warzonerat | 13221e70924c7c7eed105646282d0ace162ad1abc1e613219046fe131feb7818

General

Target

arajanlat·pdf.exe
Size

592KB
MD5

51f738511b4f0c749304b39bc68aaf36
SHA1

72a3cb0cc1ebf50b0325f53dcebe92b440b28f6c
SHA256

13221e70924c7c7eed105646282d0ace162ad1abc1e613219046fe131feb7818
SHA512

b64e325859f447f65f168546ccddbaf55fcac9fdc84bae0f8dc88037706ba0390ce072ea9b7159f4dbd932bfd008c8bc11db26b771624e7ee6063af8b68cf601
SSDEEP

12288:Iy5d/Jtp+LpXIhPE6AdmID8zxa3q1XZqslMM:IynBtALih86AdN8QkMM

Score

10^/10

warzonerat infostealer persistence rat

Malware Config

Signatures

WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
rat infostealer warzonerat

Warzone RAT payload 12 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/1828-67-0x0000000000400000-0x0000000000568000-memory.dmp	warzonerat
behavioral1/memory/1828-68-0x0000000000400000-0x0000000000568000-memory.dmp	warzonerat
behavioral1/memory/1828-70-0x0000000000400000-0x0000000000568000-memory.dmp	warzonerat
behavioral1/memory/1828-72-0x0000000000400000-0x0000000000568000-memory.dmp	warzonerat
behavioral1/memory/1828-73-0x0000000000400000-0x0000000000568000-memory.dmp	warzonerat
behavioral1/memory/1828-74-0x000000000040B556-mapping.dmp	warzonerat
behavioral1/memory/1828-77-0x0000000000400000-0x0000000000568000-memory.dmp	warzonerat
behavioral1/memory/1828-79-0x0000000000400000-0x0000000000568000-memory.dmp	warzonerat
behavioral1/memory/1828-89-0x0000000000400000-0x0000000000568000-memory.dmp	warzonerat
behavioral1/memory/1108-108-0x000000000040B556-mapping.dmp	warzonerat
behavioral1/memory/1108-112-0x0000000000400000-0x0000000000568000-memory.dmp	warzonerat
behavioral1/memory/1108-115-0x0000000000400000-0x0000000000568000-memory.dmp	warzonerat

Executes dropped EXE 2 IoCs

Processes:

Adobe51990.exeAdobe51990.exe

pid process

1080 Adobe51990.exe
1108 Adobe51990.exe
Loads dropped DLL 2 IoCs

Processes:

arajanlat·pdf.exe

pid process

1828 arajanlat·pdf.exe
1828 arajanlat·pdf.exe

pid	process
1080	Adobe51990.exe
1108	Adobe51990.exe

pid	process
1828	arajanlat·pdf.exe
1828	arajanlat·pdf.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

arajanlat·pdf.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Adobe51990 = "C:\\Users\\Admin\\Documents\\Adobe51990.exe"	arajanlat·pdf.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

arajanlat·pdf.exeAdobe51990.exe

description	pid	process	target process
PID 1612 set thread context of 1828	1612	arajanlat·pdf.exe	arajanlat·pdf.exe
PID 1080 set thread context of 1108	1080	Adobe51990.exe	Adobe51990.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 7 IoCs

Processes:

arajanlat·pdf.exepowershell.exepowershell.exeAdobe51990.exepowershell.exe

pid process

1612 arajanlat·pdf.exe
1612 arajanlat·pdf.exe
1760 powershell.exe
1668 powershell.exe
1080 Adobe51990.exe
808 powershell.exe
1080 Adobe51990.exe

pid	process
1612	arajanlat·pdf.exe
1612	arajanlat·pdf.exe
1760	powershell.exe
1668	powershell.exe
1080	Adobe51990.exe
808	powershell.exe
1080	Adobe51990.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

Processes:

arajanlat·pdf.exepowershell.exepowershell.exeAdobe51990.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	1612	arajanlat·pdf.exe
Token: SeDebugPrivilege	1760	powershell.exe
Token: SeDebugPrivilege	1668	powershell.exe
Token: SeDebugPrivilege	1080	Adobe51990.exe
Token: SeDebugPrivilege	808	powershell.exe

Suspicious use of WriteProcessMemory 40 IoCs

Processes:

arajanlat·pdf.exearajanlat·pdf.exeAdobe51990.exe

description	pid	process	target process
PID 1612 wrote to memory of 1760	1612	arajanlat·pdf.exe	powershell.exe
PID 1612 wrote to memory of 1760	1612	arajanlat·pdf.exe	powershell.exe
PID 1612 wrote to memory of 1760	1612	arajanlat·pdf.exe	powershell.exe
PID 1612 wrote to memory of 1760	1612	arajanlat·pdf.exe	powershell.exe
PID 1612 wrote to memory of 1828	1612	arajanlat·pdf.exe	arajanlat·pdf.exe
PID 1612 wrote to memory of 1828	1612	arajanlat·pdf.exe	arajanlat·pdf.exe
PID 1612 wrote to memory of 1828	1612	arajanlat·pdf.exe	arajanlat·pdf.exe
PID 1612 wrote to memory of 1828	1612	arajanlat·pdf.exe	arajanlat·pdf.exe
PID 1612 wrote to memory of 1828	1612	arajanlat·pdf.exe	arajanlat·pdf.exe
PID 1612 wrote to memory of 1828	1612	arajanlat·pdf.exe	arajanlat·pdf.exe
PID 1612 wrote to memory of 1828	1612	arajanlat·pdf.exe	arajanlat·pdf.exe
PID 1612 wrote to memory of 1828	1612	arajanlat·pdf.exe	arajanlat·pdf.exe
PID 1612 wrote to memory of 1828	1612	arajanlat·pdf.exe	arajanlat·pdf.exe
PID 1612 wrote to memory of 1828	1612	arajanlat·pdf.exe	arajanlat·pdf.exe
PID 1612 wrote to memory of 1828	1612	arajanlat·pdf.exe	arajanlat·pdf.exe
PID 1612 wrote to memory of 1828	1612	arajanlat·pdf.exe	arajanlat·pdf.exe
PID 1828 wrote to memory of 1668	1828	arajanlat·pdf.exe	powershell.exe
PID 1828 wrote to memory of 1668	1828	arajanlat·pdf.exe	powershell.exe
PID 1828 wrote to memory of 1668	1828	arajanlat·pdf.exe	powershell.exe
PID 1828 wrote to memory of 1668	1828	arajanlat·pdf.exe	powershell.exe
PID 1828 wrote to memory of 1080	1828	arajanlat·pdf.exe	Adobe51990.exe
PID 1828 wrote to memory of 1080	1828	arajanlat·pdf.exe	Adobe51990.exe
PID 1828 wrote to memory of 1080	1828	arajanlat·pdf.exe	Adobe51990.exe
PID 1828 wrote to memory of 1080	1828	arajanlat·pdf.exe	Adobe51990.exe
PID 1080 wrote to memory of 808	1080	Adobe51990.exe	powershell.exe
PID 1080 wrote to memory of 808	1080	Adobe51990.exe	powershell.exe
PID 1080 wrote to memory of 808	1080	Adobe51990.exe	powershell.exe
PID 1080 wrote to memory of 808	1080	Adobe51990.exe	powershell.exe
PID 1080 wrote to memory of 1108	1080	Adobe51990.exe	Adobe51990.exe
PID 1080 wrote to memory of 1108	1080	Adobe51990.exe	Adobe51990.exe
PID 1080 wrote to memory of 1108	1080	Adobe51990.exe	Adobe51990.exe
PID 1080 wrote to memory of 1108	1080	Adobe51990.exe	Adobe51990.exe
PID 1080 wrote to memory of 1108	1080	Adobe51990.exe	Adobe51990.exe
PID 1080 wrote to memory of 1108	1080	Adobe51990.exe	Adobe51990.exe
PID 1080 wrote to memory of 1108	1080	Adobe51990.exe	Adobe51990.exe
PID 1080 wrote to memory of 1108	1080	Adobe51990.exe	Adobe51990.exe
PID 1080 wrote to memory of 1108	1080	Adobe51990.exe	Adobe51990.exe
PID 1080 wrote to memory of 1108	1080	Adobe51990.exe	Adobe51990.exe
PID 1080 wrote to memory of 1108	1080	Adobe51990.exe	Adobe51990.exe
PID 1080 wrote to memory of 1108	1080	Adobe51990.exe	Adobe51990.exe

C:\Users\Admin\AppData\Local\Temp\arajanlat·pdf.exe
"C:\Users\Admin\AppData\Local\Temp\arajanlat·pdf.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1612

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\arajanlat·pdf.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1760

C:\Users\Admin\AppData\Local\Temp\arajanlat·pdf.exe
"C:\Users\Admin\AppData\Local\Temp\arajanlat·pdf.exe"
2⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1828

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell Add-MpPreference -ExclusionPath C:\
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1668

C:\Users\Admin\Documents\Adobe51990.exe
"C:\Users\Admin\Documents\Adobe51990.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1080

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\Documents\Adobe51990.exe"
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:808

C:\Users\Admin\Documents\Adobe51990.exe
"C:\Users\Admin\Documents\Adobe51990.exe"
4⤵
- Executes dropped EXE
PID:1108

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
Filesize
7KB

MD5
e866e4206a24b6946da23a2a5c92119f

SHA1
301b5c6690d2d28b658c5ef5508c9b5b95a6ec4a

SHA256
c48266fd4228d0820aa8a32d6f1030a4f12b5eef6377fd55b3b5acafccbd30c0

SHA512
96754f3a5b443fdc8e082d9ed07da75227cc8a1486a0c544ed537c1d57735a0a6c49f7fb052fd8957f3e6094f0ca43a43d6623f218777785c4bd146a3365db0d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
Filesize
7KB

MD5
e866e4206a24b6946da23a2a5c92119f

SHA1
301b5c6690d2d28b658c5ef5508c9b5b95a6ec4a

SHA256
c48266fd4228d0820aa8a32d6f1030a4f12b5eef6377fd55b3b5acafccbd30c0

SHA512
96754f3a5b443fdc8e082d9ed07da75227cc8a1486a0c544ed537c1d57735a0a6c49f7fb052fd8957f3e6094f0ca43a43d6623f218777785c4bd146a3365db0d

Download Submit
C:\Users\Admin\Documents\Adobe51990.exe
Filesize
592KB

MD5
51f738511b4f0c749304b39bc68aaf36

SHA1
72a3cb0cc1ebf50b0325f53dcebe92b440b28f6c

SHA256
13221e70924c7c7eed105646282d0ace162ad1abc1e613219046fe131feb7818

SHA512
b64e325859f447f65f168546ccddbaf55fcac9fdc84bae0f8dc88037706ba0390ce072ea9b7159f4dbd932bfd008c8bc11db26b771624e7ee6063af8b68cf601

Download Submit
C:\Users\Admin\Documents\Adobe51990.exe
Filesize
592KB

MD5
51f738511b4f0c749304b39bc68aaf36

SHA1
72a3cb0cc1ebf50b0325f53dcebe92b440b28f6c

SHA256
13221e70924c7c7eed105646282d0ace162ad1abc1e613219046fe131feb7818

SHA512
b64e325859f447f65f168546ccddbaf55fcac9fdc84bae0f8dc88037706ba0390ce072ea9b7159f4dbd932bfd008c8bc11db26b771624e7ee6063af8b68cf601

Download Submit
C:\Users\Admin\Documents\Adobe51990.exe
Filesize
592KB

MD5
51f738511b4f0c749304b39bc68aaf36

SHA1
72a3cb0cc1ebf50b0325f53dcebe92b440b28f6c

SHA256
13221e70924c7c7eed105646282d0ace162ad1abc1e613219046fe131feb7818

SHA512
b64e325859f447f65f168546ccddbaf55fcac9fdc84bae0f8dc88037706ba0390ce072ea9b7159f4dbd932bfd008c8bc11db26b771624e7ee6063af8b68cf601

Download Submit
\Users\Admin\Documents\Adobe51990.exe
Filesize
592KB

MD5
51f738511b4f0c749304b39bc68aaf36

SHA1
72a3cb0cc1ebf50b0325f53dcebe92b440b28f6c

SHA256
13221e70924c7c7eed105646282d0ace162ad1abc1e613219046fe131feb7818

SHA512
b64e325859f447f65f168546ccddbaf55fcac9fdc84bae0f8dc88037706ba0390ce072ea9b7159f4dbd932bfd008c8bc11db26b771624e7ee6063af8b68cf601

Download Submit
\Users\Admin\Documents\Adobe51990.exe
Filesize
592KB

MD5
51f738511b4f0c749304b39bc68aaf36

SHA1
72a3cb0cc1ebf50b0325f53dcebe92b440b28f6c

SHA256
13221e70924c7c7eed105646282d0ace162ad1abc1e613219046fe131feb7818

SHA512
b64e325859f447f65f168546ccddbaf55fcac9fdc84bae0f8dc88037706ba0390ce072ea9b7159f4dbd932bfd008c8bc11db26b771624e7ee6063af8b68cf601

Download Submit
memory/808-93-0x0000000000000000-mapping.dmp

Download
memory/808-114-0x000000006F5C0000-0x000000006FB6B000-memory.dmp

Filesize
5.7MB

Download
memory/808-113-0x000000006F5C0000-0x000000006FB6B000-memory.dmp

Filesize
5.7MB

Download
memory/1080-91-0x0000000001140000-0x00000000011DA000-memory.dmp

Filesize
616KB

Download
memory/1080-87-0x0000000000000000-mapping.dmp

Download
memory/1108-115-0x0000000000400000-0x0000000000568000-memory.dmp

Filesize
1.4MB

Download
memory/1108-112-0x0000000000400000-0x0000000000568000-memory.dmp

Filesize
1.4MB

Download
memory/1108-108-0x000000000040B556-mapping.dmp

Download
memory/1612-60-0x0000000004850000-0x0000000004886000-memory.dmp

Filesize
216KB

Download
memory/1612-54-0x0000000000130000-0x00000000001CA000-memory.dmp

Filesize
616KB

Download
memory/1612-58-0x0000000005E30000-0x0000000005EA0000-memory.dmp

Filesize
448KB

Download
memory/1612-57-0x00000000002D0000-0x00000000002DE000-memory.dmp

Filesize
56KB

Download
memory/1612-56-0x00000000002B0000-0x00000000002C6000-memory.dmp

Filesize
88KB

Download
memory/1612-55-0x0000000076561000-0x0000000076563000-memory.dmp

Filesize
8KB

Download
memory/1668-81-0x0000000000000000-mapping.dmp

Download
memory/1668-84-0x0000000073740000-0x0000000073CEB000-memory.dmp

Filesize
5.7MB

Download
memory/1760-59-0x0000000000000000-mapping.dmp

Download
memory/1760-78-0x000000006F890000-0x000000006FE3B000-memory.dmp

Filesize
5.7MB

Download
memory/1760-80-0x000000006F890000-0x000000006FE3B000-memory.dmp

Filesize
5.7MB

Download
memory/1828-65-0x0000000000400000-0x0000000000568000-memory.dmp

Filesize
1.4MB

Download
memory/1828-89-0x0000000000400000-0x0000000000568000-memory.dmp

Filesize
1.4MB

Download
memory/1828-79-0x0000000000400000-0x0000000000568000-memory.dmp

Filesize
1.4MB

Download
memory/1828-77-0x0000000000400000-0x0000000000568000-memory.dmp

Filesize
1.4MB

Download
memory/1828-74-0x000000000040B556-mapping.dmp

Download
memory/1828-73-0x0000000000400000-0x0000000000568000-memory.dmp

Filesize
1.4MB

Download
memory/1828-72-0x0000000000400000-0x0000000000568000-memory.dmp

Filesize
1.4MB

Download
memory/1828-70-0x0000000000400000-0x0000000000568000-memory.dmp

Filesize
1.4MB

Download
memory/1828-68-0x0000000000400000-0x0000000000568000-memory.dmp

Filesize
1.4MB

Download
memory/1828-67-0x0000000000400000-0x0000000000568000-memory.dmp

Filesize
1.4MB

Download
memory/1828-63-0x0000000000400000-0x0000000000568000-memory.dmp

Filesize
1.4MB

Download
memory/1828-62-0x0000000000400000-0x0000000000568000-memory.dmp

Filesize
1.4MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads