warzonerat | 9179ffac8f35e73f35673a16efe0144858415cb462387ad524889d25ab72a052

General

Target

Swift copy .xls.exe
Size

360KB
MD5

21f7a17e1a7bf3ea8e5b77beec1dd94f
SHA1

d6d0529b2bc4b8ed2c10d4c0e0730cd90421a744
SHA256

f1a7b6a46915fa2b34597413808c3f79379961e645ec613ec09dd0cd0a8722f0
SHA512

26a3dbdfae0007a8bcda397ad87d289cc1bd883f69e76cef67b2826069f183fac2e1e7273dbb58edefa7f70ce26e34241e4f70332e68964ad7170b9f228d4ec3

Score

10^/10

warzonerat infostealer persistence rat

Malware Config

Extracted

Family

warzonerat

C2

194.5.97.116:1360

Signatures

WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
rat infostealer warzonerat

Warzone RAT Payload 3 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/1444-14-0x0000000000400000-0x0000000000554000-memory.dmp	warzonerat
behavioral2/memory/1444-15-0x0000000000405CE2-mapping.dmp	warzonerat
behavioral2/memory/1444-16-0x0000000000400000-0x0000000000554000-memory.dmp	warzonerat

Sets DLL path for service in the registry 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112
Loads dropped DLL 1 IoCs

Processes:

svchost.exe

pid process

3780 svchost.exe

pid	process
3780	svchost.exe

Modifies WinLogon 2 TTPs 4 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

Swift copy .xls.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList	Swift copy .xls.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts	Swift copy .xls.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList\Bvubksk = "0"	Swift copy .xls.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\AllowMultipleTSSessions = "1"	Swift copy .xls.exe

Drops file in System32 directory 2 IoCs

Processes:

Swift copy .xls.exe

description	ioc	process
File created	C:\Windows\System32\rfxvmt.dll	Swift copy .xls.exe
File opened for modification	C:\Windows\System32\rfxvmt.dll	Swift copy .xls.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

Swift copy .xls.exe

description pid process target process

PID 1176 set thread context of 1444 1176 Swift copy .xls.exe Swift copy .xls.exe

description	pid	process	target process
PID 1176 set thread context of 1444	1176	Swift copy .xls.exe	Swift copy .xls.exe

Drops file in Program Files directory 2 IoCs

Processes:

Swift copy .xls.exe

description	ioc	process
File created	C:\Program Files\Microsoft DN1\sqlmap.dll	Swift copy .xls.exe
File created	C:\Program Files\Microsoft DN1\rdpwrap.ini	Swift copy .xls.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

2796 schtasks.exe
Suspicious behavior: EnumeratesProcesses 7 IoCs

Processes:

Swift copy .xls.exesvchost.exe

pid process

1176 Swift copy .xls.exe
1176 Swift copy .xls.exe
1176 Swift copy .xls.exe
3780 svchost.exe
3780 svchost.exe
3780 svchost.exe
3780 svchost.exe
Suspicious behavior: LoadsDriver 1 IoCs

Processes:

pid process

620

pid	process
2796	schtasks.exe

pid	process
1176	Swift copy .xls.exe
1176	Swift copy .xls.exe
1176	Swift copy .xls.exe
3780	svchost.exe
3780	svchost.exe
3780	svchost.exe
3780	svchost.exe

pid	process
620

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

Swift copy .xls.exeSwift copy .xls.exesvchost.exe

description	pid	process
Token: SeDebugPrivilege	1176	Swift copy .xls.exe
Token: SeDebugPrivilege	1444	Swift copy .xls.exe
Token: SeAuditPrivilege	3780	svchost.exe

Suspicious use of WriteProcessMemory 17 IoCs

Processes:

Swift copy .xls.exe

description	pid	process	target process
PID 1176 wrote to memory of 2796	1176	Swift copy .xls.exe	schtasks.exe
PID 1176 wrote to memory of 2796	1176	Swift copy .xls.exe	schtasks.exe
PID 1176 wrote to memory of 2796	1176	Swift copy .xls.exe	schtasks.exe
PID 1176 wrote to memory of 3420	1176	Swift copy .xls.exe	Swift copy .xls.exe
PID 1176 wrote to memory of 3420	1176	Swift copy .xls.exe	Swift copy .xls.exe
PID 1176 wrote to memory of 3420	1176	Swift copy .xls.exe	Swift copy .xls.exe
PID 1176 wrote to memory of 1444	1176	Swift copy .xls.exe	Swift copy .xls.exe
PID 1176 wrote to memory of 1444	1176	Swift copy .xls.exe	Swift copy .xls.exe
PID 1176 wrote to memory of 1444	1176	Swift copy .xls.exe	Swift copy .xls.exe
PID 1176 wrote to memory of 1444	1176	Swift copy .xls.exe	Swift copy .xls.exe
PID 1176 wrote to memory of 1444	1176	Swift copy .xls.exe	Swift copy .xls.exe
PID 1176 wrote to memory of 1444	1176	Swift copy .xls.exe	Swift copy .xls.exe
PID 1176 wrote to memory of 1444	1176	Swift copy .xls.exe	Swift copy .xls.exe
PID 1176 wrote to memory of 1444	1176	Swift copy .xls.exe	Swift copy .xls.exe
PID 1176 wrote to memory of 1444	1176	Swift copy .xls.exe	Swift copy .xls.exe
PID 1176 wrote to memory of 1444	1176	Swift copy .xls.exe	Swift copy .xls.exe
PID 1176 wrote to memory of 1444	1176	Swift copy .xls.exe	Swift copy .xls.exe

C:\Users\Admin\AppData\Local\Temp\Swift copy .xls.exe
"C:\Users\Admin\AppData\Local\Temp\Swift copy .xls.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1176

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\AsLvNjC" /XML "C:\Users\Admin\AppData\Local\Temp\tmpE3CE.tmp"
2⤵
- Creates scheduled task(s)
PID:2796

C:\Users\Admin\AppData\Local\Temp\Swift copy .xls.exe
"{path}"
2⤵
PID:3420

C:\Users\Admin\AppData\Local\Temp\Swift copy .xls.exe
"{path}"
2⤵
- Modifies WinLogon
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:1444

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k networkservice -s TermService
1⤵
PID:3712

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -s TermService
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3780

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Registry Run Keys / Startup Folder

1

T1060

Winlogon Helper DLL

1

T1004

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpE3CE.tmp
MD5
e56bba58443fec352a5d56e208b4a261

SHA1
6f42d1067a80f66aa80253abd51949e24669179c

SHA256
8a3ea8c29c6e7e506dc45c387e2590dae03336899a125f97d0b37817744e8476

SHA512
2aa6f7648cf31d22e9f5afd2e92d34a87fd6e450397b0c246c5a9351ef9bf3b662f3293cce3d6ffba6c8c4db2f93f4e0f26668d659316f14c56f5b697cffd35f

Download Submit
\??\c:\program files\microsoft dn1\rdpwrap.ini
MD5
6bc395161b04aa555d5a4e8eb8320020

SHA1
f18544faa4bd067f6773a373d580e111b0c8c300

SHA256
23390dfcda60f292ba1e52abb5ba2f829335351f4f9b1d33a9a6ad7a9bf5e2be

SHA512
679ac80c26422667ca5f2a6d9f0e022ef76bc9b09f97ad390b81f2e286446f0658524ccc8346a6e79d10e42131bc428f7c0ce4541d44d83af8134c499436daae

Download Submit
\??\c:\program files\microsoft dn1\sqlmap.dll
MD5
461ade40b800ae80a40985594e1ac236

SHA1
b3892eef846c044a2b0785d54a432b3e93a968c8

SHA256
798af20db39280f90a1d35f2ac2c1d62124d1f5218a2a0fa29d87a13340bd3e4

SHA512
421f9060c4b61fa6f4074508602a2639209032fd5df5bfc702a159e3bad5479684ccb3f6e02f3e38fb8db53839cf3f41fe58a3acad6ec1199a48dc333b2d8a26

Download Submit
\Program Files\Microsoft DN1\sqlmap.dll
MD5
461ade40b800ae80a40985594e1ac236

SHA1
b3892eef846c044a2b0785d54a432b3e93a968c8

SHA256
798af20db39280f90a1d35f2ac2c1d62124d1f5218a2a0fa29d87a13340bd3e4

SHA512
421f9060c4b61fa6f4074508602a2639209032fd5df5bfc702a159e3bad5479684ccb3f6e02f3e38fb8db53839cf3f41fe58a3acad6ec1199a48dc333b2d8a26

Download Submit
memory/1176-11-0x0000000006E30000-0x0000000006E78000-memory.dmp

Filesize
288KB

Download
memory/1176-6-0x0000000004A80000-0x0000000004A81000-memory.dmp

Filesize
4KB

Download
memory/1176-9-0x0000000006AF0000-0x0000000006AF1000-memory.dmp

Filesize
4KB

Download
memory/1176-10-0x0000000004D70000-0x0000000004D7B000-memory.dmp

Filesize
44KB

Download
memory/1176-2-0x0000000073A80000-0x000000007416E000-memory.dmp

Filesize
6.9MB

Download
memory/1176-3-0x0000000000150000-0x0000000000151000-memory.dmp

Filesize
4KB

Download
memory/1176-7-0x0000000002690000-0x0000000002691000-memory.dmp

Filesize
4KB

Download
memory/1176-5-0x00000000050D0000-0x00000000050D1000-memory.dmp

Filesize
4KB

Download
memory/1176-8-0x00000000026C0000-0x00000000026C1000-memory.dmp

Filesize
4KB

Download
memory/1444-16-0x0000000000400000-0x0000000000554000-memory.dmp

Filesize
1.3MB

Download
memory/1444-15-0x0000000000405CE2-mapping.dmp

Download
memory/1444-14-0x0000000000400000-0x0000000000554000-memory.dmp

Filesize
1.3MB

Download
memory/1444-20-0x0000000003F70000-0x0000000003FF4000-memory.dmp

Filesize
528KB

Download
memory/2796-12-0x0000000000000000-mapping.dmp

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads