warzonerat | 8186a0a03d0def9de9dce80543f12336eb276a7404e9da4680c170cfdd58b03d

Analysis

max time kernel
25s
max time network
17s
platform
windows7_x64
resource
win7v20201028
submitted
16-01-2021 07:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fa1bf2c3e92bf67c61bd482b3b4e20e9.exe
Size

847KB
MD5

fa1bf2c3e92bf67c61bd482b3b4e20e9
SHA1

d0f8938c1249fca3eb5d0ecb76a21bcfc3cd5bb4
SHA256

8186a0a03d0def9de9dce80543f12336eb276a7404e9da4680c170cfdd58b03d
SHA512

47d9a06b14652ed54dfa0cfa09b6a918537dbb3fed10ed14a313b94f66b9dbcd15d3c4cf13aa0f6b5bb3292ae91ecef4d0a4de8061af29e5a18db4bc9c3c29fd

Score

10^/10

warzonerat infostealer persistence rat

Malware Config

Extracted

Family

warzonerat

79.134.225.23:5200

Signatures

WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
rat infostealer warzonerat

Warzone RAT Payload 3 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/1348-35-0x0000000000400000-0x0000000000554000-memory.dmp	warzonerat
behavioral1/memory/1348-36-0x0000000000405CE2-mapping.dmp	warzonerat
behavioral1/memory/1348-37-0x0000000000400000-0x0000000000554000-memory.dmp	warzonerat

Executes dropped EXE 1 IoCs

Processes:

images.exe

pid process

1092 images.exe
Loads dropped DLL 1 IoCs

Processes:

MSBuild.exe

pid process

1348 MSBuild.exe

pid	process
1092	images.exe

pid	process
1348	MSBuild.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

MSBuild.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Images = "C:\\ProgramData\\images.exe"	MSBuild.exe

Drops file in System32 directory 1 IoCs

Processes:

powershell.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

powershell.exe

description pid process target process

PID 760 set thread context of 1348 760 powershell.exe MSBuild.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

powershell.exe

pid process

760 powershell.exe
760 powershell.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

powershell.exe

description pid process

Token: SeDebugPrivilege 760 powershell.exe

description	pid	process	target process
PID 760 set thread context of 1348	760	powershell.exe	MSBuild.exe

pid	process
760	powershell.exe
760	powershell.exe

description	pid	process
Token: SeDebugPrivilege	760	powershell.exe

Suspicious use of FindShellTrayWindow 18 IoCs

Processes:

fa1bf2c3e92bf67c61bd482b3b4e20e9.exe

pid	process
1740	fa1bf2c3e92bf67c61bd482b3b4e20e9.exe
1740	fa1bf2c3e92bf67c61bd482b3b4e20e9.exe
1740	fa1bf2c3e92bf67c61bd482b3b4e20e9.exe
1740	fa1bf2c3e92bf67c61bd482b3b4e20e9.exe
1740	fa1bf2c3e92bf67c61bd482b3b4e20e9.exe
1740	fa1bf2c3e92bf67c61bd482b3b4e20e9.exe
1740	fa1bf2c3e92bf67c61bd482b3b4e20e9.exe
1740	fa1bf2c3e92bf67c61bd482b3b4e20e9.exe
1740	fa1bf2c3e92bf67c61bd482b3b4e20e9.exe
1740	fa1bf2c3e92bf67c61bd482b3b4e20e9.exe
1740	fa1bf2c3e92bf67c61bd482b3b4e20e9.exe
1740	fa1bf2c3e92bf67c61bd482b3b4e20e9.exe
1740	fa1bf2c3e92bf67c61bd482b3b4e20e9.exe
1740	fa1bf2c3e92bf67c61bd482b3b4e20e9.exe
1740	fa1bf2c3e92bf67c61bd482b3b4e20e9.exe
1740	fa1bf2c3e92bf67c61bd482b3b4e20e9.exe
1740	fa1bf2c3e92bf67c61bd482b3b4e20e9.exe
1740	fa1bf2c3e92bf67c61bd482b3b4e20e9.exe

Suspicious use of SendNotifyMessage 18 IoCs

Processes:

fa1bf2c3e92bf67c61bd482b3b4e20e9.exe

pid	process
1740	fa1bf2c3e92bf67c61bd482b3b4e20e9.exe
1740	fa1bf2c3e92bf67c61bd482b3b4e20e9.exe
1740	fa1bf2c3e92bf67c61bd482b3b4e20e9.exe
1740	fa1bf2c3e92bf67c61bd482b3b4e20e9.exe
1740	fa1bf2c3e92bf67c61bd482b3b4e20e9.exe
1740	fa1bf2c3e92bf67c61bd482b3b4e20e9.exe
1740	fa1bf2c3e92bf67c61bd482b3b4e20e9.exe
1740	fa1bf2c3e92bf67c61bd482b3b4e20e9.exe
1740	fa1bf2c3e92bf67c61bd482b3b4e20e9.exe
1740	fa1bf2c3e92bf67c61bd482b3b4e20e9.exe
1740	fa1bf2c3e92bf67c61bd482b3b4e20e9.exe
1740	fa1bf2c3e92bf67c61bd482b3b4e20e9.exe
1740	fa1bf2c3e92bf67c61bd482b3b4e20e9.exe
1740	fa1bf2c3e92bf67c61bd482b3b4e20e9.exe
1740	fa1bf2c3e92bf67c61bd482b3b4e20e9.exe
1740	fa1bf2c3e92bf67c61bd482b3b4e20e9.exe
1740	fa1bf2c3e92bf67c61bd482b3b4e20e9.exe
1740	fa1bf2c3e92bf67c61bd482b3b4e20e9.exe

Suspicious use of WriteProcessMemory 28 IoCs

Processes:

fa1bf2c3e92bf67c61bd482b3b4e20e9.exepowershell.execsc.exeMSBuild.exe

description	pid	process	target process
PID 1740 wrote to memory of 760	1740	fa1bf2c3e92bf67c61bd482b3b4e20e9.exe	powershell.exe
PID 1740 wrote to memory of 760	1740	fa1bf2c3e92bf67c61bd482b3b4e20e9.exe	powershell.exe
PID 1740 wrote to memory of 760	1740	fa1bf2c3e92bf67c61bd482b3b4e20e9.exe	powershell.exe
PID 1740 wrote to memory of 760	1740	fa1bf2c3e92bf67c61bd482b3b4e20e9.exe	powershell.exe
PID 760 wrote to memory of 516	760	powershell.exe	csc.exe
PID 760 wrote to memory of 516	760	powershell.exe	csc.exe
PID 760 wrote to memory of 516	760	powershell.exe	csc.exe
PID 760 wrote to memory of 516	760	powershell.exe	csc.exe
PID 516 wrote to memory of 1564	516	csc.exe	cvtres.exe
PID 516 wrote to memory of 1564	516	csc.exe	cvtres.exe
PID 516 wrote to memory of 1564	516	csc.exe	cvtres.exe
PID 516 wrote to memory of 1564	516	csc.exe	cvtres.exe
PID 760 wrote to memory of 1348	760	powershell.exe	MSBuild.exe
PID 760 wrote to memory of 1348	760	powershell.exe	MSBuild.exe
PID 760 wrote to memory of 1348	760	powershell.exe	MSBuild.exe
PID 760 wrote to memory of 1348	760	powershell.exe	MSBuild.exe
PID 760 wrote to memory of 1348	760	powershell.exe	MSBuild.exe
PID 760 wrote to memory of 1348	760	powershell.exe	MSBuild.exe
PID 760 wrote to memory of 1348	760	powershell.exe	MSBuild.exe
PID 760 wrote to memory of 1348	760	powershell.exe	MSBuild.exe
PID 760 wrote to memory of 1348	760	powershell.exe	MSBuild.exe
PID 760 wrote to memory of 1348	760	powershell.exe	MSBuild.exe
PID 760 wrote to memory of 1348	760	powershell.exe	MSBuild.exe
PID 760 wrote to memory of 1348	760	powershell.exe	MSBuild.exe
PID 1348 wrote to memory of 1092	1348	MSBuild.exe	images.exe
PID 1348 wrote to memory of 1092	1348	MSBuild.exe	images.exe
PID 1348 wrote to memory of 1092	1348	MSBuild.exe	images.exe
PID 1348 wrote to memory of 1092	1348	MSBuild.exe	images.exe

C:\Users\Admin\AppData\Local\Temp\fa1bf2c3e92bf67c61bd482b3b4e20e9.exe
"C:\Users\Admin\AppData\Local\Temp\fa1bf2c3e92bf67c61bd482b3b4e20e9.exe"
1⤵
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1740

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -executionpolicy bypass C:\Users\Admin\AppData\Local\Temp\hrructiRk.ps1
2⤵
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:760

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\ixbingm5\ixbingm5.cmdline"
3⤵
- Suspicious use of WriteProcessMemory
PID:516

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4653.tmp" "c:\Users\Admin\AppData\Local\Temp\ixbingm5\CSCBC857D34EFF342969CFA8435CFA4491.TMP"
4⤵
PID:1564

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
3⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1348

C:\ProgramData\images.exe
"C:\ProgramData\images.exe"
4⤵
- Executes dropped EXE
PID:1092

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\images.exe
MD5
9af17c8393f0970ee5136bd3ffa27001

SHA1
4b285b72c1a11285a25f31f2597e090da6bbc049

SHA256
71d6a7a3fe5f8dc878cd5bdeca0e09177efb85c01e9a8a10a95262cabefaa019

SHA512
b90f7de7d5ce72dccb264c7ba609e173c529b9d99ed9a63f88632bc58b1a994bbb727365f519c73b979f8918bd6de3c39a9f0347eb3a4bccdce4b2772a6516a3

Download Submit
C:\ProgramData\images.exe
MD5
9af17c8393f0970ee5136bd3ffa27001

SHA1
4b285b72c1a11285a25f31f2597e090da6bbc049

SHA256
71d6a7a3fe5f8dc878cd5bdeca0e09177efb85c01e9a8a10a95262cabefaa019

SHA512
b90f7de7d5ce72dccb264c7ba609e173c529b9d99ed9a63f88632bc58b1a994bbb727365f519c73b979f8918bd6de3c39a9f0347eb3a4bccdce4b2772a6516a3

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES4653.tmp
MD5
bbdf5c30e9bc93d37b8c0f48e0b1adba

SHA1
01aad3014964b6e1b7b3dd7434d2c68351bf80a6

SHA256
b46198a692246be4abb35902169271f36f065afb943937b31c13dcb68e644277

SHA512
1f05184e12fb8a9bbbe6af5b968fc7c64210c85e28a4c063979bc36024cfda2670c97f66c3e16d0642fa98aeac662589bcb8fc77f75f0c318473c83e78533a39

Download Submit
C:\Users\Admin\AppData\Local\Temp\hrructiRk.ps1
MD5
4756913fe47c2d12e5cc12bd27925afb

SHA1
b6d8060008e27091b794ddd39b7b6aa2fc907d0c

SHA256
0adf93292bc449eab420a088740f62f9e73d00ffc4ce8f8f33c3a05f17fe2629

SHA512
20af4bc153c56c66ed46a8b129fd822769eddfe6e812e7999aeb522d5d6363bccb088dbd69e585d755fa69c9678eedf0e619f1a3c81dbf1c3d326b6016c773b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\ixbingm5\ixbingm5.dll
MD5
1d8b04fdc6ed4aab58f18c8fd3e9447c

SHA1
781ebaa51ab7ce68f9303fb0a46c5a16860f6d86

SHA256
389e45f16d36f587ef70dd31e2a935929022f1bf9bbdd27c7fba40630e2c7d4f

SHA512
da8bbc0f1cbd36d13f04a85fa26b6aeaab9bee8610e0e0aff181432500c1dc5892937db5bf035678c96eb6257cda21695b1b754b5a8d97698b1698cfad3516d0

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\ixbingm5\CSCBC857D34EFF342969CFA8435CFA4491.TMP
MD5
09f8bd357fe76c67f35c54449514562b

SHA1
39ab27779cff2f6153f637d9c8c69e2cbc5116ee

SHA256
d0e931cf005ea085c4c9db53b4ebe73d6eb24f9c4c96b9dca88ac94f4da91080

SHA512
926f2b55d798c21d368d4900f7015de31eea2011c05a5f6174eaf6c2f22b5393b233566af030aac257fb3ed72c6dac66890d88791724bc0e492f2646c7b245b8

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\ixbingm5\ixbingm5.0.cs
MD5
e8c41bf3708cc4bd505851f38966151a

SHA1
ab943b19fb2e837904c97a3c52309c1f2c20dc9c

SHA256
54dc97b3a24a8137d2b4dcb052b104ffde93bd4a89297ee2fb522fa346bb01e9

SHA512
40a0f9f82cfed1e51feeeda8f790b1bffb5dc7f878fd86fc8bb3fca9d5133383e3d801bdddc97907361712b9bef75062860ab2b9add12188737d8f0418cd4cc4

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\ixbingm5\ixbingm5.cmdline
MD5
6f4f2eded0a743b873c5110b93734acd

SHA1
6c8169826e3f114cb1dd37c4a15dc32a72101bf2

SHA256
1c71414fc63696f112c4bbce5987ed23be3ef4fdedb870fd6d8c942fc0171e62

SHA512
d9395e10aab688915ecdff4b1fa9915f3dfe079ee4d6e0bc7ed73eb7ee57adc60bdd9eb77fec9daf3e29952b3f985abec53bd62f84fc3bfb64f284aacbb9ac15

Download Submit
\ProgramData\images.exe
MD5
9af17c8393f0970ee5136bd3ffa27001

SHA1
4b285b72c1a11285a25f31f2597e090da6bbc049

SHA256
71d6a7a3fe5f8dc878cd5bdeca0e09177efb85c01e9a8a10a95262cabefaa019

SHA512
b90f7de7d5ce72dccb264c7ba609e173c529b9d99ed9a63f88632bc58b1a994bbb727365f519c73b979f8918bd6de3c39a9f0347eb3a4bccdce4b2772a6516a3

Download Submit
memory/516-27-0x0000000000000000-mapping.dmp

Download
memory/760-7-0x0000000001110000-0x0000000001111000-memory.dmp

Filesize
4KB

Download
memory/760-5-0x0000000000570000-0x0000000000571000-memory.dmp

Filesize
4KB

Download
memory/760-26-0x000000000A300000-0x000000000A301000-memory.dmp

Filesize
4KB

Download
memory/760-18-0x000000000A100000-0x000000000A101000-memory.dmp

Filesize
4KB

Download
memory/760-12-0x00000000056C0000-0x00000000056C1000-memory.dmp

Filesize
4KB

Download
memory/760-8-0x0000000004980000-0x0000000004981000-memory.dmp

Filesize
4KB

Download
memory/760-17-0x0000000005700000-0x0000000005701000-memory.dmp

Filesize
4KB

Download
memory/760-6-0x0000000004AD0000-0x0000000004AD1000-memory.dmp

Filesize
4KB

Download
memory/760-3-0x0000000000000000-mapping.dmp

Download
memory/760-34-0x000000000A450000-0x000000000A451000-memory.dmp

Filesize
4KB

Download
memory/760-25-0x000000000A250000-0x000000000A251000-memory.dmp

Filesize
4KB

Download
memory/760-4-0x0000000073DF0000-0x00000000744DE000-memory.dmp

Filesize
6.9MB

Download
memory/1092-42-0x00000000741A0000-0x000000007488E000-memory.dmp

Filesize
6.9MB

Download
memory/1092-43-0x00000000009A0000-0x00000000009A1000-memory.dmp

Filesize
4KB

Download
memory/1092-39-0x0000000000000000-mapping.dmp

Download
memory/1348-37-0x0000000000400000-0x0000000000554000-memory.dmp

Filesize
1.3MB

Download
memory/1348-36-0x0000000000405CE2-mapping.dmp

Download
memory/1348-35-0x0000000000400000-0x0000000000554000-memory.dmp

Filesize
1.3MB

Download
memory/1564-30-0x0000000000000000-mapping.dmp

Download
memory/1748-2-0x000007FEF7730000-0x000007FEF79AA000-memory.dmp

Filesize
2.5MB

Download