Overview

overview

10

Static

static

3

bfb1b045ee...f6.exe

windows7-x64

10

bfb1b045ee...f6.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    146s
  • max time network
    153s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    10/03/2025, 11:35 UTC

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    bfb1b045ee5fc2bc3e4ca29683d695c36cc033ed43c0071385907400bc09c7f6.exe

  • Size

    767KB

  • MD5

    9d2874400b3886af06010fa7c1314613

  • SHA1

    0f586057e49f7c2131cdc98d9074f3107acbb23f

  • SHA256

    bfb1b045ee5fc2bc3e4ca29683d695c36cc033ed43c0071385907400bc09c7f6

  • SHA512

    33a824c3bbf2192c57beed1e1a2ab78679f85b7c703ba552573e234cd57b651ffff3cd56c20f79b414f879074e7dd573c9a9aca91a097a0104410b8d9b3651a5

  • SSDEEP

    12288:ZNLEM6YeXY/e1xX7pDnjzhooH9AbhuK9rGbe7bR+wWZpXpZbnLZaLcc5hRfQyWe:mHXNTwzGb8Sb9atfQY

Score
10/10
warzoneratdiscoveryexecutioninfostealerpersistencerat

Malware Config

Extracted

Family

warzonerat

C2

193.23.160.31:6008

Signatures

  • WarzoneRat, AveMaria

    WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.

    ratinfostealerwarzonerat
  • Warzonerat family
    warzonerat
  • Warzone RAT payload 7 IoCs
    rat
  • Command and Scripting Interpreter: PowerShell 1 TTPs 6 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 1 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Suspicious use of SetThreadContext 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 13 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 12 IoCs
  • Suspicious use of AdjustPrivilegeToken 8 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\bfb1b045ee5fc2bc3e4ca29683d695c36cc033ed43c0071385907400bc09c7f6.exe
    "C:\Users\Admin\AppData\Local\Temp\bfb1b045ee5fc2bc3e4ca29683d695c36cc033ed43c0071385907400bc09c7f6.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2364
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\bfb1b045ee5fc2bc3e4ca29683d695c36cc033ed43c0071385907400bc09c7f6.exe"
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2820
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\UekLCOpkGyI.exe"
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2880
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\UekLCOpkGyI" /XML "C:\Users\Admin\AppData\Local\Temp\tmp5199.tmp"
      2⤵
      • System Location Discovery: System Language Discovery
      • Scheduled Task/Job: Scheduled Task
      PID:2692
    • C:\Users\Admin\AppData\Local\Temp\bfb1b045ee5fc2bc3e4ca29683d695c36cc033ed43c0071385907400bc09c7f6.exe
      "C:\Users\Admin\AppData\Local\Temp\bfb1b045ee5fc2bc3e4ca29683d695c36cc033ed43c0071385907400bc09c7f6.exe"
      2⤵
      • Loads dropped DLL
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2196
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        powershell Add-MpPreference -ExclusionPath C:\
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1160
      • C:\Users\Admin\Documents\PO
        "C:\Users\Admin\Documents\PO"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:592
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\Documents\PO"
          4⤵
          • Command and Scripting Interpreter: PowerShell
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:1084
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\UekLCOpkGyI.exe"
          4⤵
          • Command and Scripting Interpreter: PowerShell
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:536
        • C:\Windows\SysWOW64\schtasks.exe
          "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\UekLCOpkGyI" /XML "C:\Users\Admin\AppData\Local\Temp\tmp9FA9.tmp"
          4⤵
          • System Location Discovery: System Language Discovery
          • Scheduled Task/Job: Scheduled Task
          PID:1908
        • C:\Users\Admin\Documents\PO
          "C:\Users\Admin\Documents\PO"
          4⤵
          • Executes dropped EXE
          PID:2000
        • C:\Users\Admin\Documents\PO
          "C:\Users\Admin\Documents\PO"
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:2976
          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            powershell Add-MpPreference -ExclusionPath C:\
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1680
          • C:\Windows\SysWOW64\cmd.exe
            "C:\Windows\System32\cmd.exe"
            5⤵
            • System Location Discovery: System Language Discovery
            PID:1848

Network

    No results found
  • 193.23.160.31:6008
    PO
    152 B
     3
  • 193.23.160.31:6008
    PO
    152 B
     3
  • 193.23.160.31:6008
    PO
    152 B
     3
  • 193.23.160.31:6008
    PO
    152 B
     3
  • 193.23.160.31:6008
    PO
    104 B
     2
No results found

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\tmp5199.tmp
    Filesize

    1KB

    MD5

    0c302dd31c7f1420eabc2a7f96f42a86

    SHA1

    e84b594e57ccaf1dc5787349b1b6a1a71169c106

    SHA256

    c9909b6808a671e4c36e9a7b2781ae8429c28088bdf682e51e99433aa2f6d477

    SHA512

    ad16ba95fbe6a2a0afc546d2975fd89765e282ccc8861555b134b98b2c960f95a964649dee297a04593abc7245a3aa426998fdd15c725a1843dadfe73e7ce9f3

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
    Filesize

    7KB

    MD5

    722aa64c64c3e5cb36dc8e3cd6799115

    SHA1

    e048b4c19c47749b38ee37ff5211ecac1f68d33d

    SHA256

    a97f8c67ed78c0db18d79c169ad8cba43313c4fb5dc6f81819a18ccc9b858da5

    SHA512

    8febdfae159d054ec60a75f895ea7fd2b7ad1c5aee481f3cd5078a385baccd554f9e9960b8612d95aab5feff95457e668005b325e6fddabeabdb255daf8d093a

    Download Submit

  • \Users\Admin\Documents\PO
    Filesize

    767KB

    MD5

    9d2874400b3886af06010fa7c1314613

    SHA1

    0f586057e49f7c2131cdc98d9074f3107acbb23f

    SHA256

    bfb1b045ee5fc2bc3e4ca29683d695c36cc033ed43c0071385907400bc09c7f6

    SHA512

    33a824c3bbf2192c57beed1e1a2ab78679f85b7c703ba552573e234cd57b651ffff3cd56c20f79b414f879074e7dd573c9a9aca91a097a0104410b8d9b3651a5

    Download Submit

  • memory/592-48-0x00000000009E0000-0x0000000000AA6000-memory.dmp

    Filesize

    792KB

    Download

  • memory/1848-88-0x00000000002E0000-0x00000000002E1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1848-86-0x00000000002E0000-0x00000000002E1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2196-19-0x0000000000400000-0x000000000055A000-memory.dmp

    Filesize

    1.4MB

    Download

  • memory/2196-23-0x0000000000400000-0x000000000055A000-memory.dmp

    Filesize

    1.4MB

    Download

  • memory/2196-30-0x0000000000400000-0x000000000055A000-memory.dmp

    Filesize

    1.4MB

    Download

  • memory/2196-34-0x0000000000400000-0x000000000055A000-memory.dmp

    Filesize

    1.4MB

    Download

  • memory/2196-35-0x0000000000400000-0x000000000055A000-memory.dmp

    Filesize

    1.4MB

    Download

  • memory/2196-33-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2196-31-0x0000000000400000-0x000000000055A000-memory.dmp

    Filesize

    1.4MB

    Download

  • memory/2196-27-0x0000000000400000-0x000000000055A000-memory.dmp

    Filesize

    1.4MB

    Download

  • memory/2196-25-0x0000000000400000-0x000000000055A000-memory.dmp

    Filesize

    1.4MB

    Download

  • memory/2196-21-0x0000000000400000-0x000000000055A000-memory.dmp

    Filesize

    1.4MB

    Download

  • memory/2364-6-0x0000000004F10000-0x0000000004F7C000-memory.dmp

    Filesize

    432KB

    Download

  • memory/2364-0-0x000000007441E000-0x000000007441F000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2364-36-0x0000000074410000-0x0000000074AFE000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/2364-5-0x0000000074410000-0x0000000074AFE000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/2364-4-0x000000007441E000-0x000000007441F000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2364-3-0x00000000006F0000-0x0000000000708000-memory.dmp

    Filesize

    96KB

    Download

  • memory/2364-2-0x0000000074410000-0x0000000074AFE000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/2364-1-0x0000000001080000-0x0000000001146000-memory.dmp

    Filesize

    792KB

    Download

  • memory/2976-80-0x0000000000400000-0x000000000055A000-memory.dmp

    Filesize

    1.4MB

    Download

  • memory/2976-77-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

    Filesize

    4KB

    Download

We care about your privacy.

This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.