warzonerat | ac3ac2c7989618e67564ccfad54facd8f4ec7b0ade1e09f323f1d940f3db8ede

Analysis

max time kernel
149s
max time network
191s
platform
windows7_x64
resource
win7v20210408
submitted
28-05-2021 10:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

services.exe
Size

113KB
MD5

4e9f2ab42f55d659b90079a3bb75858c
SHA1

b7481079ec7a825f454bea6d7bf2788d7e286523
SHA256

ac3ac2c7989618e67564ccfad54facd8f4ec7b0ade1e09f323f1d940f3db8ede
SHA512

bba8850ebd6617df9240e4aecd334f81fdb33cf7f3ff2f8973bfee15a45b78c656b96b162660068d558df314ca7b6266cc13f407b8f652d2002512d68e0804f3

Score

10^/10

warzonerat infostealer persistence rat

Malware Config

Signatures

WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
rat infostealer warzonerat

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

services.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\services = "C:\\Users\\Admin\\AppData\\Local\\Temp\\services.exe"	services.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

services.exe

description	pid	process	target process
PID 320 wrote to memory of 1364	320	services.exe	cmd.exe
PID 320 wrote to memory of 1364	320	services.exe	cmd.exe
PID 320 wrote to memory of 1364	320	services.exe	cmd.exe
PID 320 wrote to memory of 1364	320	services.exe	cmd.exe
PID 320 wrote to memory of 1364	320	services.exe	cmd.exe
PID 320 wrote to memory of 1364	320	services.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\services.exe
"C:\Users\Admin\AppData\Local\Temp\services.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:320

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe"
2⤵
PID:1364

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/320-59-0x0000000075051000-0x0000000075053000-memory.dmp

Filesize
8KB

Download
memory/1364-60-0x0000000000000000-mapping.dmp

Download