warzonerat | aea7a35212e49f49012cdfffd1439eb1ad9e6e761345b17ebcfbc5a8dd9dd7a5

General

Target

New Order.exe
Size

182KB
MD5

87f1fa2cbb6d89478f3410e4275ee136
SHA1

eadfde48ac259605190da64fb577314e744f7e40
SHA256

aea7a35212e49f49012cdfffd1439eb1ad9e6e761345b17ebcfbc5a8dd9dd7a5
SHA512

81b865a594be3f7141ba78fa93c743dfbd43e99dada8bf87cfdda2c0783ec1ba258599bc9335ba698281624cfcfe4be0bec4935de6809b88d25e34284c9a2f75
SSDEEP

3072:WYJSq+ytGIon9KcHJnmZ6Fl2SfwM5p/jSalX5/8vJ+ztxoudG54QMwkloHYp4iqx:TEa0+Wz55hSvJFD54n3vKiCv7B

Score

10^/10

warzonerat infostealer persistence rat

Malware Config

Extracted

Family

warzonerat

C2

rajsavindia.hopto.org:5067

Signatures

WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
rat infostealer warzonerat

Warzone RAT payload 2 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/1332-66-0x0000000000400000-0x0000000000554000-memory.dmp	warzonerat
behavioral1/memory/1332-67-0x0000000000400000-0x0000000000554000-memory.dmp	warzonerat

Executes dropped EXE 2 IoCs

Processes:

owukdjgb.exeowukdjgb.exe

pid process

1560 owukdjgb.exe
1332 owukdjgb.exe
Loads dropped DLL 2 IoCs

Processes:

New Order.exeowukdjgb.exe

pid process

1288 New Order.exe
1560 owukdjgb.exe

pid	process
1560	owukdjgb.exe
1332	owukdjgb.exe

pid	process
1288	New Order.exe
1560	owukdjgb.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

owukdjgb.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\ohqw = "C:\\Users\\Admin\\AppData\\Roaming\\gbdoiggm\\sulviexdmo.exe \"C:\\Users\\Admin\\AppData\\Local\\Temp\\owukdjgb.exe\""	owukdjgb.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

owukdjgb.exe

description pid process target process

PID 1560 set thread context of 1332 1560 owukdjgb.exe owukdjgb.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

owukdjgb.exe

pid process

1560 owukdjgb.exe

description	pid	process	target process
PID 1560 set thread context of 1332	1560	owukdjgb.exe	owukdjgb.exe

pid	process
1560	owukdjgb.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

New Order.exeowukdjgb.exe

description	pid	process	target process
PID 1288 wrote to memory of 1560	1288	New Order.exe	owukdjgb.exe
PID 1288 wrote to memory of 1560	1288	New Order.exe	owukdjgb.exe
PID 1288 wrote to memory of 1560	1288	New Order.exe	owukdjgb.exe
PID 1288 wrote to memory of 1560	1288	New Order.exe	owukdjgb.exe
PID 1560 wrote to memory of 1332	1560	owukdjgb.exe	owukdjgb.exe
PID 1560 wrote to memory of 1332	1560	owukdjgb.exe	owukdjgb.exe
PID 1560 wrote to memory of 1332	1560	owukdjgb.exe	owukdjgb.exe
PID 1560 wrote to memory of 1332	1560	owukdjgb.exe	owukdjgb.exe
PID 1560 wrote to memory of 1332	1560	owukdjgb.exe	owukdjgb.exe

C:\Users\Admin\AppData\Local\Temp\New Order.exe
"C:\Users\Admin\AppData\Local\Temp\New Order.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1288
- C:\Users\Admin\AppData\Local\Temp\owukdjgb.exe
  "C:\Users\Admin\AppData\Local\Temp\owukdjgb.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of SetThreadContext
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:1560
- - C:\Users\Admin\AppData\Local\Temp\owukdjgb.exe
    "C:\Users\Admin\AppData\Local\Temp\owukdjgb.exe"
    3⤵
    - Executes dropped EXE
    PID:1332

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\eyrfl.x

Filesize
113KB

MD5
bc2ef239e6e655e901e9ed225f3e834e

SHA1
a4e08a009b9e2dce7e6f8d02cadb102a6385f80b

SHA256
1a9d52c7b4faeeb88e711c27a9c31d717d10f0423985defb1e066a65fc6e01e6

SHA512
50ae4dbd08be759deb860af21bd598710699a74d286cd68bb380492e11b581c01e7ab3368e5658fd5d6d6f4ea5fe8df6d6fe70dc683aa6024e20022250c9178e

Download Submit
C:\Users\Admin\AppData\Local\Temp\nvaddz.ncl

Filesize
7KB

MD5
0eaaead25d85e7dc6ee4358e1d64fcb9

SHA1
a5312e323cc93a366b1c1b720f6e0122f1e5fa2c

SHA256
d999ae172b52bc94e1850a216742722dad5e8ae99c53a09b68b8d0f1d14d6b71

SHA512
2fca6bf7f90c95c8ecebb4d16ad4b14eda4f6b6ecb076869c396d6750dbb9d19e57b702bd30f94ff461741c75166e2e1c27b3d6e37480b33a7b8df2dabf42bb2

Download Submit
C:\Users\Admin\AppData\Local\Temp\owukdjgb.exe

Filesize
6KB

MD5
c066d7b4973fab7478809ba95f3cd018

SHA1
5e1d874316ef0f8f2167cb5727a607005744be57

SHA256
54403f3b5d3ad9d08405c743eb7886996d7b43f42c1d716b798d953d5bd71d14

SHA512
a50731cea3d881e80b0be0f92b7ef51e1e4ace036da6b78a571fc0f0179107efb77678a345a9842a81732069a2ac11d0b34146f6a773ab313d276dec61912d77

Download Submit
C:\Users\Admin\AppData\Local\Temp\owukdjgb.exe

Filesize
6KB

MD5
c066d7b4973fab7478809ba95f3cd018

SHA1
5e1d874316ef0f8f2167cb5727a607005744be57

SHA256
54403f3b5d3ad9d08405c743eb7886996d7b43f42c1d716b798d953d5bd71d14

SHA512
a50731cea3d881e80b0be0f92b7ef51e1e4ace036da6b78a571fc0f0179107efb77678a345a9842a81732069a2ac11d0b34146f6a773ab313d276dec61912d77

Download Submit
C:\Users\Admin\AppData\Local\Temp\owukdjgb.exe

Filesize
6KB

MD5
c066d7b4973fab7478809ba95f3cd018

SHA1
5e1d874316ef0f8f2167cb5727a607005744be57

SHA256
54403f3b5d3ad9d08405c743eb7886996d7b43f42c1d716b798d953d5bd71d14

SHA512
a50731cea3d881e80b0be0f92b7ef51e1e4ace036da6b78a571fc0f0179107efb77678a345a9842a81732069a2ac11d0b34146f6a773ab313d276dec61912d77

Download Submit
\Users\Admin\AppData\Local\Temp\owukdjgb.exe

Filesize
6KB

MD5
c066d7b4973fab7478809ba95f3cd018

SHA1
5e1d874316ef0f8f2167cb5727a607005744be57

SHA256
54403f3b5d3ad9d08405c743eb7886996d7b43f42c1d716b798d953d5bd71d14

SHA512
a50731cea3d881e80b0be0f92b7ef51e1e4ace036da6b78a571fc0f0179107efb77678a345a9842a81732069a2ac11d0b34146f6a773ab313d276dec61912d77

Download Submit
\Users\Admin\AppData\Local\Temp\owukdjgb.exe

Filesize
6KB

MD5
c066d7b4973fab7478809ba95f3cd018

SHA1
5e1d874316ef0f8f2167cb5727a607005744be57

SHA256
54403f3b5d3ad9d08405c743eb7886996d7b43f42c1d716b798d953d5bd71d14

SHA512
a50731cea3d881e80b0be0f92b7ef51e1e4ace036da6b78a571fc0f0179107efb77678a345a9842a81732069a2ac11d0b34146f6a773ab313d276dec61912d77

Download Submit
memory/1288-54-0x0000000075FE1000-0x0000000075FE3000-memory.dmp

Filesize
8KB

Download
memory/1332-63-0x0000000000405CE2-mapping.dmp

Download
memory/1332-66-0x0000000000400000-0x0000000000554000-memory.dmp

Filesize
1.3MB

Download
memory/1332-67-0x0000000000400000-0x0000000000554000-memory.dmp

Filesize
1.3MB

Download
memory/1560-56-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads