warzonerat | 82572bb673e848ff6622ce079dd07a8434290e44499846952ddda1819d315db3

General

Target

invoice-2013790008755.bat.exe
Size

269KB
MD5

c37e3d75cffedf5dfd2710d0741012b8
SHA1

e0ef0f784d7be7b19d1ebe3f37bc0380061d24eb
SHA256

82572bb673e848ff6622ce079dd07a8434290e44499846952ddda1819d315db3
SHA512

c03f377264a544b2b3116b0a4036030e814b907050abd784ebe2ea9170b31c08cb0c253d077495e0b1e1266e6f02299b39d2defa7487d07af15434c9c5d90a1b

Score

10^/10

warzonerat infostealer persistence rat

Malware Config

Extracted

Family

warzonerat

C2

176.126.86.243:2021

Signatures

WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
rat infostealer warzonerat

Warzone RAT Payload 5 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/2816-125-0x0000000000400000-0x0000000000554000-memory.dmp	warzonerat
behavioral2/memory/2816-126-0x0000000000405CE2-mapping.dmp	warzonerat
behavioral2/memory/2816-127-0x0000000000400000-0x0000000000554000-memory.dmp	warzonerat
behavioral2/memory/1452-142-0x0000000000405CE2-mapping.dmp	warzonerat
behavioral2/memory/1452-144-0x0000000000400000-0x0000000000554000-memory.dmp	warzonerat

Executes dropped EXE 2 IoCs

Processes:

microsoftupdate.exemicrosoftupdate.exe

pid process

1140 microsoftupdate.exe
1452 microsoftupdate.exe
Sets DLL path for service in the registry 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112
Loads dropped DLL 1 IoCs

Processes:

svchost.exe

pid process

2172 svchost.exe

pid	process
1140	microsoftupdate.exe
1452	microsoftupdate.exe

pid	process
2172	svchost.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

invoice-2013790008755.bat.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\windowsdefender = "C:\\ProgramData\\microsoftupdate.exe"	invoice-2013790008755.bat.exe

Modifies WinLogon 2 TTPs 4 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

microsoftupdate.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\AllowMultipleTSSessions = "1"	microsoftupdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList	microsoftupdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts	microsoftupdate.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList\AwtlkFj = "0"	microsoftupdate.exe

Drops file in System32 directory 2 IoCs

Processes:

microsoftupdate.exe

description	ioc	process
File created	C:\Windows\System32\rfxvmt.dll	microsoftupdate.exe
File opened for modification	C:\Windows\System32\rfxvmt.dll	microsoftupdate.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

invoice-2013790008755.bat.exemicrosoftupdate.exe

description	pid	process	target process
PID 2428 set thread context of 2816	2428	invoice-2013790008755.bat.exe	invoice-2013790008755.bat.exe
PID 1140 set thread context of 1452	1140	microsoftupdate.exe	microsoftupdate.exe

Drops file in Program Files directory 2 IoCs

Processes:

microsoftupdate.exe

description	ioc	process
File created	C:\Program Files\Microsoft DN1\sqlmap.dll	microsoftupdate.exe
File created	C:\Program Files\Microsoft DN1\rdpwrap.ini	microsoftupdate.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exe

pid process

2284 schtasks.exe
1264 schtasks.exe

pid	process
2284	schtasks.exe
1264	schtasks.exe

Suspicious behavior: EnumeratesProcesses 20 IoCs

Processes:

invoice-2013790008755.bat.exemicrosoftupdate.exesvchost.exe

pid	process
2428	invoice-2013790008755.bat.exe
2428	invoice-2013790008755.bat.exe
2428	invoice-2013790008755.bat.exe
2428	invoice-2013790008755.bat.exe
2428	invoice-2013790008755.bat.exe
2428	invoice-2013790008755.bat.exe
2428	invoice-2013790008755.bat.exe
2428	invoice-2013790008755.bat.exe
2428	invoice-2013790008755.bat.exe
1140	microsoftupdate.exe
1140	microsoftupdate.exe
1140	microsoftupdate.exe
1140	microsoftupdate.exe
1140	microsoftupdate.exe
1140	microsoftupdate.exe
1140	microsoftupdate.exe
2172	svchost.exe
2172	svchost.exe
2172	svchost.exe
2172	svchost.exe

Suspicious behavior: LoadsDriver 1 IoCs

Processes:

pid process

624

pid	process
624

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

invoice-2013790008755.bat.exemicrosoftupdate.exemicrosoftupdate.exesvchost.exe

description	pid	process
Token: SeDebugPrivilege	2428	invoice-2013790008755.bat.exe
Token: SeDebugPrivilege	1140	microsoftupdate.exe
Token: SeDebugPrivilege	1452	microsoftupdate.exe
Token: SeAuditPrivilege	2172	svchost.exe

Suspicious use of WriteProcessMemory 39 IoCs

Processes:

invoice-2013790008755.bat.exeinvoice-2013790008755.bat.exemicrosoftupdate.exemicrosoftupdate.exe

description	pid	process	target process
PID 2428 wrote to memory of 2284	2428	invoice-2013790008755.bat.exe	schtasks.exe
PID 2428 wrote to memory of 2284	2428	invoice-2013790008755.bat.exe	schtasks.exe
PID 2428 wrote to memory of 2284	2428	invoice-2013790008755.bat.exe	schtasks.exe
PID 2428 wrote to memory of 2084	2428	invoice-2013790008755.bat.exe	invoice-2013790008755.bat.exe
PID 2428 wrote to memory of 2084	2428	invoice-2013790008755.bat.exe	invoice-2013790008755.bat.exe
PID 2428 wrote to memory of 2084	2428	invoice-2013790008755.bat.exe	invoice-2013790008755.bat.exe
PID 2428 wrote to memory of 2816	2428	invoice-2013790008755.bat.exe	invoice-2013790008755.bat.exe
PID 2428 wrote to memory of 2816	2428	invoice-2013790008755.bat.exe	invoice-2013790008755.bat.exe
PID 2428 wrote to memory of 2816	2428	invoice-2013790008755.bat.exe	invoice-2013790008755.bat.exe
PID 2428 wrote to memory of 2816	2428	invoice-2013790008755.bat.exe	invoice-2013790008755.bat.exe
PID 2428 wrote to memory of 2816	2428	invoice-2013790008755.bat.exe	invoice-2013790008755.bat.exe
PID 2428 wrote to memory of 2816	2428	invoice-2013790008755.bat.exe	invoice-2013790008755.bat.exe
PID 2428 wrote to memory of 2816	2428	invoice-2013790008755.bat.exe	invoice-2013790008755.bat.exe
PID 2428 wrote to memory of 2816	2428	invoice-2013790008755.bat.exe	invoice-2013790008755.bat.exe
PID 2428 wrote to memory of 2816	2428	invoice-2013790008755.bat.exe	invoice-2013790008755.bat.exe
PID 2428 wrote to memory of 2816	2428	invoice-2013790008755.bat.exe	invoice-2013790008755.bat.exe
PID 2428 wrote to memory of 2816	2428	invoice-2013790008755.bat.exe	invoice-2013790008755.bat.exe
PID 2816 wrote to memory of 1140	2816	invoice-2013790008755.bat.exe	microsoftupdate.exe
PID 2816 wrote to memory of 1140	2816	invoice-2013790008755.bat.exe	microsoftupdate.exe
PID 2816 wrote to memory of 1140	2816	invoice-2013790008755.bat.exe	microsoftupdate.exe
PID 1140 wrote to memory of 1264	1140	microsoftupdate.exe	schtasks.exe
PID 1140 wrote to memory of 1264	1140	microsoftupdate.exe	schtasks.exe
PID 1140 wrote to memory of 1264	1140	microsoftupdate.exe	schtasks.exe
PID 1140 wrote to memory of 1452	1140	microsoftupdate.exe	microsoftupdate.exe
PID 1140 wrote to memory of 1452	1140	microsoftupdate.exe	microsoftupdate.exe
PID 1140 wrote to memory of 1452	1140	microsoftupdate.exe	microsoftupdate.exe
PID 1140 wrote to memory of 1452	1140	microsoftupdate.exe	microsoftupdate.exe
PID 1140 wrote to memory of 1452	1140	microsoftupdate.exe	microsoftupdate.exe
PID 1140 wrote to memory of 1452	1140	microsoftupdate.exe	microsoftupdate.exe
PID 1140 wrote to memory of 1452	1140	microsoftupdate.exe	microsoftupdate.exe
PID 1140 wrote to memory of 1452	1140	microsoftupdate.exe	microsoftupdate.exe
PID 1140 wrote to memory of 1452	1140	microsoftupdate.exe	microsoftupdate.exe
PID 1140 wrote to memory of 1452	1140	microsoftupdate.exe	microsoftupdate.exe
PID 1140 wrote to memory of 1452	1140	microsoftupdate.exe	microsoftupdate.exe
PID 1452 wrote to memory of 2064	1452	microsoftupdate.exe	cmd.exe
PID 1452 wrote to memory of 2064	1452	microsoftupdate.exe	cmd.exe
PID 1452 wrote to memory of 2064	1452	microsoftupdate.exe	cmd.exe
PID 1452 wrote to memory of 2064	1452	microsoftupdate.exe	cmd.exe
PID 1452 wrote to memory of 2064	1452	microsoftupdate.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\invoice-2013790008755.bat.exe
"C:\Users\Admin\AppData\Local\Temp\invoice-2013790008755.bat.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2428

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\stXLEjB" /XML "C:\Users\Admin\AppData\Local\Temp\tmp5427.tmp"
2⤵
- Creates scheduled task(s)
PID:2284

C:\Users\Admin\AppData\Local\Temp\invoice-2013790008755.bat.exe
"C:\Users\Admin\AppData\Local\Temp\invoice-2013790008755.bat.exe"
2⤵
PID:2084

C:\Users\Admin\AppData\Local\Temp\invoice-2013790008755.bat.exe
"C:\Users\Admin\AppData\Local\Temp\invoice-2013790008755.bat.exe"
2⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2816

C:\ProgramData\microsoftupdate.exe
"C:\ProgramData\microsoftupdate.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1140

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\stXLEjB" /XML "C:\Users\Admin\AppData\Local\Temp\tmp310A.tmp"
4⤵
- Creates scheduled task(s)
PID:1264

C:\ProgramData\microsoftupdate.exe
"C:\ProgramData\microsoftupdate.exe"
4⤵
- Executes dropped EXE
- Modifies WinLogon
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1452

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe"
5⤵
PID:2064

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k networkservice -s TermService
1⤵
PID:3216

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -s TermService
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2172

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Registry Run Keys / Startup Folder

2

T1060

Winlogon Helper DLL

1

T1004

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Modify Registry

3

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\microsoftupdate.exe
MD5
c37e3d75cffedf5dfd2710d0741012b8

SHA1
e0ef0f784d7be7b19d1ebe3f37bc0380061d24eb

SHA256
82572bb673e848ff6622ce079dd07a8434290e44499846952ddda1819d315db3

SHA512
c03f377264a544b2b3116b0a4036030e814b907050abd784ebe2ea9170b31c08cb0c253d077495e0b1e1266e6f02299b39d2defa7487d07af15434c9c5d90a1b

Download Submit
C:\ProgramData\microsoftupdate.exe
MD5
c37e3d75cffedf5dfd2710d0741012b8

SHA1
e0ef0f784d7be7b19d1ebe3f37bc0380061d24eb

SHA256
82572bb673e848ff6622ce079dd07a8434290e44499846952ddda1819d315db3

SHA512
c03f377264a544b2b3116b0a4036030e814b907050abd784ebe2ea9170b31c08cb0c253d077495e0b1e1266e6f02299b39d2defa7487d07af15434c9c5d90a1b

Download Submit
C:\ProgramData\microsoftupdate.exe
MD5
c37e3d75cffedf5dfd2710d0741012b8

SHA1
e0ef0f784d7be7b19d1ebe3f37bc0380061d24eb

SHA256
82572bb673e848ff6622ce079dd07a8434290e44499846952ddda1819d315db3

SHA512
c03f377264a544b2b3116b0a4036030e814b907050abd784ebe2ea9170b31c08cb0c253d077495e0b1e1266e6f02299b39d2defa7487d07af15434c9c5d90a1b

Download Submit
\??\c:\program files\microsoft dn1\rdpwrap.ini
MD5
dddd741ab677bdac8dcd4fa0dda05da2

SHA1
69d328c70046029a1866fd440c3e4a63563200f9

SHA256
7d5655d5ec4defc2051aa5f582fac1031b142040c8eea840ff88887fe27b7668

SHA512
6106252c718f7ca0486070c6f6c476bd47e6ae6a799cffd3fb437a5ce2b2a904e9cbe17342351353c594d7a8ae0ef0327752ff977dee1e69f0be7dc8e55cf4ec

Download Submit
\??\c:\program files\microsoft dn1\sqlmap.dll
MD5
461ade40b800ae80a40985594e1ac236

SHA1
b3892eef846c044a2b0785d54a432b3e93a968c8

SHA256
798af20db39280f90a1d35f2ac2c1d62124d1f5218a2a0fa29d87a13340bd3e4

SHA512
421f9060c4b61fa6f4074508602a2639209032fd5df5bfc702a159e3bad5479684ccb3f6e02f3e38fb8db53839cf3f41fe58a3acad6ec1199a48dc333b2d8a26

Download Submit
\Program Files\Microsoft DN1\sqlmap.dll
MD5
461ade40b800ae80a40985594e1ac236

SHA1
b3892eef846c044a2b0785d54a432b3e93a968c8

SHA256
798af20db39280f90a1d35f2ac2c1d62124d1f5218a2a0fa29d87a13340bd3e4

SHA512
421f9060c4b61fa6f4074508602a2639209032fd5df5bfc702a159e3bad5479684ccb3f6e02f3e38fb8db53839cf3f41fe58a3acad6ec1199a48dc333b2d8a26

Download Submit
memory/1140-128-0x0000000000000000-mapping.dmp

Download
memory/1140-137-0x0000000002AC0000-0x0000000002B52000-memory.dmp

Filesize
584KB

Download
memory/1264-140-0x0000000000000000-mapping.dmp

Download
memory/1452-144-0x0000000000400000-0x0000000000554000-memory.dmp

Filesize
1.3MB

Download
memory/1452-142-0x0000000000405CE2-mapping.dmp

Download
memory/2064-146-0x0000000000B20000-0x0000000000B21000-memory.dmp

Filesize
4KB

Download
memory/2064-145-0x0000000000000000-mapping.dmp

Download
memory/2284-124-0x0000000000000000-mapping.dmp

Download
memory/2428-122-0x0000000006F50000-0x0000000006F51000-memory.dmp

Filesize
4KB

Download
memory/2428-121-0x0000000004970000-0x0000000004971000-memory.dmp

Filesize
4KB

Download
memory/2428-120-0x0000000006400000-0x0000000006405000-memory.dmp

Filesize
20KB

Download
memory/2428-123-0x00000000066E0000-0x000000000671E000-memory.dmp

Filesize
248KB

Download
memory/2428-115-0x0000000000160000-0x0000000000161000-memory.dmp

Filesize
4KB

Download
memory/2428-119-0x00000000049F0000-0x00000000049F1000-memory.dmp

Filesize
4KB

Download
memory/2428-118-0x0000000004A50000-0x0000000004A51000-memory.dmp

Filesize
4KB

Download
memory/2428-117-0x0000000004EB0000-0x0000000004EB1000-memory.dmp

Filesize
4KB

Download
memory/2816-125-0x0000000000400000-0x0000000000554000-memory.dmp

Filesize
1.3MB

Download
memory/2816-126-0x0000000000405CE2-mapping.dmp

Download
memory/2816-127-0x0000000000400000-0x0000000000554000-memory.dmp

Filesize
1.3MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads