Overview

overview

10

Static

static

3

cfbff78272...1c.exe

windows7-x64

10

cfbff78272...1c.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    148s
  • max time network
    156s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250314-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
  • submitted
    26/03/2025, 12:24

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    cfbff78272aa6680ec533fc66b4d2f10145c0b9b9a45fcf6f41bf65f54d6191c.exe

  • Size

    453KB

  • MD5

    b4316f8cbe7a62d557b824d377880dff

  • SHA1

    76dd09f92a4a22ab2f53be5ad3f3cb88a62cac1e

  • SHA256

    cfbff78272aa6680ec533fc66b4d2f10145c0b9b9a45fcf6f41bf65f54d6191c

  • SHA512

    bb683485a674a7bbabbb0e64f322f91d7a8f4a495a51f552f6018a8b2e609263353dd5a5c23112b41f2c6a3110481e79f51add9d289958b52d909453198d81f6

  • SSDEEP

    6144:DEkW8RdBHMlU8LFMrrtMuV3VUuj1LNBvyRS3Bfw/LV/FhWSqQnql9Flui/PSpZA:w4t8LFMftxeI9vkSRfeLV/FTqlLiZ

Score
10/10
warzoneratdiscoveryinfostealerrat

Malware Config

Extracted

Family

warzonerat

C2

79.134.225.30:5590

Signatures

  • WarzoneRat, AveMaria

    WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.

    ratinfostealerwarzonerat
  • Warzonerat family
    warzonerat
  • Warzone RAT payload 4 IoCs
    rat
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 14 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\cfbff78272aa6680ec533fc66b4d2f10145c0b9b9a45fcf6f41bf65f54d6191c.exe
    "C:\Users\Admin\AppData\Local\Temp\cfbff78272aa6680ec533fc66b4d2f10145c0b9b9a45fcf6f41bf65f54d6191c.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:5196
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\jOmrcbxgpG" /XML "C:\Users\Admin\AppData\Local\Temp\tmp2D64.tmp"
      2⤵
      • System Location Discovery: System Language Discovery
      • Scheduled Task/Job: Scheduled Task
      PID:2092
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
      "{path}"
      2⤵
      • System Location Discovery: System Language Discovery
      PID:3512

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\tmp2D64.tmp
    Filesize

    1KB

    MD5

    d28029691b54ae5a98b1d9c38858608f

    SHA1

    c06d3a30c6a112e9748bd15c28a54746e200db9e

    SHA256

    ed18c7ee959cec31cd7539d28d69992d0327fd9e0a2f2b84e79bc8b72d4130cb

    SHA512

    6409ac7eb1843e0574ca5b21bebf47c84c0e0adc8001a0720f586d2dc2b26879afd7acc59e7460240e84af0c7b6d79ead1fa70f29d322763ffeb460cb3e5547a

    Download Submit

  • memory/3512-17-0x0000000000400000-0x0000000000554000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/3512-21-0x0000000000400000-0x0000000000554000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/3512-15-0x0000000000400000-0x0000000000554000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/3512-19-0x0000000000400000-0x0000000000554000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/5196-4-0x0000000005210000-0x000000000521A000-memory.dmp

    Filesize

    40KB

    Download

  • memory/5196-6-0x0000000006280000-0x00000000067AC000-memory.dmp

    Filesize

    5.2MB

    Download

  • memory/5196-7-0x00000000053B0000-0x00000000053CC000-memory.dmp

    Filesize

    112KB

    Download

  • memory/5196-8-0x000000007478E000-0x000000007478F000-memory.dmp

    Filesize

    4KB

    Download

  • memory/5196-9-0x0000000074780000-0x0000000074F30000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/5196-11-0x00000000068A0000-0x000000000693C000-memory.dmp

    Filesize

    624KB

    Download

  • memory/5196-10-0x00000000067B0000-0x00000000067FC000-memory.dmp

    Filesize

    304KB

    Download

  • memory/5196-5-0x0000000074780000-0x0000000074F30000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/5196-20-0x0000000074780000-0x0000000074F30000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/5196-0-0x000000007478E000-0x000000007478F000-memory.dmp

    Filesize

    4KB

    Download

  • memory/5196-3-0x0000000005140000-0x00000000051D2000-memory.dmp

    Filesize

    584KB

    Download

  • memory/5196-2-0x00000000057A0000-0x0000000005D44000-memory.dmp

    Filesize

    5.6MB

    Download

  • memory/5196-1-0x0000000000700000-0x0000000000778000-memory.dmp

    Filesize

    480KB

    Download