warzonerat | 7ad82722eed02d63b24e0e99480e332d26074f9cadbacef5a653989f81bc9f7e

General

Target

MACHINE_.EXE
Size

552KB
MD5

dd29df9b14e9165a7e218ccb399934b5
SHA1

e5b3e6f043612e53cd9fbae00b93102596238f42
SHA256

9051b63011b57f14eb413563f9ee38a2e52a41b20a1c165f2daf057eb7dc2766
SHA512

7161a2df32c9da9823cf7bfd11874c8f71def013fc8ff12a06ac9c5c045bbba1e2d077b9f7bad32d1bbe88862804119da419f8951d5256bc57aef6cb3f393811

Score

10^/10

warzonerat infostealer rat upx

Malware Config

Extracted

Family

warzonerat

C2

2.56.59.131:5200

Signatures

WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
rat infostealer warzonerat
Executes dropped EXE 2 IoCs

Processes:

images.exeimages.exe

pid process

2812 images.exe
3928 images.exe

pid	process
2812	images.exe
3928	images.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\ProgramData\images.exe	upx
C:\ProgramData\images.exe	upx
C:\ProgramData\images.exe	upx

Suspicious use of SetThreadContext 2 IoCs

Processes:

MACHINE_.EXEimages.exe

description	pid	process	target process
PID 3148 set thread context of 4048	3148	MACHINE_.EXE	MACHINE_.EXE
PID 2812 set thread context of 3928	2812	images.exe	images.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1452 3928 WerFault.exe images.exe

pid	pid_target	process	target process
1452	3928	WerFault.exe	images.exe

Suspicious behavior: EnumeratesProcesses 18 IoCs

Processes:

powershell.exeWerFault.exe

pid	process
1296	powershell.exe
1452	WerFault.exe
1452	WerFault.exe
1452	WerFault.exe
1452	WerFault.exe
1452	WerFault.exe
1452	WerFault.exe
1452	WerFault.exe
1452	WerFault.exe
1452	WerFault.exe
1452	WerFault.exe
1452	WerFault.exe
1452	WerFault.exe
1452	WerFault.exe
1452	WerFault.exe
1452	WerFault.exe
1296	powershell.exe
1296	powershell.exe

Suspicious behavior: MapViewOfSection 3 IoCs

Processes:

MACHINE_.EXEimages.exe

pid process

3148 MACHINE_.EXE
2812 images.exe
2812 images.exe

pid	process
3148	MACHINE_.EXE
2812	images.exe
2812	images.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

WerFault.exepowershell.exe

description	pid	process
Token: SeRestorePrivilege	1452	WerFault.exe
Token: SeBackupPrivilege	1452	WerFault.exe
Token: SeDebugPrivilege	1296	powershell.exe
Token: SeDebugPrivilege	1452	WerFault.exe

Suspicious use of WriteProcessMemory 20 IoCs

Processes:

MACHINE_.EXEMACHINE_.EXEcmd.exeimages.exe

description	pid	process	target process
PID 3148 wrote to memory of 4048	3148	MACHINE_.EXE	MACHINE_.EXE
PID 3148 wrote to memory of 4048	3148	MACHINE_.EXE	MACHINE_.EXE
PID 3148 wrote to memory of 4048	3148	MACHINE_.EXE	MACHINE_.EXE
PID 3148 wrote to memory of 4048	3148	MACHINE_.EXE	MACHINE_.EXE
PID 4048 wrote to memory of 1296	4048	MACHINE_.EXE	powershell.exe
PID 4048 wrote to memory of 1296	4048	MACHINE_.EXE	powershell.exe
PID 4048 wrote to memory of 1296	4048	MACHINE_.EXE	powershell.exe
PID 4048 wrote to memory of 2128	4048	MACHINE_.EXE	cmd.exe
PID 4048 wrote to memory of 2128	4048	MACHINE_.EXE	cmd.exe
PID 4048 wrote to memory of 2128	4048	MACHINE_.EXE	cmd.exe
PID 4048 wrote to memory of 2812	4048	MACHINE_.EXE	images.exe
PID 4048 wrote to memory of 2812	4048	MACHINE_.EXE	images.exe
PID 4048 wrote to memory of 2812	4048	MACHINE_.EXE	images.exe
PID 2128 wrote to memory of 3544	2128	cmd.exe	reg.exe
PID 2128 wrote to memory of 3544	2128	cmd.exe	reg.exe
PID 2128 wrote to memory of 3544	2128	cmd.exe	reg.exe
PID 2812 wrote to memory of 3928	2812	images.exe	images.exe
PID 2812 wrote to memory of 3928	2812	images.exe	images.exe
PID 2812 wrote to memory of 3928	2812	images.exe	images.exe
PID 2812 wrote to memory of 3928	2812	images.exe	images.exe

C:\Users\Admin\AppData\Local\Temp\MACHINE_.EXE
"C:\Users\Admin\AppData\Local\Temp\MACHINE_.EXE"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:3148

C:\Users\Admin\AppData\Local\Temp\MACHINE_.EXE
"C:\Users\Admin\AppData\Local\Temp\MACHINE_.EXE"
2⤵
- Suspicious use of WriteProcessMemory
PID:4048

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell Add-MpPreference -ExclusionPath C:\
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1296

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /f /v Load /t REG_SZ /d "C:\ProgramData\images.exe"
3⤵
- Suspicious use of WriteProcessMemory
PID:2128

C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /f /v Load /t REG_SZ /d "C:\ProgramData\images.exe"
4⤵
PID:3544

C:\ProgramData\images.exe
"C:\ProgramData\images.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:2812

C:\ProgramData\images.exe
"C:\ProgramData\images.exe"
4⤵
- Executes dropped EXE
PID:3928

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3928 -s 544
5⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1452

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\images.exe
MD5
dd29df9b14e9165a7e218ccb399934b5

SHA1
e5b3e6f043612e53cd9fbae00b93102596238f42

SHA256
9051b63011b57f14eb413563f9ee38a2e52a41b20a1c165f2daf057eb7dc2766

SHA512
7161a2df32c9da9823cf7bfd11874c8f71def013fc8ff12a06ac9c5c045bbba1e2d077b9f7bad32d1bbe88862804119da419f8951d5256bc57aef6cb3f393811

Download Submit
C:\ProgramData\images.exe
MD5
dd29df9b14e9165a7e218ccb399934b5

SHA1
e5b3e6f043612e53cd9fbae00b93102596238f42

SHA256
9051b63011b57f14eb413563f9ee38a2e52a41b20a1c165f2daf057eb7dc2766

SHA512
7161a2df32c9da9823cf7bfd11874c8f71def013fc8ff12a06ac9c5c045bbba1e2d077b9f7bad32d1bbe88862804119da419f8951d5256bc57aef6cb3f393811

Download Submit
C:\ProgramData\images.exe
MD5
dd29df9b14e9165a7e218ccb399934b5

SHA1
e5b3e6f043612e53cd9fbae00b93102596238f42

SHA256
9051b63011b57f14eb413563f9ee38a2e52a41b20a1c165f2daf057eb7dc2766

SHA512
7161a2df32c9da9823cf7bfd11874c8f71def013fc8ff12a06ac9c5c045bbba1e2d077b9f7bad32d1bbe88862804119da419f8951d5256bc57aef6cb3f393811

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\U0EJMF7X\NJLokKht[1]
MD5
bf741e9437b0641a0bf6c84589b670d7

SHA1
3d3fb4d32b5dc89c77f869332c41bfa7d78c73a7

SHA256
397a9971c89e963eeb01eefbeaf1fdadbc8665722945246e9aab59ba1e9c9295

SHA512
e056774014b5cd0b7e4001e7e89a5adf83d14e9ffb80587b2b2e4daa71d39a82eece9c0a302308623575084fc617b8a16a384a1b1daa3a2d9feabf3d2694498f

Download Submit
C:\Users\Admin\AppData\Local\Temp\rzlqcofliuzn
MD5
bf741e9437b0641a0bf6c84589b670d7

SHA1
3d3fb4d32b5dc89c77f869332c41bfa7d78c73a7

SHA256
397a9971c89e963eeb01eefbeaf1fdadbc8665722945246e9aab59ba1e9c9295

SHA512
e056774014b5cd0b7e4001e7e89a5adf83d14e9ffb80587b2b2e4daa71d39a82eece9c0a302308623575084fc617b8a16a384a1b1daa3a2d9feabf3d2694498f

Download Submit
memory/1296-132-0x0000000005030000-0x0000000005031000-memory.dmp

Filesize
4KB

Download
memory/1296-140-0x0000000008A30000-0x0000000008A31000-memory.dmp

Filesize
4KB

Download
memory/1296-362-0x0000000009CA0000-0x0000000009CA1000-memory.dmp

Filesize
4KB

Download
memory/1296-118-0x0000000000000000-mapping.dmp

Download
memory/1296-356-0x0000000009CB0000-0x0000000009CB1000-memory.dmp

Filesize
4KB

Download
memory/1296-163-0x0000000009D00000-0x0000000009D01000-memory.dmp

Filesize
4KB

Download
memory/1296-162-0x0000000005033000-0x0000000005034000-memory.dmp

Filesize
4KB

Download
memory/1296-161-0x000000007F0C0000-0x000000007F0C1000-memory.dmp

Filesize
4KB

Download
memory/1296-160-0x0000000009B50000-0x0000000009B51000-memory.dmp

Filesize
4KB

Download
memory/1296-130-0x0000000004F60000-0x0000000004F61000-memory.dmp

Filesize
4KB

Download
memory/1296-131-0x0000000007A90000-0x0000000007A91000-memory.dmp

Filesize
4KB

Download
memory/1296-155-0x00000000097E0000-0x00000000097E1000-memory.dmp

Filesize
4KB

Download
memory/1296-133-0x0000000005032000-0x0000000005033000-memory.dmp

Filesize
4KB

Download
memory/1296-134-0x0000000007990000-0x0000000007991000-memory.dmp

Filesize
4KB

Download
memory/1296-135-0x00000000080C0000-0x00000000080C1000-memory.dmp

Filesize
4KB

Download
memory/1296-136-0x0000000008130000-0x0000000008131000-memory.dmp

Filesize
4KB

Download
memory/1296-137-0x0000000008460000-0x0000000008461000-memory.dmp

Filesize
4KB

Download
memory/1296-138-0x00000000081C0000-0x00000000081C1000-memory.dmp

Filesize
4KB

Download
memory/1296-139-0x0000000008400000-0x0000000008401000-memory.dmp

Filesize
4KB

Download
memory/1296-148-0x0000000009800000-0x0000000009833000-memory.dmp

Filesize
204KB

Download
memory/2128-119-0x0000000000000000-mapping.dmp

Download
memory/2812-120-0x0000000000000000-mapping.dmp

Download
memory/3148-116-0x0000000006430000-0x0000000006432000-memory.dmp

Filesize
8KB

Download
memory/3148-115-0x0000000004DF0000-0x0000000004DF1000-memory.dmp

Filesize
4KB

Download
memory/3544-123-0x0000000000000000-mapping.dmp

Download
memory/3928-128-0x0000000000A05E28-mapping.dmp

Download
memory/4048-114-0x0000000000405E28-mapping.dmp

Download
memory/4048-117-0x0000000000400000-0x000000000055E000-memory.dmp

Filesize
1.4MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads