warzonerat | 697a598f8ed9e8d8ca308a2472e712420d116e48db95d4a0cd69495242f47e2f

General

Target

f8bb59b31d3c499175097b82261b76c7.exe
Size

889KB
MD5

f8bb59b31d3c499175097b82261b76c7
SHA1

55e04ce47ec557644fd5090c6b8eca08fc40f5ac
SHA256

697a598f8ed9e8d8ca308a2472e712420d116e48db95d4a0cd69495242f47e2f
SHA512

751e84ea0c212714f17fc1e1a3a61bcd86bccf16986ccce7f77452f1f775f539facaa97adbce88b94af784ada6c44747244fd80b3c3262d2a371a83103415cc5

Score

10^/10

warzonerat infostealer rat

Malware Config

Extracted

Family

warzonerat

C2

79.134.225.79:5300

Signatures

WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
rat infostealer warzonerat

Warzone RAT Payload 5 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/1424-14-0x0000000000400000-0x0000000000554000-memory.dmp	warzonerat
behavioral2/memory/1424-15-0x0000000000405CE2-mapping.dmp	warzonerat
behavioral2/memory/1424-16-0x0000000000400000-0x0000000000554000-memory.dmp	warzonerat
behavioral2/memory/1824-33-0x0000000000405CE2-mapping.dmp	warzonerat
behavioral2/memory/1824-35-0x0000000000400000-0x0000000000554000-memory.dmp	warzonerat

Executes dropped EXE 2 IoCs

Processes:

images.exeimages.exe

pid process

1248 images.exe
1824 images.exe

pid	process
1248	images.exe
1824	images.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

f8bb59b31d3c499175097b82261b76c7.exeimages.exe

description	pid	process	target process
PID 4000 set thread context of 1424	4000	f8bb59b31d3c499175097b82261b76c7.exe	f8bb59b31d3c499175097b82261b76c7.exe
PID 1248 set thread context of 1824	1248	images.exe	images.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exe

pid process

2148 schtasks.exe
3836 schtasks.exe

pid	process
2148	schtasks.exe
3836	schtasks.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

f8bb59b31d3c499175097b82261b76c7.exeimages.exe

pid	process
4000	f8bb59b31d3c499175097b82261b76c7.exe
4000	f8bb59b31d3c499175097b82261b76c7.exe
4000	f8bb59b31d3c499175097b82261b76c7.exe
4000	f8bb59b31d3c499175097b82261b76c7.exe
4000	f8bb59b31d3c499175097b82261b76c7.exe
1248	images.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

f8bb59b31d3c499175097b82261b76c7.exeimages.exe

description pid process

Token: SeDebugPrivilege 4000 f8bb59b31d3c499175097b82261b76c7.exe
Token: SeDebugPrivilege 1248 images.exe

description	pid	process
Token: SeDebugPrivilege	4000	f8bb59b31d3c499175097b82261b76c7.exe
Token: SeDebugPrivilege	1248	images.exe

Suspicious use of WriteProcessMemory 37 IoCs

Processes:

f8bb59b31d3c499175097b82261b76c7.exef8bb59b31d3c499175097b82261b76c7.exeimages.exe

description	pid	process	target process
PID 4000 wrote to memory of 2148	4000	f8bb59b31d3c499175097b82261b76c7.exe	schtasks.exe
PID 4000 wrote to memory of 2148	4000	f8bb59b31d3c499175097b82261b76c7.exe	schtasks.exe
PID 4000 wrote to memory of 2148	4000	f8bb59b31d3c499175097b82261b76c7.exe	schtasks.exe
PID 4000 wrote to memory of 3280	4000	f8bb59b31d3c499175097b82261b76c7.exe	f8bb59b31d3c499175097b82261b76c7.exe
PID 4000 wrote to memory of 3280	4000	f8bb59b31d3c499175097b82261b76c7.exe	f8bb59b31d3c499175097b82261b76c7.exe
PID 4000 wrote to memory of 3280	4000	f8bb59b31d3c499175097b82261b76c7.exe	f8bb59b31d3c499175097b82261b76c7.exe
PID 4000 wrote to memory of 2324	4000	f8bb59b31d3c499175097b82261b76c7.exe	f8bb59b31d3c499175097b82261b76c7.exe
PID 4000 wrote to memory of 2324	4000	f8bb59b31d3c499175097b82261b76c7.exe	f8bb59b31d3c499175097b82261b76c7.exe
PID 4000 wrote to memory of 2324	4000	f8bb59b31d3c499175097b82261b76c7.exe	f8bb59b31d3c499175097b82261b76c7.exe
PID 4000 wrote to memory of 1424	4000	f8bb59b31d3c499175097b82261b76c7.exe	f8bb59b31d3c499175097b82261b76c7.exe
PID 4000 wrote to memory of 1424	4000	f8bb59b31d3c499175097b82261b76c7.exe	f8bb59b31d3c499175097b82261b76c7.exe
PID 4000 wrote to memory of 1424	4000	f8bb59b31d3c499175097b82261b76c7.exe	f8bb59b31d3c499175097b82261b76c7.exe
PID 4000 wrote to memory of 1424	4000	f8bb59b31d3c499175097b82261b76c7.exe	f8bb59b31d3c499175097b82261b76c7.exe
PID 4000 wrote to memory of 1424	4000	f8bb59b31d3c499175097b82261b76c7.exe	f8bb59b31d3c499175097b82261b76c7.exe
PID 4000 wrote to memory of 1424	4000	f8bb59b31d3c499175097b82261b76c7.exe	f8bb59b31d3c499175097b82261b76c7.exe
PID 4000 wrote to memory of 1424	4000	f8bb59b31d3c499175097b82261b76c7.exe	f8bb59b31d3c499175097b82261b76c7.exe
PID 4000 wrote to memory of 1424	4000	f8bb59b31d3c499175097b82261b76c7.exe	f8bb59b31d3c499175097b82261b76c7.exe
PID 4000 wrote to memory of 1424	4000	f8bb59b31d3c499175097b82261b76c7.exe	f8bb59b31d3c499175097b82261b76c7.exe
PID 4000 wrote to memory of 1424	4000	f8bb59b31d3c499175097b82261b76c7.exe	f8bb59b31d3c499175097b82261b76c7.exe
PID 4000 wrote to memory of 1424	4000	f8bb59b31d3c499175097b82261b76c7.exe	f8bb59b31d3c499175097b82261b76c7.exe
PID 1424 wrote to memory of 1248	1424	f8bb59b31d3c499175097b82261b76c7.exe	images.exe
PID 1424 wrote to memory of 1248	1424	f8bb59b31d3c499175097b82261b76c7.exe	images.exe
PID 1424 wrote to memory of 1248	1424	f8bb59b31d3c499175097b82261b76c7.exe	images.exe
PID 1248 wrote to memory of 3836	1248	images.exe	schtasks.exe
PID 1248 wrote to memory of 3836	1248	images.exe	schtasks.exe
PID 1248 wrote to memory of 3836	1248	images.exe	schtasks.exe
PID 1248 wrote to memory of 1824	1248	images.exe	images.exe
PID 1248 wrote to memory of 1824	1248	images.exe	images.exe
PID 1248 wrote to memory of 1824	1248	images.exe	images.exe
PID 1248 wrote to memory of 1824	1248	images.exe	images.exe
PID 1248 wrote to memory of 1824	1248	images.exe	images.exe
PID 1248 wrote to memory of 1824	1248	images.exe	images.exe
PID 1248 wrote to memory of 1824	1248	images.exe	images.exe
PID 1248 wrote to memory of 1824	1248	images.exe	images.exe
PID 1248 wrote to memory of 1824	1248	images.exe	images.exe
PID 1248 wrote to memory of 1824	1248	images.exe	images.exe
PID 1248 wrote to memory of 1824	1248	images.exe	images.exe

C:\Users\Admin\AppData\Local\Temp\f8bb59b31d3c499175097b82261b76c7.exe
"C:\Users\Admin\AppData\Local\Temp\f8bb59b31d3c499175097b82261b76c7.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4000

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\bgESXlmV" /XML "C:\Users\Admin\AppData\Local\Temp\tmp937B.tmp"
2⤵
- Creates scheduled task(s)
PID:2148

C:\Users\Admin\AppData\Local\Temp\f8bb59b31d3c499175097b82261b76c7.exe
"{path}"
2⤵
PID:3280

C:\Users\Admin\AppData\Local\Temp\f8bb59b31d3c499175097b82261b76c7.exe
"{path}"
2⤵
PID:2324

C:\Users\Admin\AppData\Local\Temp\f8bb59b31d3c499175097b82261b76c7.exe
"{path}"
2⤵
- Suspicious use of WriteProcessMemory
PID:1424

C:\ProgramData\images.exe
"C:\ProgramData\images.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1248

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\bgESXlmV" /XML "C:\Users\Admin\AppData\Local\Temp\tmp1E18.tmp"
4⤵
- Creates scheduled task(s)
PID:3836

C:\ProgramData\images.exe
"{path}"
4⤵
- Executes dropped EXE
PID:1824

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\images.exe

MD5
f8bb59b31d3c499175097b82261b76c7

SHA1
55e04ce47ec557644fd5090c6b8eca08fc40f5ac

SHA256
697a598f8ed9e8d8ca308a2472e712420d116e48db95d4a0cd69495242f47e2f

SHA512
751e84ea0c212714f17fc1e1a3a61bcd86bccf16986ccce7f77452f1f775f539facaa97adbce88b94af784ada6c44747244fd80b3c3262d2a371a83103415cc5

Download Submit
C:\ProgramData\images.exe

MD5
f8bb59b31d3c499175097b82261b76c7

SHA1
55e04ce47ec557644fd5090c6b8eca08fc40f5ac

SHA256
697a598f8ed9e8d8ca308a2472e712420d116e48db95d4a0cd69495242f47e2f

SHA512
751e84ea0c212714f17fc1e1a3a61bcd86bccf16986ccce7f77452f1f775f539facaa97adbce88b94af784ada6c44747244fd80b3c3262d2a371a83103415cc5

Download Submit
C:\ProgramData\images.exe

MD5
f8bb59b31d3c499175097b82261b76c7

SHA1
55e04ce47ec557644fd5090c6b8eca08fc40f5ac

SHA256
697a598f8ed9e8d8ca308a2472e712420d116e48db95d4a0cd69495242f47e2f

SHA512
751e84ea0c212714f17fc1e1a3a61bcd86bccf16986ccce7f77452f1f775f539facaa97adbce88b94af784ada6c44747244fd80b3c3262d2a371a83103415cc5

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp1E18.tmp

MD5
f8ee0a9564d9d1592c90f4dd6af50f1c

SHA1
b6f3cadec42a5a75c506bfd519e6786ea11b58e6

SHA256
87724a95c7a539c14d657360a0a59687ac039fe662370b412476f89d633864e3

SHA512
b9469fbc3095772dd5a4fd8cb059b6194dbe276395f7ae54d44a2b1f22e6e599ba15619adc5e088d7295904f59a26b6e715ffe058a23fedca8d5c11646e32ce6

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp937B.tmp

MD5
f8ee0a9564d9d1592c90f4dd6af50f1c

SHA1
b6f3cadec42a5a75c506bfd519e6786ea11b58e6

SHA256
87724a95c7a539c14d657360a0a59687ac039fe662370b412476f89d633864e3

SHA512
b9469fbc3095772dd5a4fd8cb059b6194dbe276395f7ae54d44a2b1f22e6e599ba15619adc5e088d7295904f59a26b6e715ffe058a23fedca8d5c11646e32ce6

Download Submit
memory/1248-27-0x0000000004CD0000-0x0000000004CD1000-memory.dmp

Filesize
4KB

Download
memory/1248-20-0x0000000073870000-0x0000000073F5E000-memory.dmp

Filesize
6.9MB

Download
memory/1248-17-0x0000000000000000-mapping.dmp

Download
memory/1424-15-0x0000000000405CE2-mapping.dmp

Download
memory/1424-14-0x0000000000400000-0x0000000000554000-memory.dmp

Filesize
1.3MB

Download
memory/1424-16-0x0000000000400000-0x0000000000554000-memory.dmp

Filesize
1.3MB

Download
memory/1824-35-0x0000000000400000-0x0000000000554000-memory.dmp

Filesize
1.3MB

Download
memory/1824-33-0x0000000000405CE2-mapping.dmp

Download
memory/2148-12-0x0000000000000000-mapping.dmp

Download
memory/3836-30-0x0000000000000000-mapping.dmp

Download
memory/4000-9-0x0000000005490000-0x0000000005491000-memory.dmp

Filesize
4KB

Download
memory/4000-8-0x0000000005740000-0x000000000574E000-memory.dmp

Filesize
56KB

Download
memory/4000-7-0x00000000055B0000-0x00000000055B1000-memory.dmp

Filesize
4KB

Download
memory/4000-6-0x0000000005500000-0x0000000005501000-memory.dmp

Filesize
4KB

Download
memory/4000-10-0x00000000072E0000-0x000000000731B000-memory.dmp

Filesize
236KB

Download
memory/4000-5-0x0000000005AD0000-0x0000000005AD1000-memory.dmp

Filesize
4KB

Download
memory/4000-2-0x00000000738E0000-0x0000000073FCE000-memory.dmp

Filesize
6.9MB

Download
memory/4000-3-0x0000000000BE0000-0x0000000000BE1000-memory.dmp

Filesize
4KB

Download
memory/4000-11-0x0000000007970000-0x0000000007971000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads