warzonerat | 5e47be22f5e470990084884a07f41c0f997c24ae37b26d8f41b01776bbc6588b

Analysis

max time kernel
142s
max time network
148s
platform
windows10-1703_x64
resource
win10-20220812-en
resource tags

arch:x64arch:x86image:win10-20220812-enlocale:en-usos:windows10-1703-x64system
submitted
13-11-2022 02:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

windll32.exe
Size

144KB
MD5

64fac32b120e4ff32d2b630b034475be
SHA1

081605cd23a89a864fa4e4e16f00329cd9cdfc10
SHA256

5e47be22f5e470990084884a07f41c0f997c24ae37b26d8f41b01776bbc6588b
SHA512

e5febfd95602f42431ed03df46387ba95324b20f8fadb32b2fe9cfbf8ae1b740e7e6cdd3ed78db08e0ea58b9d3bfd915a0cb863cf570ce2c75ff80986a33b768
SSDEEP

3072:F7W9jps0Tx4azG6GweOTir5axbjNCz45LT7auXkP0N:FwpsERzGKurEXCzeLT7auX1N

Score

10^/10

warzonerat infostealer persistence rat

Malware Config

Extracted

Family

warzonerat

162.55.126.123:1111

Signatures

WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
rat infostealer warzonerat

Warzone RAT payload 2 IoCs

rat

Processes:

resource	yara_rule
C:\Users\Admin\Documents\images.exe	warzonerat
C:\Users\Admin\Documents\images.exe	warzonerat

Executes dropped EXE 1 IoCs

Processes:

images.exe

pid process

5048 images.exe

pid	process
5048	images.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

windll32.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Images = "C:\\Users\\Admin\\Documents\\images.exe"	windll32.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

windll32.exeimages.exe

description	pid	process	target process
PID 3804 wrote to memory of 5048	3804	windll32.exe	images.exe
PID 3804 wrote to memory of 5048	3804	windll32.exe	images.exe
PID 3804 wrote to memory of 5048	3804	windll32.exe	images.exe
PID 5048 wrote to memory of 4024	5048	images.exe	cmd.exe
PID 5048 wrote to memory of 4024	5048	images.exe	cmd.exe
PID 5048 wrote to memory of 4024	5048	images.exe	cmd.exe
PID 5048 wrote to memory of 4024	5048	images.exe	cmd.exe
PID 5048 wrote to memory of 4024	5048	images.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\windll32.exe
"C:\Users\Admin\AppData\Local\Temp\windll32.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3804

C:\Users\Admin\Documents\images.exe
"C:\Users\Admin\Documents\images.exe"
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5048

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe"
3⤵
PID:4024

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\Documents\images.exe
Filesize
144KB

MD5
64fac32b120e4ff32d2b630b034475be

SHA1
081605cd23a89a864fa4e4e16f00329cd9cdfc10

SHA256
5e47be22f5e470990084884a07f41c0f997c24ae37b26d8f41b01776bbc6588b

SHA512
e5febfd95602f42431ed03df46387ba95324b20f8fadb32b2fe9cfbf8ae1b740e7e6cdd3ed78db08e0ea58b9d3bfd915a0cb863cf570ce2c75ff80986a33b768

Download Submit
C:\Users\Admin\Documents\images.exe
Filesize
144KB

MD5
64fac32b120e4ff32d2b630b034475be

SHA1
081605cd23a89a864fa4e4e16f00329cd9cdfc10

SHA256
5e47be22f5e470990084884a07f41c0f997c24ae37b26d8f41b01776bbc6588b

SHA512
e5febfd95602f42431ed03df46387ba95324b20f8fadb32b2fe9cfbf8ae1b740e7e6cdd3ed78db08e0ea58b9d3bfd915a0cb863cf570ce2c75ff80986a33b768

Download Submit
memory/3804-147-0x0000000077BE0000-0x0000000077D6E000-memory.dmp

Filesize
1.6MB

Download
memory/3804-128-0x0000000077BE0000-0x0000000077D6E000-memory.dmp

Filesize
1.6MB

Download
memory/3804-117-0x0000000077BE0000-0x0000000077D6E000-memory.dmp

Filesize
1.6MB

Download
memory/3804-118-0x0000000077BE0000-0x0000000077D6E000-memory.dmp

Filesize
1.6MB

Download
memory/3804-119-0x0000000077BE0000-0x0000000077D6E000-memory.dmp

Filesize
1.6MB

Download
memory/3804-120-0x0000000077BE0000-0x0000000077D6E000-memory.dmp

Filesize
1.6MB

Download
memory/3804-123-0x0000000077BE0000-0x0000000077D6E000-memory.dmp

Filesize
1.6MB

Download
memory/3804-122-0x0000000077BE0000-0x0000000077D6E000-memory.dmp

Filesize
1.6MB

Download
memory/3804-124-0x0000000077BE0000-0x0000000077D6E000-memory.dmp

Filesize
1.6MB

Download
memory/3804-121-0x0000000077BE0000-0x0000000077D6E000-memory.dmp

Filesize
1.6MB

Download
memory/3804-125-0x0000000077BE0000-0x0000000077D6E000-memory.dmp

Filesize
1.6MB

Download
memory/3804-126-0x0000000077BE0000-0x0000000077D6E000-memory.dmp

Filesize
1.6MB

Download
memory/3804-127-0x0000000077BE0000-0x0000000077D6E000-memory.dmp

Filesize
1.6MB

Download
memory/3804-148-0x0000000077BE0000-0x0000000077D6E000-memory.dmp

Filesize
1.6MB

Download
memory/3804-129-0x0000000077BE0000-0x0000000077D6E000-memory.dmp

Filesize
1.6MB

Download
memory/3804-130-0x0000000077BE0000-0x0000000077D6E000-memory.dmp

Filesize
1.6MB

Download
memory/3804-131-0x0000000077BE0000-0x0000000077D6E000-memory.dmp

Filesize
1.6MB

Download
memory/3804-132-0x0000000077BE0000-0x0000000077D6E000-memory.dmp

Filesize
1.6MB

Download
memory/3804-133-0x0000000077BE0000-0x0000000077D6E000-memory.dmp

Filesize
1.6MB

Download
memory/3804-134-0x0000000077BE0000-0x0000000077D6E000-memory.dmp

Filesize
1.6MB

Download
memory/3804-135-0x0000000077BE0000-0x0000000077D6E000-memory.dmp

Filesize
1.6MB

Download
memory/3804-136-0x0000000077BE0000-0x0000000077D6E000-memory.dmp

Filesize
1.6MB

Download
memory/3804-137-0x0000000077BE0000-0x0000000077D6E000-memory.dmp

Filesize
1.6MB

Download
memory/3804-138-0x0000000077BE0000-0x0000000077D6E000-memory.dmp

Filesize
1.6MB

Download
memory/3804-139-0x0000000077BE0000-0x0000000077D6E000-memory.dmp

Filesize
1.6MB

Download
memory/3804-140-0x0000000077BE0000-0x0000000077D6E000-memory.dmp

Filesize
1.6MB

Download
memory/3804-141-0x0000000077BE0000-0x0000000077D6E000-memory.dmp

Filesize
1.6MB

Download
memory/3804-142-0x0000000077BE0000-0x0000000077D6E000-memory.dmp

Filesize
1.6MB

Download
memory/3804-143-0x0000000077BE0000-0x0000000077D6E000-memory.dmp

Filesize
1.6MB

Download
memory/3804-144-0x0000000077BE0000-0x0000000077D6E000-memory.dmp

Filesize
1.6MB

Download
memory/3804-149-0x0000000077BE0000-0x0000000077D6E000-memory.dmp

Filesize
1.6MB

Download
memory/3804-145-0x0000000077BE0000-0x0000000077D6E000-memory.dmp

Filesize
1.6MB

Download
memory/3804-152-0x0000000077BE0000-0x0000000077D6E000-memory.dmp

Filesize
1.6MB

Download
memory/3804-116-0x0000000077BE0000-0x0000000077D6E000-memory.dmp

Filesize
1.6MB

Download
memory/3804-146-0x0000000077BE0000-0x0000000077D6E000-memory.dmp

Filesize
1.6MB

Download
memory/3804-151-0x0000000077BE0000-0x0000000077D6E000-memory.dmp

Filesize
1.6MB

Download
memory/3804-150-0x0000000077BE0000-0x0000000077D6E000-memory.dmp

Filesize
1.6MB

Download
memory/3804-115-0x0000000077BE0000-0x0000000077D6E000-memory.dmp

Filesize
1.6MB

Download
memory/3804-153-0x0000000077BE0000-0x0000000077D6E000-memory.dmp

Filesize
1.6MB

Download
memory/3804-154-0x0000000077BE0000-0x0000000077D6E000-memory.dmp

Filesize
1.6MB

Download
memory/3804-155-0x0000000077BE0000-0x0000000077D6E000-memory.dmp

Filesize
1.6MB

Download
memory/3804-156-0x0000000077BE0000-0x0000000077D6E000-memory.dmp

Filesize
1.6MB

Download
memory/3804-157-0x0000000077BE0000-0x0000000077D6E000-memory.dmp

Filesize
1.6MB

Download
memory/3804-158-0x0000000077BE0000-0x0000000077D6E000-memory.dmp

Filesize
1.6MB

Download
memory/3804-159-0x0000000077BE0000-0x0000000077D6E000-memory.dmp

Filesize
1.6MB

Download
memory/3804-160-0x0000000077BE0000-0x0000000077D6E000-memory.dmp

Filesize
1.6MB

Download
memory/3804-161-0x0000000077BE0000-0x0000000077D6E000-memory.dmp

Filesize
1.6MB

Download
memory/3804-162-0x0000000077BE0000-0x0000000077D6E000-memory.dmp

Filesize
1.6MB

Download
memory/3804-163-0x0000000077BE0000-0x0000000077D6E000-memory.dmp

Filesize
1.6MB

Download
memory/3804-164-0x0000000077BE0000-0x0000000077D6E000-memory.dmp

Filesize
1.6MB

Download
memory/3804-165-0x0000000077BE0000-0x0000000077D6E000-memory.dmp

Filesize
1.6MB

Download
memory/3804-166-0x0000000077BE0000-0x0000000077D6E000-memory.dmp

Filesize
1.6MB

Download
memory/3804-167-0x0000000077BE0000-0x0000000077D6E000-memory.dmp

Filesize
1.6MB

Download
memory/3804-168-0x0000000077BE0000-0x0000000077D6E000-memory.dmp

Filesize
1.6MB

Download
memory/3804-169-0x0000000077BE0000-0x0000000077D6E000-memory.dmp

Filesize
1.6MB

Download
memory/3804-170-0x0000000077BE0000-0x0000000077D6E000-memory.dmp

Filesize
1.6MB

Download
memory/3804-171-0x0000000077BE0000-0x0000000077D6E000-memory.dmp

Filesize
1.6MB

Download
memory/3804-172-0x0000000077BE0000-0x0000000077D6E000-memory.dmp

Filesize
1.6MB

Download
memory/3804-174-0x0000000077BE0000-0x0000000077D6E000-memory.dmp

Filesize
1.6MB

Download
memory/3804-177-0x0000000077BE0000-0x0000000077D6E000-memory.dmp

Filesize
1.6MB

Download
memory/3804-179-0x0000000077BE0000-0x0000000077D6E000-memory.dmp

Filesize
1.6MB

Download
memory/4024-237-0x0000000000000000-mapping.dmp

Download
memory/5048-173-0x0000000000000000-mapping.dmp

Download
memory/5048-178-0x0000000077BE0000-0x0000000077D6E000-memory.dmp

Filesize
1.6MB

Download
memory/5048-180-0x0000000077BE0000-0x0000000077D6E000-memory.dmp

Filesize
1.6MB

Download
memory/5048-176-0x0000000077BE0000-0x0000000077D6E000-memory.dmp

Filesize
1.6MB

Download