General

Target:     New Order.exe
Filesize:   1MB
Completed:  21-05-2022 18:41
Task:       behavioral1
Score:      10/10
MD5:        fb5b35716632d1ec30f13ea6c1c8ac69
SHA1:       c4a066ecb0e73b431561eb5f209af51e361f0467
SHA256:     a33a4dcab1d0b4c87dc0041862aef871d365273a0baa94162ef4ff85af51c578
SHA512:     c1028ab4f4830c1166ba393ac1fff986e6c6cb9ada84af54c707998342005297e3abb16129368c2420cecebd4877d11edc9dca1ed118eabe349521e58139245b

Malware Config

Extracted

Family:     warzonerat
C2:         79.134.225.40:5200

Signatures (10)

Tactics: Defense Evasion, Persistence
  • WarzoneRat, AveMaria

    Description

    WarzoneRat (also tracked as AveMaria) is a native RAT written in C++ that ships with multiple plugins and is sold as malware-as-a-service (MaaS).

  • Warzone RAT Payload

    Reported IOCs

    resource                                                                       yara_rule
    behavioral1/memory/1828-55-0x0000000000810000-0x0000000000963000-memory.dmp    warzonerat
    behavioral1/memory/1828-61-0x00000000000F0000-0x00000000001F0000-memory.dmp    warzonerat
    behavioral1/memory/2008-70-0x00000000005F0000-0x0000000000743000-memory.dmp    warzonerat
  • Executes dropped EXE
    images.exe

    Reported IOCs

    pid     process
    2008    images.exe
  • Drops startup file
    New Order.exe

    Reported IOCs

    description    ioc                                                                                               process
    File created   C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\programs.bat          New Order.exe
    File created   C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\programs.bat:start    New Order.exe

    The second entry is an NTFS alternate data stream named "start" attached to the dropped programs.bat; only the batch file itself is visible in a normal listing of the Startup folder.
  • Loads dropped DLL
    New Order.exe

    Reported IOCs

    pid     process
    1828    New Order.exe
  • Adds Run key to start application
    New Order.exe

    TTPs

    Registry Run Keys / Startup Folder
    Modify Registry

    Reported IOCs

    description        ioc                                                                                                             process
    Set value (str)    \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Images = "C:\\ProgramData\\images.exe"    New Order.exe

    This is a machine-wide (HKLM) Run value, so the dropped copy starts for every user who logs on. The Wow6432Node path, together with the PowerShell child launched from SysWOW64, shows the sample is a 32-bit process whose registry and file-system writes were redirected by WOW64 on the 64-bit sandbox. images.exe carries the same hashes as New Order.exe (see Downloads), so the persisted file is a straight copy of the original sample.
  • NTFS ADS
    New Order.exe

    Reported IOCs

    description    ioc                              process
    File created   C:\ProgramData:ApplicationData   New Order.exe

    A named stream "ApplicationData" is attached to the C:\ProgramData directory itself. Streams on a directory do not appear in a plain dir listing or in Explorer; dir /R or Get-Item -Stream * is needed to see them.
  • Suspicious behavior: EnumeratesProcesses
    powershell.exe

    Reported IOCs

    pid     process
    1984    powershell.exe
  • Suspicious use of AdjustPrivilegeToken
    powershell.exe

    Reported IOCs

    description                 pid     process
    Token: SeDebugPrivilege     1984    powershell.exe
  • Suspicious use of WriteProcessMemory
    New Order.exe

    Reported IOCs

    description                            pid     process          target process    events
    PID 1828 wrote to memory of 1984       1828    New Order.exe    powershell.exe    4
    PID 1828 wrote to memory of 2008       1828    New Order.exe    images.exe        4
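The persistence artefacts recorded in the signatures above (the HKLM Run value "Images", the Startup-folder programs.bat, and the alternate data streams on that file and on C:\ProgramData) can be hunted on a live host with the PowerShell below. It is an added example, not part of the sandbox report or of any vendor tooling: the value name, file name and paths are taken from the report, while the function name, its parameters and the choice to check every user profile and both registry views are this example's own.

```powershell
# Added example (not from the sandbox report): hunt a host for the persistence
# artefacts the behavioral1 task recorded. Defaults come from the report; the
# function name and parameters are assumptions of this example.
function Find-WarzonePersistence {
    [CmdletBinding()]
    param(
        [string]$RunValueName     = 'Images',
        [string]$StartupFileName  = 'programs.bat',
        [string]$AdsHostDirectory = 'C:\ProgramData'
    )
    $hits = New-Object System.Collections.Generic.List[object]

    # 1. Run keys. The sample wrote the 32-bit view (Wow6432Node); the value
    #    name is the IOC, so check the 64-bit view and the current user hive too.
    $runKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
    )
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        $value = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).$RunValueName
        if ($value) {
            $hits.Add([pscustomobject]@{ Type = 'RunKey'; Location = "$key\$RunValueName"; Detail = $value })
        }
    }

    # 2. Startup folders of every profile, not just the current user: the
    #    batch file lands in whichever profile opened the lure.
    $startupDirs = Get-ChildItem 'C:\Users' -Directory -ErrorAction SilentlyContinue |
        ForEach-Object { Join-Path $_.FullName 'AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup' }
    foreach ($dir in $startupDirs) {
        $bat = Join-Path $dir $StartupFileName
        if (-not (Test-Path $bat)) { continue }
        $hits.Add([pscustomobject]@{ Type = 'StartupFile'; Location = $bat;
                                     Detail = (Get-Content $bat -Raw -ErrorAction SilentlyContinue) })
        # The report shows a stream named "start" on this file; list every
        # stream except the default unnamed data stream (:$DATA).
        Get-Item -Path $bat -Stream * -ErrorAction SilentlyContinue |
            Where-Object { $_.Stream -ne ':$DATA' } |
            ForEach-Object {
                $hits.Add([pscustomobject]@{ Type = 'ADS'; Location = "${bat}:$($_.Stream)"; Detail = "$($_.Length) bytes" })
            }
    }

    # 3. Named streams on the ProgramData directory itself
    #    (the report's "C:\ProgramData:ApplicationData"). Get-Item -Stream
    #    accepts a directory path, and a directory has no unnamed stream, so
    #    anything returned here is an alternate data stream.
    Get-Item -Path $AdsHostDirectory -Stream * -ErrorAction SilentlyContinue |
        ForEach-Object {
            $hits.Add([pscustomobject]@{ Type = 'ADS'; Location = "${AdsHostDirectory}:$($_.Stream)"; Detail = "$($_.Length) bytes" })
        }

    return $hits
}

Find-WarzonePersistence | Format-Table -AutoSize
```

Run it from an elevated prompt so that other users' profiles and the HKLM hive are readable; an empty result on a clean host is expected, and on an infected one the Run value should point at the path the report shows, C:\ProgramData\images.exe.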
Processes (3)
  • C:\Users\Admin\AppData\Local\Temp\New Order.exe
    "C:\Users\Admin\AppData\Local\Temp\New Order.exe"
    Drops startup file
    Loads dropped DLL
    Adds Run key to start application
    NTFS ADS
    Suspicious use of WriteProcessMemory
    PID:1828
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell Add-MpPreference -ExclusionPath C:\
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1984
    • C:\ProgramData\images.exe
      "C:\ProgramData\images.exe"
      Executes dropped EXE
      PID:2008
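The child command line above, powershell Add-MpPreference -ExclusionPath C:\, excludes the whole system drive from Microsoft Defender scanning before the dropped copy in C:\ProgramData is executed. The PowerShell below is an added example, not part of the report or of any vendor tooling: it audits Get-MpPreference for drive-root and similarly broad path exclusions, optionally removes them, and pulls the Defender configuration-change events (event ID 5007 in the Defender operational log) that record when an exclusion was added. The function name, the -Remediate switch and the pattern list are assumptions of this example.

```powershell
# Added example (not from the sandbox report): find and remove over-broad
# Defender path exclusions such as the "C:\" this sample adds, and show the
# configuration-change events that logged them. Function name, switch and
# patterns are this example's own.
function Invoke-DefenderExclusionAudit {
    [CmdletBinding()]
    param(
        # Remove matching exclusions instead of only reporting them.
        [switch]$Remediate,
        # How far back to search the Defender operational log.
        [int]$Days = 7,
        # Regexes for exclusion paths too broad to be legitimate (assumption).
        [string[]]$BroadPatterns = @(
            '^[A-Za-z]:\\?$',                                # a whole drive, e.g. C:\
            '^[A-Za-z]:\\(Users|ProgramData|Windows)\\?$'    # a top-level system directory
        )
    )

    # Current exclusions; ExclusionPath is $null when none are configured.
    $prefs = Get-MpPreference
    $broad = foreach ($path in @($prefs.ExclusionPath)) {
        if ([string]::IsNullOrEmpty($path)) { continue }
        foreach ($pattern in $BroadPatterns) {
            if ($path -match $pattern) {
                [pscustomobject]@{ ExclusionPath = $path; Pattern = $pattern }
                break
            }
        }
    }

    if ($Remediate) {
        foreach ($hit in @($broad)) {
            # Needs an elevated prompt; tamper protection may also have to be
            # considered on managed hosts.
            Remove-MpPreference -ExclusionPath $hit.ExclusionPath
        }
    }

    # Event 5007 records every Defender configuration change and names the
    # registry value that changed, so filter on the Exclusions\Paths subkey.
    $events = Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-Windows Defender/Operational'
        Id        = 5007
        StartTime = (Get-Date).AddDays(-$Days)
    } -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match 'Exclusions\\Paths' } |
        Select-Object TimeCreated, Message

    [pscustomobject]@{
        BroadExclusions = @($broad)
        ExclusionEvents = @($events)
    }
}

$result = Invoke-DefenderExclusionAudit
$result.BroadExclusions | Format-Table -AutoSize
$result.ExclusionEvents | Format-List
# Invoke-DefenderExclusionAudit -Remediate   # run again with removal once reviewed
```

The 5007 event is worth collecting even where the exclusion has already been removed: its message carries the old and new value of the Exclusions\Paths entry and its timestamp places the change relative to the rest of the process tree, which is the evidence an incident timeline needs.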
Network
MITRE ATT&CK Matrix

The original page renders the matrix interactively with the tactic columns Collection, Command and Control, Credential Access, Defense Evasion, Discovery, Execution, Exfiltration, Impact, Initial Access, Lateral Movement and Privilege Escalation; the techniques the report maps for this task are the ones listed under TTPs above (Registry Run Keys / Startup Folder, Modify Registry).
Downloads

• C:\ProgramData
  MD5:     d41d8cd98f00b204e9800998ecf8427e
  SHA1:    da39a3ee5e6b4b0d3255bfef95601890afd80709
  SHA256:  e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
  SHA512:  cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
  These are the digests of zero-length content, so no data was captured for this entry.

• C:\ProgramData\images.exe (also recorded as \ProgramData\images.exe)
  MD5:     fb5b35716632d1ec30f13ea6c1c8ac69
  SHA1:    c4a066ecb0e73b431561eb5f209af51e361f0467
  SHA256:  a33a4dcab1d0b4c87dc0041862aef871d365273a0baa94162ef4ff85af51c578
  SHA512:  c1028ab4f4830c1166ba393ac1fff986e6c6cb9ada84af54c707998342005297e3abb16129368c2420cecebd4877d11edc9dca1ed118eabe349521e58139245b
  Identical to the hashes of New Order.exe in General: the dropped file is a byte-for-byte copy of the original sample, so one hash-based block covers both.

• memory/1828-54-0x0000000076851000-0x0000000076853000-memory.dmp
• memory/1828-61-0x00000000000F0000-0x00000000001F0000-memory.dmp
• memory/1828-55-0x0000000000810000-0x0000000000963000-memory.dmp
• memory/1984-62-0x0000000000000000-mapping.dmp
• memory/1984-68-0x0000000074940000-0x0000000074EEB000-memory.dmp
• memory/2008-66-0x0000000000000000-mapping.dmp
• memory/2008-70-0x00000000005F0000-0x0000000000743000-memory.dmp