warzonerat | 584f57edb1dc561be7396494ea26a3fe5c4c24fed1594636ce2167db8418abe1

General

Target

SecuriteInfo.com.Win32.PWSX-gen.15216.14078.exe
Size

1.0MB
MD5

dbd404136dad8130e5b1197fcbf287d1
SHA1

225b6204a93d7512d8bac3d533aff6836b5c4d3e
SHA256

584f57edb1dc561be7396494ea26a3fe5c4c24fed1594636ce2167db8418abe1
SHA512

d1111093ea89fdd2df4282dcc5097c55e2e34b522259baa1fd1758f75da33a69919a8ecb5188136da2c837aff27bc40200cd3e450f224b72007ec43b85346a23
SSDEEP

24576:rz3lDgh/awtCPSJLir9KcCWY56PH62Dz:rz3lch/dsPFTkyHF

Score

10^/10

warzonerat infostealer rat

Malware Config

Signatures

WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
rat infostealer warzonerat

Warzone RAT payload 8 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/1568-69-0x0000000000400000-0x0000000000568000-memory.dmp	warzonerat
behavioral1/memory/1568-70-0x0000000000400000-0x0000000000568000-memory.dmp	warzonerat
behavioral1/memory/1568-72-0x0000000000400000-0x0000000000568000-memory.dmp	warzonerat
behavioral1/memory/1568-74-0x0000000000400000-0x0000000000568000-memory.dmp	warzonerat
behavioral1/memory/1568-75-0x0000000000400000-0x0000000000568000-memory.dmp	warzonerat
behavioral1/memory/1568-76-0x000000000040B556-mapping.dmp	warzonerat
behavioral1/memory/1568-79-0x0000000000400000-0x0000000000568000-memory.dmp	warzonerat
behavioral1/memory/1568-81-0x0000000000400000-0x0000000000568000-memory.dmp	warzonerat

Suspicious use of SetThreadContext 1 IoCs

Processes:

SecuriteInfo.com.Win32.PWSX-gen.15216.14078.exe

description	pid	process	target process
PID 1724 set thread context of 1568	1724	SecuriteInfo.com.Win32.PWSX-gen.15216.14078.exe	SecuriteInfo.com.Win32.PWSX-gen.15216.14078.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

828 schtasks.exe

pid	process
828	schtasks.exe

Suspicious behavior: EnumeratesProcesses 22 IoCs

Processes:

SecuriteInfo.com.Win32.PWSX-gen.15216.14078.exepowershell.exe

pid	process
1724	SecuriteInfo.com.Win32.PWSX-gen.15216.14078.exe
1724	SecuriteInfo.com.Win32.PWSX-gen.15216.14078.exe
1724	SecuriteInfo.com.Win32.PWSX-gen.15216.14078.exe
1724	SecuriteInfo.com.Win32.PWSX-gen.15216.14078.exe
1724	SecuriteInfo.com.Win32.PWSX-gen.15216.14078.exe
1724	SecuriteInfo.com.Win32.PWSX-gen.15216.14078.exe
1724	SecuriteInfo.com.Win32.PWSX-gen.15216.14078.exe
1724	SecuriteInfo.com.Win32.PWSX-gen.15216.14078.exe
1724	SecuriteInfo.com.Win32.PWSX-gen.15216.14078.exe
1724	SecuriteInfo.com.Win32.PWSX-gen.15216.14078.exe
1724	SecuriteInfo.com.Win32.PWSX-gen.15216.14078.exe
1724	SecuriteInfo.com.Win32.PWSX-gen.15216.14078.exe
1724	SecuriteInfo.com.Win32.PWSX-gen.15216.14078.exe
1724	SecuriteInfo.com.Win32.PWSX-gen.15216.14078.exe
1724	SecuriteInfo.com.Win32.PWSX-gen.15216.14078.exe
1724	SecuriteInfo.com.Win32.PWSX-gen.15216.14078.exe
1724	SecuriteInfo.com.Win32.PWSX-gen.15216.14078.exe
1724	SecuriteInfo.com.Win32.PWSX-gen.15216.14078.exe
1724	SecuriteInfo.com.Win32.PWSX-gen.15216.14078.exe
1724	SecuriteInfo.com.Win32.PWSX-gen.15216.14078.exe
1724	SecuriteInfo.com.Win32.PWSX-gen.15216.14078.exe
1652	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

SecuriteInfo.com.Win32.PWSX-gen.15216.14078.exepowershell.exe

description pid process

Token: SeDebugPrivilege 1724 SecuriteInfo.com.Win32.PWSX-gen.15216.14078.exe
Token: SeDebugPrivilege 1652 powershell.exe

description	pid	process
Token: SeDebugPrivilege	1724	SecuriteInfo.com.Win32.PWSX-gen.15216.14078.exe
Token: SeDebugPrivilege	1652	powershell.exe

Suspicious use of WriteProcessMemory 24 IoCs

Processes:

SecuriteInfo.com.Win32.PWSX-gen.15216.14078.exe

C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.15216.14078.exe
"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.15216.14078.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1724

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\zLxcgGKWkNnjkV.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1652

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\zLxcgGKWkNnjkV" /XML "C:\Users\Admin\AppData\Local\Temp\tmpEA12.tmp"
2⤵
- Creates scheduled task(s)
PID:828

C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.15216.14078.exe
"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.15216.14078.exe"
2⤵
PID:1936

C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.15216.14078.exe
"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.15216.14078.exe"
2⤵
PID:1568

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpEA12.tmp

Filesize
1KB

MD5
53859db5472a528eaadbfa1fad80eb56

SHA1
905e183f5e89884aa8e4591c6ac57849b450511c

SHA256
1900867e7fb37adaebd8da33c07a228ee18e1902a9b02fe6a347a3a0ea01465f

SHA512
b4163d5e9199e56fa9d5f4b641710b4123ec8fcd4d561381202c09a21bb0e733ddf01abf0555eab40d19beda3bfc90c4663aa586f27173420c6e6c349e92eb0f

Download Submit
memory/828-60-0x0000000000000000-mapping.dmp

Download
memory/1568-74-0x0000000000400000-0x0000000000568000-memory.dmp

Filesize
1.4MB

Download
memory/1568-79-0x0000000000400000-0x0000000000568000-memory.dmp

Filesize
1.4MB

Download
memory/1568-81-0x0000000000400000-0x0000000000568000-memory.dmp

Filesize
1.4MB

Download
memory/1568-76-0x000000000040B556-mapping.dmp

Download
memory/1568-75-0x0000000000400000-0x0000000000568000-memory.dmp

Filesize
1.4MB

Download
memory/1568-72-0x0000000000400000-0x0000000000568000-memory.dmp

Filesize
1.4MB

Download
memory/1568-70-0x0000000000400000-0x0000000000568000-memory.dmp

Filesize
1.4MB

Download
memory/1568-64-0x0000000000400000-0x0000000000568000-memory.dmp

Filesize
1.4MB

Download
memory/1568-65-0x0000000000400000-0x0000000000568000-memory.dmp

Filesize
1.4MB

Download
memory/1568-67-0x0000000000400000-0x0000000000568000-memory.dmp

Filesize
1.4MB

Download
memory/1568-69-0x0000000000400000-0x0000000000568000-memory.dmp

Filesize
1.4MB

Download
memory/1652-59-0x0000000000000000-mapping.dmp

Download
memory/1652-80-0x000000006EF80000-0x000000006F52B000-memory.dmp

Filesize
5.7MB

Download
memory/1652-82-0x000000006EF80000-0x000000006F52B000-memory.dmp

Filesize
5.7MB

Download
memory/1652-83-0x000000006EF80000-0x000000006F52B000-memory.dmp

Filesize
5.7MB

Download
memory/1724-63-0x0000000008030000-0x000000000809C000-memory.dmp

Filesize
432KB

Download
memory/1724-55-0x0000000075DF1000-0x0000000075DF3000-memory.dmp

Filesize
8KB

Download
memory/1724-54-0x0000000000160000-0x0000000000272000-memory.dmp

Filesize
1.1MB

Download
memory/1724-56-0x0000000000490000-0x00000000004A8000-memory.dmp

Filesize
96KB

Download
memory/1724-57-0x0000000000380000-0x000000000038C000-memory.dmp

Filesize
48KB

Download
memory/1724-58-0x0000000005580000-0x0000000005624000-memory.dmp

Filesize
656KB

Download

description	pid	process	target process
PID 1724 wrote to memory of 1652	1724	SecuriteInfo.com.Win32.PWSX-gen.15216.14078.exe	powershell.exe
PID 1724 wrote to memory of 1652	1724	SecuriteInfo.com.Win32.PWSX-gen.15216.14078.exe	powershell.exe
PID 1724 wrote to memory of 1652	1724	SecuriteInfo.com.Win32.PWSX-gen.15216.14078.exe	powershell.exe
PID 1724 wrote to memory of 1652	1724	SecuriteInfo.com.Win32.PWSX-gen.15216.14078.exe	powershell.exe
PID 1724 wrote to memory of 828	1724	SecuriteInfo.com.Win32.PWSX-gen.15216.14078.exe	schtasks.exe
PID 1724 wrote to memory of 828	1724	SecuriteInfo.com.Win32.PWSX-gen.15216.14078.exe	schtasks.exe
PID 1724 wrote to memory of 828	1724	SecuriteInfo.com.Win32.PWSX-gen.15216.14078.exe	schtasks.exe
PID 1724 wrote to memory of 828	1724	SecuriteInfo.com.Win32.PWSX-gen.15216.14078.exe	schtasks.exe
PID 1724 wrote to memory of 1936	1724	SecuriteInfo.com.Win32.PWSX-gen.15216.14078.exe	SecuriteInfo.com.Win32.PWSX-gen.15216.14078.exe
PID 1724 wrote to memory of 1936	1724	SecuriteInfo.com.Win32.PWSX-gen.15216.14078.exe	SecuriteInfo.com.Win32.PWSX-gen.15216.14078.exe
PID 1724 wrote to memory of 1936	1724	SecuriteInfo.com.Win32.PWSX-gen.15216.14078.exe	SecuriteInfo.com.Win32.PWSX-gen.15216.14078.exe
PID 1724 wrote to memory of 1936	1724	SecuriteInfo.com.Win32.PWSX-gen.15216.14078.exe	SecuriteInfo.com.Win32.PWSX-gen.15216.14078.exe
PID 1724 wrote to memory of 1568	1724	SecuriteInfo.com.Win32.PWSX-gen.15216.14078.exe	SecuriteInfo.com.Win32.PWSX-gen.15216.14078.exe
PID 1724 wrote to memory of 1568	1724	SecuriteInfo.com.Win32.PWSX-gen.15216.14078.exe	SecuriteInfo.com.Win32.PWSX-gen.15216.14078.exe
PID 1724 wrote to memory of 1568	1724	SecuriteInfo.com.Win32.PWSX-gen.15216.14078.exe	SecuriteInfo.com.Win32.PWSX-gen.15216.14078.exe
PID 1724 wrote to memory of 1568	1724	SecuriteInfo.com.Win32.PWSX-gen.15216.14078.exe	SecuriteInfo.com.Win32.PWSX-gen.15216.14078.exe
PID 1724 wrote to memory of 1568	1724	SecuriteInfo.com.Win32.PWSX-gen.15216.14078.exe	SecuriteInfo.com.Win32.PWSX-gen.15216.14078.exe
PID 1724 wrote to memory of 1568	1724	SecuriteInfo.com.Win32.PWSX-gen.15216.14078.exe	SecuriteInfo.com.Win32.PWSX-gen.15216.14078.exe
PID 1724 wrote to memory of 1568	1724	SecuriteInfo.com.Win32.PWSX-gen.15216.14078.exe	SecuriteInfo.com.Win32.PWSX-gen.15216.14078.exe
PID 1724 wrote to memory of 1568	1724	SecuriteInfo.com.Win32.PWSX-gen.15216.14078.exe	SecuriteInfo.com.Win32.PWSX-gen.15216.14078.exe
PID 1724 wrote to memory of 1568	1724	SecuriteInfo.com.Win32.PWSX-gen.15216.14078.exe	SecuriteInfo.com.Win32.PWSX-gen.15216.14078.exe
PID 1724 wrote to memory of 1568	1724	SecuriteInfo.com.Win32.PWSX-gen.15216.14078.exe	SecuriteInfo.com.Win32.PWSX-gen.15216.14078.exe
PID 1724 wrote to memory of 1568	1724	SecuriteInfo.com.Win32.PWSX-gen.15216.14078.exe	SecuriteInfo.com.Win32.PWSX-gen.15216.14078.exe
PID 1724 wrote to memory of 1568	1724	SecuriteInfo.com.Win32.PWSX-gen.15216.14078.exe	SecuriteInfo.com.Win32.PWSX-gen.15216.14078.exe

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads