warzonerat | 5cbb2697a315b04b71fd3f5e5b13122827bef573869fe0d594de05e42db9f7f9

Analysis

max time kernel
149s
max time network
153s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
11/10/2022, 19:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

BFM-720-7388372883783888278.scr.exe
Size

265KB
MD5

df1fc07a0fc0ce859dbda2390519a8f0
SHA1

2aada949aa95b49f3663530960b7281b33ce9d5f
SHA256

5cbb2697a315b04b71fd3f5e5b13122827bef573869fe0d594de05e42db9f7f9
SHA512

344172221ea164f19d54b0735447c4eae20468d080b5564e22d3856b8448b4380f30046caf495f3724d415806cfa897971d0970d3357735b2ce2a6cc26afde0d
SSDEEP

6144:RNeZK0ylr/28KYKjWeHlYznEy/meM22Rv3A2oLB8W54ESaAOp5EzWu:RNxcJjWeHWLEqFH2WB8cTSaAOp5Ez

Score

10^/10

warzonerat infostealer persistence rat

Malware Config

Signatures

WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
rat infostealer warzonerat

Executes dropped EXE 2 IoCs

pid	Process
912	ubyfzryp.exe
800	imaAQges.exe

Loads dropped DLL 5 IoCs

pid	Process
1128	BFM-720-7388372883783888278.scr.exe
912	ubyfzryp.exe
836	ubyfzryp.exe
836	ubyfzryp.exe
692	imaAQges.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Images = "C:\\ProgramData\\imaAQges.exe"	ubyfzryp.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 912 set thread context of 836	912	ubyfzryp.exe	28
PID 800 set thread context of 692	800	imaAQges.exe	30

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 1128 wrote to memory of 912	1128	BFM-720-7388372883783888278.scr.exe	27
PID 1128 wrote to memory of 912	1128	BFM-720-7388372883783888278.scr.exe	27
PID 1128 wrote to memory of 912	1128	BFM-720-7388372883783888278.scr.exe	27
PID 1128 wrote to memory of 912	1128	BFM-720-7388372883783888278.scr.exe	27
PID 912 wrote to memory of 836	912	ubyfzryp.exe	28
PID 912 wrote to memory of 836	912	ubyfzryp.exe	28
PID 912 wrote to memory of 836	912	ubyfzryp.exe	28
PID 912 wrote to memory of 836	912	ubyfzryp.exe	28
PID 912 wrote to memory of 836	912	ubyfzryp.exe	28
PID 836 wrote to memory of 800	836	ubyfzryp.exe	29
PID 836 wrote to memory of 800	836	ubyfzryp.exe	29
PID 836 wrote to memory of 800	836	ubyfzryp.exe	29
PID 836 wrote to memory of 800	836	ubyfzryp.exe	29
PID 800 wrote to memory of 692	800	imaAQges.exe	30
PID 800 wrote to memory of 692	800	imaAQges.exe	30
PID 800 wrote to memory of 692	800	imaAQges.exe	30
PID 800 wrote to memory of 692	800	imaAQges.exe	30
PID 800 wrote to memory of 692	800	imaAQges.exe	30

C:\Users\Admin\AppData\Local\Temp\BFM-720-7388372883783888278.scr.exe
"C:\Users\Admin\AppData\Local\Temp\BFM-720-7388372883783888278.scr.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1128
- C:\Users\Admin\AppData\Local\Temp\ubyfzryp.exe
  "C:\Users\Admin\AppData\Local\Temp\ubyfzryp.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:912
- - C:\Users\Admin\AppData\Local\Temp\ubyfzryp.exe
    "C:\Users\Admin\AppData\Local\Temp\ubyfzryp.exe"
    3⤵
    - Loads dropped DLL
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:836
  - - C:\ProgramData\imaAQges.exe
      "C:\ProgramData\imaAQges.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious use of WriteProcessMemory
      PID:800
    - - C:\ProgramData\imaAQges.exe
        
        "C:\ProgramData\imaAQges.exe"
        5⤵
        Loads dropped DLL
        
        PID:692

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\imaAQges.exe

Filesize
124KB

MD5
174738bf752b5823885e9cadbcc9c0ae

SHA1
fdc1fdceb5e8c653616a722ae28ec37bfa9a8c6d

SHA256
5227385027f87182e37a4e120f24ff48395653e927bb7e0bffc9f4f75ec36039

SHA512
03075b57c6e23006e1ac6652921281e161a00bf3469ae269d2195f6acd4b953eafdf7915a166fa52d17b0b89f900a794606fd061efc721106753371264125112

Download Submit
C:\ProgramData\imaAQges.exe

Filesize
124KB

MD5
174738bf752b5823885e9cadbcc9c0ae

SHA1
fdc1fdceb5e8c653616a722ae28ec37bfa9a8c6d

SHA256
5227385027f87182e37a4e120f24ff48395653e927bb7e0bffc9f4f75ec36039

SHA512
03075b57c6e23006e1ac6652921281e161a00bf3469ae269d2195f6acd4b953eafdf7915a166fa52d17b0b89f900a794606fd061efc721106753371264125112

Download Submit
C:\ProgramData\imaAQges.exe

Filesize
124KB

MD5
174738bf752b5823885e9cadbcc9c0ae

SHA1
fdc1fdceb5e8c653616a722ae28ec37bfa9a8c6d

SHA256
5227385027f87182e37a4e120f24ff48395653e927bb7e0bffc9f4f75ec36039

SHA512
03075b57c6e23006e1ac6652921281e161a00bf3469ae269d2195f6acd4b953eafdf7915a166fa52d17b0b89f900a794606fd061efc721106753371264125112

Download Submit
C:\Users\Admin\AppData\Local\Temp\ubyfzryp.exe

Filesize
124KB

MD5
174738bf752b5823885e9cadbcc9c0ae

SHA1
fdc1fdceb5e8c653616a722ae28ec37bfa9a8c6d

SHA256
5227385027f87182e37a4e120f24ff48395653e927bb7e0bffc9f4f75ec36039

SHA512
03075b57c6e23006e1ac6652921281e161a00bf3469ae269d2195f6acd4b953eafdf7915a166fa52d17b0b89f900a794606fd061efc721106753371264125112

Download Submit
C:\Users\Admin\AppData\Local\Temp\ubyfzryp.exe

Filesize
124KB

MD5
174738bf752b5823885e9cadbcc9c0ae

SHA1
fdc1fdceb5e8c653616a722ae28ec37bfa9a8c6d

SHA256
5227385027f87182e37a4e120f24ff48395653e927bb7e0bffc9f4f75ec36039

SHA512
03075b57c6e23006e1ac6652921281e161a00bf3469ae269d2195f6acd4b953eafdf7915a166fa52d17b0b89f900a794606fd061efc721106753371264125112

Download Submit
C:\Users\Admin\AppData\Local\Temp\ubyfzryp.exe

Filesize
124KB

MD5
174738bf752b5823885e9cadbcc9c0ae

SHA1
fdc1fdceb5e8c653616a722ae28ec37bfa9a8c6d

SHA256
5227385027f87182e37a4e120f24ff48395653e927bb7e0bffc9f4f75ec36039

SHA512
03075b57c6e23006e1ac6652921281e161a00bf3469ae269d2195f6acd4b953eafdf7915a166fa52d17b0b89f900a794606fd061efc721106753371264125112

Download Submit
C:\Users\Admin\AppData\Local\Temp\vrqmd.ilx

Filesize
4KB

MD5
45bccdaed105411e5b0c06defa795a3d

SHA1
4e999cd47123fe757bb70bd23cd778e6e5d6f62a

SHA256
2ab6d27e5c0f138b55f330726969614a85dd584493691da5630297e34aaa236e

SHA512
968668f1efb1d43252067a73a822c7cb5b9c36564ad224e620da13155a973fca82173ebf68df15c56a9fbc289ea2c1cbeb9e69f3cfa5e34329ac699d9ea99296

Download Submit
C:\Users\Admin\AppData\Local\Temp\xnbegjw.j

Filesize
113KB

MD5
4954ddac3697515fd0e05f28a0d5948b

SHA1
96ea5ea350ea4fdbb8e009114168b8f41a50e22b

SHA256
393893c1e6efdce4f9947f64d863a57cdf80e9989db06fa08cef3d11fcaf0d3f

SHA512
1b1a2ce09a9fcba1fffa75a66f73362fd150fa7be2dd0908dfa5ea7a72e5cb62c5c89ad661ba246466931b7192dc121e1b0181a4f01e0d3bac68f7858b954c03

Download Submit
\ProgramData\imaAQges.exe

Filesize
124KB

MD5
174738bf752b5823885e9cadbcc9c0ae

SHA1
fdc1fdceb5e8c653616a722ae28ec37bfa9a8c6d

SHA256
5227385027f87182e37a4e120f24ff48395653e927bb7e0bffc9f4f75ec36039

SHA512
03075b57c6e23006e1ac6652921281e161a00bf3469ae269d2195f6acd4b953eafdf7915a166fa52d17b0b89f900a794606fd061efc721106753371264125112

Download Submit
\Users\Admin\AppData\Local\Temp\ubyfzryp.exe

Filesize
124KB

MD5
174738bf752b5823885e9cadbcc9c0ae

SHA1
fdc1fdceb5e8c653616a722ae28ec37bfa9a8c6d

SHA256
5227385027f87182e37a4e120f24ff48395653e927bb7e0bffc9f4f75ec36039

SHA512
03075b57c6e23006e1ac6652921281e161a00bf3469ae269d2195f6acd4b953eafdf7915a166fa52d17b0b89f900a794606fd061efc721106753371264125112

Download Submit
\Users\Admin\AppData\Local\Temp\ubyfzryp.exe

Filesize
124KB

MD5
174738bf752b5823885e9cadbcc9c0ae

SHA1
fdc1fdceb5e8c653616a722ae28ec37bfa9a8c6d

SHA256
5227385027f87182e37a4e120f24ff48395653e927bb7e0bffc9f4f75ec36039

SHA512
03075b57c6e23006e1ac6652921281e161a00bf3469ae269d2195f6acd4b953eafdf7915a166fa52d17b0b89f900a794606fd061efc721106753371264125112

Download Submit
memory/1128-54-0x0000000076961000-0x0000000076963000-memory.dmp

Filesize
8KB

Download