warzonerat | 697a598f8ed9e8d8ca308a2472e712420d116e48db95d4a0cd69495242f47e2f

General

Target

f8bb59b31d3c499175097b82261b76c7.exe
Size

889KB
MD5

f8bb59b31d3c499175097b82261b76c7
SHA1

55e04ce47ec557644fd5090c6b8eca08fc40f5ac
SHA256

697a598f8ed9e8d8ca308a2472e712420d116e48db95d4a0cd69495242f47e2f
SHA512

751e84ea0c212714f17fc1e1a3a61bcd86bccf16986ccce7f77452f1f775f539facaa97adbce88b94af784ada6c44747244fd80b3c3262d2a371a83103415cc5

Score

10^/10

warzonerat infostealer rat

Malware Config

Extracted

Family

warzonerat

C2

79.134.225.79:5300

Signatures

WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
rat infostealer warzonerat

Warzone RAT Payload 5 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/400-10-0x0000000000400000-0x0000000000554000-memory.dmp	warzonerat
behavioral1/memory/400-11-0x0000000000405CE2-mapping.dmp	warzonerat
behavioral1/memory/400-13-0x0000000000400000-0x0000000000554000-memory.dmp	warzonerat
behavioral1/memory/824-27-0x0000000000405CE2-mapping.dmp	warzonerat
behavioral1/memory/824-30-0x0000000000400000-0x0000000000554000-memory.dmp	warzonerat

Executes dropped EXE 2 IoCs

Processes:

images.exeimages.exe

pid process

912 images.exe
824 images.exe
Loads dropped DLL 1 IoCs

Processes:

f8bb59b31d3c499175097b82261b76c7.exe

pid process

400 f8bb59b31d3c499175097b82261b76c7.exe

pid	process
912	images.exe
824	images.exe

pid	process
400	f8bb59b31d3c499175097b82261b76c7.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

f8bb59b31d3c499175097b82261b76c7.exeimages.exe

description	pid	process	target process
PID 1684 set thread context of 400	1684	f8bb59b31d3c499175097b82261b76c7.exe	f8bb59b31d3c499175097b82261b76c7.exe
PID 912 set thread context of 824	912	images.exe	images.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exe

pid process

1188 schtasks.exe
568 schtasks.exe

pid	process
1188	schtasks.exe
568	schtasks.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

f8bb59b31d3c499175097b82261b76c7.exeimages.exe

pid	process
1684	f8bb59b31d3c499175097b82261b76c7.exe
1684	f8bb59b31d3c499175097b82261b76c7.exe
1684	f8bb59b31d3c499175097b82261b76c7.exe
1684	f8bb59b31d3c499175097b82261b76c7.exe
1684	f8bb59b31d3c499175097b82261b76c7.exe
912	images.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

f8bb59b31d3c499175097b82261b76c7.exeimages.exe

description pid process

Token: SeDebugPrivilege 1684 f8bb59b31d3c499175097b82261b76c7.exe
Token: SeDebugPrivilege 912 images.exe

description	pid	process
Token: SeDebugPrivilege	1684	f8bb59b31d3c499175097b82261b76c7.exe
Token: SeDebugPrivilege	912	images.exe

Suspicious use of WriteProcessMemory 44 IoCs

Processes:

f8bb59b31d3c499175097b82261b76c7.exef8bb59b31d3c499175097b82261b76c7.exeimages.exe

description	pid	process	target process
PID 1684 wrote to memory of 1188	1684	f8bb59b31d3c499175097b82261b76c7.exe	schtasks.exe
PID 1684 wrote to memory of 1188	1684	f8bb59b31d3c499175097b82261b76c7.exe	schtasks.exe
PID 1684 wrote to memory of 1188	1684	f8bb59b31d3c499175097b82261b76c7.exe	schtasks.exe
PID 1684 wrote to memory of 1188	1684	f8bb59b31d3c499175097b82261b76c7.exe	schtasks.exe
PID 1684 wrote to memory of 1596	1684	f8bb59b31d3c499175097b82261b76c7.exe	f8bb59b31d3c499175097b82261b76c7.exe
PID 1684 wrote to memory of 1596	1684	f8bb59b31d3c499175097b82261b76c7.exe	f8bb59b31d3c499175097b82261b76c7.exe
PID 1684 wrote to memory of 1596	1684	f8bb59b31d3c499175097b82261b76c7.exe	f8bb59b31d3c499175097b82261b76c7.exe
PID 1684 wrote to memory of 1596	1684	f8bb59b31d3c499175097b82261b76c7.exe	f8bb59b31d3c499175097b82261b76c7.exe
PID 1684 wrote to memory of 528	1684	f8bb59b31d3c499175097b82261b76c7.exe	f8bb59b31d3c499175097b82261b76c7.exe
PID 1684 wrote to memory of 528	1684	f8bb59b31d3c499175097b82261b76c7.exe	f8bb59b31d3c499175097b82261b76c7.exe
PID 1684 wrote to memory of 528	1684	f8bb59b31d3c499175097b82261b76c7.exe	f8bb59b31d3c499175097b82261b76c7.exe
PID 1684 wrote to memory of 528	1684	f8bb59b31d3c499175097b82261b76c7.exe	f8bb59b31d3c499175097b82261b76c7.exe
PID 1684 wrote to memory of 400	1684	f8bb59b31d3c499175097b82261b76c7.exe	f8bb59b31d3c499175097b82261b76c7.exe
PID 1684 wrote to memory of 400	1684	f8bb59b31d3c499175097b82261b76c7.exe	f8bb59b31d3c499175097b82261b76c7.exe
PID 1684 wrote to memory of 400	1684	f8bb59b31d3c499175097b82261b76c7.exe	f8bb59b31d3c499175097b82261b76c7.exe
PID 1684 wrote to memory of 400	1684	f8bb59b31d3c499175097b82261b76c7.exe	f8bb59b31d3c499175097b82261b76c7.exe
PID 1684 wrote to memory of 400	1684	f8bb59b31d3c499175097b82261b76c7.exe	f8bb59b31d3c499175097b82261b76c7.exe
PID 1684 wrote to memory of 400	1684	f8bb59b31d3c499175097b82261b76c7.exe	f8bb59b31d3c499175097b82261b76c7.exe
PID 1684 wrote to memory of 400	1684	f8bb59b31d3c499175097b82261b76c7.exe	f8bb59b31d3c499175097b82261b76c7.exe
PID 1684 wrote to memory of 400	1684	f8bb59b31d3c499175097b82261b76c7.exe	f8bb59b31d3c499175097b82261b76c7.exe
PID 1684 wrote to memory of 400	1684	f8bb59b31d3c499175097b82261b76c7.exe	f8bb59b31d3c499175097b82261b76c7.exe
PID 1684 wrote to memory of 400	1684	f8bb59b31d3c499175097b82261b76c7.exe	f8bb59b31d3c499175097b82261b76c7.exe
PID 1684 wrote to memory of 400	1684	f8bb59b31d3c499175097b82261b76c7.exe	f8bb59b31d3c499175097b82261b76c7.exe
PID 1684 wrote to memory of 400	1684	f8bb59b31d3c499175097b82261b76c7.exe	f8bb59b31d3c499175097b82261b76c7.exe
PID 400 wrote to memory of 912	400	f8bb59b31d3c499175097b82261b76c7.exe	images.exe
PID 400 wrote to memory of 912	400	f8bb59b31d3c499175097b82261b76c7.exe	images.exe
PID 400 wrote to memory of 912	400	f8bb59b31d3c499175097b82261b76c7.exe	images.exe
PID 400 wrote to memory of 912	400	f8bb59b31d3c499175097b82261b76c7.exe	images.exe
PID 912 wrote to memory of 568	912	images.exe	schtasks.exe
PID 912 wrote to memory of 568	912	images.exe	schtasks.exe
PID 912 wrote to memory of 568	912	images.exe	schtasks.exe
PID 912 wrote to memory of 568	912	images.exe	schtasks.exe
PID 912 wrote to memory of 824	912	images.exe	images.exe
PID 912 wrote to memory of 824	912	images.exe	images.exe
PID 912 wrote to memory of 824	912	images.exe	images.exe
PID 912 wrote to memory of 824	912	images.exe	images.exe
PID 912 wrote to memory of 824	912	images.exe	images.exe
PID 912 wrote to memory of 824	912	images.exe	images.exe
PID 912 wrote to memory of 824	912	images.exe	images.exe
PID 912 wrote to memory of 824	912	images.exe	images.exe
PID 912 wrote to memory of 824	912	images.exe	images.exe
PID 912 wrote to memory of 824	912	images.exe	images.exe
PID 912 wrote to memory of 824	912	images.exe	images.exe
PID 912 wrote to memory of 824	912	images.exe	images.exe

C:\Users\Admin\AppData\Local\Temp\f8bb59b31d3c499175097b82261b76c7.exe
"C:\Users\Admin\AppData\Local\Temp\f8bb59b31d3c499175097b82261b76c7.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1684

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\bgESXlmV" /XML "C:\Users\Admin\AppData\Local\Temp\tmp8FB2.tmp"
2⤵
- Creates scheduled task(s)
PID:1188

C:\Users\Admin\AppData\Local\Temp\f8bb59b31d3c499175097b82261b76c7.exe
"{path}"
2⤵
PID:1596

C:\Users\Admin\AppData\Local\Temp\f8bb59b31d3c499175097b82261b76c7.exe
"{path}"
2⤵
PID:528

C:\Users\Admin\AppData\Local\Temp\f8bb59b31d3c499175097b82261b76c7.exe
"{path}"
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:400

C:\ProgramData\images.exe
"C:\ProgramData\images.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:912

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\bgESXlmV" /XML "C:\Users\Admin\AppData\Local\Temp\tmp2C5E.tmp"
4⤵
- Creates scheduled task(s)
PID:568

C:\ProgramData\images.exe
"{path}"
4⤵
- Executes dropped EXE
PID:824

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\images.exe

MD5
f8bb59b31d3c499175097b82261b76c7

SHA1
55e04ce47ec557644fd5090c6b8eca08fc40f5ac

SHA256
697a598f8ed9e8d8ca308a2472e712420d116e48db95d4a0cd69495242f47e2f

SHA512
751e84ea0c212714f17fc1e1a3a61bcd86bccf16986ccce7f77452f1f775f539facaa97adbce88b94af784ada6c44747244fd80b3c3262d2a371a83103415cc5

Download Submit
C:\ProgramData\images.exe

MD5
f8bb59b31d3c499175097b82261b76c7

SHA1
55e04ce47ec557644fd5090c6b8eca08fc40f5ac

SHA256
697a598f8ed9e8d8ca308a2472e712420d116e48db95d4a0cd69495242f47e2f

SHA512
751e84ea0c212714f17fc1e1a3a61bcd86bccf16986ccce7f77452f1f775f539facaa97adbce88b94af784ada6c44747244fd80b3c3262d2a371a83103415cc5

Download Submit
C:\ProgramData\images.exe

MD5
f8bb59b31d3c499175097b82261b76c7

SHA1
55e04ce47ec557644fd5090c6b8eca08fc40f5ac

SHA256
697a598f8ed9e8d8ca308a2472e712420d116e48db95d4a0cd69495242f47e2f

SHA512
751e84ea0c212714f17fc1e1a3a61bcd86bccf16986ccce7f77452f1f775f539facaa97adbce88b94af784ada6c44747244fd80b3c3262d2a371a83103415cc5

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp2C5E.tmp

MD5
d63fd1c6e5ef6d9706c70a57e47da543

SHA1
0d8029197903e3a7ab8d8eaf742e3ccc39341ff6

SHA256
ec83ce834d4a62ec71f86890416750a9bd35a03cfce7ad732b75f87f7ce25df8

SHA512
8ed943b5f1a212a1ece0f71b701f7a32c8ed54fdc2b0a0d8d879c3c0026069bb84ffce954f8d374286de0545dd89f4b1bfa74ce3430ce67497580807673926d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp8FB2.tmp

MD5
d63fd1c6e5ef6d9706c70a57e47da543

SHA1
0d8029197903e3a7ab8d8eaf742e3ccc39341ff6

SHA256
ec83ce834d4a62ec71f86890416750a9bd35a03cfce7ad732b75f87f7ce25df8

SHA512
8ed943b5f1a212a1ece0f71b701f7a32c8ed54fdc2b0a0d8d879c3c0026069bb84ffce954f8d374286de0545dd89f4b1bfa74ce3430ce67497580807673926d9

Download Submit
\ProgramData\images.exe

MD5
f8bb59b31d3c499175097b82261b76c7

SHA1
55e04ce47ec557644fd5090c6b8eca08fc40f5ac

SHA256
697a598f8ed9e8d8ca308a2472e712420d116e48db95d4a0cd69495242f47e2f

SHA512
751e84ea0c212714f17fc1e1a3a61bcd86bccf16986ccce7f77452f1f775f539facaa97adbce88b94af784ada6c44747244fd80b3c3262d2a371a83103415cc5

Download Submit
memory/400-12-0x00000000756A1000-0x00000000756A3000-memory.dmp

Filesize
8KB

Download
memory/400-10-0x0000000000400000-0x0000000000554000-memory.dmp

Filesize
1.3MB

Download
memory/400-11-0x0000000000405CE2-mapping.dmp

Download
memory/400-13-0x0000000000400000-0x0000000000554000-memory.dmp

Filesize
1.3MB

Download
memory/568-24-0x0000000000000000-mapping.dmp

Download
memory/824-27-0x0000000000405CE2-mapping.dmp

Download
memory/824-30-0x0000000000400000-0x0000000000554000-memory.dmp

Filesize
1.3MB

Download
memory/912-18-0x0000000073950000-0x000000007403E000-memory.dmp

Filesize
6.9MB

Download
memory/912-15-0x0000000000000000-mapping.dmp

Download
memory/912-19-0x0000000001240000-0x0000000001241000-memory.dmp

Filesize
4KB

Download
memory/912-22-0x0000000000D20000-0x0000000000D21000-memory.dmp

Filesize
4KB

Download
memory/1188-8-0x0000000000000000-mapping.dmp

Download
memory/1684-2-0x0000000074670000-0x0000000074D5E000-memory.dmp

Filesize
6.9MB

Download
memory/1684-7-0x00000000007B0000-0x00000000007EB000-memory.dmp

Filesize
236KB

Download
memory/1684-6-0x00000000004C0000-0x00000000004CE000-memory.dmp

Filesize
56KB

Download
memory/1684-5-0x0000000005110000-0x0000000005111000-memory.dmp

Filesize
4KB

Download
memory/1684-3-0x0000000000100000-0x0000000000101000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads