warzonerat | f873b017cb3063a499db2874275e4797b8412ccd1300d29f4f1af03d66ee6700

General

Target

SF40_DOC.EXE
Size

859KB
MD5

378b91450d386cf5916fb645b143d89d
SHA1

e34a417e9a6a4985de8cf1877d542364c7255dcd
SHA256

bfb41f621f57bccd1923f8437a21329666ebd4f826c7ed0f7540d54f464ad7b5
SHA512

c5db058ddfae775203c41fcf29a69e5420017722b32ca446f019e8f15cc9a4c7aa07f64fb95b5ecac5fcd6ffc8020dfb093d869f6f853bfccd1f512253d3f2dd

Score

10^/10

warzonerat infostealer rat

Malware Config

Extracted

Family

warzonerat

C2

165.22.5.66:6666

Signatures

WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
rat infostealer warzonerat

Warzone RAT Payload 3 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/2116-129-0x0000000000400000-0x0000000000554000-memory.dmp	warzonerat
behavioral2/memory/2116-130-0x0000000000405CE2-mapping.dmp	warzonerat
behavioral2/memory/2116-131-0x0000000000400000-0x0000000000554000-memory.dmp	warzonerat

Suspicious use of SetThreadContext 1 IoCs

Processes:

SF40_DOC.EXE

description pid process target process

PID 904 set thread context of 2116 904 SF40_DOC.EXE SF40_DOC.EXE
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1156 schtasks.exe
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

SF40_DOC.EXE

pid process

904 SF40_DOC.EXE
904 SF40_DOC.EXE
904 SF40_DOC.EXE
904 SF40_DOC.EXE
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

SF40_DOC.EXE

description pid process

Token: SeDebugPrivilege 904 SF40_DOC.EXE

description	pid	process	target process
PID 904 set thread context of 2116	904	SF40_DOC.EXE	SF40_DOC.EXE

pid	process
1156	schtasks.exe

pid	process
904	SF40_DOC.EXE
904	SF40_DOC.EXE
904	SF40_DOC.EXE
904	SF40_DOC.EXE

description	pid	process
Token: SeDebugPrivilege	904	SF40_DOC.EXE

Suspicious use of WriteProcessMemory 14 IoCs

Processes:

SF40_DOC.EXE

description	pid	process	target process
PID 904 wrote to memory of 1156	904	SF40_DOC.EXE	schtasks.exe
PID 904 wrote to memory of 1156	904	SF40_DOC.EXE	schtasks.exe
PID 904 wrote to memory of 1156	904	SF40_DOC.EXE	schtasks.exe
PID 904 wrote to memory of 2116	904	SF40_DOC.EXE	SF40_DOC.EXE
PID 904 wrote to memory of 2116	904	SF40_DOC.EXE	SF40_DOC.EXE
PID 904 wrote to memory of 2116	904	SF40_DOC.EXE	SF40_DOC.EXE
PID 904 wrote to memory of 2116	904	SF40_DOC.EXE	SF40_DOC.EXE
PID 904 wrote to memory of 2116	904	SF40_DOC.EXE	SF40_DOC.EXE
PID 904 wrote to memory of 2116	904	SF40_DOC.EXE	SF40_DOC.EXE
PID 904 wrote to memory of 2116	904	SF40_DOC.EXE	SF40_DOC.EXE
PID 904 wrote to memory of 2116	904	SF40_DOC.EXE	SF40_DOC.EXE
PID 904 wrote to memory of 2116	904	SF40_DOC.EXE	SF40_DOC.EXE
PID 904 wrote to memory of 2116	904	SF40_DOC.EXE	SF40_DOC.EXE
PID 904 wrote to memory of 2116	904	SF40_DOC.EXE	SF40_DOC.EXE

C:\Users\Admin\AppData\Local\Temp\SF40_DOC.EXE
"C:\Users\Admin\AppData\Local\Temp\SF40_DOC.EXE"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:904

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\QBlHdeDC" /XML "C:\Users\Admin\AppData\Local\Temp\tmp957A.tmp"
2⤵
- Creates scheduled task(s)
PID:1156

C:\Users\Admin\AppData\Local\Temp\SF40_DOC.EXE
"C:\Users\Admin\AppData\Local\Temp\SF40_DOC.EXE"
2⤵
PID:2116

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp957A.tmp

MD5
ed815d9a741aa90ff0756ea0ed9d812c

SHA1
5abbfec24d09cd94fa7bf26a63c2338bb9f9bd80

SHA256
1f307dbc4df590564002979cd154560681aa68930aba173a73be5df3d5c8a047

SHA512
a968ca684f9203553099b253573ec02b914593ec3e3feaeb67c5bb9753f62e8f31760ff6199362028c3f1b50282a8f4f458d9d19271abe6f87e58fb475d671b1

Download Submit
memory/904-119-0x0000000007920000-0x0000000007921000-memory.dmp

Filesize
4KB

Download
memory/904-124-0x0000000007D60000-0x0000000007D68000-memory.dmp

Filesize
32KB

Download
memory/904-118-0x0000000007D80000-0x0000000007D81000-memory.dmp

Filesize
4KB

Download
memory/904-114-0x0000000000560000-0x0000000000561000-memory.dmp

Filesize
4KB

Download
memory/904-120-0x0000000007890000-0x0000000007891000-memory.dmp

Filesize
4KB

Download
memory/904-121-0x0000000007A80000-0x0000000007A81000-memory.dmp

Filesize
4KB

Download
memory/904-117-0x0000000005050000-0x0000000005051000-memory.dmp

Filesize
4KB

Download
memory/904-123-0x0000000048E30000-0x0000000048E77000-memory.dmp

Filesize
284KB

Download
memory/904-122-0x0000000028D10000-0x0000000048CF8000-memory.dmp

Filesize
511.9MB

Download
memory/904-126-0x0000000048FC0000-0x0000000048FE9000-memory.dmp

Filesize
164KB

Download
memory/904-116-0x00000000077E0000-0x00000000077E1000-memory.dmp

Filesize
4KB

Download
memory/1156-127-0x0000000000000000-mapping.dmp

Download
memory/2116-129-0x0000000000400000-0x0000000000554000-memory.dmp

Filesize
1.3MB

Download
memory/2116-130-0x0000000000405CE2-mapping.dmp

Download
memory/2116-131-0x0000000000400000-0x0000000000554000-memory.dmp

Filesize
1.3MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads