warzonerat | e5b4f0d80455434c5454347cce00f9f5367a19e9af19731ad04630e1c5cb5440

General

Target

RFQ- 28300NB.scr
Size

999KB
MD5

c10afb1541eafecc15387c8c0f3db1c9
SHA1

7cd612bfed4ba6350c192142d55392ac8aa5a0a5
SHA256

89416f4296bcee3a4230b3845988246b0dc489376238061d26e4b75e6ecf972e
SHA512

d94a03f9281c34bbe563d44c920a5188b18ed4aee44fc507e9c706930f93e52f6beccec7fe3462b07d88994f70dddbfd0b17c8aed2a0c3613a35378cfe411b34

Score

10^/10

warzonerat infostealer persistence rat

Malware Config

Extracted

Family

warzonerat

C2

membership.myddns.rocks:5191

Signatures

WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
rat infostealer warzonerat

Warzone RAT Payload 4 IoCs

rat

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Roaming\92809516\Client-1.exe	warzonerat
C:\Users\Admin\AppData\Roaming\92809516\Client-1.exe	warzonerat
C:\ProgramData\images.exe	warzonerat
C:\ProgramData\images.exe	warzonerat

Executes dropped EXE 3 IoCs

Processes:

Client-1.exemaxenlt.pifimages.exe

pid process

2516 Client-1.exe
3808 maxenlt.pif
3960 images.exe

pid	process
2516	Client-1.exe
3808	maxenlt.pif
3960	images.exe

Drops startup file 2 IoCs

Processes:

Client-1.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\programs.bat	Client-1.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\programs.bat:start	Client-1.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

Client-1.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Images = "C:\\ProgramData\\images.exe"	Client-1.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
NTFS ADS 1 IoCs

Processes:

Client-1.exe

description ioc process

File created C:\ProgramData:ApplicationData Client-1.exe
Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

powershell.exepowershell.exe

pid process

660 powershell.exe
660 powershell.exe
1100 powershell.exe
660 powershell.exe
1100 powershell.exe
1100 powershell.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

powershell.exepowershell.exe

description pid process

Token: SeDebugPrivilege 660 powershell.exe
Token: SeDebugPrivilege 1100 powershell.exe

description	ioc	process
File created	C:\ProgramData:ApplicationData	Client-1.exe

pid	process
660	powershell.exe
660	powershell.exe
1100	powershell.exe
660	powershell.exe
1100	powershell.exe
1100	powershell.exe

description	pid	process
Token: SeDebugPrivilege	660	powershell.exe
Token: SeDebugPrivilege	1100	powershell.exe

Suspicious use of WriteProcessMemory 20 IoCs

Processes:

RFQ- 28300NB.scrClient-1.exeimages.exe

description	pid	process	target process
PID 2276 wrote to memory of 2516	2276	RFQ- 28300NB.scr	Client-1.exe
PID 2276 wrote to memory of 2516	2276	RFQ- 28300NB.scr	Client-1.exe
PID 2276 wrote to memory of 2516	2276	RFQ- 28300NB.scr	Client-1.exe
PID 2276 wrote to memory of 3808	2276	RFQ- 28300NB.scr	maxenlt.pif
PID 2276 wrote to memory of 3808	2276	RFQ- 28300NB.scr	maxenlt.pif
PID 2276 wrote to memory of 3808	2276	RFQ- 28300NB.scr	maxenlt.pif
PID 2516 wrote to memory of 660	2516	Client-1.exe	powershell.exe
PID 2516 wrote to memory of 660	2516	Client-1.exe	powershell.exe
PID 2516 wrote to memory of 660	2516	Client-1.exe	powershell.exe
PID 2516 wrote to memory of 3960	2516	Client-1.exe	images.exe
PID 2516 wrote to memory of 3960	2516	Client-1.exe	images.exe
PID 2516 wrote to memory of 3960	2516	Client-1.exe	images.exe
PID 3960 wrote to memory of 1100	3960	images.exe	powershell.exe
PID 3960 wrote to memory of 1100	3960	images.exe	powershell.exe
PID 3960 wrote to memory of 1100	3960	images.exe	powershell.exe
PID 3960 wrote to memory of 956	3960	images.exe	cmd.exe
PID 3960 wrote to memory of 956	3960	images.exe	cmd.exe
PID 3960 wrote to memory of 956	3960	images.exe	cmd.exe
PID 3960 wrote to memory of 956	3960	images.exe	cmd.exe
PID 3960 wrote to memory of 956	3960	images.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\RFQ- 28300NB.scr
"C:\Users\Admin\AppData\Local\Temp\RFQ- 28300NB.scr" /S
1⤵
- Suspicious use of WriteProcessMemory
PID:2276
- C:\Users\Admin\AppData\Roaming\92809516\Client-1.exe
  "C:\Users\Admin\AppData\Roaming\92809516\Client-1.exe" Paul E. Patton (born May 26, 1937) is an American politician who served as the 59th governor of Kentucky from 1995 to 2003.
  2⤵
  - Executes dropped EXE
  - Drops startup file
  - Adds Run key to start application
  - NTFS ADS
  - Suspicious use of WriteProcessMemory
  PID:2516
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell Add-MpPreference -ExclusionPath C:\
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:660
- - C:\ProgramData\images.exe
    "C:\ProgramData\images.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:3960
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell Add-MpPreference -ExclusionPath C:\
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1100
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:956
- C:\Users\Admin\AppData\Roaming\92809516\maxenlt.pif
  "C:\Users\Admin\AppData\Roaming\92809516\maxenlt.pif" fruhcg.vbd
  2⤵
  - Executes dropped EXE
  PID:3808

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\images.exe

MD5
15d206310b65d58f2920f7fbab42d2d7

SHA1
91e9f7fefa4d13b6fec522a0f2d78f735aaa0634

SHA256
5b6ac94ed2e8e2fda33d432f739588ad97db7a8865e51dc7ea2dc758eb1ed9cd

SHA512
dcf68d7615c69eb4ccf0d8ed27a123437f24aeb4f3770e51dcf7ec21570fc1777aa4dbd1afcbc670a080a460462e2944c7709a9d1f406848f38e7bb720795f61

Download Submit
C:\ProgramData\images.exe

MD5
15d206310b65d58f2920f7fbab42d2d7

SHA1
91e9f7fefa4d13b6fec522a0f2d78f735aaa0634

SHA256
5b6ac94ed2e8e2fda33d432f739588ad97db7a8865e51dc7ea2dc758eb1ed9cd

SHA512
dcf68d7615c69eb4ccf0d8ed27a123437f24aeb4f3770e51dcf7ec21570fc1777aa4dbd1afcbc670a080a460462e2944c7709a9d1f406848f38e7bb720795f61

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5
1c19c16e21c97ed42d5beabc93391fc5

SHA1
8ad83f8e0b3acf8dfbbf87931e41f0d664c4df68

SHA256
1bcd97396c83babfe6c5068ba590d7a3f8b70e72955a9d1e4070648e404cbf05

SHA512
7d18776d8f649b3d29c182ff03efc6cea8b527542ee55304980f24577aae8b64e37044407776e220984346c3998ace5f8853afa58c8b38407482a728e9495e0c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5
7a352a4b14b70c572aef1357b924b3c5

SHA1
ae18a3a0f0112273a4600c5d0e27f82a8afa13ec

SHA256
71a456f562420a47d0727cd5a4bc193e634071c5e09aa3a1d4a1cb1c8d3593e9

SHA512
9f986fca11dc3e747309e37b5a45471e371a5616062eb79565efd720da97bee43aaf8f626c0ba614572b4558dd75d1912f90fea6fbfb95ae30124f2ac86ff152

Download Submit
C:\Users\Admin\AppData\Roaming\92809516\Client-1.exe

MD5
15d206310b65d58f2920f7fbab42d2d7

SHA1
91e9f7fefa4d13b6fec522a0f2d78f735aaa0634

SHA256
5b6ac94ed2e8e2fda33d432f739588ad97db7a8865e51dc7ea2dc758eb1ed9cd

SHA512
dcf68d7615c69eb4ccf0d8ed27a123437f24aeb4f3770e51dcf7ec21570fc1777aa4dbd1afcbc670a080a460462e2944c7709a9d1f406848f38e7bb720795f61

Download Submit
C:\Users\Admin\AppData\Roaming\92809516\Client-1.exe

MD5
15d206310b65d58f2920f7fbab42d2d7

SHA1
91e9f7fefa4d13b6fec522a0f2d78f735aaa0634

SHA256
5b6ac94ed2e8e2fda33d432f739588ad97db7a8865e51dc7ea2dc758eb1ed9cd

SHA512
dcf68d7615c69eb4ccf0d8ed27a123437f24aeb4f3770e51dcf7ec21570fc1777aa4dbd1afcbc670a080a460462e2944c7709a9d1f406848f38e7bb720795f61

Download Submit
C:\Users\Admin\AppData\Roaming\92809516\maxenlt.pif

MD5
91e54ec0186cc136ebe1e16a47c4abb5

SHA1
b501a7ab1d2e7d15e09052fdddd10ab181c107c5

SHA256
06ff490c64dfd76ff0b2b6a89acbd05c9b5fa0457109c48db73f238ae19dff0f

SHA512
57133d36dad69114c969388ae96de75f6e43636efda4dbf8de09d0e0f9c09852b6e0ad0c451b16b154e06df3881fa178aca0e9631f0497fdbab16b9148b48d41

Download Submit
memory/660-135-0x0000000007D80000-0x0000000007D81000-memory.dmp

Filesize
4KB

Download
memory/660-143-0x0000000007F50000-0x0000000007F51000-memory.dmp

Filesize
4KB

Download
memory/660-126-0x0000000000FB0000-0x0000000000FB1000-memory.dmp

Filesize
4KB

Download
memory/660-127-0x00000000071B0000-0x00000000071B1000-memory.dmp

Filesize
4KB

Download
memory/660-128-0x0000000006E90000-0x0000000006E91000-memory.dmp

Filesize
4KB

Download
memory/660-130-0x0000000000B12000-0x0000000000B13000-memory.dmp

Filesize
4KB

Download
memory/660-129-0x0000000000B10000-0x0000000000B11000-memory.dmp

Filesize
4KB

Download
memory/660-131-0x0000000006F30000-0x0000000006F31000-memory.dmp

Filesize
4KB

Download
memory/660-132-0x0000000007080000-0x0000000007081000-memory.dmp

Filesize
4KB

Download
memory/660-133-0x00000000078E0000-0x00000000078E1000-memory.dmp

Filesize
4KB

Download
memory/660-134-0x0000000007060000-0x0000000007061000-memory.dmp

Filesize
4KB

Download
memory/660-120-0x0000000000000000-mapping.dmp

Download
memory/660-595-0x00000000012F0000-0x00000000012F1000-memory.dmp

Filesize
4KB

Download
memory/660-234-0x0000000000B13000-0x0000000000B14000-memory.dmp

Filesize
4KB

Download
memory/660-195-0x0000000009240000-0x0000000009241000-memory.dmp

Filesize
4KB

Download
memory/660-180-0x000000007EBF0000-0x000000007EBF1000-memory.dmp

Filesize
4KB

Download
memory/660-174-0x0000000008E20000-0x0000000008E21000-memory.dmp

Filesize
4KB

Download
memory/660-169-0x0000000008CC0000-0x0000000008CC1000-memory.dmp

Filesize
4KB

Download
memory/660-162-0x0000000008CE0000-0x0000000008D13000-memory.dmp

Filesize
204KB

Download
memory/956-154-0x0000000000800000-0x0000000000801000-memory.dmp

Filesize
4KB

Download
memory/956-137-0x0000000000000000-mapping.dmp

Download
memory/1100-153-0x0000000000FF2000-0x0000000000FF3000-memory.dmp

Filesize
4KB

Download
memory/1100-182-0x000000007E350000-0x000000007E351000-memory.dmp

Filesize
4KB

Download
memory/1100-141-0x0000000000FF0000-0x0000000000FF1000-memory.dmp

Filesize
4KB

Download
memory/1100-237-0x0000000000FF3000-0x0000000000FF4000-memory.dmp

Filesize
4KB

Download
memory/1100-584-0x00000000012C0000-0x00000000012C1000-memory.dmp

Filesize
4KB

Download
memory/1100-136-0x0000000000000000-mapping.dmp

Download
memory/2516-115-0x0000000000000000-mapping.dmp

Download
memory/3808-118-0x0000000000000000-mapping.dmp

Download
memory/3960-121-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads