warzonerat | b4b14f0512858ecd957152f6f21d06070ad3f371206568871d0f92d5a41ecd83

General

Target

cargo documents.pdf.exe
Size

183KB
MD5

f0bec0deb10b8bc59a5b2d207b4cdeef
SHA1

452b936847f131abd4b872815ab35c9b9bcd9cbb
SHA256

b4b14f0512858ecd957152f6f21d06070ad3f371206568871d0f92d5a41ecd83
SHA512

a57437bba1a5b9bb8ce2754290e80a5ed78adb8a8017305fe30ac1a7a95c5480fd771a7b35ccd048d17dba2409f74e8c407523a0f0aa61559392c4f0fc95164e

Score

10^/10

warzonerat infostealer persistence rat suricata upx

Malware Config

Extracted

Family

warzonerat

C2

udooiuyt.dynamic-dns.net:5200

Signatures

WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
rat infostealer warzonerat
suricata: ET MALWARE Ave Maria/Warzone RAT Encrypted CnC Checkin
suricata: ET MALWARE Ave Maria/Warzone RAT Encrypted CnC Checkin
suricata
suricata: ET MALWARE Ave Maria/Warzone RAT Encrypted CnC Checkin (Inbound)
suricata: ET MALWARE Ave Maria/Warzone RAT Encrypted CnC Checkin (Inbound)
suricata

Warzone RAT Payload 3 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/3472-131-0x0000000002E40000-0x0000000002F94000-memory.dmp	warzonerat
behavioral2/memory/3472-137-0x0000000002440000-0x0000000002E40000-memory.dmp	warzonerat
behavioral2/memory/4496-159-0x0000000002CE0000-0x0000000002E34000-memory.dmp	warzonerat

Executes dropped EXE 1 IoCs

Processes:

images.exe

pid process

4496 images.exe

pid	process
4496	images.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/3472-130-0x0000000000400000-0x0000000000544000-memory.dmp	upx
C:\ProgramData\images.exe	upx
C:\ProgramData\images.exe	upx
behavioral2/memory/4496-142-0x0000000000400000-0x0000000000544000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

cargo documents.pdf.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Images = "C:\\ProgramData\\images.exe"	cargo documents.pdf.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

powershell.exepowershell.exe

pid process

4500 powershell.exe
4500 powershell.exe
32 powershell.exe
32 powershell.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

powershell.exepowershell.exe

description pid process

Token: SeDebugPrivilege 4500 powershell.exe
Token: SeDebugPrivilege 32 powershell.exe

pid	process
4500	powershell.exe
4500	powershell.exe
32	powershell.exe
32	powershell.exe

description	pid	process
Token: SeDebugPrivilege	4500	powershell.exe
Token: SeDebugPrivilege	32	powershell.exe

Suspicious use of WriteProcessMemory 14 IoCs

Processes:

cargo documents.pdf.exeimages.exe

description	pid	process	target process
PID 3472 wrote to memory of 4500	3472	cargo documents.pdf.exe	powershell.exe
PID 3472 wrote to memory of 4500	3472	cargo documents.pdf.exe	powershell.exe
PID 3472 wrote to memory of 4500	3472	cargo documents.pdf.exe	powershell.exe
PID 3472 wrote to memory of 4496	3472	cargo documents.pdf.exe	images.exe
PID 3472 wrote to memory of 4496	3472	cargo documents.pdf.exe	images.exe
PID 3472 wrote to memory of 4496	3472	cargo documents.pdf.exe	images.exe
PID 4496 wrote to memory of 32	4496	images.exe	powershell.exe
PID 4496 wrote to memory of 32	4496	images.exe	powershell.exe
PID 4496 wrote to memory of 32	4496	images.exe	powershell.exe
PID 4496 wrote to memory of 4124	4496	images.exe	cmd.exe
PID 4496 wrote to memory of 4124	4496	images.exe	cmd.exe
PID 4496 wrote to memory of 4124	4496	images.exe	cmd.exe
PID 4496 wrote to memory of 4124	4496	images.exe	cmd.exe
PID 4496 wrote to memory of 4124	4496	images.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\cargo documents.pdf.exe
"C:\Users\Admin\AppData\Local\Temp\cargo documents.pdf.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3472

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell Add-MpPreference -ExclusionPath C:\
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4500

C:\ProgramData\images.exe
"C:\ProgramData\images.exe"
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4496

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell Add-MpPreference -ExclusionPath C:\
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:32

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe"
3⤵
PID:4124

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\images.exe
Filesize
183KB

MD5
f0bec0deb10b8bc59a5b2d207b4cdeef

SHA1
452b936847f131abd4b872815ab35c9b9bcd9cbb

SHA256
b4b14f0512858ecd957152f6f21d06070ad3f371206568871d0f92d5a41ecd83

SHA512
a57437bba1a5b9bb8ce2754290e80a5ed78adb8a8017305fe30ac1a7a95c5480fd771a7b35ccd048d17dba2409f74e8c407523a0f0aa61559392c4f0fc95164e

Download Submit
C:\ProgramData\images.exe
Filesize
183KB

MD5
f0bec0deb10b8bc59a5b2d207b4cdeef

SHA1
452b936847f131abd4b872815ab35c9b9bcd9cbb

SHA256
b4b14f0512858ecd957152f6f21d06070ad3f371206568871d0f92d5a41ecd83

SHA512
a57437bba1a5b9bb8ce2754290e80a5ed78adb8a8017305fe30ac1a7a95c5480fd771a7b35ccd048d17dba2409f74e8c407523a0f0aa61559392c4f0fc95164e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
Filesize
2KB

MD5
968cb9309758126772781b83adb8a28f

SHA1
8da30e71accf186b2ba11da1797cf67f8f78b47c

SHA256
92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a

SHA512
4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
18KB

MD5
bb467b2d713da20b76e7a7625dd34291

SHA1
9af8892ea2cb9fee9668ebe972ef52755820c61a

SHA256
b28ecffd5fee362cbbbda7168ff8975679f9a0e3df43059328cd4447fb5d4f3e

SHA512
5661252486fb07cdf3b71bfe91ef601b5645721263d8ffbe880c216e0c16d1df123951ff0c3d4d4dd37e38f62633962886c7e8dbada7a1886bd52ddadba0c4c7

Download Submit
memory/32-170-0x0000000070860000-0x00000000708AC000-memory.dmp

Filesize
304KB

Download
memory/32-165-0x0000000000000000-mapping.dmp

Download
memory/3472-137-0x0000000002440000-0x0000000002E40000-memory.dmp

Filesize
10.0MB

Download
memory/3472-130-0x0000000000400000-0x0000000000544000-memory.dmp

Filesize
1.3MB

Download
memory/3472-131-0x0000000002E40000-0x0000000002F94000-memory.dmp

Filesize
1.3MB

Download
memory/4124-169-0x0000000001200000-0x0000000001201000-memory.dmp

Filesize
4KB

Download
memory/4124-166-0x0000000000000000-mapping.dmp

Download
memory/4496-139-0x0000000000000000-mapping.dmp

Download
memory/4496-142-0x0000000000400000-0x0000000000544000-memory.dmp

Filesize
1.3MB

Download
memory/4496-159-0x0000000002CE0000-0x0000000002E34000-memory.dmp

Filesize
1.3MB

Download
memory/4500-149-0x0000000006830000-0x0000000006862000-memory.dmp

Filesize
200KB

Download
memory/4500-158-0x0000000007890000-0x0000000007898000-memory.dmp

Filesize
32KB

Download
memory/4500-151-0x0000000006810000-0x000000000682E000-memory.dmp

Filesize
120KB

Download
memory/4500-152-0x0000000007BB0000-0x000000000822A000-memory.dmp

Filesize
6.5MB

Download
memory/4500-153-0x0000000007570000-0x000000000758A000-memory.dmp

Filesize
104KB

Download
memory/4500-154-0x00000000075E0000-0x00000000075EA000-memory.dmp

Filesize
40KB

Download
memory/4500-155-0x00000000077F0000-0x0000000007886000-memory.dmp

Filesize
600KB

Download
memory/4500-156-0x00000000077A0000-0x00000000077AE000-memory.dmp

Filesize
56KB

Download
memory/4500-157-0x00000000078B0000-0x00000000078CA000-memory.dmp

Filesize
104KB

Download
memory/4500-150-0x0000000075010000-0x000000007505C000-memory.dmp

Filesize
304KB

Download
memory/4500-148-0x0000000006260000-0x000000000627E000-memory.dmp

Filesize
120KB

Download
memory/4500-147-0x0000000005C60000-0x0000000005CC6000-memory.dmp

Filesize
408KB

Download
memory/4500-146-0x0000000005B80000-0x0000000005BE6000-memory.dmp

Filesize
408KB

Download
memory/4500-145-0x00000000052B0000-0x00000000052D2000-memory.dmp

Filesize
136KB

Download
memory/4500-144-0x00000000054E0000-0x0000000005B08000-memory.dmp

Filesize
6.2MB

Download
memory/4500-143-0x00000000029B0000-0x00000000029E6000-memory.dmp

Filesize
216KB

Download
memory/4500-138-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads