warzonerat | 33be12e4978d894da637959e06d3d125923816ccdf52c644b5ebf24ab8ea06d5

General

Target

33be12e4978d894da637959e06d3d125923816ccdf52c644b5ebf24ab8ea06d5.exe
Size

1.8MB
MD5

b9e4fdb4f1d1e50fb2b1bc6f8e648e91
SHA1

afe3e9370a5fb240ae917a9089fc07b6a54a7bd6
SHA256

33be12e4978d894da637959e06d3d125923816ccdf52c644b5ebf24ab8ea06d5
SHA512

ff4f45aca5c634e0e64623c8dd1e5521b502713166c5cc01699d3eef24b39e3ae7238d8afa61457c418d242cadb9505ba09a7b50cfac55cf5fa4855c7bdb2cad

Score

10^/10

warzonerat infostealer persistence rat

Malware Config

Signatures

WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
rat infostealer warzonerat

Warzone RAT Payload 7 IoCs

rat

Processes:

resource	yara_rule
\Windows\system\explorer.exe	warzonerat
C:\Windows\system\explorer.exe	warzonerat
\Windows\system\explorer.exe	warzonerat
\??\c:\windows\system\explorer.exe	warzonerat
C:\Users\Admin\AppData\Local\Temp\Disk.sys	warzonerat
C:\Users\Admin\AppData\Local\Chrome\StikyNot.exe	warzonerat
C:\Windows\system\explorer.exe	warzonerat

Executes dropped EXE 2 IoCs

Processes:

explorer.exeexplorer.exe

pid process

1468 explorer.exe
1328 explorer.exe

pid	process
1468	explorer.exe
1328	explorer.exe

Loads dropped DLL 2 IoCs

Processes:

33be12e4978d894da637959e06d3d125923816ccdf52c644b5ebf24ab8ea06d5.exe

pid	process
1716	33be12e4978d894da637959e06d3d125923816ccdf52c644b5ebf24ab8ea06d5.exe
1716	33be12e4978d894da637959e06d3d125923816ccdf52c644b5ebf24ab8ea06d5.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

33be12e4978d894da637959e06d3d125923816ccdf52c644b5ebf24ab8ea06d5.exeexplorer.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\StikyNot.exe"	33be12e4978d894da637959e06d3d125923816ccdf52c644b5ebf24ab8ea06d5.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\StikyNot.exe"	explorer.exe

Suspicious use of SetThreadContext 4 IoCs

Processes:

33be12e4978d894da637959e06d3d125923816ccdf52c644b5ebf24ab8ea06d5.exeexplorer.exe

description	pid	process	target process
PID 756 set thread context of 1716	756	33be12e4978d894da637959e06d3d125923816ccdf52c644b5ebf24ab8ea06d5.exe	33be12e4978d894da637959e06d3d125923816ccdf52c644b5ebf24ab8ea06d5.exe
PID 756 set thread context of 1264	756	33be12e4978d894da637959e06d3d125923816ccdf52c644b5ebf24ab8ea06d5.exe	diskperf.exe
PID 1468 set thread context of 1328	1468	explorer.exe	explorer.exe
PID 1468 set thread context of 608	1468	explorer.exe	diskperf.exe

Drops file in Windows directory 1 IoCs

Processes:

33be12e4978d894da637959e06d3d125923816ccdf52c644b5ebf24ab8ea06d5.exe

description	ioc	process
File opened for modification	\??\c:\windows\system\explorer.exe	33be12e4978d894da637959e06d3d125923816ccdf52c644b5ebf24ab8ea06d5.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

33be12e4978d894da637959e06d3d125923816ccdf52c644b5ebf24ab8ea06d5.exe

pid process

1716 33be12e4978d894da637959e06d3d125923816ccdf52c644b5ebf24ab8ea06d5.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

33be12e4978d894da637959e06d3d125923816ccdf52c644b5ebf24ab8ea06d5.exe

pid	process
1716	33be12e4978d894da637959e06d3d125923816ccdf52c644b5ebf24ab8ea06d5.exe
1716	33be12e4978d894da637959e06d3d125923816ccdf52c644b5ebf24ab8ea06d5.exe

Suspicious use of WriteProcessMemory 34 IoCs

Processes:

33be12e4978d894da637959e06d3d125923816ccdf52c644b5ebf24ab8ea06d5.exe33be12e4978d894da637959e06d3d125923816ccdf52c644b5ebf24ab8ea06d5.exeexplorer.exe

description	pid	process	target process
PID 756 wrote to memory of 1716	756	33be12e4978d894da637959e06d3d125923816ccdf52c644b5ebf24ab8ea06d5.exe	33be12e4978d894da637959e06d3d125923816ccdf52c644b5ebf24ab8ea06d5.exe
PID 756 wrote to memory of 1716	756	33be12e4978d894da637959e06d3d125923816ccdf52c644b5ebf24ab8ea06d5.exe	33be12e4978d894da637959e06d3d125923816ccdf52c644b5ebf24ab8ea06d5.exe
PID 756 wrote to memory of 1716	756	33be12e4978d894da637959e06d3d125923816ccdf52c644b5ebf24ab8ea06d5.exe	33be12e4978d894da637959e06d3d125923816ccdf52c644b5ebf24ab8ea06d5.exe
PID 756 wrote to memory of 1716	756	33be12e4978d894da637959e06d3d125923816ccdf52c644b5ebf24ab8ea06d5.exe	33be12e4978d894da637959e06d3d125923816ccdf52c644b5ebf24ab8ea06d5.exe
PID 756 wrote to memory of 1716	756	33be12e4978d894da637959e06d3d125923816ccdf52c644b5ebf24ab8ea06d5.exe	33be12e4978d894da637959e06d3d125923816ccdf52c644b5ebf24ab8ea06d5.exe
PID 756 wrote to memory of 1716	756	33be12e4978d894da637959e06d3d125923816ccdf52c644b5ebf24ab8ea06d5.exe	33be12e4978d894da637959e06d3d125923816ccdf52c644b5ebf24ab8ea06d5.exe
PID 756 wrote to memory of 1716	756	33be12e4978d894da637959e06d3d125923816ccdf52c644b5ebf24ab8ea06d5.exe	33be12e4978d894da637959e06d3d125923816ccdf52c644b5ebf24ab8ea06d5.exe
PID 756 wrote to memory of 1716	756	33be12e4978d894da637959e06d3d125923816ccdf52c644b5ebf24ab8ea06d5.exe	33be12e4978d894da637959e06d3d125923816ccdf52c644b5ebf24ab8ea06d5.exe
PID 756 wrote to memory of 1716	756	33be12e4978d894da637959e06d3d125923816ccdf52c644b5ebf24ab8ea06d5.exe	33be12e4978d894da637959e06d3d125923816ccdf52c644b5ebf24ab8ea06d5.exe
PID 756 wrote to memory of 1264	756	33be12e4978d894da637959e06d3d125923816ccdf52c644b5ebf24ab8ea06d5.exe	diskperf.exe
PID 756 wrote to memory of 1264	756	33be12e4978d894da637959e06d3d125923816ccdf52c644b5ebf24ab8ea06d5.exe	diskperf.exe
PID 756 wrote to memory of 1264	756	33be12e4978d894da637959e06d3d125923816ccdf52c644b5ebf24ab8ea06d5.exe	diskperf.exe
PID 756 wrote to memory of 1264	756	33be12e4978d894da637959e06d3d125923816ccdf52c644b5ebf24ab8ea06d5.exe	diskperf.exe
PID 756 wrote to memory of 1264	756	33be12e4978d894da637959e06d3d125923816ccdf52c644b5ebf24ab8ea06d5.exe	diskperf.exe
PID 756 wrote to memory of 1264	756	33be12e4978d894da637959e06d3d125923816ccdf52c644b5ebf24ab8ea06d5.exe	diskperf.exe
PID 1716 wrote to memory of 1468	1716	33be12e4978d894da637959e06d3d125923816ccdf52c644b5ebf24ab8ea06d5.exe	explorer.exe
PID 1716 wrote to memory of 1468	1716	33be12e4978d894da637959e06d3d125923816ccdf52c644b5ebf24ab8ea06d5.exe	explorer.exe
PID 1716 wrote to memory of 1468	1716	33be12e4978d894da637959e06d3d125923816ccdf52c644b5ebf24ab8ea06d5.exe	explorer.exe
PID 1716 wrote to memory of 1468	1716	33be12e4978d894da637959e06d3d125923816ccdf52c644b5ebf24ab8ea06d5.exe	explorer.exe
PID 1468 wrote to memory of 1328	1468	explorer.exe	explorer.exe
PID 1468 wrote to memory of 1328	1468	explorer.exe	explorer.exe
PID 1468 wrote to memory of 1328	1468	explorer.exe	explorer.exe
PID 1468 wrote to memory of 1328	1468	explorer.exe	explorer.exe
PID 1468 wrote to memory of 1328	1468	explorer.exe	explorer.exe
PID 1468 wrote to memory of 1328	1468	explorer.exe	explorer.exe
PID 1468 wrote to memory of 1328	1468	explorer.exe	explorer.exe
PID 1468 wrote to memory of 1328	1468	explorer.exe	explorer.exe
PID 1468 wrote to memory of 1328	1468	explorer.exe	explorer.exe
PID 1468 wrote to memory of 608	1468	explorer.exe	diskperf.exe
PID 1468 wrote to memory of 608	1468	explorer.exe	diskperf.exe
PID 1468 wrote to memory of 608	1468	explorer.exe	diskperf.exe
PID 1468 wrote to memory of 608	1468	explorer.exe	diskperf.exe
PID 1468 wrote to memory of 608	1468	explorer.exe	diskperf.exe
PID 1468 wrote to memory of 608	1468	explorer.exe	diskperf.exe

C:\Users\Admin\AppData\Local\Temp\33be12e4978d894da637959e06d3d125923816ccdf52c644b5ebf24ab8ea06d5.exe
"C:\Users\Admin\AppData\Local\Temp\33be12e4978d894da637959e06d3d125923816ccdf52c644b5ebf24ab8ea06d5.exe"
1⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:756

C:\Users\Admin\AppData\Local\Temp\33be12e4978d894da637959e06d3d125923816ccdf52c644b5ebf24ab8ea06d5.exe
"C:\Users\Admin\AppData\Local\Temp\33be12e4978d894da637959e06d3d125923816ccdf52c644b5ebf24ab8ea06d5.exe"
2⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1716

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1468

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
4⤵
- Executes dropped EXE
PID:1328

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
4⤵
PID:608

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
2⤵
PID:1264

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Chrome\StikyNot.exe
MD5
b9e4fdb4f1d1e50fb2b1bc6f8e648e91

SHA1
afe3e9370a5fb240ae917a9089fc07b6a54a7bd6

SHA256
33be12e4978d894da637959e06d3d125923816ccdf52c644b5ebf24ab8ea06d5

SHA512
ff4f45aca5c634e0e64623c8dd1e5521b502713166c5cc01699d3eef24b39e3ae7238d8afa61457c418d242cadb9505ba09a7b50cfac55cf5fa4855c7bdb2cad

Download Submit
C:\Users\Admin\AppData\Local\Temp\Disk.sys
MD5
4f2a85631e64de0f0c79734020c219ed

SHA1
7477de7d243a12e36505dcc297c5f3d9d1b00de5

SHA256
9c1614cff8128ac4d53fc18b6267ece8167dea8ec65fa4841fbb54a65e2e2d17

SHA512
1ea331e91a170d2897d2d30fdbd7a2c3894db81d09b8126e149920a60514d567849b7df02637368418c91a21f944362159be29368c7b9d1d25182770b4143f14

Download Submit
C:\Windows\system\explorer.exe
MD5
4f2a85631e64de0f0c79734020c219ed

SHA1
7477de7d243a12e36505dcc297c5f3d9d1b00de5

SHA256
9c1614cff8128ac4d53fc18b6267ece8167dea8ec65fa4841fbb54a65e2e2d17

SHA512
1ea331e91a170d2897d2d30fdbd7a2c3894db81d09b8126e149920a60514d567849b7df02637368418c91a21f944362159be29368c7b9d1d25182770b4143f14

Download Submit
C:\Windows\system\explorer.exe
MD5
4f2a85631e64de0f0c79734020c219ed

SHA1
7477de7d243a12e36505dcc297c5f3d9d1b00de5

SHA256
9c1614cff8128ac4d53fc18b6267ece8167dea8ec65fa4841fbb54a65e2e2d17

SHA512
1ea331e91a170d2897d2d30fdbd7a2c3894db81d09b8126e149920a60514d567849b7df02637368418c91a21f944362159be29368c7b9d1d25182770b4143f14

Download Submit
\??\c:\windows\system\explorer.exe
MD5
4f2a85631e64de0f0c79734020c219ed

SHA1
7477de7d243a12e36505dcc297c5f3d9d1b00de5

SHA256
9c1614cff8128ac4d53fc18b6267ece8167dea8ec65fa4841fbb54a65e2e2d17

SHA512
1ea331e91a170d2897d2d30fdbd7a2c3894db81d09b8126e149920a60514d567849b7df02637368418c91a21f944362159be29368c7b9d1d25182770b4143f14

Download Submit
\Windows\system\explorer.exe
MD5
4f2a85631e64de0f0c79734020c219ed

SHA1
7477de7d243a12e36505dcc297c5f3d9d1b00de5

SHA256
9c1614cff8128ac4d53fc18b6267ece8167dea8ec65fa4841fbb54a65e2e2d17

SHA512
1ea331e91a170d2897d2d30fdbd7a2c3894db81d09b8126e149920a60514d567849b7df02637368418c91a21f944362159be29368c7b9d1d25182770b4143f14

Download Submit
\Windows\system\explorer.exe
MD5
4f2a85631e64de0f0c79734020c219ed

SHA1
7477de7d243a12e36505dcc297c5f3d9d1b00de5

SHA256
9c1614cff8128ac4d53fc18b6267ece8167dea8ec65fa4841fbb54a65e2e2d17

SHA512
1ea331e91a170d2897d2d30fdbd7a2c3894db81d09b8126e149920a60514d567849b7df02637368418c91a21f944362159be29368c7b9d1d25182770b4143f14

Download Submit
memory/608-86-0x0000000000411000-mapping.dmp

Download
memory/756-61-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/756-60-0x00000000750C1000-0x00000000750C3000-memory.dmp

Filesize
8KB

Download
memory/1264-66-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1264-72-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1264-67-0x0000000000411000-mapping.dmp

Download
memory/1328-81-0x0000000000403670-mapping.dmp

Download
memory/1468-75-0x0000000000000000-mapping.dmp

Download
memory/1468-78-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/1716-71-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1716-63-0x0000000000403670-mapping.dmp

Download
memory/1716-62-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads