Overview

overview

10

Static

static

1

PO No 4000302979.rtf

windows7-x64

10

PO No 4000302979.rtf

windows10-2004-x64

1

Analysis

  • max time kernel
    143s
  • max time network
    148s
  • platform
    windows7_x64
  • resource
    win7-20230220-en
  • resource tags

    arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
  • submitted
    16/06/2023, 13:45

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    PO No 4000302979.rtf

  • Size

    82KB

  • MD5

    10cd284660133c5f8f33cc4cccc0f34f

  • SHA1

    5baa5806ea5b7eb7da3d7b89910f48922da579b9

  • SHA256

    de716a5e98013894445471b78da71e1a68739adb4573ec3e4d01c110ee41b957

  • SHA512

    1d0446c03b12308dad5b667d24e7a0d648284a6a1c1a647f3c07b4ec7bb7bbdeb25d1f08225c1a05cc84ab2f0025559a26314d37d5b3d9b5ac54562b92fb9236

  • SSDEEP

    1536:sZMVZ0XrRo57uHQOuiI838wahKC+UBcGJBxWnj+xU2HXDGPqtVkuE5gcM/:sZoZ0Xa7uwv8sVhKC+DABxWnj+xbHXmO

Score
10/10
warzoneratinfostealerpersistencerat

Malware Config

Extracted

Family

warzonerat

C2

ifedinma.duckdns.org:6060

Signatures

  • WarzoneRat, AveMaria

    WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.

    ratinfostealerwarzonerat
  • Warzone RAT payload 5 IoCs
    rat
  • Blocklisted process makes network request 1 IoCs
  • Downloads MZ/PE file
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Suspicious use of SetThreadContext 1 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Office loads VBA resources, possible macro or embedded object present
  • Launches Equation Editor 1 TTPs 1 IoCs

    Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.

    exploit
  • Modifies Internet Explorer settings 1 TTPs 31 IoCs
    adwarespyware
  • Modifies registry class 64 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of SetWindowsHookEx 3 IoCs
  • Suspicious use of WriteProcessMemory 13 IoCs

Processes

  • C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\PO No 4000302979.rtf"
    1⤵
    • Drops file in Windows directory
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1712
    • C:\Windows\splwow64.exe
      C:\Windows\splwow64.exe 12288
      2⤵
        PID:1348
    • C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
      "C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
      1⤵
      • Blocklisted process makes network request
      • Loads dropped DLL
      • Launches Equation Editor
      • Suspicious use of WriteProcessMemory
      PID:2004
      • C:\Users\Admin\AppData\Roaming\word.exe
        C:\Users\Admin\AppData\Roaming\word.exe
        2⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Adds Run key to start application
        • Suspicious use of SetThreadContext
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of WriteProcessMemory
        PID:1108
        • C:\Users\Admin\AppData\Roaming\word.exe
          "C:\Users\Admin\AppData\Roaming\word.exe"
          3⤵
          • Executes dropped EXE
          • Suspicious use of SetWindowsHookEx
          PID:1540

    Network

          MITRE ATT&CK Enterprise v6

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Users\Admin\AppData\Local\Temp\nsj3621.tmp\xuylkwv.dll
            Filesize

            41KB

            MD5

            70c259078c90aec9596cd8d70f888fea

            SHA1

            00a675ea29aa2edd9e33827dc8c10632267c5b0d

            SHA256

            00f19d2772c9ceef52e6fcdef53b07ae2811c58a4e12b2d7b00d353360d63217

            SHA512

            3f5803fe5af71098674695bed6b1709e49741dfcb31a747aa634258bf67773bfe2c7c52744cfec317f982aed0d65b88b7c0a78250d911dfe17e1b51bd93c7e3c

            Download Submit

          • C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm
            Filesize

            20KB

            MD5

            4a1e56d9ad7af323b4f6fd6b20926516

            SHA1

            e2b6e5d447661aefec07a8f752c80785b52a74d6

            SHA256

            e7bcb5476a85a1dc9adef3d97a39ea85ace123b30d6feb9a08417e71562c9743

            SHA512

            b19441654d2aa02e947bd1fdc870e68965a16d09c9c27acede09b96242287b23fd89ddb916386d4245662f2d3f9f5f93e36298c943417ffec1b3a8a29d1e69f0

            Download Submit

          • C:\Users\Admin\AppData\Roaming\word.exe
            Filesize

            192KB

            MD5

            6bfbaed7319c39250417b5c2abe69c95

            SHA1

            9d7608d04c5216ab064b94a040a9826eadf3c506

            SHA256

            f7496f108391338372913fefa715d2828bfbbf8178b9702e7e6b5f9b8db5b0fb

            SHA512

            a343ffe30b19734da756895d2d4e589363cb2dd97f62511e01651162b9e1494dc14153d67b7f632f2fc878ee406101886e766e232b8f32aaf36df6053ad73da6

            Download Submit

          • C:\Users\Admin\AppData\Roaming\word.exe
            Filesize

            192KB

            MD5

            6bfbaed7319c39250417b5c2abe69c95

            SHA1

            9d7608d04c5216ab064b94a040a9826eadf3c506

            SHA256

            f7496f108391338372913fefa715d2828bfbbf8178b9702e7e6b5f9b8db5b0fb

            SHA512

            a343ffe30b19734da756895d2d4e589363cb2dd97f62511e01651162b9e1494dc14153d67b7f632f2fc878ee406101886e766e232b8f32aaf36df6053ad73da6

            Download Submit

          • C:\Users\Admin\AppData\Roaming\word.exe
            Filesize

            192KB

            MD5

            6bfbaed7319c39250417b5c2abe69c95

            SHA1

            9d7608d04c5216ab064b94a040a9826eadf3c506

            SHA256

            f7496f108391338372913fefa715d2828bfbbf8178b9702e7e6b5f9b8db5b0fb

            SHA512

            a343ffe30b19734da756895d2d4e589363cb2dd97f62511e01651162b9e1494dc14153d67b7f632f2fc878ee406101886e766e232b8f32aaf36df6053ad73da6

            Download Submit

          • C:\Users\Admin\AppData\Roaming\word.exe
            Filesize

            192KB

            MD5

            6bfbaed7319c39250417b5c2abe69c95

            SHA1

            9d7608d04c5216ab064b94a040a9826eadf3c506

            SHA256

            f7496f108391338372913fefa715d2828bfbbf8178b9702e7e6b5f9b8db5b0fb

            SHA512

            a343ffe30b19734da756895d2d4e589363cb2dd97f62511e01651162b9e1494dc14153d67b7f632f2fc878ee406101886e766e232b8f32aaf36df6053ad73da6

            Download Submit

          • \Users\Admin\AppData\Local\Temp\nsj3621.tmp\xuylkwv.dll
            Filesize

            41KB

            MD5

            70c259078c90aec9596cd8d70f888fea

            SHA1

            00a675ea29aa2edd9e33827dc8c10632267c5b0d

            SHA256

            00f19d2772c9ceef52e6fcdef53b07ae2811c58a4e12b2d7b00d353360d63217

            SHA512

            3f5803fe5af71098674695bed6b1709e49741dfcb31a747aa634258bf67773bfe2c7c52744cfec317f982aed0d65b88b7c0a78250d911dfe17e1b51bd93c7e3c

            Download Submit

          • \Users\Admin\AppData\Roaming\word.exe
            Filesize

            192KB

            MD5

            6bfbaed7319c39250417b5c2abe69c95

            SHA1

            9d7608d04c5216ab064b94a040a9826eadf3c506

            SHA256

            f7496f108391338372913fefa715d2828bfbbf8178b9702e7e6b5f9b8db5b0fb

            SHA512

            a343ffe30b19734da756895d2d4e589363cb2dd97f62511e01651162b9e1494dc14153d67b7f632f2fc878ee406101886e766e232b8f32aaf36df6053ad73da6

            Download Submit

          • memory/1108-74-0x0000000001C60000-0x0000000001C62000-memory.dmp

            Filesize

            8KB

            Download

          • memory/1540-76-0x0000000000400000-0x000000000041D000-memory.dmp

            Filesize

            116KB

            Download

          • memory/1540-80-0x0000000000400000-0x000000000041D000-memory.dmp

            Filesize

            116KB

            Download

          • memory/1540-82-0x0000000000400000-0x000000000041D000-memory.dmp

            Filesize

            116KB

            Download

          • memory/1540-88-0x0000000000400000-0x000000000041D000-memory.dmp

            Filesize

            116KB

            Download

          • memory/1540-89-0x0000000000400000-0x000000000041D000-memory.dmp

            Filesize

            116KB

            Download

          • memory/1712-54-0x000000005FFF0000-0x0000000060000000-memory.dmp

            Filesize

            64KB

            Download

          • memory/1712-115-0x000000005FFF0000-0x0000000060000000-memory.dmp

            Filesize

            64KB

            Download