warzonerat | 2083d868972386aa9b3b423b6bba7ba92c65323b1d4dfea6f4cfa19435f26a4c

General

Target

Scan_9281027361782_Swift_copy.exe
Size

19KB
MD5

d77a90d2fa369af90578e17feb4275ca
SHA1

349d9d02476721f6b89a721c523820e504918614
SHA256

2083d868972386aa9b3b423b6bba7ba92c65323b1d4dfea6f4cfa19435f26a4c
SHA512

c64b3663ed93fe8cd41ffd25ea4d8cff9d2e4e0845e60aa894d06c7679a662dfaac34c8d6d6e5dd3a106a20bf4b076826a840d7a28878e32c5cda270fe6bfc10

Score

10^/10

warzonerat infostealer rat

Malware Config

Extracted

Family

warzonerat

C2

136.144.41.4:4771

Signatures

WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
rat infostealer warzonerat
Executes dropped EXE 2 IoCs

Processes:

Wsvicesss.exeNexus1.exe

pid process

3604 Wsvicesss.exe
3952 Nexus1.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

Wsvicesss.exe

description pid process target process

PID 3604 set thread context of 1304 3604 Wsvicesss.exe RegSvcs.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

Scan_9281027361782_Swift_copy.exeWsvicesss.exepowershell.exe

pid process

624 Scan_9281027361782_Swift_copy.exe
3604 Wsvicesss.exe
3604 Wsvicesss.exe
2120 powershell.exe
2120 powershell.exe
2120 powershell.exe

pid	process
3604	Wsvicesss.exe
3952	Nexus1.exe

description	pid	process	target process
PID 3604 set thread context of 1304	3604	Wsvicesss.exe	RegSvcs.exe

pid	process
624	Scan_9281027361782_Swift_copy.exe
3604	Wsvicesss.exe
3604	Wsvicesss.exe
2120	powershell.exe
2120	powershell.exe
2120	powershell.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

Scan_9281027361782_Swift_copy.exeWsvicesss.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	624	Scan_9281027361782_Swift_copy.exe
Token: SeDebugPrivilege	3604	Wsvicesss.exe
Token: SeDebugPrivilege	2120	powershell.exe

Suspicious use of WriteProcessMemory 22 IoCs

Processes:

Scan_9281027361782_Swift_copy.exeWsvicesss.exeRegSvcs.exe

description	pid	process	target process
PID 624 wrote to memory of 3604	624	Scan_9281027361782_Swift_copy.exe	Wsvicesss.exe
PID 624 wrote to memory of 3604	624	Scan_9281027361782_Swift_copy.exe	Wsvicesss.exe
PID 624 wrote to memory of 3604	624	Scan_9281027361782_Swift_copy.exe	Wsvicesss.exe
PID 3604 wrote to memory of 1504	3604	Wsvicesss.exe	RegSvcs.exe
PID 3604 wrote to memory of 1504	3604	Wsvicesss.exe	RegSvcs.exe
PID 3604 wrote to memory of 1504	3604	Wsvicesss.exe	RegSvcs.exe
PID 3604 wrote to memory of 1304	3604	Wsvicesss.exe	RegSvcs.exe
PID 3604 wrote to memory of 1304	3604	Wsvicesss.exe	RegSvcs.exe
PID 3604 wrote to memory of 1304	3604	Wsvicesss.exe	RegSvcs.exe
PID 3604 wrote to memory of 1304	3604	Wsvicesss.exe	RegSvcs.exe
PID 3604 wrote to memory of 1304	3604	Wsvicesss.exe	RegSvcs.exe
PID 3604 wrote to memory of 1304	3604	Wsvicesss.exe	RegSvcs.exe
PID 3604 wrote to memory of 1304	3604	Wsvicesss.exe	RegSvcs.exe
PID 3604 wrote to memory of 1304	3604	Wsvicesss.exe	RegSvcs.exe
PID 3604 wrote to memory of 1304	3604	Wsvicesss.exe	RegSvcs.exe
PID 3604 wrote to memory of 1304	3604	Wsvicesss.exe	RegSvcs.exe
PID 1304 wrote to memory of 2120	1304	RegSvcs.exe	powershell.exe
PID 1304 wrote to memory of 2120	1304	RegSvcs.exe	powershell.exe
PID 1304 wrote to memory of 2120	1304	RegSvcs.exe	powershell.exe
PID 1304 wrote to memory of 3952	1304	RegSvcs.exe	Nexus1.exe
PID 1304 wrote to memory of 3952	1304	RegSvcs.exe	Nexus1.exe
PID 1304 wrote to memory of 3952	1304	RegSvcs.exe	Nexus1.exe

C:\Users\Admin\AppData\Local\Temp\Scan_9281027361782_Swift_copy.exe
"C:\Users\Admin\AppData\Local\Temp\Scan_9281027361782_Swift_copy.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:624
- C:\Users\Admin\AppData\Local\Temp\Wsvicesss.exe
  "C:\Users\Admin\AppData\Local\Temp\Wsvicesss.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3604
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
    3⤵
    PID:1504
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1304
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell Add-MpPreference -ExclusionPath C:\
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2120
  - - C:\ProgramData\Nexus1.exe
      "C:\ProgramData\Nexus1.exe"
      4⤵
      Executes dropped EXE
      PID:3952

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Nexus1.exe

MD5
0e06054beb13192588e745ee63a84173

SHA1
30b7d4d1277bafd04a83779fd566a1f834a8d113

SHA256
c5d6d56ded55fbd6c150ee3a0eb2e5671cae83106be2be4d70ce50aa50bab768

SHA512
251a112f3f037e62ff67a467389e47a56afb344bc942b17efa9bd2970494718b26bbee9adc3ac35f93ee4d2114aa426b6d0ea4bafad294b6c118a15f1977c215

Download Submit
C:\ProgramData\Nexus1.exe

MD5
0e06054beb13192588e745ee63a84173

SHA1
30b7d4d1277bafd04a83779fd566a1f834a8d113

SHA256
c5d6d56ded55fbd6c150ee3a0eb2e5671cae83106be2be4d70ce50aa50bab768

SHA512
251a112f3f037e62ff67a467389e47a56afb344bc942b17efa9bd2970494718b26bbee9adc3ac35f93ee4d2114aa426b6d0ea4bafad294b6c118a15f1977c215

Download Submit
C:\Users\Admin\AppData\Local\Temp\Wsvicesss.exe

MD5
02c8672818a779913d9b6a471695c293

SHA1
82cbe1fb837e2e2c7428f4de537dc83aef23a7fb

SHA256
f03fc074a84b772598d69da16f2d8df348a1428c5cd0b012cf60b29914872e32

SHA512
6dd17e889ed8d3ef87e90d382ac9e366070ad87094073984bbcf317c637933808b332bde233e05e3e4fbea7a11719bc993f6f85cec46857e4b6458f99faad0e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\Wsvicesss.exe

MD5
02c8672818a779913d9b6a471695c293

SHA1
82cbe1fb837e2e2c7428f4de537dc83aef23a7fb

SHA256
f03fc074a84b772598d69da16f2d8df348a1428c5cd0b012cf60b29914872e32

SHA512
6dd17e889ed8d3ef87e90d382ac9e366070ad87094073984bbcf317c637933808b332bde233e05e3e4fbea7a11719bc993f6f85cec46857e4b6458f99faad0e4

Download Submit
memory/624-116-0x0000000005600000-0x0000000005601000-memory.dmp

Filesize
4KB

Download
memory/624-117-0x00000000051A0000-0x00000000051A1000-memory.dmp

Filesize
4KB

Download
memory/624-118-0x0000000005170000-0x0000000005171000-memory.dmp

Filesize
4KB

Download
memory/624-119-0x0000000005100000-0x00000000055FE000-memory.dmp

Filesize
5.0MB

Download
memory/624-114-0x0000000000920000-0x0000000000921000-memory.dmp

Filesize
4KB

Download
memory/1304-128-0x0000000000400000-0x000000000055E000-memory.dmp

Filesize
1.4MB

Download
memory/1304-130-0x0000000000400000-0x000000000055E000-memory.dmp

Filesize
1.4MB

Download
memory/1304-129-0x0000000000405E28-mapping.dmp

Download
memory/2120-144-0x00000000076D0000-0x00000000076D1000-memory.dmp

Filesize
4KB

Download
memory/2120-149-0x00000000084A0000-0x00000000084A1000-memory.dmp

Filesize
4KB

Download
memory/2120-177-0x0000000004CA3000-0x0000000004CA4000-memory.dmp

Filesize
4KB

Download
memory/2120-131-0x0000000000000000-mapping.dmp

Download
memory/2120-176-0x000000007EA30000-0x000000007EA31000-memory.dmp

Filesize
4KB

Download
memory/2120-171-0x0000000009A80000-0x0000000009A81000-memory.dmp

Filesize
4KB

Download
memory/2120-170-0x0000000009880000-0x0000000009881000-memory.dmp

Filesize
4KB

Download
memory/2120-165-0x0000000009710000-0x0000000009711000-memory.dmp

Filesize
4KB

Download
memory/2120-158-0x0000000009750000-0x0000000009783000-memory.dmp

Filesize
204KB

Download
memory/2120-138-0x0000000004CB0000-0x0000000004CB1000-memory.dmp

Filesize
4KB

Download
memory/2120-150-0x0000000008770000-0x0000000008771000-memory.dmp

Filesize
4KB

Download
memory/2120-141-0x0000000007740000-0x0000000007741000-memory.dmp

Filesize
4KB

Download
memory/2120-142-0x0000000004CA0000-0x0000000004CA1000-memory.dmp

Filesize
4KB

Download
memory/2120-143-0x0000000004CA2000-0x0000000004CA3000-memory.dmp

Filesize
4KB

Download
memory/2120-145-0x0000000007DE0000-0x0000000007DE1000-memory.dmp

Filesize
4KB

Download
memory/2120-148-0x0000000008350000-0x0000000008351000-memory.dmp

Filesize
4KB

Download
memory/2120-146-0x0000000007F50000-0x0000000007F51000-memory.dmp

Filesize
4KB

Download
memory/2120-147-0x0000000007FC0000-0x0000000007FC1000-memory.dmp

Filesize
4KB

Download
memory/3604-120-0x0000000000000000-mapping.dmp

Download
memory/3604-127-0x0000000000FF0000-0x0000000000FFC000-memory.dmp

Filesize
48KB

Download
memory/3604-123-0x00000000008C0000-0x00000000008C1000-memory.dmp

Filesize
4KB

Download
memory/3604-125-0x00000000050D0000-0x00000000050D1000-memory.dmp

Filesize
4KB

Download
memory/3604-126-0x0000000005590000-0x0000000005591000-memory.dmp

Filesize
4KB

Download
memory/3952-140-0x0000000000990000-0x0000000000991000-memory.dmp

Filesize
4KB

Download
memory/3952-139-0x0000000002450000-0x0000000002451000-memory.dmp

Filesize
4KB

Download
memory/3952-137-0x0000000000100000-0x0000000000101000-memory.dmp

Filesize
4KB

Download
memory/3952-132-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing