warzonerat | 3e52503cc1b664efb9fa89c2bed4adff5d460bffbe0dba536363edb5cda1c603

General

Target

PO data file from project 029452.exe
Size

544KB
MD5

a977e0f159c0a6574c3274a1db5b7a67
SHA1

404e0e4a03baca74ec0ec08543917dcc1ce3a187
SHA256

3e52503cc1b664efb9fa89c2bed4adff5d460bffbe0dba536363edb5cda1c603
SHA512

7e5b8badab27963316865f92a8ca1ee323f0efcc03035cfa731cf9ed268a074d191004eaff08857ad89a9cee4fbf56fee93417f1f0caac77ea72518c3d55571e

Score

10^/10

warzonerat infostealer rat

Malware Config

Extracted

Family

warzonerat

C2

engkaa.ddns.net:4545

Signatures

WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
rat infostealer warzonerat

Warzone RAT Payload 4 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/1472-57-0x0000000000000000-mapping.dmp	warzonerat
behavioral1/memory/1472-58-0x00000000001C0000-0x0000000000314000-memory.dmp	warzonerat
behavioral1/memory/1472-63-0x00000000001C0000-0x0000000000314000-memory.dmp	warzonerat
behavioral1/memory/1472-69-0x00000000001C0000-0x0000000000314000-memory.dmp	warzonerat

Loads dropped DLL 1 IoCs

Processes:

PO data file from project 029452.exe

pid process

1092 PO data file from project 029452.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1640 1472 WerFault.exe PO data file from project 029452.exe
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

WerFault.exe

pid process

1640 WerFault.exe
1640 WerFault.exe
1640 WerFault.exe
1640 WerFault.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

WerFault.exe

pid process

1640 WerFault.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

WerFault.exe

description pid process

Token: SeDebugPrivilege 1640 WerFault.exe

pid	process
1092	PO data file from project 029452.exe

pid	pid_target	process	target process
1640	1472	WerFault.exe	PO data file from project 029452.exe

pid	process
1640	WerFault.exe
1640	WerFault.exe
1640	WerFault.exe
1640	WerFault.exe

pid	process
1640	WerFault.exe

description	pid	process
Token: SeDebugPrivilege	1640	WerFault.exe

Suspicious use of WriteProcessMemory 16 IoCs

Processes:

PO data file from project 029452.exePO data file from project 029452.exe

C:\Users\Admin\AppData\Local\Temp\PO data file from project 029452.exe
"C:\Users\Admin\AppData\Local\Temp\PO data file from project 029452.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1092

C:\Users\Admin\AppData\Local\Temp\PO data file from project 029452.exe
"C:\Users\Admin\AppData\Local\Temp\PO data file from project 029452.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:1472

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1472 -s 200
3⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:1640

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\nstF02A.tmp\ootkzcxq.dll
MD5
ec61597362b2d45bf0c5d98db7d94de3

SHA1
7c3af6293c30c64bf53d226eb889e12cf4e3ac38

SHA256
ce53ff0249b1154d4455c0185b9152817084da64ab43897a774857c2eea6611e

SHA512
fa771305e8a293a5ae31198da978c93de2aa5e46fe7ac47fa7cd25930df3e026175d3d91f3ed039040e1a71638b5f7ce26fdc6151d63d45fd4fd29e49034a6b9

Download Submit
memory/1092-55-0x00000000768A1000-0x00000000768A3000-memory.dmp

Filesize
8KB

Download
memory/1472-57-0x0000000000000000-mapping.dmp

Download
memory/1472-58-0x00000000001C0000-0x0000000000314000-memory.dmp

Filesize
1.3MB

Download
memory/1472-63-0x00000000001C0000-0x0000000000314000-memory.dmp

Filesize
1.3MB

Download
memory/1472-69-0x00000000001C0000-0x0000000000314000-memory.dmp

Filesize
1.3MB

Download
memory/1640-70-0x0000000000000000-mapping.dmp

Download
memory/1640-71-0x0000000000910000-0x0000000000911000-memory.dmp

Filesize
4KB

Download

description	pid	process	target process
PID 1092 wrote to memory of 1472	1092	PO data file from project 029452.exe	PO data file from project 029452.exe
PID 1092 wrote to memory of 1472	1092	PO data file from project 029452.exe	PO data file from project 029452.exe
PID 1092 wrote to memory of 1472	1092	PO data file from project 029452.exe	PO data file from project 029452.exe
PID 1092 wrote to memory of 1472	1092	PO data file from project 029452.exe	PO data file from project 029452.exe
PID 1092 wrote to memory of 1472	1092	PO data file from project 029452.exe	PO data file from project 029452.exe
PID 1092 wrote to memory of 1472	1092	PO data file from project 029452.exe	PO data file from project 029452.exe
PID 1092 wrote to memory of 1472	1092	PO data file from project 029452.exe	PO data file from project 029452.exe
PID 1092 wrote to memory of 1472	1092	PO data file from project 029452.exe	PO data file from project 029452.exe
PID 1092 wrote to memory of 1472	1092	PO data file from project 029452.exe	PO data file from project 029452.exe
PID 1092 wrote to memory of 1472	1092	PO data file from project 029452.exe	PO data file from project 029452.exe
PID 1092 wrote to memory of 1472	1092	PO data file from project 029452.exe	PO data file from project 029452.exe
PID 1092 wrote to memory of 1472	1092	PO data file from project 029452.exe	PO data file from project 029452.exe
PID 1472 wrote to memory of 1640	1472	PO data file from project 029452.exe	WerFault.exe
PID 1472 wrote to memory of 1640	1472	PO data file from project 029452.exe	WerFault.exe
PID 1472 wrote to memory of 1640	1472	PO data file from project 029452.exe	WerFault.exe
PID 1472 wrote to memory of 1640	1472	PO data file from project 029452.exe	WerFault.exe

Analysis

Sharing