Overview

overview

10

Static

static

3

a67e7e5c52...15.exe

windows7-x64

10

a67e7e5c52...15.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    136s
  • max time network
    145s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    26-02-2024 13:44

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    a67e7e5c5271fda729143052d48dd615.exe

  • Size

    236KB

  • MD5

    a67e7e5c5271fda729143052d48dd615

  • SHA1

    bb1f7cd0043595bf26c7f2fc1473c12fbd66fc28

  • SHA256

    4e9666f55da5bbfbcddfb9b6066d4c1eca7a3092e0456999b6e3408c2e3edfbc

  • SHA512

    35a4fc62e1b763d38f86655384879f50b2025885ce3bb038b026b6ae599946046112cbeca71f818cc44b74755037a54960bd30b53cf3a944e105bcd4bda83b9d

  • SSDEEP

    3072:AyWUYAlmXkJr4Dul8kZyLA93qlUD2mvwV6bFcHSRoodGv8Z36CxVYwwBJ785v7W6:AksBi17NCFYp3rtHmqbK65/

Score
10/10
warzoneratevasioninfostealerratrezer0trojan

Malware Config

Extracted

Family

warzonerat

C2

185.140.53.41:2104

Signatures

  • Modifies Windows Defender Real-time Protection settings 3 TTPs 4 IoCs
    evasiontrojan
  • WarzoneRat, AveMaria

    WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.

    ratinfostealerwarzonerat
  • ReZer0 packer 1 IoCs

    Detects ReZer0, a packer with multiple versions used in various campaigns.

    rezer0
  • Warzone RAT payload 8 IoCs
    rat
  • Windows security modification 2 TTPs 2 IoCs
    evasiontrojan
  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 26 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\a67e7e5c5271fda729143052d48dd615.exe
    "C:\Users\Admin\AppData\Local\Temp\a67e7e5c5271fda729143052d48dd615.exe"
    1⤵
    • Modifies Windows Defender Real-time Protection settings
    • Windows security modification
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2856
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "powershell" Get-MpPreference -verbose
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1984
    • C:\Users\Admin\AppData\Local\Temp\a67e7e5c5271fda729143052d48dd615.exe
      "C:\Users\Admin\AppData\Local\Temp\a67e7e5c5271fda729143052d48dd615.exe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2732
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        powershell Add-MpPreference -ExclusionPath C:\
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2688
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe"
        3⤵
          PID:2760

    Network

    MITRE ATT&CK Matrix ATT&CK v13

    Initial Access

    Execution

    Persistence

    Create or Modify System Process

    1
    T1543

    Windows Service

    1
    T1543.003

    Privilege Escalation

    Create or Modify System Process

    1
    T1543

    Windows Service

    1
    T1543.003

    Defense Evasion

    Modify Registry

    2
    T1112

    Impair Defenses

    2
    T1562

    Disable or Modify Tools

    2
    T1562.001

    Credential Access

    Discovery

    Lateral Movement

    Collection

    Exfiltration

    Command and Control

    Impact

    Resource Development

    Reconnaissance

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
      Filesize

      7KB

      MD5

      3171917bc5837a8bfaacb6441b40a9eb

      SHA1

      78e2300e374d7a81c523d390d0f85f7d04fc5a53

      SHA256

      713795cf118a92411c67e69c22ec3d6a8e4d557c83d9b09a5b1970519308c55d

      SHA512

      b4b6a85846fd6a21742cd8b182e85c0c76fd4db4124254f232da0b33dc4f88a3104ad8c9ecfb55113eb9086fe5c2cca2f2a7482da4147afb6b3955425894c24a

      Download Submit
    • memory/1984-9-0x000000006FB30000-0x00000000700DB000-memory.dmp
      Filesize

      5.7MB

      Download
    • memory/1984-8-0x000000006FB30000-0x00000000700DB000-memory.dmp
      Filesize

      5.7MB

      Download
    • memory/1984-11-0x000000006FB30000-0x00000000700DB000-memory.dmp
      Filesize

      5.7MB

      Download
    • memory/1984-10-0x0000000002800000-0x0000000002840000-memory.dmp
      Filesize

      256KB

      Download
    • memory/2688-31-0x0000000002F30000-0x0000000002F70000-memory.dmp
      Filesize

      256KB

      Download
    • memory/2688-30-0x000000006F7A0000-0x000000006FD4B000-memory.dmp
      Filesize

      5.7MB

      Download
    • memory/2688-41-0x000000006F7A0000-0x000000006FD4B000-memory.dmp
      Filesize

      5.7MB

      Download
    • memory/2688-33-0x0000000002F30000-0x0000000002F70000-memory.dmp
      Filesize

      256KB

      Download
    • memory/2688-32-0x000000006F7A0000-0x000000006FD4B000-memory.dmp
      Filesize

      5.7MB

      Download
    • memory/2732-14-0x0000000000400000-0x0000000000551000-memory.dmp
      Filesize

      1.3MB

      Download
    • memory/2732-19-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
      Filesize

      4KB

      Download
    • memory/2732-17-0x0000000000400000-0x0000000000551000-memory.dmp
      Filesize

      1.3MB

      Download
    • memory/2732-15-0x0000000000400000-0x0000000000551000-memory.dmp
      Filesize

      1.3MB

      Download
    • memory/2732-16-0x0000000000400000-0x0000000000551000-memory.dmp
      Filesize

      1.3MB

      Download
    • memory/2732-42-0x0000000000400000-0x0000000000551000-memory.dmp
      Filesize

      1.3MB

      Download
    • memory/2732-12-0x0000000000400000-0x0000000000551000-memory.dmp
      Filesize

      1.3MB

      Download
    • memory/2732-18-0x0000000000400000-0x0000000000551000-memory.dmp
      Filesize

      1.3MB

      Download
    • memory/2732-21-0x0000000000400000-0x0000000000551000-memory.dmp
      Filesize

      1.3MB

      Download
    • memory/2732-23-0x0000000000400000-0x0000000000551000-memory.dmp
      Filesize

      1.3MB

      Download
    • memory/2732-24-0x0000000000400000-0x0000000000551000-memory.dmp
      Filesize

      1.3MB

      Download
    • memory/2732-13-0x0000000000400000-0x0000000000551000-memory.dmp
      Filesize

      1.3MB

      Download
    • memory/2760-37-0x00000000001E0000-0x00000000001E1000-memory.dmp
      Filesize

      4KB

      Download
    • memory/2760-35-0x00000000001E0000-0x00000000001E1000-memory.dmp
      Filesize

      4KB

      Download
    • memory/2856-1-0x0000000074AB0000-0x000000007519E000-memory.dmp
      Filesize

      6.9MB

      Download
    • memory/2856-4-0x00000000004B0000-0x00000000004F2000-memory.dmp
      Filesize

      264KB

      Download
    • memory/2856-34-0x0000000074AB0000-0x000000007519E000-memory.dmp
      Filesize

      6.9MB

      Download
    • memory/2856-2-0x0000000004720000-0x0000000004760000-memory.dmp
      Filesize

      256KB

      Download
    • memory/2856-3-0x0000000000490000-0x0000000000498000-memory.dmp
      Filesize

      32KB

      Download
    • memory/2856-0-0x0000000001290000-0x00000000012D2000-memory.dmp
      Filesize

      264KB

      Download
    • memory/2856-5-0x0000000000A90000-0x0000000000AB8000-memory.dmp
      Filesize

      160KB

      Download