warzonerat | f9ca14fcdffeb48b11ea026812ac0a7dc941f27e0c1384dc8e9b83b18de4c2a7

Analysis

max time kernel
151s
max time network
136s
platform
windows7_x64
resource
win7v20210408
submitted
07-05-2021 11:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

crat.exe
Size

526KB
MD5

51f96dfcb6d8ea6422b9bba50ccd31ac
SHA1

698657bce5870929f55ffd6a8d10e2a4a5be90ae
SHA256

f9ca14fcdffeb48b11ea026812ac0a7dc941f27e0c1384dc8e9b83b18de4c2a7
SHA512

ecee48b1e55e099c52d4b8e73544260d03f1c749321ff13150068dcebd1a575a93fbc7c5f7ad1a0ab1bffdb566a36757f9810df332110621ed3d5d600641bc18

Score

10^/10

warzonerat infostealer rat

Malware Config

Extracted

Family

warzonerat

149.28.124.150:5200

Signatures

WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
rat infostealer warzonerat
Executes dropped EXE 3 IoCs

Processes:

test.exeph88AcgfPIO.exeimages.exe

pid process

1448 test.exe
1020 ph88AcgfPIO.exe
1300 images.exe
Loads dropped DLL 7 IoCs

Processes:

crat.exetest.exeph88AcgfPIO.exe

pid process

1820 crat.exe
1820 crat.exe
1820 crat.exe
1820 crat.exe
1448 test.exe
1020 ph88AcgfPIO.exe
1020 ph88AcgfPIO.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

pid	process
1448	test.exe
1020	ph88AcgfPIO.exe
1300	images.exe

pid	process
1820	crat.exe
1820	crat.exe
1820	crat.exe
1820	crat.exe
1448	test.exe
1020	ph88AcgfPIO.exe
1020	ph88AcgfPIO.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

ph88AcgfPIO.exeimages.exe

pid	process
1020	ph88AcgfPIO.exe
1300	images.exe
1300	images.exe
1300	images.exe
1300	images.exe
1300	images.exe
1300	images.exe
1300	images.exe
1300	images.exe
1300	images.exe
1300	images.exe
1300	images.exe
1300	images.exe
1300	images.exe
1300	images.exe
1300	images.exe
1300	images.exe
1300	images.exe
1300	images.exe
1300	images.exe
1300	images.exe
1300	images.exe
1300	images.exe
1300	images.exe
1300	images.exe
1300	images.exe
1300	images.exe
1300	images.exe
1300	images.exe
1300	images.exe
1300	images.exe
1300	images.exe
1300	images.exe
1300	images.exe
1300	images.exe
1300	images.exe
1300	images.exe
1300	images.exe
1300	images.exe
1300	images.exe
1300	images.exe
1300	images.exe
1300	images.exe
1300	images.exe
1300	images.exe
1300	images.exe
1300	images.exe
1300	images.exe
1300	images.exe
1300	images.exe
1300	images.exe
1300	images.exe
1300	images.exe
1300	images.exe
1300	images.exe
1300	images.exe
1300	images.exe
1300	images.exe
1300	images.exe
1300	images.exe
1300	images.exe
1300	images.exe
1300	images.exe
1300	images.exe

Suspicious use of WriteProcessMemory 22 IoCs

Processes:

crat.exetest.exeph88AcgfPIO.execmd.exe

description	pid	process	target process
PID 1820 wrote to memory of 1448	1820	crat.exe	test.exe
PID 1820 wrote to memory of 1448	1820	crat.exe	test.exe
PID 1820 wrote to memory of 1448	1820	crat.exe	test.exe
PID 1820 wrote to memory of 1448	1820	crat.exe	test.exe
PID 1448 wrote to memory of 1020	1448	test.exe	ph88AcgfPIO.exe
PID 1448 wrote to memory of 1020	1448	test.exe	ph88AcgfPIO.exe
PID 1448 wrote to memory of 1020	1448	test.exe	ph88AcgfPIO.exe
PID 1448 wrote to memory of 1020	1448	test.exe	ph88AcgfPIO.exe
PID 1020 wrote to memory of 1208	1020	ph88AcgfPIO.exe	Explorer.EXE
PID 1020 wrote to memory of 1208	1020	ph88AcgfPIO.exe	Explorer.EXE
PID 1020 wrote to memory of 1004	1020	ph88AcgfPIO.exe	cmd.exe
PID 1020 wrote to memory of 1004	1020	ph88AcgfPIO.exe	cmd.exe
PID 1020 wrote to memory of 1004	1020	ph88AcgfPIO.exe	cmd.exe
PID 1020 wrote to memory of 1004	1020	ph88AcgfPIO.exe	cmd.exe
PID 1020 wrote to memory of 1300	1020	ph88AcgfPIO.exe	images.exe
PID 1020 wrote to memory of 1300	1020	ph88AcgfPIO.exe	images.exe
PID 1020 wrote to memory of 1300	1020	ph88AcgfPIO.exe	images.exe
PID 1020 wrote to memory of 1300	1020	ph88AcgfPIO.exe	images.exe
PID 1004 wrote to memory of 1500	1004	cmd.exe	reg.exe
PID 1004 wrote to memory of 1500	1004	cmd.exe	reg.exe
PID 1004 wrote to memory of 1500	1004	cmd.exe	reg.exe
PID 1004 wrote to memory of 1500	1004	cmd.exe	reg.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1208

C:\Users\Admin\AppData\Local\Temp\crat.exe
"C:\Users\Admin\AppData\Local\Temp\crat.exe"
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1820

C:\Users\Admin\AppData\Roaming\test.exe
"C:\Users\Admin\AppData\Roaming\test.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1448

C:\Users\Admin\Documents\ph88AcgfPIO.exe
"C:\Users\Admin\Documents\ph88AcgfPIO.exe"
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1020

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /f /v Load /t REG_SZ /d "C:\ProgramData\images.exe"
5⤵
- Suspicious use of WriteProcessMemory
PID:1004

C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /f /v Load /t REG_SZ /d "C:\ProgramData\images.exe"
6⤵
PID:1500

C:\ProgramData\images.exe
"C:\ProgramData\images.exe"
5⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:1300

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\images.exe
MD5
49e8a6ee9c5dd808767d4753639bb045

SHA1
63739f2feff8d277d53b9af26df46c77d4088cf6

SHA256
9cd6c84ba5aee64aca1a0e7d17839c3974b965efd4ab83cc0d1deb336793f590

SHA512
8dc55930a566f6efcc365f8a8498aaf93ff609aa98acdbbaee3a4f9716d3da322615cc0366ffcf14b81fc6196b7f8cde982c8ba4d2df874d046db3060ab9af06

Download Submit
C:\ProgramData\images.exe
MD5
49e8a6ee9c5dd808767d4753639bb045

SHA1
63739f2feff8d277d53b9af26df46c77d4088cf6

SHA256
9cd6c84ba5aee64aca1a0e7d17839c3974b965efd4ab83cc0d1deb336793f590

SHA512
8dc55930a566f6efcc365f8a8498aaf93ff609aa98acdbbaee3a4f9716d3da322615cc0366ffcf14b81fc6196b7f8cde982c8ba4d2df874d046db3060ab9af06

Download Submit
C:\Users\Admin\AppData\Roaming\test.exe
MD5
05cb7c989fa115270895dbadf7598a1b

SHA1
cfa9ac127090cc5826a6e7b6e2b13cceb82ba751

SHA256
dbdfbca2dcc01a530cd7c449500dc0f6b564c11f9ed9dc8d746709a235d6826f

SHA512
849c96876d37043a95f828ac3587b2049c0217d826f07724330f6d8d9a613868ff79352da8b74078101796d2ddf62037544db8faa680bf77ebdbd6c034fbdca9

Download Submit
C:\Users\Admin\AppData\Roaming\test.exe
MD5
05cb7c989fa115270895dbadf7598a1b

SHA1
cfa9ac127090cc5826a6e7b6e2b13cceb82ba751

SHA256
dbdfbca2dcc01a530cd7c449500dc0f6b564c11f9ed9dc8d746709a235d6826f

SHA512
849c96876d37043a95f828ac3587b2049c0217d826f07724330f6d8d9a613868ff79352da8b74078101796d2ddf62037544db8faa680bf77ebdbd6c034fbdca9

Download Submit
C:\Users\Admin\Documents\ph88AcgfPIO.exe
MD5
49e8a6ee9c5dd808767d4753639bb045

SHA1
63739f2feff8d277d53b9af26df46c77d4088cf6

SHA256
9cd6c84ba5aee64aca1a0e7d17839c3974b965efd4ab83cc0d1deb336793f590

SHA512
8dc55930a566f6efcc365f8a8498aaf93ff609aa98acdbbaee3a4f9716d3da322615cc0366ffcf14b81fc6196b7f8cde982c8ba4d2df874d046db3060ab9af06

Download Submit
C:\Users\Admin\Documents\ph88AcgfPIO.exe
MD5
49e8a6ee9c5dd808767d4753639bb045

SHA1
63739f2feff8d277d53b9af26df46c77d4088cf6

SHA256
9cd6c84ba5aee64aca1a0e7d17839c3974b965efd4ab83cc0d1deb336793f590

SHA512
8dc55930a566f6efcc365f8a8498aaf93ff609aa98acdbbaee3a4f9716d3da322615cc0366ffcf14b81fc6196b7f8cde982c8ba4d2df874d046db3060ab9af06

Download Submit
\ProgramData\images.exe
MD5
49e8a6ee9c5dd808767d4753639bb045

SHA1
63739f2feff8d277d53b9af26df46c77d4088cf6

SHA256
9cd6c84ba5aee64aca1a0e7d17839c3974b965efd4ab83cc0d1deb336793f590

SHA512
8dc55930a566f6efcc365f8a8498aaf93ff609aa98acdbbaee3a4f9716d3da322615cc0366ffcf14b81fc6196b7f8cde982c8ba4d2df874d046db3060ab9af06

Download Submit
\ProgramData\images.exe
MD5
49e8a6ee9c5dd808767d4753639bb045

SHA1
63739f2feff8d277d53b9af26df46c77d4088cf6

SHA256
9cd6c84ba5aee64aca1a0e7d17839c3974b965efd4ab83cc0d1deb336793f590

SHA512
8dc55930a566f6efcc365f8a8498aaf93ff609aa98acdbbaee3a4f9716d3da322615cc0366ffcf14b81fc6196b7f8cde982c8ba4d2df874d046db3060ab9af06

Download Submit
\Users\Admin\AppData\Local\Temp\6372a841-9f92-4355-be7d-f72f94928f4d\test.dll
MD5
e8641f344213ca05d8b5264b5f4e2dee

SHA1
96729e31f9b805800b2248fd22a4b53e226c8309

SHA256
85e82b9e9200e798e8f434459eacee03ed9818cc6c9a513fe083e72d48884e24

SHA512
3130f32c100ecb97083ad8ac4c67863e9ceed3a9b06fc464d1aeeaec389f74c8bf56f4ce04f6450fd2cc0fa861d085101c433cfa4bec3095f8ebeeb53b739109

Download Submit
\Users\Admin\AppData\Roaming\test.exe
MD5
05cb7c989fa115270895dbadf7598a1b

SHA1
cfa9ac127090cc5826a6e7b6e2b13cceb82ba751

SHA256
dbdfbca2dcc01a530cd7c449500dc0f6b564c11f9ed9dc8d746709a235d6826f

SHA512
849c96876d37043a95f828ac3587b2049c0217d826f07724330f6d8d9a613868ff79352da8b74078101796d2ddf62037544db8faa680bf77ebdbd6c034fbdca9

Download Submit
\Users\Admin\AppData\Roaming\test.exe
MD5
05cb7c989fa115270895dbadf7598a1b

SHA1
cfa9ac127090cc5826a6e7b6e2b13cceb82ba751

SHA256
dbdfbca2dcc01a530cd7c449500dc0f6b564c11f9ed9dc8d746709a235d6826f

SHA512
849c96876d37043a95f828ac3587b2049c0217d826f07724330f6d8d9a613868ff79352da8b74078101796d2ddf62037544db8faa680bf77ebdbd6c034fbdca9

Download Submit
\Users\Admin\AppData\Roaming\test.exe
MD5
05cb7c989fa115270895dbadf7598a1b

SHA1
cfa9ac127090cc5826a6e7b6e2b13cceb82ba751

SHA256
dbdfbca2dcc01a530cd7c449500dc0f6b564c11f9ed9dc8d746709a235d6826f

SHA512
849c96876d37043a95f828ac3587b2049c0217d826f07724330f6d8d9a613868ff79352da8b74078101796d2ddf62037544db8faa680bf77ebdbd6c034fbdca9

Download Submit
\Users\Admin\AppData\Roaming\test.exe
MD5
05cb7c989fa115270895dbadf7598a1b

SHA1
cfa9ac127090cc5826a6e7b6e2b13cceb82ba751

SHA256
dbdfbca2dcc01a530cd7c449500dc0f6b564c11f9ed9dc8d746709a235d6826f

SHA512
849c96876d37043a95f828ac3587b2049c0217d826f07724330f6d8d9a613868ff79352da8b74078101796d2ddf62037544db8faa680bf77ebdbd6c034fbdca9

Download Submit
memory/1004-77-0x0000000000000000-mapping.dmp

Download
memory/1020-72-0x0000000000000000-mapping.dmp

Download
memory/1300-80-0x0000000000000000-mapping.dmp

Download
memory/1448-75-0x000000001ABB0000-0x000000001ABB2000-memory.dmp

Filesize
8KB

Download
memory/1448-71-0x000007FEF4070000-0x000007FEF419C000-memory.dmp

Filesize
1.2MB

Download
memory/1448-65-0x0000000000000000-mapping.dmp

Download
memory/1448-68-0x0000000000DE0000-0x0000000000DE1000-memory.dmp

Filesize
4KB

Download
memory/1500-83-0x0000000000000000-mapping.dmp

Download
memory/1820-60-0x0000000076641000-0x0000000076643000-memory.dmp

Filesize
8KB

Download