warzonerat | 1a0353868f82c688e13b205719e1cdde7a05c018662d364ea05df8038534aebc

General

Target

UPS 1Z1E31080372565980.cmd.exe
Size

928KB
MD5

eaf8556f373e47066026977ae8924a02
SHA1

1e9e4bd736398e64391db945aead5d41b71bbc42
SHA256

1a0353868f82c688e13b205719e1cdde7a05c018662d364ea05df8038534aebc
SHA512

1bb4798fd0e6d901a4bd8ccbd17f30f70f73f4ebe2a06c3dde1fcc49180859a8b27e350e6dfab8ea98f7c31dd3c48293faa4897525105acdc983a71b50f7ff29
SSDEEP

12288:cmTb4ScxQiE2iNzpqAwtjgLvk+jrasr4CxBHE2NybtQGJm8V01:Hf+E1SAwFgLvr94UX4BQG88O

Score

10^/10

warzonerat infostealer rat

Malware Config

Extracted

Family

warzonerat

C2

pastorcc.duckdns.org:2223

Signatures

WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
rat infostealer warzonerat
Suspicious use of SetThreadContext 1 IoCs

Processes:

UPS 1Z1E31080372565980.cmd.exe

description pid process target process

PID 1284 set thread context of 764 1284 UPS 1Z1E31080372565980.cmd.exe UPS 1Z1E31080372565980.cmd.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

description	pid	process	target process
PID 1284 set thread context of 764	1284	UPS 1Z1E31080372565980.cmd.exe	UPS 1Z1E31080372565980.cmd.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

UPS 1Z1E31080372565980.cmd.exepowershell.exepowershell.exe

pid	process
1284	UPS 1Z1E31080372565980.cmd.exe
1284	UPS 1Z1E31080372565980.cmd.exe
1284	UPS 1Z1E31080372565980.cmd.exe
1284	UPS 1Z1E31080372565980.cmd.exe
1284	UPS 1Z1E31080372565980.cmd.exe
1284	UPS 1Z1E31080372565980.cmd.exe
1720	powershell.exe
1800	powershell.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

UPS 1Z1E31080372565980.cmd.exepowershell.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	1284	UPS 1Z1E31080372565980.cmd.exe
Token: SeDebugPrivilege	1720	powershell.exe
Token: SeDebugPrivilege	1800	powershell.exe

Suspicious use of WriteProcessMemory 19 IoCs

Processes:

UPS 1Z1E31080372565980.cmd.exeUPS 1Z1E31080372565980.cmd.exe

description	pid	process	target process
PID 1284 wrote to memory of 1720	1284	UPS 1Z1E31080372565980.cmd.exe	powershell.exe
PID 1284 wrote to memory of 1720	1284	UPS 1Z1E31080372565980.cmd.exe	powershell.exe
PID 1284 wrote to memory of 1720	1284	UPS 1Z1E31080372565980.cmd.exe	powershell.exe
PID 1284 wrote to memory of 1720	1284	UPS 1Z1E31080372565980.cmd.exe	powershell.exe
PID 1284 wrote to memory of 764	1284	UPS 1Z1E31080372565980.cmd.exe	UPS 1Z1E31080372565980.cmd.exe
PID 1284 wrote to memory of 764	1284	UPS 1Z1E31080372565980.cmd.exe	UPS 1Z1E31080372565980.cmd.exe
PID 1284 wrote to memory of 764	1284	UPS 1Z1E31080372565980.cmd.exe	UPS 1Z1E31080372565980.cmd.exe
PID 1284 wrote to memory of 764	1284	UPS 1Z1E31080372565980.cmd.exe	UPS 1Z1E31080372565980.cmd.exe
PID 1284 wrote to memory of 764	1284	UPS 1Z1E31080372565980.cmd.exe	UPS 1Z1E31080372565980.cmd.exe
PID 1284 wrote to memory of 764	1284	UPS 1Z1E31080372565980.cmd.exe	UPS 1Z1E31080372565980.cmd.exe
PID 1284 wrote to memory of 764	1284	UPS 1Z1E31080372565980.cmd.exe	UPS 1Z1E31080372565980.cmd.exe
PID 1284 wrote to memory of 764	1284	UPS 1Z1E31080372565980.cmd.exe	UPS 1Z1E31080372565980.cmd.exe
PID 1284 wrote to memory of 764	1284	UPS 1Z1E31080372565980.cmd.exe	UPS 1Z1E31080372565980.cmd.exe
PID 1284 wrote to memory of 764	1284	UPS 1Z1E31080372565980.cmd.exe	UPS 1Z1E31080372565980.cmd.exe
PID 1284 wrote to memory of 764	1284	UPS 1Z1E31080372565980.cmd.exe	UPS 1Z1E31080372565980.cmd.exe
PID 764 wrote to memory of 1800	764	UPS 1Z1E31080372565980.cmd.exe	powershell.exe
PID 764 wrote to memory of 1800	764	UPS 1Z1E31080372565980.cmd.exe	powershell.exe
PID 764 wrote to memory of 1800	764	UPS 1Z1E31080372565980.cmd.exe	powershell.exe
PID 764 wrote to memory of 1800	764	UPS 1Z1E31080372565980.cmd.exe	powershell.exe

C:\Users\Admin\AppData\Local\Temp\UPS 1Z1E31080372565980.cmd.exe
"C:\Users\Admin\AppData\Local\Temp\UPS 1Z1E31080372565980.cmd.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1284
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\UPS 1Z1E31080372565980.cmd.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1720
- C:\Users\Admin\AppData\Local\Temp\UPS 1Z1E31080372565980.cmd.exe
  "C:\Users\Admin\AppData\Local\Temp\UPS 1Z1E31080372565980.cmd.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:764
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell Add-MpPreference -ExclusionPath C:\
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1800

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
fbfd4162e3d9d4c3d69a7c1f58c37d83

SHA1
3e430fa85b129c85a46fb87021b29e7b6385995b

SHA256
5ec76ab98fcca3d915184a88d153414fd1f32fa04d73a78df7dafad7dc31d8e0

SHA512
de38fcc140a865396b4fadbae9fa0e7ac11f5a6a73395d9e16657c9541bf326b08f4b276c95c4dd9ffcaced1b3feafceb111de002ba449b44da88fd832a32edc

Download Submit
memory/764-76-0x0000000000400000-0x000000000055E000-memory.dmp

Filesize
1.4MB

Download
memory/764-63-0x0000000000400000-0x000000000055E000-memory.dmp

Filesize
1.4MB

Download
memory/764-69-0x0000000000400000-0x000000000055E000-memory.dmp

Filesize
1.4MB

Download
memory/764-72-0x0000000000400000-0x000000000055E000-memory.dmp

Filesize
1.4MB

Download
memory/764-71-0x0000000000400000-0x000000000055E000-memory.dmp

Filesize
1.4MB

Download
memory/764-77-0x0000000000400000-0x000000000055E000-memory.dmp

Filesize
1.4MB

Download
memory/764-61-0x0000000000400000-0x000000000055E000-memory.dmp

Filesize
1.4MB

Download
memory/764-73-0x0000000000405E28-mapping.dmp

Download
memory/764-65-0x0000000000400000-0x000000000055E000-memory.dmp

Filesize
1.4MB

Download
memory/764-67-0x0000000000400000-0x000000000055E000-memory.dmp

Filesize
1.4MB

Download
memory/1284-57-0x00000000008E0000-0x00000000008EC000-memory.dmp

Filesize
48KB

Download
memory/1284-56-0x0000000000280000-0x0000000000292000-memory.dmp

Filesize
72KB

Download
memory/1284-58-0x0000000005E10000-0x0000000005E9A000-memory.dmp

Filesize
552KB

Download
memory/1284-55-0x00000000762E1000-0x00000000762E3000-memory.dmp

Filesize
8KB

Download
memory/1284-54-0x00000000008F0000-0x00000000009DE000-memory.dmp

Filesize
952KB

Download
memory/1284-60-0x00000000059C0000-0x0000000005A10000-memory.dmp

Filesize
320KB

Download
memory/1720-59-0x0000000000000000-mapping.dmp

Download
memory/1720-79-0x0000000074AC0000-0x000000007506B000-memory.dmp

Filesize
5.7MB

Download
memory/1720-78-0x0000000074AC0000-0x000000007506B000-memory.dmp

Filesize
5.7MB

Download
memory/1800-80-0x0000000000000000-mapping.dmp

Download
memory/1800-83-0x0000000073A80000-0x000000007402B000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads