warzonerat | 5cbb2697a315b04b71fd3f5e5b13122827bef573869fe0d594de05e42db9f7f9

Analysis

max time kernel
148s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
11/10/2022, 19:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

BFM-720-7388372883783888278.scr.exe
Size

265KB
MD5

df1fc07a0fc0ce859dbda2390519a8f0
SHA1

2aada949aa95b49f3663530960b7281b33ce9d5f
SHA256

5cbb2697a315b04b71fd3f5e5b13122827bef573869fe0d594de05e42db9f7f9
SHA512

344172221ea164f19d54b0735447c4eae20468d080b5564e22d3856b8448b4380f30046caf495f3724d415806cfa897971d0970d3357735b2ce2a6cc26afde0d
SSDEEP

6144:RNeZK0ylr/28KYKjWeHlYznEy/meM22Rv3A2oLB8W54ESaAOp5EzWu:RNxcJjWeHWLEqFH2WB8cTSaAOp5Ez

Score

10^/10

warzonerat infostealer persistence rat

Malware Config

Extracted

Family

warzonerat

185.216.71.58:1856

Signatures

WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
rat infostealer warzonerat

Warzone RAT payload 2 IoCs

rat

resource	yara_rule
behavioral2/memory/396-143-0x0000000000400000-0x0000000000554000-memory.dmp	warzonerat
behavioral2/memory/4220-154-0x0000000000400000-0x0000000000554000-memory.dmp	warzonerat

Executes dropped EXE 7 IoCs

pid	Process
388	ubyfzryp.exe
5036	ubyfzryp.exe
3752	imaAQges.exe
1928	imaAQges.exe
1860	imaAQges.exe
2408	imaAQges.exe
2292	imaAQges.exe

Loads dropped DLL 2 IoCs

pid	Process
396	ubyfzryp.exe
4220	imaAQges.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Images = "C:\\ProgramData\\imaAQges.exe"	ubyfzryp.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 388 set thread context of 396	388	ubyfzryp.exe	85
PID 3752 set thread context of 4220	3752	imaAQges.exe	93

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 4 IoCs

pid	pid_target	Process	procid_target
1448	388	WerFault.exe	83
220	3752	WerFault.exe	88
4128	3752	WerFault.exe	88
1680	3752	WerFault.exe	88

Suspicious use of WriteProcessMemory 29 IoCs

description	pid	Process	procid_target
PID 2864 wrote to memory of 388	2864	BFM-720-7388372883783888278.scr.exe	83
PID 2864 wrote to memory of 388	2864	BFM-720-7388372883783888278.scr.exe	83
PID 2864 wrote to memory of 388	2864	BFM-720-7388372883783888278.scr.exe	83
PID 388 wrote to memory of 5036	388	ubyfzryp.exe	84
PID 388 wrote to memory of 5036	388	ubyfzryp.exe	84
PID 388 wrote to memory of 5036	388	ubyfzryp.exe	84
PID 388 wrote to memory of 396	388	ubyfzryp.exe	85
PID 388 wrote to memory of 396	388	ubyfzryp.exe	85
PID 388 wrote to memory of 396	388	ubyfzryp.exe	85
PID 388 wrote to memory of 396	388	ubyfzryp.exe	85
PID 396 wrote to memory of 3752	396	ubyfzryp.exe	88
PID 396 wrote to memory of 3752	396	ubyfzryp.exe	88
PID 396 wrote to memory of 3752	396	ubyfzryp.exe	88
PID 3752 wrote to memory of 1928	3752	imaAQges.exe	89
PID 3752 wrote to memory of 1928	3752	imaAQges.exe	89
PID 3752 wrote to memory of 1928	3752	imaAQges.exe	89
PID 3752 wrote to memory of 1860	3752	imaAQges.exe	90
PID 3752 wrote to memory of 1860	3752	imaAQges.exe	90
PID 3752 wrote to memory of 1860	3752	imaAQges.exe	90
PID 3752 wrote to memory of 2408	3752	imaAQges.exe	91
PID 3752 wrote to memory of 2408	3752	imaAQges.exe	91
PID 3752 wrote to memory of 2408	3752	imaAQges.exe	91
PID 3752 wrote to memory of 2292	3752	imaAQges.exe	92
PID 3752 wrote to memory of 2292	3752	imaAQges.exe	92
PID 3752 wrote to memory of 2292	3752	imaAQges.exe	92
PID 3752 wrote to memory of 4220	3752	imaAQges.exe	93
PID 3752 wrote to memory of 4220	3752	imaAQges.exe	93
PID 3752 wrote to memory of 4220	3752	imaAQges.exe	93
PID 3752 wrote to memory of 4220	3752	imaAQges.exe	93

C:\Users\Admin\AppData\Local\Temp\BFM-720-7388372883783888278.scr.exe
"C:\Users\Admin\AppData\Local\Temp\BFM-720-7388372883783888278.scr.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2864
- C:\Users\Admin\AppData\Local\Temp\ubyfzryp.exe
  "C:\Users\Admin\AppData\Local\Temp\ubyfzryp.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:388
- - C:\Users\Admin\AppData\Local\Temp\ubyfzryp.exe
    "C:\Users\Admin\AppData\Local\Temp\ubyfzryp.exe"
    3⤵
    - Executes dropped EXE
    PID:5036
- - C:\Users\Admin\AppData\Local\Temp\ubyfzryp.exe
    "C:\Users\Admin\AppData\Local\Temp\ubyfzryp.exe"
    3⤵
    - Loads dropped DLL
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:396
  - - C:\ProgramData\imaAQges.exe
      "C:\ProgramData\imaAQges.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious use of WriteProcessMemory
      PID:3752
    - - C:\ProgramData\imaAQges.exe
        
        "C:\ProgramData\imaAQges.exe"
        5⤵
        Executes dropped EXE
        
        PID:1928
    - - C:\ProgramData\imaAQges.exe
        
        "C:\ProgramData\imaAQges.exe"
        5⤵
        Executes dropped EXE
        
        PID:1860
    - - C:\ProgramData\imaAQges.exe
        
        "C:\ProgramData\imaAQges.exe"
        5⤵
        Executes dropped EXE
        
        PID:2408
    - - C:\ProgramData\imaAQges.exe
        
        "C:\ProgramData\imaAQges.exe"
        5⤵
        Executes dropped EXE
        
        PID:2292
    - - C:\ProgramData\imaAQges.exe
        
        "C:\ProgramData\imaAQges.exe"
        5⤵
        Loads dropped DLL
        
        PID:4220
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3752 -s 616
        5⤵
        Program crash
        
        PID:220
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3752 -s 616
        5⤵
        Program crash
        
        PID:4128
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3752 -s 636
        5⤵
        Program crash
        
        PID:1680
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 388 -s 588
    3⤵
    - Program crash
    PID:1448

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 388 -ip 388
1⤵
PID:1472

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 3752 -ip 3752
1⤵
PID:3504

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 3752 -ip 3752
1⤵
PID:60

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 3752 -ip 3752
1⤵
PID:948

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\imaAQges.exe

Filesize
124KB

MD5
174738bf752b5823885e9cadbcc9c0ae

SHA1
fdc1fdceb5e8c653616a722ae28ec37bfa9a8c6d

SHA256
5227385027f87182e37a4e120f24ff48395653e927bb7e0bffc9f4f75ec36039

SHA512
03075b57c6e23006e1ac6652921281e161a00bf3469ae269d2195f6acd4b953eafdf7915a166fa52d17b0b89f900a794606fd061efc721106753371264125112

Download Submit
C:\ProgramData\imaAQges.exe

Filesize
124KB

MD5
174738bf752b5823885e9cadbcc9c0ae

SHA1
fdc1fdceb5e8c653616a722ae28ec37bfa9a8c6d

SHA256
5227385027f87182e37a4e120f24ff48395653e927bb7e0bffc9f4f75ec36039

SHA512
03075b57c6e23006e1ac6652921281e161a00bf3469ae269d2195f6acd4b953eafdf7915a166fa52d17b0b89f900a794606fd061efc721106753371264125112

Download Submit
C:\ProgramData\imaAQges.exe

Filesize
124KB

MD5
174738bf752b5823885e9cadbcc9c0ae

SHA1
fdc1fdceb5e8c653616a722ae28ec37bfa9a8c6d

SHA256
5227385027f87182e37a4e120f24ff48395653e927bb7e0bffc9f4f75ec36039

SHA512
03075b57c6e23006e1ac6652921281e161a00bf3469ae269d2195f6acd4b953eafdf7915a166fa52d17b0b89f900a794606fd061efc721106753371264125112

Download Submit
C:\ProgramData\imaAQges.exe

Filesize
124KB

MD5
174738bf752b5823885e9cadbcc9c0ae

SHA1
fdc1fdceb5e8c653616a722ae28ec37bfa9a8c6d

SHA256
5227385027f87182e37a4e120f24ff48395653e927bb7e0bffc9f4f75ec36039

SHA512
03075b57c6e23006e1ac6652921281e161a00bf3469ae269d2195f6acd4b953eafdf7915a166fa52d17b0b89f900a794606fd061efc721106753371264125112

Download Submit
C:\ProgramData\imaAQges.exe

Filesize
124KB

MD5
174738bf752b5823885e9cadbcc9c0ae

SHA1
fdc1fdceb5e8c653616a722ae28ec37bfa9a8c6d

SHA256
5227385027f87182e37a4e120f24ff48395653e927bb7e0bffc9f4f75ec36039

SHA512
03075b57c6e23006e1ac6652921281e161a00bf3469ae269d2195f6acd4b953eafdf7915a166fa52d17b0b89f900a794606fd061efc721106753371264125112

Download Submit
C:\ProgramData\imaAQges.exe

Filesize
124KB

MD5
174738bf752b5823885e9cadbcc9c0ae

SHA1
fdc1fdceb5e8c653616a722ae28ec37bfa9a8c6d

SHA256
5227385027f87182e37a4e120f24ff48395653e927bb7e0bffc9f4f75ec36039

SHA512
03075b57c6e23006e1ac6652921281e161a00bf3469ae269d2195f6acd4b953eafdf7915a166fa52d17b0b89f900a794606fd061efc721106753371264125112

Download Submit
C:\ProgramData\imaAQges.exe

Filesize
124KB

MD5
174738bf752b5823885e9cadbcc9c0ae

SHA1
fdc1fdceb5e8c653616a722ae28ec37bfa9a8c6d

SHA256
5227385027f87182e37a4e120f24ff48395653e927bb7e0bffc9f4f75ec36039

SHA512
03075b57c6e23006e1ac6652921281e161a00bf3469ae269d2195f6acd4b953eafdf7915a166fa52d17b0b89f900a794606fd061efc721106753371264125112

Download Submit
C:\Users\Admin\AppData\Local\Temp\ubyfzryp.exe

Filesize
124KB

MD5
174738bf752b5823885e9cadbcc9c0ae

SHA1
fdc1fdceb5e8c653616a722ae28ec37bfa9a8c6d

SHA256
5227385027f87182e37a4e120f24ff48395653e927bb7e0bffc9f4f75ec36039

SHA512
03075b57c6e23006e1ac6652921281e161a00bf3469ae269d2195f6acd4b953eafdf7915a166fa52d17b0b89f900a794606fd061efc721106753371264125112

Download Submit
C:\Users\Admin\AppData\Local\Temp\ubyfzryp.exe

Filesize
124KB

MD5
174738bf752b5823885e9cadbcc9c0ae

SHA1
fdc1fdceb5e8c653616a722ae28ec37bfa9a8c6d

SHA256
5227385027f87182e37a4e120f24ff48395653e927bb7e0bffc9f4f75ec36039

SHA512
03075b57c6e23006e1ac6652921281e161a00bf3469ae269d2195f6acd4b953eafdf7915a166fa52d17b0b89f900a794606fd061efc721106753371264125112

Download Submit
C:\Users\Admin\AppData\Local\Temp\ubyfzryp.exe

Filesize
124KB

MD5
174738bf752b5823885e9cadbcc9c0ae

SHA1
fdc1fdceb5e8c653616a722ae28ec37bfa9a8c6d

SHA256
5227385027f87182e37a4e120f24ff48395653e927bb7e0bffc9f4f75ec36039

SHA512
03075b57c6e23006e1ac6652921281e161a00bf3469ae269d2195f6acd4b953eafdf7915a166fa52d17b0b89f900a794606fd061efc721106753371264125112

Download Submit
C:\Users\Admin\AppData\Local\Temp\ubyfzryp.exe

Filesize
124KB

MD5
174738bf752b5823885e9cadbcc9c0ae

SHA1
fdc1fdceb5e8c653616a722ae28ec37bfa9a8c6d

SHA256
5227385027f87182e37a4e120f24ff48395653e927bb7e0bffc9f4f75ec36039

SHA512
03075b57c6e23006e1ac6652921281e161a00bf3469ae269d2195f6acd4b953eafdf7915a166fa52d17b0b89f900a794606fd061efc721106753371264125112

Download Submit
C:\Users\Admin\AppData\Local\Temp\vrqmd.ilx

Filesize
4KB

MD5
45bccdaed105411e5b0c06defa795a3d

SHA1
4e999cd47123fe757bb70bd23cd778e6e5d6f62a

SHA256
2ab6d27e5c0f138b55f330726969614a85dd584493691da5630297e34aaa236e

SHA512
968668f1efb1d43252067a73a822c7cb5b9c36564ad224e620da13155a973fca82173ebf68df15c56a9fbc289ea2c1cbeb9e69f3cfa5e34329ac699d9ea99296

Download Submit
C:\Users\Admin\AppData\Local\Temp\xnbegjw.j

Filesize
113KB

MD5
4954ddac3697515fd0e05f28a0d5948b

SHA1
96ea5ea350ea4fdbb8e009114168b8f41a50e22b

SHA256
393893c1e6efdce4f9947f64d863a57cdf80e9989db06fa08cef3d11fcaf0d3f

SHA512
1b1a2ce09a9fcba1fffa75a66f73362fd150fa7be2dd0908dfa5ea7a72e5cb62c5c89ad661ba246466931b7192dc121e1b0181a4f01e0d3bac68f7858b954c03

Download Submit
memory/396-143-0x0000000000400000-0x0000000000554000-memory.dmp

Filesize
1.3MB

Download
memory/4220-154-0x0000000000400000-0x0000000000554000-memory.dmp

Filesize
1.3MB

Download