Overview

overview

10

Static

static

1

53622e6177...49.exe

windows7-x64

10

53622e6177...49.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    87s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
  • submitted
    27-03-2023 11:15

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    53622e61772d39cd6868b89aaabb8249.exe

  • Size

    193KB

  • MD5

    53622e61772d39cd6868b89aaabb8249

  • SHA1

    97d7be3cbfc038c741d0a0ba0404c147eb2d9b1b

  • SHA256

    ac48e7fdd258315b54625d2c9cc84d555d44b1a82c4e834238500f32d088d58b

  • SHA512

    1e254e3913f2bcd985d96123e8e2f08271f9f1e081a5c39d14afcfc6a1513c76139f980bd25d575845ca85ab2e14881042524a52314321f398558cdb30583d95

  • SSDEEP

    6144:QkdnyRSXGwbtZt2hP4hY9eII6cuH58KCNRJynB:Q3SXt5E4hoeEdmV+

Score
10/10
warzoneratinfostealerpersistencerat

Malware Config

Extracted

Family

warzonerat

C2

46.183.222.62:5353

Signatures

  • WarzoneRat, AveMaria

    WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.

    ratinfostealerwarzonerat
  • Warzone RAT payload 6 IoCs
    rat
  • Executes dropped EXE 2 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Suspicious use of SetThreadContext 2 IoCs
  • Program crash 1 IoCs
  • Suspicious use of WriteProcessMemory 25 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\53622e61772d39cd6868b89aaabb8249.exe
    "C:\Users\Admin\AppData\Local\Temp\53622e61772d39cd6868b89aaabb8249.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:4352
    • C:\Users\Admin\AppData\Local\Temp\53622e61772d39cd6868b89aaabb8249.exe
      "C:\Users\Admin\AppData\Local\Temp\53622e61772d39cd6868b89aaabb8249.exe"
      2⤵
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:2264
      • C:\Users\Admin\Documents\images.exe
        "C:\Users\Admin\Documents\images.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious use of WriteProcessMemory
        PID:1076
        • C:\Users\Admin\Documents\images.exe
          "C:\Users\Admin\Documents\images.exe"
          4⤵
          • Executes dropped EXE
          PID:3928
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -u -p 3928 -s 544
            5⤵
            • Program crash
            PID:4532
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 3928 -ip 3928
    1⤵
      PID:2044

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Initial Access

    Execution

    Persistence

    Registry Run Keys / Startup Folder

    1
    T1060

    Privilege Escalation

    Defense Evasion

    Modify Registry

    1
    T1112

    Credential Access

    Discovery

    Lateral Movement

    Collection

    Exfiltration

    Command and Control

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\Documents\images.exe
      Filesize

      193KB

      MD5

      53622e61772d39cd6868b89aaabb8249

      SHA1

      97d7be3cbfc038c741d0a0ba0404c147eb2d9b1b

      SHA256

      ac48e7fdd258315b54625d2c9cc84d555d44b1a82c4e834238500f32d088d58b

      SHA512

      1e254e3913f2bcd985d96123e8e2f08271f9f1e081a5c39d14afcfc6a1513c76139f980bd25d575845ca85ab2e14881042524a52314321f398558cdb30583d95

      Download Submit
    • C:\Users\Admin\Documents\images.exe
      Filesize

      193KB

      MD5

      53622e61772d39cd6868b89aaabb8249

      SHA1

      97d7be3cbfc038c741d0a0ba0404c147eb2d9b1b

      SHA256

      ac48e7fdd258315b54625d2c9cc84d555d44b1a82c4e834238500f32d088d58b

      SHA512

      1e254e3913f2bcd985d96123e8e2f08271f9f1e081a5c39d14afcfc6a1513c76139f980bd25d575845ca85ab2e14881042524a52314321f398558cdb30583d95

      Download Submit
    • C:\Users\Admin\Documents\images.exe
      Filesize

      193KB

      MD5

      53622e61772d39cd6868b89aaabb8249

      SHA1

      97d7be3cbfc038c741d0a0ba0404c147eb2d9b1b

      SHA256

      ac48e7fdd258315b54625d2c9cc84d555d44b1a82c4e834238500f32d088d58b

      SHA512

      1e254e3913f2bcd985d96123e8e2f08271f9f1e081a5c39d14afcfc6a1513c76139f980bd25d575845ca85ab2e14881042524a52314321f398558cdb30583d95

      Download Submit
    • memory/2264-141-0x0000000000400000-0x000000000055C000-memory.dmp
      Filesize

      1.4MB

      Download
    • memory/2264-137-0x0000000000400000-0x000000000055C000-memory.dmp
      Filesize

      1.4MB

      Download
    • memory/2264-140-0x0000000000400000-0x000000000055C000-memory.dmp
      Filesize

      1.4MB

      Download
    • memory/2264-146-0x0000000000400000-0x000000000055C000-memory.dmp
      Filesize

      1.4MB

      Download
    • memory/3928-155-0x0000000000700000-0x000000000085C000-memory.dmp
      Filesize

      1.4MB

      Download
    • memory/3928-160-0x0000000000700000-0x000000000085C000-memory.dmp
      Filesize

      1.4MB

      Download
    • memory/4352-133-0x0000000000DE0000-0x0000000000E16000-memory.dmp
      Filesize

      216KB

      Download
    • memory/4352-136-0x0000000005910000-0x0000000005920000-memory.dmp
      Filesize

      64KB

      Download
    • memory/4352-135-0x0000000005790000-0x00000000057F6000-memory.dmp
      Filesize

      408KB

      Download
    • memory/4352-134-0x0000000005C90000-0x0000000006234000-memory.dmp
      Filesize

      5.6MB

      Download