warzonerat | 14e98f487bcb81ea810e155c7917d298d4ebbc674c795439a1cfa3775f85a679

General

Target

Fattura di errore.exe
Size

958KB
MD5

6546bd083796d7fa2f20246a4bffc82b
SHA1

06d4a96dae07bf99da76cc57585eae0dca31053c
SHA256

14e98f487bcb81ea810e155c7917d298d4ebbc674c795439a1cfa3775f85a679
SHA512

9da93507ae7c83cf85486dc4dd82f3389088622105e0c9da3c0d436f543f8050b992222efccc335ae66d9ba1db5d99d080d9a07fc70bb7d6522ef22c5ffa2784

Score

10^/10

warzonerat infostealer rat

Malware Config

Extracted

Family

warzonerat

C2

104.209.133.4:7500

Signatures

WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
rat infostealer warzonerat

Warzone RAT Payload 3 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/372-129-0x0000000000405CE2-mapping.dmp	warzonerat
behavioral2/memory/372-128-0x0000000000400000-0x0000000000554000-memory.dmp	warzonerat
behavioral2/memory/372-130-0x0000000000400000-0x0000000000554000-memory.dmp	warzonerat

Suspicious use of SetThreadContext 1 IoCs

Processes:

Fattura di errore.exe

description pid process target process

PID 3884 set thread context of 372 3884 Fattura di errore.exe Fattura di errore.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

3960 schtasks.exe
Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

Fattura di errore.exe

pid process

3884 Fattura di errore.exe
3884 Fattura di errore.exe
3884 Fattura di errore.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

Fattura di errore.exe

description pid process

Token: SeDebugPrivilege 3884 Fattura di errore.exe

description	pid	process	target process
PID 3884 set thread context of 372	3884	Fattura di errore.exe	Fattura di errore.exe

pid	process
3960	schtasks.exe

pid	process
3884	Fattura di errore.exe
3884	Fattura di errore.exe
3884	Fattura di errore.exe

description	pid	process
Token: SeDebugPrivilege	3884	Fattura di errore.exe

Suspicious use of WriteProcessMemory 14 IoCs

Processes:

Fattura di errore.exe

description	pid	process	target process
PID 3884 wrote to memory of 3960	3884	Fattura di errore.exe	schtasks.exe
PID 3884 wrote to memory of 3960	3884	Fattura di errore.exe	schtasks.exe
PID 3884 wrote to memory of 3960	3884	Fattura di errore.exe	schtasks.exe
PID 3884 wrote to memory of 372	3884	Fattura di errore.exe	Fattura di errore.exe
PID 3884 wrote to memory of 372	3884	Fattura di errore.exe	Fattura di errore.exe
PID 3884 wrote to memory of 372	3884	Fattura di errore.exe	Fattura di errore.exe
PID 3884 wrote to memory of 372	3884	Fattura di errore.exe	Fattura di errore.exe
PID 3884 wrote to memory of 372	3884	Fattura di errore.exe	Fattura di errore.exe
PID 3884 wrote to memory of 372	3884	Fattura di errore.exe	Fattura di errore.exe
PID 3884 wrote to memory of 372	3884	Fattura di errore.exe	Fattura di errore.exe
PID 3884 wrote to memory of 372	3884	Fattura di errore.exe	Fattura di errore.exe
PID 3884 wrote to memory of 372	3884	Fattura di errore.exe	Fattura di errore.exe
PID 3884 wrote to memory of 372	3884	Fattura di errore.exe	Fattura di errore.exe
PID 3884 wrote to memory of 372	3884	Fattura di errore.exe	Fattura di errore.exe

C:\Users\Admin\AppData\Local\Temp\Fattura di errore.exe
"C:\Users\Admin\AppData\Local\Temp\Fattura di errore.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3884

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ZGxgREWnZ" /XML "C:\Users\Admin\AppData\Local\Temp\tmpCE4D.tmp"
2⤵
- Creates scheduled task(s)
PID:3960

C:\Users\Admin\AppData\Local\Temp\Fattura di errore.exe
"C:\Users\Admin\AppData\Local\Temp\Fattura di errore.exe"
2⤵
PID:372

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpCE4D.tmp
MD5
34f12ade7610bdefaad8f6cc240aeb53

SHA1
c05746216a492a1e6d3a996da9b290be63b43df9

SHA256
56338f85f6c13d81c13c38b7d334956cbd42f3a427859f322c4022fd230236ab

SHA512
45df2f058345256448cb5bd07a29d3b205794df25e47b660fa3f4d67c03157de02d8b84aeeedf05441bbfe2b0bd21f62954d6e5ffe6292ef037f54975e332c3c

Download Submit
memory/372-130-0x0000000000400000-0x0000000000554000-memory.dmp

Filesize
1.3MB

Download
memory/372-128-0x0000000000400000-0x0000000000554000-memory.dmp

Filesize
1.3MB

Download
memory/372-129-0x0000000000405CE2-mapping.dmp

Download
memory/3884-119-0x00000000054B0000-0x00000000054B1000-memory.dmp

Filesize
4KB

Download
memory/3884-120-0x00000000057F0000-0x00000000057F1000-memory.dmp

Filesize
4KB

Download
memory/3884-121-0x00000000055E0000-0x0000000005ADE000-memory.dmp

Filesize
5.0MB

Download
memory/3884-122-0x0000000007370000-0x0000000007374000-memory.dmp

Filesize
16KB

Download
memory/3884-123-0x000000007E3E0000-0x000000007E3E1000-memory.dmp

Filesize
4KB

Download
memory/3884-124-0x0000000008D40000-0x0000000008DE3000-memory.dmp

Filesize
652KB

Download
memory/3884-125-0x000000000B4E0000-0x000000000B53E000-memory.dmp

Filesize
376KB

Download
memory/3884-114-0x0000000000BB0000-0x0000000000BB1000-memory.dmp

Filesize
4KB

Download
memory/3884-118-0x00000000055E0000-0x00000000055E1000-memory.dmp

Filesize
4KB

Download
memory/3884-117-0x0000000005AE0000-0x0000000005AE1000-memory.dmp

Filesize
4KB

Download
memory/3884-116-0x0000000005500000-0x0000000005501000-memory.dmp

Filesize
4KB

Download
memory/3960-126-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads