warzonerat | b4b14f0512858ecd957152f6f21d06070ad3f371206568871d0f92d5a41ecd83

General

Target

cargo documents.pdf.exe
Size

183KB
MD5

f0bec0deb10b8bc59a5b2d207b4cdeef
SHA1

452b936847f131abd4b872815ab35c9b9bcd9cbb
SHA256

b4b14f0512858ecd957152f6f21d06070ad3f371206568871d0f92d5a41ecd83
SHA512

a57437bba1a5b9bb8ce2754290e80a5ed78adb8a8017305fe30ac1a7a95c5480fd771a7b35ccd048d17dba2409f74e8c407523a0f0aa61559392c4f0fc95164e

Score

10^/10

warzonerat infostealer persistence rat suricata upx

Malware Config

Extracted

Family

warzonerat

C2

udooiuyt.dynamic-dns.net:5200

Signatures

WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
rat infostealer warzonerat
suricata: ET MALWARE Ave Maria/Warzone RAT Encrypted CnC Checkin
suricata: ET MALWARE Ave Maria/Warzone RAT Encrypted CnC Checkin
suricata
suricata: ET MALWARE Ave Maria/Warzone RAT Encrypted CnC Checkin (Inbound)
suricata: ET MALWARE Ave Maria/Warzone RAT Encrypted CnC Checkin (Inbound)
suricata

Warzone RAT Payload 3 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/1156-56-0x0000000000550000-0x00000000006A4000-memory.dmp	warzonerat
behavioral1/memory/1156-62-0x0000000001ED0000-0x00000000028D0000-memory.dmp	warzonerat
behavioral1/memory/1904-94-0x0000000002890000-0x00000000029E4000-memory.dmp	warzonerat

Executes dropped EXE 1 IoCs

Processes:

images.exe

pid process

1904 images.exe

pid	process
1904	images.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/1156-55-0x0000000000400000-0x0000000000544000-memory.dmp	upx
\ProgramData\images.exe	upx
C:\ProgramData\images.exe	upx
behavioral1/memory/1904-69-0x0000000000400000-0x0000000000544000-memory.dmp	upx
C:\ProgramData\images.exe	upx

Loads dropped DLL 1 IoCs

Processes:

cargo documents.pdf.exe

pid process

1156 cargo documents.pdf.exe

pid	process
1156	cargo documents.pdf.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

cargo documents.pdf.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Images = "C:\\ProgramData\\images.exe"	cargo documents.pdf.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

powershell.exepowershell.exe

pid process

2016 powershell.exe
1664 powershell.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

powershell.exepowershell.exe

description pid process

Token: SeDebugPrivilege 2016 powershell.exe
Token: SeDebugPrivilege 1664 powershell.exe

pid	process
2016	powershell.exe
1664	powershell.exe

description	pid	process
Token: SeDebugPrivilege	2016	powershell.exe
Token: SeDebugPrivilege	1664	powershell.exe

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

cargo documents.pdf.exeimages.exe

description	pid	process	target process
PID 1156 wrote to memory of 2016	1156	cargo documents.pdf.exe	powershell.exe
PID 1156 wrote to memory of 2016	1156	cargo documents.pdf.exe	powershell.exe
PID 1156 wrote to memory of 2016	1156	cargo documents.pdf.exe	powershell.exe
PID 1156 wrote to memory of 2016	1156	cargo documents.pdf.exe	powershell.exe
PID 1156 wrote to memory of 1904	1156	cargo documents.pdf.exe	images.exe
PID 1156 wrote to memory of 1904	1156	cargo documents.pdf.exe	images.exe
PID 1156 wrote to memory of 1904	1156	cargo documents.pdf.exe	images.exe
PID 1156 wrote to memory of 1904	1156	cargo documents.pdf.exe	images.exe
PID 1904 wrote to memory of 1664	1904	images.exe	powershell.exe
PID 1904 wrote to memory of 1664	1904	images.exe	powershell.exe
PID 1904 wrote to memory of 1664	1904	images.exe	powershell.exe
PID 1904 wrote to memory of 1664	1904	images.exe	powershell.exe
PID 1904 wrote to memory of 1056	1904	images.exe	cmd.exe
PID 1904 wrote to memory of 1056	1904	images.exe	cmd.exe
PID 1904 wrote to memory of 1056	1904	images.exe	cmd.exe
PID 1904 wrote to memory of 1056	1904	images.exe	cmd.exe
PID 1904 wrote to memory of 1056	1904	images.exe	cmd.exe
PID 1904 wrote to memory of 1056	1904	images.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\cargo documents.pdf.exe
"C:\Users\Admin\AppData\Local\Temp\cargo documents.pdf.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1156

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell Add-MpPreference -ExclusionPath C:\
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2016

C:\ProgramData\images.exe
"C:\ProgramData\images.exe"
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1904

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell Add-MpPreference -ExclusionPath C:\
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1664

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe"
3⤵
PID:1056

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\images.exe
Filesize
183KB

MD5
f0bec0deb10b8bc59a5b2d207b4cdeef

SHA1
452b936847f131abd4b872815ab35c9b9bcd9cbb

SHA256
b4b14f0512858ecd957152f6f21d06070ad3f371206568871d0f92d5a41ecd83

SHA512
a57437bba1a5b9bb8ce2754290e80a5ed78adb8a8017305fe30ac1a7a95c5480fd771a7b35ccd048d17dba2409f74e8c407523a0f0aa61559392c4f0fc95164e

Download Submit
C:\ProgramData\images.exe
Filesize
183KB

MD5
f0bec0deb10b8bc59a5b2d207b4cdeef

SHA1
452b936847f131abd4b872815ab35c9b9bcd9cbb

SHA256
b4b14f0512858ecd957152f6f21d06070ad3f371206568871d0f92d5a41ecd83

SHA512
a57437bba1a5b9bb8ce2754290e80a5ed78adb8a8017305fe30ac1a7a95c5480fd771a7b35ccd048d17dba2409f74e8c407523a0f0aa61559392c4f0fc95164e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
Filesize
7KB

MD5
6892789f214cfb36a75170a07817f468

SHA1
4cfb4656786753fca317bc5d4cf0c1aefd1a930d

SHA256
222ac0dad75d1d1b8d5d6cd17ccb815cbeb9f1f93d70dbb380b036623277130e

SHA512
47401e02885de46671026c03961d935955516fcaba43e2963032eb533596ddfa74c194c651c6af3a2308f9333367b55eb743a4fa836c576bc59442f99f6c0910

Download Submit
\ProgramData\images.exe
Filesize
183KB

MD5
f0bec0deb10b8bc59a5b2d207b4cdeef

SHA1
452b936847f131abd4b872815ab35c9b9bcd9cbb

SHA256
b4b14f0512858ecd957152f6f21d06070ad3f371206568871d0f92d5a41ecd83

SHA512
a57437bba1a5b9bb8ce2754290e80a5ed78adb8a8017305fe30ac1a7a95c5480fd771a7b35ccd048d17dba2409f74e8c407523a0f0aa61559392c4f0fc95164e

Download Submit
memory/1056-103-0x0000000000000000-mapping.dmp

Download
memory/1056-121-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download
memory/1156-54-0x0000000074DC1000-0x0000000074DC3000-memory.dmp

Filesize
8KB

Download
memory/1156-55-0x0000000000400000-0x0000000000544000-memory.dmp

Filesize
1.3MB

Download
memory/1156-56-0x0000000000550000-0x00000000006A4000-memory.dmp

Filesize
1.3MB

Download
memory/1156-62-0x0000000001ED0000-0x00000000028D0000-memory.dmp

Filesize
10.0MB

Download
memory/1664-109-0x0000000072D70000-0x0000000072FA5000-memory.dmp

Filesize
2.2MB

Download
memory/1664-105-0x0000000073A90000-0x000000007403B000-memory.dmp

Filesize
5.7MB

Download
memory/1664-114-0x0000000072CD0000-0x0000000072D6C000-memory.dmp

Filesize
624KB

Download
memory/1664-115-0x0000000071730000-0x00000000718CE000-memory.dmp

Filesize
1.6MB

Download
memory/1664-111-0x0000000073A40000-0x0000000073A8B000-memory.dmp

Filesize
300KB

Download
memory/1664-116-0x0000000071660000-0x0000000071723000-memory.dmp

Filesize
780KB

Download
memory/1664-117-0x0000000073A10000-0x0000000073A3D000-memory.dmp

Filesize
180KB

Download
memory/1664-118-0x0000000071010000-0x0000000071114000-memory.dmp

Filesize
1.0MB

Download
memory/1664-120-0x0000000070890000-0x0000000070EE1000-memory.dmp

Filesize
6.3MB

Download
memory/1664-119-0x0000000070EF0000-0x0000000071004000-memory.dmp

Filesize
1.1MB

Download
memory/1664-112-0x0000000074120000-0x0000000074145000-memory.dmp

Filesize
148KB

Download
memory/1664-122-0x0000000071120000-0x0000000071656000-memory.dmp

Filesize
5.2MB

Download
memory/1664-110-0x00000000718D0000-0x000000007214A000-memory.dmp

Filesize
8.5MB

Download
memory/1664-108-0x0000000074480000-0x0000000074501000-memory.dmp

Filesize
516KB

Download
memory/1664-107-0x0000000072FB0000-0x000000007374C000-memory.dmp

Filesize
7.6MB

Download
memory/1664-106-0x0000000072150000-0x0000000072C48000-memory.dmp

Filesize
11.0MB

Download
memory/1664-113-0x0000000073780000-0x0000000073805000-memory.dmp

Filesize
532KB

Download
memory/1664-101-0x0000000000000000-mapping.dmp

Download
memory/1904-65-0x0000000000000000-mapping.dmp

Download
memory/1904-69-0x0000000000400000-0x0000000000544000-memory.dmp

Filesize
1.3MB

Download
memory/1904-94-0x0000000002890000-0x00000000029E4000-memory.dmp

Filesize
1.3MB

Download
memory/2016-75-0x00000000741E0000-0x0000000074415000-memory.dmp

Filesize
2.2MB

Download
memory/2016-93-0x00000000724B0000-0x0000000072C4C000-memory.dmp

Filesize
7.6MB

Download
memory/2016-92-0x0000000073BB0000-0x000000007415B000-memory.dmp

Filesize
5.7MB

Download
memory/2016-91-0x00000000717A0000-0x000000007193E000-memory.dmp

Filesize
1.6MB

Download
memory/2016-90-0x0000000073B20000-0x0000000073BA5000-memory.dmp

Filesize
532KB

Download
memory/2016-89-0x0000000070900000-0x0000000070F51000-memory.dmp

Filesize
6.3MB

Download
memory/2016-88-0x0000000071940000-0x00000000721BA000-memory.dmp

Filesize
8.5MB

Download
memory/2016-87-0x0000000074570000-0x00000000745F1000-memory.dmp

Filesize
516KB

Download
memory/2016-86-0x0000000071190000-0x00000000716C6000-memory.dmp

Filesize
5.2MB

Download
memory/2016-85-0x0000000072C50000-0x0000000073748000-memory.dmp

Filesize
11.0MB

Download
memory/2016-84-0x00000000741B0000-0x00000000741DD000-memory.dmp

Filesize
180KB

Download
memory/2016-83-0x0000000070F60000-0x0000000071074000-memory.dmp

Filesize
1.1MB

Download
memory/2016-82-0x0000000071080000-0x0000000071184000-memory.dmp

Filesize
1.0MB

Download
memory/2016-81-0x00000000716D0000-0x0000000071793000-memory.dmp

Filesize
780KB

Download
memory/2016-80-0x00000000717A0000-0x000000007193E000-memory.dmp

Filesize
1.6MB

Download
memory/2016-79-0x0000000073A80000-0x0000000073B1C000-memory.dmp

Filesize
624KB

Download
memory/2016-78-0x0000000073B20000-0x0000000073BA5000-memory.dmp

Filesize
532KB

Download
memory/2016-77-0x00000000744B0000-0x00000000744D5000-memory.dmp

Filesize
148KB

Download
memory/2016-76-0x0000000074520000-0x000000007456B000-memory.dmp

Filesize
300KB

Download
memory/2016-74-0x0000000071940000-0x00000000721BA000-memory.dmp

Filesize
8.5MB

Download
memory/2016-73-0x0000000074570000-0x00000000745F1000-memory.dmp

Filesize
516KB

Download
memory/2016-72-0x00000000724B0000-0x0000000072C4C000-memory.dmp

Filesize
7.6MB

Download
memory/2016-71-0x0000000072C50000-0x0000000073748000-memory.dmp

Filesize
11.0MB

Download
memory/2016-70-0x0000000073BB0000-0x000000007415B000-memory.dmp

Filesize
5.7MB

Download
memory/2016-63-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads