warzonerat | 86cb4f209e01280e5e290d87427a19a09d77e28a42c08f805d2443f17db26706

Analysis

max time kernel
724s
max time network
1246s
platform
windows7_x64
resource
win7v20210410
submitted
13-07-2021 18:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

PO_00130721.xlsx
Size

674KB
MD5

a0287f52a42bec7b8756fef7fdb37be5
SHA1

788f23cba38a6780a1bb0f26f7eedeebfcdff089
SHA256

86cb4f209e01280e5e290d87427a19a09d77e28a42c08f805d2443f17db26706
SHA512

9d0afe0e3fd5a01871794fb4b42a7be4e624997dccf980785600c00ada0e762291dee991d66ac6ae9dc82eeb66cf2c57df424d38447d82c8f7aa551ba609baa8

Score

10^/10

warzonerat infostealer rat

Malware Config

Extracted

Family

warzonerat

taker1234.hopto.org:5032

Signatures

WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
rat infostealer warzonerat

Warzone RAT Payload 1 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/924-72-0x0000000000400000-0x0000000000554000-memory.dmp	warzonerat

Blocklisted process makes network request 1 IoCs

Processes:

EQNEDT32.EXE

flow pid process

7 316 EQNEDT32.EXE
Downloads MZ/PE file
Executes dropped EXE 2 IoCs

Processes:

tybghhju.exetybghhju.exe

pid process

1144 tybghhju.exe
924 tybghhju.exe

flow	pid	process
7	316	EQNEDT32.EXE

pid	process
1144	tybghhju.exe
924	tybghhju.exe

Loads dropped DLL 14 IoCs

Processes:

EQNEDT32.EXEtybghhju.exetybghhju.exe

pid	process
316	EQNEDT32.EXE
1144	tybghhju.exe
924	tybghhju.exe
924	tybghhju.exe
924	tybghhju.exe
924	tybghhju.exe
924	tybghhju.exe
924	tybghhju.exe
924	tybghhju.exe
924	tybghhju.exe
924	tybghhju.exe
924	tybghhju.exe
924	tybghhju.exe
924	tybghhju.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

tybghhju.exe

description pid process target process

PID 1144 set thread context of 924 1144 tybghhju.exe tybghhju.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

description	pid	process	target process
PID 1144 set thread context of 924	1144	tybghhju.exe	tybghhju.exe

NSIS installer 8 IoCs

installer

Processes:

resource	yara_rule
\Users\Admin\AppData\Roaming\tybghhju.exe	nsis_installer_1
\Users\Admin\AppData\Roaming\tybghhju.exe	nsis_installer_2
C:\Users\Admin\AppData\Roaming\tybghhju.exe	nsis_installer_1
C:\Users\Admin\AppData\Roaming\tybghhju.exe	nsis_installer_2
C:\Users\Admin\AppData\Roaming\tybghhju.exe	nsis_installer_1
C:\Users\Admin\AppData\Roaming\tybghhju.exe	nsis_installer_2
C:\Users\Admin\AppData\Roaming\tybghhju.exe	nsis_installer_1
C:\Users\Admin\AppData\Roaming\tybghhju.exe	nsis_installer_2

Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry
T1012

System Information Discovery
T1082

Processes:

EXCEL.EXE

description ioc process

Key opened \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor EXCEL.EXE
Launches Equation Editor 1 TTPs 1 IoCs
Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.
exploit

Exploitation for Client Execution
T1203

Processes:

EQNEDT32.EXE

pid process

316 EQNEDT32.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE

Modifies Internet Explorer settings 1 TTPs 9 IoCs

adware spyware

Modify Registry

T1112

Processes:

EXCEL.EXE

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	EXCEL.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Toolbar	EXCEL.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

EXCEL.EXE

pid process

1056 EXCEL.EXE
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

EXCEL.EXE

pid process

1056 EXCEL.EXE
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

tybghhju.exe

pid process

1144 tybghhju.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

EXCEL.EXE

description pid process

Token: SeShutdownPrivilege 1056 EXCEL.EXE
Suspicious use of SetWindowsHookEx 10 IoCs

Processes:

EXCEL.EXE

pid process

1056 EXCEL.EXE
1056 EXCEL.EXE
1056 EXCEL.EXE
1056 EXCEL.EXE
1056 EXCEL.EXE
1056 EXCEL.EXE
1056 EXCEL.EXE
1056 EXCEL.EXE
1056 EXCEL.EXE
1056 EXCEL.EXE

pid	process
1056	EXCEL.EXE

pid	process
1056	EXCEL.EXE

pid	process
1144	tybghhju.exe

description	pid	process
Token: SeShutdownPrivilege	1056	EXCEL.EXE

pid	process
1056	EXCEL.EXE
1056	EXCEL.EXE
1056	EXCEL.EXE
1056	EXCEL.EXE
1056	EXCEL.EXE
1056	EXCEL.EXE
1056	EXCEL.EXE
1056	EXCEL.EXE
1056	EXCEL.EXE
1056	EXCEL.EXE

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

EQNEDT32.EXEtybghhju.exe

description	pid	process	target process
PID 316 wrote to memory of 1144	316	EQNEDT32.EXE	tybghhju.exe
PID 316 wrote to memory of 1144	316	EQNEDT32.EXE	tybghhju.exe
PID 316 wrote to memory of 1144	316	EQNEDT32.EXE	tybghhju.exe
PID 316 wrote to memory of 1144	316	EQNEDT32.EXE	tybghhju.exe
PID 1144 wrote to memory of 924	1144	tybghhju.exe	tybghhju.exe
PID 1144 wrote to memory of 924	1144	tybghhju.exe	tybghhju.exe
PID 1144 wrote to memory of 924	1144	tybghhju.exe	tybghhju.exe
PID 1144 wrote to memory of 924	1144	tybghhju.exe	tybghhju.exe
PID 1144 wrote to memory of 924	1144	tybghhju.exe	tybghhju.exe

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\PO_00130721.xlsx
1⤵
- Enumerates system info in registry
- Modifies Internet Explorer settings
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1056

C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
1⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Launches Equation Editor
- Suspicious use of WriteProcessMemory
PID:316

C:\Users\Admin\AppData\Roaming\tybghhju.exe
C:\Users\Admin\AppData\Roaming\tybghhju.exe
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1144

C:\Users\Admin\AppData\Roaming\tybghhju.exe
C:\Users\Admin\AppData\Roaming\tybghhju.exe
3⤵
- Executes dropped EXE
- Loads dropped DLL
PID:924

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Exploitation for Client Execution

T1203

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Query Registry

T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\tybghhju.exe
MD5
3762cbb31e873b26f8aad4c630369425

SHA1
e4985cf0bf98a409cb874e02373f102deea78327

SHA256
533c95efa1684d0b2496bbc7f579dd67ff646a6ca5dea085383ca1209e9b3f54

SHA512
a0d2296987d51c2cdc823f1ab348cf17bc8b8dc1534e1d07deabae3a0db431db2a759c84d6032d6b7738b6f15c862348cd73e3137a61d3bc7fb48434febb7b96

Download Submit
C:\Users\Admin\AppData\Roaming\tybghhju.exe
MD5
3762cbb31e873b26f8aad4c630369425

SHA1
e4985cf0bf98a409cb874e02373f102deea78327

SHA256
533c95efa1684d0b2496bbc7f579dd67ff646a6ca5dea085383ca1209e9b3f54

SHA512
a0d2296987d51c2cdc823f1ab348cf17bc8b8dc1534e1d07deabae3a0db431db2a759c84d6032d6b7738b6f15c862348cd73e3137a61d3bc7fb48434febb7b96

Download Submit
C:\Users\Admin\AppData\Roaming\tybghhju.exe
MD5
3762cbb31e873b26f8aad4c630369425

SHA1
e4985cf0bf98a409cb874e02373f102deea78327

SHA256
533c95efa1684d0b2496bbc7f579dd67ff646a6ca5dea085383ca1209e9b3f54

SHA512
a0d2296987d51c2cdc823f1ab348cf17bc8b8dc1534e1d07deabae3a0db431db2a759c84d6032d6b7738b6f15c862348cd73e3137a61d3bc7fb48434febb7b96

Download Submit
\Users\Admin\AppData\Local\Temp\freebl3.dll
MD5
ef12ab9d0b231b8f898067b2114b1bc0

SHA1
6d90f27b2105945f9bb77039e8b892070a5f9442

SHA256
2b00fc4f541ac10c94e3556ff28e30a801811c36422546a546a445aca3f410f7

SHA512
2aa62bfba556ad8f042942dd25aa071ff6677c257904377c1ec956fd9e862abcbf379e0cfd8c630c303a32ece75618c24e3eef58bddb705c427985b944689193

Download Submit
\Users\Admin\AppData\Local\Temp\freebl3.dll
MD5
ef12ab9d0b231b8f898067b2114b1bc0

SHA1
6d90f27b2105945f9bb77039e8b892070a5f9442

SHA256
2b00fc4f541ac10c94e3556ff28e30a801811c36422546a546a445aca3f410f7

SHA512
2aa62bfba556ad8f042942dd25aa071ff6677c257904377c1ec956fd9e862abcbf379e0cfd8c630c303a32ece75618c24e3eef58bddb705c427985b944689193

Download Submit
\Users\Admin\AppData\Local\Temp\mozglue.dll
MD5
75f8cc548cabf0cc800c25047e4d3124

SHA1
602676768f9faecd35b48c38a0632781dfbde10c

SHA256
fb419a60305f17359e2ac0510233ee80e845885eee60607715c67dd88e501ef0

SHA512
ed831c9c769aef3be253c52542cf032afa0a8fa5fe25ca704db65ee6883c608220df7102ac2b99ee9c2e599a0f5db99fd86894a4b169e68440eb1b0d0012672f

Download Submit
\Users\Admin\AppData\Local\Temp\mozglue.dll
MD5
75f8cc548cabf0cc800c25047e4d3124

SHA1
602676768f9faecd35b48c38a0632781dfbde10c

SHA256
fb419a60305f17359e2ac0510233ee80e845885eee60607715c67dd88e501ef0

SHA512
ed831c9c769aef3be253c52542cf032afa0a8fa5fe25ca704db65ee6883c608220df7102ac2b99ee9c2e599a0f5db99fd86894a4b169e68440eb1b0d0012672f

Download Submit
\Users\Admin\AppData\Local\Temp\msvcp140.dll
MD5
109f0f02fd37c84bfc7508d4227d7ed5

SHA1
ef7420141bb15ac334d3964082361a460bfdb975

SHA256
334e69ac9367f708ce601a6f490ff227d6c20636da5222f148b25831d22e13d4

SHA512
46eb62b65817365c249b48863d894b4669e20fcb3992e747cd5c9fdd57968e1b2cf7418d1c9340a89865eadda362b8db51947eb4427412eb83b35994f932fd39

Download Submit
\Users\Admin\AppData\Local\Temp\msvcp140.dll
MD5
109f0f02fd37c84bfc7508d4227d7ed5

SHA1
ef7420141bb15ac334d3964082361a460bfdb975

SHA256
334e69ac9367f708ce601a6f490ff227d6c20636da5222f148b25831d22e13d4

SHA512
46eb62b65817365c249b48863d894b4669e20fcb3992e747cd5c9fdd57968e1b2cf7418d1c9340a89865eadda362b8db51947eb4427412eb83b35994f932fd39

Download Submit
\Users\Admin\AppData\Local\Temp\msvcp140.dll
MD5
109f0f02fd37c84bfc7508d4227d7ed5

SHA1
ef7420141bb15ac334d3964082361a460bfdb975

SHA256
334e69ac9367f708ce601a6f490ff227d6c20636da5222f148b25831d22e13d4

SHA512
46eb62b65817365c249b48863d894b4669e20fcb3992e747cd5c9fdd57968e1b2cf7418d1c9340a89865eadda362b8db51947eb4427412eb83b35994f932fd39

Download Submit
\Users\Admin\AppData\Local\Temp\msvcp140.dll
MD5
109f0f02fd37c84bfc7508d4227d7ed5

SHA1
ef7420141bb15ac334d3964082361a460bfdb975

SHA256
334e69ac9367f708ce601a6f490ff227d6c20636da5222f148b25831d22e13d4

SHA512
46eb62b65817365c249b48863d894b4669e20fcb3992e747cd5c9fdd57968e1b2cf7418d1c9340a89865eadda362b8db51947eb4427412eb83b35994f932fd39

Download Submit
\Users\Admin\AppData\Local\Temp\nss3.dll
MD5
99cdf4f57217acee504875e7d92251e7

SHA1
8397e3ef3b6bb838b35cb639daad8f1fef99d73a

SHA256
281437eae83246327a79bf2c10f6b6be3362d536fbc1ce12f73aab838344a291

SHA512
e703349fa0b71dc28dbb422a1b45435fae8bac765a5b4d524345bb60e09da5cec99e93abf19853858c1a87000d483377f74d1a7b1c973a90888563ee300adf0b

Download Submit
\Users\Admin\AppData\Local\Temp\nss3.dll
MD5
99cdf4f57217acee504875e7d92251e7

SHA1
8397e3ef3b6bb838b35cb639daad8f1fef99d73a

SHA256
281437eae83246327a79bf2c10f6b6be3362d536fbc1ce12f73aab838344a291

SHA512
e703349fa0b71dc28dbb422a1b45435fae8bac765a5b4d524345bb60e09da5cec99e93abf19853858c1a87000d483377f74d1a7b1c973a90888563ee300adf0b

Download Submit
\Users\Admin\AppData\Local\Temp\nss3.dll
MD5
99cdf4f57217acee504875e7d92251e7

SHA1
8397e3ef3b6bb838b35cb639daad8f1fef99d73a

SHA256
281437eae83246327a79bf2c10f6b6be3362d536fbc1ce12f73aab838344a291

SHA512
e703349fa0b71dc28dbb422a1b45435fae8bac765a5b4d524345bb60e09da5cec99e93abf19853858c1a87000d483377f74d1a7b1c973a90888563ee300adf0b

Download Submit
\Users\Admin\AppData\Local\Temp\nss3.dll
MD5
99cdf4f57217acee504875e7d92251e7

SHA1
8397e3ef3b6bb838b35cb639daad8f1fef99d73a

SHA256
281437eae83246327a79bf2c10f6b6be3362d536fbc1ce12f73aab838344a291

SHA512
e703349fa0b71dc28dbb422a1b45435fae8bac765a5b4d524345bb60e09da5cec99e93abf19853858c1a87000d483377f74d1a7b1c973a90888563ee300adf0b

Download Submit
\Users\Admin\AppData\Local\Temp\yoeohrl.dll
MD5
a06f93ae835f108b287e4b36a7cc7a50

SHA1
2b2cefaacd35a064a523476961877b1087206f47

SHA256
f20d5db2348d918287dd69e893353670b97fd47e5e5788f34acb48befa806de9

SHA512
4e6082efeaf4dc394db713cb94212b48ee9ee892765034e017c93d002ead1b408cc351d4779a16ec44b80868ed47c86e84b4e48ce748d7382bb739ad9a5acf0f

Download Submit
\Users\Admin\AppData\Roaming\tybghhju.exe
MD5
3762cbb31e873b26f8aad4c630369425

SHA1
e4985cf0bf98a409cb874e02373f102deea78327

SHA256
533c95efa1684d0b2496bbc7f579dd67ff646a6ca5dea085383ca1209e9b3f54

SHA512
a0d2296987d51c2cdc823f1ab348cf17bc8b8dc1534e1d07deabae3a0db431db2a759c84d6032d6b7738b6f15c862348cd73e3137a61d3bc7fb48434febb7b96

Download Submit
memory/316-62-0x00000000752B1000-0x00000000752B3000-memory.dmp

Filesize
8KB

Download
memory/924-74-0x0000000004070000-0x00000000040F4000-memory.dmp

Filesize
528KB

Download
memory/924-73-0x0000000003790000-0x0000000003814000-memory.dmp

Filesize
528KB

Download
memory/924-72-0x0000000000400000-0x0000000000554000-memory.dmp

Filesize
1.3MB

Download
memory/924-69-0x0000000000405CE2-mapping.dmp

Download
memory/1056-59-0x000000002F671000-0x000000002F674000-memory.dmp

Filesize
12KB

Download
memory/1056-61-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/1056-60-0x0000000070E41000-0x0000000070E43000-memory.dmp

Filesize
8KB

Download
memory/1144-64-0x0000000000000000-mapping.dmp

Download