Behavioral Report

max time kernel110s
max time network46s
platformwindows7_x64
resourcewin7-20220414-en
submitted21-05-2022 18:38

Report
Files
Registry
Network
Processes
Mutex
Misc

Target

New Order.exe

Filesize

1MB

Completed

21-05-2022 18:41

Task

behavioral1

Score

10^/10

MD5

fb5b35716632d1ec30f13ea6c1c8ac69

SHA1

c4a066ecb0e73b431561eb5f209af51e361f0467

SHA256

a33a4dcab1d0b4c87dc0041862aef871d365273a0baa94162ef4ff85af51c578

SHA512

c1028ab4f4830c1166ba393ac1fff986e6c6cb9ada84af54c707998342005297e3abb16129368c2420cecebd4877d11edc9dca1ed118eabe349521e58139245b

warzonerat infostealer persistence rat

Extracted

Family	warzonerat
C2	79.134.225.40:5200 79.134.225.40:5200

Defense Evasion

Persistence

WarzoneRat, AveMaria

Description

WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.

Tags

rat infostealer warzonerat

Warzone RAT Payload

Reported IOCs

resource	yara_rule
behavioral1/memory/1828-55-0x0000000000810000-0x0000000000963000-memory.dmp	warzonerat
behavioral1/memory/1828-61-0x00000000000F0000-0x00000000001F0000-memory.dmp	warzonerat
behavioral1/memory/2008-70-0x00000000005F0000-0x0000000000743000-memory.dmp	warzonerat

Executes dropped EXE
images.exe

Reported IOCs

pid process

2008 images.exe

pid	process
2008	images.exe

Drops startup file

New Order.exe

Reported IOCs

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\programs.bat	New Order.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\programs.bat:start	New Order.exe

Loads dropped DLL
New Order.exe

Reported IOCs

pid process

1828 New Order.exe

pid	process
1828	New Order.exe

Adds Run key to start application

New Order.exe

TTPs

Registry Run Keys / Startup FolderModify Registry

Reported IOCs

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Images = "C:\\ProgramData\\images.exe"	New Order.exe

NTFS ADS
New Order.exe

Reported IOCs

description ioc process

File created C:\ProgramData:ApplicationData New Order.exe
Suspicious behavior: EnumeratesProcesses
powershell.exe

Reported IOCs

pid process

1984 powershell.exe
Suspicious use of AdjustPrivilegeToken
powershell.exe

Reported IOCs

description pid process

Token: SeDebugPrivilege 1984 powershell.exe

description	ioc	process
File created	C:\ProgramData:ApplicationData	New Order.exe

pid	process
1984	powershell.exe

description	pid	process
Token: SeDebugPrivilege	1984	powershell.exe

Suspicious use of WriteProcessMemory

New Order.exe

Reported IOCs

description	pid	process	target process
PID 1828 wrote to memory of 1984	1828	New Order.exe	powershell.exe
PID 1828 wrote to memory of 1984	1828	New Order.exe	powershell.exe
PID 1828 wrote to memory of 1984	1828	New Order.exe	powershell.exe
PID 1828 wrote to memory of 1984	1828	New Order.exe	powershell.exe
PID 1828 wrote to memory of 2008	1828	New Order.exe	images.exe
PID 1828 wrote to memory of 2008	1828	New Order.exe	images.exe
PID 1828 wrote to memory of 2008	1828	New Order.exe	images.exe
PID 1828 wrote to memory of 2008	1828	New Order.exe	images.exe

C:\Users\Admin\AppData\Local\Temp\New Order.exe

"C:\Users\Admin\AppData\Local\Temp\New Order.exe"

Drops startup file
Loads dropped DLL
Adds Run key to start application
NTFS ADS
Suspicious use of WriteProcessMemory

PID:1828

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell Add-MpPreference -ExclusionPath C:\

Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken

PID:1984

C:\ProgramData\images.exe

"C:\ProgramData\images.exe"

Executes dropped EXE

PID:2008

Collection

Command and Control

Credential Access

Defense Evasion

Modify Registry

Discovery

Execution

Exfiltration

Impact

Initial Access

Lateral Movement

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

00:00 00:00

C:\ProgramData
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\ProgramData\images.exe
MD5
fb5b35716632d1ec30f13ea6c1c8ac69

SHA1
c4a066ecb0e73b431561eb5f209af51e361f0467

SHA256
a33a4dcab1d0b4c87dc0041862aef871d365273a0baa94162ef4ff85af51c578

SHA512
c1028ab4f4830c1166ba393ac1fff986e6c6cb9ada84af54c707998342005297e3abb16129368c2420cecebd4877d11edc9dca1ed118eabe349521e58139245b

Download Submit
\ProgramData\images.exe
MD5
fb5b35716632d1ec30f13ea6c1c8ac69

SHA1
c4a066ecb0e73b431561eb5f209af51e361f0467

SHA256
a33a4dcab1d0b4c87dc0041862aef871d365273a0baa94162ef4ff85af51c578

SHA512
c1028ab4f4830c1166ba393ac1fff986e6c6cb9ada84af54c707998342005297e3abb16129368c2420cecebd4877d11edc9dca1ed118eabe349521e58139245b

Download Submit
memory/1828-54-0x0000000076851000-0x0000000076853000-memory.dmp

Download
memory/1828-61-0x00000000000F0000-0x00000000001F0000-memory.dmp

Download
memory/1828-55-0x0000000000810000-0x0000000000963000-memory.dmp

Download
memory/1984-62-0x0000000000000000-mapping.dmp

Download
memory/1984-68-0x0000000074940000-0x0000000074EEB000-memory.dmp

Download
memory/2008-66-0x0000000000000000-mapping.dmp

Download
memory/2008-70-0x00000000005F0000-0x0000000000743000-memory.dmp

Download

Extracted

Filter: none

Description

Tags

Tags

Reported IOCs

Reported IOCs

Reported IOCs

Reported IOCs

Tags

TTPs

Reported IOCs

Reported IOCs

Reported IOCs

Reported IOCs

Reported IOCs

Title