warzonerat | 4f436211b94c438f60c480c12c562805fba77ea6f11f5d735b6b9753f8f1a2bd

Analysis

max time kernel
128s
max time network
143s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
14/09/2022, 06:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

SecuriteInfo.com.Win32.PWSX-gen.10392.exe
Size

859KB
MD5

52424c7aedb5c01a22c84a9f2e417b54
SHA1

e3a63a96409404211e5dca2988adc8d15735588c
SHA256

4f436211b94c438f60c480c12c562805fba77ea6f11f5d735b6b9753f8f1a2bd
SHA512

c768a60a61d4abd993cf512261421ac2cf4fdceaca684c66d31dad5a97adf79d59786c0e2dccbc9684b246289fe1219af1940c91fc856122b2a205cb06c632e0
SSDEEP

12288:GdV7uikFgZR+2ktZDSBkP0a9W+/iP3lSBOwsaLIwe5go6:KlubgqD3ca9S1SBPsLwe5a

Score

10^/10

warzonerat infostealer persistence rat

Malware Config

Extracted

Family

warzonerat

51.75.209.232:5200

Signatures

WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
rat infostealer warzonerat

Warzone RAT payload 9 IoCs

rat

resource	yara_rule
behavioral1/memory/1696-71-0x0000000000400000-0x0000000000554000-memory.dmp	warzonerat
behavioral1/memory/1696-72-0x0000000000400000-0x0000000000554000-memory.dmp	warzonerat
behavioral1/memory/1696-74-0x0000000000400000-0x0000000000554000-memory.dmp	warzonerat
behavioral1/memory/1696-75-0x0000000000400000-0x0000000000554000-memory.dmp	warzonerat
behavioral1/memory/1696-76-0x0000000000400000-0x0000000000554000-memory.dmp	warzonerat
behavioral1/memory/1696-77-0x0000000000405CE2-mapping.dmp	warzonerat
behavioral1/memory/1696-80-0x0000000000400000-0x0000000000554000-memory.dmp	warzonerat
behavioral1/memory/1696-83-0x0000000000400000-0x0000000000554000-memory.dmp	warzonerat
behavioral1/memory/1696-86-0x0000000000400000-0x0000000000554000-memory.dmp	warzonerat

Sets DLL path for service in the registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\TermService\Parameters\ServiceDll = "%ProgramFiles%\\Microsoft DN1\\sqlmap.dll"	SecuriteInfo.com.Win32.PWSX-gen.10392.exe

Loads dropped DLL 1 IoCs

pid	Process
1616	Process not Found

Modifies WinLogon 2 TTPs 4 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList	SecuriteInfo.com.Win32.PWSX-gen.10392.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts	SecuriteInfo.com.Win32.PWSX-gen.10392.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList\cAjxCaD = "0"	SecuriteInfo.com.Win32.PWSX-gen.10392.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\AllowMultipleTSSessions = "1"	SecuriteInfo.com.Win32.PWSX-gen.10392.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\System32\rfxvmt.dll	SecuriteInfo.com.Win32.PWSX-gen.10392.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1584 set thread context of 1696	1584	SecuriteInfo.com.Win32.PWSX-gen.10392.exe	32

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files\Microsoft DN1\sqlmap.dll	SecuriteInfo.com.Win32.PWSX-gen.10392.exe
File created	C:\Program Files\Microsoft DN1\rdpwrap.ini	SecuriteInfo.com.Win32.PWSX-gen.10392.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
1120	schtasks.exe

Suspicious behavior: EnumeratesProcesses 9 IoCs

pid	Process
1584	SecuriteInfo.com.Win32.PWSX-gen.10392.exe
1584	SecuriteInfo.com.Win32.PWSX-gen.10392.exe
1584	SecuriteInfo.com.Win32.PWSX-gen.10392.exe
1584	SecuriteInfo.com.Win32.PWSX-gen.10392.exe
1584	SecuriteInfo.com.Win32.PWSX-gen.10392.exe
1584	SecuriteInfo.com.Win32.PWSX-gen.10392.exe
1116	powershell.exe
1584	SecuriteInfo.com.Win32.PWSX-gen.10392.exe
1112	powershell.exe

Suspicious behavior: LoadsDriver 1 IoCs

pid	Process
1616	Process not Found

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	1584	SecuriteInfo.com.Win32.PWSX-gen.10392.exe
Token: SeDebugPrivilege	1116	powershell.exe
Token: SeDebugPrivilege	1112	powershell.exe
Token: SeDebugPrivilege	1696	SecuriteInfo.com.Win32.PWSX-gen.10392.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1584	SecuriteInfo.com.Win32.PWSX-gen.10392.exe

Suspicious use of SendNotifyMessage 1 IoCs

pid	Process
1584	SecuriteInfo.com.Win32.PWSX-gen.10392.exe

Suspicious use of WriteProcessMemory 27 IoCs

description	pid	Process	procid_target
PID 1584 wrote to memory of 1116	1584	SecuriteInfo.com.Win32.PWSX-gen.10392.exe	26
PID 1584 wrote to memory of 1116	1584	SecuriteInfo.com.Win32.PWSX-gen.10392.exe	26
PID 1584 wrote to memory of 1116	1584	SecuriteInfo.com.Win32.PWSX-gen.10392.exe	26
PID 1584 wrote to memory of 1116	1584	SecuriteInfo.com.Win32.PWSX-gen.10392.exe	26
PID 1584 wrote to memory of 1112	1584	SecuriteInfo.com.Win32.PWSX-gen.10392.exe	28
PID 1584 wrote to memory of 1112	1584	SecuriteInfo.com.Win32.PWSX-gen.10392.exe	28
PID 1584 wrote to memory of 1112	1584	SecuriteInfo.com.Win32.PWSX-gen.10392.exe	28
PID 1584 wrote to memory of 1112	1584	SecuriteInfo.com.Win32.PWSX-gen.10392.exe	28
PID 1584 wrote to memory of 1120	1584	SecuriteInfo.com.Win32.PWSX-gen.10392.exe	30
PID 1584 wrote to memory of 1120	1584	SecuriteInfo.com.Win32.PWSX-gen.10392.exe	30
PID 1584 wrote to memory of 1120	1584	SecuriteInfo.com.Win32.PWSX-gen.10392.exe	30
PID 1584 wrote to memory of 1120	1584	SecuriteInfo.com.Win32.PWSX-gen.10392.exe	30
PID 1584 wrote to memory of 1696	1584	SecuriteInfo.com.Win32.PWSX-gen.10392.exe	32
PID 1584 wrote to memory of 1696	1584	SecuriteInfo.com.Win32.PWSX-gen.10392.exe	32
PID 1584 wrote to memory of 1696	1584	SecuriteInfo.com.Win32.PWSX-gen.10392.exe	32
PID 1584 wrote to memory of 1696	1584	SecuriteInfo.com.Win32.PWSX-gen.10392.exe	32
PID 1584 wrote to memory of 1696	1584	SecuriteInfo.com.Win32.PWSX-gen.10392.exe	32
PID 1584 wrote to memory of 1696	1584	SecuriteInfo.com.Win32.PWSX-gen.10392.exe	32
PID 1584 wrote to memory of 1696	1584	SecuriteInfo.com.Win32.PWSX-gen.10392.exe	32
PID 1584 wrote to memory of 1696	1584	SecuriteInfo.com.Win32.PWSX-gen.10392.exe	32
PID 1584 wrote to memory of 1696	1584	SecuriteInfo.com.Win32.PWSX-gen.10392.exe	32
PID 1584 wrote to memory of 1696	1584	SecuriteInfo.com.Win32.PWSX-gen.10392.exe	32
PID 1584 wrote to memory of 1696	1584	SecuriteInfo.com.Win32.PWSX-gen.10392.exe	32
PID 1584 wrote to memory of 1696	1584	SecuriteInfo.com.Win32.PWSX-gen.10392.exe	32
PID 1584 wrote to memory of 1696	1584	SecuriteInfo.com.Win32.PWSX-gen.10392.exe	32
PID 1584 wrote to memory of 1696	1584	SecuriteInfo.com.Win32.PWSX-gen.10392.exe	32
PID 1584 wrote to memory of 1696	1584	SecuriteInfo.com.Win32.PWSX-gen.10392.exe	32

C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.10392.exe
"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.10392.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1584
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.10392.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1116
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\xodllINgY.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1112
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\xodllINgY" /XML "C:\Users\Admin\AppData\Local\Temp\tmp4A1B.tmp"
  2⤵
  - Creates scheduled task(s)
  PID:1120
- C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.10392.exe
  "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.10392.exe"
  2⤵
  - Sets DLL path for service in the registry
  - Modifies WinLogon
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Suspicious use of AdjustPrivilegeToken
  PID:1696

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Winlogon Helper DLL

T1004

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp4A1B.tmp

Filesize
1KB

MD5
1e1487b715999727726b951bd31da5a3

SHA1
7f65533006cb5991a125329ae4d176f79076663c

SHA256
d4d39284a52c6fc0d16eacad936a14578453ab4f8eef8955b26525ef6686671d

SHA512
e9d0e2fe7174bf31fb564670ac66217ed459c4dd99218377f99697cd77819d1dae2cbebf29032fb6d0327db6e505dcce673b6259e977fe004bed820b4c042e81

Download Submit
\Program Files\Microsoft DN1\sqlmap.dll

Filesize
114KB

MD5
461ade40b800ae80a40985594e1ac236

SHA1
b3892eef846c044a2b0785d54a432b3e93a968c8

SHA256
798af20db39280f90a1d35f2ac2c1d62124d1f5218a2a0fa29d87a13340bd3e4

SHA512
421f9060c4b61fa6f4074508602a2639209032fd5df5bfc702a159e3bad5479684ccb3f6e02f3e38fb8db53839cf3f41fe58a3acad6ec1199a48dc333b2d8a26

Download Submit
memory/1112-85-0x000000006EC30000-0x000000006F1DB000-memory.dmp

Filesize
5.7MB

Download
memory/1112-81-0x000000006EC30000-0x000000006F1DB000-memory.dmp

Filesize
5.7MB

Download
memory/1116-82-0x000000006EC30000-0x000000006F1DB000-memory.dmp

Filesize
5.7MB

Download
memory/1116-84-0x000000006EC30000-0x000000006F1DB000-memory.dmp

Filesize
5.7MB

Download
memory/1584-57-0x0000000000550000-0x000000000055C000-memory.dmp

Filesize
48KB

Download
memory/1584-65-0x0000000001030000-0x0000000001052000-memory.dmp

Filesize
136KB

Download
memory/1584-58-0x0000000005090000-0x000000000510C000-memory.dmp

Filesize
496KB

Download
memory/1584-54-0x00000000012F0000-0x00000000013CC000-memory.dmp

Filesize
880KB

Download
memory/1584-56-0x0000000000530000-0x0000000000546000-memory.dmp

Filesize
88KB

Download
memory/1584-55-0x0000000074BB1000-0x0000000074BB3000-memory.dmp

Filesize
8KB

Download
memory/1696-69-0x0000000000400000-0x0000000000554000-memory.dmp

Filesize
1.3MB

Download
memory/1696-75-0x0000000000400000-0x0000000000554000-memory.dmp

Filesize
1.3MB

Download
memory/1696-76-0x0000000000400000-0x0000000000554000-memory.dmp

Filesize
1.3MB

Download
memory/1696-80-0x0000000000400000-0x0000000000554000-memory.dmp

Filesize
1.3MB

Download
memory/1696-74-0x0000000000400000-0x0000000000554000-memory.dmp

Filesize
1.3MB

Download
memory/1696-72-0x0000000000400000-0x0000000000554000-memory.dmp

Filesize
1.3MB

Download
memory/1696-83-0x0000000000400000-0x0000000000554000-memory.dmp

Filesize
1.3MB

Download
memory/1696-71-0x0000000000400000-0x0000000000554000-memory.dmp

Filesize
1.3MB

Download
memory/1696-67-0x0000000000400000-0x0000000000554000-memory.dmp

Filesize
1.3MB

Download
memory/1696-86-0x0000000000400000-0x0000000000554000-memory.dmp

Filesize
1.3MB

Download
memory/1696-66-0x0000000000400000-0x0000000000554000-memory.dmp

Filesize
1.3MB

Download