File name: | 35f3f9e4d43cd037feadf2d7c81f9d90 |
Full analysis: | https://app.any.run/tasks/f1356a48-d0dd-4d65-9308-a5b9292c5254 |
Verdict: | Malicious activity |
Threats: | WarZone RAT is a remote access trojan, which is written in C++ and offered as a malware-as-a-service. It packs a wide range of capabilities, from stealing victims’ files and passwords to capturing desktop activities. WarZone RAT is primarily distributed via phishing emails and receives regular updates from its C2. |
Analysis date: | December 05, 2022, 20:24:14 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | application/x-dosexec |
File info: | PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows |
MD5: | 35F3F9E4D43CD037FEADF2D7C81F9D90 |
SHA1: | 41AC8250A318FCBE930B5F19A8191A24B7BFD1FA |
SHA256: | 3677DDB0CDA755E0CCA757A2EA20C794B836877B1ED6BD14E0BCD4DFD721751C |
SSDEEP: | 12288:KPuYd+V6b1momPZeft0UA6aX9h8ktLNxH6EldpAlus6rjv8hcpJePuYd+V6b:KPuYd+V6bIomxit0b9JNxVAyrT8ipJeJ |
.exe | | | Generic CIL Executable (.NET, Mono, etc.) (82.9) |
---|---|---|
.dll | | | Win32 Dynamic Link Library (generic) (7.4) |
.exe | | | Win32 Executable (generic) (5.1) |
.exe | | | Generic Win/DOS Executable (2.2) |
.exe | | | DOS Executable Generic (2.2) |
Architecture: | IMAGE_FILE_MACHINE_I386 |
---|---|
Subsystem: | IMAGE_SUBSYSTEM_WINDOWS_GUI |
Compilation Date: | 2022-Dec-05 07:12:41 |
Debug artifacts: |
|
Comments: | - |
CompanyName: | Home |
FileDescription: | ElectionVotingSystem |
FileVersion: | 1.0.0.0 |
InternalName: | dFZj.exe |
LegalCopyright: | Copyright © Home 2011 |
LegalTrademarks: | - |
OriginalFilename: | dFZj.exe |
ProductName: | ElectionVotingSystem |
ProductVersion: | 1.0.0.0 |
Assembly Version: | 1.0.0.0 |
e_magic: | MZ |
---|---|
e_cblp: | 144 |
e_cp: | 3 |
e_crlc: | - |
e_cparhdr: | 4 |
e_minalloc: | - |
e_maxalloc: | 65535 |
e_ss: | - |
e_sp: | 184 |
e_csum: | - |
e_ip: | - |
e_cs: | - |
e_ovno: | - |
e_oemid: | - |
e_oeminfo: | - |
e_lfanew: | 128 |
Signature: | PE |
---|---|
Machine: | IMAGE_FILE_MACHINE_I386 |
NumberofSections: | 3 |
TimeDateStamp: | 2022-Dec-05 07:12:41 |
PointerToSymbolTable: | - |
NumberOfSymbols: | - |
SizeOfOptionalHeader: | 224 |
Characteristics: |
|
Name | Virtual Address | Virtual Size | Raw Size | Charateristics | Entropy |
---|---|---|---|---|---|
.text | 8192 | 548468 | 548864 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ | 7.57439 |
.rsrc | 557056 | 68724 | 69120 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 2.33604 |
.reloc | 630784 | 12 | 512 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ | 0.10191 |
Title | Entropy | Size | Codepage | Language | Type |
---|---|---|---|---|---|
1 | 2.30609 | 67624 | UNKNOWN | UNKNOWN | RT_ICON |
32512 | 1.98048 | 20 | UNKNOWN | UNKNOWN | RT_GROUP_ICON |
1 (#2) | 3.28128 | 844 | UNKNOWN | UNKNOWN | RT_VERSION |
mscoree.dll |
PID | CMD | Path | Indicators | Parent process | |||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
1860 | "C:\Users\admin\AppData\Local\Temp\35f3f9e4d43cd037feadf2d7c81f9d90.exe" | C:\Users\admin\AppData\Local\Temp\35f3f9e4d43cd037feadf2d7c81f9d90.exe | — | Explorer.EXE | |||||||||||
User: admin Company: Home Integrity Level: MEDIUM Description: ElectionVotingSystem Exit code: 0 Version: 1.0.0.0 Modules
| |||||||||||||||
2220 | "C:\Users\admin\AppData\Local\Temp\35f3f9e4d43cd037feadf2d7c81f9d90.exe" | C:\Users\admin\AppData\Local\Temp\35f3f9e4d43cd037feadf2d7c81f9d90.exe | 35f3f9e4d43cd037feadf2d7c81f9d90.exe | ||||||||||||
User: admin Company: Home Integrity Level: MEDIUM Description: ElectionVotingSystem Exit code: 0 Version: 1.0.0.0 Modules
| |||||||||||||||
3812 | "C:\Windows\System32\cmd.exe" | C:\Windows\System32\cmd.exe | 35f3f9e4d43cd037feadf2d7c81f9d90.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) Modules
| |||||||||||||||
1144 | "C:\Users\admin\Documents\1mages.exe" | C:\Users\admin\Documents\1mages.exe | — | 35f3f9e4d43cd037feadf2d7c81f9d90.exe | |||||||||||
User: admin Company: Home Integrity Level: MEDIUM Description: ElectionVotingSystem Exit code: 0 Version: 1.0.0.0 Modules
| |||||||||||||||
3272 | C:\Windows\system32\DllHost.exe /Processid:{3AD05575-8857-4850-9277-11B85BDB8E09} | C:\Windows\system32\DllHost.exe | — | svchost.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: COM Surrogate Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
1336 | "C:\Windows\system32\pkgmgr.exe" /n:%temp%\ellocnak.xml | C:\Windows\system32\pkgmgr.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Package Manager Exit code: 3221226540 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) Modules
| |||||||||||||||
2104 | "C:\Windows\system32\pkgmgr.exe" /n:%temp%\ellocnak.xml | C:\Windows\system32\pkgmgr.exe | cmd.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Windows Package Manager Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) Modules
| |||||||||||||||
3148 | "C:\Windows\system32\dism.exe" /online /norestart /apply-unattend:"C:\Users\admin\AppData\Local\Temp\ellocnak.xml" | C:\Windows\system32\dism.exe | — | pkgmgr.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Dism Image Servicing Utility Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
2488 | "C:\Windows\system32\makecab.exe" C:\Windows\Logs\CBS\CbsPersist_20221205202522.log C:\Windows\Logs\CBS\CbsPersist_20221205202522.cab | C:\Windows\system32\makecab.exe | — | pkgmgr.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Microsoft® Cabinet Maker Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
3940 | "C:\Users\admin\AppData\Local\Temp\35f3f9e4d43cd037feadf2d7c81f9d90.exe" | C:\Users\admin\AppData\Local\Temp\35f3f9e4d43cd037feadf2d7c81f9d90.exe | — | dism.exe | |||||||||||
User: admin Company: Home Integrity Level: HIGH Description: ElectionVotingSystem Exit code: 0 Version: 1.0.0.0 Modules
|
(PID) Process: | (2220) 35f3f9e4d43cd037feadf2d7c81f9d90.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings |
Operation: | write | Name: | MaxConnectionsPer1_0Server |
Value: 10 | |||
(PID) Process: | (2220) 35f3f9e4d43cd037feadf2d7c81f9d90.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings |
Operation: | write | Name: | MaxConnectionsPerServer |
Value: 10 | |||
(PID) Process: | (2220) 35f3f9e4d43cd037feadf2d7c81f9d90.exe | Key: | HKEY_CURRENT_USER\Software\_rptls |
Operation: | write | Name: | Install |
Value: C:\Users\admin\AppData\Local\Temp\35f3f9e4d43cd037feadf2d7c81f9d90.exe | |||
(PID) Process: | (2220) 35f3f9e4d43cd037feadf2d7c81f9d90.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\PRZKN0OOBI |
Operation: | write | Name: | inst |
Value: 0A0EADF8B10D576066E173DC67D32EF8C40486A0F619863BFBCEE9C12C3F05DEBFFF6D3C9466F2EA0D96002FD1B2EB18A379B1FB7DF28EFAC5C13175CB76BC17F69EE4B45498CE13 | |||
(PID) Process: | (2220) 35f3f9e4d43cd037feadf2d7c81f9d90.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run |
Operation: | write | Name: | 1mages |
Value: C:\Users\admin\Documents\1mages.exe | |||
(PID) Process: | (3812) cmd.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
Operation: | write | Name: | ProxyBypass |
Value: 1 | |||
(PID) Process: | (3812) cmd.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
Operation: | write | Name: | IntranetName |
Value: 1 | |||
(PID) Process: | (3812) cmd.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
Operation: | write | Name: | UNCAsIntranet |
Value: 1 | |||
(PID) Process: | (3812) cmd.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
Operation: | write | Name: | AutoDetect |
Value: 0 | |||
(PID) Process: | (3432) 1mages.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings |
Operation: | write | Name: | MaxConnectionsPer1_0Server |
Value: 10 |
PID | Process | Filename | Type | |
---|---|---|---|---|
2104 | pkgmgr.exe | C:\Windows\Logs\CBS\CbsPersist_20221205202522.log | — | |
MD5:— | SHA256:— | |||
2220 | 35f3f9e4d43cd037feadf2d7c81f9d90.exe | C:\Users\admin\Documents\1mages.exe | executable | |
MD5:35F3F9E4D43CD037FEADF2D7C81F9D90 | SHA256:3677DDB0CDA755E0CCA757A2EA20C794B836877B1ED6BD14E0BCD4DFD721751C | |||
2104 | pkgmgr.exe | C:\Windows\Logs\CBS\CBS.log | text | |
MD5:1D8F3684FB72A1584361298BCBE840C6 | SHA256:6F5B7BCBA949A8EB29DF55FDEA7A02246CA268C52079FC990A8A51DA1A1FF1A3 | |||
2488 | makecab.exe | C:\Users\admin\AppData\Local\Temp\cab_2488_3 | binary | |
MD5:929F5374F2847231C55A88703583D389 | SHA256:DE18744F0E804583D7E874A4B0347B8DBD6C2FBEF115671232DE1ACAC212DC9B | |||
2220 | 35f3f9e4d43cd037feadf2d7c81f9d90.exe | C:\Users\admin\Documents\Documents:ApplicationData | executable | |
MD5:35F3F9E4D43CD037FEADF2D7C81F9D90 | SHA256:3677DDB0CDA755E0CCA757A2EA20C794B836877B1ED6BD14E0BCD4DFD721751C | |||
2488 | makecab.exe | C:\Windows\Logs\CBS\CbsPersist_20221205202522.cab | compressed | |
MD5:9491A8B6C9ABA9D6F386FB597FF10D43 | SHA256:92F918BD18C25B20355BFFFC30716FCB0712ED05E5F02502D068910CA04A7947 | |||
3812 | cmd.exe | C:\Users\admin\AppData\Local\Temp\dismcore.dll | executable | |
MD5:6B906764A35508A7FD266CDD512E46B1 | SHA256:FC0C90044B94B080F307C16494369A0796AC1D4E74E7912BA79C15CCA241801C | |||
4024 | cmd.exe | C:\Users\admin\AppData\Local\Temp\dismcore.dll | executable | |
MD5:6B906764A35508A7FD266CDD512E46B1 | SHA256:FC0C90044B94B080F307C16494369A0796AC1D4E74E7912BA79C15CCA241801C | |||
2488 | makecab.exe | C:\Users\admin\AppData\Local\Temp\cab_2488_5 | binary | |
MD5:929F5374F2847231C55A88703583D389 | SHA256:DE18744F0E804583D7E874A4B0347B8DBD6C2FBEF115671232DE1ACAC212DC9B | |||
2488 | makecab.exe | C:\Users\admin\AppData\Local\Temp\cab_2488_4 | binary | |
MD5:A439AD6D04C099EC6F85B3B5B96A3AC3 | SHA256:8C08BEA3C051DB4252EB452FFF7F03A843EE5B83177C488A59308F3AF1789521 |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
3432 | 1mages.exe | 51.178.11.185:5200 | — | OVH SAS | FR | malicious |