warzonerat | 9cc2f25b4bf0e3d246f8af3ea7ffa49a84824ff1e263ae66afe76365072f817c

General

Target

Failed Delivery Logs.scr
Size

192KB
MD5

c782821f3ea22873c247ed3524335b2a
SHA1

83295352f00b346f15b7856ee89d24b1ab84dd95
SHA256

9cc2f25b4bf0e3d246f8af3ea7ffa49a84824ff1e263ae66afe76365072f817c
SHA512

be84f8c79b93329ea927505d11f9fe6249b7230c1e9bf54a4e15f2d08b6eed21ed3f57e7c588449b16dc6d57b4a1ce3e372d27d35f7c4ecbf5c9756926caa5b5

Score

10^/10

warzonerat infostealer persistence rat

Malware Config

Extracted

Family

warzonerat

C2

iphanyi.mywire.org:5552

Signatures

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

Failed Delivery Logs.scrimages.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "\"C:\\Users\\Admin\\AppData\\Roaming\\IntelGraphics\\Z0uvLhwCZ8sr.exe\",explorer.exe"	Failed Delivery Logs.scr
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "\"C:\\Users\\Admin\\AppData\\Roaming\\IntelGraphics\\MmFKs5gcQnKW.exe\" \"C:\\Users\\Admin\\AppData\\Roaming\\IntelGraphics\\Z0uvLhwCZ8sr.exe\",explorer.exe"	images.exe

WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
rat infostealer warzonerat

Warzone RAT Payload 2 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/912-5-0x000000007EE40000-0x000000007EF94000-memory.dmp	warzonerat
behavioral1/memory/608-14-0x000000007EE40000-0x000000007EF94000-memory.dmp	warzonerat

Executes dropped EXE 1 IoCs

Processes:

images.exe

pid process

608 images.exe

pid	process
608	images.exe

Drops startup file 2 IoCs

Processes:

Failed Delivery Logs.scr

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\programs.bat:start	Failed Delivery Logs.scr
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\programs.bat	Failed Delivery Logs.scr

Loads dropped DLL 1 IoCs

Processes:

Failed Delivery Logs.scr

pid process

912 Failed Delivery Logs.scr

pid	process
912	Failed Delivery Logs.scr

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

Failed Delivery Logs.scr

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Images = "C:\\ProgramData\\images.exe"	Failed Delivery Logs.scr

NTFS ADS 1 IoCs

Processes:

Failed Delivery Logs.scr

description ioc process

File created C:\ProgramData:ApplicationData Failed Delivery Logs.scr
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

Failed Delivery Logs.scrimages.exe

description pid process

Token: SeDebugPrivilege 912 Failed Delivery Logs.scr
Token: SeDebugPrivilege 608 images.exe

description	ioc	process
File created	C:\ProgramData:ApplicationData	Failed Delivery Logs.scr

description	pid	process
Token: SeDebugPrivilege	912	Failed Delivery Logs.scr
Token: SeDebugPrivilege	608	images.exe

Suspicious use of WriteProcessMemory 10 IoCs

Processes:

Failed Delivery Logs.scrimages.exe

description	pid	process	target process
PID 912 wrote to memory of 608	912	Failed Delivery Logs.scr	images.exe
PID 912 wrote to memory of 608	912	Failed Delivery Logs.scr	images.exe
PID 912 wrote to memory of 608	912	Failed Delivery Logs.scr	images.exe
PID 912 wrote to memory of 608	912	Failed Delivery Logs.scr	images.exe
PID 608 wrote to memory of 764	608	images.exe	cmd.exe
PID 608 wrote to memory of 764	608	images.exe	cmd.exe
PID 608 wrote to memory of 764	608	images.exe	cmd.exe
PID 608 wrote to memory of 764	608	images.exe	cmd.exe
PID 608 wrote to memory of 764	608	images.exe	cmd.exe
PID 608 wrote to memory of 764	608	images.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\Failed Delivery Logs.scr
"C:\Users\Admin\AppData\Local\Temp\Failed Delivery Logs.scr" /S
1⤵
- Modifies WinLogon for persistence
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- NTFS ADS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:912

C:\ProgramData\images.exe
"C:\ProgramData\images.exe"
2⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:608

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe"
3⤵
PID:764

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

1

T1004

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\ProgramData\images.exe
MD5
c782821f3ea22873c247ed3524335b2a

SHA1
83295352f00b346f15b7856ee89d24b1ab84dd95

SHA256
9cc2f25b4bf0e3d246f8af3ea7ffa49a84824ff1e263ae66afe76365072f817c

SHA512
be84f8c79b93329ea927505d11f9fe6249b7230c1e9bf54a4e15f2d08b6eed21ed3f57e7c588449b16dc6d57b4a1ce3e372d27d35f7c4ecbf5c9756926caa5b5

Download Submit
C:\ProgramData\images.exe
MD5
c782821f3ea22873c247ed3524335b2a

SHA1
83295352f00b346f15b7856ee89d24b1ab84dd95

SHA256
9cc2f25b4bf0e3d246f8af3ea7ffa49a84824ff1e263ae66afe76365072f817c

SHA512
be84f8c79b93329ea927505d11f9fe6249b7230c1e9bf54a4e15f2d08b6eed21ed3f57e7c588449b16dc6d57b4a1ce3e372d27d35f7c4ecbf5c9756926caa5b5

Download Submit
\ProgramData\images.exe
MD5
c782821f3ea22873c247ed3524335b2a

SHA1
83295352f00b346f15b7856ee89d24b1ab84dd95

SHA256
9cc2f25b4bf0e3d246f8af3ea7ffa49a84824ff1e263ae66afe76365072f817c

SHA512
be84f8c79b93329ea927505d11f9fe6249b7230c1e9bf54a4e15f2d08b6eed21ed3f57e7c588449b16dc6d57b4a1ce3e372d27d35f7c4ecbf5c9756926caa5b5

Download Submit
memory/608-12-0x0000000000300000-0x0000000000301000-memory.dmp

Filesize
4KB

Download
memory/608-7-0x0000000000000000-mapping.dmp

Download
memory/608-14-0x000000007EE40000-0x000000007EF94000-memory.dmp

Filesize
1.3MB

Download
memory/764-15-0x0000000000000000-mapping.dmp

Download
memory/764-16-0x0000000000130000-0x0000000000131000-memory.dmp

Filesize
4KB

Download
memory/912-5-0x000000007EE40000-0x000000007EF94000-memory.dmp

Filesize
1.3MB

Download
memory/912-4-0x000000007EFA0000-0x000000007EFA1000-memory.dmp

Filesize
4KB

Download
memory/912-3-0x0000000000B70000-0x0000000000B71000-memory.dmp

Filesize
4KB

Download
memory/912-2-0x0000000076381000-0x0000000076383000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads