Overview

overview

10

Static

static

10

ed63cc891f...03.exe

windows7-x64

10

ed63cc891f...03.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    146s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
  • submitted
    27/05/2024, 04:12

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    ed63cc891f28d284baf85525ce5e833c541429a1d09e999ac4d08ca4080e7f03.exe

  • Size

    141KB

  • MD5

    69f1b1837eec6d3b743e067eb8590959

  • SHA1

    886ada51656010297deb513aa0ec73ecbb4e5a31

  • SHA256

    ed63cc891f28d284baf85525ce5e833c541429a1d09e999ac4d08ca4080e7f03

  • SHA512

    7c5a7bf11960fdf9ddcbdd2a9371f0ac163d3e273be1358b6de608893655c3412d3c26a5db3c93116e693aa679a24fc28fd234cedeaf425a448cbd0ed55a1757

  • SSDEEP

    3072:RARHROub6IiZktM+t4B6IZeAzaZyJ6QYzHHxgGT0Iw:RkxbQktMo4BRiyjYz6GTrw

Score
10/10
warzoneratexecutioninfostealerrat

Malware Config

Extracted

Family

warzonerat

C2

94.131.110.60:5200

Signatures

  • WarzoneRat, AveMaria

    WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.

    ratinfostealerwarzonerat
  • Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers. 1 IoCs
  • Detects executables containing SQL queries to confidential data stores. Observed in infostealers 1 IoCs
  • Detects executables embedding command execution via IExecuteCommand COM object 1 IoCs
  • Warzone RAT payload 1 IoCs
    rat
  • Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Executes dropped EXE 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\ed63cc891f28d284baf85525ce5e833c541429a1d09e999ac4d08ca4080e7f03.exe
    "C:\Users\Admin\AppData\Local\Temp\ed63cc891f28d284baf85525ce5e833c541429a1d09e999ac4d08ca4080e7f03.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1492
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell Add-MpPreference -ExclusionPath C:\
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4660
    • C:\Users\Admin\Documents\NetFramework64.exe
      "C:\Users\Admin\Documents\NetFramework64.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:1232
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        powershell Add-MpPreference -ExclusionPath C:\
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2840

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
    Filesize

    2KB

    MD5

    968cb9309758126772781b83adb8a28f

    SHA1

    8da30e71accf186b2ba11da1797cf67f8f78b47c

    SHA256

    92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a

    SHA512

    4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize

    18KB

    MD5

    d5f265982b8ad5ac2fc26ca35593de75

    SHA1

    70d7534b747dbfdae363e36b7407a4dc700ad230

    SHA256

    53ff9e83706dc9e9c15720e7ec8b29a956ff47db8b40818aefcc597a7a6bf95e

    SHA512

    e9b429da49dd923814ef50239d5f178ccc66625458a6082c44326a4cb088066a3e8a964037288cdcbe8f419a242ad6c0a849a76a1a15da0a88e9c2c0e18e0961

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_gnihf0eg.reb.ps1
    Filesize

    60B

    MD5

    d17fe0a3f47be24a6453e9ef58c94641

    SHA1

    6ab83620379fc69f80c0242105ddffd7d98d5d9d

    SHA256

    96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

    SHA512

    5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

    Download Submit

  • C:\Users\Admin\Documents\NetFramework64.exe
    Filesize

    141KB

    MD5

    69f1b1837eec6d3b743e067eb8590959

    SHA1

    886ada51656010297deb513aa0ec73ecbb4e5a31

    SHA256

    ed63cc891f28d284baf85525ce5e833c541429a1d09e999ac4d08ca4080e7f03

    SHA512

    7c5a7bf11960fdf9ddcbdd2a9371f0ac163d3e273be1358b6de608893655c3412d3c26a5db3c93116e693aa679a24fc28fd234cedeaf425a448cbd0ed55a1757

    Download Submit

  • memory/2840-64-0x000000006FD20000-0x000000006FD6C000-memory.dmp

    Filesize

    304KB

    Download

  • memory/2840-53-0x0000000005BE0000-0x0000000005F34000-memory.dmp

    Filesize

    3.3MB

    Download

  • memory/4660-32-0x00000000734A0000-0x0000000073C50000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/4660-37-0x0000000007F80000-0x00000000085FA000-memory.dmp

    Filesize

    6.5MB

    Download

  • memory/4660-7-0x00000000057B0000-0x0000000005816000-memory.dmp

    Filesize

    408KB

    Download

  • memory/4660-17-0x0000000006140000-0x0000000006494000-memory.dmp

    Filesize

    3.3MB

    Download

  • memory/4660-18-0x00000000065F0000-0x000000000660E000-memory.dmp

    Filesize

    120KB

    Download

  • memory/4660-19-0x0000000006630000-0x000000000667C000-memory.dmp

    Filesize

    304KB

    Download

  • memory/4660-20-0x0000000006BF0000-0x0000000006C22000-memory.dmp

    Filesize

    200KB

    Download

  • memory/4660-31-0x0000000006C50000-0x0000000006C6E000-memory.dmp

    Filesize

    120KB

    Download

  • memory/4660-21-0x000000006FD20000-0x000000006FD6C000-memory.dmp

    Filesize

    304KB

    Download

  • memory/4660-33-0x0000000007840000-0x00000000078E3000-memory.dmp

    Filesize

    652KB

    Download

  • memory/4660-0-0x00000000734AE000-0x00000000734AF000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4660-34-0x00000000734A0000-0x0000000073C50000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/4660-35-0x00000000734A0000-0x0000000073C50000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/4660-6-0x0000000005740000-0x00000000057A6000-memory.dmp

    Filesize

    408KB

    Download

  • memory/4660-38-0x0000000007940000-0x000000000795A000-memory.dmp

    Filesize

    104KB

    Download

  • memory/4660-5-0x00000000056A0000-0x00000000056C2000-memory.dmp

    Filesize

    136KB

    Download

  • memory/4660-42-0x00000000079B0000-0x00000000079BA000-memory.dmp

    Filesize

    40KB

    Download

  • memory/4660-43-0x0000000007BC0000-0x0000000007C56000-memory.dmp

    Filesize

    600KB

    Download

  • memory/4660-44-0x0000000007B40000-0x0000000007B51000-memory.dmp

    Filesize

    68KB

    Download

  • memory/4660-45-0x0000000007B70000-0x0000000007B7E000-memory.dmp

    Filesize

    56KB

    Download

  • memory/4660-46-0x0000000007B80000-0x0000000007B94000-memory.dmp

    Filesize

    80KB

    Download

  • memory/4660-47-0x0000000007C80000-0x0000000007C9A000-memory.dmp

    Filesize

    104KB

    Download

  • memory/4660-48-0x0000000007C60000-0x0000000007C68000-memory.dmp

    Filesize

    32KB

    Download

  • memory/4660-51-0x00000000734A0000-0x0000000073C50000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/4660-4-0x00000000734A0000-0x0000000073C50000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/4660-3-0x0000000005850000-0x0000000005E78000-memory.dmp

    Filesize

    6.2MB

    Download

  • memory/4660-2-0x00000000734A0000-0x0000000073C50000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/4660-1-0x0000000002D10000-0x0000000002D46000-memory.dmp

    Filesize

    216KB

    Download