Overview

overview

10

Static

static

3

PURCHASE ORDER.exe

windows7-x64

10

PURCHASE ORDER.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    144s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230703-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
  • submitted
    08-08-2023 18:42

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    PURCHASE ORDER.exe

  • Size

    678KB

  • MD5

    a2fe6a19174c433e304629876ae3e83e

  • SHA1

    7fdfd511b37459a131acba5fd4cfaeac2596bb00

  • SHA256

    4aed7e79799b99831a8e43da5e4ead88792f7852560cfe80aab8fc3663aa0c14

  • SHA512

    a3f6cfa1255b06fafd6e0b43d3d4be92fccd5cc9786e4b838eb0c9926e19c356536a2406a0ca935181c882d8d14016df5552d5d91ba9a29b4b93c47934a9c31e

  • SSDEEP

    6144:WYa6wA+J7XPJnad1zbOJY5uW8lhpx0o36:WYyAQ7fJnynOhA

Score
10/10
warzoneratinfostealerpersistencerat

Malware Config

Extracted

Family

warzonerat

C2

103.212.81.157:5167

Signatures

  • WarzoneRat, AveMaria

    WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.

    ratinfostealerwarzonerat
  • Warzone RAT payload 4 IoCs
    rat
  • Loads dropped DLL 1 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\PURCHASE ORDER.exe
    "C:\Users\Admin\AppData\Local\Temp\PURCHASE ORDER.exe"
    1⤵
    • Loads dropped DLL
    • Adds Run key to start application
    • Suspicious use of SetThreadContext
    • Suspicious behavior: MapViewOfSection
    • Suspicious use of WriteProcessMemory
    PID:3792
    • C:\Users\Admin\AppData\Local\Temp\PURCHASE ORDER.exe
      "C:\Users\Admin\AppData\Local\Temp\PURCHASE ORDER.exe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1332
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe"
        3⤵
          PID:4940

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\nsmB24A.tmp\esruijyxsj.dll
      Filesize

      60KB

      MD5

      0f19cd2a3143f61147aae6ad56c00224

      SHA1

      8874d0304b717a87871b35a688dec09e5493b05f

      SHA256

      8e1c1decdaa34d7c990dbe1b993a72c5e56ca685747bd6cbd4283eb89f3ff1ae

      SHA512

      0345a7cf578d4adc4935ee24ce84b0877848eeb78e72608c29e6c14f95890ae07bd7e8bfdc3bfd73a58b2ceb3d2219c8cebfae6a680418edb397ef31ab22acbc

      Download Submit

    • memory/1332-141-0x0000000000400000-0x000000000055E000-memory.dmp

      Filesize

      1.4MB

      Download

    • memory/1332-143-0x0000000000400000-0x000000000055E000-memory.dmp

      Filesize

      1.4MB

      Download

    • memory/1332-144-0x0000000000400000-0x000000000055E000-memory.dmp

      Filesize

      1.4MB

      Download

    • memory/1332-147-0x0000000000400000-0x000000000055E000-memory.dmp

      Filesize

      1.4MB

      Download

    • memory/3792-139-0x00000000023A0000-0x00000000023A2000-memory.dmp

      Filesize

      8KB

      Download

    • memory/4940-145-0x00000000013C0000-0x00000000013C1000-memory.dmp

      Filesize

      4KB

      Download