warzonerat | e5b4f0d80455434c5454347cce00f9f5367a19e9af19731ad04630e1c5cb5440

General

Target

RFQ- 28300NB.scr
Size

999KB
MD5

c10afb1541eafecc15387c8c0f3db1c9
SHA1

7cd612bfed4ba6350c192142d55392ac8aa5a0a5
SHA256

89416f4296bcee3a4230b3845988246b0dc489376238061d26e4b75e6ecf972e
SHA512

d94a03f9281c34bbe563d44c920a5188b18ed4aee44fc507e9c706930f93e52f6beccec7fe3462b07d88994f70dddbfd0b17c8aed2a0c3613a35378cfe411b34

Score

10^/10

warzonerat infostealer persistence rat

Malware Config

Extracted

Family

warzonerat

C2

membership.myddns.rocks:5191

Signatures

WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
rat infostealer warzonerat

Warzone RAT Payload 4 IoCs

rat

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Roaming\92809516\Client-1.exe	warzonerat
C:\Users\Admin\AppData\Roaming\92809516\Client-1.exe	warzonerat
C:\ProgramData\images.exe	warzonerat
C:\ProgramData\images.exe	warzonerat

Executes dropped EXE 3 IoCs

Processes:

Client-1.exemaxenlt.pifimages.exe

pid process

608 Client-1.exe
1324 maxenlt.pif
1792 images.exe

pid	process
608	Client-1.exe
1324	maxenlt.pif
1792	images.exe

Drops startup file 2 IoCs

Processes:

Client-1.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\programs.bat:start	Client-1.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\programs.bat	Client-1.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

Client-1.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Images = "C:\\ProgramData\\images.exe"	Client-1.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
NTFS ADS 1 IoCs

Processes:

Client-1.exe

description ioc process

File created C:\ProgramData:ApplicationData Client-1.exe
Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

powershell.exepowershell.exe

pid process

2348 powershell.exe
1432 powershell.exe
1432 powershell.exe
2348 powershell.exe
2348 powershell.exe
1432 powershell.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

powershell.exepowershell.exe

description pid process

Token: SeDebugPrivilege 2348 powershell.exe
Token: SeDebugPrivilege 1432 powershell.exe

description	ioc	process
File created	C:\ProgramData:ApplicationData	Client-1.exe

pid	process
2348	powershell.exe
1432	powershell.exe
1432	powershell.exe
2348	powershell.exe
2348	powershell.exe
1432	powershell.exe

description	pid	process
Token: SeDebugPrivilege	2348	powershell.exe
Token: SeDebugPrivilege	1432	powershell.exe

Suspicious use of WriteProcessMemory 20 IoCs

Processes:

RFQ- 28300NB.scrClient-1.exeimages.exe

description	pid	process	target process
PID 664 wrote to memory of 608	664	RFQ- 28300NB.scr	Client-1.exe
PID 664 wrote to memory of 608	664	RFQ- 28300NB.scr	Client-1.exe
PID 664 wrote to memory of 608	664	RFQ- 28300NB.scr	Client-1.exe
PID 664 wrote to memory of 1324	664	RFQ- 28300NB.scr	maxenlt.pif
PID 664 wrote to memory of 1324	664	RFQ- 28300NB.scr	maxenlt.pif
PID 664 wrote to memory of 1324	664	RFQ- 28300NB.scr	maxenlt.pif
PID 608 wrote to memory of 1432	608	Client-1.exe	powershell.exe
PID 608 wrote to memory of 1432	608	Client-1.exe	powershell.exe
PID 608 wrote to memory of 1432	608	Client-1.exe	powershell.exe
PID 608 wrote to memory of 1792	608	Client-1.exe	images.exe
PID 608 wrote to memory of 1792	608	Client-1.exe	images.exe
PID 608 wrote to memory of 1792	608	Client-1.exe	images.exe
PID 1792 wrote to memory of 2348	1792	images.exe	powershell.exe
PID 1792 wrote to memory of 2348	1792	images.exe	powershell.exe
PID 1792 wrote to memory of 2348	1792	images.exe	powershell.exe
PID 1792 wrote to memory of 2540	1792	images.exe	cmd.exe
PID 1792 wrote to memory of 2540	1792	images.exe	cmd.exe
PID 1792 wrote to memory of 2540	1792	images.exe	cmd.exe
PID 1792 wrote to memory of 2540	1792	images.exe	cmd.exe
PID 1792 wrote to memory of 2540	1792	images.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\RFQ- 28300NB.scr
"C:\Users\Admin\AppData\Local\Temp\RFQ- 28300NB.scr" /S
1⤵
- Suspicious use of WriteProcessMemory
PID:664

C:\Users\Admin\AppData\Roaming\92809516\Client-1.exe
"C:\Users\Admin\AppData\Roaming\92809516\Client-1.exe" Paul E. Patton (born May 26, 1937) is an American politician who served as the 59th governor of Kentucky from 1995 to 2003.
2⤵
- Executes dropped EXE
- Drops startup file
- Adds Run key to start application
- NTFS ADS
- Suspicious use of WriteProcessMemory
PID:608

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell Add-MpPreference -ExclusionPath C:\
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1432

C:\ProgramData\images.exe
"C:\ProgramData\images.exe"
3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1792

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell Add-MpPreference -ExclusionPath C:\
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2348

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe"
4⤵
PID:2540

C:\Users\Admin\AppData\Roaming\92809516\maxenlt.pif
"C:\Users\Admin\AppData\Roaming\92809516\maxenlt.pif" fruhcg.vbd
2⤵
- Executes dropped EXE
PID:1324

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\images.exe
MD5
15d206310b65d58f2920f7fbab42d2d7

SHA1
91e9f7fefa4d13b6fec522a0f2d78f735aaa0634

SHA256
5b6ac94ed2e8e2fda33d432f739588ad97db7a8865e51dc7ea2dc758eb1ed9cd

SHA512
dcf68d7615c69eb4ccf0d8ed27a123437f24aeb4f3770e51dcf7ec21570fc1777aa4dbd1afcbc670a080a460462e2944c7709a9d1f406848f38e7bb720795f61

Download Submit
C:\ProgramData\images.exe
MD5
15d206310b65d58f2920f7fbab42d2d7

SHA1
91e9f7fefa4d13b6fec522a0f2d78f735aaa0634

SHA256
5b6ac94ed2e8e2fda33d432f739588ad97db7a8865e51dc7ea2dc758eb1ed9cd

SHA512
dcf68d7615c69eb4ccf0d8ed27a123437f24aeb4f3770e51dcf7ec21570fc1777aa4dbd1afcbc670a080a460462e2944c7709a9d1f406848f38e7bb720795f61

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
MD5
1c19c16e21c97ed42d5beabc93391fc5

SHA1
8ad83f8e0b3acf8dfbbf87931e41f0d664c4df68

SHA256
1bcd97396c83babfe6c5068ba590d7a3f8b70e72955a9d1e4070648e404cbf05

SHA512
7d18776d8f649b3d29c182ff03efc6cea8b527542ee55304980f24577aae8b64e37044407776e220984346c3998ace5f8853afa58c8b38407482a728e9495e0c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
bd14884eeb5ed3fe35e3e056ac8539b7

SHA1
5a414f667eff6c24f11155523b9e0cc4e539b1cb

SHA256
805463d92e3dd095677cb7fa163588652a3b53c5a681a5603a364a343dd1d18c

SHA512
7885c50005956c12d6e64b8363018c196030e09025d80b77185ce5aad9bfefca9b13e5a4b16ff38c95974863bc8b4327cbce64fa252b4a469e6f019330e98776

Download Submit
C:\Users\Admin\AppData\Roaming\92809516\Client-1.exe
MD5
15d206310b65d58f2920f7fbab42d2d7

SHA1
91e9f7fefa4d13b6fec522a0f2d78f735aaa0634

SHA256
5b6ac94ed2e8e2fda33d432f739588ad97db7a8865e51dc7ea2dc758eb1ed9cd

SHA512
dcf68d7615c69eb4ccf0d8ed27a123437f24aeb4f3770e51dcf7ec21570fc1777aa4dbd1afcbc670a080a460462e2944c7709a9d1f406848f38e7bb720795f61

Download Submit
C:\Users\Admin\AppData\Roaming\92809516\Client-1.exe
MD5
15d206310b65d58f2920f7fbab42d2d7

SHA1
91e9f7fefa4d13b6fec522a0f2d78f735aaa0634

SHA256
5b6ac94ed2e8e2fda33d432f739588ad97db7a8865e51dc7ea2dc758eb1ed9cd

SHA512
dcf68d7615c69eb4ccf0d8ed27a123437f24aeb4f3770e51dcf7ec21570fc1777aa4dbd1afcbc670a080a460462e2944c7709a9d1f406848f38e7bb720795f61

Download Submit
C:\Users\Admin\AppData\Roaming\92809516\maxenlt.pif
MD5
91e54ec0186cc136ebe1e16a47c4abb5

SHA1
b501a7ab1d2e7d15e09052fdddd10ab181c107c5

SHA256
06ff490c64dfd76ff0b2b6a89acbd05c9b5fa0457109c48db73f238ae19dff0f

SHA512
57133d36dad69114c969388ae96de75f6e43636efda4dbf8de09d0e0f9c09852b6e0ad0c451b16b154e06df3881fa178aca0e9631f0497fdbab16b9148b48d41

Download Submit
memory/608-114-0x0000000000000000-mapping.dmp

Download
memory/1324-117-0x0000000000000000-mapping.dmp

Download
memory/1432-139-0x00000000073D0000-0x00000000073D1000-memory.dmp

Filesize
4KB

Download
memory/1432-126-0x0000000006C90000-0x0000000006C91000-memory.dmp

Filesize
4KB

Download
memory/1432-128-0x0000000000EA2000-0x0000000000EA3000-memory.dmp

Filesize
4KB

Download
memory/1432-127-0x0000000000EA0000-0x0000000000EA1000-memory.dmp

Filesize
4KB

Download
memory/1432-119-0x0000000000000000-mapping.dmp

Download
memory/1432-166-0x0000000008B90000-0x0000000008BC3000-memory.dmp

Filesize
204KB

Download
memory/1432-594-0x0000000006910000-0x0000000006911000-memory.dmp

Filesize
4KB

Download
memory/1432-150-0x0000000007DE0000-0x0000000007DE1000-memory.dmp

Filesize
4KB

Download
memory/1432-582-0x0000000006920000-0x0000000006921000-memory.dmp

Filesize
4KB

Download
memory/1432-125-0x0000000000E50000-0x0000000000E51000-memory.dmp

Filesize
4KB

Download
memory/1432-240-0x0000000000EA3000-0x0000000000EA4000-memory.dmp

Filesize
4KB

Download
memory/1432-192-0x000000007EB20000-0x000000007EB21000-memory.dmp

Filesize
4KB

Download
memory/1432-190-0x0000000008CC0000-0x0000000008CC1000-memory.dmp

Filesize
4KB

Download
memory/1432-180-0x0000000008B50000-0x0000000008B51000-memory.dmp

Filesize
4KB

Download
memory/1792-120-0x0000000000000000-mapping.dmp

Download
memory/2348-135-0x00000000047F0000-0x00000000047F1000-memory.dmp

Filesize
4KB

Download
memory/2348-148-0x00000000082C0000-0x00000000082C1000-memory.dmp

Filesize
4KB

Download
memory/2348-145-0x00000000079A0000-0x00000000079A1000-memory.dmp

Filesize
4KB

Download
memory/2348-143-0x0000000007AC0000-0x0000000007AC1000-memory.dmp

Filesize
4KB

Download
memory/2348-193-0x000000007EAF0000-0x000000007EAF1000-memory.dmp

Filesize
4KB

Download
memory/2348-194-0x0000000009440000-0x0000000009441000-memory.dmp

Filesize
4KB

Download
memory/2348-237-0x00000000047F3000-0x00000000047F4000-memory.dmp

Filesize
4KB

Download
memory/2348-142-0x00000000079F0000-0x00000000079F1000-memory.dmp

Filesize
4KB

Download
memory/2348-137-0x00000000070E0000-0x00000000070E1000-memory.dmp

Filesize
4KB

Download
memory/2348-136-0x00000000047F2000-0x00000000047F3000-memory.dmp

Filesize
4KB

Download
memory/2348-129-0x0000000000000000-mapping.dmp

Download
memory/2540-147-0x0000000000810000-0x0000000000811000-memory.dmp

Filesize
4KB

Download
memory/2540-130-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads