warzonerat | f92db9d719cb7053b1b814f4a3a31c30572e83dd51b549da36d32b473361c30a

General

Target

CLEW enquiry 2021.PDF.exe
Size

472KB
MD5

4387f93e0d45409c4397bc25312ac979
SHA1

0f02a839cdac526bd40d7fb62f792947f2ffe76b
SHA256

f92db9d719cb7053b1b814f4a3a31c30572e83dd51b549da36d32b473361c30a
SHA512

54f6761a0bcd495a8c7d6fe31859271515044fe9750df726bd7f51045f03450481f015152ba06b39adc3852ea1f129fadaab4a9634b200d91d3d22aca4da1ccf

Score

10^/10

warzonerat infostealer rat

Malware Config

Extracted

Family

warzonerat

C2

79.134.225.26:3141

Signatures

WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
rat infostealer warzonerat

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1048 set thread context of 1352	1048	CLEW enquiry 2021.PDF.exe	82

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
1328	schtasks.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
1048	CLEW enquiry 2021.PDF.exe
1048	CLEW enquiry 2021.PDF.exe
1048	CLEW enquiry 2021.PDF.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1048	CLEW enquiry 2021.PDF.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 1048 wrote to memory of 1328	1048	CLEW enquiry 2021.PDF.exe	79
PID 1048 wrote to memory of 1328	1048	CLEW enquiry 2021.PDF.exe	79
PID 1048 wrote to memory of 1328	1048	CLEW enquiry 2021.PDF.exe	79
PID 1048 wrote to memory of 420	1048	CLEW enquiry 2021.PDF.exe	81
PID 1048 wrote to memory of 420	1048	CLEW enquiry 2021.PDF.exe	81
PID 1048 wrote to memory of 420	1048	CLEW enquiry 2021.PDF.exe	81
PID 1048 wrote to memory of 1352	1048	CLEW enquiry 2021.PDF.exe	82
PID 1048 wrote to memory of 1352	1048	CLEW enquiry 2021.PDF.exe	82
PID 1048 wrote to memory of 1352	1048	CLEW enquiry 2021.PDF.exe	82
PID 1048 wrote to memory of 1352	1048	CLEW enquiry 2021.PDF.exe	82
PID 1048 wrote to memory of 1352	1048	CLEW enquiry 2021.PDF.exe	82
PID 1048 wrote to memory of 1352	1048	CLEW enquiry 2021.PDF.exe	82
PID 1048 wrote to memory of 1352	1048	CLEW enquiry 2021.PDF.exe	82
PID 1048 wrote to memory of 1352	1048	CLEW enquiry 2021.PDF.exe	82
PID 1048 wrote to memory of 1352	1048	CLEW enquiry 2021.PDF.exe	82
PID 1048 wrote to memory of 1352	1048	CLEW enquiry 2021.PDF.exe	82

C:\Users\Admin\AppData\Local\Temp\CLEW enquiry 2021.PDF.exe
"C:\Users\Admin\AppData\Local\Temp\CLEW enquiry 2021.PDF.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1048
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\WsQrFjjPrfyT" /XML "C:\Users\Admin\AppData\Local\Temp\tmp222F.tmp"
  2⤵
  - Creates scheduled task(s)
  PID:1328
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
  "{path}"
  2⤵
  PID:420
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
  "{path}"
  2⤵
  PID:1352

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1048-7-0x00000000048E0000-0x00000000048E1000-memory.dmp

Filesize
4KB

Download
memory/1048-12-0x0000000006700000-0x0000000006772000-memory.dmp

Filesize
456KB

Download
memory/1048-6-0x0000000004930000-0x0000000004931000-memory.dmp

Filesize
4KB

Download
memory/1048-2-0x0000000073460000-0x0000000073B4E000-memory.dmp

Filesize
6.9MB

Download
memory/1048-8-0x0000000004BF0000-0x0000000004BF1000-memory.dmp

Filesize
4KB

Download
memory/1048-9-0x0000000007F10000-0x0000000007F11000-memory.dmp

Filesize
4KB

Download
memory/1048-5-0x0000000004F50000-0x0000000004F51000-memory.dmp

Filesize
4KB

Download
memory/1048-11-0x0000000008140000-0x0000000008142000-memory.dmp

Filesize
8KB

Download
memory/1048-10-0x000000007EDE0000-0x000000007EDE1000-memory.dmp

Filesize
4KB

Download
memory/1048-13-0x0000000006780000-0x00000000067B2000-memory.dmp

Filesize
200KB

Download
memory/1048-3-0x0000000000040000-0x0000000000041000-memory.dmp

Filesize
4KB

Download
memory/1352-16-0x0000000000400000-0x000000000055E000-memory.dmp

Filesize
1.4MB

Download
memory/1352-18-0x0000000000400000-0x000000000055E000-memory.dmp

Filesize
1.4MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads