warzonerat | 9479384c915a5bf368753c99a365ac15a21652ee21bd5db5ccff32c6deb899f4

General

Target

dafa.exe
Size

349KB
MD5

620239d356bc0af1c8dd8846a2613424
SHA1

0d3d341acc603593c8e060220e5e5046f987c065
SHA256

9479384c915a5bf368753c99a365ac15a21652ee21bd5db5ccff32c6deb899f4
SHA512

09b90b0f81f8d43ff793c606a320dbaf5fb51403ea8926be5dce42b117169bc36d71e3b500746ee71313c53a302cdeee590066d025927bb804ad8b9cc5ef0ea2

Score

10^/10

warzonerat infostealer rat

Malware Config

Extracted

Family

warzonerat

C2

santzo.warzonedns.com:5201

Signatures

WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
rat infostealer warzonerat

Warzone RAT Payload 5 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/3300-117-0x0000000000400000-0x0000000000424000-memory.dmp	warzonerat
behavioral2/memory/3300-118-0x0000000000405925-mapping.dmp	warzonerat
behavioral2/memory/3300-119-0x0000000000400000-0x0000000000424000-memory.dmp	warzonerat
behavioral2/memory/3012-199-0x0000000000405925-mapping.dmp	warzonerat
behavioral2/memory/3012-201-0x0000000000400000-0x0000000000424000-memory.dmp	warzonerat

Executes dropped EXE 2 IoCs

Processes:

images.exeimages.exe

pid process

788 images.exe
3012 images.exe
Suspicious use of SetThreadContext 2 IoCs

Processes:

dafa.exeimages.exe

description pid process target process

PID 2016 set thread context of 3300 2016 dafa.exe dafa.exe
PID 788 set thread context of 3012 788 images.exe images.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exe

pid process

1348 schtasks.exe
2268 schtasks.exe

pid	process
788	images.exe
3012	images.exe

description	pid	process	target process
PID 2016 set thread context of 3300	2016	dafa.exe	dafa.exe
PID 788 set thread context of 3012	788	images.exe	images.exe

pid	process
1348	schtasks.exe
2268	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

dafa.exedafa.exepowershell.exeimages.exeimages.exepowershell.exe

pid	process
2016	dafa.exe
2016	dafa.exe
3300	dafa.exe
3300	dafa.exe
3300	dafa.exe
3300	dafa.exe
3300	dafa.exe
3300	dafa.exe
3300	dafa.exe
3300	dafa.exe
8	powershell.exe
8	powershell.exe
8	powershell.exe
788	images.exe
788	images.exe
3012	images.exe
3012	images.exe
3012	images.exe
3012	images.exe
3012	images.exe
3012	images.exe
3012	images.exe
3012	images.exe
764	powershell.exe
764	powershell.exe
764	powershell.exe
3012	images.exe
3012	images.exe
3012	images.exe
3012	images.exe
3012	images.exe
3012	images.exe
3012	images.exe
3012	images.exe
3012	images.exe
3012	images.exe
3012	images.exe
3012	images.exe
3012	images.exe
3012	images.exe
3012	images.exe
3012	images.exe
3012	images.exe
3012	images.exe
3012	images.exe
3012	images.exe
3012	images.exe
3012	images.exe
3012	images.exe
3012	images.exe
3012	images.exe
3012	images.exe
3012	images.exe
3012	images.exe
3012	images.exe
3012	images.exe
3012	images.exe
3012	images.exe
3012	images.exe
3012	images.exe
3012	images.exe
3012	images.exe
3012	images.exe
3012	images.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

3036 Explorer.EXE

pid	process
3036	Explorer.EXE

Suspicious use of AdjustPrivilegeToken 10 IoCs

Processes:

dafa.exepowershell.exeExplorer.EXEimages.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	2016	dafa.exe
Token: SeDebugPrivilege	8	powershell.exe
Token: SeShutdownPrivilege	3036	Explorer.EXE
Token: SeCreatePagefilePrivilege	3036	Explorer.EXE
Token: SeShutdownPrivilege	3036	Explorer.EXE
Token: SeCreatePagefilePrivilege	3036	Explorer.EXE
Token: SeDebugPrivilege	788	images.exe
Token: SeDebugPrivilege	764	powershell.exe
Token: SeShutdownPrivilege	3036	Explorer.EXE
Token: SeCreatePagefilePrivilege	3036	Explorer.EXE

Suspicious use of UnmapMainImage 1 IoCs

Processes:

Explorer.EXE

pid process

3036 Explorer.EXE

pid	process
3036	Explorer.EXE

Suspicious use of WriteProcessMemory 44 IoCs

Processes:

dafa.exedafa.exeimages.exeimages.exe

description	pid	process	target process
PID 2016 wrote to memory of 1348	2016	dafa.exe	schtasks.exe
PID 2016 wrote to memory of 1348	2016	dafa.exe	schtasks.exe
PID 2016 wrote to memory of 1348	2016	dafa.exe	schtasks.exe
PID 2016 wrote to memory of 3300	2016	dafa.exe	dafa.exe
PID 2016 wrote to memory of 3300	2016	dafa.exe	dafa.exe
PID 2016 wrote to memory of 3300	2016	dafa.exe	dafa.exe
PID 2016 wrote to memory of 3300	2016	dafa.exe	dafa.exe
PID 2016 wrote to memory of 3300	2016	dafa.exe	dafa.exe
PID 2016 wrote to memory of 3300	2016	dafa.exe	dafa.exe
PID 2016 wrote to memory of 3300	2016	dafa.exe	dafa.exe
PID 2016 wrote to memory of 3300	2016	dafa.exe	dafa.exe
PID 2016 wrote to memory of 3300	2016	dafa.exe	dafa.exe
PID 2016 wrote to memory of 3300	2016	dafa.exe	dafa.exe
PID 2016 wrote to memory of 3300	2016	dafa.exe	dafa.exe
PID 3300 wrote to memory of 8	3300	dafa.exe	powershell.exe
PID 3300 wrote to memory of 8	3300	dafa.exe	powershell.exe
PID 3300 wrote to memory of 8	3300	dafa.exe	powershell.exe
PID 3300 wrote to memory of 3036	3300	dafa.exe	Explorer.EXE
PID 3300 wrote to memory of 3036	3300	dafa.exe	Explorer.EXE
PID 3300 wrote to memory of 788	3300	dafa.exe	images.exe
PID 3300 wrote to memory of 788	3300	dafa.exe	images.exe
PID 3300 wrote to memory of 788	3300	dafa.exe	images.exe
PID 788 wrote to memory of 2268	788	images.exe	schtasks.exe
PID 788 wrote to memory of 2268	788	images.exe	schtasks.exe
PID 788 wrote to memory of 2268	788	images.exe	schtasks.exe
PID 788 wrote to memory of 3012	788	images.exe	images.exe
PID 788 wrote to memory of 3012	788	images.exe	images.exe
PID 788 wrote to memory of 3012	788	images.exe	images.exe
PID 788 wrote to memory of 3012	788	images.exe	images.exe
PID 788 wrote to memory of 3012	788	images.exe	images.exe
PID 788 wrote to memory of 3012	788	images.exe	images.exe
PID 788 wrote to memory of 3012	788	images.exe	images.exe
PID 788 wrote to memory of 3012	788	images.exe	images.exe
PID 788 wrote to memory of 3012	788	images.exe	images.exe
PID 788 wrote to memory of 3012	788	images.exe	images.exe
PID 788 wrote to memory of 3012	788	images.exe	images.exe
PID 3012 wrote to memory of 764	3012	images.exe	powershell.exe
PID 3012 wrote to memory of 764	3012	images.exe	powershell.exe
PID 3012 wrote to memory of 764	3012	images.exe	powershell.exe
PID 3012 wrote to memory of 2664	3012	images.exe	cmd.exe
PID 3012 wrote to memory of 2664	3012	images.exe	cmd.exe
PID 3012 wrote to memory of 2664	3012	images.exe	cmd.exe
PID 3012 wrote to memory of 2664	3012	images.exe	cmd.exe
PID 3012 wrote to memory of 2664	3012	images.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of UnmapMainImage
PID:3036

C:\Users\Admin\AppData\Local\Temp\dafa.exe
"C:\Users\Admin\AppData\Local\Temp\dafa.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2016

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\GcjiTF" /XML "C:\Users\Admin\AppData\Local\Temp\tmpEAD3.tmp"
3⤵
- Creates scheduled task(s)
PID:1348

C:\Users\Admin\AppData\Local\Temp\dafa.exe
"C:\Users\Admin\AppData\Local\Temp\dafa.exe"
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3300

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell Add-MpPreference -ExclusionPath C:\
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:8

C:\ProgramData\images.exe
"C:\ProgramData\images.exe"
4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:788

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\GcjiTF" /XML "C:\Users\Admin\AppData\Local\Temp\tmpB026.tmp"
5⤵
- Creates scheduled task(s)
PID:2268

C:\ProgramData\images.exe
"C:\ProgramData\images.exe"
5⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3012

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell Add-MpPreference -ExclusionPath C:\
6⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:764

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe"
6⤵
PID:2664

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\images.exe
MD5
620239d356bc0af1c8dd8846a2613424

SHA1
0d3d341acc603593c8e060220e5e5046f987c065

SHA256
9479384c915a5bf368753c99a365ac15a21652ee21bd5db5ccff32c6deb899f4

SHA512
09b90b0f81f8d43ff793c606a320dbaf5fb51403ea8926be5dce42b117169bc36d71e3b500746ee71313c53a302cdeee590066d025927bb804ad8b9cc5ef0ea2

Download Submit
C:\ProgramData\images.exe
MD5
620239d356bc0af1c8dd8846a2613424

SHA1
0d3d341acc603593c8e060220e5e5046f987c065

SHA256
9479384c915a5bf368753c99a365ac15a21652ee21bd5db5ccff32c6deb899f4

SHA512
09b90b0f81f8d43ff793c606a320dbaf5fb51403ea8926be5dce42b117169bc36d71e3b500746ee71313c53a302cdeee590066d025927bb804ad8b9cc5ef0ea2

Download Submit
C:\ProgramData\images.exe
MD5
620239d356bc0af1c8dd8846a2613424

SHA1
0d3d341acc603593c8e060220e5e5046f987c065

SHA256
9479384c915a5bf368753c99a365ac15a21652ee21bd5db5ccff32c6deb899f4

SHA512
09b90b0f81f8d43ff793c606a320dbaf5fb51403ea8926be5dce42b117169bc36d71e3b500746ee71313c53a302cdeee590066d025927bb804ad8b9cc5ef0ea2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
MD5
1c19c16e21c97ed42d5beabc93391fc5

SHA1
8ad83f8e0b3acf8dfbbf87931e41f0d664c4df68

SHA256
1bcd97396c83babfe6c5068ba590d7a3f8b70e72955a9d1e4070648e404cbf05

SHA512
7d18776d8f649b3d29c182ff03efc6cea8b527542ee55304980f24577aae8b64e37044407776e220984346c3998ace5f8853afa58c8b38407482a728e9495e0c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
e9ce6e28954b2af1bf7a891b9443ce9d

SHA1
fa86c193ac56ed5fa9d54bd1134ca7ce2f777588

SHA256
7ea2c855331a57e6e95b72639e5233c6f98b4d9d1d3a78128d28eb4c45945df7

SHA512
dd95c4c6942e100645e286f34de7e41b7a9dd5cf1be7775a689a8463898928a3c67aa4b6174b79febdeaf4ca4c2ec01d317614e11a500adcf59a8dc115db9c05

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpB026.tmp
MD5
3e56b9d2687c62a661c14230731557da

SHA1
6180d61059a01183fa020a76a6fb4cdaa282aa0d

SHA256
d99578d22b65282e224d0b971713c4b29a3c45b7b2b836e1c2a3c71e937f2d81

SHA512
54d524211c8659a7812d16d9f16f050f08750c024f9c9a55489144b2403562c9e8264a34a55eb3e9fd9bb176853255b1a2975118f490d10f43ed4e7bb3ac1e9f

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpEAD3.tmp
MD5
3e56b9d2687c62a661c14230731557da

SHA1
6180d61059a01183fa020a76a6fb4cdaa282aa0d

SHA256
d99578d22b65282e224d0b971713c4b29a3c45b7b2b836e1c2a3c71e937f2d81

SHA512
54d524211c8659a7812d16d9f16f050f08750c024f9c9a55489144b2403562c9e8264a34a55eb3e9fd9bb176853255b1a2975118f490d10f43ed4e7bb3ac1e9f

Download Submit
memory/8-141-0x0000000007D90000-0x0000000007D91000-memory.dmp

Filesize
4KB

Download
memory/8-162-0x0000000009130000-0x0000000009131000-memory.dmp

Filesize
4KB

Download
memory/8-178-0x0000000004663000-0x0000000004664000-memory.dmp

Filesize
4KB

Download
memory/8-120-0x0000000000000000-mapping.dmp

Download
memory/8-130-0x00000000044A0000-0x00000000044A1000-memory.dmp

Filesize
4KB

Download
memory/8-131-0x0000000007080000-0x0000000007081000-memory.dmp

Filesize
4KB

Download
memory/8-132-0x0000000006F10000-0x0000000006F11000-memory.dmp

Filesize
4KB

Download
memory/8-176-0x000000007E3C0000-0x000000007E3C1000-memory.dmp

Filesize
4KB

Download
memory/8-163-0x0000000009280000-0x0000000009281000-memory.dmp

Filesize
4KB

Download
memory/8-135-0x0000000004660000-0x0000000004661000-memory.dmp

Filesize
4KB

Download
memory/8-136-0x0000000004662000-0x0000000004663000-memory.dmp

Filesize
4KB

Download
memory/8-137-0x0000000007820000-0x0000000007821000-memory.dmp

Filesize
4KB

Download
memory/8-138-0x0000000006FB0000-0x0000000006FB1000-memory.dmp

Filesize
4KB

Download
memory/8-139-0x00000000078F0000-0x00000000078F1000-memory.dmp

Filesize
4KB

Download
memory/8-140-0x00000000077D0000-0x00000000077D1000-memory.dmp

Filesize
4KB

Download
memory/8-157-0x0000000008D40000-0x0000000008D41000-memory.dmp

Filesize
4KB

Download
memory/8-142-0x00000000080E0000-0x00000000080E1000-memory.dmp

Filesize
4KB

Download
memory/8-150-0x0000000008D60000-0x0000000008D93000-memory.dmp

Filesize
204KB

Download
memory/764-207-0x00000000068C2000-0x00000000068C3000-memory.dmp

Filesize
4KB

Download
memory/764-209-0x00000000068C3000-0x00000000068C4000-memory.dmp

Filesize
4KB

Download
memory/764-208-0x000000007F8A0000-0x000000007F8A1000-memory.dmp

Filesize
4KB

Download
memory/764-206-0x00000000068C0000-0x00000000068C1000-memory.dmp

Filesize
4KB

Download
memory/764-202-0x0000000000000000-mapping.dmp

Download
memory/788-134-0x0000000000670000-0x0000000000671000-memory.dmp

Filesize
4KB

Download
memory/788-121-0x0000000000000000-mapping.dmp

Download
memory/1348-115-0x0000000000000000-mapping.dmp

Download
memory/2016-114-0x0000000002420000-0x0000000002421000-memory.dmp

Filesize
4KB

Download
memory/2268-197-0x0000000000000000-mapping.dmp

Download
memory/2664-203-0x0000000000000000-mapping.dmp

Download
memory/3012-201-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/3012-199-0x0000000000405925-mapping.dmp

Download
memory/3036-193-0x00007FFE8A380000-0x00007FFE8A390000-memory.dmp

Filesize
64KB

Download
memory/3036-196-0x0000000000650000-0x0000000000651000-memory.dmp

Filesize
4KB

Download
memory/3036-195-0x00007FFE8A3A0000-0x00007FFE8A3A6000-memory.dmp

Filesize
24KB

Download
memory/3036-194-0x0000000000670000-0x0000000000671000-memory.dmp

Filesize
4KB

Download
memory/3036-133-0x0000000005A30000-0x0000000005B30000-memory.dmp

Filesize
1024KB

Download
memory/3036-122-0x0000000000640000-0x0000000000646000-memory.dmp

Filesize
24KB

Download
memory/3300-118-0x0000000000405925-mapping.dmp

Download
memory/3300-119-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/3300-117-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads