Filesize

      64KB

      Download
    • memory/3404-138-0x00000000053F0000-0x0000000005400000-memory.dmp
      Filesize

      64KB

      Download
    • memory/3404-139-0x0000000007BB0000-0x0000000007C4C000-memory.dmp
      Filesize

      624KB

      Download
    • memory/3404-133-0x0000000000530000-0x0000000000688000-memory.dmp
      Filesize

      1.3MB

      Download
    • memory/5004-146-0x000002113A180000-0x000002113A181000-memory.dmp
      Filesize

      4KB

      Download
    • memory/5004-148-0x000002113A180000-0x000002113A181000-memory.dmp
      Filesize

      4KB

      Download
    • memory/5004-149-0x000002113A180000-0x000002113A181000-memory.dmp
      Filesize

      4KB

      Download
    • memory/5004-151-0x000002113A180000-0x000002113A181000-memory.dmp
      Filesize

      4KB

      Download
    • memory/5004-152-0x000002113A180000-0x000002113A181000-memory.dmp
      Filesize

      4KB

      Download
    • memory/5004-150-0x000002113A180000-0x000002113A181000-memory.dmp
      Filesize

      4KB

      Download
    • memory/5004-147-0x000002113A180000-0x000002113A181000-memory.dmp
      Filesize

      4KB

      Download
    • memory/5004-142-0x000002113A180000-0x000002113A181000-memory.dmp
      Filesize

      4KB

      Download
    • memory/5004-141-0x000002113A180000-0x000002113A181000-memory.dmp
      Filesize

      4KB

      Download
    • memory/5004-140-0x000002113A180000-0x000002113A181000-memory.dmp
      Filesize

      4KB

      Download