warzonerat | 7e96a60f26b252ef89a4e1f3fb4264f224031f6d8c9bc592f3ec715a3307c679

Analysis

max time kernel
145s
max time network
151s
platform
windows10-1703_x64
resource
win10-20220812-en
resource tags

arch:x64arch:x86image:win10-20220812-enlocale:en-usos:windows10-1703-x64system
submitted
28-10-2022 06:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7e96a60f26b252ef89a4e1f3fb4264f224031f6d8c9bc592f3ec715a3307c679.exe
Size

287KB
MD5

7170cc643a9c4b5e35cbff4fdff3a8d7
SHA1

d3395f2ff313f8fae082adad9d9e892b860eb747
SHA256

7e96a60f26b252ef89a4e1f3fb4264f224031f6d8c9bc592f3ec715a3307c679
SHA512

44662d34c37048a7fee0eb11e05818719a15afd618dfbe809c3eed1a903bd1df07eab1d90540e87390498c6b366a73719e7a1bda75a9d5eb4d712186f4436841
SSDEEP

6144:YVKVvfInUcpUm6KhJPWje13dCVdKrLXoJ8LL:DIUwdWjenCi/X1

Score

10^/10

warzonerat infostealer rat

Malware Config

Extracted

Family

warzonerat

chinagov.duckdns.org:5202

Signatures

WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
rat infostealer warzonerat

Warzone RAT payload 3 IoCs

rat

resource	yara_rule
behavioral1/memory/1968-187-0x0000000000406DA4-mapping.dmp	warzonerat
behavioral1/memory/1968-277-0x0000000000400000-0x000000000055A000-memory.dmp	warzonerat
behavioral1/memory/1968-330-0x0000000000400000-0x000000000055A000-memory.dmp	warzonerat

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Systegbhhhm.exe	Powershell.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Systegbhhhm.exe	Powershell.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1756 set thread context of 1968	1756	7e96a60f26b252ef89a4e1f3fb4264f224031f6d8c9bc592f3ec715a3307c679.exe	68

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
2324	Powershell.exe
2324	Powershell.exe
2324	Powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1756	7e96a60f26b252ef89a4e1f3fb4264f224031f6d8c9bc592f3ec715a3307c679.exe
Token: SeDebugPrivilege	2324	Powershell.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 1756 wrote to memory of 2324	1756	7e96a60f26b252ef89a4e1f3fb4264f224031f6d8c9bc592f3ec715a3307c679.exe	66
PID 1756 wrote to memory of 2324	1756	7e96a60f26b252ef89a4e1f3fb4264f224031f6d8c9bc592f3ec715a3307c679.exe	66
PID 1756 wrote to memory of 2324	1756	7e96a60f26b252ef89a4e1f3fb4264f224031f6d8c9bc592f3ec715a3307c679.exe	66
PID 1756 wrote to memory of 1968	1756	7e96a60f26b252ef89a4e1f3fb4264f224031f6d8c9bc592f3ec715a3307c679.exe	68
PID 1756 wrote to memory of 1968	1756	7e96a60f26b252ef89a4e1f3fb4264f224031f6d8c9bc592f3ec715a3307c679.exe	68
PID 1756 wrote to memory of 1968	1756	7e96a60f26b252ef89a4e1f3fb4264f224031f6d8c9bc592f3ec715a3307c679.exe	68
PID 1756 wrote to memory of 1968	1756	7e96a60f26b252ef89a4e1f3fb4264f224031f6d8c9bc592f3ec715a3307c679.exe	68
PID 1756 wrote to memory of 1968	1756	7e96a60f26b252ef89a4e1f3fb4264f224031f6d8c9bc592f3ec715a3307c679.exe	68
PID 1756 wrote to memory of 1968	1756	7e96a60f26b252ef89a4e1f3fb4264f224031f6d8c9bc592f3ec715a3307c679.exe	68
PID 1756 wrote to memory of 1968	1756	7e96a60f26b252ef89a4e1f3fb4264f224031f6d8c9bc592f3ec715a3307c679.exe	68
PID 1756 wrote to memory of 1968	1756	7e96a60f26b252ef89a4e1f3fb4264f224031f6d8c9bc592f3ec715a3307c679.exe	68
PID 1756 wrote to memory of 1968	1756	7e96a60f26b252ef89a4e1f3fb4264f224031f6d8c9bc592f3ec715a3307c679.exe	68
PID 1756 wrote to memory of 1968	1756	7e96a60f26b252ef89a4e1f3fb4264f224031f6d8c9bc592f3ec715a3307c679.exe	68
PID 1756 wrote to memory of 1968	1756	7e96a60f26b252ef89a4e1f3fb4264f224031f6d8c9bc592f3ec715a3307c679.exe	68

C:\Users\Admin\AppData\Local\Temp\7e96a60f26b252ef89a4e1f3fb4264f224031f6d8c9bc592f3ec715a3307c679.exe
"C:\Users\Admin\AppData\Local\Temp\7e96a60f26b252ef89a4e1f3fb4264f224031f6d8c9bc592f3ec715a3307c679.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1756
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Powershell.exe
  "Powershell" Copy-Item 'C:\Users\Admin\AppData\Local\Temp\7e96a60f26b252ef89a4e1f3fb4264f224031f6d8c9bc592f3ec715a3307c679.exe' 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Systegbhhhm.exe'
  2⤵
  - Drops startup file
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2324
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
  2⤵
  PID:1968

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1756-157-0x0000000077C40000-0x0000000077DCE000-memory.dmp

Filesize
1.6MB

Download
memory/1756-145-0x0000000077C40000-0x0000000077DCE000-memory.dmp

Filesize
1.6MB

Download
memory/1756-118-0x0000000077C40000-0x0000000077DCE000-memory.dmp

Filesize
1.6MB

Download
memory/1756-119-0x0000000077C40000-0x0000000077DCE000-memory.dmp

Filesize
1.6MB

Download
memory/1756-120-0x0000000077C40000-0x0000000077DCE000-memory.dmp

Filesize
1.6MB

Download
memory/1756-121-0x0000000077C40000-0x0000000077DCE000-memory.dmp

Filesize
1.6MB

Download
memory/1756-122-0x0000000077C40000-0x0000000077DCE000-memory.dmp

Filesize
1.6MB

Download
memory/1756-123-0x0000000077C40000-0x0000000077DCE000-memory.dmp

Filesize
1.6MB

Download
memory/1756-124-0x0000000077C40000-0x0000000077DCE000-memory.dmp

Filesize
1.6MB

Download
memory/1756-125-0x0000000077C40000-0x0000000077DCE000-memory.dmp

Filesize
1.6MB

Download
memory/1756-129-0x0000000077C40000-0x0000000077DCE000-memory.dmp

Filesize
1.6MB

Download
memory/1756-130-0x0000000077C40000-0x0000000077DCE000-memory.dmp

Filesize
1.6MB

Download
memory/1756-131-0x0000000077C40000-0x0000000077DCE000-memory.dmp

Filesize
1.6MB

Download
memory/1756-128-0x0000000077C40000-0x0000000077DCE000-memory.dmp

Filesize
1.6MB

Download
memory/1756-127-0x0000000077C40000-0x0000000077DCE000-memory.dmp

Filesize
1.6MB

Download
memory/1756-132-0x0000000077C40000-0x0000000077DCE000-memory.dmp

Filesize
1.6MB

Download
memory/1756-135-0x0000000077C40000-0x0000000077DCE000-memory.dmp

Filesize
1.6MB

Download
memory/1756-134-0x0000000077C40000-0x0000000077DCE000-memory.dmp

Filesize
1.6MB

Download
memory/1756-136-0x0000000077C40000-0x0000000077DCE000-memory.dmp

Filesize
1.6MB

Download
memory/1756-137-0x0000000077C40000-0x0000000077DCE000-memory.dmp

Filesize
1.6MB

Download
memory/1756-133-0x0000000077C40000-0x0000000077DCE000-memory.dmp

Filesize
1.6MB

Download
memory/1756-138-0x0000000077C40000-0x0000000077DCE000-memory.dmp

Filesize
1.6MB

Download
memory/1756-126-0x0000000077C40000-0x0000000077DCE000-memory.dmp

Filesize
1.6MB

Download
memory/1756-156-0x0000000077C40000-0x0000000077DCE000-memory.dmp

Filesize
1.6MB

Download
memory/1756-140-0x0000000077C40000-0x0000000077DCE000-memory.dmp

Filesize
1.6MB

Download
memory/1756-141-0x0000000077C40000-0x0000000077DCE000-memory.dmp

Filesize
1.6MB

Download
memory/1756-142-0x0000000077C40000-0x0000000077DCE000-memory.dmp

Filesize
1.6MB

Download
memory/1756-143-0x0000000077C40000-0x0000000077DCE000-memory.dmp

Filesize
1.6MB

Download
memory/1756-144-0x0000000077C40000-0x0000000077DCE000-memory.dmp

Filesize
1.6MB

Download
memory/1756-158-0x0000000077C40000-0x0000000077DCE000-memory.dmp

Filesize
1.6MB

Download
memory/1756-146-0x0000000077C40000-0x0000000077DCE000-memory.dmp

Filesize
1.6MB

Download
memory/1756-147-0x0000000077C40000-0x0000000077DCE000-memory.dmp

Filesize
1.6MB

Download
memory/1756-148-0x0000000077C40000-0x0000000077DCE000-memory.dmp

Filesize
1.6MB

Download
memory/1756-150-0x0000000000350000-0x000000000039C000-memory.dmp

Filesize
304KB

Download
memory/1756-149-0x0000000077C40000-0x0000000077DCE000-memory.dmp

Filesize
1.6MB

Download
memory/1756-152-0x0000000077C40000-0x0000000077DCE000-memory.dmp

Filesize
1.6MB

Download
memory/1756-151-0x0000000077C40000-0x0000000077DCE000-memory.dmp

Filesize
1.6MB

Download
memory/1756-153-0x0000000004CF0000-0x0000000004D8C000-memory.dmp

Filesize
624KB

Download
memory/1756-154-0x0000000005290000-0x000000000578E000-memory.dmp

Filesize
5.0MB

Download
memory/1756-155-0x0000000077C40000-0x0000000077DCE000-memory.dmp

Filesize
1.6MB

Download
memory/1756-139-0x0000000077C40000-0x0000000077DCE000-memory.dmp

Filesize
1.6MB

Download
memory/1756-117-0x0000000077C40000-0x0000000077DCE000-memory.dmp

Filesize
1.6MB

Download
memory/1756-116-0x0000000077C40000-0x0000000077DCE000-memory.dmp

Filesize
1.6MB

Download
memory/1756-159-0x0000000077C40000-0x0000000077DCE000-memory.dmp

Filesize
1.6MB

Download
memory/1756-160-0x0000000077C40000-0x0000000077DCE000-memory.dmp

Filesize
1.6MB

Download
memory/1756-161-0x0000000077C40000-0x0000000077DCE000-memory.dmp

Filesize
1.6MB

Download
memory/1756-162-0x0000000077C40000-0x0000000077DCE000-memory.dmp

Filesize
1.6MB

Download
memory/1756-164-0x0000000077C40000-0x0000000077DCE000-memory.dmp

Filesize
1.6MB

Download
memory/1756-163-0x0000000077C40000-0x0000000077DCE000-memory.dmp

Filesize
1.6MB

Download
memory/1756-165-0x0000000077C40000-0x0000000077DCE000-memory.dmp

Filesize
1.6MB

Download
memory/1756-168-0x0000000077C40000-0x0000000077DCE000-memory.dmp

Filesize
1.6MB

Download
memory/1756-170-0x0000000077C40000-0x0000000077DCE000-memory.dmp

Filesize
1.6MB

Download
memory/1756-173-0x0000000077C40000-0x0000000077DCE000-memory.dmp

Filesize
1.6MB

Download
memory/1756-174-0x0000000077C40000-0x0000000077DCE000-memory.dmp

Filesize
1.6MB

Download
memory/1756-175-0x0000000004CA0000-0x0000000004CBC000-memory.dmp

Filesize
112KB

Download
memory/1756-177-0x0000000077C40000-0x0000000077DCE000-memory.dmp

Filesize
1.6MB

Download
memory/1968-330-0x0000000000400000-0x000000000055A000-memory.dmp

Filesize
1.4MB

Download
memory/1968-277-0x0000000000400000-0x000000000055A000-memory.dmp

Filesize
1.4MB

Download
memory/2324-176-0x0000000077C40000-0x0000000077DCE000-memory.dmp

Filesize
1.6MB

Download
memory/2324-179-0x0000000077C40000-0x0000000077DCE000-memory.dmp

Filesize
1.6MB

Download
memory/2324-180-0x0000000077C40000-0x0000000077DCE000-memory.dmp

Filesize
1.6MB

Download
memory/2324-181-0x0000000077C40000-0x0000000077DCE000-memory.dmp

Filesize
1.6MB

Download
memory/2324-182-0x0000000077C40000-0x0000000077DCE000-memory.dmp

Filesize
1.6MB

Download
memory/2324-183-0x0000000077C40000-0x0000000077DCE000-memory.dmp

Filesize
1.6MB

Download
memory/2324-248-0x0000000007980000-0x0000000007FA8000-memory.dmp

Filesize
6.2MB

Download
memory/2324-236-0x0000000004E30000-0x0000000004E66000-memory.dmp

Filesize
216KB

Download
memory/2324-171-0x0000000077C40000-0x0000000077DCE000-memory.dmp

Filesize
1.6MB

Download
memory/2324-172-0x0000000077C40000-0x0000000077DCE000-memory.dmp

Filesize
1.6MB

Download
memory/2324-167-0x0000000077C40000-0x0000000077DCE000-memory.dmp

Filesize
1.6MB

Download
memory/2324-184-0x0000000077C40000-0x0000000077DCE000-memory.dmp

Filesize
1.6MB

Download
memory/2324-178-0x0000000077C40000-0x0000000077DCE000-memory.dmp

Filesize
1.6MB

Download
memory/2324-292-0x0000000008020000-0x0000000008086000-memory.dmp

Filesize
408KB

Download
memory/2324-290-0x0000000007900000-0x0000000007922000-memory.dmp

Filesize
136KB

Download
memory/2324-293-0x0000000008190000-0x00000000081F6000-memory.dmp

Filesize
408KB

Download
memory/2324-297-0x0000000008200000-0x0000000008550000-memory.dmp

Filesize
3.3MB

Download
memory/2324-300-0x0000000008000000-0x000000000801C000-memory.dmp

Filesize
112KB

Download
memory/2324-301-0x0000000008B90000-0x0000000008BDB000-memory.dmp

Filesize
300KB

Download
memory/2324-305-0x0000000008940000-0x00000000089B6000-memory.dmp

Filesize
472KB

Download
memory/2324-316-0x00000000097A0000-0x0000000009834000-memory.dmp

Filesize
592KB

Download
memory/2324-319-0x0000000009740000-0x000000000975A000-memory.dmp

Filesize
104KB

Download
memory/2324-321-0x0000000009840000-0x0000000009862000-memory.dmp

Filesize
136KB

Download
memory/2324-169-0x0000000077C40000-0x0000000077DCE000-memory.dmp

Filesize
1.6MB

Download