7c4f34556d1064cbe1889b7d6567b6f8baccaa9d33c18b18f7a2dfb0458484d1 | Triage

Analysis

max time kernel
130s
max time network
135s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
26-03-2023 23:12

Sharing

Report Analysis Logs

General

Target

WARZONE RAT 3.03/cratclientd.dll
Size

132KB
MD5

f6dbe80a1b68a734c92375fbbcf4be88
SHA1

cd6a7b57812c891f75e3a40c8f925ef5be48bade
SHA256

d364fe03510f34c22e8b5d25784ba80decae568bd939db66e4cd8b90538d60be
SHA512

59abbb522f6a4f442601190f901846ff7b57e041a25773ea0b7ec03011c2d207bb8e609443dd1a74ad0a13a4e5bef043c584b0da882a5d6619d05871015230e8
SSDEEP

3072:Z3wSeEN8bsEe0wwT+KKpiTxW7Cz4PLT85:ZAEN8bFwIcIqCzILT8

Score

3^/10

Malware Config

Signatures

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3668	3168	WerFault.exe	82

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3260 wrote to memory of 3168	3260	rundll32.exe	82
PID 3260 wrote to memory of 3168	3260	rundll32.exe	82
PID 3260 wrote to memory of 3168	3260	rundll32.exe	82

C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\WARZONE RAT 3.03\cratclientd.dll",#1
1⤵
- Suspicious use of WriteProcessMemory
PID:3260
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe "C:\Users\Admin\AppData\Local\Temp\WARZONE RAT 3.03\cratclientd.dll",#1
  2⤵
  PID:3168
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3168 -s 1072
    3⤵
    - Program crash
    PID:3668

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 3168 -ip 3168
1⤵
PID:4344

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads