
WarZOne.exe

Status: finished
Submission Time: 2022-03-21 13:11:28 +01:00
Malicious
Trojan
Evader

Comments

Tags

  • exe

Details

  • Analysis ID:
    593196
  • API (Web) ID:
    960718
  • Analysis Started:
    2022-03-21 13:14:44 +01:00
  • Analysis Finished:
    2022-03-21 13:30:09 +01:00
  • MD5:
    bd217c997f860e6c95e4df1204e8b6f2
  • SHA1:
    67d432c7611e1a657c39647b82afb9d7d93c7a71
  • SHA256:
    cde7e237d3724ede32827c724793cd1e44f041b020a49a5188df9f0f0a92a722
  • Technologies:
    Joe Sandbox

Engine Download Report Detection Info
Detection: malicious
Score: 96
System: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01

Third Party Analysis Engines

malicious

IPs

IP Country Detection
208.95.112.1
United States

Domains

Name IP Detection
ip-api.com
208.95.112.1

URLs

Name Detection
https://github.com/Pester/Pester
http://ip-api.com/line/?fields=hosting
http://crl.t.com/pki/crl/pr
http://crl.entrust.net/2048ca.crl0
http://www.entrust.net/rpa0
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
http://crl.entrust.net/ts1ca.crl0
http://www.codeplex.com/DotNetZip
http://ip-api.com
https://nuget.org/nuget.exe
https://contoso.com/
http://schemas.xmlsoap.org/wsdl/
http://nsis.sf.net/NSIS_Error
http://ip-api.com4
http://crl.mi
http://nuget.org/NuGet.exe
http://nsis.sf.net/NSIS_ErrorError
http://crl.osofts/Microt0
http://aia.entrust.net/ts1-chain256.cer01
https://contoso.com/Icon
https://contoso.com/License
http://www.entrust.net/rpa03
https://go.micro
http://ocsp.entrust.net02
http://www.apache.org/licenses/LICENSE-2.0.html
http://ocsp.entrust.net03
http://schemas.xmlsoap.org/soap/encoding/
http://pesterbdd.com/images/Pester.png
http://wsoft.com/pki/ceroCerAut_2010-06-

Dropped files

Name File Type Hashes Detection
C:\Users\user\AppData\Roaming\Windows\System.exe
    PE32+ executable (GUI) x86-64 Mono/.Net assembly, for MS Windows
C:\Users\user\AppData\Roaming\6363.exe
    PE32 executable (console) Intel 80386, for MS Windows
C:\Users\user\AppData\Roaming\13.exe
    PE32+ executable (GUI) x86-64 Mono/.Net assembly, for MS Windows
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ntbonqkd.4oe.psm1
    very short file (no magic)
C:\Users\user\Documents\20220321\PowerShell_transcript.124406.nPMpTzNg.20220321131615.txt
    UTF-8 Unicode (with BOM) text, with CRLF line terminators
C:\Users\user\Documents\20220321\PowerShell_transcript.124406.hEIboB2j.20220321131654.txt
    UTF-8 Unicode (with BOM) text, with CRLF line terminators
C:\Users\user\Documents\20220321\PowerShell_transcript.124406.H_CZkqq5.20220321131727.txt
    UTF-8 Unicode (with BOM) text, with CRLF line terminators
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_qmrv50ev.vgm.psm1
    very short file (no magic)
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_onkmbs4h.1fs.ps1
    very short file (no magic)
C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\13.exe.log
    ASCII text, with CRLF line terminators
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_kza20jcr.aj3.ps1
    very short file (no magic)
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_hdqh0fyf.oux.ps1
    very short file (no magic)
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ax1m5cxw.dic.psm1
    very short file (no magic)
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_4fszllca.cnq.psm1
    very short file (no magic)
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_1nkf0ynl.1ys.ps1
    very short file (no magic)
C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    data
C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
    data