Overview

overview

10

Static

static

3

DOCUMENTS.exe

windows7-x64

10

DOCUMENTS.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    21-10-2024 03:23

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    DOCUMENTS.exe

  • Size

    440KB

  • MD5

    5e87783b71d535bcaf402e2278c91048

  • SHA1

    7e7faec34ecbe87ec3d18a402ff2e71fe3dcb533

  • SHA256

    7c226fda60b190a13b95e0e5e992506ec7214ef9789e2117b4ee11981dad3158

  • SHA512

    f1851e0d8fdcaeb22c3405b2bd23d9397e92fa367bc6576b8f0f200458b33c1356cdb57b1dac3a5ec5eb157a9eec5c933a2b0b2035f4033393db8badac60f4d9

  • SSDEEP

    6144:TE9eMLIjdWdvwXXuqmDxIA3wkAyxHZUYCjUrpcrFiLDcUfqxwz74Gk96kAD:TpaJZMeqmDXXA6CjUrqiLOxwz7Y

Score
10/10
warzoneratdiscoveryinfostealerrat

Malware Config

Signatures

  • WarzoneRat, AveMaria

    WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.

    ratinfostealerwarzonerat
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 2 IoCs
  • Executes dropped EXE 2 IoCs
  • Suspicious use of SetThreadContext 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 11 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • NTFS ADS 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 20 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 52 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\DOCUMENTS.exe
    "C:\Users\Admin\AppData\Local\Temp\DOCUMENTS.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2984
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection 8.8.8.8
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4332
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection 8.8.8.8
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1872
    • C:\Users\Admin\AppData\Local\Temp\DOCUMENTS.exe
      C:\Users\Admin\AppData\Local\Temp\DOCUMENTS.exe
      2⤵
        PID:3624
      • C:\Users\Admin\AppData\Local\Temp\DOCUMENTS.exe
        C:\Users\Admin\AppData\Local\Temp\DOCUMENTS.exe
        2⤵
          PID:5964
        • C:\Users\Admin\AppData\Local\Temp\DOCUMENTS.exe
          C:\Users\Admin\AppData\Local\Temp\DOCUMENTS.exe
          2⤵
          • Drops startup file
          • System Location Discovery: System Language Discovery
          • NTFS ADS
          • Suspicious use of WriteProcessMemory
          PID:6028
          • C:\Windows\SysWOW64\cmd.exe
            cmd.exe /c REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /f /v Load /t REG_SZ /d "C:\ProgramData\win32.exe"
            3⤵
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:5448
            • C:\Windows\SysWOW64\reg.exe
              REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /f /v Load /t REG_SZ /d "C:\ProgramData\win32.exe"
              4⤵
              • System Location Discovery: System Language Discovery
              PID:5152
          • C:\ProgramData\win32.exe
            "C:\ProgramData\win32.exe"
            3⤵
            • Checks computer location settings
            • Executes dropped EXE
            • Suspicious use of SetThreadContext
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of WriteProcessMemory
            PID:5500
            • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
              "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection 8.8.8.8
              4⤵
              • System Location Discovery: System Language Discovery
              • Suspicious behavior: EnumeratesProcesses
              PID:5028
            • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
              "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection 8.8.8.8
              4⤵
              • System Location Discovery: System Language Discovery
              • Suspicious behavior: EnumeratesProcesses
              PID:5740
            • C:\Users\Admin\AppData\Local\Temp\win32.exe
              C:\Users\Admin\AppData\Local\Temp\win32.exe
              4⤵
              • Executes dropped EXE
              • System Location Discovery: System Language Discovery
              • Suspicious use of WriteProcessMemory
              PID:5728
              • C:\Windows\SysWOW64\cmd.exe
                "C:\Windows\System32\cmd.exe"
                5⤵
                • System Location Discovery: System Language Discovery
                PID:5828

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\ProgramData\win32.exe
        Filesize

        440KB

        MD5

        5e87783b71d535bcaf402e2278c91048

        SHA1

        7e7faec34ecbe87ec3d18a402ff2e71fe3dcb533

        SHA256

        7c226fda60b190a13b95e0e5e992506ec7214ef9789e2117b4ee11981dad3158

        SHA512

        f1851e0d8fdcaeb22c3405b2bd23d9397e92fa367bc6576b8f0f200458b33c1356cdb57b1dac3a5ec5eb157a9eec5c933a2b0b2035f4033393db8badac60f4d9

        Download Submit

      • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
        Filesize

        2KB

        MD5

        0774a05ce5ee4c1af7097353c9296c62

        SHA1

        658ff96b111c21c39d7ad5f510fb72f9762114bb

        SHA256

        d9c5347ed06755feeb0615f1671f6b91e2718703da0dbc4b0bd205cbd2896dd4

        SHA512

        104d69fc4f4aaa5070b78ada130228939c7e01436351166fe51fe2da8a02f9948e6d92dd676f62820da1813872b91411e2f863c9a98a760581ec34d4aa354994

        Download Submit

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
        Filesize

        19KB

        MD5

        52f5046656d6ecd3919b4f57a8fd3d41

        SHA1

        27a37cd7efd2176610bac27ef89f8af61cf87514

        SHA256

        29f0ada1ee447e129331c0132905bf10a9848981230578712f9e8d382e3812bb

        SHA512

        f9937406f1aec9adeb5b6cd1553c3d60d5edcaeaecdd9c0f0fc49a8ec43e2c54764415e8b339f24a34841a4ecc31e4b108320f087c6f5a4b26f64d41729bebd5

        Download Submit

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
        Filesize

        19KB

        MD5

        cfa4d46567ac22d02fff75716ac82e78

        SHA1

        4b109500ca973072ce83ba3de0f3ba4550a7c69b

        SHA256

        aa4f1dfa97671a28489391c50f9346ce180aaae0e1763c37cc50ba6fa9a03aaa

        SHA512

        b7a3bf4bb54dc039547bf11554925e0d448673785ee4b3be4f481e5c0b71ce65151b95f6efb5285958773327b10d64efc2e3f4f378ba9d8f5d9efe8332ab8aed

        Download Submit

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
        Filesize

        19KB

        MD5

        05c903b9e15fddebbbe1ee0db34f3177

        SHA1

        38e50d90d0d4eccc2d7c7e181cacad081ac5869f

        SHA256

        87b8fed11c95b2f55d021fcb9241afecaad66e32b8617018ac4f414918e6cd4c

        SHA512

        cbee5d681d4279c4d6d9206934ed7271b57077fd9ae965298c13a5e46bafec9127ef42aeedce1a21fb21426451f3185618d91ed2a703ffad443d06a47ebee390

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_fcxd33qu.iq0.ps1
        Filesize

        60B

        MD5

        d17fe0a3f47be24a6453e9ef58c94641

        SHA1

        6ab83620379fc69f80c0242105ddffd7d98d5d9d

        SHA256

        96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

        SHA512

        5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

        Download Submit

      • memory/1872-51-0x00000000753B0000-0x0000000075B60000-memory.dmp

        Filesize

        7.7MB

        Download

      • memory/1872-48-0x0000000005B10000-0x0000000005E64000-memory.dmp

        Filesize

        3.3MB

        Download

      • memory/1872-38-0x00000000753B0000-0x0000000075B60000-memory.dmp

        Filesize

        7.7MB

        Download

      • memory/1872-37-0x00000000753B0000-0x0000000075B60000-memory.dmp

        Filesize

        7.7MB

        Download

      • memory/1872-36-0x00000000753B0000-0x0000000075B60000-memory.dmp

        Filesize

        7.7MB

        Download

      • memory/2984-65-0x0000000006200000-0x000000000627A000-memory.dmp

        Filesize

        488KB

        Download

      • memory/2984-91-0x0000000006200000-0x000000000627A000-memory.dmp

        Filesize

        488KB

        Download

      • memory/2984-1-0x0000000000630000-0x00000000006A4000-memory.dmp

        Filesize

        464KB

        Download

      • memory/2984-2-0x0000000005540000-0x0000000005AE4000-memory.dmp

        Filesize

        5.6MB

        Download

      • memory/2984-3-0x0000000004F90000-0x0000000005022000-memory.dmp

        Filesize

        584KB

        Download

      • memory/2984-4-0x0000000005120000-0x000000000512A000-memory.dmp

        Filesize

        40KB

        Download

      • memory/2984-2535-0x00000000753B0000-0x0000000075B60000-memory.dmp

        Filesize

        7.7MB

        Download

      • memory/2984-54-0x0000000006200000-0x000000000627A000-memory.dmp

        Filesize

        488KB

        Download

      • memory/2984-55-0x0000000006200000-0x000000000627A000-memory.dmp

        Filesize

        488KB

        Download

      • memory/2984-57-0x0000000006200000-0x000000000627A000-memory.dmp

        Filesize

        488KB

        Download

      • memory/2984-59-0x0000000006200000-0x000000000627A000-memory.dmp

        Filesize

        488KB

        Download

      • memory/2984-33-0x00000000753BE000-0x00000000753BF000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2984-34-0x00000000753B0000-0x0000000075B60000-memory.dmp

        Filesize

        7.7MB

        Download

      • memory/2984-61-0x0000000006200000-0x000000000627A000-memory.dmp

        Filesize

        488KB

        Download

      • memory/2984-63-0x0000000006200000-0x000000000627A000-memory.dmp

        Filesize

        488KB

        Download

      • memory/2984-75-0x0000000006200000-0x000000000627A000-memory.dmp

        Filesize

        488KB

        Download

      • memory/2984-83-0x0000000006200000-0x000000000627A000-memory.dmp

        Filesize

        488KB

        Download

      • memory/2984-99-0x0000000006200000-0x000000000627A000-memory.dmp

        Filesize

        488KB

        Download

      • memory/2984-105-0x0000000006200000-0x000000000627A000-memory.dmp

        Filesize

        488KB

        Download

      • memory/2984-5-0x00000000753B0000-0x0000000075B60000-memory.dmp

        Filesize

        7.7MB

        Download

      • memory/2984-52-0x0000000006160000-0x00000000061BC000-memory.dmp

        Filesize

        368KB

        Download

      • memory/2984-53-0x0000000006200000-0x0000000006280000-memory.dmp

        Filesize

        512KB

        Download

      • memory/2984-67-0x0000000006200000-0x000000000627A000-memory.dmp

        Filesize

        488KB

        Download

      • memory/2984-71-0x0000000006200000-0x000000000627A000-memory.dmp

        Filesize

        488KB

        Download

      • memory/2984-117-0x0000000006200000-0x000000000627A000-memory.dmp

        Filesize

        488KB

        Download

      • memory/2984-115-0x0000000006200000-0x000000000627A000-memory.dmp

        Filesize

        488KB

        Download

      • memory/2984-111-0x0000000006200000-0x000000000627A000-memory.dmp

        Filesize

        488KB

        Download

      • memory/2984-109-0x0000000006200000-0x000000000627A000-memory.dmp

        Filesize

        488KB

        Download

      • memory/2984-107-0x0000000006200000-0x000000000627A000-memory.dmp

        Filesize

        488KB

        Download

      • memory/2984-103-0x0000000006200000-0x000000000627A000-memory.dmp

        Filesize

        488KB

        Download

      • memory/2984-101-0x0000000006200000-0x000000000627A000-memory.dmp

        Filesize

        488KB

        Download

      • memory/2984-97-0x0000000006200000-0x000000000627A000-memory.dmp

        Filesize

        488KB

        Download

      • memory/2984-95-0x0000000006200000-0x000000000627A000-memory.dmp

        Filesize

        488KB

        Download

      • memory/2984-93-0x0000000006200000-0x000000000627A000-memory.dmp

        Filesize

        488KB

        Download

      • memory/2984-89-0x0000000006200000-0x000000000627A000-memory.dmp

        Filesize

        488KB

        Download

      • memory/2984-87-0x0000000006200000-0x000000000627A000-memory.dmp

        Filesize

        488KB

        Download

      • memory/2984-85-0x0000000006200000-0x000000000627A000-memory.dmp

        Filesize

        488KB

        Download

      • memory/2984-81-0x0000000006200000-0x000000000627A000-memory.dmp

        Filesize

        488KB

        Download

      • memory/2984-79-0x0000000006200000-0x000000000627A000-memory.dmp

        Filesize

        488KB

        Download

      • memory/2984-77-0x0000000006200000-0x000000000627A000-memory.dmp

        Filesize

        488KB

        Download

      • memory/2984-73-0x0000000006200000-0x000000000627A000-memory.dmp

        Filesize

        488KB

        Download

      • memory/2984-69-0x0000000006200000-0x000000000627A000-memory.dmp

        Filesize

        488KB

        Download

      • memory/2984-0-0x00000000753BE000-0x00000000753BF000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2984-113-0x0000000006200000-0x000000000627A000-memory.dmp

        Filesize

        488KB

        Download

      • memory/4332-29-0x00000000080F0000-0x000000000876A000-memory.dmp

        Filesize

        6.5MB

        Download

      • memory/4332-13-0x00000000055B0000-0x0000000005616000-memory.dmp

        Filesize

        408KB

        Download

      • memory/4332-27-0x00000000061B0000-0x00000000061CA000-memory.dmp

        Filesize

        104KB

        Download

      • memory/4332-28-0x0000000006250000-0x0000000006272000-memory.dmp

        Filesize

        136KB

        Download

      • memory/4332-9-0x00000000753B0000-0x0000000075B60000-memory.dmp

        Filesize

        7.7MB

        Download

      • memory/4332-10-0x0000000004F10000-0x0000000005538000-memory.dmp

        Filesize

        6.2MB

        Download

      • memory/4332-11-0x0000000004D50000-0x0000000004D72000-memory.dmp

        Filesize

        136KB

        Download

      • memory/4332-32-0x00000000753B0000-0x0000000075B60000-memory.dmp

        Filesize

        7.7MB

        Download

      • memory/4332-12-0x0000000005540000-0x00000000055A6000-memory.dmp

        Filesize

        408KB

        Download

      • memory/4332-7-0x00000000753B0000-0x0000000075B60000-memory.dmp

        Filesize

        7.7MB

        Download

      • memory/4332-8-0x00000000753B0000-0x0000000075B60000-memory.dmp

        Filesize

        7.7MB

        Download

      • memory/4332-26-0x0000000006D20000-0x0000000006DB6000-memory.dmp

        Filesize

        600KB

        Download

      • memory/4332-25-0x0000000006200000-0x000000000624C000-memory.dmp

        Filesize

        304KB

        Download

      • memory/4332-24-0x0000000005D10000-0x0000000005D2E000-memory.dmp

        Filesize

        120KB

        Download

      • memory/4332-6-0x0000000002440000-0x0000000002476000-memory.dmp

        Filesize

        216KB

        Download

      • memory/4332-23-0x0000000005720000-0x0000000005A74000-memory.dmp

        Filesize

        3.3MB

        Download

      • memory/5028-2553-0x0000000005BF0000-0x0000000005F44000-memory.dmp

        Filesize

        3.3MB

        Download

      • memory/5740-2565-0x0000000005A60000-0x0000000005DB4000-memory.dmp

        Filesize

        3.3MB

        Download