warzonerat | e32e27ecb69ca65b8bcb23a748da370c3cd306bbe4d186d840b2632187b12109

General

Target

Scan-2021-10-06-89388399008827829020287278299276678292026368298.bat.exe
Size

334KB
MD5

4176461be62d517adba95d7ab909e7bb
SHA1

e53120f9ad641252e41aa677de123152cd72215f
SHA256

4bd74f7785ffaf625efdf131775b504966321554e008bd156002f857f866d458
SHA512

4e959c76fdd76d5907c467da5168574e1bf320e7c47dec95c20a4e8f87a95c4e69fbbd5f454082295cb0f457f2d1d070d35d364868dfef9e390e1e2075ea07ed

Score

10^/10

warzonerat infostealer persistence rat

Malware Config

Extracted

Family

warzonerat

C2

176.126.86.243:2021

Signatures

Suspicious use of NtCreateProcessExOtherParentProcess 1 IoCs

Processes:

WerFault.exe

description pid process target process

PID 4016 created 1896 4016 WerFault.exe Scan-2021-10-06-89388399008827829020287278299276678292026368298.bat.exe
WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
rat infostealer warzonerat

description	pid	process	target process
PID 4016 created 1896	4016	WerFault.exe	Scan-2021-10-06-89388399008827829020287278299276678292026368298.bat.exe

Warzone RAT Payload 5 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/1896-124-0x0000000000400000-0x0000000000554000-memory.dmp	warzonerat
behavioral1/memory/1896-125-0x0000000000405CE2-mapping.dmp	warzonerat
behavioral1/memory/1896-126-0x0000000000400000-0x0000000000554000-memory.dmp	warzonerat
behavioral1/memory/1724-141-0x0000000000405CE2-mapping.dmp	warzonerat
behavioral1/memory/1724-143-0x0000000000400000-0x0000000000554000-memory.dmp	warzonerat

Executes dropped EXE 3 IoCs

Processes:

microsoftupdate.exemicrosoftupdate.exemicrosoftupdate.exe

pid process

412 microsoftupdate.exe
1824 microsoftupdate.exe
1724 microsoftupdate.exe

pid	process
412	microsoftupdate.exe
1824	microsoftupdate.exe
1724	microsoftupdate.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

Scan-2021-10-06-89388399008827829020287278299276678292026368298.bat.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\windowsdefender = "C:\\ProgramData\\microsoftupdate.exe"	Scan-2021-10-06-89388399008827829020287278299276678292026368298.bat.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

Scan-2021-10-06-89388399008827829020287278299276678292026368298.bat.exemicrosoftupdate.exe

description	pid	process	target process
PID 2384 set thread context of 1896	2384	Scan-2021-10-06-89388399008827829020287278299276678292026368298.bat.exe	Scan-2021-10-06-89388399008827829020287278299276678292026368298.bat.exe
PID 412 set thread context of 1724	412	microsoftupdate.exe	microsoftupdate.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

4016 1896 WerFault.exe Scan-2021-10-06-89388399008827829020287278299276678292026368298.bat.exe

pid	pid_target	process	target process
4016	1896	WerFault.exe	Scan-2021-10-06-89388399008827829020287278299276678292026368298.bat.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

Scan-2021-10-06-89388399008827829020287278299276678292026368298.bat.exemicrosoftupdate.exe

pid	process
2384	Scan-2021-10-06-89388399008827829020287278299276678292026368298.bat.exe
2384	Scan-2021-10-06-89388399008827829020287278299276678292026368298.bat.exe
2384	Scan-2021-10-06-89388399008827829020287278299276678292026368298.bat.exe
2384	Scan-2021-10-06-89388399008827829020287278299276678292026368298.bat.exe
412	microsoftupdate.exe
412	microsoftupdate.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

Scan-2021-10-06-89388399008827829020287278299276678292026368298.bat.exemicrosoftupdate.exe

description	pid	process
Token: SeDebugPrivilege	2384	Scan-2021-10-06-89388399008827829020287278299276678292026368298.bat.exe
Token: SeDebugPrivilege	412	microsoftupdate.exe

Suspicious use of WriteProcessMemory 39 IoCs

Processes:

Scan-2021-10-06-89388399008827829020287278299276678292026368298.bat.exeScan-2021-10-06-89388399008827829020287278299276678292026368298.bat.exemicrosoftupdate.exemicrosoftupdate.exe

description	pid	process	target process
PID 2384 wrote to memory of 2748	2384	Scan-2021-10-06-89388399008827829020287278299276678292026368298.bat.exe	Scan-2021-10-06-89388399008827829020287278299276678292026368298.bat.exe
PID 2384 wrote to memory of 2748	2384	Scan-2021-10-06-89388399008827829020287278299276678292026368298.bat.exe	Scan-2021-10-06-89388399008827829020287278299276678292026368298.bat.exe
PID 2384 wrote to memory of 2748	2384	Scan-2021-10-06-89388399008827829020287278299276678292026368298.bat.exe	Scan-2021-10-06-89388399008827829020287278299276678292026368298.bat.exe
PID 2384 wrote to memory of 2756	2384	Scan-2021-10-06-89388399008827829020287278299276678292026368298.bat.exe	Scan-2021-10-06-89388399008827829020287278299276678292026368298.bat.exe
PID 2384 wrote to memory of 2756	2384	Scan-2021-10-06-89388399008827829020287278299276678292026368298.bat.exe	Scan-2021-10-06-89388399008827829020287278299276678292026368298.bat.exe
PID 2384 wrote to memory of 2756	2384	Scan-2021-10-06-89388399008827829020287278299276678292026368298.bat.exe	Scan-2021-10-06-89388399008827829020287278299276678292026368298.bat.exe
PID 2384 wrote to memory of 1896	2384	Scan-2021-10-06-89388399008827829020287278299276678292026368298.bat.exe	Scan-2021-10-06-89388399008827829020287278299276678292026368298.bat.exe
PID 2384 wrote to memory of 1896	2384	Scan-2021-10-06-89388399008827829020287278299276678292026368298.bat.exe	Scan-2021-10-06-89388399008827829020287278299276678292026368298.bat.exe
PID 2384 wrote to memory of 1896	2384	Scan-2021-10-06-89388399008827829020287278299276678292026368298.bat.exe	Scan-2021-10-06-89388399008827829020287278299276678292026368298.bat.exe
PID 2384 wrote to memory of 1896	2384	Scan-2021-10-06-89388399008827829020287278299276678292026368298.bat.exe	Scan-2021-10-06-89388399008827829020287278299276678292026368298.bat.exe
PID 2384 wrote to memory of 1896	2384	Scan-2021-10-06-89388399008827829020287278299276678292026368298.bat.exe	Scan-2021-10-06-89388399008827829020287278299276678292026368298.bat.exe
PID 2384 wrote to memory of 1896	2384	Scan-2021-10-06-89388399008827829020287278299276678292026368298.bat.exe	Scan-2021-10-06-89388399008827829020287278299276678292026368298.bat.exe
PID 2384 wrote to memory of 1896	2384	Scan-2021-10-06-89388399008827829020287278299276678292026368298.bat.exe	Scan-2021-10-06-89388399008827829020287278299276678292026368298.bat.exe
PID 2384 wrote to memory of 1896	2384	Scan-2021-10-06-89388399008827829020287278299276678292026368298.bat.exe	Scan-2021-10-06-89388399008827829020287278299276678292026368298.bat.exe
PID 2384 wrote to memory of 1896	2384	Scan-2021-10-06-89388399008827829020287278299276678292026368298.bat.exe	Scan-2021-10-06-89388399008827829020287278299276678292026368298.bat.exe
PID 2384 wrote to memory of 1896	2384	Scan-2021-10-06-89388399008827829020287278299276678292026368298.bat.exe	Scan-2021-10-06-89388399008827829020287278299276678292026368298.bat.exe
PID 2384 wrote to memory of 1896	2384	Scan-2021-10-06-89388399008827829020287278299276678292026368298.bat.exe	Scan-2021-10-06-89388399008827829020287278299276678292026368298.bat.exe
PID 1896 wrote to memory of 412	1896	Scan-2021-10-06-89388399008827829020287278299276678292026368298.bat.exe	microsoftupdate.exe
PID 1896 wrote to memory of 412	1896	Scan-2021-10-06-89388399008827829020287278299276678292026368298.bat.exe	microsoftupdate.exe
PID 1896 wrote to memory of 412	1896	Scan-2021-10-06-89388399008827829020287278299276678292026368298.bat.exe	microsoftupdate.exe
PID 412 wrote to memory of 1824	412	microsoftupdate.exe	microsoftupdate.exe
PID 412 wrote to memory of 1824	412	microsoftupdate.exe	microsoftupdate.exe
PID 412 wrote to memory of 1824	412	microsoftupdate.exe	microsoftupdate.exe
PID 412 wrote to memory of 1724	412	microsoftupdate.exe	microsoftupdate.exe
PID 412 wrote to memory of 1724	412	microsoftupdate.exe	microsoftupdate.exe
PID 412 wrote to memory of 1724	412	microsoftupdate.exe	microsoftupdate.exe
PID 412 wrote to memory of 1724	412	microsoftupdate.exe	microsoftupdate.exe
PID 412 wrote to memory of 1724	412	microsoftupdate.exe	microsoftupdate.exe
PID 412 wrote to memory of 1724	412	microsoftupdate.exe	microsoftupdate.exe
PID 412 wrote to memory of 1724	412	microsoftupdate.exe	microsoftupdate.exe
PID 412 wrote to memory of 1724	412	microsoftupdate.exe	microsoftupdate.exe
PID 412 wrote to memory of 1724	412	microsoftupdate.exe	microsoftupdate.exe
PID 412 wrote to memory of 1724	412	microsoftupdate.exe	microsoftupdate.exe
PID 412 wrote to memory of 1724	412	microsoftupdate.exe	microsoftupdate.exe
PID 1724 wrote to memory of 1988	1724	microsoftupdate.exe	cmd.exe
PID 1724 wrote to memory of 1988	1724	microsoftupdate.exe	cmd.exe
PID 1724 wrote to memory of 1988	1724	microsoftupdate.exe	cmd.exe
PID 1724 wrote to memory of 1988	1724	microsoftupdate.exe	cmd.exe
PID 1724 wrote to memory of 1988	1724	microsoftupdate.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\Scan-2021-10-06-89388399008827829020287278299276678292026368298.bat.exe
"C:\Users\Admin\AppData\Local\Temp\Scan-2021-10-06-89388399008827829020287278299276678292026368298.bat.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2384

C:\Users\Admin\AppData\Local\Temp\Scan-2021-10-06-89388399008827829020287278299276678292026368298.bat.exe
"C:\Users\Admin\AppData\Local\Temp\Scan-2021-10-06-89388399008827829020287278299276678292026368298.bat.exe"
2⤵
PID:2748

C:\Users\Admin\AppData\Local\Temp\Scan-2021-10-06-89388399008827829020287278299276678292026368298.bat.exe
"C:\Users\Admin\AppData\Local\Temp\Scan-2021-10-06-89388399008827829020287278299276678292026368298.bat.exe"
2⤵
PID:2756

C:\Users\Admin\AppData\Local\Temp\Scan-2021-10-06-89388399008827829020287278299276678292026368298.bat.exe
"C:\Users\Admin\AppData\Local\Temp\Scan-2021-10-06-89388399008827829020287278299276678292026368298.bat.exe"
2⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1896

C:\ProgramData\microsoftupdate.exe
"C:\ProgramData\microsoftupdate.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:412

C:\ProgramData\microsoftupdate.exe
"C:\ProgramData\microsoftupdate.exe"
4⤵
- Executes dropped EXE
PID:1824

C:\ProgramData\microsoftupdate.exe
"C:\ProgramData\microsoftupdate.exe"
4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1724

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe"
5⤵
PID:1988

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1896 -s 580
3⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Program crash
PID:4016

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\microsoftupdate.exe
MD5
4176461be62d517adba95d7ab909e7bb

SHA1
e53120f9ad641252e41aa677de123152cd72215f

SHA256
4bd74f7785ffaf625efdf131775b504966321554e008bd156002f857f866d458

SHA512
4e959c76fdd76d5907c467da5168574e1bf320e7c47dec95c20a4e8f87a95c4e69fbbd5f454082295cb0f457f2d1d070d35d364868dfef9e390e1e2075ea07ed

Download Submit
C:\ProgramData\microsoftupdate.exe
MD5
4176461be62d517adba95d7ab909e7bb

SHA1
e53120f9ad641252e41aa677de123152cd72215f

SHA256
4bd74f7785ffaf625efdf131775b504966321554e008bd156002f857f866d458

SHA512
4e959c76fdd76d5907c467da5168574e1bf320e7c47dec95c20a4e8f87a95c4e69fbbd5f454082295cb0f457f2d1d070d35d364868dfef9e390e1e2075ea07ed

Download Submit
C:\ProgramData\microsoftupdate.exe
MD5
4176461be62d517adba95d7ab909e7bb

SHA1
e53120f9ad641252e41aa677de123152cd72215f

SHA256
4bd74f7785ffaf625efdf131775b504966321554e008bd156002f857f866d458

SHA512
4e959c76fdd76d5907c467da5168574e1bf320e7c47dec95c20a4e8f87a95c4e69fbbd5f454082295cb0f457f2d1d070d35d364868dfef9e390e1e2075ea07ed

Download Submit
C:\ProgramData\microsoftupdate.exe
MD5
4176461be62d517adba95d7ab909e7bb

SHA1
e53120f9ad641252e41aa677de123152cd72215f

SHA256
4bd74f7785ffaf625efdf131775b504966321554e008bd156002f857f866d458

SHA512
4e959c76fdd76d5907c467da5168574e1bf320e7c47dec95c20a4e8f87a95c4e69fbbd5f454082295cb0f457f2d1d070d35d364868dfef9e390e1e2075ea07ed

Download Submit
memory/412-127-0x0000000000000000-mapping.dmp

Download
memory/412-135-0x00000000053C0000-0x00000000058BE000-memory.dmp

Filesize
5.0MB

Download
memory/1724-143-0x0000000000400000-0x0000000000554000-memory.dmp

Filesize
1.3MB

Download
memory/1724-141-0x0000000000405CE2-mapping.dmp

Download
memory/1896-126-0x0000000000400000-0x0000000000554000-memory.dmp

Filesize
1.3MB

Download
memory/1896-125-0x0000000000405CE2-mapping.dmp

Download
memory/1896-124-0x0000000000400000-0x0000000000554000-memory.dmp

Filesize
1.3MB

Download
memory/1988-144-0x0000000000000000-mapping.dmp

Download
memory/1988-145-0x00000000007D0000-0x00000000007D1000-memory.dmp

Filesize
4KB

Download
memory/2384-115-0x0000000000530000-0x0000000000531000-memory.dmp

Filesize
4KB

Download
memory/2384-123-0x0000000007780000-0x00000000077BF000-memory.dmp

Filesize
252KB

Download
memory/2384-122-0x0000000005150000-0x000000000515A000-memory.dmp

Filesize
40KB

Download
memory/2384-121-0x0000000007420000-0x0000000007421000-memory.dmp

Filesize
4KB

Download
memory/2384-120-0x0000000005000000-0x00000000054FE000-memory.dmp

Filesize
5.0MB

Download
memory/2384-119-0x0000000004EF0000-0x0000000004EF1000-memory.dmp

Filesize
4KB

Download
memory/2384-118-0x0000000004F00000-0x0000000004F01000-memory.dmp

Filesize
4KB

Download
memory/2384-117-0x0000000005500000-0x0000000005501000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads