warzonerat | 1a0353868f82c688e13b205719e1cdde7a05c018662d364ea05df8038534aebc

General

Target

UPS 1Z1E31080372565980.cmd.exe
Size

928KB
MD5

eaf8556f373e47066026977ae8924a02
SHA1

1e9e4bd736398e64391db945aead5d41b71bbc42
SHA256

1a0353868f82c688e13b205719e1cdde7a05c018662d364ea05df8038534aebc
SHA512

1bb4798fd0e6d901a4bd8ccbd17f30f70f73f4ebe2a06c3dde1fcc49180859a8b27e350e6dfab8ea98f7c31dd3c48293faa4897525105acdc983a71b50f7ff29
SSDEEP

12288:cmTb4ScxQiE2iNzpqAwtjgLvk+jrasr4CxBHE2NybtQGJm8V01:Hf+E1SAwFgLvr94UX4BQG88O

Score

10^/10

warzonerat infostealer rat

Malware Config

Extracted

Family

warzonerat

C2

pastorcc.duckdns.org:2223

Signatures

WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
rat infostealer warzonerat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

UPS 1Z1E31080372565980.cmd.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	UPS 1Z1E31080372565980.cmd.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

UPS 1Z1E31080372565980.cmd.exe

description pid process target process

PID 3204 set thread context of 2332 3204 UPS 1Z1E31080372565980.cmd.exe UPS 1Z1E31080372565980.cmd.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

description	pid	process	target process
PID 3204 set thread context of 2332	3204	UPS 1Z1E31080372565980.cmd.exe	UPS 1Z1E31080372565980.cmd.exe

Suspicious behavior: EnumeratesProcesses 13 IoCs

Processes:

UPS 1Z1E31080372565980.cmd.exepowershell.exepowershell.exe

pid	process
3204	UPS 1Z1E31080372565980.cmd.exe
3204	UPS 1Z1E31080372565980.cmd.exe
3204	UPS 1Z1E31080372565980.cmd.exe
3204	UPS 1Z1E31080372565980.cmd.exe
3204	UPS 1Z1E31080372565980.cmd.exe
3204	UPS 1Z1E31080372565980.cmd.exe
3204	UPS 1Z1E31080372565980.cmd.exe
3204	UPS 1Z1E31080372565980.cmd.exe
3204	UPS 1Z1E31080372565980.cmd.exe
4340	powershell.exe
2720	powershell.exe
4340	powershell.exe
2720	powershell.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

UPS 1Z1E31080372565980.cmd.exepowershell.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	3204	UPS 1Z1E31080372565980.cmd.exe
Token: SeDebugPrivilege	4340	powershell.exe
Token: SeDebugPrivilege	2720	powershell.exe

Suspicious use of WriteProcessMemory 16 IoCs

Processes:

UPS 1Z1E31080372565980.cmd.exeUPS 1Z1E31080372565980.cmd.exe

C:\Users\Admin\AppData\Local\Temp\UPS 1Z1E31080372565980.cmd.exe
"C:\Users\Admin\AppData\Local\Temp\UPS 1Z1E31080372565980.cmd.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3204
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\UPS 1Z1E31080372565980.cmd.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4340
- C:\Users\Admin\AppData\Local\Temp\UPS 1Z1E31080372565980.cmd.exe
  "C:\Users\Admin\AppData\Local\Temp\UPS 1Z1E31080372565980.cmd.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2332
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell Add-MpPreference -ExclusionPath C:\
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2720

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/2332-138-0x0000000000000000-mapping.dmp

Download
memory/2332-150-0x0000000000400000-0x000000000055E000-memory.dmp

Filesize
1.4MB

Download
memory/2332-143-0x0000000000400000-0x000000000055E000-memory.dmp

Filesize
1.4MB

Download
memory/2332-141-0x0000000000400000-0x000000000055E000-memory.dmp

Filesize
1.4MB

Download
memory/2332-139-0x0000000000400000-0x000000000055E000-memory.dmp

Filesize
1.4MB

Download
memory/2720-149-0x0000000004810000-0x000000000482E000-memory.dmp

Filesize
120KB

Download
memory/2720-152-0x0000000070850000-0x000000007089C000-memory.dmp

Filesize
304KB

Download
memory/2720-162-0x0000000007160000-0x0000000007168000-memory.dmp

Filesize
32KB

Download
memory/2720-161-0x0000000007170000-0x000000000718A000-memory.dmp

Filesize
104KB

Download
memory/2720-156-0x0000000007400000-0x0000000007A7A000-memory.dmp

Filesize
6.5MB

Download
memory/2720-154-0x0000000006050000-0x000000000606E000-memory.dmp

Filesize
120KB

Download
memory/2720-148-0x0000000000000000-mapping.dmp

Download
memory/3204-136-0x00000000095F0000-0x000000000968C000-memory.dmp

Filesize
624KB

Download
memory/3204-133-0x0000000005D80000-0x0000000006324000-memory.dmp

Filesize
5.6MB

Download
memory/3204-135-0x00000000057B0000-0x00000000057BA000-memory.dmp

Filesize
40KB

Download
memory/3204-132-0x0000000000C70000-0x0000000000D5E000-memory.dmp

Filesize
952KB

Download
memory/3204-134-0x00000000056F0000-0x0000000005782000-memory.dmp

Filesize
584KB

Download
memory/4340-146-0x0000000006010000-0x0000000006076000-memory.dmp

Filesize
408KB

Download
memory/4340-158-0x0000000007C20000-0x0000000007C2A000-memory.dmp

Filesize
40KB

Download
memory/4340-153-0x0000000070850000-0x000000007089C000-memory.dmp

Filesize
304KB

Download
memory/4340-155-0x0000000006E60000-0x0000000006E7E000-memory.dmp

Filesize
120KB

Download
memory/4340-147-0x00000000061F0000-0x0000000006256000-memory.dmp

Filesize
408KB

Download
memory/4340-137-0x0000000000000000-mapping.dmp

Download
memory/4340-157-0x0000000007BB0000-0x0000000007BCA000-memory.dmp

Filesize
104KB

Download
memory/4340-151-0x0000000006E80000-0x0000000006EB2000-memory.dmp

Filesize
200KB

Download
memory/4340-159-0x0000000007E30000-0x0000000007EC6000-memory.dmp

Filesize
600KB

Download
memory/4340-160-0x0000000007F00000-0x0000000007F0E000-memory.dmp

Filesize
56KB

Download
memory/4340-145-0x00000000058F0000-0x0000000005912000-memory.dmp

Filesize
136KB

Download
memory/4340-163-0x0000000007F50000-0x0000000007F58000-memory.dmp

Filesize
32KB

Download
memory/4340-144-0x00000000059E0000-0x0000000006008000-memory.dmp

Filesize
6.2MB

Download
memory/4340-142-0x0000000002FC0000-0x0000000002FF6000-memory.dmp

Filesize
216KB

Download

description	pid	process	target process
PID 3204 wrote to memory of 4340	3204	UPS 1Z1E31080372565980.cmd.exe	powershell.exe
PID 3204 wrote to memory of 4340	3204	UPS 1Z1E31080372565980.cmd.exe	powershell.exe
PID 3204 wrote to memory of 4340	3204	UPS 1Z1E31080372565980.cmd.exe	powershell.exe
PID 3204 wrote to memory of 2332	3204	UPS 1Z1E31080372565980.cmd.exe	UPS 1Z1E31080372565980.cmd.exe
PID 3204 wrote to memory of 2332	3204	UPS 1Z1E31080372565980.cmd.exe	UPS 1Z1E31080372565980.cmd.exe
PID 3204 wrote to memory of 2332	3204	UPS 1Z1E31080372565980.cmd.exe	UPS 1Z1E31080372565980.cmd.exe
PID 3204 wrote to memory of 2332	3204	UPS 1Z1E31080372565980.cmd.exe	UPS 1Z1E31080372565980.cmd.exe
PID 3204 wrote to memory of 2332	3204	UPS 1Z1E31080372565980.cmd.exe	UPS 1Z1E31080372565980.cmd.exe
PID 3204 wrote to memory of 2332	3204	UPS 1Z1E31080372565980.cmd.exe	UPS 1Z1E31080372565980.cmd.exe
PID 3204 wrote to memory of 2332	3204	UPS 1Z1E31080372565980.cmd.exe	UPS 1Z1E31080372565980.cmd.exe
PID 3204 wrote to memory of 2332	3204	UPS 1Z1E31080372565980.cmd.exe	UPS 1Z1E31080372565980.cmd.exe
PID 3204 wrote to memory of 2332	3204	UPS 1Z1E31080372565980.cmd.exe	UPS 1Z1E31080372565980.cmd.exe
PID 3204 wrote to memory of 2332	3204	UPS 1Z1E31080372565980.cmd.exe	UPS 1Z1E31080372565980.cmd.exe
PID 2332 wrote to memory of 2720	2332	UPS 1Z1E31080372565980.cmd.exe	powershell.exe
PID 2332 wrote to memory of 2720	2332	UPS 1Z1E31080372565980.cmd.exe	powershell.exe
PID 2332 wrote to memory of 2720	2332	UPS 1Z1E31080372565980.cmd.exe	powershell.exe

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads