warzonerat | 10de29d6ca34f4ba474a432588dcab2d09356fb4b3a323075c04c81c45200095

General

Target

c1ad9cbcb7bad8a5ae3f13752bab68a1.exe
Size

847KB
MD5

c1ad9cbcb7bad8a5ae3f13752bab68a1
SHA1

114ebd72632913e4641b03d9e7eed01f1c0362e8
SHA256

10de29d6ca34f4ba474a432588dcab2d09356fb4b3a323075c04c81c45200095
SHA512

f284b853f83ec1e44983f889ae6e15f1b086d4d009115865c05e72a1543b1140ac0dc3d6a5a2b4384c9e98bad74e61dcf836378a7200747d97c6ff5231a519ab

Score

10^/10

warzonerat infostealer persistence rat

Malware Config

Extracted

Family

warzonerat

C2

23.105.131.198:5300

Signatures

WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
rat infostealer warzonerat

Warzone RAT Payload 3 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/928-25-0x0000000000405CE2-mapping.dmp	warzonerat
behavioral2/memory/928-24-0x0000000000400000-0x0000000000554000-memory.dmp	warzonerat
behavioral2/memory/928-26-0x0000000000400000-0x0000000000554000-memory.dmp	warzonerat

Executes dropped EXE 1 IoCs

Processes:

images.exe

pid process

68 images.exe

pid	process
68	images.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

MSBuild.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Images = "C:\\ProgramData\\images.exe"	MSBuild.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

powershell.exe

description pid process target process

PID 2292 set thread context of 928 2292 powershell.exe MSBuild.exe
Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

powershell.exe

pid process

2292 powershell.exe
2292 powershell.exe
2292 powershell.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

powershell.exe

description pid process

Token: SeDebugPrivilege 2292 powershell.exe

description	pid	process	target process
PID 2292 set thread context of 928	2292	powershell.exe	MSBuild.exe

pid	process
2292	powershell.exe
2292	powershell.exe
2292	powershell.exe

description	pid	process
Token: SeDebugPrivilege	2292	powershell.exe

Suspicious use of FindShellTrayWindow 24 IoCs

Processes:

c1ad9cbcb7bad8a5ae3f13752bab68a1.exe

pid	process
1404	c1ad9cbcb7bad8a5ae3f13752bab68a1.exe
1404	c1ad9cbcb7bad8a5ae3f13752bab68a1.exe
1404	c1ad9cbcb7bad8a5ae3f13752bab68a1.exe
1404	c1ad9cbcb7bad8a5ae3f13752bab68a1.exe
1404	c1ad9cbcb7bad8a5ae3f13752bab68a1.exe
1404	c1ad9cbcb7bad8a5ae3f13752bab68a1.exe
1404	c1ad9cbcb7bad8a5ae3f13752bab68a1.exe
1404	c1ad9cbcb7bad8a5ae3f13752bab68a1.exe
1404	c1ad9cbcb7bad8a5ae3f13752bab68a1.exe
1404	c1ad9cbcb7bad8a5ae3f13752bab68a1.exe
1404	c1ad9cbcb7bad8a5ae3f13752bab68a1.exe
1404	c1ad9cbcb7bad8a5ae3f13752bab68a1.exe
1404	c1ad9cbcb7bad8a5ae3f13752bab68a1.exe
1404	c1ad9cbcb7bad8a5ae3f13752bab68a1.exe
1404	c1ad9cbcb7bad8a5ae3f13752bab68a1.exe
1404	c1ad9cbcb7bad8a5ae3f13752bab68a1.exe
1404	c1ad9cbcb7bad8a5ae3f13752bab68a1.exe
1404	c1ad9cbcb7bad8a5ae3f13752bab68a1.exe
1404	c1ad9cbcb7bad8a5ae3f13752bab68a1.exe
1404	c1ad9cbcb7bad8a5ae3f13752bab68a1.exe
1404	c1ad9cbcb7bad8a5ae3f13752bab68a1.exe
1404	c1ad9cbcb7bad8a5ae3f13752bab68a1.exe
1404	c1ad9cbcb7bad8a5ae3f13752bab68a1.exe
1404	c1ad9cbcb7bad8a5ae3f13752bab68a1.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

c1ad9cbcb7bad8a5ae3f13752bab68a1.exe

pid	process
1404	c1ad9cbcb7bad8a5ae3f13752bab68a1.exe
1404	c1ad9cbcb7bad8a5ae3f13752bab68a1.exe
1404	c1ad9cbcb7bad8a5ae3f13752bab68a1.exe
1404	c1ad9cbcb7bad8a5ae3f13752bab68a1.exe
1404	c1ad9cbcb7bad8a5ae3f13752bab68a1.exe
1404	c1ad9cbcb7bad8a5ae3f13752bab68a1.exe
1404	c1ad9cbcb7bad8a5ae3f13752bab68a1.exe
1404	c1ad9cbcb7bad8a5ae3f13752bab68a1.exe
1404	c1ad9cbcb7bad8a5ae3f13752bab68a1.exe
1404	c1ad9cbcb7bad8a5ae3f13752bab68a1.exe
1404	c1ad9cbcb7bad8a5ae3f13752bab68a1.exe
1404	c1ad9cbcb7bad8a5ae3f13752bab68a1.exe
1404	c1ad9cbcb7bad8a5ae3f13752bab68a1.exe
1404	c1ad9cbcb7bad8a5ae3f13752bab68a1.exe
1404	c1ad9cbcb7bad8a5ae3f13752bab68a1.exe
1404	c1ad9cbcb7bad8a5ae3f13752bab68a1.exe
1404	c1ad9cbcb7bad8a5ae3f13752bab68a1.exe
1404	c1ad9cbcb7bad8a5ae3f13752bab68a1.exe
1404	c1ad9cbcb7bad8a5ae3f13752bab68a1.exe
1404	c1ad9cbcb7bad8a5ae3f13752bab68a1.exe
1404	c1ad9cbcb7bad8a5ae3f13752bab68a1.exe
1404	c1ad9cbcb7bad8a5ae3f13752bab68a1.exe
1404	c1ad9cbcb7bad8a5ae3f13752bab68a1.exe
1404	c1ad9cbcb7bad8a5ae3f13752bab68a1.exe

Suspicious use of WriteProcessMemory 23 IoCs

Processes:

c1ad9cbcb7bad8a5ae3f13752bab68a1.exepowershell.execsc.exeMSBuild.exe

description	pid	process	target process
PID 1404 wrote to memory of 2292	1404	c1ad9cbcb7bad8a5ae3f13752bab68a1.exe	powershell.exe
PID 1404 wrote to memory of 2292	1404	c1ad9cbcb7bad8a5ae3f13752bab68a1.exe	powershell.exe
PID 1404 wrote to memory of 2292	1404	c1ad9cbcb7bad8a5ae3f13752bab68a1.exe	powershell.exe
PID 2292 wrote to memory of 3648	2292	powershell.exe	csc.exe
PID 2292 wrote to memory of 3648	2292	powershell.exe	csc.exe
PID 2292 wrote to memory of 3648	2292	powershell.exe	csc.exe
PID 3648 wrote to memory of 1256	3648	csc.exe	cvtres.exe
PID 3648 wrote to memory of 1256	3648	csc.exe	cvtres.exe
PID 3648 wrote to memory of 1256	3648	csc.exe	cvtres.exe
PID 2292 wrote to memory of 928	2292	powershell.exe	MSBuild.exe
PID 2292 wrote to memory of 928	2292	powershell.exe	MSBuild.exe
PID 2292 wrote to memory of 928	2292	powershell.exe	MSBuild.exe
PID 2292 wrote to memory of 928	2292	powershell.exe	MSBuild.exe
PID 2292 wrote to memory of 928	2292	powershell.exe	MSBuild.exe
PID 2292 wrote to memory of 928	2292	powershell.exe	MSBuild.exe
PID 2292 wrote to memory of 928	2292	powershell.exe	MSBuild.exe
PID 2292 wrote to memory of 928	2292	powershell.exe	MSBuild.exe
PID 2292 wrote to memory of 928	2292	powershell.exe	MSBuild.exe
PID 2292 wrote to memory of 928	2292	powershell.exe	MSBuild.exe
PID 2292 wrote to memory of 928	2292	powershell.exe	MSBuild.exe
PID 928 wrote to memory of 68	928	MSBuild.exe	images.exe
PID 928 wrote to memory of 68	928	MSBuild.exe	images.exe
PID 928 wrote to memory of 68	928	MSBuild.exe	images.exe

C:\Users\Admin\AppData\Local\Temp\c1ad9cbcb7bad8a5ae3f13752bab68a1.exe
"C:\Users\Admin\AppData\Local\Temp\c1ad9cbcb7bad8a5ae3f13752bab68a1.exe"
1⤵
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1404

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -executionpolicy bypass C:\Users\Admin\AppData\Local\Temp\CCMAMjNmw.ps1
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2292

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\j1mgtbwc\j1mgtbwc.cmdline"
3⤵
- Suspicious use of WriteProcessMemory
PID:3648

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESD3C1.tmp" "c:\Users\Admin\AppData\Local\Temp\j1mgtbwc\CSC1F551B8871B64900B12CEE808736D228.TMP"
4⤵
PID:1256

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
3⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:928

C:\ProgramData\images.exe
"C:\ProgramData\images.exe"
4⤵
- Executes dropped EXE
PID:68

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\images.exe
MD5
9af17c8393f0970ee5136bd3ffa27001

SHA1
4b285b72c1a11285a25f31f2597e090da6bbc049

SHA256
71d6a7a3fe5f8dc878cd5bdeca0e09177efb85c01e9a8a10a95262cabefaa019

SHA512
b90f7de7d5ce72dccb264c7ba609e173c529b9d99ed9a63f88632bc58b1a994bbb727365f519c73b979f8918bd6de3c39a9f0347eb3a4bccdce4b2772a6516a3

Download Submit
C:\ProgramData\images.exe
MD5
9af17c8393f0970ee5136bd3ffa27001

SHA1
4b285b72c1a11285a25f31f2597e090da6bbc049

SHA256
71d6a7a3fe5f8dc878cd5bdeca0e09177efb85c01e9a8a10a95262cabefaa019

SHA512
b90f7de7d5ce72dccb264c7ba609e173c529b9d99ed9a63f88632bc58b1a994bbb727365f519c73b979f8918bd6de3c39a9f0347eb3a4bccdce4b2772a6516a3

Download Submit
C:\Users\Admin\AppData\Local\Temp\CCMAMjNmw.ps1
MD5
83f3d6f8e49da8fc978a4715c65372bc

SHA1
bc7622d135688252f922a3cb4aa706a43c13f83d

SHA256
c21bcd976308ad8aa803545c69640829f7325c796fba75ef3d635bd7ffdec89b

SHA512
7622cf82efec91a1de6446c2cf423559f3ffc6e5a5b91e5eebce57502d3d3080496b4859907d8d00247fd23097160471c91a3e15c34d16185a6229ede5124730

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESD3C1.tmp
MD5
a616b90b94cbb6af40cac50821751fe8

SHA1
24979d4b482f2c6ec86fb556f8a693c074da36b1

SHA256
0a18dcbe057220b729aee427193ee721a40207b20f37c75cd478eb56e008f4f1

SHA512
96d94c3a6ef448ddc83e7e9ba89a6a4ca7a933e20ad35af2271587d563ec07341ff9654b590ce871a4c15cc632e134919747b420fcacbdb7045e62f77e94e143

Download Submit
C:\Users\Admin\AppData\Local\Temp\j1mgtbwc\j1mgtbwc.dll
MD5
fead5c4ebfe803504e09e6816e8062cf

SHA1
8f7f1e007f151f58a1c6f24e323613ee3ffbab26

SHA256
7307f82465cb4dc5162e983f7c9d56f92f3e64f07b2e2a93b9301d156c0a6e79

SHA512
91759fe7dd4c9e6236a300d1edbbb225f829ddfad3e61e6917f35bbbb26f1a5b97d52ba49c4725eb6de9f38090b8daa8a881d0284f57edada5207fc3bdefbe2f

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\j1mgtbwc\CSC1F551B8871B64900B12CEE808736D228.TMP
MD5
5f510a936ddb062e1dfcfbf4b3048658

SHA1
1d613c01e1512e292897291bd73dc88b1686a726

SHA256
a308d649bd866e8a69aabddcf0e84d75074b1b467b143a8265691d4b3a413be9

SHA512
dab7f30102c66209476053bdaff5b26ade9b17654be7ca0f280f47a21d240ae3007c1cfccf8fa082dd75ff915bdfff0712e3dbb996c6de1ff60b8aec9374fd9d

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\j1mgtbwc\j1mgtbwc.0.cs
MD5
e8c41bf3708cc4bd505851f38966151a

SHA1
ab943b19fb2e837904c97a3c52309c1f2c20dc9c

SHA256
54dc97b3a24a8137d2b4dcb052b104ffde93bd4a89297ee2fb522fa346bb01e9

SHA512
40a0f9f82cfed1e51feeeda8f790b1bffb5dc7f878fd86fc8bb3fca9d5133383e3d801bdddc97907361712b9bef75062860ab2b9add12188737d8f0418cd4cc4

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\j1mgtbwc\j1mgtbwc.cmdline
MD5
f1a3dfa4461f97c1040cc8d5bc41b705

SHA1
e202322cbed04bf5c4535b690011fdd19e801b1f

SHA256
a201c08dc6736f18925a7083a3428c9104b4e8f6bca7e523cf3f4d7a5d26dd55

SHA512
3c3a755eb1c12102fee41013bcb56b47ec663550ead205e63011516a1ca1500a28d5ee43ed71e1bc0a11d00c75e082c9bbd19201e921ef99585ac861a04bed7a

Download Submit
memory/68-31-0x00000000000E0000-0x00000000000E1000-memory.dmp

Filesize
4KB

Download
memory/68-27-0x0000000000000000-mapping.dmp

Download
memory/68-30-0x0000000073590000-0x0000000073C7E000-memory.dmp

Filesize
6.9MB

Download
memory/68-32-0x0000000000AD0000-0x0000000000AD1000-memory.dmp

Filesize
4KB

Download
memory/68-33-0x0000000004C00000-0x0000000004C01000-memory.dmp

Filesize
4KB

Download
memory/928-26-0x0000000000400000-0x0000000000554000-memory.dmp

Filesize
1.3MB

Download
memory/928-24-0x0000000000400000-0x0000000000554000-memory.dmp

Filesize
1.3MB

Download
memory/928-25-0x0000000000405CE2-mapping.dmp

Download
memory/1256-19-0x0000000000000000-mapping.dmp

Download
memory/2292-11-0x0000000008080000-0x0000000008081000-memory.dmp

Filesize
4KB

Download
memory/2292-2-0x0000000000000000-mapping.dmp

Download
memory/2292-12-0x0000000007EA0000-0x0000000007EA1000-memory.dmp

Filesize
4KB

Download
memory/2292-23-0x0000000007B70000-0x0000000007B71000-memory.dmp

Filesize
4KB

Download
memory/2292-10-0x0000000006A40000-0x0000000006A41000-memory.dmp

Filesize
4KB

Download
memory/2292-14-0x000000000D570000-0x000000000D571000-memory.dmp

Filesize
4KB

Download
memory/2292-15-0x0000000008BE0000-0x0000000008BE1000-memory.dmp

Filesize
4KB

Download
memory/2292-3-0x00000000726B0000-0x0000000072D9E000-memory.dmp

Filesize
6.9MB

Download
memory/2292-9-0x00000000076E0000-0x00000000076E1000-memory.dmp

Filesize
4KB

Download
memory/2292-8-0x0000000007570000-0x0000000007571000-memory.dmp

Filesize
4KB

Download
memory/2292-7-0x0000000007500000-0x0000000007501000-memory.dmp

Filesize
4KB

Download
memory/2292-6-0x0000000006DD0000-0x0000000006DD1000-memory.dmp

Filesize
4KB

Download
memory/2292-5-0x0000000006ED0000-0x0000000006ED1000-memory.dmp

Filesize
4KB

Download
memory/2292-4-0x0000000004370000-0x0000000004371000-memory.dmp

Filesize
4KB

Download
memory/3648-16-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads