warzonerat | 78df1676000a461cdda4e1493b26619e3a934d183fee71987a2175c590cf69b4

Analysis

max time kernel
132s
max time network
139s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
01/11/2022, 15:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

78df1676000a461cdda4e1493b26619e3a934d183fee7.exe
Size

305KB
MD5

5e6e80de8f7d0e5da3656ef938d5d986
SHA1

69de6a0d7861592604f9495b5e0a7c2e7d4c0021
SHA256

78df1676000a461cdda4e1493b26619e3a934d183fee71987a2175c590cf69b4
SHA512

79f80953b5f68baef34851f9e3100021764a646daec3336700f6ebda429a17f49d254e159814a4dbeafc3f5c01ae9599b7b49a2b2bf0714b45c97c6c6ad98922
SSDEEP

6144:3wq3Nphr3dZZ6ZmiYOS0dNgbDIr1kruxJ+3WTHNP34JX5/y:3zNjfZWy9wK4x6CNP34v/y

Score

10^/10

warzonerat discovery evasion infostealer persistence rat upx

Malware Config

Signatures

WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
rat infostealer warzonerat

Executes dropped EXE 1 IoCs

pid	Process
2112	30.exe

Modifies Windows Firewall 1 TTPs 1 IoCs

evasion

Modify Existing Service

T1031

pid	Process
4088	netsh.exe

Sets DLL path for service in the registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\TermService\Parameters\ServiceDll = "%ProgramFiles%\\Microsoft DN1\\sqlmap.dll"	ieinstal.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x0001000000022de4-147.dat	upx
behavioral2/files/0x0001000000022de4-146.dat	upx
behavioral2/memory/2112-150-0x0000000000BB0000-0x0000000000BDD000-memory.dmp	upx
behavioral2/memory/2112-156-0x0000000000BB0000-0x0000000000BDD000-memory.dmp	upx

Checks QEMU agent file 2 TTPs 2 IoCs

Checks presence of QEMU agent, possibly to detect virtualization.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	C:\Program Files\Qemu-ga\qemu-ga.exe	78df1676000a461cdda4e1493b26619e3a934d183fee7.exe
File opened (read-only)	C:\Program Files\Qemu-ga\qemu-ga.exe	ieinstal.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\programs.bat:start	ieinstal.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\programs.bat	ieinstal.exe

Loads dropped DLL 2 IoCs

pid	Process
3548	78df1676000a461cdda4e1493b26619e3a934d183fee7.exe
2144	svchost.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Images = "C:\\Program Files (x86)\\internet explorer\\ieinstal.exe"	ieinstal.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\System32\rfxvmt.dll	ieinstal.exe

Suspicious use of NtCreateThreadExHideFromDebugger 2 IoCs

pid	Process
4628	ieinstal.exe
4628	ieinstal.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
3548	78df1676000a461cdda4e1493b26619e3a934d183fee7.exe
4628	ieinstal.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3548 set thread context of 4628	3548	78df1676000a461cdda4e1493b26619e3a934d183fee7.exe	87

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files\Microsoft DN1\sqlmap.dll	ieinstal.exe
File created	C:\Program Files\Microsoft DN1\rdpwrap.ini	ieinstal.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4332	4572	WerFault.exe	88

NTFS ADS 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\Documents\Documents:ApplicationData	ieinstal.exe
File opened for modification	C:\Users\Admin\Documents\Documents:ApplicationData	ieinstal.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2144	svchost.exe
2144	svchost.exe
2144	svchost.exe
2144	svchost.exe

Suspicious behavior: LoadsDriver 1 IoCs

pid	Process
660	Process not Found

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
3548	78df1676000a461cdda4e1493b26619e3a934d183fee7.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	4628	ieinstal.exe
Token: SeAuditPrivilege	2144	svchost.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4628	ieinstal.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 3548 wrote to memory of 4628	3548	78df1676000a461cdda4e1493b26619e3a934d183fee7.exe	87
PID 3548 wrote to memory of 4628	3548	78df1676000a461cdda4e1493b26619e3a934d183fee7.exe	87
PID 3548 wrote to memory of 4628	3548	78df1676000a461cdda4e1493b26619e3a934d183fee7.exe	87
PID 3548 wrote to memory of 4628	3548	78df1676000a461cdda4e1493b26619e3a934d183fee7.exe	87
PID 4628 wrote to memory of 4572	4628	ieinstal.exe	88
PID 4628 wrote to memory of 4572	4628	ieinstal.exe	88
PID 4628 wrote to memory of 4572	4628	ieinstal.exe	88
PID 4628 wrote to memory of 4572	4628	ieinstal.exe	88
PID 4628 wrote to memory of 4572	4628	ieinstal.exe	88
PID 4628 wrote to memory of 2112	4628	ieinstal.exe	93
PID 4628 wrote to memory of 2112	4628	ieinstal.exe	93
PID 4628 wrote to memory of 2112	4628	ieinstal.exe	93
PID 2112 wrote to memory of 4088	2112	30.exe	94
PID 2112 wrote to memory of 4088	2112	30.exe	94
PID 2112 wrote to memory of 4088	2112	30.exe	94

C:\Users\Admin\AppData\Local\Temp\78df1676000a461cdda4e1493b26619e3a934d183fee7.exe
"C:\Users\Admin\AppData\Local\Temp\78df1676000a461cdda4e1493b26619e3a934d183fee7.exe"
1⤵
- Checks QEMU agent file
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:3548
- C:\Program Files (x86)\internet explorer\ieinstal.exe
  "C:\Users\Admin\AppData\Local\Temp\78df1676000a461cdda4e1493b26619e3a934d183fee7.exe"
  2⤵
  - Sets DLL path for service in the registry
  - Checks QEMU agent file
  - Drops startup file
  - Adds Run key to start application
  - Drops file in System32 directory
  - Suspicious use of NtCreateThreadExHideFromDebugger
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Drops file in Program Files directory
  - NTFS ADS
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4628
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe"
    3⤵
    PID:4572
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4572 -s 328
      4⤵
      Program crash
      PID:4332
- - C:\Users\Admin\AppData\Local\Temp\30.exe
    "C:\Users\Admin\AppData\Local\Temp\30.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:2112
  - - C:\Windows\SysWOW64\netsh.exe
      netsh advfirewall firewall add rule name="3389" dir=in action=allow protocol=TCP localport=3389
      4⤵
      Modifies Windows Firewall
      PID:4088

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 4572 -ip 4572
1⤵
PID:1372

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -s TermService
1⤵
PID:4300

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -s TermService
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2144

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Web Service

T1102

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Microsoft DN1\sqlmap.dll

Filesize
114KB

MD5
461ade40b800ae80a40985594e1ac236

SHA1
b3892eef846c044a2b0785d54a432b3e93a968c8

SHA256
798af20db39280f90a1d35f2ac2c1d62124d1f5218a2a0fa29d87a13340bd3e4

SHA512
421f9060c4b61fa6f4074508602a2639209032fd5df5bfc702a159e3bad5479684ccb3f6e02f3e38fb8db53839cf3f41fe58a3acad6ec1199a48dc333b2d8a26

Download Submit
C:\Users\Admin\AppData\Local\Temp\30.exe

Filesize
70KB

MD5
ca96229390a0e6a53e8f2125f2c01114

SHA1
a54b1081cf58724f8cb292b4d165dfee2fb1c9f6

SHA256
0df3d05900e7b530f6c2a281d43c47839f2cf2a5d386553c8dc46e463a635a2c

SHA512
e93445bce6c8b6f51890309577a0ea9369860d2e6bf8cc0ca708879a77bb176d27c5f559bbdb7deb4b719aee0fc48d9068c293559f7629baf4ec3515898102ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\30.exe

Filesize
70KB

MD5
ca96229390a0e6a53e8f2125f2c01114

SHA1
a54b1081cf58724f8cb292b4d165dfee2fb1c9f6

SHA256
0df3d05900e7b530f6c2a281d43c47839f2cf2a5d386553c8dc46e463a635a2c

SHA512
e93445bce6c8b6f51890309577a0ea9369860d2e6bf8cc0ca708879a77bb176d27c5f559bbdb7deb4b719aee0fc48d9068c293559f7629baf4ec3515898102ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsd90CD.tmp\System.dll

Filesize
11KB

MD5
17ed1c86bd67e78ade4712be48a7d2bd

SHA1
1cc9fe86d6d6030b4dae45ecddce5907991c01a0

SHA256
bd046e6497b304e4ea4ab102cab2b1f94ce09bde0eebba4c59942a732679e4eb

SHA512
0cbed521e7d6d1f85977b3f7d3ca7ac34e1b5495b69fd8c7bfa1a846baf53b0ecd06fe1ad02a3599082ffacaf8c71a3bb4e32dec05f8e24859d736b828092cd5

Download Submit
\??\c:\program files\microsoft dn1\rdpwrap.ini

Filesize
291KB

MD5
914d30cdc026d77366e6ac105cd5eefc

SHA1
95e0c8463f4995bf126fa0cffab4a8a947963a1a

SHA256
f00109618610375ea494b1406fa7e5548d75a52669b1bf1761a80394301b42f8

SHA512
184c1c12c18b02e27a8674476c768b0dcaef7dff722dfd27e4f342ba7ce65653c399eed0bedc3d9cbca0fec0fa5a17077e8e71f4d7807e2119eec1687ccc7635

Download Submit
\??\c:\program files\microsoft dn1\sqlmap.dll

Filesize
114KB

MD5
461ade40b800ae80a40985594e1ac236

SHA1
b3892eef846c044a2b0785d54a432b3e93a968c8

SHA256
798af20db39280f90a1d35f2ac2c1d62124d1f5218a2a0fa29d87a13340bd3e4

SHA512
421f9060c4b61fa6f4074508602a2639209032fd5df5bfc702a159e3bad5479684ccb3f6e02f3e38fb8db53839cf3f41fe58a3acad6ec1199a48dc333b2d8a26

Download Submit
memory/2112-156-0x0000000000BB0000-0x0000000000BDD000-memory.dmp

Filesize
180KB

Download
memory/2112-150-0x0000000000BB0000-0x0000000000BDD000-memory.dmp

Filesize
180KB

Download
memory/3548-139-0x0000000077BC0000-0x0000000077D63000-memory.dmp

Filesize
1.6MB

Download
memory/3548-136-0x0000000077BC0000-0x0000000077D63000-memory.dmp

Filesize
1.6MB

Download
memory/3548-135-0x00007FFDD4B90000-0x00007FFDD4D85000-memory.dmp

Filesize
2.0MB

Download
memory/3548-134-0x0000000003160000-0x000000000323B000-memory.dmp

Filesize
876KB

Download
memory/3548-133-0x0000000003160000-0x000000000323B000-memory.dmp

Filesize
876KB

Download
memory/4572-144-0x0000000000F90000-0x0000000000F91000-memory.dmp

Filesize
4KB

Download
memory/4628-149-0x0000000024CA0000-0x0000000024E40000-memory.dmp

Filesize
1.6MB

Download
memory/4628-142-0x0000000077BC0000-0x0000000077D63000-memory.dmp

Filesize
1.6MB

Download
memory/4628-141-0x00007FFDD4B90000-0x00007FFDD4D85000-memory.dmp

Filesize
2.0MB

Download
memory/4628-140-0x0000000001270000-0x0000000001370000-memory.dmp

Filesize
1024KB

Download
memory/4628-138-0x0000000001270000-0x0000000001370000-memory.dmp

Filesize
1024KB

Download
memory/4628-154-0x00007FFDD4B90000-0x00007FFDD4D85000-memory.dmp

Filesize
2.0MB

Download
memory/4628-155-0x0000000077BC0000-0x0000000077D63000-memory.dmp

Filesize
1.6MB

Download