warzonerat | 561e01008bd45fa4233aff08700b9d1dd4fda7fb24d68925ad0ef3f77dc96163

General

Target

decoded-1.exe
Size

152KB
MD5

5d49b53ae5acb1bf240d07a476725e8e
SHA1

6aa1e6da21a513f989a819b29889a005604f3153
SHA256

561e01008bd45fa4233aff08700b9d1dd4fda7fb24d68925ad0ef3f77dc96163
SHA512

a4fb6d703a6aa60bf3747cd98604eb22ad491fd53f80d702c74c43018abc7f5e0f5c073fd1f48b5828614e10e56fe9b852231bd51bec49a36e5af244c38a9813

Score

10^/10

warzonerat infostealer rat

Malware Config

Signatures

WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
rat infostealer warzonerat
Executes dropped EXE 1 IoCs

Processes:

$wz$images.exe

pid process

2964 $wz$images.exe

pid	process
2964	$wz$images.exe

Drops startup file 2 IoCs

Processes:

decoded-1.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\programs.bat:start	decoded-1.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\programs.bat	decoded-1.exe

NTFS ADS 1 IoCs

Processes:

decoded-1.exe

description ioc process

File created C:\ProgramData:ApplicationData decoded-1.exe

description	ioc	process
File created	C:\ProgramData:ApplicationData	decoded-1.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

decoded-1.exepowershell.exe$wz$images.exepowershell.exe

pid	process
980	decoded-1.exe
980	decoded-1.exe
2364	powershell.exe
2364	powershell.exe
2964	$wz$images.exe
2964	$wz$images.exe
2964	$wz$images.exe
2964	$wz$images.exe
2964	$wz$images.exe
2964	$wz$images.exe
2964	$wz$images.exe
2964	$wz$images.exe
2652	powershell.exe
2364	powershell.exe
2652	powershell.exe
2964	$wz$images.exe
2964	$wz$images.exe
2964	$wz$images.exe
2964	$wz$images.exe
2964	$wz$images.exe
2964	$wz$images.exe
2964	$wz$images.exe
2964	$wz$images.exe
2652	powershell.exe
2964	$wz$images.exe
2964	$wz$images.exe
2964	$wz$images.exe
2964	$wz$images.exe
2964	$wz$images.exe
2964	$wz$images.exe
2964	$wz$images.exe
2964	$wz$images.exe
2964	$wz$images.exe
2964	$wz$images.exe
2964	$wz$images.exe
2964	$wz$images.exe
2964	$wz$images.exe
2964	$wz$images.exe
2964	$wz$images.exe
2964	$wz$images.exe
2964	$wz$images.exe
2964	$wz$images.exe
2964	$wz$images.exe
2964	$wz$images.exe
2964	$wz$images.exe
2964	$wz$images.exe
2964	$wz$images.exe
2964	$wz$images.exe
2964	$wz$images.exe
2964	$wz$images.exe
2964	$wz$images.exe
2964	$wz$images.exe
2964	$wz$images.exe
2964	$wz$images.exe
2964	$wz$images.exe
2964	$wz$images.exe
2964	$wz$images.exe
2964	$wz$images.exe
2964	$wz$images.exe
2964	$wz$images.exe
2964	$wz$images.exe
2964	$wz$images.exe
2964	$wz$images.exe
2964	$wz$images.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

powershell.exepowershell.exe

description pid process

Token: SeDebugPrivilege 2364 powershell.exe
Token: SeDebugPrivilege 2652 powershell.exe

description	pid	process
Token: SeDebugPrivilege	2364	powershell.exe
Token: SeDebugPrivilege	2652	powershell.exe

Suspicious use of WriteProcessMemory 22 IoCs

Processes:

decoded-1.execmd.exe$wz$images.exe

description	pid	process	target process
PID 980 wrote to memory of 2364	980	decoded-1.exe	powershell.exe
PID 980 wrote to memory of 2364	980	decoded-1.exe	powershell.exe
PID 980 wrote to memory of 2364	980	decoded-1.exe	powershell.exe
PID 980 wrote to memory of 3128	980	decoded-1.exe	Explorer.EXE
PID 980 wrote to memory of 3128	980	decoded-1.exe	Explorer.EXE
PID 980 wrote to memory of 2544	980	decoded-1.exe	cmd.exe
PID 980 wrote to memory of 2544	980	decoded-1.exe	cmd.exe
PID 980 wrote to memory of 2544	980	decoded-1.exe	cmd.exe
PID 980 wrote to memory of 2964	980	decoded-1.exe	$wz$images.exe
PID 980 wrote to memory of 2964	980	decoded-1.exe	$wz$images.exe
PID 980 wrote to memory of 2964	980	decoded-1.exe	$wz$images.exe
PID 2544 wrote to memory of 652	2544	cmd.exe	reg.exe
PID 2544 wrote to memory of 652	2544	cmd.exe	reg.exe
PID 2544 wrote to memory of 652	2544	cmd.exe	reg.exe
PID 2964 wrote to memory of 2652	2964	$wz$images.exe	powershell.exe
PID 2964 wrote to memory of 2652	2964	$wz$images.exe	powershell.exe
PID 2964 wrote to memory of 2652	2964	$wz$images.exe	powershell.exe
PID 2964 wrote to memory of 3680	2964	$wz$images.exe	cmd.exe
PID 2964 wrote to memory of 3680	2964	$wz$images.exe	cmd.exe
PID 2964 wrote to memory of 3680	2964	$wz$images.exe	cmd.exe
PID 2964 wrote to memory of 3680	2964	$wz$images.exe	cmd.exe
PID 2964 wrote to memory of 3680	2964	$wz$images.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3128

C:\Users\Admin\AppData\Local\Temp\decoded-1.exe
"C:\Users\Admin\AppData\Local\Temp\decoded-1.exe"
2⤵
- Drops startup file
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:980

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell Add-MpPreference -ExclusionPath C:\
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2364

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /f /v Load /t REG_SZ /d "C:\ProgramData\$wz$images.exe"
3⤵
- Suspicious use of WriteProcessMemory
PID:2544

C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /f /v Load /t REG_SZ /d "C:\ProgramData\$wz$images.exe"
4⤵
PID:652

C:\ProgramData\$wz$images.exe
"C:\ProgramData\$wz$images.exe"
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2964

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell Add-MpPreference -ExclusionPath C:\
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2652

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe"
4⤵
PID:3680

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\$wz$images.exe
MD5
5d49b53ae5acb1bf240d07a476725e8e

SHA1
6aa1e6da21a513f989a819b29889a005604f3153

SHA256
561e01008bd45fa4233aff08700b9d1dd4fda7fb24d68925ad0ef3f77dc96163

SHA512
a4fb6d703a6aa60bf3747cd98604eb22ad491fd53f80d702c74c43018abc7f5e0f5c073fd1f48b5828614e10e56fe9b852231bd51bec49a36e5af244c38a9813

Download Submit
C:\ProgramData\$wz$images.exe
MD5
5d49b53ae5acb1bf240d07a476725e8e

SHA1
6aa1e6da21a513f989a819b29889a005604f3153

SHA256
561e01008bd45fa4233aff08700b9d1dd4fda7fb24d68925ad0ef3f77dc96163

SHA512
a4fb6d703a6aa60bf3747cd98604eb22ad491fd53f80d702c74c43018abc7f5e0f5c073fd1f48b5828614e10e56fe9b852231bd51bec49a36e5af244c38a9813

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
MD5
1c19c16e21c97ed42d5beabc93391fc5

SHA1
8ad83f8e0b3acf8dfbbf87931e41f0d664c4df68

SHA256
1bcd97396c83babfe6c5068ba590d7a3f8b70e72955a9d1e4070648e404cbf05

SHA512
7d18776d8f649b3d29c182ff03efc6cea8b527542ee55304980f24577aae8b64e37044407776e220984346c3998ace5f8853afa58c8b38407482a728e9495e0c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
5a09fe24da8d81879a7a92483da6e800

SHA1
f07ce72130a3c6467560a0e6c40962035045c1da

SHA256
0163bac695e0758577b4bea590e083b36a021d5a35e087a1e318d4e2fea54e29

SHA512
cd8850b4cba55f706d83728feee4b281e1c80e8b1dcec0e840bef9a725fdad692b46b8292bf982e00af6891470e2bc3f1c1d6a99f1b64a9eb2ecf490cdfd22ae

Download Submit
memory/652-8-0x0000000000000000-mapping.dmp

Download
memory/2364-16-0x0000000008A50000-0x0000000008A51000-memory.dmp

Filesize
4KB

Download
memory/2364-39-0x0000000009940000-0x0000000009941000-memory.dmp

Filesize
4KB

Download
memory/2364-9-0x0000000004E80000-0x0000000004E81000-memory.dmp

Filesize
4KB

Download
memory/2364-10-0x00000000078D0000-0x00000000078D1000-memory.dmp

Filesize
4KB

Download
memory/2364-11-0x0000000007F00000-0x0000000007F01000-memory.dmp

Filesize
4KB

Download
memory/2364-12-0x0000000008180000-0x0000000008181000-memory.dmp

Filesize
4KB

Download
memory/2364-13-0x0000000008260000-0x0000000008261000-memory.dmp

Filesize
4KB

Download
memory/2364-14-0x00000000082D0000-0x00000000082D1000-memory.dmp

Filesize
4KB

Download
memory/2364-15-0x0000000008140000-0x0000000008141000-memory.dmp

Filesize
4KB

Download
memory/2364-2-0x0000000000000000-mapping.dmp

Download
memory/2364-53-0x0000000009C00000-0x0000000009C01000-memory.dmp

Filesize
4KB

Download
memory/2364-51-0x0000000009C50000-0x0000000009C51000-memory.dmp

Filesize
4KB

Download
memory/2364-40-0x0000000009A90000-0x0000000009A91000-memory.dmp

Filesize
4KB

Download
memory/2364-22-0x0000000008980000-0x0000000008981000-memory.dmp

Filesize
4KB

Download
memory/2364-7-0x00000000729A0000-0x000000007308E000-memory.dmp

Filesize
6.9MB

Download
memory/2364-32-0x0000000009960000-0x0000000009993000-memory.dmp

Filesize
204KB

Download
memory/2544-3-0x0000000000000000-mapping.dmp

Download
memory/2652-19-0x00000000729A0000-0x000000007308E000-memory.dmp

Filesize
6.9MB

Download
memory/2652-17-0x0000000000000000-mapping.dmp

Download
memory/2652-58-0x00000000093E0000-0x00000000093E1000-memory.dmp

Filesize
4KB

Download
memory/2964-4-0x0000000000000000-mapping.dmp

Download
memory/3680-29-0x0000000002970000-0x0000000002971000-memory.dmp

Filesize
4KB

Download
memory/3680-18-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads