warzonerat | 396cf03c5637b57c3b391d5bb7b8c05fce62d23ee9df51f99669268c5be28742

General

Target

New Order.xls.exe
Size

361KB
MD5

0f3af49aed9b20bc69abe9f3c5b36364
SHA1

73e825d30b8666d15b5d229e8a1f96c435bd8f9f
SHA256

396cf03c5637b57c3b391d5bb7b8c05fce62d23ee9df51f99669268c5be28742
SHA512

c70e515a227571eede0072316ce28180c8883c27ea469b6fb04101253b6e1b4a6e0ffb155c87a7a869f7aedeec7240ec1416f5f5b419612117e9ff7bba9f8274

Score

10^/10

warzonerat infostealer rat

Malware Config

Extracted

Family

warzonerat

C2

alliedofficewarz.ddns.net:6060

Signatures

WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
rat infostealer warzonerat

Warzone RAT Payload 4 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/1072-56-0x0000000000000000-mapping.dmp	warzonerat
behavioral1/memory/1072-57-0x00000000001C0000-0x0000000000314000-memory.dmp	warzonerat
behavioral1/memory/1072-62-0x00000000001C0000-0x0000000000314000-memory.dmp	warzonerat
behavioral1/memory/1072-68-0x00000000001C0000-0x0000000000314000-memory.dmp	warzonerat

Loads dropped DLL 1 IoCs

Processes:

New Order.xls.exe

pid process

1592 New Order.xls.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1896 1072 WerFault.exe New Order.xls.exe
Suspicious behavior: EnumeratesProcesses 5 IoCs

Processes:

WerFault.exe

pid process

1896 WerFault.exe
1896 WerFault.exe
1896 WerFault.exe
1896 WerFault.exe
1896 WerFault.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

WerFault.exe

pid process

1896 WerFault.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

WerFault.exe

description pid process

Token: SeDebugPrivilege 1896 WerFault.exe

pid	process
1592	New Order.xls.exe

pid	pid_target	process	target process
1896	1072	WerFault.exe	New Order.xls.exe

pid	process
1896	WerFault.exe
1896	WerFault.exe
1896	WerFault.exe
1896	WerFault.exe
1896	WerFault.exe

pid	process
1896	WerFault.exe

description	pid	process
Token: SeDebugPrivilege	1896	WerFault.exe

Suspicious use of WriteProcessMemory 16 IoCs

Processes:

New Order.xls.exeNew Order.xls.exe

description	pid	process	target process
PID 1592 wrote to memory of 1072	1592	New Order.xls.exe	New Order.xls.exe
PID 1592 wrote to memory of 1072	1592	New Order.xls.exe	New Order.xls.exe
PID 1592 wrote to memory of 1072	1592	New Order.xls.exe	New Order.xls.exe
PID 1592 wrote to memory of 1072	1592	New Order.xls.exe	New Order.xls.exe
PID 1592 wrote to memory of 1072	1592	New Order.xls.exe	New Order.xls.exe
PID 1592 wrote to memory of 1072	1592	New Order.xls.exe	New Order.xls.exe
PID 1592 wrote to memory of 1072	1592	New Order.xls.exe	New Order.xls.exe
PID 1592 wrote to memory of 1072	1592	New Order.xls.exe	New Order.xls.exe
PID 1592 wrote to memory of 1072	1592	New Order.xls.exe	New Order.xls.exe
PID 1592 wrote to memory of 1072	1592	New Order.xls.exe	New Order.xls.exe
PID 1592 wrote to memory of 1072	1592	New Order.xls.exe	New Order.xls.exe
PID 1592 wrote to memory of 1072	1592	New Order.xls.exe	New Order.xls.exe
PID 1072 wrote to memory of 1896	1072	New Order.xls.exe	WerFault.exe
PID 1072 wrote to memory of 1896	1072	New Order.xls.exe	WerFault.exe
PID 1072 wrote to memory of 1896	1072	New Order.xls.exe	WerFault.exe
PID 1072 wrote to memory of 1896	1072	New Order.xls.exe	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\New Order.xls.exe
"C:\Users\Admin\AppData\Local\Temp\New Order.xls.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1592

C:\Users\Admin\AppData\Local\Temp\New Order.xls.exe
"C:\Users\Admin\AppData\Local\Temp\New Order.xls.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:1072

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1072 -s 200
3⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:1896

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\nsd540A.tmp\sczlg.dll
MD5
050c40e88dc3bd1657dc0f35058a95ad

SHA1
dcc74c0fbb382cf0eb0cc3177b17d9190635e753

SHA256
b50a1bae00a83af133e834a25fd298f561aaf8d6f3b5e2d79622305afdeb6977

SHA512
9e2e8e6e9c39a8af67cfa66fc4ada5f559f4e6e82abb45d8fc4e49b284fa2728fe205ba85705448e8a02bd802c0922b3d8edccfd0cb42c7273bef2bcd5b918c9

Download Submit
memory/1072-56-0x0000000000000000-mapping.dmp

Download
memory/1072-57-0x00000000001C0000-0x0000000000314000-memory.dmp

Filesize
1.3MB

Download
memory/1072-62-0x00000000001C0000-0x0000000000314000-memory.dmp

Filesize
1.3MB

Download
memory/1072-68-0x00000000001C0000-0x0000000000314000-memory.dmp

Filesize
1.3MB

Download
memory/1592-54-0x00000000767F1000-0x00000000767F3000-memory.dmp

Filesize
8KB

Download
memory/1896-69-0x0000000000000000-mapping.dmp

Download
memory/1896-70-0x0000000000480000-0x0000000000481000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing