warzonerat | 34ef4f8cfb814da5aeb5f3181301976e3622470fd9bfbfec8c016e7eed215d8f

Analysis

max time kernel
67s
max time network
146s
platform
windows10_x64
resource
win10v20210410
submitted
11-06-2021 16:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

PAYMENT COPY-20211106_pdf.exe
Size

308KB
MD5

c288afa652187f51cd8a51225403b371
SHA1

47da2c2d1f08cbdfa92576588f466b59da5645cb
SHA256

34ef4f8cfb814da5aeb5f3181301976e3622470fd9bfbfec8c016e7eed215d8f
SHA512

d1c0fbffa2523ba3f770034ce788597f37f7fab042c8d843219d4c053d0bf548e1562a24e6d7614285cafc329a5797f16b9b173eeb0f014f4ab81b43b677aac0

Score

10^/10

warzonerat infostealer persistence rat spyware stealer

Malware Config

Extracted

Family

warzonerat

103.155.83.189:1289

Signatures

WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
rat infostealer warzonerat
Sets DLL path for service in the registry 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112

Loads dropped DLL 9 IoCs

Processes:

PAYMENT COPY-20211106_pdf.exesvchost.exePAYMENT COPY-20211106_pdf.exe

pid	process
2232	PAYMENT COPY-20211106_pdf.exe
2232	PAYMENT COPY-20211106_pdf.exe
2076	svchost.exe
2212	PAYMENT COPY-20211106_pdf.exe
2212	PAYMENT COPY-20211106_pdf.exe
2212	PAYMENT COPY-20211106_pdf.exe
2212	PAYMENT COPY-20211106_pdf.exe
2212	PAYMENT COPY-20211106_pdf.exe
2212	PAYMENT COPY-20211106_pdf.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

PAYMENT COPY-20211106_pdf.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\svfrdwtqxbkd = "C:\\Users\\Admin\\AppData\\Roaming\\rhijmmuuuev\\uvbkxpxykvcb.exe"	PAYMENT COPY-20211106_pdf.exe

Modifies WinLogon 2 TTPs 4 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

PAYMENT COPY-20211106_pdf.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList\qpktrId = "0"	PAYMENT COPY-20211106_pdf.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\AllowMultipleTSSessions = "1"	PAYMENT COPY-20211106_pdf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList	PAYMENT COPY-20211106_pdf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts	PAYMENT COPY-20211106_pdf.exe

Drops file in System32 directory 2 IoCs

Processes:

PAYMENT COPY-20211106_pdf.exe

description	ioc	process
File created	C:\Windows\System32\rfxvmt.dll	PAYMENT COPY-20211106_pdf.exe
File opened for modification	C:\Windows\System32\rfxvmt.dll	PAYMENT COPY-20211106_pdf.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

PAYMENT COPY-20211106_pdf.exe

description pid process target process

PID 2232 set thread context of 2212 2232 PAYMENT COPY-20211106_pdf.exe PAYMENT COPY-20211106_pdf.exe

description	pid	process	target process
PID 2232 set thread context of 2212	2232	PAYMENT COPY-20211106_pdf.exe	PAYMENT COPY-20211106_pdf.exe

Drops file in Program Files directory 2 IoCs

Processes:

PAYMENT COPY-20211106_pdf.exe

description	ioc	process
File created	C:\Program Files\Microsoft DN1\sqlmap.dll	PAYMENT COPY-20211106_pdf.exe
File created	C:\Program Files\Microsoft DN1\rdpwrap.ini	PAYMENT COPY-20211106_pdf.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 15 IoCs

Processes:

PAYMENT COPY-20211106_pdf.exepowershell.exesvchost.exe

pid	process
2232	PAYMENT COPY-20211106_pdf.exe
2232	PAYMENT COPY-20211106_pdf.exe
2232	PAYMENT COPY-20211106_pdf.exe
2232	PAYMENT COPY-20211106_pdf.exe
2232	PAYMENT COPY-20211106_pdf.exe
2232	PAYMENT COPY-20211106_pdf.exe
2232	PAYMENT COPY-20211106_pdf.exe
2232	PAYMENT COPY-20211106_pdf.exe
2856	powershell.exe
2856	powershell.exe
2856	powershell.exe
2076	svchost.exe
2076	svchost.exe
2076	svchost.exe
2076	svchost.exe

Suspicious behavior: LoadsDriver 1 IoCs

Processes:

pid process

624
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

PAYMENT COPY-20211106_pdf.exe

pid process

2232 PAYMENT COPY-20211106_pdf.exe

pid	process
624

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

powershell.exePAYMENT COPY-20211106_pdf.exesvchost.exe

description	pid	process
Token: SeDebugPrivilege	2856	powershell.exe
Token: SeDebugPrivilege	2212	PAYMENT COPY-20211106_pdf.exe
Token: SeAuditPrivilege	2076	svchost.exe

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

PAYMENT COPY-20211106_pdf.exePAYMENT COPY-20211106_pdf.exe

description	pid	process	target process
PID 2232 wrote to memory of 2212	2232	PAYMENT COPY-20211106_pdf.exe	PAYMENT COPY-20211106_pdf.exe
PID 2232 wrote to memory of 2212	2232	PAYMENT COPY-20211106_pdf.exe	PAYMENT COPY-20211106_pdf.exe
PID 2232 wrote to memory of 2212	2232	PAYMENT COPY-20211106_pdf.exe	PAYMENT COPY-20211106_pdf.exe
PID 2232 wrote to memory of 2212	2232	PAYMENT COPY-20211106_pdf.exe	PAYMENT COPY-20211106_pdf.exe
PID 2212 wrote to memory of 2856	2212	PAYMENT COPY-20211106_pdf.exe	powershell.exe
PID 2212 wrote to memory of 2856	2212	PAYMENT COPY-20211106_pdf.exe	powershell.exe
PID 2212 wrote to memory of 2856	2212	PAYMENT COPY-20211106_pdf.exe	powershell.exe

C:\Users\Admin\AppData\Local\Temp\PAYMENT COPY-20211106_pdf.exe
"C:\Users\Admin\AppData\Local\Temp\PAYMENT COPY-20211106_pdf.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:2232
- C:\Users\Admin\AppData\Local\Temp\PAYMENT COPY-20211106_pdf.exe
  "C:\Users\Admin\AppData\Local\Temp\PAYMENT COPY-20211106_pdf.exe"
  2⤵
  - Loads dropped DLL
  - Modifies WinLogon
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2212
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell Add-MpPreference -ExclusionPath C:\
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2856

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k networkservice -s TermService
1⤵
PID:1892

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -s TermService
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2076

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Winlogon Helper DLL

T1004

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\??\c:\program files\microsoft dn1\rdpwrap.ini

MD5
6bc395161b04aa555d5a4e8eb8320020

SHA1
f18544faa4bd067f6773a373d580e111b0c8c300

SHA256
23390dfcda60f292ba1e52abb5ba2f829335351f4f9b1d33a9a6ad7a9bf5e2be

SHA512
679ac80c26422667ca5f2a6d9f0e022ef76bc9b09f97ad390b81f2e286446f0658524ccc8346a6e79d10e42131bc428f7c0ce4541d44d83af8134c499436daae

Download Submit
\??\c:\program files\microsoft dn1\sqlmap.dll

MD5
461ade40b800ae80a40985594e1ac236

SHA1
b3892eef846c044a2b0785d54a432b3e93a968c8

SHA256
798af20db39280f90a1d35f2ac2c1d62124d1f5218a2a0fa29d87a13340bd3e4

SHA512
421f9060c4b61fa6f4074508602a2639209032fd5df5bfc702a159e3bad5479684ccb3f6e02f3e38fb8db53839cf3f41fe58a3acad6ec1199a48dc333b2d8a26

Download Submit
\Program Files\Microsoft DN1\sqlmap.dll

MD5
461ade40b800ae80a40985594e1ac236

SHA1
b3892eef846c044a2b0785d54a432b3e93a968c8

SHA256
798af20db39280f90a1d35f2ac2c1d62124d1f5218a2a0fa29d87a13340bd3e4

SHA512
421f9060c4b61fa6f4074508602a2639209032fd5df5bfc702a159e3bad5479684ccb3f6e02f3e38fb8db53839cf3f41fe58a3acad6ec1199a48dc333b2d8a26

Download Submit
\Users\Admin\AppData\Local\Temp\freebl3.dll

MD5
ef12ab9d0b231b8f898067b2114b1bc0

SHA1
6d90f27b2105945f9bb77039e8b892070a5f9442

SHA256
2b00fc4f541ac10c94e3556ff28e30a801811c36422546a546a445aca3f410f7

SHA512
2aa62bfba556ad8f042942dd25aa071ff6677c257904377c1ec956fd9e862abcbf379e0cfd8c630c303a32ece75618c24e3eef58bddb705c427985b944689193

Download Submit
\Users\Admin\AppData\Local\Temp\mozglue.dll

MD5
75f8cc548cabf0cc800c25047e4d3124

SHA1
602676768f9faecd35b48c38a0632781dfbde10c

SHA256
fb419a60305f17359e2ac0510233ee80e845885eee60607715c67dd88e501ef0

SHA512
ed831c9c769aef3be253c52542cf032afa0a8fa5fe25ca704db65ee6883c608220df7102ac2b99ee9c2e599a0f5db99fd86894a4b169e68440eb1b0d0012672f

Download Submit
\Users\Admin\AppData\Local\Temp\msvcp140.dll

MD5
109f0f02fd37c84bfc7508d4227d7ed5

SHA1
ef7420141bb15ac334d3964082361a460bfdb975

SHA256
334e69ac9367f708ce601a6f490ff227d6c20636da5222f148b25831d22e13d4

SHA512
46eb62b65817365c249b48863d894b4669e20fcb3992e747cd5c9fdd57968e1b2cf7418d1c9340a89865eadda362b8db51947eb4427412eb83b35994f932fd39

Download Submit
\Users\Admin\AppData\Local\Temp\nss3.dll

MD5
d7858e8449004e21b01d468e9fd04b82

SHA1
9524352071ede21c167e7e4f106e9526dc23ef4e

SHA256
78758bf7f3b3b5e3477e38354acd32d787bc1286c8bd9b873471b9c195e638db

SHA512
1e2c981e6c0ca36c60c6e9cae9548b866d5c524df837095b30d618d9c322def7134c20de820105400dd1b58076b66d90274f67773ac6ba914f611b419babb440

Download Submit
\Users\Admin\AppData\Local\Temp\nsx19D9.tmp\System.dll

MD5
fccff8cb7a1067e23fd2e2b63971a8e1

SHA1
30e2a9e137c1223a78a0f7b0bf96a1c361976d91

SHA256
6fcea34c8666b06368379c6c402b5321202c11b00889401c743fb96c516c679e

SHA512
f4335e84e6f8d70e462a22f1c93d2998673a7616c868177cac3e8784a3be1d7d0bb96f2583fa0ed82f4f2b6b8f5d9b33521c279a42e055d80a94b4f3f1791e0c

Download Submit
\Users\Admin\AppData\Local\Temp\nsx19D9.tmp\System.dll

MD5
fccff8cb7a1067e23fd2e2b63971a8e1

SHA1
30e2a9e137c1223a78a0f7b0bf96a1c361976d91

SHA256
6fcea34c8666b06368379c6c402b5321202c11b00889401c743fb96c516c679e

SHA512
f4335e84e6f8d70e462a22f1c93d2998673a7616c868177cac3e8784a3be1d7d0bb96f2583fa0ed82f4f2b6b8f5d9b33521c279a42e055d80a94b4f3f1791e0c

Download Submit
\Users\Admin\AppData\Local\Temp\softokn3.dll

MD5
471c983513694ac3002590345f2be0da

SHA1
6612b9af4ff6830fa9b7d4193078434ef72f775b

SHA256
bb3ff746471116c6ad0339fa0522aa2a44a787e33a29c7b27649a054ecd4d00f

SHA512
a9b0fb923bc3b567e933de10b141a3e9213640e3d790b4c4d753cf220d55593ae8026102909969ba6bfc22da3b2fcd01e30a9f5a74bd14a0fdec9beaf0fb1410

Download Submit
\Users\Admin\AppData\Local\Temp\vcruntime140.dll

MD5
7587bf9cb4147022cd5681b015183046

SHA1
f2106306a8f6f0da5afb7fc765cfa0757ad5a628

SHA256
c40bb03199a2054dabfc7a8e01d6098e91de7193619effbd0f142a7bf031c14d

SHA512
0b63e4979846ceba1b1ed8470432ea6aa18cca66b5f5322d17b14bc0dfa4b2ee09ca300a016e16a01db5123e4e022820698f46d9bad1078bd24675b4b181e91f

Download Submit
memory/2212-190-0x0000000003810000-0x0000000003894000-memory.dmp

Filesize
528KB

Download
memory/2212-117-0x0000000000400000-0x000000000055E000-memory.dmp

Filesize
1.4MB

Download
memory/2212-116-0x0000000000405E28-mapping.dmp

Download
memory/2856-124-0x0000000007FC0000-0x0000000007FC1000-memory.dmp

Filesize
4KB

Download
memory/2856-129-0x0000000007FA0000-0x0000000007FA1000-memory.dmp

Filesize
4KB

Download
memory/2856-139-0x0000000009540000-0x0000000009573000-memory.dmp

Filesize
204KB

Download
memory/2856-146-0x0000000009520000-0x0000000009521000-memory.dmp

Filesize
4KB

Download
memory/2856-151-0x0000000009890000-0x0000000009891000-memory.dmp

Filesize
4KB

Download
memory/2856-152-0x000000007EF60000-0x000000007EF61000-memory.dmp

Filesize
4KB

Download
memory/2856-153-0x0000000004E93000-0x0000000004E94000-memory.dmp

Filesize
4KB

Download
memory/2856-154-0x0000000009A40000-0x0000000009A41000-memory.dmp

Filesize
4KB

Download
memory/2856-130-0x0000000008680000-0x0000000008681000-memory.dmp

Filesize
4KB

Download
memory/2856-131-0x00000000087D0000-0x00000000087D1000-memory.dmp

Filesize
4KB

Download
memory/2856-128-0x0000000004E92000-0x0000000004E93000-memory.dmp

Filesize
4KB

Download
memory/2856-127-0x0000000004E90000-0x0000000004E91000-memory.dmp

Filesize
4KB

Download
memory/2856-126-0x0000000008030000-0x0000000008031000-memory.dmp

Filesize
4KB

Download
memory/2856-125-0x0000000007770000-0x0000000007771000-memory.dmp

Filesize
4KB

Download
memory/2856-123-0x00000000076D0000-0x00000000076D1000-memory.dmp

Filesize
4KB

Download
memory/2856-122-0x0000000007820000-0x0000000007821000-memory.dmp

Filesize
4KB

Download
memory/2856-121-0x0000000004C50000-0x0000000004C51000-memory.dmp

Filesize
4KB

Download
memory/2856-118-0x0000000000000000-mapping.dmp

Download