warzonerat | 72e1816b0f9e1fb44f557dda6696b1596b8c61369e7e91e4e730de33646d4d72

General

Target

0001.exe
Size

504KB
MD5

dce40fe214b73d0e6404ee8d25510cd1
SHA1

e6b31b3b3c8ad95554f63415f66ae098632c5a34
SHA256

72e1816b0f9e1fb44f557dda6696b1596b8c61369e7e91e4e730de33646d4d72
SHA512

12f10cf718959d9aac2f7fb88842aa2868eb3ba963395b94a8dd7f5bbcb46674c13bf2bd59b24f2598f23435a519e66c7d166bd42d7abbac4639e633f8b07fd0

Score

10^/10

warzonerat infostealer rat

Malware Config

Extracted

Family

warzonerat

C2

79.134.225.26:3141

Signatures

WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
rat infostealer warzonerat
Suspicious use of SetThreadContext 1 IoCs

Processes:

0001.exe

description pid process target process

PID 2604 set thread context of 3256 2604 0001.exe 0001.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

2664 schtasks.exe
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

0001.exe

pid process

2604 0001.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

0001.exe

description pid process

Token: SeDebugPrivilege 2604 0001.exe

description	pid	process	target process
PID 2604 set thread context of 3256	2604	0001.exe	0001.exe

pid	process
2664	schtasks.exe

pid	process
2604	0001.exe

description	pid	process
Token: SeDebugPrivilege	2604	0001.exe

Suspicious use of WriteProcessMemory 13 IoCs

Processes:

0001.exe

description	pid	process	target process
PID 2604 wrote to memory of 2664	2604	0001.exe	schtasks.exe
PID 2604 wrote to memory of 2664	2604	0001.exe	schtasks.exe
PID 2604 wrote to memory of 2664	2604	0001.exe	schtasks.exe
PID 2604 wrote to memory of 3256	2604	0001.exe	0001.exe
PID 2604 wrote to memory of 3256	2604	0001.exe	0001.exe
PID 2604 wrote to memory of 3256	2604	0001.exe	0001.exe
PID 2604 wrote to memory of 3256	2604	0001.exe	0001.exe
PID 2604 wrote to memory of 3256	2604	0001.exe	0001.exe
PID 2604 wrote to memory of 3256	2604	0001.exe	0001.exe
PID 2604 wrote to memory of 3256	2604	0001.exe	0001.exe
PID 2604 wrote to memory of 3256	2604	0001.exe	0001.exe
PID 2604 wrote to memory of 3256	2604	0001.exe	0001.exe
PID 2604 wrote to memory of 3256	2604	0001.exe	0001.exe

C:\Users\Admin\AppData\Local\Temp\0001.exe
"C:\Users\Admin\AppData\Local\Temp\0001.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2604
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\tGzTHNLfnLr" /XML "C:\Users\Admin\AppData\Local\Temp\tmpCBA2.tmp"
  2⤵
  - Creates scheduled task(s)
  PID:2664
- C:\Users\Admin\AppData\Local\Temp\0001.exe
  "{path}"
  2⤵
  PID:3256

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpCBA2.tmp

MD5
87a5eb355754a666b0d2812b2e8d1342

SHA1
60040ad29046330c52b6b762441bc4099d0c7420

SHA256
bf8a40c393cdee257ff1d78a5ff0640e41f86f6479e1643bec640a0029aa6737

SHA512
d10179b2180bebe1462f59cb69f7c536eb7086b5a29e52e00536b91f6bedcfbba95adda37f9680ddd781d1342293cc605acaefd59016efcbe23371b00c962d30

Download Submit
memory/2604-7-0x00000000050D0000-0x00000000050D1000-memory.dmp

Filesize
4KB

Download
memory/2604-12-0x0000000006BB0000-0x0000000006C24000-memory.dmp

Filesize
464KB

Download
memory/2604-6-0x0000000004F00000-0x0000000004F01000-memory.dmp

Filesize
4KB

Download
memory/2604-2-0x0000000073940000-0x000000007402E000-memory.dmp

Filesize
6.9MB

Download
memory/2604-8-0x0000000004EA0000-0x0000000004EA1000-memory.dmp

Filesize
4KB

Download
memory/2604-9-0x00000000085C0000-0x00000000085C1000-memory.dmp

Filesize
4KB

Download
memory/2604-5-0x0000000005400000-0x0000000005401000-memory.dmp

Filesize
4KB

Download
memory/2604-11-0x0000000008780000-0x0000000008782000-memory.dmp

Filesize
8KB

Download
memory/2604-10-0x000000007E430000-0x000000007E431000-memory.dmp

Filesize
4KB

Download
memory/2604-13-0x0000000006C30000-0x0000000006C63000-memory.dmp

Filesize
204KB

Download
memory/2604-3-0x00000000005F0000-0x00000000005F1000-memory.dmp

Filesize
4KB

Download
memory/2664-14-0x0000000000000000-mapping.dmp

Download
memory/3256-16-0x0000000000400000-0x000000000055E000-memory.dmp

Filesize
1.4MB

Download
memory/3256-17-0x0000000000405E28-mapping.dmp

Download
memory/3256-18-0x0000000000400000-0x000000000055E000-memory.dmp

Filesize
1.4MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads