warzonerat | 1c2e2cbb43d0e1fb959efad9fb85730d708ca9a4e55fda7fcd1eb54f4c9b4533

Analysis

max time kernel
139s
max time network
159s
platform
windows10_x64
resource
win10v20210410
submitted
13-07-2021 07:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1c2e2cbb43d0e1fb959efad9fb85730d708ca9a4e55fda7fcd1eb54f4c9b4533.exe
Size

349KB
MD5

fdfe68e39f18af54ae5bcae5c592be08
SHA1

fbebee446990f1c6e870589ffba1c6b0bab07e87
SHA256

1c2e2cbb43d0e1fb959efad9fb85730d708ca9a4e55fda7fcd1eb54f4c9b4533
SHA512

e9c3425a36e924cfa8779d47213881fcfd79e6dcfe021af0d0a3a667ea20ef0579601b37bf63dbe2e92142d864fab0862c93096a12686c6c255f57e0ccf3df16

Score

10^/10

warzonerat infostealer persistence rat

Malware Config

Extracted

Family

warzonerat

gecisdiktatura.chickenkiller.com:5200

Signatures

Suspicious use of NtCreateProcessExOtherParentProcess 1 IoCs

Processes:

WerFault.exe

description pid process target process

PID 1772 created 1276 1772 WerFault.exe 2.exe
WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
rat infostealer warzonerat

description	pid	process	target process
PID 1772 created 1276	1772	WerFault.exe	2.exe

Warzone RAT Payload 4 IoCs

rat

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\RarSFX0\svchost.exe	warzonerat
C:\Users\Admin\AppData\Local\Temp\RarSFX0\svchost.exe	warzonerat
C:\ProgramData\svchost.exe	warzonerat
C:\ProgramData\svchost.exe	warzonerat

Executes dropped EXE 3 IoCs

Processes:

svchost.exe2.exesvchost.exe

pid process

4004 svchost.exe
1276 2.exe
3120 svchost.exe

pid	process
4004	svchost.exe
1276	2.exe
3120	svchost.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

svchost.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\svchost = "C:\\ProgramData\\svchost.exe"	svchost.exe

Drops file in Windows directory 1 IoCs

Processes:

2.exe

description ioc process

File created C:\Windows\CSGhostTemp\startcsgo.bat 2.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

1296 1276 WerFault.exe 2.exe
1772 1276 WerFault.exe 2.exe

description	ioc	process
File created	C:\Windows\CSGhostTemp\startcsgo.bat	2.exe

pid	pid_target	process	target process
1296	1276	WerFault.exe	2.exe
1772	1276	WerFault.exe	2.exe

Modifies registry class 1 IoCs

Processes:

1c2e2cbb43d0e1fb959efad9fb85730d708ca9a4e55fda7fcd1eb54f4c9b4533.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings	1c2e2cbb43d0e1fb959efad9fb85730d708ca9a4e55fda7fcd1eb54f4c9b4533.exe

Suspicious behavior: EnumeratesProcesses 43 IoCs

Processes:

2.exeWerFault.exepowershell.exepowershell.exeWerFault.exe

pid	process
1276	2.exe
1276	2.exe
1276	2.exe
1276	2.exe
1276	2.exe
1276	2.exe
1276	2.exe
1276	2.exe
1296	WerFault.exe
1296	WerFault.exe
1296	WerFault.exe
1296	WerFault.exe
1296	WerFault.exe
1296	WerFault.exe
1296	WerFault.exe
1296	WerFault.exe
1296	WerFault.exe
1296	WerFault.exe
1296	WerFault.exe
1296	WerFault.exe
1296	WerFault.exe
1296	WerFault.exe
1296	WerFault.exe
3736	powershell.exe
3736	powershell.exe
2828	powershell.exe
3736	powershell.exe
2828	powershell.exe
2828	powershell.exe
1772	WerFault.exe
1772	WerFault.exe
1772	WerFault.exe
1772	WerFault.exe
1772	WerFault.exe
1772	WerFault.exe
1772	WerFault.exe
1772	WerFault.exe
1772	WerFault.exe
1772	WerFault.exe
1772	WerFault.exe
1772	WerFault.exe
1772	WerFault.exe
1772	WerFault.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

WerFault.exepowershell.exepowershell.exeWerFault.exe

description	pid	process
Token: SeRestorePrivilege	1296	WerFault.exe
Token: SeBackupPrivilege	1296	WerFault.exe
Token: SeDebugPrivilege	1296	WerFault.exe
Token: SeDebugPrivilege	3736	powershell.exe
Token: SeDebugPrivilege	2828	powershell.exe
Token: SeDebugPrivilege	1772	WerFault.exe

Suspicious use of WriteProcessMemory 23 IoCs

Processes:

1c2e2cbb43d0e1fb959efad9fb85730d708ca9a4e55fda7fcd1eb54f4c9b4533.exeWScript.exesvchost.exesvchost.exe

description	pid	process	target process
PID 2228 wrote to memory of 4020	2228	1c2e2cbb43d0e1fb959efad9fb85730d708ca9a4e55fda7fcd1eb54f4c9b4533.exe	WScript.exe
PID 2228 wrote to memory of 4020	2228	1c2e2cbb43d0e1fb959efad9fb85730d708ca9a4e55fda7fcd1eb54f4c9b4533.exe	WScript.exe
PID 2228 wrote to memory of 4020	2228	1c2e2cbb43d0e1fb959efad9fb85730d708ca9a4e55fda7fcd1eb54f4c9b4533.exe	WScript.exe
PID 4020 wrote to memory of 4004	4020	WScript.exe	svchost.exe
PID 4020 wrote to memory of 4004	4020	WScript.exe	svchost.exe
PID 4020 wrote to memory of 4004	4020	WScript.exe	svchost.exe
PID 4020 wrote to memory of 1276	4020	WScript.exe	2.exe
PID 4020 wrote to memory of 1276	4020	WScript.exe	2.exe
PID 4020 wrote to memory of 1276	4020	WScript.exe	2.exe
PID 4004 wrote to memory of 3736	4004	svchost.exe	powershell.exe
PID 4004 wrote to memory of 3736	4004	svchost.exe	powershell.exe
PID 4004 wrote to memory of 3736	4004	svchost.exe	powershell.exe
PID 4004 wrote to memory of 3120	4004	svchost.exe	svchost.exe
PID 4004 wrote to memory of 3120	4004	svchost.exe	svchost.exe
PID 4004 wrote to memory of 3120	4004	svchost.exe	svchost.exe
PID 3120 wrote to memory of 2828	3120	svchost.exe	powershell.exe
PID 3120 wrote to memory of 2828	3120	svchost.exe	powershell.exe
PID 3120 wrote to memory of 2828	3120	svchost.exe	powershell.exe
PID 3120 wrote to memory of 3824	3120	svchost.exe	cmd.exe
PID 3120 wrote to memory of 3824	3120	svchost.exe	cmd.exe
PID 3120 wrote to memory of 3824	3120	svchost.exe	cmd.exe
PID 3120 wrote to memory of 3824	3120	svchost.exe	cmd.exe
PID 3120 wrote to memory of 3824	3120	svchost.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\1c2e2cbb43d0e1fb959efad9fb85730d708ca9a4e55fda7fcd1eb54f4c9b4533.exe
"C:\Users\Admin\AppData\Local\Temp\1c2e2cbb43d0e1fb959efad9fb85730d708ca9a4e55fda7fcd1eb54f4c9b4533.exe"
1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2228

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\RarSFX0\run.vbs"
2⤵
- Suspicious use of WriteProcessMemory
PID:4020

C:\Users\Admin\AppData\Local\Temp\RarSFX0\svchost.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX0\svchost.exe"
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4004

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell Add-MpPreference -ExclusionPath C:\
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3736

C:\ProgramData\svchost.exe
"C:\ProgramData\svchost.exe"
4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3120

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell Add-MpPreference -ExclusionPath C:\
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2828

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe"
5⤵
PID:3824

C:\Users\Admin\AppData\Local\Temp\RarSFX0\2.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX0\2.exe"
3⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
PID:1276

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1276 -s 804
4⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1296

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1276 -s 804
4⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1772

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\svchost.exe
MD5
57361942a833f5444b22b45c3bf4412b

SHA1
b65a80c75acd9f1224f468147218769d472c2b22

SHA256
ed9ee108ad9308e54fa8f85d8a7b48b2c08872b5d29a5a3d2c8491ef5c024cdd

SHA512
7248ef8f715ff35210c777718d74f3b971891b48da2d25c53605b308e2d7069b26422a86c68405b7a03285aa034a77bb664450dc7f30f23c777b0775c92f53dd

Download Submit
C:\ProgramData\svchost.exe
MD5
57361942a833f5444b22b45c3bf4412b

SHA1
b65a80c75acd9f1224f468147218769d472c2b22

SHA256
ed9ee108ad9308e54fa8f85d8a7b48b2c08872b5d29a5a3d2c8491ef5c024cdd

SHA512
7248ef8f715ff35210c777718d74f3b971891b48da2d25c53605b308e2d7069b26422a86c68405b7a03285aa034a77bb664450dc7f30f23c777b0775c92f53dd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
MD5
1c19c16e21c97ed42d5beabc93391fc5

SHA1
8ad83f8e0b3acf8dfbbf87931e41f0d664c4df68

SHA256
1bcd97396c83babfe6c5068ba590d7a3f8b70e72955a9d1e4070648e404cbf05

SHA512
7d18776d8f649b3d29c182ff03efc6cea8b527542ee55304980f24577aae8b64e37044407776e220984346c3998ace5f8853afa58c8b38407482a728e9495e0c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
7d1c4c3f4662cc4c021f14a07012eeca

SHA1
14395f9438f4e94ba686ff77101c6f7f9071c1e7

SHA256
aac25d7bf00ea4713de2837167d5eded35118da7f1011006f5003f34debc4077

SHA512
aaaf9cc87d659acc30804f7098a42ceb7e4f4a5f8ea04e73e3bc453f703a9be65453a08529223a1337525d787f5a2b94d4d9898b4843b842b314b420bf34647a

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\2.exe
MD5
8f336143e8e7b8f07af70c5d1ff26dba

SHA1
1da5ab7ba489c1fa69ae03404d14ae7004df598c

SHA256
3a55acf3268b5ec82bd2d879622d1da1a0231c27dcd2a869527c0a077f877452

SHA512
24bc2667ade37c108589c8d611dbecbe209f7ecdc01389d1cf6c43dae2d7890893c74ad33c31259569c7fcfba92d882bceaeae0e42f5d1863a2cbadd20078f8f

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\2.exe
MD5
8f336143e8e7b8f07af70c5d1ff26dba

SHA1
1da5ab7ba489c1fa69ae03404d14ae7004df598c

SHA256
3a55acf3268b5ec82bd2d879622d1da1a0231c27dcd2a869527c0a077f877452

SHA512
24bc2667ade37c108589c8d611dbecbe209f7ecdc01389d1cf6c43dae2d7890893c74ad33c31259569c7fcfba92d882bceaeae0e42f5d1863a2cbadd20078f8f

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\run.vbs
MD5
d2edb8bcb630a5a2ffcfe20ae4b016dc

SHA1
b79dccd9cccfc055e0b1e894eddc26005ed950c3

SHA256
22ce37b26028114c9ddefa20562b6d4bc63def3dca2064d0070ad3bc47c0b77e

SHA512
e45df5615e6c51f4ccd6cd0fc5f50eaabc4f4e061a486f21679324cd6d337b51f551bb3fd5ce7c1aca7cd71bacb65e6319d277aba79b8e9ed645b172e269569b

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\svchost.exe
MD5
57361942a833f5444b22b45c3bf4412b

SHA1
b65a80c75acd9f1224f468147218769d472c2b22

SHA256
ed9ee108ad9308e54fa8f85d8a7b48b2c08872b5d29a5a3d2c8491ef5c024cdd

SHA512
7248ef8f715ff35210c777718d74f3b971891b48da2d25c53605b308e2d7069b26422a86c68405b7a03285aa034a77bb664450dc7f30f23c777b0775c92f53dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\svchost.exe
MD5
57361942a833f5444b22b45c3bf4412b

SHA1
b65a80c75acd9f1224f468147218769d472c2b22

SHA256
ed9ee108ad9308e54fa8f85d8a7b48b2c08872b5d29a5a3d2c8491ef5c024cdd

SHA512
7248ef8f715ff35210c777718d74f3b971891b48da2d25c53605b308e2d7069b26422a86c68405b7a03285aa034a77bb664450dc7f30f23c777b0775c92f53dd

Download Submit
memory/1276-122-0x0000000000000000-mapping.dmp

Download
memory/2828-140-0x0000000000000000-mapping.dmp

Download
memory/2828-201-0x0000000006DE3000-0x0000000006DE4000-memory.dmp

Filesize
4KB

Download
memory/2828-199-0x000000007F020000-0x000000007F021000-memory.dmp

Filesize
4KB

Download
memory/2828-196-0x0000000009680000-0x0000000009681000-memory.dmp

Filesize
4KB

Download
memory/2828-156-0x0000000006DE0000-0x0000000006DE1000-memory.dmp

Filesize
4KB

Download
memory/2828-157-0x0000000006DE2000-0x0000000006DE3000-memory.dmp

Filesize
4KB

Download
memory/3120-125-0x0000000000000000-mapping.dmp

Download
memory/3736-136-0x0000000007C30000-0x0000000007C31000-memory.dmp

Filesize
4KB

Download
memory/3736-198-0x000000007E7C0000-0x000000007E7C1000-memory.dmp

Filesize
4KB

Download
memory/3736-137-0x0000000007D10000-0x0000000007D11000-memory.dmp

Filesize
4KB

Download
memory/3736-138-0x0000000008060000-0x0000000008061000-memory.dmp

Filesize
4KB

Download
memory/3736-139-0x0000000008220000-0x0000000008221000-memory.dmp

Filesize
4KB

Download
memory/3736-135-0x0000000007CA0000-0x0000000007CA1000-memory.dmp

Filesize
4KB

Download
memory/3736-124-0x0000000000000000-mapping.dmp

Download
memory/3736-142-0x00000000084D0000-0x00000000084D1000-memory.dmp

Filesize
4KB

Download
memory/3736-134-0x00000000073D0000-0x00000000073D1000-memory.dmp

Filesize
4KB

Download
memory/3736-133-0x0000000004922000-0x0000000004923000-memory.dmp

Filesize
4KB

Download
memory/3736-165-0x0000000009460000-0x0000000009493000-memory.dmp

Filesize
204KB

Download
memory/3736-174-0x0000000009420000-0x0000000009421000-memory.dmp

Filesize
4KB

Download
memory/3736-183-0x0000000009590000-0x0000000009591000-memory.dmp

Filesize
4KB

Download
memory/3736-132-0x0000000004920000-0x0000000004921000-memory.dmp

Filesize
4KB

Download
memory/3736-200-0x0000000004923000-0x0000000004924000-memory.dmp

Filesize
4KB

Download
memory/3736-131-0x0000000007500000-0x0000000007501000-memory.dmp

Filesize
4KB

Download
memory/3736-598-0x0000000007000000-0x0000000007001000-memory.dmp

Filesize
4KB

Download
memory/3736-130-0x00000000049A0000-0x00000000049A1000-memory.dmp

Filesize
4KB

Download
memory/3736-586-0x0000000007010000-0x0000000007011000-memory.dmp

Filesize
4KB

Download
memory/3824-141-0x0000000000000000-mapping.dmp

Download
memory/4004-119-0x0000000000000000-mapping.dmp

Download
memory/4020-116-0x0000000000000000-mapping.dmp

Download