warzonerat | 014cd6b5ea8a3b792f7f8926eab05f857fa548a5c75bb6a2c0292f71536cb228

General

Target

STATEMENT OF ACCOUNT_2021-10-04989829.exe
Size

415KB
MD5

ba089fe4546d19803adad582ca6f2ec5
SHA1

32c00e95b5f398c7bb7261feb35290e34c59d21f
SHA256

014cd6b5ea8a3b792f7f8926eab05f857fa548a5c75bb6a2c0292f71536cb228
SHA512

1b443fd3bdbe05de713311c867ef4b5c73d21eabcd9d89c4df5ad6e78c06c0cf390f52e04cd25a74754bf9cbe007e5abf25787f2dcb089bb66f929b2b0f93592

Score

10^/10

warzonerat infostealer persistence rat

Malware Config

Extracted

Family

warzonerat

C2

176.126.86.243:2021

Signatures

WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
rat infostealer warzonerat

Warzone RAT Payload 5 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/2752-125-0x0000000000400000-0x0000000000554000-memory.dmp	warzonerat
behavioral2/memory/2752-126-0x0000000000405CE2-mapping.dmp	warzonerat
behavioral2/memory/2752-127-0x0000000000400000-0x0000000000554000-memory.dmp	warzonerat
behavioral2/memory/648-144-0x0000000000405CE2-mapping.dmp	warzonerat
behavioral2/memory/648-146-0x0000000000400000-0x0000000000554000-memory.dmp	warzonerat

Executes dropped EXE 4 IoCs

Processes:

microsoftupdate.exemicrosoftupdate.exemicrosoftupdate.exemicrosoftupdate.exe

pid process

2144 microsoftupdate.exe
2032 microsoftupdate.exe
2068 microsoftupdate.exe
648 microsoftupdate.exe

pid	process
2144	microsoftupdate.exe
2032	microsoftupdate.exe
2068	microsoftupdate.exe
648	microsoftupdate.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

STATEMENT OF ACCOUNT_2021-10-04989829.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\windowsdefender = "C:\\ProgramData\\microsoftupdate.exe"	STATEMENT OF ACCOUNT_2021-10-04989829.exe

Modifies WinLogon 2 TTPs 3 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

microsoftupdate.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts	microsoftupdate.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList\lxvIuy. = "0"	microsoftupdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList	microsoftupdate.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

STATEMENT OF ACCOUNT_2021-10-04989829.exemicrosoftupdate.exe

description	pid	process	target process
PID 1776 set thread context of 2752	1776	STATEMENT OF ACCOUNT_2021-10-04989829.exe	STATEMENT OF ACCOUNT_2021-10-04989829.exe
PID 2144 set thread context of 648	2144	microsoftupdate.exe	microsoftupdate.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exe

pid process

3192 schtasks.exe
3248 schtasks.exe

pid	process
3192	schtasks.exe
3248	schtasks.exe

Suspicious behavior: EnumeratesProcesses 18 IoCs

Processes:

STATEMENT OF ACCOUNT_2021-10-04989829.exemicrosoftupdate.exe

pid	process
1776	STATEMENT OF ACCOUNT_2021-10-04989829.exe
1776	STATEMENT OF ACCOUNT_2021-10-04989829.exe
1776	STATEMENT OF ACCOUNT_2021-10-04989829.exe
1776	STATEMENT OF ACCOUNT_2021-10-04989829.exe
1776	STATEMENT OF ACCOUNT_2021-10-04989829.exe
1776	STATEMENT OF ACCOUNT_2021-10-04989829.exe
1776	STATEMENT OF ACCOUNT_2021-10-04989829.exe
2144	microsoftupdate.exe
2144	microsoftupdate.exe
2144	microsoftupdate.exe
2144	microsoftupdate.exe
2144	microsoftupdate.exe
2144	microsoftupdate.exe
2144	microsoftupdate.exe
2144	microsoftupdate.exe
2144	microsoftupdate.exe
2144	microsoftupdate.exe
2144	microsoftupdate.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

STATEMENT OF ACCOUNT_2021-10-04989829.exemicrosoftupdate.exe

description pid process

Token: SeDebugPrivilege 1776 STATEMENT OF ACCOUNT_2021-10-04989829.exe
Token: SeDebugPrivilege 2144 microsoftupdate.exe

description	pid	process
Token: SeDebugPrivilege	1776	STATEMENT OF ACCOUNT_2021-10-04989829.exe
Token: SeDebugPrivilege	2144	microsoftupdate.exe

Suspicious use of WriteProcessMemory 42 IoCs

Processes:

STATEMENT OF ACCOUNT_2021-10-04989829.exeSTATEMENT OF ACCOUNT_2021-10-04989829.exemicrosoftupdate.exemicrosoftupdate.exe

description	pid	process	target process
PID 1776 wrote to memory of 3192	1776	STATEMENT OF ACCOUNT_2021-10-04989829.exe	schtasks.exe
PID 1776 wrote to memory of 3192	1776	STATEMENT OF ACCOUNT_2021-10-04989829.exe	schtasks.exe
PID 1776 wrote to memory of 3192	1776	STATEMENT OF ACCOUNT_2021-10-04989829.exe	schtasks.exe
PID 1776 wrote to memory of 2752	1776	STATEMENT OF ACCOUNT_2021-10-04989829.exe	STATEMENT OF ACCOUNT_2021-10-04989829.exe
PID 1776 wrote to memory of 2752	1776	STATEMENT OF ACCOUNT_2021-10-04989829.exe	STATEMENT OF ACCOUNT_2021-10-04989829.exe
PID 1776 wrote to memory of 2752	1776	STATEMENT OF ACCOUNT_2021-10-04989829.exe	STATEMENT OF ACCOUNT_2021-10-04989829.exe
PID 1776 wrote to memory of 2752	1776	STATEMENT OF ACCOUNT_2021-10-04989829.exe	STATEMENT OF ACCOUNT_2021-10-04989829.exe
PID 1776 wrote to memory of 2752	1776	STATEMENT OF ACCOUNT_2021-10-04989829.exe	STATEMENT OF ACCOUNT_2021-10-04989829.exe
PID 1776 wrote to memory of 2752	1776	STATEMENT OF ACCOUNT_2021-10-04989829.exe	STATEMENT OF ACCOUNT_2021-10-04989829.exe
PID 1776 wrote to memory of 2752	1776	STATEMENT OF ACCOUNT_2021-10-04989829.exe	STATEMENT OF ACCOUNT_2021-10-04989829.exe
PID 1776 wrote to memory of 2752	1776	STATEMENT OF ACCOUNT_2021-10-04989829.exe	STATEMENT OF ACCOUNT_2021-10-04989829.exe
PID 1776 wrote to memory of 2752	1776	STATEMENT OF ACCOUNT_2021-10-04989829.exe	STATEMENT OF ACCOUNT_2021-10-04989829.exe
PID 1776 wrote to memory of 2752	1776	STATEMENT OF ACCOUNT_2021-10-04989829.exe	STATEMENT OF ACCOUNT_2021-10-04989829.exe
PID 1776 wrote to memory of 2752	1776	STATEMENT OF ACCOUNT_2021-10-04989829.exe	STATEMENT OF ACCOUNT_2021-10-04989829.exe
PID 2752 wrote to memory of 2144	2752	STATEMENT OF ACCOUNT_2021-10-04989829.exe	microsoftupdate.exe
PID 2752 wrote to memory of 2144	2752	STATEMENT OF ACCOUNT_2021-10-04989829.exe	microsoftupdate.exe
PID 2752 wrote to memory of 2144	2752	STATEMENT OF ACCOUNT_2021-10-04989829.exe	microsoftupdate.exe
PID 2144 wrote to memory of 3248	2144	microsoftupdate.exe	schtasks.exe
PID 2144 wrote to memory of 3248	2144	microsoftupdate.exe	schtasks.exe
PID 2144 wrote to memory of 3248	2144	microsoftupdate.exe	schtasks.exe
PID 2144 wrote to memory of 2032	2144	microsoftupdate.exe	microsoftupdate.exe
PID 2144 wrote to memory of 2032	2144	microsoftupdate.exe	microsoftupdate.exe
PID 2144 wrote to memory of 2032	2144	microsoftupdate.exe	microsoftupdate.exe
PID 2144 wrote to memory of 2068	2144	microsoftupdate.exe	microsoftupdate.exe
PID 2144 wrote to memory of 2068	2144	microsoftupdate.exe	microsoftupdate.exe
PID 2144 wrote to memory of 2068	2144	microsoftupdate.exe	microsoftupdate.exe
PID 2144 wrote to memory of 648	2144	microsoftupdate.exe	microsoftupdate.exe
PID 2144 wrote to memory of 648	2144	microsoftupdate.exe	microsoftupdate.exe
PID 2144 wrote to memory of 648	2144	microsoftupdate.exe	microsoftupdate.exe
PID 2144 wrote to memory of 648	2144	microsoftupdate.exe	microsoftupdate.exe
PID 2144 wrote to memory of 648	2144	microsoftupdate.exe	microsoftupdate.exe
PID 2144 wrote to memory of 648	2144	microsoftupdate.exe	microsoftupdate.exe
PID 2144 wrote to memory of 648	2144	microsoftupdate.exe	microsoftupdate.exe
PID 2144 wrote to memory of 648	2144	microsoftupdate.exe	microsoftupdate.exe
PID 2144 wrote to memory of 648	2144	microsoftupdate.exe	microsoftupdate.exe
PID 2144 wrote to memory of 648	2144	microsoftupdate.exe	microsoftupdate.exe
PID 2144 wrote to memory of 648	2144	microsoftupdate.exe	microsoftupdate.exe
PID 648 wrote to memory of 2212	648	microsoftupdate.exe	cmd.exe
PID 648 wrote to memory of 2212	648	microsoftupdate.exe	cmd.exe
PID 648 wrote to memory of 2212	648	microsoftupdate.exe	cmd.exe
PID 648 wrote to memory of 2212	648	microsoftupdate.exe	cmd.exe
PID 648 wrote to memory of 2212	648	microsoftupdate.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\STATEMENT OF ACCOUNT_2021-10-04989829.exe
"C:\Users\Admin\AppData\Local\Temp\STATEMENT OF ACCOUNT_2021-10-04989829.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1776

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ExzJZVEPzsavn" /XML "C:\Users\Admin\AppData\Local\Temp\tmp5FF3.tmp"
2⤵
- Creates scheduled task(s)
PID:3192

C:\Users\Admin\AppData\Local\Temp\STATEMENT OF ACCOUNT_2021-10-04989829.exe
"C:\Users\Admin\AppData\Local\Temp\STATEMENT OF ACCOUNT_2021-10-04989829.exe"
2⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2752

C:\ProgramData\microsoftupdate.exe
"C:\ProgramData\microsoftupdate.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2144

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ExzJZVEPzsavn" /XML "C:\Users\Admin\AppData\Local\Temp\tmp25E.tmp"
4⤵
- Creates scheduled task(s)
PID:3248

C:\ProgramData\microsoftupdate.exe
"C:\ProgramData\microsoftupdate.exe"
4⤵
- Executes dropped EXE
PID:2032

C:\ProgramData\microsoftupdate.exe
"C:\ProgramData\microsoftupdate.exe"
4⤵
- Executes dropped EXE
PID:2068

C:\ProgramData\microsoftupdate.exe
"C:\ProgramData\microsoftupdate.exe"
4⤵
- Executes dropped EXE
- Modifies WinLogon
- Suspicious use of WriteProcessMemory
PID:648

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe"
5⤵
PID:2212

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Registry Run Keys / Startup Folder

1

T1060

Winlogon Helper DLL

1

T1004

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\microsoftupdate.exe
MD5
ba089fe4546d19803adad582ca6f2ec5

SHA1
32c00e95b5f398c7bb7261feb35290e34c59d21f

SHA256
014cd6b5ea8a3b792f7f8926eab05f857fa548a5c75bb6a2c0292f71536cb228

SHA512
1b443fd3bdbe05de713311c867ef4b5c73d21eabcd9d89c4df5ad6e78c06c0cf390f52e04cd25a74754bf9cbe007e5abf25787f2dcb089bb66f929b2b0f93592

Download Submit
C:\ProgramData\microsoftupdate.exe
MD5
ba089fe4546d19803adad582ca6f2ec5

SHA1
32c00e95b5f398c7bb7261feb35290e34c59d21f

SHA256
014cd6b5ea8a3b792f7f8926eab05f857fa548a5c75bb6a2c0292f71536cb228

SHA512
1b443fd3bdbe05de713311c867ef4b5c73d21eabcd9d89c4df5ad6e78c06c0cf390f52e04cd25a74754bf9cbe007e5abf25787f2dcb089bb66f929b2b0f93592

Download Submit
C:\ProgramData\microsoftupdate.exe
MD5
ba089fe4546d19803adad582ca6f2ec5

SHA1
32c00e95b5f398c7bb7261feb35290e34c59d21f

SHA256
014cd6b5ea8a3b792f7f8926eab05f857fa548a5c75bb6a2c0292f71536cb228

SHA512
1b443fd3bdbe05de713311c867ef4b5c73d21eabcd9d89c4df5ad6e78c06c0cf390f52e04cd25a74754bf9cbe007e5abf25787f2dcb089bb66f929b2b0f93592

Download Submit
C:\ProgramData\microsoftupdate.exe
MD5
ba089fe4546d19803adad582ca6f2ec5

SHA1
32c00e95b5f398c7bb7261feb35290e34c59d21f

SHA256
014cd6b5ea8a3b792f7f8926eab05f857fa548a5c75bb6a2c0292f71536cb228

SHA512
1b443fd3bdbe05de713311c867ef4b5c73d21eabcd9d89c4df5ad6e78c06c0cf390f52e04cd25a74754bf9cbe007e5abf25787f2dcb089bb66f929b2b0f93592

Download Submit
C:\ProgramData\microsoftupdate.exe
MD5
ba089fe4546d19803adad582ca6f2ec5

SHA1
32c00e95b5f398c7bb7261feb35290e34c59d21f

SHA256
014cd6b5ea8a3b792f7f8926eab05f857fa548a5c75bb6a2c0292f71536cb228

SHA512
1b443fd3bdbe05de713311c867ef4b5c73d21eabcd9d89c4df5ad6e78c06c0cf390f52e04cd25a74754bf9cbe007e5abf25787f2dcb089bb66f929b2b0f93592

Download Submit
memory/648-146-0x0000000000400000-0x0000000000554000-memory.dmp

Filesize
1.3MB

Download
memory/648-144-0x0000000000405CE2-mapping.dmp

Download
memory/1776-122-0x0000000005C30000-0x0000000005C3A000-memory.dmp

Filesize
40KB

Download
memory/1776-121-0x0000000008710000-0x0000000008711000-memory.dmp

Filesize
4KB

Download
memory/1776-117-0x0000000005D10000-0x0000000005D11000-memory.dmp

Filesize
4KB

Download
memory/1776-118-0x00000000056E0000-0x00000000056E1000-memory.dmp

Filesize
4KB

Download
memory/1776-119-0x00000000056D0000-0x00000000056D1000-memory.dmp

Filesize
4KB

Download
memory/1776-120-0x0000000005640000-0x00000000056D2000-memory.dmp

Filesize
584KB

Download
memory/1776-123-0x0000000008AF0000-0x0000000008B31000-memory.dmp

Filesize
260KB

Download
memory/1776-115-0x0000000000E30000-0x0000000000E31000-memory.dmp

Filesize
4KB

Download
memory/2144-128-0x0000000000000000-mapping.dmp

Download
memory/2144-137-0x0000000004CC0000-0x0000000004D52000-memory.dmp

Filesize
584KB

Download
memory/2212-147-0x0000000000000000-mapping.dmp

Download
memory/2212-148-0x0000000000B30000-0x0000000000B31000-memory.dmp

Filesize
4KB

Download
memory/2752-127-0x0000000000400000-0x0000000000554000-memory.dmp

Filesize
1.3MB

Download
memory/2752-126-0x0000000000405CE2-mapping.dmp

Download
memory/2752-125-0x0000000000400000-0x0000000000554000-memory.dmp

Filesize
1.3MB

Download
memory/3192-124-0x0000000000000000-mapping.dmp

Download
memory/3248-140-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads