warzonerat | be38a69081db308b628205a8d3bf1053120da733b05f38ac497a295723d2b29f

General

Target

PDF.exe
Size

807KB
MD5

1032e6ffdbb406b3ee80d7c50989e2b5
SHA1

fb63c770ba76d25f181be481acef62aa2cf5f82c
SHA256

be38a69081db308b628205a8d3bf1053120da733b05f38ac497a295723d2b29f
SHA512

bd5203164dd2a966c1db164f6d472615932a673d7be6105c5c36a130e1bb7582e4a9a479833ecbc102c36a5786ef1e459b8eec944beb8cdf51c763078a2923f3

Score

10^/10

warzonerat infostealer rat

Malware Config

Extracted

Family

warzonerat

C2

185.157.160.215:2211

Signatures

WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
rat infostealer warzonerat

Warzone RAT Payload 3 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/1944-69-0x0000000000405CE2-mapping.dmp	warzonerat
behavioral1/memory/1944-68-0x0000000000400000-0x0000000000554000-memory.dmp	warzonerat
behavioral1/memory/1944-71-0x0000000000400000-0x0000000000554000-memory.dmp	warzonerat

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Suspicious use of SetThreadContext 1 IoCs

Processes:

PDF.exe

description pid process target process

PID 1088 set thread context of 1944 1088 PDF.exe vbc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1500 schtasks.exe
Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

PDF.exe

pid process

1088 PDF.exe
1088 PDF.exe
1088 PDF.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

PDF.exe

description pid process

Token: SeDebugPrivilege 1088 PDF.exe

description	pid	process	target process
PID 1088 set thread context of 1944	1088	PDF.exe	vbc.exe

pid	process
1500	schtasks.exe

pid	process
1088	PDF.exe
1088	PDF.exe
1088	PDF.exe

description	pid	process
Token: SeDebugPrivilege	1088	PDF.exe

Suspicious use of WriteProcessMemory 24 IoCs

Processes:

PDF.exe

description	pid	process	target process
PID 1088 wrote to memory of 1500	1088	PDF.exe	schtasks.exe
PID 1088 wrote to memory of 1500	1088	PDF.exe	schtasks.exe
PID 1088 wrote to memory of 1500	1088	PDF.exe	schtasks.exe
PID 1088 wrote to memory of 1500	1088	PDF.exe	schtasks.exe
PID 1088 wrote to memory of 1636	1088	PDF.exe	vbc.exe
PID 1088 wrote to memory of 1636	1088	PDF.exe	vbc.exe
PID 1088 wrote to memory of 1636	1088	PDF.exe	vbc.exe
PID 1088 wrote to memory of 1636	1088	PDF.exe	vbc.exe
PID 1088 wrote to memory of 864	1088	PDF.exe	vbc.exe
PID 1088 wrote to memory of 864	1088	PDF.exe	vbc.exe
PID 1088 wrote to memory of 864	1088	PDF.exe	vbc.exe
PID 1088 wrote to memory of 864	1088	PDF.exe	vbc.exe
PID 1088 wrote to memory of 1944	1088	PDF.exe	vbc.exe
PID 1088 wrote to memory of 1944	1088	PDF.exe	vbc.exe
PID 1088 wrote to memory of 1944	1088	PDF.exe	vbc.exe
PID 1088 wrote to memory of 1944	1088	PDF.exe	vbc.exe
PID 1088 wrote to memory of 1944	1088	PDF.exe	vbc.exe
PID 1088 wrote to memory of 1944	1088	PDF.exe	vbc.exe
PID 1088 wrote to memory of 1944	1088	PDF.exe	vbc.exe
PID 1088 wrote to memory of 1944	1088	PDF.exe	vbc.exe
PID 1088 wrote to memory of 1944	1088	PDF.exe	vbc.exe
PID 1088 wrote to memory of 1944	1088	PDF.exe	vbc.exe
PID 1088 wrote to memory of 1944	1088	PDF.exe	vbc.exe
PID 1088 wrote to memory of 1944	1088	PDF.exe	vbc.exe

C:\Users\Admin\AppData\Local\Temp\PDF.exe
"C:\Users\Admin\AppData\Local\Temp\PDF.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1088

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\GrxeqzFZZljX" /XML "C:\Users\Admin\AppData\Local\Temp\tmpEB58.tmp"
2⤵
- Creates scheduled task(s)
PID:1500

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
2⤵
PID:1636

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
2⤵
PID:864

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
2⤵
PID:1944

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

Scripting

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpEB58.tmp

MD5
551e4867c804267ae628031d0cf8d744

SHA1
5232905667b05c261df6c2e143e3e8823bafdc96

SHA256
41ec101e560e90a1fffb39511abc9e3484f0e878c8e9190fb25206fd99611774

SHA512
c5865afd45e09c197a541f1d6260705fe927e20feb3517c95eda4ce986bcd6d52767bff3c936f6afba5369a513cc150e2623117c52cec45f35c4ba417bb902b7

Download Submit
memory/1088-60-0x00000000000D0000-0x00000000000D1000-memory.dmp

Filesize
4KB

Download
memory/1088-62-0x0000000004C70000-0x0000000004C71000-memory.dmp

Filesize
4KB

Download
memory/1088-63-0x0000000009D80000-0x000000000BD7F000-memory.dmp

Filesize
32.0MB

Download
memory/1088-64-0x0000000004EB0000-0x0000000004F17000-memory.dmp

Filesize
412KB

Download
memory/1088-65-0x00000000009D0000-0x00000000009FC000-memory.dmp

Filesize
176KB

Download
memory/1500-66-0x0000000000000000-mapping.dmp

Download
memory/1944-69-0x0000000000405CE2-mapping.dmp

Download
memory/1944-68-0x0000000000400000-0x0000000000554000-memory.dmp

Filesize
1.3MB

Download
memory/1944-70-0x0000000075EF1000-0x0000000075EF3000-memory.dmp

Filesize
8KB

Download
memory/1944-71-0x0000000000400000-0x0000000000554000-memory.dmp

Filesize
1.3MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads