warzonerat | 9479384c915a5bf368753c99a365ac15a21652ee21bd5db5ccff32c6deb899f4

General

Target

dafa.exe
Size

349KB
MD5

620239d356bc0af1c8dd8846a2613424
SHA1

0d3d341acc603593c8e060220e5e5046f987c065
SHA256

9479384c915a5bf368753c99a365ac15a21652ee21bd5db5ccff32c6deb899f4
SHA512

09b90b0f81f8d43ff793c606a320dbaf5fb51403ea8926be5dce42b117169bc36d71e3b500746ee71313c53a302cdeee590066d025927bb804ad8b9cc5ef0ea2

Score

10^/10

warzonerat infostealer rat

Malware Config

Extracted

Family

warzonerat

C2

santzo.warzonedns.com:5201

Signatures

WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
rat infostealer warzonerat

Warzone RAT Payload 5 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/4040-117-0x0000000000400000-0x0000000000424000-memory.dmp	warzonerat
behavioral2/memory/4040-118-0x0000000000405925-mapping.dmp	warzonerat
behavioral2/memory/4040-119-0x0000000000400000-0x0000000000424000-memory.dmp	warzonerat
behavioral2/memory/416-199-0x0000000000405925-mapping.dmp	warzonerat
behavioral2/memory/416-201-0x0000000000400000-0x0000000000424000-memory.dmp	warzonerat

Executes dropped EXE 2 IoCs

Processes:

images.exeimages.exe

pid process

1460 images.exe
416 images.exe
Suspicious use of SetThreadContext 2 IoCs

Processes:

dafa.exeimages.exe

description pid process target process

PID 2112 set thread context of 4040 2112 dafa.exe dafa.exe
PID 1460 set thread context of 416 1460 images.exe images.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exe

pid process

3988 schtasks.exe
4084 schtasks.exe

pid	process
1460	images.exe
416	images.exe

description	pid	process	target process
PID 2112 set thread context of 4040	2112	dafa.exe	dafa.exe
PID 1460 set thread context of 416	1460	images.exe	images.exe

pid	process
3988	schtasks.exe
4084	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

dafa.exedafa.exepowershell.exeimages.exeimages.exepowershell.exe

pid	process
2112	dafa.exe
2112	dafa.exe
4040	dafa.exe
4040	dafa.exe
4040	dafa.exe
4040	dafa.exe
4040	dafa.exe
4040	dafa.exe
4040	dafa.exe
4040	dafa.exe
1112	powershell.exe
1112	powershell.exe
1112	powershell.exe
1460	images.exe
1460	images.exe
416	images.exe
416	images.exe
416	images.exe
416	images.exe
416	images.exe
416	images.exe
416	images.exe
416	images.exe
3964	powershell.exe
3964	powershell.exe
3964	powershell.exe
416	images.exe
416	images.exe
416	images.exe
416	images.exe
416	images.exe
416	images.exe
416	images.exe
416	images.exe
416	images.exe
416	images.exe
416	images.exe
416	images.exe
416	images.exe
416	images.exe
416	images.exe
416	images.exe
416	images.exe
416	images.exe
416	images.exe
416	images.exe
416	images.exe
416	images.exe
416	images.exe
416	images.exe
416	images.exe
416	images.exe
416	images.exe
416	images.exe
416	images.exe
416	images.exe
416	images.exe
416	images.exe
416	images.exe
416	images.exe
416	images.exe
416	images.exe
416	images.exe
416	images.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

2996 Explorer.EXE

pid	process
2996	Explorer.EXE

Suspicious use of AdjustPrivilegeToken 10 IoCs

Processes:

dafa.exepowershell.exeExplorer.EXEimages.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	2112	dafa.exe
Token: SeDebugPrivilege	1112	powershell.exe
Token: SeShutdownPrivilege	2996	Explorer.EXE
Token: SeCreatePagefilePrivilege	2996	Explorer.EXE
Token: SeShutdownPrivilege	2996	Explorer.EXE
Token: SeCreatePagefilePrivilege	2996	Explorer.EXE
Token: SeDebugPrivilege	1460	images.exe
Token: SeDebugPrivilege	3964	powershell.exe
Token: SeShutdownPrivilege	2996	Explorer.EXE
Token: SeCreatePagefilePrivilege	2996	Explorer.EXE

Suspicious use of UnmapMainImage 1 IoCs

Processes:

Explorer.EXE

pid process

2996 Explorer.EXE

pid	process
2996	Explorer.EXE

Suspicious use of WriteProcessMemory 44 IoCs

Processes:

dafa.exedafa.exeimages.exeimages.exe

description	pid	process	target process
PID 2112 wrote to memory of 3988	2112	dafa.exe	schtasks.exe
PID 2112 wrote to memory of 3988	2112	dafa.exe	schtasks.exe
PID 2112 wrote to memory of 3988	2112	dafa.exe	schtasks.exe
PID 2112 wrote to memory of 4040	2112	dafa.exe	dafa.exe
PID 2112 wrote to memory of 4040	2112	dafa.exe	dafa.exe
PID 2112 wrote to memory of 4040	2112	dafa.exe	dafa.exe
PID 2112 wrote to memory of 4040	2112	dafa.exe	dafa.exe
PID 2112 wrote to memory of 4040	2112	dafa.exe	dafa.exe
PID 2112 wrote to memory of 4040	2112	dafa.exe	dafa.exe
PID 2112 wrote to memory of 4040	2112	dafa.exe	dafa.exe
PID 2112 wrote to memory of 4040	2112	dafa.exe	dafa.exe
PID 2112 wrote to memory of 4040	2112	dafa.exe	dafa.exe
PID 2112 wrote to memory of 4040	2112	dafa.exe	dafa.exe
PID 2112 wrote to memory of 4040	2112	dafa.exe	dafa.exe
PID 4040 wrote to memory of 1112	4040	dafa.exe	powershell.exe
PID 4040 wrote to memory of 1112	4040	dafa.exe	powershell.exe
PID 4040 wrote to memory of 1112	4040	dafa.exe	powershell.exe
PID 4040 wrote to memory of 1460	4040	dafa.exe	images.exe
PID 4040 wrote to memory of 1460	4040	dafa.exe	images.exe
PID 4040 wrote to memory of 1460	4040	dafa.exe	images.exe
PID 4040 wrote to memory of 2996	4040	dafa.exe	Explorer.EXE
PID 4040 wrote to memory of 2996	4040	dafa.exe	Explorer.EXE
PID 1460 wrote to memory of 4084	1460	images.exe	schtasks.exe
PID 1460 wrote to memory of 4084	1460	images.exe	schtasks.exe
PID 1460 wrote to memory of 4084	1460	images.exe	schtasks.exe
PID 1460 wrote to memory of 416	1460	images.exe	images.exe
PID 1460 wrote to memory of 416	1460	images.exe	images.exe
PID 1460 wrote to memory of 416	1460	images.exe	images.exe
PID 1460 wrote to memory of 416	1460	images.exe	images.exe
PID 1460 wrote to memory of 416	1460	images.exe	images.exe
PID 1460 wrote to memory of 416	1460	images.exe	images.exe
PID 1460 wrote to memory of 416	1460	images.exe	images.exe
PID 1460 wrote to memory of 416	1460	images.exe	images.exe
PID 1460 wrote to memory of 416	1460	images.exe	images.exe
PID 1460 wrote to memory of 416	1460	images.exe	images.exe
PID 1460 wrote to memory of 416	1460	images.exe	images.exe
PID 416 wrote to memory of 3964	416	images.exe	powershell.exe
PID 416 wrote to memory of 3964	416	images.exe	powershell.exe
PID 416 wrote to memory of 3964	416	images.exe	powershell.exe
PID 416 wrote to memory of 496	416	images.exe	cmd.exe
PID 416 wrote to memory of 496	416	images.exe	cmd.exe
PID 416 wrote to memory of 496	416	images.exe	cmd.exe
PID 416 wrote to memory of 496	416	images.exe	cmd.exe
PID 416 wrote to memory of 496	416	images.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of UnmapMainImage
PID:2996

C:\Users\Admin\AppData\Local\Temp\dafa.exe
"C:\Users\Admin\AppData\Local\Temp\dafa.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2112

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\GcjiTF" /XML "C:\Users\Admin\AppData\Local\Temp\tmpDE50.tmp"
3⤵
- Creates scheduled task(s)
PID:3988

C:\Users\Admin\AppData\Local\Temp\dafa.exe
"C:\Users\Admin\AppData\Local\Temp\dafa.exe"
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4040

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell Add-MpPreference -ExclusionPath C:\
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1112

C:\ProgramData\images.exe
"C:\ProgramData\images.exe"
4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1460

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\GcjiTF" /XML "C:\Users\Admin\AppData\Local\Temp\tmpBF69.tmp"
5⤵
- Creates scheduled task(s)
PID:4084

C:\ProgramData\images.exe
"C:\ProgramData\images.exe"
5⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:416

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell Add-MpPreference -ExclusionPath C:\
6⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3964

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe"
6⤵
PID:496

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\images.exe
MD5
620239d356bc0af1c8dd8846a2613424

SHA1
0d3d341acc603593c8e060220e5e5046f987c065

SHA256
9479384c915a5bf368753c99a365ac15a21652ee21bd5db5ccff32c6deb899f4

SHA512
09b90b0f81f8d43ff793c606a320dbaf5fb51403ea8926be5dce42b117169bc36d71e3b500746ee71313c53a302cdeee590066d025927bb804ad8b9cc5ef0ea2

Download Submit
C:\ProgramData\images.exe
MD5
620239d356bc0af1c8dd8846a2613424

SHA1
0d3d341acc603593c8e060220e5e5046f987c065

SHA256
9479384c915a5bf368753c99a365ac15a21652ee21bd5db5ccff32c6deb899f4

SHA512
09b90b0f81f8d43ff793c606a320dbaf5fb51403ea8926be5dce42b117169bc36d71e3b500746ee71313c53a302cdeee590066d025927bb804ad8b9cc5ef0ea2

Download Submit
C:\ProgramData\images.exe
MD5
620239d356bc0af1c8dd8846a2613424

SHA1
0d3d341acc603593c8e060220e5e5046f987c065

SHA256
9479384c915a5bf368753c99a365ac15a21652ee21bd5db5ccff32c6deb899f4

SHA512
09b90b0f81f8d43ff793c606a320dbaf5fb51403ea8926be5dce42b117169bc36d71e3b500746ee71313c53a302cdeee590066d025927bb804ad8b9cc5ef0ea2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
MD5
1c19c16e21c97ed42d5beabc93391fc5

SHA1
8ad83f8e0b3acf8dfbbf87931e41f0d664c4df68

SHA256
1bcd97396c83babfe6c5068ba590d7a3f8b70e72955a9d1e4070648e404cbf05

SHA512
7d18776d8f649b3d29c182ff03efc6cea8b527542ee55304980f24577aae8b64e37044407776e220984346c3998ace5f8853afa58c8b38407482a728e9495e0c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
573c9aa68691fe010a49416a06cad7da

SHA1
ed769186bec100dc7efbc8df53cd09fef2ec4757

SHA256
554846ae07235171b0ba618dc5ab6bfed105e1c69b25a1f15c13646ed4098e7a

SHA512
e7ed841ead2220ceb20964dc02270b28ecd99f4e9e2f5fac749e570b0be98158940992cdad25b1f323de63f0e0156d3050afea82fe52fe8b972c2df984e50689

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpBF69.tmp
MD5
3e56b9d2687c62a661c14230731557da

SHA1
6180d61059a01183fa020a76a6fb4cdaa282aa0d

SHA256
d99578d22b65282e224d0b971713c4b29a3c45b7b2b836e1c2a3c71e937f2d81

SHA512
54d524211c8659a7812d16d9f16f050f08750c024f9c9a55489144b2403562c9e8264a34a55eb3e9fd9bb176853255b1a2975118f490d10f43ed4e7bb3ac1e9f

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpDE50.tmp
MD5
3e56b9d2687c62a661c14230731557da

SHA1
6180d61059a01183fa020a76a6fb4cdaa282aa0d

SHA256
d99578d22b65282e224d0b971713c4b29a3c45b7b2b836e1c2a3c71e937f2d81

SHA512
54d524211c8659a7812d16d9f16f050f08750c024f9c9a55489144b2403562c9e8264a34a55eb3e9fd9bb176853255b1a2975118f490d10f43ed4e7bb3ac1e9f

Download Submit
memory/416-201-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/416-199-0x0000000000405925-mapping.dmp

Download
memory/496-203-0x0000000000000000-mapping.dmp

Download
memory/1112-141-0x00000000087B0000-0x00000000087B1000-memory.dmp

Filesize
4KB

Download
memory/1112-192-0x0000000007393000-0x0000000007394000-memory.dmp

Filesize
4KB

Download
memory/1112-131-0x00000000079D0000-0x00000000079D1000-memory.dmp

Filesize
4KB

Download
memory/1112-132-0x0000000007630000-0x0000000007631000-memory.dmp

Filesize
4KB

Download
memory/1112-133-0x00000000076D0000-0x00000000076D1000-memory.dmp

Filesize
4KB

Download
memory/1112-134-0x0000000007920000-0x0000000007921000-memory.dmp

Filesize
4KB

Download
memory/1112-135-0x0000000008000000-0x0000000008001000-memory.dmp

Filesize
4KB

Download
memory/1112-120-0x0000000000000000-mapping.dmp

Download
memory/1112-130-0x0000000004BE0000-0x0000000004BE1000-memory.dmp

Filesize
4KB

Download
memory/1112-138-0x0000000007390000-0x0000000007391000-memory.dmp

Filesize
4KB

Download
memory/1112-139-0x0000000007392000-0x0000000007393000-memory.dmp

Filesize
4KB

Download
memory/1112-140-0x00000000083D0000-0x00000000083D1000-memory.dmp

Filesize
4KB

Download
memory/1112-164-0x00000000099B0000-0x00000000099B1000-memory.dmp

Filesize
4KB

Download
memory/1112-142-0x0000000008700000-0x0000000008701000-memory.dmp

Filesize
4KB

Download
memory/1112-150-0x00000000094A0000-0x00000000094D3000-memory.dmp

Filesize
204KB

Download
memory/1112-152-0x000000007F920000-0x000000007F921000-memory.dmp

Filesize
4KB

Download
memory/1112-158-0x0000000009480000-0x0000000009481000-memory.dmp

Filesize
4KB

Download
memory/1112-163-0x00000000097E0000-0x00000000097E1000-memory.dmp

Filesize
4KB

Download
memory/1460-121-0x0000000000000000-mapping.dmp

Download
memory/1460-137-0x0000000000E00000-0x0000000000E01000-memory.dmp

Filesize
4KB

Download
memory/2112-114-0x0000000000BF0000-0x0000000000BF1000-memory.dmp

Filesize
4KB

Download
memory/2996-122-0x0000000000700000-0x0000000000706000-memory.dmp

Filesize
24KB

Download
memory/2996-196-0x0000000000710000-0x0000000000711000-memory.dmp

Filesize
4KB

Download
memory/2996-194-0x0000000000730000-0x0000000000731000-memory.dmp

Filesize
4KB

Download
memory/2996-193-0x00007FF8E4480000-0x00007FF8E4490000-memory.dmp

Filesize
64KB

Download
memory/2996-136-0x0000000002740000-0x0000000002840000-memory.dmp

Filesize
1024KB

Download
memory/2996-195-0x00007FF8E44A0000-0x00007FF8E44A6000-memory.dmp

Filesize
24KB

Download
memory/3964-206-0x0000000006A70000-0x0000000006A71000-memory.dmp

Filesize
4KB

Download
memory/3964-209-0x0000000006A73000-0x0000000006A74000-memory.dmp

Filesize
4KB

Download
memory/3964-202-0x0000000000000000-mapping.dmp

Download
memory/3964-208-0x000000007EE60000-0x000000007EE61000-memory.dmp

Filesize
4KB

Download
memory/3964-207-0x0000000006A72000-0x0000000006A73000-memory.dmp

Filesize
4KB

Download
memory/3988-115-0x0000000000000000-mapping.dmp

Download
memory/4040-119-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/4040-117-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/4040-118-0x0000000000405925-mapping.dmp

Download
memory/4084-197-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads