Overview

overview

10

Static

static

3

file.exe

windows7-x64

10

file.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    31s
  • max time network
    34s
  • platform
    windows7_x64
  • resource
    win7-20230220-en
  • resource tags

    arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
  • submitted
    01/06/2023, 10:21

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    file.exe

  • Size

    403KB

  • MD5

    fed4e5c5a6289646dbfeaf2a6ac1837d

  • SHA1

    7e26ff3f359cce161296f051be5d9e5347185cca

  • SHA256

    ca3affd71eef006c116efd75c7a5b44e1d4af1749dc14f24a103f21d22190af5

  • SHA512

    02e94a04a5e95e785c07099f5cafd5b47924b6f60b103a6d7a2c1059f0e7d73c0a5cb77cfb4fd2fcaf8fa4791a8eeea6cc8aabe52ecf3ce45e811b76c548b6e4

  • SSDEEP

    6144:fjNyCpEwbIE8BFbkP7OTcpdW4RluwlbUgSoGfMBhm6NXNiqYzOvFbt:1EwbIE8HAP7PW4jFlwFfUhm6NMqYz8H

Score
10/10
warzoneratevasioninfostealerpersistencerattrojan

Malware Config

Extracted

Family

warzonerat

C2

91.193.75.154:4449

Signatures

  • UAC bypass 3 TTPs 1 IoCs
    evasiontrojan
  • WarzoneRat, AveMaria

    WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.

    ratinfostealerwarzonerat
  • Looks for VirtualBox Guest Additions in registry 2 TTPs 2 IoCs
    evasion
  • Warzone RAT payload 1 IoCs
    rat
  • Looks for VMWare Tools registry key 2 TTPs 2 IoCs
    evasion
  • Sets service image path in registry 2 TTPs 1 IoCs
    persistence
  • Checks BIOS information in registry 2 TTPs 4 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Uses the VBS compiler for execution 1 TTPs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 2 IoCs
    evasiontrojan
  • Maps connected drives based on registry 3 TTPs 4 IoCs

    Disk information is often read in order to detect sandboxing environments.

  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 1 IoCs
  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Delays execution with timeout.exe 1 IoCs
    evasion
  • Suspicious behavior: EnumeratesProcesses 16 IoCs
  • Suspicious behavior: LoadsDriver 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 5 IoCs
  • Suspicious use of WriteProcessMemory 58 IoCs
  • System policy modification 1 TTPs 1 IoCs
    evasion
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\file.exe
    "C:\Users\Admin\AppData\Local\Temp\file.exe"
    1⤵
    • Looks for VirtualBox Guest Additions in registry
    • Looks for VMWare Tools registry key
    • Checks BIOS information in registry
    • Adds Run key to start application
    • Maps connected drives based on registry
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1764
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\Admin\AppData\Roaming\svchost.exe"' & exit
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1916
      • C:\Windows\system32\schtasks.exe
        schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\Admin\AppData\Roaming\svchost.exe"'
        3⤵
        • Creates scheduled task(s)
        PID:552
    • C:\Windows\system32\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp723.tmp.bat""
      2⤵
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:1420
      • C:\Windows\system32\timeout.exe
        timeout 3
        3⤵
        • Delays execution with timeout.exe
        PID:832
      • C:\Users\Admin\AppData\Roaming\svchost.exe
        "C:\Users\Admin\AppData\Roaming\svchost.exe"
        3⤵
        • UAC bypass
        • Looks for VirtualBox Guest Additions in registry
        • Looks for VMWare Tools registry key
        • Sets service image path in registry
        • Checks BIOS information in registry
        • Executes dropped EXE
        • Checks whether UAC is enabled
        • Maps connected drives based on registry
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: LoadsDriver
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        • System policy modification
        PID:580
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\svchost.exe" -Force
          4⤵
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:936
        • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regtlibv12.exe
          "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regtlibv12.exe"
          4⤵
            PID:980
          • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regsql.exe
            "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regsql.exe"
            4⤵
              PID:1500
            • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe
              "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe"
              4⤵
                PID:1928
              • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
                "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"
                4⤵
                  PID:1544
                • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe
                  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe"
                  4⤵
                    PID:988
                  • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
                    "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe"
                    4⤵
                      PID:836
                    • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AppLaunch.exe
                      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AppLaunch.exe"
                      4⤵
                        PID:1652
                      • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SetupCache\v4.7.03062\Setup.exe
                        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SetupCache\v4.7.03062\Setup.exe"
                        4⤵
                        • Suspicious use of WriteProcessMemory
                        PID:1668
                        • C:\Windows\SysWOW64\WerFault.exe
                          C:\Windows\SysWOW64\WerFault.exe -u -p 1668 -s 304
                          5⤵
                          • Program crash
                          PID:1180

                Network

                      MITRE ATT&CK Enterprise v6

                      Replay Monitor

                      Loading Replay Monitor...

                      Downloads

                      • C:\Users\Admin\AppData\Local\Temp\tmp723.tmp.bat
                        Filesize

                        150B

                        MD5

                        4521243bc4bbb82b9361bffd9a908233

                        SHA1

                        52391915a177cd3c828b9758023d5f041ac26934

                        SHA256

                        b82dc771857cbf8d9535ddf52bf13cbd55b097a10962f6852d74928b63298a94

                        SHA512

                        861ddf1e072376ef82600656f6a9fd0fe8236597c4ebba88f1cb24e050014c76978d7f1f1430b54b61c5bead4b6ea449e9931163c49e53b88189f8884fe6c182

                        Download Submit

                      • C:\Users\Admin\AppData\Local\Temp\tmp723.tmp.bat
                        Filesize

                        150B

                        MD5

                        4521243bc4bbb82b9361bffd9a908233

                        SHA1

                        52391915a177cd3c828b9758023d5f041ac26934

                        SHA256

                        b82dc771857cbf8d9535ddf52bf13cbd55b097a10962f6852d74928b63298a94

                        SHA512

                        861ddf1e072376ef82600656f6a9fd0fe8236597c4ebba88f1cb24e050014c76978d7f1f1430b54b61c5bead4b6ea449e9931163c49e53b88189f8884fe6c182

                        Download Submit

                      • C:\Users\Admin\AppData\Roaming\svchost.exe
                        Filesize

                        403KB

                        MD5

                        fed4e5c5a6289646dbfeaf2a6ac1837d

                        SHA1

                        7e26ff3f359cce161296f051be5d9e5347185cca

                        SHA256

                        ca3affd71eef006c116efd75c7a5b44e1d4af1749dc14f24a103f21d22190af5

                        SHA512

                        02e94a04a5e95e785c07099f5cafd5b47924b6f60b103a6d7a2c1059f0e7d73c0a5cb77cfb4fd2fcaf8fa4791a8eeea6cc8aabe52ecf3ce45e811b76c548b6e4

                        Download Submit

                      • C:\Users\Admin\AppData\Roaming\svchost.exe
                        Filesize

                        403KB

                        MD5

                        fed4e5c5a6289646dbfeaf2a6ac1837d

                        SHA1

                        7e26ff3f359cce161296f051be5d9e5347185cca

                        SHA256

                        ca3affd71eef006c116efd75c7a5b44e1d4af1749dc14f24a103f21d22190af5

                        SHA512

                        02e94a04a5e95e785c07099f5cafd5b47924b6f60b103a6d7a2c1059f0e7d73c0a5cb77cfb4fd2fcaf8fa4791a8eeea6cc8aabe52ecf3ce45e811b76c548b6e4

                        Download Submit

                      • \Users\Admin\AppData\Roaming\svchost.exe
                        Filesize

                        403KB

                        MD5

                        fed4e5c5a6289646dbfeaf2a6ac1837d

                        SHA1

                        7e26ff3f359cce161296f051be5d9e5347185cca

                        SHA256

                        ca3affd71eef006c116efd75c7a5b44e1d4af1749dc14f24a103f21d22190af5

                        SHA512

                        02e94a04a5e95e785c07099f5cafd5b47924b6f60b103a6d7a2c1059f0e7d73c0a5cb77cfb4fd2fcaf8fa4791a8eeea6cc8aabe52ecf3ce45e811b76c548b6e4

                        Download Submit

                      • memory/580-69-0x0000000000280000-0x00000000002EA000-memory.dmp

                        Filesize

                        424KB

                        Download

                      • memory/580-70-0x000000001AC10000-0x000000001AC90000-memory.dmp

                        Filesize

                        512KB

                        Download

                      • memory/936-76-0x000000001B330000-0x000000001B612000-memory.dmp

                        Filesize

                        2.9MB

                        Download

                      • memory/936-77-0x0000000001DF0000-0x0000000001DF8000-memory.dmp

                        Filesize

                        32KB

                        Download

                      • memory/936-79-0x0000000002514000-0x0000000002517000-memory.dmp

                        Filesize

                        12KB

                        Download

                      • memory/936-80-0x000000000251B000-0x0000000002552000-memory.dmp

                        Filesize

                        220KB

                        Download

                      • memory/1668-78-0x0000000000400000-0x000000000055C000-memory.dmp

                        Filesize

                        1.4MB

                        Download

                      • memory/1764-55-0x000000001BF40000-0x000000001BFC0000-memory.dmp

                        Filesize

                        512KB

                        Download

                      • memory/1764-54-0x00000000013A0000-0x000000000140A000-memory.dmp

                        Filesize

                        424KB

                        Download