warzonerat | 2083d868972386aa9b3b423b6bba7ba92c65323b1d4dfea6f4cfa19435f26a4c

General

Target

Scan_9281027361782_Swift_copy.exe
Size

19KB
MD5

d77a90d2fa369af90578e17feb4275ca
SHA1

349d9d02476721f6b89a721c523820e504918614
SHA256

2083d868972386aa9b3b423b6bba7ba92c65323b1d4dfea6f4cfa19435f26a4c
SHA512

c64b3663ed93fe8cd41ffd25ea4d8cff9d2e4e0845e60aa894d06c7679a662dfaac34c8d6d6e5dd3a106a20bf4b076826a840d7a28878e32c5cda270fe6bfc10

Score

10^/10

warzonerat infostealer rat

Malware Config

Extracted

Family

warzonerat

C2

136.144.41.4:4771

Signatures

WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
rat infostealer warzonerat
Downloads MZ/PE file
Executes dropped EXE 2 IoCs

Processes:

Wsvicesss.exeNexus1.exe

pid process

1536 Wsvicesss.exe
1012 Nexus1.exe
Loads dropped DLL 2 IoCs

Processes:

Scan_9281027361782_Swift_copy.exeRegSvcs.exe

pid process

308 Scan_9281027361782_Swift_copy.exe
660 RegSvcs.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

Wsvicesss.exe

description pid process target process

PID 1536 set thread context of 660 1536 Wsvicesss.exe RegSvcs.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

pid	process
1536	Wsvicesss.exe
1012	Nexus1.exe

pid	process
308	Scan_9281027361782_Swift_copy.exe
660	RegSvcs.exe

description	pid	process	target process
PID 1536 set thread context of 660	1536	Wsvicesss.exe	RegSvcs.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

Scan_9281027361782_Swift_copy.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436	Scan_9281027361782_Swift_copy.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = 04000000010000001000000079e4a9840d7d3a96d7c04fe2434c892e0f0000000100000014000000b34ddd372ed92e8f2abfbb9e20a9d31f204f194b090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000003de503556d14cbb66f0a3e21b1bc397b23dd1550b00000001000000120000004400690067006900430065007200740000001d000000010000001000000059779e39e21a2e3dfced6857ed5c5fd9030000000100000014000000a8985d3a65e5e5c4b2d7d66d40c6dd2fb19c54361900000001000000100000000f3a0527d242de2dc98e5cfcb1e991ee2000000001000000b3030000308203af30820297a0030201020210083be056904246b1a1756ac95991c74a300d06092a864886f70d01010505003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100e23be11172dea8a4d3a357aa50a28f0b7790c9a2a5ee12ce965b010920cc0193a74e30b753f743c46900579de28d22dd870640008109cece1b83bfdfcd3b7146e2d666c705b37627168f7b9e1e957deeb748a308dad6af7a0c3906657f4a5d1fbc17f8abbeee28d7747f7a78995985686e5c23324bbf4ec0e85a6de370bf7710bffc01f685d9a844105832a97518d5d1a2be47e2276af49a33f84908608bd45fb43a84bfa1aa4a4c7d3ecf4f5f6c765ea04b37919edc22e66dce141a8e6acbfecdb3146417c75b299e32bff2eefad30b42d4abb74132da0cd4eff881d5bb8d583fb51be84928a270da3104ddf7b216f24c0a4e07a8ed4a3d5eb57fa390c3af270203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041403de503556d14cbb66f0a3e21b1bc397b23dd155301f0603551d2304183016801403de503556d14cbb66f0a3e21b1bc397b23dd155300d06092a864886f70d01010505000382010100cb9c37aa4813120afadd449c4f52b0f4dfae04f5797908a32418fc4b2b84c02db9d5c7fef4c11f58cbb86d9c7a74e79829ab11b5e370a0a1cd4c8899938c9170e2ab0f1cbe93a9ff63d5e40760d3a3bf9d5b09f1d58ee353f48e63fa3fa7dbb466df6266d6d16e418df22db5ea774a9f9d58e22b59c04023ed2d2882453e7954922698e08048a837eff0d6796016deace80ecd6eac4417382f49dae1453e2ab93653cf3a5006f72ee8c457496c612118d504ad783c2c3a806ba7ebaf1514e9d889c1b9386ce2916c8aff64b977255730c01b24a3e1dce9df477cb5b424080530ec2dbd0bbf45bf50b9a9f3eb980112adc888c698345f8d0a3cc6e9d595956dde	Scan_9281027361782_Swift_copy.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

Scan_9281027361782_Swift_copy.exepowershell.exe

pid process

308 Scan_9281027361782_Swift_copy.exe
824 powershell.exe
824 powershell.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

Scan_9281027361782_Swift_copy.exepowershell.exe

description pid process

Token: SeDebugPrivilege 308 Scan_9281027361782_Swift_copy.exe
Token: SeDebugPrivilege 824 powershell.exe

pid	process
308	Scan_9281027361782_Swift_copy.exe
824	powershell.exe
824	powershell.exe

description	pid	process
Token: SeDebugPrivilege	308	Scan_9281027361782_Swift_copy.exe
Token: SeDebugPrivilege	824	powershell.exe

Suspicious use of WriteProcessMemory 29 IoCs

Processes:

Scan_9281027361782_Swift_copy.exeWsvicesss.exeRegSvcs.exe

description	pid	process	target process
PID 308 wrote to memory of 1536	308	Scan_9281027361782_Swift_copy.exe	Wsvicesss.exe
PID 308 wrote to memory of 1536	308	Scan_9281027361782_Swift_copy.exe	Wsvicesss.exe
PID 308 wrote to memory of 1536	308	Scan_9281027361782_Swift_copy.exe	Wsvicesss.exe
PID 308 wrote to memory of 1536	308	Scan_9281027361782_Swift_copy.exe	Wsvicesss.exe
PID 1536 wrote to memory of 660	1536	Wsvicesss.exe	RegSvcs.exe
PID 1536 wrote to memory of 660	1536	Wsvicesss.exe	RegSvcs.exe
PID 1536 wrote to memory of 660	1536	Wsvicesss.exe	RegSvcs.exe
PID 1536 wrote to memory of 660	1536	Wsvicesss.exe	RegSvcs.exe
PID 1536 wrote to memory of 660	1536	Wsvicesss.exe	RegSvcs.exe
PID 1536 wrote to memory of 660	1536	Wsvicesss.exe	RegSvcs.exe
PID 1536 wrote to memory of 660	1536	Wsvicesss.exe	RegSvcs.exe
PID 1536 wrote to memory of 660	1536	Wsvicesss.exe	RegSvcs.exe
PID 1536 wrote to memory of 660	1536	Wsvicesss.exe	RegSvcs.exe
PID 1536 wrote to memory of 660	1536	Wsvicesss.exe	RegSvcs.exe
PID 1536 wrote to memory of 660	1536	Wsvicesss.exe	RegSvcs.exe
PID 1536 wrote to memory of 660	1536	Wsvicesss.exe	RegSvcs.exe
PID 1536 wrote to memory of 660	1536	Wsvicesss.exe	RegSvcs.exe
PID 1536 wrote to memory of 660	1536	Wsvicesss.exe	RegSvcs.exe
PID 660 wrote to memory of 824	660	RegSvcs.exe	powershell.exe
PID 660 wrote to memory of 824	660	RegSvcs.exe	powershell.exe
PID 660 wrote to memory of 824	660	RegSvcs.exe	powershell.exe
PID 660 wrote to memory of 824	660	RegSvcs.exe	powershell.exe
PID 660 wrote to memory of 1012	660	RegSvcs.exe	Nexus1.exe
PID 660 wrote to memory of 1012	660	RegSvcs.exe	Nexus1.exe
PID 660 wrote to memory of 1012	660	RegSvcs.exe	Nexus1.exe
PID 660 wrote to memory of 1012	660	RegSvcs.exe	Nexus1.exe
PID 660 wrote to memory of 1012	660	RegSvcs.exe	Nexus1.exe
PID 660 wrote to memory of 1012	660	RegSvcs.exe	Nexus1.exe
PID 660 wrote to memory of 1012	660	RegSvcs.exe	Nexus1.exe

C:\Users\Admin\AppData\Local\Temp\Scan_9281027361782_Swift_copy.exe
"C:\Users\Admin\AppData\Local\Temp\Scan_9281027361782_Swift_copy.exe"
1⤵
- Loads dropped DLL
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:308
- C:\Users\Admin\AppData\Local\Temp\Wsvicesss.exe
  "C:\Users\Admin\AppData\Local\Temp\Wsvicesss.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:1536
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
    3⤵
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:660
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell Add-MpPreference -ExclusionPath C:\
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:824
  - - C:\ProgramData\Nexus1.exe
      "C:\ProgramData\Nexus1.exe"
      4⤵
      Executes dropped EXE
      PID:1012

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Install Root Certificate

Modify Registry

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Nexus1.exe

MD5
0e06054beb13192588e745ee63a84173

SHA1
30b7d4d1277bafd04a83779fd566a1f834a8d113

SHA256
c5d6d56ded55fbd6c150ee3a0eb2e5671cae83106be2be4d70ce50aa50bab768

SHA512
251a112f3f037e62ff67a467389e47a56afb344bc942b17efa9bd2970494718b26bbee9adc3ac35f93ee4d2114aa426b6d0ea4bafad294b6c118a15f1977c215

Download Submit
C:\ProgramData\Nexus1.exe

MD5
0e06054beb13192588e745ee63a84173

SHA1
30b7d4d1277bafd04a83779fd566a1f834a8d113

SHA256
c5d6d56ded55fbd6c150ee3a0eb2e5671cae83106be2be4d70ce50aa50bab768

SHA512
251a112f3f037e62ff67a467389e47a56afb344bc942b17efa9bd2970494718b26bbee9adc3ac35f93ee4d2114aa426b6d0ea4bafad294b6c118a15f1977c215

Download Submit
C:\Users\Admin\AppData\Local\Temp\Wsvicesss.exe

MD5
02c8672818a779913d9b6a471695c293

SHA1
82cbe1fb837e2e2c7428f4de537dc83aef23a7fb

SHA256
f03fc074a84b772598d69da16f2d8df348a1428c5cd0b012cf60b29914872e32

SHA512
6dd17e889ed8d3ef87e90d382ac9e366070ad87094073984bbcf317c637933808b332bde233e05e3e4fbea7a11719bc993f6f85cec46857e4b6458f99faad0e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\Wsvicesss.exe

MD5
02c8672818a779913d9b6a471695c293

SHA1
82cbe1fb837e2e2c7428f4de537dc83aef23a7fb

SHA256
f03fc074a84b772598d69da16f2d8df348a1428c5cd0b012cf60b29914872e32

SHA512
6dd17e889ed8d3ef87e90d382ac9e366070ad87094073984bbcf317c637933808b332bde233e05e3e4fbea7a11719bc993f6f85cec46857e4b6458f99faad0e4

Download Submit
\ProgramData\Nexus1.exe

MD5
0e06054beb13192588e745ee63a84173

SHA1
30b7d4d1277bafd04a83779fd566a1f834a8d113

SHA256
c5d6d56ded55fbd6c150ee3a0eb2e5671cae83106be2be4d70ce50aa50bab768

SHA512
251a112f3f037e62ff67a467389e47a56afb344bc942b17efa9bd2970494718b26bbee9adc3ac35f93ee4d2114aa426b6d0ea4bafad294b6c118a15f1977c215

Download Submit
\Users\Admin\AppData\Local\Temp\Wsvicesss.exe

MD5
02c8672818a779913d9b6a471695c293

SHA1
82cbe1fb837e2e2c7428f4de537dc83aef23a7fb

SHA256
f03fc074a84b772598d69da16f2d8df348a1428c5cd0b012cf60b29914872e32

SHA512
6dd17e889ed8d3ef87e90d382ac9e366070ad87094073984bbcf317c637933808b332bde233e05e3e4fbea7a11719bc993f6f85cec46857e4b6458f99faad0e4

Download Submit
memory/308-60-0x0000000000260000-0x0000000000261000-memory.dmp

Filesize
4KB

Download
memory/308-62-0x00000000048B0000-0x00000000048B1000-memory.dmp

Filesize
4KB

Download
memory/660-70-0x0000000000400000-0x000000000055E000-memory.dmp

Filesize
1.4MB

Download
memory/660-74-0x0000000000400000-0x000000000055E000-memory.dmp

Filesize
1.4MB

Download
memory/660-72-0x0000000075A31000-0x0000000075A33000-memory.dmp

Filesize
8KB

Download
memory/660-71-0x0000000000405E28-mapping.dmp

Download
memory/824-96-0x00000000056F0000-0x00000000056F1000-memory.dmp

Filesize
4KB

Download
memory/824-97-0x00000000060E0000-0x00000000060E1000-memory.dmp

Filesize
4KB

Download
memory/824-121-0x0000000006310000-0x0000000006311000-memory.dmp

Filesize
4KB

Download
memory/824-120-0x0000000006300000-0x0000000006301000-memory.dmp

Filesize
4KB

Download
memory/824-106-0x0000000005610000-0x0000000005611000-memory.dmp

Filesize
4KB

Download
memory/824-105-0x0000000006280000-0x0000000006281000-memory.dmp

Filesize
4KB

Download
memory/824-98-0x000000007EF30000-0x000000007EF31000-memory.dmp

Filesize
4KB

Download
memory/824-75-0x0000000000000000-mapping.dmp

Download
memory/824-83-0x0000000000ED0000-0x0000000000ED1000-memory.dmp

Filesize
4KB

Download
memory/824-84-0x0000000004920000-0x0000000004921000-memory.dmp

Filesize
4KB

Download
memory/824-85-0x00000000048E0000-0x00000000048E1000-memory.dmp

Filesize
4KB

Download
memory/824-86-0x00000000048E2000-0x00000000048E3000-memory.dmp

Filesize
4KB

Download
memory/824-87-0x00000000012C0000-0x00000000012C1000-memory.dmp

Filesize
4KB

Download
memory/824-88-0x00000000052C0000-0x00000000052C1000-memory.dmp

Filesize
4KB

Download
memory/824-91-0x0000000005690000-0x0000000005691000-memory.dmp

Filesize
4KB

Download
memory/1012-82-0x00000000003D0000-0x00000000003D1000-memory.dmp

Filesize
4KB

Download
memory/1012-81-0x0000000001370000-0x0000000001371000-memory.dmp

Filesize
4KB

Download
memory/1012-77-0x0000000000000000-mapping.dmp

Download
memory/1536-73-0x0000000000450000-0x0000000000451000-memory.dmp

Filesize
4KB

Download
memory/1536-64-0x0000000000000000-mapping.dmp

Download
memory/1536-67-0x00000000008B0000-0x00000000008B1000-memory.dmp

Filesize
4KB

Download
memory/1536-69-0x00000000002F0000-0x00000000002FC000-memory.dmp

Filesize
48KB

Download

Analysis

Sharing