warzonerat | 08e0c8fa9ccb60c98c51aaad96a1f9fd2e7df0120f94617f01d6e03e8de1fdba

General

Target

New order.exe
Size

1.1MB
MD5

d02f4fcad5288156d4afae51c120648a
SHA1

68c3f393f68bb4636c9e2f1a76e5d37259de620b
SHA256

886442e876aac74a0339513e0b70e04a808b6ddd9d6ac0ad0eded4f0bd47d101
SHA512

e22a8ddb83ed25a50c1f4b26d0549d6bb3ffa2fe6946193cbbbe614f940d21a1941102ebcffd0feacb5e398ca2b880c44a29385ec134976f12a4f92f3597732f
SSDEEP

24576:nAOcZXZZuapPSa+i7G2ooCN96HDhOrTCRb60i3/BSERD5KH4kCkj:ZePSiG2eGOHG3y/BNR9KH4c

Score

10^/10

warzonerat infostealer persistence rat

Malware Config

Extracted

Family

warzonerat

C2

willia2.ddns.net:5059

Signatures

WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
rat infostealer warzonerat

Warzone RAT payload 5 IoCs

rat

resource	yara_rule
behavioral2/memory/628-140-0x0000000000920000-0x0000000000F82000-memory.dmp	warzonerat
behavioral2/memory/628-141-0x0000000000925CE2-mapping.dmp	warzonerat
behavioral2/memory/628-143-0x0000000000920000-0x0000000000F82000-memory.dmp	warzonerat
behavioral2/memory/628-144-0x0000000000920000-0x0000000000F82000-memory.dmp	warzonerat
behavioral2/memory/628-146-0x0000000000920000-0x0000000000F82000-memory.dmp	warzonerat

Executes dropped EXE 1 IoCs

pid	Process
4308	xaonfqnj.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	New order.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	WScript.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	xaonfqnj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\winlogon.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\10_610\\xaonfqnj.exe C:\\Users\\Admin\\AppData\\Local\\Temp\\10_610\\ahetcmvm.xig"	xaonfqnj.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4308 set thread context of 628	4308	xaonfqnj.exe	84

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings	New order.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 4244 wrote to memory of 4512	4244	New order.exe	80
PID 4244 wrote to memory of 4512	4244	New order.exe	80
PID 4244 wrote to memory of 4512	4244	New order.exe	80
PID 4512 wrote to memory of 4308	4512	WScript.exe	81
PID 4512 wrote to memory of 4308	4512	WScript.exe	81
PID 4512 wrote to memory of 4308	4512	WScript.exe	81
PID 4308 wrote to memory of 628	4308	xaonfqnj.exe	84
PID 4308 wrote to memory of 628	4308	xaonfqnj.exe	84
PID 4308 wrote to memory of 628	4308	xaonfqnj.exe	84
PID 4308 wrote to memory of 628	4308	xaonfqnj.exe	84
PID 4308 wrote to memory of 628	4308	xaonfqnj.exe	84

C:\Users\Admin\AppData\Local\Temp\New order.exe
"C:\Users\Admin\AppData\Local\Temp\New order.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4244
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\temp\10_610\nppoww.vbe"
  2⤵
  - Checks computer location settings
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4512
- - C:\Users\Admin\AppData\Local\Temp\10_610\xaonfqnj.exe
    "C:\Users\Admin\AppData\Local\Temp\10_610\xaonfqnj.exe" ahetcmvm.xig
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:4308
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
      4⤵
      PID:628

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\10_610\ahetcmvm.xig

Filesize
125.3MB

MD5
f3cf2761303d09ddb09c53f8e1e2b59e

SHA1
01c2d773634398bffad168262ab12e76b6b434bf

SHA256
f466d794692425104e3892c449214d0de846d828bd459d014e799e5e51fa7725

SHA512
e971a34e7632f8f597228e6f92808b33f71d2f69f71841fefdd990b77eb30876dd7c39e1d2c3478f963c13e49b9fe9e231c0d60b1fc68eff445e25a1d7a9b79f

Download Submit
C:\Users\Admin\AppData\Local\Temp\10_610\ffkjsaeug.bmp

Filesize
66KB

MD5
f3d6e780ce05a0f9cd39154f8bead79a

SHA1
223ecb6e16907b3d61629daa48a9c058297778e0

SHA256
a3cd2c94946c83f2f7888f367cae3badfb53d9e014f01fb70470dcc64c25612b

SHA512
9f64a48d2d76d253fd9fd4f379b32b70809ab5f7537c4dcc608c197f0fd19448a4c28b7ee1bc996a929b24265e962b28526362bd8f99a802b18a0ef251309383

Download Submit
C:\Users\Admin\AppData\Local\Temp\10_610\hnjjgnga.fme

Filesize
226KB

MD5
5e5ba4e246ef1096561509c8c01a9a3c

SHA1
792809babe91c83ce07d5f46aa83eb8413f33bb2

SHA256
48bd43f286b9aca1fba4d0d43878a47b4752b90a46eec9dabce3216e9bc1cea0

SHA512
f0137506d2df520e31532e98411df6feb8ce0426176de1e5b3d1ac06c4189707248490d2d2156dbf4558761b63828e53573835aa026ad4c140354028932d1770

Download Submit
C:\Users\Admin\AppData\Local\Temp\10_610\xaonfqnj.exe

Filesize
1.0MB

MD5
d25b8906117edefdb2fe1a4ae2452332

SHA1
12e20ce3837b91b58e1ccfca5cd980d5763c9483

SHA256
22e5b143e21c56e4df3b47714975ad637ca601924c28821809952043b1ef69d1

SHA512
0a0dd5fa40de71fca23315a1c98def7a3b35c13d4cc1cc5467f9db9b768b5d8b9cc058a36a134d1feda66f04a3d96cea12dacbd2b825c957f41de8226fbc5766

Download Submit
C:\Users\Admin\AppData\Local\Temp\10_610\xaonfqnj.exe

Filesize
1.0MB

MD5
d25b8906117edefdb2fe1a4ae2452332

SHA1
12e20ce3837b91b58e1ccfca5cd980d5763c9483

SHA256
22e5b143e21c56e4df3b47714975ad637ca601924c28821809952043b1ef69d1

SHA512
0a0dd5fa40de71fca23315a1c98def7a3b35c13d4cc1cc5467f9db9b768b5d8b9cc058a36a134d1feda66f04a3d96cea12dacbd2b825c957f41de8226fbc5766

Download Submit
C:\Users\Admin\AppData\Local\temp\10_610\nppoww.vbe

Filesize
25KB

MD5
2382b237562fafe912dd2fe8b2b3061d

SHA1
ab9c19391ad47bfa9f4d125c8fec3dbc44881ee1

SHA256
f536d35c97b33e16ab887e43fcb7d19d00492f3ccda38ebcf91d7ad9dfc83f86

SHA512
86291d8ffdff59e15671816d3635356da289346af01b8f4c97580d41ac481beb4c5f71d15b94db3a1b8af2f2a955b4955bb675b4f313242cf057a6724ab25171

Download Submit
memory/628-140-0x0000000000920000-0x0000000000F82000-memory.dmp

Filesize
6.4MB

Download
memory/628-143-0x0000000000920000-0x0000000000F82000-memory.dmp

Filesize
6.4MB

Download
memory/628-144-0x0000000000920000-0x0000000000F82000-memory.dmp

Filesize
6.4MB

Download
memory/628-145-0x0000000004360000-0x00000000043E4000-memory.dmp

Filesize
528KB

Download
memory/628-146-0x0000000000920000-0x0000000000F82000-memory.dmp

Filesize
6.4MB

Download

Analysis

Sharing