warzonerat | 47fa3d12bbf90ed2c61bf71b5b6c84b78357635377654602b39d1452a297ea7b

General

Target

Quotation Request_20202605_20202605_20202605PDF.exe
Size

531KB
MD5

b1482e23bdf72a41744c093fbb8240c1
SHA1

158c3f82a524da53d69047a6ea5768ed17fa6fbc
SHA256

9eb63d2c299e7faae7179f56ea8b4c962270a9def733cad4839955d638ac7d00
SHA512

b3f110b3c05168eb734d0250502522ed1c7daab2ec50c705ab90d56d542d5fe285c348a14baa1e3370eb393f8d195138ed654b2356a8aa0a28557f5988fa61a6

Score

10^/10

warzonerat infostealer rat

Malware Config

Extracted

Family

warzonerat

C2

45.137.22.143:5200

Signatures

WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
rat infostealer warzonerat

Warzone RAT Payload 8 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/932-63-0x0000000000400000-0x0000000000554000-memory.dmp	warzonerat
behavioral1/memory/932-64-0x0000000000400000-0x0000000000554000-memory.dmp	warzonerat
behavioral1/memory/932-66-0x0000000000400000-0x0000000000554000-memory.dmp	warzonerat
behavioral1/memory/932-67-0x0000000000400000-0x0000000000554000-memory.dmp	warzonerat
behavioral1/memory/932-68-0x0000000000400000-0x0000000000554000-memory.dmp	warzonerat
behavioral1/memory/932-69-0x0000000000405CE2-mapping.dmp	warzonerat
behavioral1/memory/932-72-0x0000000000400000-0x0000000000554000-memory.dmp	warzonerat
behavioral1/memory/932-73-0x0000000000400000-0x0000000000554000-memory.dmp	warzonerat

Suspicious use of SetThreadContext 1 IoCs

Processes:

Quotation Request_20202605_20202605_20202605PDF.exe

description	pid	process	target process
PID 1944 set thread context of 932	1944	Quotation Request_20202605_20202605_20202605PDF.exe	Quotation Request_20202605_20202605_20202605PDF.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1248 schtasks.exe

pid	process
1248	schtasks.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

Quotation Request_20202605_20202605_20202605PDF.exe

pid	process
1944	Quotation Request_20202605_20202605_20202605PDF.exe
1944	Quotation Request_20202605_20202605_20202605PDF.exe
1944	Quotation Request_20202605_20202605_20202605PDF.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

Quotation Request_20202605_20202605_20202605PDF.exe

description pid process

Token: SeDebugPrivilege 1944 Quotation Request_20202605_20202605_20202605PDF.exe

description	pid	process
Token: SeDebugPrivilege	1944	Quotation Request_20202605_20202605_20202605PDF.exe

Suspicious use of WriteProcessMemory 16 IoCs

Processes:

Quotation Request_20202605_20202605_20202605PDF.exe

C:\Users\Admin\AppData\Local\Temp\Quotation Request_20202605_20202605_20202605PDF.exe
"C:\Users\Admin\AppData\Local\Temp\Quotation Request_20202605_20202605_20202605PDF.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1944

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\iITuwBcw" /XML "C:\Users\Admin\AppData\Local\Temp\tmpFDA1.tmp"
2⤵
- Creates scheduled task(s)
PID:1248

C:\Users\Admin\AppData\Local\Temp\Quotation Request_20202605_20202605_20202605PDF.exe
"{path}"
2⤵
PID:932

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpFDA1.tmp
Filesize
1KB

MD5
57e3221b28145d1f39b7ff35ce64ce53

SHA1
3fa36950589720c8f31bb34e00625bbf20832b2a

SHA256
0444267f2f0db38c7f216b52cbaabcb601d77f9b7e28132065ba42624b39a743

SHA512
c4a0682133454a896e09e079157305954ffb373152a06dae74408943f73b290bed37f64bd135561a3730db21824b5a6cd5a14f3320dde5d7384b0b4603c4d678

Download Submit
memory/932-61-0x0000000000400000-0x0000000000554000-memory.dmp

Filesize
1.3MB

Download
memory/932-64-0x0000000000400000-0x0000000000554000-memory.dmp

Filesize
1.3MB

Download
memory/932-73-0x0000000000400000-0x0000000000554000-memory.dmp

Filesize
1.3MB

Download
memory/932-58-0x0000000000400000-0x0000000000554000-memory.dmp

Filesize
1.3MB

Download
memory/932-59-0x0000000000400000-0x0000000000554000-memory.dmp

Filesize
1.3MB

Download
memory/932-72-0x0000000000400000-0x0000000000554000-memory.dmp

Filesize
1.3MB

Download
memory/932-63-0x0000000000400000-0x0000000000554000-memory.dmp

Filesize
1.3MB

Download
memory/932-69-0x0000000000405CE2-mapping.dmp

Download
memory/932-66-0x0000000000400000-0x0000000000554000-memory.dmp

Filesize
1.3MB

Download
memory/932-67-0x0000000000400000-0x0000000000554000-memory.dmp

Filesize
1.3MB

Download
memory/932-68-0x0000000000400000-0x0000000000554000-memory.dmp

Filesize
1.3MB

Download
memory/1248-56-0x0000000000000000-mapping.dmp

Download
memory/1944-54-0x00000000759F1000-0x00000000759F3000-memory.dmp

Filesize
8KB

Download
memory/1944-55-0x0000000074E00000-0x00000000753AB000-memory.dmp

Filesize
5.7MB

Download

description	pid	process	target process
PID 1944 wrote to memory of 1248	1944	Quotation Request_20202605_20202605_20202605PDF.exe	schtasks.exe
PID 1944 wrote to memory of 1248	1944	Quotation Request_20202605_20202605_20202605PDF.exe	schtasks.exe
PID 1944 wrote to memory of 1248	1944	Quotation Request_20202605_20202605_20202605PDF.exe	schtasks.exe
PID 1944 wrote to memory of 1248	1944	Quotation Request_20202605_20202605_20202605PDF.exe	schtasks.exe
PID 1944 wrote to memory of 932	1944	Quotation Request_20202605_20202605_20202605PDF.exe	Quotation Request_20202605_20202605_20202605PDF.exe
PID 1944 wrote to memory of 932	1944	Quotation Request_20202605_20202605_20202605PDF.exe	Quotation Request_20202605_20202605_20202605PDF.exe
PID 1944 wrote to memory of 932	1944	Quotation Request_20202605_20202605_20202605PDF.exe	Quotation Request_20202605_20202605_20202605PDF.exe
PID 1944 wrote to memory of 932	1944	Quotation Request_20202605_20202605_20202605PDF.exe	Quotation Request_20202605_20202605_20202605PDF.exe
PID 1944 wrote to memory of 932	1944	Quotation Request_20202605_20202605_20202605PDF.exe	Quotation Request_20202605_20202605_20202605PDF.exe
PID 1944 wrote to memory of 932	1944	Quotation Request_20202605_20202605_20202605PDF.exe	Quotation Request_20202605_20202605_20202605PDF.exe
PID 1944 wrote to memory of 932	1944	Quotation Request_20202605_20202605_20202605PDF.exe	Quotation Request_20202605_20202605_20202605PDF.exe
PID 1944 wrote to memory of 932	1944	Quotation Request_20202605_20202605_20202605PDF.exe	Quotation Request_20202605_20202605_20202605PDF.exe
PID 1944 wrote to memory of 932	1944	Quotation Request_20202605_20202605_20202605PDF.exe	Quotation Request_20202605_20202605_20202605PDF.exe
PID 1944 wrote to memory of 932	1944	Quotation Request_20202605_20202605_20202605PDF.exe	Quotation Request_20202605_20202605_20202605PDF.exe
PID 1944 wrote to memory of 932	1944	Quotation Request_20202605_20202605_20202605PDF.exe	Quotation Request_20202605_20202605_20202605PDF.exe
PID 1944 wrote to memory of 932	1944	Quotation Request_20202605_20202605_20202605PDF.exe	Quotation Request_20202605_20202605_20202605PDF.exe

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads