Overview

overview

10

Static

static

3

cfbff78272...1c.exe

windows7-x64

10

cfbff78272...1c.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    119s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    26/03/2025, 12:24 UTC

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    cfbff78272aa6680ec533fc66b4d2f10145c0b9b9a45fcf6f41bf65f54d6191c.exe

  • Size

    453KB

  • MD5

    b4316f8cbe7a62d557b824d377880dff

  • SHA1

    76dd09f92a4a22ab2f53be5ad3f3cb88a62cac1e

  • SHA256

    cfbff78272aa6680ec533fc66b4d2f10145c0b9b9a45fcf6f41bf65f54d6191c

  • SHA512

    bb683485a674a7bbabbb0e64f322f91d7a8f4a495a51f552f6018a8b2e609263353dd5a5c23112b41f2c6a3110481e79f51add9d289958b52d909453198d81f6

  • SSDEEP

    6144:DEkW8RdBHMlU8LFMrrtMuV3VUuj1LNBvyRS3Bfw/LV/FhWSqQnql9Flui/PSpZA:w4t8LFMftxeI9vkSRfeLV/FTqlLiZ

Score
10/10
warzoneratdiscoveryinfostealerrat

Malware Config

Extracted

Family

warzonerat

C2

79.134.225.30:5590

Signatures

  • WarzoneRat, AveMaria

    WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.

    ratinfostealerwarzonerat
  • Warzonerat family
    warzonerat
  • Warzone RAT payload 6 IoCs
    rat
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 20 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\cfbff78272aa6680ec533fc66b4d2f10145c0b9b9a45fcf6f41bf65f54d6191c.exe
    "C:\Users\Admin\AppData\Local\Temp\cfbff78272aa6680ec533fc66b4d2f10145c0b9b9a45fcf6f41bf65f54d6191c.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1708
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\jOmrcbxgpG" /XML "C:\Users\Admin\AppData\Local\Temp\tmp74C3.tmp"
      2⤵
      • System Location Discovery: System Language Discovery
      • Scheduled Task/Job: Scheduled Task
      PID:2896
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
      "{path}"
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2636
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 2636 -s 200
        3⤵
        • Program crash
        PID:2608

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\tmp74C3.tmp
    Filesize

    1KB

    MD5

    1d4ff1b5a06baa765afeb4fae28bcbab

    SHA1

    71ade04f973f106948a43291e345687bc23bea5c

    SHA256

    e985117e963a6f92947d05a170093c89fff497e4488fb5cdc0c16be75e9ff49a

    SHA512

    04a621b2e32b105ca5c3a5a55f8947075b20bd0bffc3c6cf771da1fa3d822a1ae2cb5930e202426b2166aa7c21dffc80bec844373500ecbfbddd6c3b0ee728ce

    Download Submit

  • memory/1708-25-0x0000000074580000-0x0000000074C6E000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/1708-1-0x0000000000E10000-0x0000000000E88000-memory.dmp

    Filesize

    480KB

    Download

  • memory/1708-2-0x0000000074580000-0x0000000074C6E000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/1708-3-0x0000000000490000-0x00000000004AC000-memory.dmp

    Filesize

    112KB

    Download

  • memory/1708-4-0x000000007458E000-0x000000007458F000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1708-5-0x0000000074580000-0x0000000074C6E000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/1708-6-0x0000000004550000-0x000000000459C000-memory.dmp

    Filesize

    304KB

    Download

  • memory/1708-0-0x000000007458E000-0x000000007458F000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2636-17-0x0000000000400000-0x0000000000554000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/2636-21-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2636-19-0x0000000000400000-0x0000000000554000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/2636-15-0x0000000000400000-0x0000000000554000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/2636-13-0x0000000000400000-0x0000000000554000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/2636-12-0x0000000000400000-0x0000000000554000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/2636-11-0x0000000000400000-0x0000000000554000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/2636-10-0x0000000000400000-0x0000000000554000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/2636-22-0x0000000000400000-0x0000000000554000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/2636-24-0x0000000000400000-0x0000000000554000-memory.dmp

    Filesize

    1.3MB

    Download

We care about your privacy.

This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.