warzonerat | 05727939f8fbf5d00c8540b04253d0e4a87733d38f14a7918ce780ef2f970896

Analysis

max time kernel
135s
max time network
148s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
07-11-2022 06:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

APP GFINQD31TADMUR D-31 PROPOSED VILLA.exe
Size

1.1MB
MD5

aade82384a7d3618a47f5fa1149c3b4a
SHA1

faf647d771fc219f1d0145dfffa8941af97d88e1
SHA256

05727939f8fbf5d00c8540b04253d0e4a87733d38f14a7918ce780ef2f970896
SHA512

b8af3a53141ef57162b97f1ee486ea8c00168bc9b2e3573b728ca9ef9b49e251485e3a74b6c4fbaf1f14aa531fd1f04c36a57f002d566d12a21db679c9df190c
SSDEEP

24576:rAOcZGR0G5lPotFkoYddiw2JEeJTcTr+Mo5pemHI0YuyqRE:tVrPmFNzFtmxo5EmHWqRE

Score

10^/10

warzonerat evasion infostealer persistence rat upx

Malware Config

Signatures

WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
rat infostealer warzonerat

Warzone RAT payload 5 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/520-69-0x0000000000270000-0x00000000008D2000-memory.dmp	warzonerat
behavioral1/memory/520-70-0x000000000027B556-mapping.dmp	warzonerat
behavioral1/memory/520-74-0x0000000000270000-0x00000000008D2000-memory.dmp	warzonerat
behavioral1/memory/520-75-0x0000000000270000-0x00000000008D2000-memory.dmp	warzonerat
behavioral1/memory/520-76-0x0000000000270000-0x00000000008D2000-memory.dmp	warzonerat

Executes dropped EXE 3 IoCs

Processes:

pgclwv.exeRegSvcs.exe23.exe

pid process

1688 pgclwv.exe
520 RegSvcs.exe
856 23.exe
Modifies Windows Firewall 1 TTPs 1 IoCs
evasion

Modify Existing Service
T1031

Processes:

netsh.exe

pid process

1960 netsh.exe

pid	process
1688	pgclwv.exe
520	RegSvcs.exe
856	23.exe

pid	process
1960	netsh.exe

Sets DLL path for service in the registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

RegSvcs.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\TermService\Parameters\ServiceDll = "%ProgramFiles%\\Microsoft DN1\\sqlmap.dll"	RegSvcs.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\23.exe	upx
C:\Users\Admin\AppData\Local\Temp\23.exe	upx
behavioral1/memory/856-84-0x0000000000F40000-0x0000000000F6D000-memory.dmp	upx
behavioral1/memory/856-87-0x0000000000F40000-0x0000000000F6D000-memory.dmp	upx

Loads dropped DLL 4 IoCs

Processes:

WScript.exepgclwv.exeRegSvcs.exe

pid process

2008 WScript.exe
1688 pgclwv.exe
520 RegSvcs.exe
1528

pid	process
2008	WScript.exe
1688	pgclwv.exe
520	RegSvcs.exe
1528

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

pgclwv.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	pgclwv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2_55\\pgclwv.exe C:\\Users\\Admin\\AppData\\Local\\Temp\\2_55\\vkwov.rdo"	pgclwv.exe

Modifies WinLogon 2 TTPs 4 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

RegSvcs.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList	RegSvcs.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts	RegSvcs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList\hnklpiK = "0"	RegSvcs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\AllowMultipleTSSessions = "1"	RegSvcs.exe

Drops file in System32 directory 1 IoCs

Processes:

RegSvcs.exe

description ioc process

File created C:\Windows\System32\rfxvmt.dll RegSvcs.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

pgclwv.exe

description pid process target process

PID 1688 set thread context of 520 1688 pgclwv.exe RegSvcs.exe

description	ioc	process
File created	C:\Windows\System32\rfxvmt.dll	RegSvcs.exe

description	pid	process	target process
PID 1688 set thread context of 520	1688	pgclwv.exe	RegSvcs.exe

Drops file in Program Files directory 2 IoCs

Processes:

RegSvcs.exe

description	ioc	process
File created	C:\Program Files\Microsoft DN1\rdpwrap.ini	RegSvcs.exe
File created	C:\Program Files\Microsoft DN1\sqlmap.dll	RegSvcs.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

pgclwv.exe

pid process

1688 pgclwv.exe
1688 pgclwv.exe
1688 pgclwv.exe
1688 pgclwv.exe
1688 pgclwv.exe
1688 pgclwv.exe
Suspicious behavior: LoadsDriver 3 IoCs

Processes:

pid process

1528
1528
1528
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

RegSvcs.exe

description pid process

Token: SeDebugPrivilege 520 RegSvcs.exe

pid	process
1688	pgclwv.exe
1688	pgclwv.exe
1688	pgclwv.exe
1688	pgclwv.exe
1688	pgclwv.exe
1688	pgclwv.exe

pid	process
1528
1528
1528

description	pid	process
Token: SeDebugPrivilege	520	RegSvcs.exe

Suspicious use of WriteProcessMemory 25 IoCs

Processes:

APP GFINQD31TADMUR D-31 PROPOSED VILLA.exeWScript.exepgclwv.exeRegSvcs.exe23.exe

description	pid	process	target process
PID 1900 wrote to memory of 2008	1900	APP GFINQD31TADMUR D-31 PROPOSED VILLA.exe	WScript.exe
PID 1900 wrote to memory of 2008	1900	APP GFINQD31TADMUR D-31 PROPOSED VILLA.exe	WScript.exe
PID 1900 wrote to memory of 2008	1900	APP GFINQD31TADMUR D-31 PROPOSED VILLA.exe	WScript.exe
PID 1900 wrote to memory of 2008	1900	APP GFINQD31TADMUR D-31 PROPOSED VILLA.exe	WScript.exe
PID 2008 wrote to memory of 1688	2008	WScript.exe	pgclwv.exe
PID 2008 wrote to memory of 1688	2008	WScript.exe	pgclwv.exe
PID 2008 wrote to memory of 1688	2008	WScript.exe	pgclwv.exe
PID 2008 wrote to memory of 1688	2008	WScript.exe	pgclwv.exe
PID 1688 wrote to memory of 520	1688	pgclwv.exe	RegSvcs.exe
PID 1688 wrote to memory of 520	1688	pgclwv.exe	RegSvcs.exe
PID 1688 wrote to memory of 520	1688	pgclwv.exe	RegSvcs.exe
PID 1688 wrote to memory of 520	1688	pgclwv.exe	RegSvcs.exe
PID 1688 wrote to memory of 520	1688	pgclwv.exe	RegSvcs.exe
PID 1688 wrote to memory of 520	1688	pgclwv.exe	RegSvcs.exe
PID 1688 wrote to memory of 520	1688	pgclwv.exe	RegSvcs.exe
PID 1688 wrote to memory of 520	1688	pgclwv.exe	RegSvcs.exe
PID 1688 wrote to memory of 520	1688	pgclwv.exe	RegSvcs.exe
PID 520 wrote to memory of 856	520	RegSvcs.exe	23.exe
PID 520 wrote to memory of 856	520	RegSvcs.exe	23.exe
PID 520 wrote to memory of 856	520	RegSvcs.exe	23.exe
PID 520 wrote to memory of 856	520	RegSvcs.exe	23.exe
PID 856 wrote to memory of 1960	856	23.exe	netsh.exe
PID 856 wrote to memory of 1960	856	23.exe	netsh.exe
PID 856 wrote to memory of 1960	856	23.exe	netsh.exe
PID 856 wrote to memory of 1960	856	23.exe	netsh.exe

C:\Users\Admin\AppData\Local\Temp\APP GFINQD31TADMUR D-31 PROPOSED VILLA.exe
"C:\Users\Admin\AppData\Local\Temp\APP GFINQD31TADMUR D-31 PROPOSED VILLA.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1900
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\temp\2_55\ktpmrm.vbe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2008
- - C:\Users\Admin\AppData\Local\Temp\2_55\pgclwv.exe
    "C:\Users\Admin\AppData\Local\Temp\2_55\pgclwv.exe" vkwov.rdo
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:1688
  - - C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe
      "C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe"
      4⤵
      Executes dropped EXE
      Sets DLL path for service in the registry
      Loads dropped DLL
      Modifies WinLogon
      Drops file in System32 directory
      Drops file in Program Files directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:520
    - - C:\Users\Admin\AppData\Local\Temp\23.exe
        
        "C:\Users\Admin\AppData\Local\Temp\23.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:856
      - C:\Windows\SysWOW64\netsh.exe
        
        netsh advfirewall firewall add rule name="3389" dir=in action=allow protocol=TCP localport=3389
        6⤵
        Modifies Windows Firewall
        
        PID:1960

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Winlogon Helper DLL

T1004

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\23.exe

Filesize
70KB

MD5
ca96229390a0e6a53e8f2125f2c01114

SHA1
a54b1081cf58724f8cb292b4d165dfee2fb1c9f6

SHA256
0df3d05900e7b530f6c2a281d43c47839f2cf2a5d386553c8dc46e463a635a2c

SHA512
e93445bce6c8b6f51890309577a0ea9369860d2e6bf8cc0ca708879a77bb176d27c5f559bbdb7deb4b719aee0fc48d9068c293559f7629baf4ec3515898102ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\2_55\fmbsu.msc

Filesize
61KB

MD5
c578a1472708b5aef10e7c25898b36e6

SHA1
d51145efbc032720075cae47176d5f0976f32866

SHA256
28eb7af59880fc53240202eccc272980889cb5ac987adda46534fbc05eb53b34

SHA512
49b16bf1b65f726ea9d5ea12042ad917e2fddbc6abb16f40afc26101174dc56b89fd87fb9ce6c14468882457ad907d266745d18d9fe60679a61ece25950cc14b

Download Submit
C:\Users\Admin\AppData\Local\Temp\2_55\icxathau.kqj

Filesize
379KB

MD5
5419ccfad74ce1cb8cce903079a14281

SHA1
c9e2517097f2ecf575c258cd2eef3869c76eb125

SHA256
d1cb4cfb9dca9764fc6586aeec5640eaf8b3edf0fdbcf43fde4c9981e0a0b893

SHA512
36800fed4172bb9b49210f93bcc478287c44628ed0bc8c7c3be090c5aa8cc8b9a56f2c70ea54107c80d0fa4128de2157448ab4e9634876a836ff922e5edfaa6e

Download Submit
C:\Users\Admin\AppData\Local\Temp\2_55\pgclwv.exe

Filesize
1.0MB

MD5
b153044cf36a027e19eb94b06003f09c

SHA1
9c5137654c78d249b318d7612a4d3dd2710c3aea

SHA256
cbcdc1eecb091c7e3418706dd0aafaca9018474150f73d2d4b1cc55595dcf550

SHA512
ef301b7c23b5012909e6b2a48d7bffbfc122e6c18180b66bd7ac16c8e9a27f3eff6b7cbab8a997857e6d101f8275ca87ba30d153fecb62e630aad14d923d7b96

Download Submit
C:\Users\Admin\AppData\Local\Temp\2_55\pgclwv.exe

Filesize
1.0MB

MD5
b153044cf36a027e19eb94b06003f09c

SHA1
9c5137654c78d249b318d7612a4d3dd2710c3aea

SHA256
cbcdc1eecb091c7e3418706dd0aafaca9018474150f73d2d4b1cc55595dcf550

SHA512
ef301b7c23b5012909e6b2a48d7bffbfc122e6c18180b66bd7ac16c8e9a27f3eff6b7cbab8a997857e6d101f8275ca87ba30d153fecb62e630aad14d923d7b96

Download Submit
C:\Users\Admin\AppData\Local\Temp\2_55\vkwov.rdo

Filesize
129.5MB

MD5
4c8f7539c808e81b046af9841ba95331

SHA1
3a16bfa28f9371e171a9c9c0a8f0d6ca6a7483f7

SHA256
fcc4560dcccbfc58217910891f749b79976ffad2c957d8599f05c312ffb9bb62

SHA512
daebc34e3d9f412a5304a9b1ccc69d5e460aef3f9215e50591b68949756d4c848f492644a3526a45b4f169e5406ff665bbd4ef6c1647eb8ed9b1075313fd9ea6

Download Submit
C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe

Filesize
44KB

MD5
0e06054beb13192588e745ee63a84173

SHA1
30b7d4d1277bafd04a83779fd566a1f834a8d113

SHA256
c5d6d56ded55fbd6c150ee3a0eb2e5671cae83106be2be4d70ce50aa50bab768

SHA512
251a112f3f037e62ff67a467389e47a56afb344bc942b17efa9bd2970494718b26bbee9adc3ac35f93ee4d2114aa426b6d0ea4bafad294b6c118a15f1977c215

Download Submit
C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe

Filesize
44KB

MD5
0e06054beb13192588e745ee63a84173

SHA1
30b7d4d1277bafd04a83779fd566a1f834a8d113

SHA256
c5d6d56ded55fbd6c150ee3a0eb2e5671cae83106be2be4d70ce50aa50bab768

SHA512
251a112f3f037e62ff67a467389e47a56afb344bc942b17efa9bd2970494718b26bbee9adc3ac35f93ee4d2114aa426b6d0ea4bafad294b6c118a15f1977c215

Download Submit
C:\Users\Admin\AppData\Local\temp\2_55\ktpmrm.vbe

Filesize
34KB

MD5
e146d0814871fe36347aadf65f59469c

SHA1
fdf43534f47e3ae1470cb611e5b254e8af29b1c4

SHA256
8179daea33ea668a6159af5c7d4f06842b37ecd2908b066c93a2878dffe1875b

SHA512
4d1698f273ea72b8e8453821f5b1d04aa0cb0c130912e75ba8d7cb3ef2ee8e6711514a763f36beb37ad9c1d0e19755620db58ffbb10ffc113c9773fb9deffabc

Download Submit
\Program Files\Microsoft DN1\sqlmap.dll

Filesize
114KB

MD5
461ade40b800ae80a40985594e1ac236

SHA1
b3892eef846c044a2b0785d54a432b3e93a968c8

SHA256
798af20db39280f90a1d35f2ac2c1d62124d1f5218a2a0fa29d87a13340bd3e4

SHA512
421f9060c4b61fa6f4074508602a2639209032fd5df5bfc702a159e3bad5479684ccb3f6e02f3e38fb8db53839cf3f41fe58a3acad6ec1199a48dc333b2d8a26

Download Submit
\Users\Admin\AppData\Local\Temp\23.exe

Filesize
70KB

MD5
ca96229390a0e6a53e8f2125f2c01114

SHA1
a54b1081cf58724f8cb292b4d165dfee2fb1c9f6

SHA256
0df3d05900e7b530f6c2a281d43c47839f2cf2a5d386553c8dc46e463a635a2c

SHA512
e93445bce6c8b6f51890309577a0ea9369860d2e6bf8cc0ca708879a77bb176d27c5f559bbdb7deb4b719aee0fc48d9068c293559f7629baf4ec3515898102ef

Download Submit
\Users\Admin\AppData\Local\Temp\2_55\pgclwv.exe

Filesize
1.0MB

MD5
b153044cf36a027e19eb94b06003f09c

SHA1
9c5137654c78d249b318d7612a4d3dd2710c3aea

SHA256
cbcdc1eecb091c7e3418706dd0aafaca9018474150f73d2d4b1cc55595dcf550

SHA512
ef301b7c23b5012909e6b2a48d7bffbfc122e6c18180b66bd7ac16c8e9a27f3eff6b7cbab8a997857e6d101f8275ca87ba30d153fecb62e630aad14d923d7b96

Download Submit
\Users\Admin\AppData\Local\Temp\RegSvcs.exe

Filesize
44KB

MD5
0e06054beb13192588e745ee63a84173

SHA1
30b7d4d1277bafd04a83779fd566a1f834a8d113

SHA256
c5d6d56ded55fbd6c150ee3a0eb2e5671cae83106be2be4d70ce50aa50bab768

SHA512
251a112f3f037e62ff67a467389e47a56afb344bc942b17efa9bd2970494718b26bbee9adc3ac35f93ee4d2114aa426b6d0ea4bafad294b6c118a15f1977c215

Download Submit
memory/520-75-0x0000000000270000-0x00000000008D2000-memory.dmp

Filesize
6.4MB

Download
memory/520-83-0x0000000005300000-0x000000000532D000-memory.dmp

Filesize
180KB

Download
memory/520-74-0x0000000000270000-0x00000000008D2000-memory.dmp

Filesize
6.4MB

Download
memory/520-86-0x0000000005300000-0x000000000532D000-memory.dmp

Filesize
180KB

Download
memory/520-76-0x0000000000270000-0x00000000008D2000-memory.dmp

Filesize
6.4MB

Download
memory/520-69-0x0000000000270000-0x00000000008D2000-memory.dmp

Filesize
6.4MB

Download
memory/520-67-0x0000000000270000-0x00000000008D2000-memory.dmp

Filesize
6.4MB

Download
memory/520-70-0x000000000027B556-mapping.dmp

Download
memory/856-79-0x0000000000000000-mapping.dmp

Download
memory/856-84-0x0000000000F40000-0x0000000000F6D000-memory.dmp

Filesize
180KB

Download
memory/856-87-0x0000000000F40000-0x0000000000F6D000-memory.dmp

Filesize
180KB

Download
memory/1688-60-0x0000000000000000-mapping.dmp

Download
memory/1900-54-0x00000000759F1000-0x00000000759F3000-memory.dmp

Filesize
8KB

Download
memory/1960-81-0x0000000000000000-mapping.dmp

Download
memory/2008-55-0x0000000000000000-mapping.dmp

Download