Analysis

  • max time kernel
    143s
  • max time network
    136s
  • platform
    windows7_x64
  • resource
    win7-20230220-en
  • resource tags

    arch:x64
    arch:x86
    image:win7-20230220-en
    locale:en-us
    os:windows7-x64
    system
  • submitted
    06/05/2023, 01:31

General

  • Target

    ec0f998453e3125596d9907d4e5fdfc367ddee82239fadc50a7c67ed1cad4c64.xlsx

  • Size

    896KB

  • MD5

    2e5428a15a37026ad74f3bf13f15ce40

  • SHA1

    f97238cfc6bf1c84ae8d69df7ca5461bb764460c

  • SHA256

    ec0f998453e3125596d9907d4e5fdfc367ddee82239fadc50a7c67ed1cad4c64

  • SHA512

    74d9d48a2dc06ce9cb302adb36fe009380272a6c47a3ac73d47f1eb23ddcaaf0dd5b3bd457fe0d2d60455c0b7c8bd97bdbf9f2ba38a04959b3b4ed1873257cb8

  • SSDEEP

    12288:70CxAvsDoysUIRudr2mFsBoI+MAgQCeAwcdpc3BnVmtflCXKaK8UAoiDAVth:wGhWUI8didBoI7MUETwAKapoPjh

Malware Config

Extracted

Family

warzonerat

C2

jeron7.duckdns.org:2905
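
The extracted C2 is a dynamic-DNS name, so the hostname (not the resolved IP, which changes) is the durable indicator. The following is an added example for matching DNS and connection logs against it; it is not part of the sandbox report. The log line format, the sample lines, and the list of dynamic-DNS suffixes are constructed assumptions; adapt the two regexes to your own DNS or flow source.

```python
"""Match DNS and connection logs against the WarzoneRAT C2 from this report.

Added example; not part of the sandbox report.  The log format is a
constructed, simplified one:
    "<ts> <host> dns <qname>"
    "<ts> <host> conn <dst_ip>:<port> [host=<name>]"
Adapt DNS_RE / CONN_RE to your own DNS or flow source.
"""
import re
from dataclasses import dataclass

# IOC extracted by the sandbox (Malware Config section).
C2_HOST = "jeron7.duckdns.org"
C2_PORT = 2905

# Dynamic-DNS providers commonly abused for RAT C2 (assumed list); a hit here
# is a weak, contextual signal, not proof of infection.
DYNDNS_SUFFIXES = ("duckdns.org", "no-ip.com", "ddns.net", "hopto.org")

# Constructed sample log (not real telemetry).
SAMPLE_LOG = """\
2023-05-06T01:32:10Z WS042 dns jeron7.duckdns.org
2023-05-06T01:32:11Z WS042 conn 203.0.113.7:2905 host=jeron7.duckdns.org
2023-05-06T01:33:00Z WS017 dns update.example.com
2023-05-06T01:33:05Z WS017 conn 198.51.100.2:443 host=update.example.com
2023-05-06T01:34:00Z WS099 dns camera.duckdns.org
"""

DNS_RE = re.compile(r"^(\S+) (\S+) dns (\S+)$")
CONN_RE = re.compile(r"^(\S+) (\S+) conn (\S+):(\d+)(?: host=(\S+))?$")


@dataclass(frozen=True)
class Finding:
    ts: str
    src: str
    severity: str  # "high" = known IOC, "medium"/"low" = contextual signal
    reason: str


def _norm(name: str) -> str:
    return name.lower().rstrip(".")


def is_dyndns(name: str) -> bool:
    n = _norm(name)
    return any(n == s or n.endswith("." + s) for s in DYNDNS_SUFFIXES)


def scan_log(text: str) -> list:
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = DNS_RE.match(line)
        if m:
            ts, src, qname = m.groups()
            if _norm(qname) == C2_HOST:
                findings.append(Finding(ts, src, "high", f"DNS lookup of known C2 {qname}"))
            elif is_dyndns(qname):
                findings.append(Finding(ts, src, "low", f"DNS lookup of dynamic-DNS name {qname}"))
            continue
        m = CONN_RE.match(line)
        if m:
            ts, src, dst, port, host = m.groups()
            port = int(port)
            if host and _norm(host) == C2_HOST:
                findings.append(Finding(ts, src, "high", f"connection to known C2 {host}:{port}"))
            elif port == C2_PORT and (host is None or is_dyndns(host)):
                # The port alone is weak evidence; require a missing or dynamic-DNS hostname.
                findings.append(Finding(ts, src, "medium", f"connection to {dst}:{port} (C2 port)"))
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f.severity:6} {f.ts} {f.src}: {f.reason}")
```

Matching on the hostname rather than the resolved address matters here because duckdns names are re-pointed freely; a resolved IP captured during one sandbox run is stale within days.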

Signatures

  • WarzoneRat, AveMaria

    WarzoneRAT (also tracked as AveMaria) is a native Windows RAT written in C++ and sold as malware-as-a-service (MaaS), with a plugin architecture for additional capabilities.

  • Warzone RAT payload 4 IoCs
  • Blocklisted process makes network request 3 IoCs
  • Downloads MZ/PE file
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Enumerates system info in registry 2 TTPs 1 IoCs
  • Launches Equation Editor 1 TTPs 1 IoCs

    Equation Editor (EQNEDT32.EXE) is a legacy Office component often targeted by exploits such as CVE-2017-11882. It is started out-of-process via COM (note the "-Embedding" argument in the process list), so it appears alongside the Office process rather than as its child.

  • Modifies Internet Explorer settings 1 TTPs 31 IoCs
  • Modifies registry class 64 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs
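
The "Adds Run key" signature records persistence but not the value that was written. Below is an added example (not part of the sandbox report) that audits Run-key entries, as printed by `reg query`, for binaries living in user-writable directories. The sample output is constructed; the value name "word" and the other two entries are assumptions used for illustration.

```python
"""Audit Run-key persistence entries for binaries in user-writable paths.

Added example; not part of the sandbox report.  The input mimics the text
printed by `reg query HKCU\...\Run`.  It is constructed: the value name
"word" is an assumption, the report only records that a Run key was added.
"""
import re

SAMPLE_REG_QUERY = r"""
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    OneDrive    REG_SZ    "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background
    word    REG_SZ    C:\Users\Admin\AppData\Roaming\word.exe
    Updater    REG_EXPAND_SZ    %TEMP%\upd.exe /silent
"""

KEY_RE = re.compile(r"^(HK[A-Z_]+\\\S+)$")
VALUE_RE = re.compile(r"^\s+(\S+)\s+(REG_\w+)\s+(.*?)\s*$")
# Directories a non-admin user can write to; a Run entry pointing here is
# worth a look, while AppData\Local (e.g. OneDrive) is too common to flag.
SUSPICIOUS_DIRS = re.compile(
    r"(\\appdata\\roaming\\|\\appdata\\local\\temp\\|%appdata%|%temp%|"
    r"\\programdata\\|\\users\\public\\)",
    re.I,
)


def extract_exe(command: str) -> str:
    """Return the executable path from a Run value's command line."""
    cmd = command.strip()
    if cmd.startswith('"'):
        return cmd[1:cmd.find('"', 1)]
    # Unquoted: take everything up to the first ".exe" (paths may contain spaces).
    m = re.match(r"(.*?\.exe)", cmd, re.I)
    return m.group(1) if m else cmd.split()[0]


def audit_run_keys(text: str) -> list:
    """Return (key, value_name, exe_path) for entries in suspicious directories."""
    findings = []
    key = None
    for line in text.splitlines():
        km = KEY_RE.match(line)
        if km:
            key = km.group(1)
            continue
        vm = VALUE_RE.match(line)
        if vm and key:
            name, _type, data = vm.groups()
            exe = extract_exe(data)
            if SUSPICIOUS_DIRS.search(exe):
                findings.append((key, name, exe))
    return findings


if __name__ == "__main__":
    for key, name, exe in audit_run_keys(SAMPLE_REG_QUERY):
        print(f"{key}\\{name} -> {exe}")
```

Run it against `reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run` and the HKLM equivalent; REG_EXPAND_SZ values are checked before expansion so `%TEMP%` and `%APPDATA%` references are caught as written.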

Processes

  • C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\ec0f998453e3125596d9907d4e5fdfc367ddee82239fadc50a7c67ed1cad4c64.xlsx
    1⤵
    • Enumerates system info in registry
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    PID:1928
  • C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
    "C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
    1⤵
    • Blocklisted process makes network request
    • Loads dropped DLL
    • Launches Equation Editor
    • Suspicious use of WriteProcessMemory
    PID:584
    • C:\Users\Admin\AppData\Roaming\word.exe
      C:\Users\Admin\AppData\Roaming\word.exe
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Adds Run key to start application
      • Suspicious use of SetThreadContext
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of WriteProcessMemory
      PID:984
      • C:\Users\Admin\AppData\Roaming\word.exe
        "C:\Users\Admin\AppData\Roaming\word.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetWindowsHookEx
        PID:1932
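
The tree above is the chain a detection should key on: Equation Editor starts, spawns a dropped executable from AppData\Roaming, and that executable relaunches itself (the SetThreadContext / WriteProcessMemory / MapViewOfSection combination on the second instance is the usual hollowing pattern). The following is an added example, not part of the sandbox report, that flags those three conditions in process-creation telemetry. The events are a constructed, simplified form of Sysmon event 1 / 4688 records that mirror the report's tree; the parent PIDs 600 and 700 are assumed stand-ins for svchost.exe and explorer.exe.

```python
"""Flag the Equation Editor -> dropped-EXE chain in process-creation telemetry.

Added example; not part of the sandbox report.  EVENTS is a constructed,
simplified form of Sysmon EID 1 / 4688 records mirroring the report's tree.
EQNEDT32.EXE is started via COM ("-Embedding"), so its parent is the COM
launcher (svchost.exe, assumed PID 600 here), not EXCEL.EXE; a rule keyed
on "Excel spawns EQNEDT32" would miss it.
"""
import ntpath
import re
from dataclasses import dataclass

EVENTS = [
    {"pid": 1928, "ppid": 700,
     "image": r"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE"},
    {"pid": 584, "ppid": 600,
     "image": r"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE"},
    {"pid": 984, "ppid": 584, "image": r"C:\Users\Admin\AppData\Roaming\word.exe"},
    {"pid": 1932, "ppid": 984, "image": r"C:\Users\Admin\AppData\Roaming\word.exe"},
    {"pid": 3000, "ppid": 700, "image": r"C:\Windows\System32\notepad.exe"},  # benign
]

USER_WRITABLE = re.compile(
    r"\\(appdata\\(roaming|local\\temp)|programdata|users\\public)\\", re.I)


@dataclass(frozen=True)
class Finding:
    severity: str
    pid: int
    reason: str


def analyze(events: list) -> list:
    children = {}
    for e in events:
        children.setdefault(e["ppid"], []).append(e)
    findings = []
    for e in events:
        pid, image = e["pid"], e["image"]
        name = ntpath.basename(image).lower()
        kids = children.get(pid, [])
        if name == "eqnedt32.exe":
            findings.append(Finding("medium", pid,
                "Equation Editor started (legacy component, CVE-2017-11882 target)"))
            # Equation Editor has no legitimate reason to spawn anything.
            for c in kids:
                findings.append(Finding("high", c["pid"],
                    f"EQNEDT32.EXE (PID {pid}) spawned {c['image']}"))
        if USER_WRITABLE.search(image):
            findings.append(Finding("medium", pid,
                f"executable running from user-writable path {image}"))
        for c in kids:
            # Same image relaunching itself: typical of hollowing into a fresh copy.
            if c["image"].lower() == image.lower():
                findings.append(Finding("medium", c["pid"],
                    f"{name} relaunched itself (PID {pid} -> {c['pid']}); hollowing candidate"))
    return findings


def lineage(events: list, pid: int) -> list:
    """Image names from the oldest known ancestor down to pid."""
    by_pid = {e["pid"]: e for e in events}
    chain = []
    while pid in by_pid:
        chain.append(ntpath.basename(by_pid[pid]["image"]))
        pid = by_pid[pid]["ppid"]
    return chain[::-1]


if __name__ == "__main__":
    for f in analyze(EVENTS):
        print(f"{f.severity:6} PID {f.pid}: {f.reason}")
    print(" -> ".join(lineage(EVENTS, 1932)))
```

The "high" finding (Equation Editor with a child process) is the one to alert on by itself; the others are corroborating context that a single benign install would also produce.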

        Downloads

        • C:\Users\Admin\AppData\Roaming\word.exe

          Filesize

          153KB

          MD5

          c544c36f9031c1c13c9444edc245f55f

          SHA1

          b1612c0b6e8ad7fcfd8bf44fdbeb08e88ac52b57

          SHA256

          ed5f71edcd297159229c6f8eb7894d5df258826136a6631f9107381da63f678b

          SHA512

          fd1e1dd205c4bec2c83e7c4ef0c0ec820533815f13190dc1f645b60f31a6bb41d0311794e64dcb9d91db2325445200103e65e3769760da10dd43b367498738ac

        • \Users\Admin\AppData\Local\Temp\nsy37B6.tmp\graaj.dll

          Filesize

          12KB

          MD5

          efcaa4781922783ffdda3336fe6336f9

          SHA1

          20917d68b0cd5cdc11230617c193c423d4bb90ee

          SHA256

          2f723a0d2623062f009f74fe6395caa45345b3bf274ffcdffd766c019deb1bd9

          SHA512

          f11ba1a3e0ec1b7670317b73f7110688bc5a229a6a6198ffa7c196a45df078213019bc6ce943d6623f184b2a1ca57f233f11a8a32f5ba98ff312094419459f48

        • \Users\Admin\AppData\Roaming\word.exe

          Filesize

          153KB

          MD5

          c544c36f9031c1c13c9444edc245f55f

          SHA1

          b1612c0b6e8ad7fcfd8bf44fdbeb08e88ac52b57

          SHA256

          ed5f71edcd297159229c6f8eb7894d5df258826136a6631f9107381da63f678b

          SHA512

          fd1e1dd205c4bec2c83e7c4ef0c0ec820533815f13190dc1f645b60f31a6bb41d0311794e64dcb9d91db2325445200103e65e3769760da10dd43b367498738ac

        • memory/984-88-0x0000000002BF0000-0x0000000002BF2000-memory.dmp

          Filesize

          8KB

        • memory/1928-54-0x000000005FFF0000-0x0000000060000000-memory.dmp

          Filesize

          64KB

        • memory/1928-104-0x000000005FFF0000-0x0000000060000000-memory.dmp

          Filesize

          64KB

        • memory/1932-89-0x0000000000400000-0x000000000041D000-memory.dmp

          Filesize

          116KB

        • memory/1932-92-0x0000000000400000-0x000000000041D000-memory.dmp

          Filesize

          116KB

        • memory/1932-93-0x0000000000400000-0x000000000041D000-memory.dmp

          Filesize

          116KB

        • memory/1932-94-0x0000000000400000-0x000000000041D000-memory.dmp

          Filesize

          116KB