Overview

overview

10

Static

static

10

tes1.exe

windows7-x64

10

tes1.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    157s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240709-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
  • submitted
    27-07-2024 01:43

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    tes1.exe

  • Size

    132KB

  • MD5

    b77ff60d464d3aa97d0432680c468bf5

  • SHA1

    9523926751ef97005e7c87beac04ef74ba353fe2

  • SHA256

    eb71118942d0a74070e815d3aa153cca01c172f4bce9c64fe64b097ce95ec797

  • SHA512

    699bb186b2859460d86ce1cff238665ecb3ed27291e7f8c2d85632e98596a0e31b186096e5fd1d3c77d52b3e5e029f0aa0f0f2a81e20ee8d79010d32627984ac

  • SSDEEP

    3072:K7W9jps0Tx4azG6GweOTir5axbjNCz45LT7a:KwpsERzGKurEXCzeLT7a

Score
10/10
warzoneratdiscoveryinfostealerrat

Malware Config

Extracted

Family

warzonerat

C2

194.59.30.96:7771

Signatures

  • WarzoneRat, AveMaria

    WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.

    ratinfostealerwarzonerat
  • Warzone RAT payload 1 IoCs
    rat
  • Executes dropped EXE 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\tes1.exe
    "C:\Users\Admin\AppData\Local\Temp\tes1.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:3148
    • C:\Users\Admin\Documents\images.exe
      "C:\Users\Admin\Documents\images.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:4876
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe"
        3⤵
        • System Location Discovery: System Language Discovery
        PID:1472

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\Documents\images.exe
    Filesize

    132KB

    MD5

    b77ff60d464d3aa97d0432680c468bf5

    SHA1

    9523926751ef97005e7c87beac04ef74ba353fe2

    SHA256

    eb71118942d0a74070e815d3aa153cca01c172f4bce9c64fe64b097ce95ec797

    SHA512

    699bb186b2859460d86ce1cff238665ecb3ed27291e7f8c2d85632e98596a0e31b186096e5fd1d3c77d52b3e5e029f0aa0f0f2a81e20ee8d79010d32627984ac

    Download Submit

  • memory/1472-4-0x0000000000620000-0x0000000000621000-memory.dmp

    Filesize

    4KB

    Download