warzonerat | 10de29d6ca34f4ba474a432588dcab2d09356fb4b3a323075c04c81c45200095

Analysis

max time kernel
35s
max time network
27s
platform
windows7_x64
resource
win7v20201028
submitted
15-01-2021 12:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

gf.exe
Size

847KB
MD5

c1ad9cbcb7bad8a5ae3f13752bab68a1
SHA1

114ebd72632913e4641b03d9e7eed01f1c0362e8
SHA256

10de29d6ca34f4ba474a432588dcab2d09356fb4b3a323075c04c81c45200095
SHA512

f284b853f83ec1e44983f889ae6e15f1b086d4d009115865c05e72a1543b1140ac0dc3d6a5a2b4384c9e98bad74e61dcf836378a7200747d97c6ff5231a519ab

Score

10^/10

warzonerat infostealer persistence rat

Malware Config

Extracted

Family

warzonerat

23.105.131.198:5300

Signatures

WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
rat infostealer warzonerat

Warzone RAT Payload 3 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/1400-35-0x0000000000400000-0x0000000000554000-memory.dmp	warzonerat
behavioral1/memory/1400-36-0x0000000000405CE2-mapping.dmp	warzonerat
behavioral1/memory/1400-37-0x0000000000400000-0x0000000000554000-memory.dmp	warzonerat

Executes dropped EXE 1 IoCs

Processes:

images.exe

pid process

596 images.exe
Loads dropped DLL 1 IoCs

Processes:

MSBuild.exe

pid process

1400 MSBuild.exe

pid	process
596	images.exe

pid	process
1400	MSBuild.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

MSBuild.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Images = "C:\\ProgramData\\images.exe"	MSBuild.exe

Drops file in System32 directory 1 IoCs

Processes:

powershell.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

powershell.exe

description pid process target process

PID 1176 set thread context of 1400 1176 powershell.exe MSBuild.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

powershell.exe

pid process

1176 powershell.exe
1176 powershell.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

powershell.exe

description pid process

Token: SeDebugPrivilege 1176 powershell.exe

description	pid	process	target process
PID 1176 set thread context of 1400	1176	powershell.exe	MSBuild.exe

pid	process
1176	powershell.exe
1176	powershell.exe

description	pid	process
Token: SeDebugPrivilege	1176	powershell.exe

Suspicious use of FindShellTrayWindow 22 IoCs

Processes:

gf.exe

pid	process
1656	gf.exe
1656	gf.exe
1656	gf.exe
1656	gf.exe
1656	gf.exe
1656	gf.exe
1656	gf.exe
1656	gf.exe
1656	gf.exe
1656	gf.exe
1656	gf.exe
1656	gf.exe
1656	gf.exe
1656	gf.exe
1656	gf.exe
1656	gf.exe
1656	gf.exe
1656	gf.exe
1656	gf.exe
1656	gf.exe
1656	gf.exe
1656	gf.exe

Suspicious use of SendNotifyMessage 22 IoCs

Processes:

gf.exe

pid	process
1656	gf.exe
1656	gf.exe
1656	gf.exe
1656	gf.exe
1656	gf.exe
1656	gf.exe
1656	gf.exe
1656	gf.exe
1656	gf.exe
1656	gf.exe
1656	gf.exe
1656	gf.exe
1656	gf.exe
1656	gf.exe
1656	gf.exe
1656	gf.exe
1656	gf.exe
1656	gf.exe
1656	gf.exe
1656	gf.exe
1656	gf.exe
1656	gf.exe

Suspicious use of WriteProcessMemory 28 IoCs

Processes:

gf.exepowershell.execsc.exeMSBuild.exe

description	pid	process	target process
PID 1656 wrote to memory of 1176	1656	gf.exe	powershell.exe
PID 1656 wrote to memory of 1176	1656	gf.exe	powershell.exe
PID 1656 wrote to memory of 1176	1656	gf.exe	powershell.exe
PID 1656 wrote to memory of 1176	1656	gf.exe	powershell.exe
PID 1176 wrote to memory of 1520	1176	powershell.exe	csc.exe
PID 1176 wrote to memory of 1520	1176	powershell.exe	csc.exe
PID 1176 wrote to memory of 1520	1176	powershell.exe	csc.exe
PID 1176 wrote to memory of 1520	1176	powershell.exe	csc.exe
PID 1520 wrote to memory of 560	1520	csc.exe	cvtres.exe
PID 1520 wrote to memory of 560	1520	csc.exe	cvtres.exe
PID 1520 wrote to memory of 560	1520	csc.exe	cvtres.exe
PID 1520 wrote to memory of 560	1520	csc.exe	cvtres.exe
PID 1176 wrote to memory of 1400	1176	powershell.exe	MSBuild.exe
PID 1176 wrote to memory of 1400	1176	powershell.exe	MSBuild.exe
PID 1176 wrote to memory of 1400	1176	powershell.exe	MSBuild.exe
PID 1176 wrote to memory of 1400	1176	powershell.exe	MSBuild.exe
PID 1176 wrote to memory of 1400	1176	powershell.exe	MSBuild.exe
PID 1176 wrote to memory of 1400	1176	powershell.exe	MSBuild.exe
PID 1176 wrote to memory of 1400	1176	powershell.exe	MSBuild.exe
PID 1176 wrote to memory of 1400	1176	powershell.exe	MSBuild.exe
PID 1176 wrote to memory of 1400	1176	powershell.exe	MSBuild.exe
PID 1176 wrote to memory of 1400	1176	powershell.exe	MSBuild.exe
PID 1176 wrote to memory of 1400	1176	powershell.exe	MSBuild.exe
PID 1176 wrote to memory of 1400	1176	powershell.exe	MSBuild.exe
PID 1400 wrote to memory of 596	1400	MSBuild.exe	images.exe
PID 1400 wrote to memory of 596	1400	MSBuild.exe	images.exe
PID 1400 wrote to memory of 596	1400	MSBuild.exe	images.exe
PID 1400 wrote to memory of 596	1400	MSBuild.exe	images.exe

C:\Users\Admin\AppData\Local\Temp\gf.exe
"C:\Users\Admin\AppData\Local\Temp\gf.exe"
1⤵
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1656

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -executionpolicy bypass C:\Users\Admin\AppData\Local\Temp\CCMAMjNmw.ps1
2⤵
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1176

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\ebqi1uxh\ebqi1uxh.cmdline"
3⤵
- Suspicious use of WriteProcessMemory
PID:1520

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESADEB.tmp" "c:\Users\Admin\AppData\Local\Temp\ebqi1uxh\CSCFCB583CEB5824449B1F46145766DFEAF.TMP"
4⤵
PID:560

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
3⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1400

C:\ProgramData\images.exe
"C:\ProgramData\images.exe"
4⤵
- Executes dropped EXE
PID:596

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\images.exe
MD5
9af17c8393f0970ee5136bd3ffa27001

SHA1
4b285b72c1a11285a25f31f2597e090da6bbc049

SHA256
71d6a7a3fe5f8dc878cd5bdeca0e09177efb85c01e9a8a10a95262cabefaa019

SHA512
b90f7de7d5ce72dccb264c7ba609e173c529b9d99ed9a63f88632bc58b1a994bbb727365f519c73b979f8918bd6de3c39a9f0347eb3a4bccdce4b2772a6516a3

Download Submit
C:\ProgramData\images.exe
MD5
9af17c8393f0970ee5136bd3ffa27001

SHA1
4b285b72c1a11285a25f31f2597e090da6bbc049

SHA256
71d6a7a3fe5f8dc878cd5bdeca0e09177efb85c01e9a8a10a95262cabefaa019

SHA512
b90f7de7d5ce72dccb264c7ba609e173c529b9d99ed9a63f88632bc58b1a994bbb727365f519c73b979f8918bd6de3c39a9f0347eb3a4bccdce4b2772a6516a3

Download Submit
C:\Users\Admin\AppData\Local\Temp\CCMAMjNmw.ps1
MD5
83f3d6f8e49da8fc978a4715c65372bc

SHA1
bc7622d135688252f922a3cb4aa706a43c13f83d

SHA256
c21bcd976308ad8aa803545c69640829f7325c796fba75ef3d635bd7ffdec89b

SHA512
7622cf82efec91a1de6446c2cf423559f3ffc6e5a5b91e5eebce57502d3d3080496b4859907d8d00247fd23097160471c91a3e15c34d16185a6229ede5124730

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESADEB.tmp
MD5
4f4bcb983327980a3dd0ef1ee9baba82

SHA1
fc33aa34fa511779785e65fa42d0e4dc31bac98a

SHA256
8e14b093b4eddaebac0cdca086ce4094331e70851efef8d8f2d130a64cbadcc0

SHA512
aba1c7aa769131b7029cfa8950eccc06f52d6bf046303ddb781096a31a7fdd2c88bd73c630c5be2cc6b40f9bf14b17a746f48412d536a06f7147ac11bc8f17c8

Download Submit
C:\Users\Admin\AppData\Local\Temp\ebqi1uxh\ebqi1uxh.dll
MD5
4f8cc30ac591a4cf0efe85c35548a5de

SHA1
c57ad059521eaae302c5d6bba0e011fdd735e74c

SHA256
a30d782bbc510307a037d9fe74702f94b36442c71eb4b84975fb4327cee39425

SHA512
d96f6b870134518b620ade9f6d25128c7a023a373c431a6a37ed13a47498dd7057c7170a06773041ced43b9e5d82e74046f1351b341c42f309d88f6347c9a660

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\ebqi1uxh\CSCFCB583CEB5824449B1F46145766DFEAF.TMP
MD5
478cb294c658f65b36291a27caddfcd6

SHA1
a97d0f67d8fdf31ed564d3b0818ba76d3dab4b8c

SHA256
a287fd9734462b50360d7da780a5ea9b8994456a9fe5e8fdb738316ab8f2d0d2

SHA512
b6bad171d1fe8238bf224306cc594277f0efd125c4485658abb7997151ad06223cd5af6b4afc9ff11e21fcd3ba12022588a2b6abdda87659bf41a7e643b9be35

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\ebqi1uxh\ebqi1uxh.0.cs
MD5
e8c41bf3708cc4bd505851f38966151a

SHA1
ab943b19fb2e837904c97a3c52309c1f2c20dc9c

SHA256
54dc97b3a24a8137d2b4dcb052b104ffde93bd4a89297ee2fb522fa346bb01e9

SHA512
40a0f9f82cfed1e51feeeda8f790b1bffb5dc7f878fd86fc8bb3fca9d5133383e3d801bdddc97907361712b9bef75062860ab2b9add12188737d8f0418cd4cc4

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\ebqi1uxh\ebqi1uxh.cmdline
MD5
cdf3d7174bf8794bfda8ed4e8e99d7f7

SHA1
876e75d505a3aa4ba1b9ec430e4a5832aabe365d

SHA256
4641b8615ec0575a0ddf0aa4a5531d55212dc2a11612448f4094d14680ce634d

SHA512
d886fa90ff39b9029cee9ebee81b30f5600e000debd4e20af5a62b7f4a5c024dfbe4bd489f1d4b685c8022d63943bd74434d7ce10d68baa29d1b2ec6e3dac31f

Download Submit
\ProgramData\images.exe
MD5
9af17c8393f0970ee5136bd3ffa27001

SHA1
4b285b72c1a11285a25f31f2597e090da6bbc049

SHA256
71d6a7a3fe5f8dc878cd5bdeca0e09177efb85c01e9a8a10a95262cabefaa019

SHA512
b90f7de7d5ce72dccb264c7ba609e173c529b9d99ed9a63f88632bc58b1a994bbb727365f519c73b979f8918bd6de3c39a9f0347eb3a4bccdce4b2772a6516a3

Download Submit
memory/560-30-0x0000000000000000-mapping.dmp

Download
memory/596-43-0x0000000000140000-0x0000000000141000-memory.dmp

Filesize
4KB

Download
memory/596-39-0x0000000000000000-mapping.dmp

Download
memory/596-42-0x0000000074000000-0x00000000746EE000-memory.dmp

Filesize
6.9MB

Download
memory/1176-7-0x00000000025E0000-0x00000000025E1000-memory.dmp

Filesize
4KB

Download
memory/1176-26-0x000000000A300000-0x000000000A301000-memory.dmp

Filesize
4KB

Download
memory/1176-8-0x0000000005240000-0x0000000005241000-memory.dmp

Filesize
4KB

Download
memory/1176-4-0x0000000073640000-0x0000000073D2E000-memory.dmp

Filesize
6.9MB

Download
memory/1176-6-0x00000000048E0000-0x00000000048E1000-memory.dmp

Filesize
4KB

Download
memory/1176-25-0x000000000A2D0000-0x000000000A2D1000-memory.dmp

Filesize
4KB

Download
memory/1176-34-0x000000000A450000-0x000000000A451000-memory.dmp

Filesize
4KB

Download
memory/1176-5-0x0000000000B80000-0x0000000000B81000-memory.dmp

Filesize
4KB

Download
memory/1176-3-0x0000000000000000-mapping.dmp

Download
memory/1176-18-0x000000000A1D0000-0x000000000A1D1000-memory.dmp

Filesize
4KB

Download
memory/1176-12-0x00000000056D0000-0x00000000056D1000-memory.dmp

Filesize
4KB

Download
memory/1176-17-0x000000000A0D0000-0x000000000A0D1000-memory.dmp

Filesize
4KB

Download
memory/1400-37-0x0000000000400000-0x0000000000554000-memory.dmp

Filesize
1.3MB

Download
memory/1400-36-0x0000000000405CE2-mapping.dmp

Download
memory/1400-35-0x0000000000400000-0x0000000000554000-memory.dmp

Filesize
1.3MB

Download
memory/1520-27-0x0000000000000000-mapping.dmp

Download
memory/1600-2-0x000007FEF6F80000-0x000007FEF71FA000-memory.dmp

Filesize
2.5MB

Download