Overview

overview

10

Static

static

3

4f52022aa6...77.exe

windows7-x64

10

4f52022aa6...77.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    38s
  • max time network
    16s
  • platform
    windows7_x64
  • resource
    win7-20240729-en
  • resource tags

    arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
  • submitted
    11/03/2025, 03:08 UTC

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    4f52022aa6286c18573e79cb079d5c9a01382bf1b4685a5a0dcc72cd6307b277.exe

  • Size

    703KB

  • MD5

    5d5439b5ce694c7329f002033dc479b5

  • SHA1

    fa00d36077c1a8442c5f44cbdf7545a041e85ed3

  • SHA256

    4f52022aa6286c18573e79cb079d5c9a01382bf1b4685a5a0dcc72cd6307b277

  • SHA512

    f66685591e4504f802f4895bbfbeee8a524a78a09d7813e4e9d5e34cddaa2ea49635db1c09f658f5279e7999fe7a59db4514187e2f33f4f3d5c02f9cf6b8fb0e

  • SSDEEP

    12288:4Io7W7X/WI7oDLmMjWQumYISeIQAAApLlX2/MT77oyhDdsCGW:foSbWqqmFQumNLInpSAhDd

Score
10/10
warzoneratdiscoveryexecutioninfostealerpersistencerat

Malware Config

Extracted

Family

warzonerat

C2

193.23.160.31:6008

Signatures

  • WarzoneRat, AveMaria

    WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.

    ratinfostealerwarzonerat
  • Warzonerat family
    warzonerat
  • Warzone RAT payload 6 IoCs
    rat
  • Command and Scripting Interpreter: PowerShell 1 TTPs 5 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Executes dropped EXE 6 IoCs
  • Loads dropped DLL 1 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 10 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 42 IoCs
  • Suspicious use of AdjustPrivilegeToken 7 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\4f52022aa6286c18573e79cb079d5c9a01382bf1b4685a5a0dcc72cd6307b277.exe
    "C:\Users\Admin\AppData\Local\Temp\4f52022aa6286c18573e79cb079d5c9a01382bf1b4685a5a0dcc72cd6307b277.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2336
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\4f52022aa6286c18573e79cb079d5c9a01382bf1b4685a5a0dcc72cd6307b277.exe"
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1824
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\XBPKxvbN.exe"
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1976
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\XBPKxvbN" /XML "C:\Users\Admin\AppData\Local\Temp\tmp4624.tmp"
      2⤵
      • System Location Discovery: System Language Discovery
      • Scheduled Task/Job: Scheduled Task
      PID:2688
    • C:\Users\Admin\AppData\Local\Temp\4f52022aa6286c18573e79cb079d5c9a01382bf1b4685a5a0dcc72cd6307b277.exe
      "C:\Users\Admin\AppData\Local\Temp\4f52022aa6286c18573e79cb079d5c9a01382bf1b4685a5a0dcc72cd6307b277.exe"
      2⤵
      • Loads dropped DLL
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2872
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        powershell Add-MpPreference -ExclusionPath C:\
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1256
      • C:\Users\Admin\Documents\PO
        "C:\Users\Admin\Documents\PO"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2892
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\Documents\PO"
          4⤵
          • Command and Scripting Interpreter: PowerShell
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:1748
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\XBPKxvbN.exe"
          4⤵
          • Command and Scripting Interpreter: PowerShell
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:2444
        • C:\Windows\SysWOW64\schtasks.exe
          "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\XBPKxvbN" /XML "C:\Users\Admin\AppData\Local\Temp\tmp9914.tmp"
          4⤵
          • System Location Discovery: System Language Discovery
          • Scheduled Task/Job: Scheduled Task
          PID:3068
        • C:\Users\Admin\Documents\PO
          "C:\Users\Admin\Documents\PO"
          4⤵
          • Executes dropped EXE
          PID:2452
        • C:\Users\Admin\Documents\PO
          "C:\Users\Admin\Documents\PO"
          4⤵
          • Executes dropped EXE
          PID:2216
        • C:\Users\Admin\Documents\PO
          "C:\Users\Admin\Documents\PO"
          4⤵
          • Executes dropped EXE
          PID:2012
        • C:\Users\Admin\Documents\PO
          "C:\Users\Admin\Documents\PO"
          4⤵
          • Executes dropped EXE
          PID:2636
        • C:\Users\Admin\Documents\PO
          "C:\Users\Admin\Documents\PO"
          4⤵
          • Executes dropped EXE
          PID:2632
  • C:\Windows\system32\wbem\WmiApSrv.exe
    C:\Windows\system32\wbem\WmiApSrv.exe
    1⤵
      PID:2768
    • C:\Windows\system32\wbem\WmiApSrv.exe
      C:\Windows\system32\wbem\WmiApSrv.exe
      1⤵
        PID:2376

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\tmp4624.tmp
        Filesize

        1KB

        MD5

        52cba81c17985a0208148f80579f2ab8

        SHA1

        0efd45ec943bd88f198e89a12095a81e31db08f9

        SHA256

        f27a21407f9443ae6713df5dfc5f2b18579b07eb8ddfdd59774a0192e2518b66

        SHA512

        6ec1567b9a30b47ed0ac8585bb6a2a3747cd11ae24c293f9ca12e374b257cf152702f6121330f7e7b07f06194f74944afe170027a1567e9cbda5092b94b80c40

        Download Submit

      • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
        Filesize

        7KB

        MD5

        73279327c45bf0242b5880099375f6f8

        SHA1

        959f20f88de45ba5addcade6dd4d43941e3e3961

        SHA256

        b6a60fcd9d443c6f8e8d8d41479fea9a84e66879409be36d9534aa8b446c31bd

        SHA512

        e2f13ba504350231ca1f244d50088ce51c0de196ea9833a31cbe1837d6882dde0de21308df11aee0e7995f4905e9b4a6190064a511349321fa10789377a4fecc

        Download Submit

      • \Users\Admin\Documents\PO
        Filesize

        703KB

        MD5

        5d5439b5ce694c7329f002033dc479b5

        SHA1

        fa00d36077c1a8442c5f44cbdf7545a041e85ed3

        SHA256

        4f52022aa6286c18573e79cb079d5c9a01382bf1b4685a5a0dcc72cd6307b277

        SHA512

        f66685591e4504f802f4895bbfbeee8a524a78a09d7813e4e9d5e34cddaa2ea49635db1c09f658f5279e7999fe7a59db4514187e2f33f4f3d5c02f9cf6b8fb0e

        Download Submit

      • memory/2336-36-0x0000000074440000-0x0000000074B2E000-memory.dmp

        Filesize

        6.9MB

        Download

      • memory/2336-4-0x000000007444E000-0x000000007444F000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2336-5-0x0000000074440000-0x0000000074B2E000-memory.dmp

        Filesize

        6.9MB

        Download

      • memory/2336-6-0x00000000050A0000-0x000000000510C000-memory.dmp

        Filesize

        432KB

        Download

      • memory/2336-3-0x0000000000670000-0x0000000000688000-memory.dmp

        Filesize

        96KB

        Download

      • memory/2336-2-0x0000000074440000-0x0000000074B2E000-memory.dmp

        Filesize

        6.9MB

        Download

      • memory/2336-1-0x0000000001000000-0x00000000010B6000-memory.dmp

        Filesize

        728KB

        Download

      • memory/2336-0-0x000000007444E000-0x000000007444F000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2872-34-0x0000000000400000-0x000000000055A000-memory.dmp

        Filesize

        1.4MB

        Download

      • memory/2872-35-0x0000000000400000-0x000000000055A000-memory.dmp

        Filesize

        1.4MB

        Download

      • memory/2872-33-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2872-31-0x0000000000400000-0x000000000055A000-memory.dmp

        Filesize

        1.4MB

        Download

      • memory/2872-29-0x0000000000400000-0x000000000055A000-memory.dmp

        Filesize

        1.4MB

        Download

      • memory/2872-25-0x0000000000400000-0x000000000055A000-memory.dmp

        Filesize

        1.4MB

        Download

      • memory/2872-23-0x0000000000400000-0x000000000055A000-memory.dmp

        Filesize

        1.4MB

        Download

      • memory/2872-21-0x0000000000400000-0x000000000055A000-memory.dmp

        Filesize

        1.4MB

        Download

      • memory/2872-19-0x0000000000400000-0x000000000055A000-memory.dmp

        Filesize

        1.4MB

        Download

      • memory/2872-27-0x0000000000400000-0x000000000055A000-memory.dmp

        Filesize

        1.4MB

        Download

      • memory/2892-48-0x00000000001A0000-0x0000000000256000-memory.dmp

        Filesize

        728KB

        Download

      We care about your privacy.

      This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.