warzonerat | 8757c5b86ad6d98c723473fd79bae3349b3c308da3ba8cf7c0fa8696e3d69d3a

General

Target

Quotation-937847836-178474.exe
Size

188KB
MD5

bbc4ffcf3ffdd24fda14f1d234966e33
SHA1

9d4d3b412493806601fa61492d0b58f06bce3ee1
SHA256

4a1f7dc3d33366c303e8fb2c7c44d4929d5898f219bcf952bafba336b8056e91
SHA512

f1e33bee03ddaaee6682b351a522ea3a8759b324a1aefeb885ae5407d78b18053f21336d247cb1b9ddbb7c0d2b00c85c44165c04b47191650812913850d46f3b

Score

10^/10

warzonerat evasion infostealer rat

Malware Config

Extracted

Family

warzonerat

C2

newzone.from-ne.com:3200

Signatures

WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
rat infostealer warzonerat
Looks for VirtualBox Guest Additions in registry 2 TTPs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Warzone RAT Payload 3 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/1508-135-0x0000000000400000-0x0000000000553000-memory.dmp	warzonerat
behavioral2/memory/1508-137-0x0000000000400000-0x0000000000553000-memory.dmp	warzonerat
behavioral2/memory/1508-138-0x0000000000400000-0x0000000000553000-memory.dmp	warzonerat

Looks for VMWare Tools registry key 2 TTPs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Quotation-937847836-178474.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Quotation-937847836-178474.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	Quotation-937847836-178474.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Quotation-937847836-178474.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Control Panel\International\Geo\Nation	Quotation-937847836-178474.exe

Maps connected drives based on registry 3 TTPs 2 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

Quotation-937847836-178474.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	Quotation-937847836-178474.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	Quotation-937847836-178474.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

Quotation-937847836-178474.exe

description pid process target process

PID 4892 set thread context of 1508 4892 Quotation-937847836-178474.exe Quotation-937847836-178474.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

4968 schtasks.exe
Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

Quotation-937847836-178474.exe

pid process

4892 Quotation-937847836-178474.exe
4892 Quotation-937847836-178474.exe
4892 Quotation-937847836-178474.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

Quotation-937847836-178474.exe

description pid process

Token: SeDebugPrivilege 4892 Quotation-937847836-178474.exe

description	pid	process	target process
PID 4892 set thread context of 1508	4892	Quotation-937847836-178474.exe	Quotation-937847836-178474.exe

pid	process
4968	schtasks.exe

pid	process
4892	Quotation-937847836-178474.exe
4892	Quotation-937847836-178474.exe
4892	Quotation-937847836-178474.exe

description	pid	process
Token: SeDebugPrivilege	4892	Quotation-937847836-178474.exe

Suspicious use of WriteProcessMemory 17 IoCs

Processes:

Quotation-937847836-178474.exe

C:\Users\Admin\AppData\Local\Temp\Quotation-937847836-178474.exe
"C:\Users\Admin\AppData\Local\Temp\Quotation-937847836-178474.exe"
1⤵
- Checks BIOS information in registry
- Checks computer location settings
- Maps connected drives based on registry
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4892

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\HhnIFenoEC" /XML "C:\Users\Admin\AppData\Local\Temp\tmp1DAA.tmp"
2⤵
- Creates scheduled task(s)
PID:4968

C:\Users\Admin\AppData\Local\Temp\Quotation-937847836-178474.exe
"C:\Users\Admin\AppData\Local\Temp\Quotation-937847836-178474.exe"
2⤵
PID:4012

C:\Users\Admin\AppData\Local\Temp\Quotation-937847836-178474.exe
"C:\Users\Admin\AppData\Local\Temp\Quotation-937847836-178474.exe"
2⤵
PID:1508

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Virtualization/Sandbox Evasion

2

T1497

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

4

T1082

Virtualization/Sandbox Evasion

2

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp1DAA.tmp

Filesize
1KB

MD5
985639ce4805fccf79eb96f8ae67eafe

SHA1
a16ea18d873eebcd15f06239da8416e8c5e0bef5

SHA256
85114fb9a809cf01b269f84b7c3c2d69642414f8d1917298b57dcbf521cd000a

SHA512
ca8eec5ae162ec38d83bfeaedaada74afa0428007d3ca61161640f45857bcaada7b4b50bda369b1a100e2fa78364e0e35446c660bc59ac3d318ccde32fffb813

Download Submit
memory/1508-134-0x0000000000000000-mapping.dmp

Download
memory/1508-135-0x0000000000400000-0x0000000000553000-memory.dmp

Filesize
1.3MB

Download
memory/1508-137-0x0000000000400000-0x0000000000553000-memory.dmp

Filesize
1.3MB

Download
memory/1508-138-0x0000000000400000-0x0000000000553000-memory.dmp

Filesize
1.3MB

Download
memory/4012-133-0x0000000000000000-mapping.dmp

Download
memory/4892-130-0x0000000075150000-0x0000000075701000-memory.dmp

Filesize
5.7MB

Download
memory/4968-131-0x0000000000000000-mapping.dmp

Download

description	pid	process	target process
PID 4892 wrote to memory of 4968	4892	Quotation-937847836-178474.exe	schtasks.exe
PID 4892 wrote to memory of 4968	4892	Quotation-937847836-178474.exe	schtasks.exe
PID 4892 wrote to memory of 4968	4892	Quotation-937847836-178474.exe	schtasks.exe
PID 4892 wrote to memory of 4012	4892	Quotation-937847836-178474.exe	Quotation-937847836-178474.exe
PID 4892 wrote to memory of 4012	4892	Quotation-937847836-178474.exe	Quotation-937847836-178474.exe
PID 4892 wrote to memory of 4012	4892	Quotation-937847836-178474.exe	Quotation-937847836-178474.exe
PID 4892 wrote to memory of 1508	4892	Quotation-937847836-178474.exe	Quotation-937847836-178474.exe
PID 4892 wrote to memory of 1508	4892	Quotation-937847836-178474.exe	Quotation-937847836-178474.exe
PID 4892 wrote to memory of 1508	4892	Quotation-937847836-178474.exe	Quotation-937847836-178474.exe
PID 4892 wrote to memory of 1508	4892	Quotation-937847836-178474.exe	Quotation-937847836-178474.exe
PID 4892 wrote to memory of 1508	4892	Quotation-937847836-178474.exe	Quotation-937847836-178474.exe
PID 4892 wrote to memory of 1508	4892	Quotation-937847836-178474.exe	Quotation-937847836-178474.exe
PID 4892 wrote to memory of 1508	4892	Quotation-937847836-178474.exe	Quotation-937847836-178474.exe
PID 4892 wrote to memory of 1508	4892	Quotation-937847836-178474.exe	Quotation-937847836-178474.exe
PID 4892 wrote to memory of 1508	4892	Quotation-937847836-178474.exe	Quotation-937847836-178474.exe
PID 4892 wrote to memory of 1508	4892	Quotation-937847836-178474.exe	Quotation-937847836-178474.exe
PID 4892 wrote to memory of 1508	4892	Quotation-937847836-178474.exe	Quotation-937847836-178474.exe

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads