warzonerat | 3df212b13323638a741a6febc79f2e426775adde00e486bc52624a23da1c53b8

General

Target

3df212b13323638a741a6febc79f2e426775adde00e486bc52624a23da1c53b8.exe
Size

1.8MB
MD5

61bbdb549ccbc81047a83e195b00a38b
SHA1

96b4d39428e9ddff6737cd3944b303f169078ebe
SHA256

3df212b13323638a741a6febc79f2e426775adde00e486bc52624a23da1c53b8
SHA512

d0c83db4127ac94a01cccc06492aed8e69d69e0cbffb602debbb67a2bbe3037221d8659bfd4987c8da06d7dcdb926eb5b65653385197fa3632c5a19f72a02633
SSDEEP

12288:ej33yzo7xhMSK4ftKDjtkii0uuDVqMnoV8WUu1HHGYnjNVoWuLD/bfsycN01/Rn:ejyQoDhxjnoV8WUu1HmoknJ

Score

10^/10

warzonerat infostealer persistence rat

Malware Config

Extracted

Family

warzonerat

C2

192.3.111.154:5200

Signatures

WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
rat infostealer warzonerat

Warzone RAT payload 3 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/3500-132-0x0000000003010000-0x0000000003A10000-memory.dmp	warzonerat
behavioral2/memory/3500-133-0x0000000003A10000-0x0000000003B64000-memory.dmp	warzonerat
behavioral2/memory/4848-149-0x0000000003920000-0x0000000003A74000-memory.dmp	warzonerat

Executes dropped EXE 1 IoCs

Processes:

itunes.exe

pid process

4848 itunes.exe

pid	process
4848	itunes.exe

Drops startup file 2 IoCs

Processes:

3df212b13323638a741a6febc79f2e426775adde00e486bc52624a23da1c53b8.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\programs.bat:start	3df212b13323638a741a6febc79f2e426775adde00e486bc52624a23da1c53b8.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\programs.bat	3df212b13323638a741a6febc79f2e426775adde00e486bc52624a23da1c53b8.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

3df212b13323638a741a6febc79f2e426775adde00e486bc52624a23da1c53b8.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\conhost = "C:\\ProgramData\\itunes.exe"	3df212b13323638a741a6febc79f2e426775adde00e486bc52624a23da1c53b8.exe

NTFS ADS 1 IoCs

Processes:

3df212b13323638a741a6febc79f2e426775adde00e486bc52624a23da1c53b8.exe

description ioc process

File created C:\ProgramData:ApplicationData 3df212b13323638a741a6febc79f2e426775adde00e486bc52624a23da1c53b8.exe
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

powershell.exepowershell.exe

pid process

3792 powershell.exe
3792 powershell.exe
4768 powershell.exe
4768 powershell.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

powershell.exepowershell.exe

description pid process

Token: SeDebugPrivilege 3792 powershell.exe
Token: SeDebugPrivilege 4768 powershell.exe

description	ioc	process
File created	C:\ProgramData:ApplicationData	3df212b13323638a741a6febc79f2e426775adde00e486bc52624a23da1c53b8.exe

pid	process
3792	powershell.exe
3792	powershell.exe
4768	powershell.exe
4768	powershell.exe

description	pid	process
Token: SeDebugPrivilege	3792	powershell.exe
Token: SeDebugPrivilege	4768	powershell.exe

Suspicious use of WriteProcessMemory 14 IoCs

Processes:

3df212b13323638a741a6febc79f2e426775adde00e486bc52624a23da1c53b8.exeitunes.exe

description	pid	process	target process
PID 3500 wrote to memory of 3792	3500	3df212b13323638a741a6febc79f2e426775adde00e486bc52624a23da1c53b8.exe	powershell.exe
PID 3500 wrote to memory of 3792	3500	3df212b13323638a741a6febc79f2e426775adde00e486bc52624a23da1c53b8.exe	powershell.exe
PID 3500 wrote to memory of 3792	3500	3df212b13323638a741a6febc79f2e426775adde00e486bc52624a23da1c53b8.exe	powershell.exe
PID 3500 wrote to memory of 4848	3500	3df212b13323638a741a6febc79f2e426775adde00e486bc52624a23da1c53b8.exe	itunes.exe
PID 3500 wrote to memory of 4848	3500	3df212b13323638a741a6febc79f2e426775adde00e486bc52624a23da1c53b8.exe	itunes.exe
PID 3500 wrote to memory of 4848	3500	3df212b13323638a741a6febc79f2e426775adde00e486bc52624a23da1c53b8.exe	itunes.exe
PID 4848 wrote to memory of 4768	4848	itunes.exe	powershell.exe
PID 4848 wrote to memory of 4768	4848	itunes.exe	powershell.exe
PID 4848 wrote to memory of 4768	4848	itunes.exe	powershell.exe
PID 4848 wrote to memory of 2476	4848	itunes.exe	cmd.exe
PID 4848 wrote to memory of 2476	4848	itunes.exe	cmd.exe
PID 4848 wrote to memory of 2476	4848	itunes.exe	cmd.exe
PID 4848 wrote to memory of 2476	4848	itunes.exe	cmd.exe
PID 4848 wrote to memory of 2476	4848	itunes.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\3df212b13323638a741a6febc79f2e426775adde00e486bc52624a23da1c53b8.exe
"C:\Users\Admin\AppData\Local\Temp\3df212b13323638a741a6febc79f2e426775adde00e486bc52624a23da1c53b8.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- NTFS ADS
- Suspicious use of WriteProcessMemory
PID:3500
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell Add-MpPreference -ExclusionPath C:\
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3792
- C:\ProgramData\itunes.exe
  "C:\ProgramData\itunes.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4848
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell Add-MpPreference -ExclusionPath C:\
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4768
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe"
    3⤵
    PID:2476

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\itunes.exe

Filesize
1.8MB

MD5
61bbdb549ccbc81047a83e195b00a38b

SHA1
96b4d39428e9ddff6737cd3944b303f169078ebe

SHA256
3df212b13323638a741a6febc79f2e426775adde00e486bc52624a23da1c53b8

SHA512
d0c83db4127ac94a01cccc06492aed8e69d69e0cbffb602debbb67a2bbe3037221d8659bfd4987c8da06d7dcdb926eb5b65653385197fa3632c5a19f72a02633

Download Submit
C:\ProgramData\itunes.exe

Filesize
1.8MB

MD5
61bbdb549ccbc81047a83e195b00a38b

SHA1
96b4d39428e9ddff6737cd3944b303f169078ebe

SHA256
3df212b13323638a741a6febc79f2e426775adde00e486bc52624a23da1c53b8

SHA512
d0c83db4127ac94a01cccc06492aed8e69d69e0cbffb602debbb67a2bbe3037221d8659bfd4987c8da06d7dcdb926eb5b65653385197fa3632c5a19f72a02633

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
968cb9309758126772781b83adb8a28f

SHA1
8da30e71accf186b2ba11da1797cf67f8f78b47c

SHA256
92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a

SHA512
4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
de9ad0eb549399cef289f74d4de484a8

SHA1
514be48ba29670db3edc3ac1c10bb455c987f15e

SHA256
5e03d8c4cd5a409ef1b18930c88c6a4fe0b092c02b37c1dcd6ac69d853bef51f

SHA512
c498feba34c3b5d5f0582e3eb25540fd4e9204e5847cd9cc5ece1bd6073a095b0884341d953de0bf88b63443ea567aac09e6cf902c5cf9da4446d0d904003aff

Download Submit
memory/2476-156-0x0000000000000000-mapping.dmp

Download
memory/2476-161-0x0000000000700000-0x0000000000701000-memory.dmp

Filesize
4KB

Download
memory/3500-133-0x0000000003A10000-0x0000000003B64000-memory.dmp

Filesize
1.3MB

Download
memory/3500-132-0x0000000003010000-0x0000000003A10000-memory.dmp

Filesize
10.0MB

Download
memory/3792-144-0x0000000005070000-0x0000000005698000-memory.dmp

Filesize
6.2MB

Download
memory/3792-143-0x0000000002360000-0x0000000002396000-memory.dmp

Filesize
216KB

Download
memory/3792-147-0x00000000056A0000-0x0000000005706000-memory.dmp

Filesize
408KB

Download
memory/3792-148-0x0000000005CC0000-0x0000000005CDE000-memory.dmp

Filesize
120KB

Download
memory/3792-139-0x0000000000000000-mapping.dmp

Download
memory/3792-168-0x0000000007260000-0x0000000007268000-memory.dmp

Filesize
32KB

Download
memory/3792-145-0x0000000004D10000-0x0000000004D32000-memory.dmp

Filesize
136KB

Download
memory/3792-157-0x0000000006E90000-0x0000000006EC2000-memory.dmp

Filesize
200KB

Download
memory/3792-159-0x0000000074B40000-0x0000000074B8C000-memory.dmp

Filesize
304KB

Download
memory/3792-165-0x0000000007270000-0x0000000007306000-memory.dmp

Filesize
600KB

Download
memory/3792-164-0x0000000007050000-0x000000000705A000-memory.dmp

Filesize
40KB

Download
memory/3792-146-0x0000000004FB0000-0x0000000005016000-memory.dmp

Filesize
408KB

Download
memory/3792-162-0x0000000007630000-0x0000000007CAA000-memory.dmp

Filesize
6.5MB

Download
memory/4768-163-0x0000000007A20000-0x0000000007A3A000-memory.dmp

Filesize
104KB

Download
memory/4768-160-0x0000000006CC0000-0x0000000006CDE000-memory.dmp

Filesize
120KB

Download
memory/4768-158-0x0000000074B40000-0x0000000074B8C000-memory.dmp

Filesize
304KB

Download
memory/4768-166-0x0000000007C60000-0x0000000007C6E000-memory.dmp

Filesize
56KB

Download
memory/4768-167-0x0000000007D60000-0x0000000007D7A000-memory.dmp

Filesize
104KB

Download
memory/4768-155-0x0000000000000000-mapping.dmp

Download
memory/4848-140-0x0000000000000000-mapping.dmp

Download
memory/4848-149-0x0000000003920000-0x0000000003A74000-memory.dmp

Filesize
1.3MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads