warzonerat | 10de29d6ca34f4ba474a432588dcab2d09356fb4b3a323075c04c81c45200095

Analysis

max time kernel
25s
max time network
18s
platform
windows7_x64
resource
win7v20201028
submitted
16-01-2021 07:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c1ad9cbcb7bad8a5ae3f13752bab68a1.exe
Size

847KB
MD5

c1ad9cbcb7bad8a5ae3f13752bab68a1
SHA1

114ebd72632913e4641b03d9e7eed01f1c0362e8
SHA256

10de29d6ca34f4ba474a432588dcab2d09356fb4b3a323075c04c81c45200095
SHA512

f284b853f83ec1e44983f889ae6e15f1b086d4d009115865c05e72a1543b1140ac0dc3d6a5a2b4384c9e98bad74e61dcf836378a7200747d97c6ff5231a519ab

Score

10^/10

warzonerat infostealer persistence rat

Malware Config

Extracted

Family

warzonerat

23.105.131.198:5300

Signatures

WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
rat infostealer warzonerat

Warzone RAT Payload 3 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/1076-36-0x0000000000405CE2-mapping.dmp	warzonerat
behavioral1/memory/1076-35-0x0000000000400000-0x0000000000554000-memory.dmp	warzonerat
behavioral1/memory/1076-37-0x0000000000400000-0x0000000000554000-memory.dmp	warzonerat

Executes dropped EXE 1 IoCs

Processes:

images.exe

pid process

1604 images.exe
Loads dropped DLL 1 IoCs

Processes:

MSBuild.exe

pid process

1076 MSBuild.exe

pid	process
1604	images.exe

pid	process
1076	MSBuild.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

MSBuild.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Images = "C:\\ProgramData\\images.exe"	MSBuild.exe

Drops file in System32 directory 1 IoCs

Processes:

powershell.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

powershell.exe

description pid process target process

PID 268 set thread context of 1076 268 powershell.exe MSBuild.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

powershell.exe

pid process

268 powershell.exe
268 powershell.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

powershell.exe

description pid process

Token: SeDebugPrivilege 268 powershell.exe

description	pid	process	target process
PID 268 set thread context of 1076	268	powershell.exe	MSBuild.exe

pid	process
268	powershell.exe
268	powershell.exe

description	pid	process
Token: SeDebugPrivilege	268	powershell.exe

Suspicious use of FindShellTrayWindow 18 IoCs

Processes:

c1ad9cbcb7bad8a5ae3f13752bab68a1.exe

pid	process
1096	c1ad9cbcb7bad8a5ae3f13752bab68a1.exe
1096	c1ad9cbcb7bad8a5ae3f13752bab68a1.exe
1096	c1ad9cbcb7bad8a5ae3f13752bab68a1.exe
1096	c1ad9cbcb7bad8a5ae3f13752bab68a1.exe
1096	c1ad9cbcb7bad8a5ae3f13752bab68a1.exe
1096	c1ad9cbcb7bad8a5ae3f13752bab68a1.exe
1096	c1ad9cbcb7bad8a5ae3f13752bab68a1.exe
1096	c1ad9cbcb7bad8a5ae3f13752bab68a1.exe
1096	c1ad9cbcb7bad8a5ae3f13752bab68a1.exe
1096	c1ad9cbcb7bad8a5ae3f13752bab68a1.exe
1096	c1ad9cbcb7bad8a5ae3f13752bab68a1.exe
1096	c1ad9cbcb7bad8a5ae3f13752bab68a1.exe
1096	c1ad9cbcb7bad8a5ae3f13752bab68a1.exe
1096	c1ad9cbcb7bad8a5ae3f13752bab68a1.exe
1096	c1ad9cbcb7bad8a5ae3f13752bab68a1.exe
1096	c1ad9cbcb7bad8a5ae3f13752bab68a1.exe
1096	c1ad9cbcb7bad8a5ae3f13752bab68a1.exe
1096	c1ad9cbcb7bad8a5ae3f13752bab68a1.exe

Suspicious use of SendNotifyMessage 18 IoCs

Processes:

c1ad9cbcb7bad8a5ae3f13752bab68a1.exe

pid	process
1096	c1ad9cbcb7bad8a5ae3f13752bab68a1.exe
1096	c1ad9cbcb7bad8a5ae3f13752bab68a1.exe
1096	c1ad9cbcb7bad8a5ae3f13752bab68a1.exe
1096	c1ad9cbcb7bad8a5ae3f13752bab68a1.exe
1096	c1ad9cbcb7bad8a5ae3f13752bab68a1.exe
1096	c1ad9cbcb7bad8a5ae3f13752bab68a1.exe
1096	c1ad9cbcb7bad8a5ae3f13752bab68a1.exe
1096	c1ad9cbcb7bad8a5ae3f13752bab68a1.exe
1096	c1ad9cbcb7bad8a5ae3f13752bab68a1.exe
1096	c1ad9cbcb7bad8a5ae3f13752bab68a1.exe
1096	c1ad9cbcb7bad8a5ae3f13752bab68a1.exe
1096	c1ad9cbcb7bad8a5ae3f13752bab68a1.exe
1096	c1ad9cbcb7bad8a5ae3f13752bab68a1.exe
1096	c1ad9cbcb7bad8a5ae3f13752bab68a1.exe
1096	c1ad9cbcb7bad8a5ae3f13752bab68a1.exe
1096	c1ad9cbcb7bad8a5ae3f13752bab68a1.exe
1096	c1ad9cbcb7bad8a5ae3f13752bab68a1.exe
1096	c1ad9cbcb7bad8a5ae3f13752bab68a1.exe

Suspicious use of WriteProcessMemory 32 IoCs

Processes:

c1ad9cbcb7bad8a5ae3f13752bab68a1.exepowershell.execsc.exeMSBuild.exe

description	pid	process	target process
PID 1096 wrote to memory of 268	1096	c1ad9cbcb7bad8a5ae3f13752bab68a1.exe	powershell.exe
PID 1096 wrote to memory of 268	1096	c1ad9cbcb7bad8a5ae3f13752bab68a1.exe	powershell.exe
PID 1096 wrote to memory of 268	1096	c1ad9cbcb7bad8a5ae3f13752bab68a1.exe	powershell.exe
PID 1096 wrote to memory of 268	1096	c1ad9cbcb7bad8a5ae3f13752bab68a1.exe	powershell.exe
PID 268 wrote to memory of 1808	268	powershell.exe	csc.exe
PID 268 wrote to memory of 1808	268	powershell.exe	csc.exe
PID 268 wrote to memory of 1808	268	powershell.exe	csc.exe
PID 268 wrote to memory of 1808	268	powershell.exe	csc.exe
PID 1808 wrote to memory of 944	1808	csc.exe	cvtres.exe
PID 1808 wrote to memory of 944	1808	csc.exe	cvtres.exe
PID 1808 wrote to memory of 944	1808	csc.exe	cvtres.exe
PID 1808 wrote to memory of 944	1808	csc.exe	cvtres.exe
PID 268 wrote to memory of 912	268	powershell.exe	MSBuild.exe
PID 268 wrote to memory of 912	268	powershell.exe	MSBuild.exe
PID 268 wrote to memory of 912	268	powershell.exe	MSBuild.exe
PID 268 wrote to memory of 912	268	powershell.exe	MSBuild.exe
PID 268 wrote to memory of 1076	268	powershell.exe	MSBuild.exe
PID 268 wrote to memory of 1076	268	powershell.exe	MSBuild.exe
PID 268 wrote to memory of 1076	268	powershell.exe	MSBuild.exe
PID 268 wrote to memory of 1076	268	powershell.exe	MSBuild.exe
PID 268 wrote to memory of 1076	268	powershell.exe	MSBuild.exe
PID 268 wrote to memory of 1076	268	powershell.exe	MSBuild.exe
PID 268 wrote to memory of 1076	268	powershell.exe	MSBuild.exe
PID 268 wrote to memory of 1076	268	powershell.exe	MSBuild.exe
PID 268 wrote to memory of 1076	268	powershell.exe	MSBuild.exe
PID 268 wrote to memory of 1076	268	powershell.exe	MSBuild.exe
PID 268 wrote to memory of 1076	268	powershell.exe	MSBuild.exe
PID 268 wrote to memory of 1076	268	powershell.exe	MSBuild.exe
PID 1076 wrote to memory of 1604	1076	MSBuild.exe	images.exe
PID 1076 wrote to memory of 1604	1076	MSBuild.exe	images.exe
PID 1076 wrote to memory of 1604	1076	MSBuild.exe	images.exe
PID 1076 wrote to memory of 1604	1076	MSBuild.exe	images.exe

C:\Users\Admin\AppData\Local\Temp\c1ad9cbcb7bad8a5ae3f13752bab68a1.exe
"C:\Users\Admin\AppData\Local\Temp\c1ad9cbcb7bad8a5ae3f13752bab68a1.exe"
1⤵
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1096

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -executionpolicy bypass C:\Users\Admin\AppData\Local\Temp\CCMAMjNmw.ps1
2⤵
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:268

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\gof4uk1n\gof4uk1n.cmdline"
3⤵
- Suspicious use of WriteProcessMemory
PID:1808

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES6DFF.tmp" "c:\Users\Admin\AppData\Local\Temp\gof4uk1n\CSC26338747EA0C4850A92191F6314A93BC.TMP"
4⤵
PID:944

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
3⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1076

C:\ProgramData\images.exe
"C:\ProgramData\images.exe"
4⤵
- Executes dropped EXE
PID:1604

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
3⤵
PID:912

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\images.exe
MD5
9af17c8393f0970ee5136bd3ffa27001

SHA1
4b285b72c1a11285a25f31f2597e090da6bbc049

SHA256
71d6a7a3fe5f8dc878cd5bdeca0e09177efb85c01e9a8a10a95262cabefaa019

SHA512
b90f7de7d5ce72dccb264c7ba609e173c529b9d99ed9a63f88632bc58b1a994bbb727365f519c73b979f8918bd6de3c39a9f0347eb3a4bccdce4b2772a6516a3

Download Submit
C:\ProgramData\images.exe
MD5
9af17c8393f0970ee5136bd3ffa27001

SHA1
4b285b72c1a11285a25f31f2597e090da6bbc049

SHA256
71d6a7a3fe5f8dc878cd5bdeca0e09177efb85c01e9a8a10a95262cabefaa019

SHA512
b90f7de7d5ce72dccb264c7ba609e173c529b9d99ed9a63f88632bc58b1a994bbb727365f519c73b979f8918bd6de3c39a9f0347eb3a4bccdce4b2772a6516a3

Download Submit
C:\Users\Admin\AppData\Local\Temp\CCMAMjNmw.ps1
MD5
83f3d6f8e49da8fc978a4715c65372bc

SHA1
bc7622d135688252f922a3cb4aa706a43c13f83d

SHA256
c21bcd976308ad8aa803545c69640829f7325c796fba75ef3d635bd7ffdec89b

SHA512
7622cf82efec91a1de6446c2cf423559f3ffc6e5a5b91e5eebce57502d3d3080496b4859907d8d00247fd23097160471c91a3e15c34d16185a6229ede5124730

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES6DFF.tmp
MD5
8ffd886a5df9d8ac6a31665278e19dc4

SHA1
e35c66ef2836ab4aa2e0bbf729981621f601db6c

SHA256
fb251119087a50605ce6a32796839f12bd71c0567ac70fa7c11ca026e3306aa5

SHA512
3ce18eadd4b5d312eacaf9e354d8f0936c652785deaf3d442b809ebd1e1bbb028c7b70d2edc821def43cdaca877f248d896d8f2c9f7792ef2eaf93af012e2366

Download Submit
C:\Users\Admin\AppData\Local\Temp\gof4uk1n\gof4uk1n.dll
MD5
d7c1e5ea633400f49056c040188cadde

SHA1
ad7af277c0daf96789c64723421288dfa33a1b1d

SHA256
bd9432a09a6b87491b97862d558efc071df993501fe0ed2680984889c15338f8

SHA512
68e98ccfa2baa13a556f7dfdd42b5ffd1aaab465b19dd0579dab3870005b80a9636988e5734aa44065b3af6d6943de950b9a1f7ef9bdcb713e1a699343c90b4c

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\gof4uk1n\CSC26338747EA0C4850A92191F6314A93BC.TMP
MD5
fa8e22c88f405108d639a3bd1c8aa173

SHA1
5e14adb44631659cd430880c2dc4345550e7ac79

SHA256
d95f4146f973077479a2bbbf37e6668f7ed15d14b2bac0a1ef9505c21b86de8d

SHA512
e168edeca851ee1af716909a4c42058cdf137951ba3ef84f0adb6b229da7eaee7f5efae8db707bf31a4563afae74ae466dcc5d7468aac0748f00da168d177079

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\gof4uk1n\gof4uk1n.0.cs
MD5
e8c41bf3708cc4bd505851f38966151a

SHA1
ab943b19fb2e837904c97a3c52309c1f2c20dc9c

SHA256
54dc97b3a24a8137d2b4dcb052b104ffde93bd4a89297ee2fb522fa346bb01e9

SHA512
40a0f9f82cfed1e51feeeda8f790b1bffb5dc7f878fd86fc8bb3fca9d5133383e3d801bdddc97907361712b9bef75062860ab2b9add12188737d8f0418cd4cc4

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\gof4uk1n\gof4uk1n.cmdline
MD5
5a8d89ad04d1975ba4836aae36ab7f68

SHA1
b04a6c0b280f51b18b83f0c37d464343cae91ca8

SHA256
2873014d7c9c2e25f52bbd049a3491b79f50c86d6af662ce07f16196d4a8a36d

SHA512
65a9cfd9077ae3283e05a0b5e7efc8b4722fdfe955a5eb6dcc2c97cb50870dd407775b47ed92f5953c792e976b24c9e4533f4010b03db284a8455e425312fdff

Download Submit
\ProgramData\images.exe
MD5
9af17c8393f0970ee5136bd3ffa27001

SHA1
4b285b72c1a11285a25f31f2597e090da6bbc049

SHA256
71d6a7a3fe5f8dc878cd5bdeca0e09177efb85c01e9a8a10a95262cabefaa019

SHA512
b90f7de7d5ce72dccb264c7ba609e173c529b9d99ed9a63f88632bc58b1a994bbb727365f519c73b979f8918bd6de3c39a9f0347eb3a4bccdce4b2772a6516a3

Download Submit
memory/268-4-0x0000000073E80000-0x000000007456E000-memory.dmp

Filesize
6.9MB

Download
memory/268-18-0x000000000A1E0000-0x000000000A1E1000-memory.dmp

Filesize
4KB

Download
memory/268-25-0x000000000A290000-0x000000000A291000-memory.dmp

Filesize
4KB

Download
memory/268-26-0x000000000A320000-0x000000000A321000-memory.dmp

Filesize
4KB

Download
memory/268-3-0x0000000000000000-mapping.dmp

Download
memory/268-12-0x00000000056F0000-0x00000000056F1000-memory.dmp

Filesize
4KB

Download
memory/268-8-0x0000000005240000-0x0000000005241000-memory.dmp

Filesize
4KB

Download
memory/268-34-0x000000000A450000-0x000000000A451000-memory.dmp

Filesize
4KB

Download
memory/268-7-0x0000000001050000-0x0000000001051000-memory.dmp

Filesize
4KB

Download
memory/268-6-0x0000000004890000-0x0000000004891000-memory.dmp

Filesize
4KB

Download
memory/268-5-0x0000000000CD0000-0x0000000000CD1000-memory.dmp

Filesize
4KB

Download
memory/268-17-0x0000000005680000-0x0000000005681000-memory.dmp

Filesize
4KB

Download
memory/944-30-0x0000000000000000-mapping.dmp

Download
memory/1076-37-0x0000000000400000-0x0000000000554000-memory.dmp

Filesize
1.3MB

Download
memory/1076-35-0x0000000000400000-0x0000000000554000-memory.dmp

Filesize
1.3MB

Download
memory/1076-36-0x0000000000405CE2-mapping.dmp

Download
memory/1604-39-0x0000000000000000-mapping.dmp

Download
memory/1604-43-0x0000000000F50000-0x0000000000F51000-memory.dmp

Filesize
4KB

Download
memory/1604-42-0x0000000074840000-0x0000000074F2E000-memory.dmp

Filesize
6.9MB

Download
memory/1696-2-0x000007FEF6500000-0x000007FEF677A000-memory.dmp

Filesize
2.5MB

Download
memory/1808-27-0x0000000000000000-mapping.dmp

Download