warzonerat | 13221e70924c7c7eed105646282d0ace162ad1abc1e613219046fe131feb7818

Analysis

max time kernel
105s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
28-11-2022 11:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

arajanlat·pdf.exe
Size

592KB
MD5

51f738511b4f0c749304b39bc68aaf36
SHA1

72a3cb0cc1ebf50b0325f53dcebe92b440b28f6c
SHA256

13221e70924c7c7eed105646282d0ace162ad1abc1e613219046fe131feb7818
SHA512

b64e325859f447f65f168546ccddbaf55fcac9fdc84bae0f8dc88037706ba0390ce072ea9b7159f4dbd932bfd008c8bc11db26b771624e7ee6063af8b68cf601
SSDEEP

12288:Iy5d/Jtp+LpXIhPE6AdmID8zxa3q1XZqslMM:IynBtALih86AdN8QkMM

Score

10^/10

warzonerat infostealer persistence rat

Malware Config

Signatures

WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
rat infostealer warzonerat

Warzone RAT payload 7 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/2716-139-0x0000000000400000-0x0000000000568000-memory.dmp	warzonerat
behavioral2/memory/2716-141-0x0000000000400000-0x0000000000568000-memory.dmp	warzonerat
behavioral2/memory/2716-144-0x0000000000400000-0x0000000000568000-memory.dmp	warzonerat
behavioral2/memory/2716-161-0x0000000000400000-0x0000000000568000-memory.dmp	warzonerat
behavioral2/memory/3956-171-0x0000000000400000-0x0000000000568000-memory.dmp	warzonerat
behavioral2/memory/3956-173-0x0000000000400000-0x0000000000568000-memory.dmp	warzonerat
behavioral2/memory/3956-181-0x0000000000400000-0x0000000000568000-memory.dmp	warzonerat

Executes dropped EXE 2 IoCs

Processes:

Adobe51990.exeAdobe51990.exe

pid process

5068 Adobe51990.exe
3956 Adobe51990.exe

pid	process
5068	Adobe51990.exe
3956	Adobe51990.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

arajanlat·pdf.exeAdobe51990.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	arajanlat·pdf.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	Adobe51990.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

arajanlat·pdf.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Adobe51990 = "C:\\Users\\Admin\\Documents\\Adobe51990.exe"	arajanlat·pdf.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

arajanlat·pdf.exeAdobe51990.exe

description	pid	process	target process
PID 2532 set thread context of 2716	2532	arajanlat·pdf.exe	arajanlat·pdf.exe
PID 5068 set thread context of 3956	5068	Adobe51990.exe	Adobe51990.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 12 IoCs

Processes:

arajanlat·pdf.exepowershell.exepowershell.exeAdobe51990.exepowershell.exepowershell.exe

pid	process
2532	arajanlat·pdf.exe
2532	arajanlat·pdf.exe
4852	powershell.exe
4852	powershell.exe
1880	powershell.exe
1880	powershell.exe
5068	Adobe51990.exe
5068	Adobe51990.exe
4192	powershell.exe
4192	powershell.exe
2980	powershell.exe
2980	powershell.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

arajanlat·pdf.exepowershell.exepowershell.exeAdobe51990.exepowershell.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	2532	arajanlat·pdf.exe
Token: SeDebugPrivilege	4852	powershell.exe
Token: SeDebugPrivilege	1880	powershell.exe
Token: SeDebugPrivilege	5068	Adobe51990.exe
Token: SeDebugPrivilege	4192	powershell.exe
Token: SeDebugPrivilege	2980	powershell.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

Adobe51990.exe

pid process

3956 Adobe51990.exe

pid	process
3956	Adobe51990.exe

Suspicious use of WriteProcessMemory 42 IoCs

Processes:

arajanlat·pdf.exearajanlat·pdf.exeAdobe51990.exeAdobe51990.exe

description	pid	process	target process
PID 2532 wrote to memory of 4852	2532	arajanlat·pdf.exe	powershell.exe
PID 2532 wrote to memory of 4852	2532	arajanlat·pdf.exe	powershell.exe
PID 2532 wrote to memory of 4852	2532	arajanlat·pdf.exe	powershell.exe
PID 2532 wrote to memory of 2716	2532	arajanlat·pdf.exe	arajanlat·pdf.exe
PID 2532 wrote to memory of 2716	2532	arajanlat·pdf.exe	arajanlat·pdf.exe
PID 2532 wrote to memory of 2716	2532	arajanlat·pdf.exe	arajanlat·pdf.exe
PID 2532 wrote to memory of 2716	2532	arajanlat·pdf.exe	arajanlat·pdf.exe
PID 2532 wrote to memory of 2716	2532	arajanlat·pdf.exe	arajanlat·pdf.exe
PID 2532 wrote to memory of 2716	2532	arajanlat·pdf.exe	arajanlat·pdf.exe
PID 2532 wrote to memory of 2716	2532	arajanlat·pdf.exe	arajanlat·pdf.exe
PID 2532 wrote to memory of 2716	2532	arajanlat·pdf.exe	arajanlat·pdf.exe
PID 2532 wrote to memory of 2716	2532	arajanlat·pdf.exe	arajanlat·pdf.exe
PID 2532 wrote to memory of 2716	2532	arajanlat·pdf.exe	arajanlat·pdf.exe
PID 2532 wrote to memory of 2716	2532	arajanlat·pdf.exe	arajanlat·pdf.exe
PID 2716 wrote to memory of 1880	2716	arajanlat·pdf.exe	powershell.exe
PID 2716 wrote to memory of 1880	2716	arajanlat·pdf.exe	powershell.exe
PID 2716 wrote to memory of 1880	2716	arajanlat·pdf.exe	powershell.exe
PID 2716 wrote to memory of 5068	2716	arajanlat·pdf.exe	Adobe51990.exe
PID 2716 wrote to memory of 5068	2716	arajanlat·pdf.exe	Adobe51990.exe
PID 2716 wrote to memory of 5068	2716	arajanlat·pdf.exe	Adobe51990.exe
PID 5068 wrote to memory of 4192	5068	Adobe51990.exe	powershell.exe
PID 5068 wrote to memory of 4192	5068	Adobe51990.exe	powershell.exe
PID 5068 wrote to memory of 4192	5068	Adobe51990.exe	powershell.exe
PID 5068 wrote to memory of 3956	5068	Adobe51990.exe	Adobe51990.exe
PID 5068 wrote to memory of 3956	5068	Adobe51990.exe	Adobe51990.exe
PID 5068 wrote to memory of 3956	5068	Adobe51990.exe	Adobe51990.exe
PID 5068 wrote to memory of 3956	5068	Adobe51990.exe	Adobe51990.exe
PID 5068 wrote to memory of 3956	5068	Adobe51990.exe	Adobe51990.exe
PID 5068 wrote to memory of 3956	5068	Adobe51990.exe	Adobe51990.exe
PID 5068 wrote to memory of 3956	5068	Adobe51990.exe	Adobe51990.exe
PID 5068 wrote to memory of 3956	5068	Adobe51990.exe	Adobe51990.exe
PID 5068 wrote to memory of 3956	5068	Adobe51990.exe	Adobe51990.exe
PID 5068 wrote to memory of 3956	5068	Adobe51990.exe	Adobe51990.exe
PID 5068 wrote to memory of 3956	5068	Adobe51990.exe	Adobe51990.exe
PID 3956 wrote to memory of 2980	3956	Adobe51990.exe	powershell.exe
PID 3956 wrote to memory of 2980	3956	Adobe51990.exe	powershell.exe
PID 3956 wrote to memory of 2980	3956	Adobe51990.exe	powershell.exe
PID 3956 wrote to memory of 4900	3956	Adobe51990.exe	cmd.exe
PID 3956 wrote to memory of 4900	3956	Adobe51990.exe	cmd.exe
PID 3956 wrote to memory of 4900	3956	Adobe51990.exe	cmd.exe
PID 3956 wrote to memory of 4900	3956	Adobe51990.exe	cmd.exe
PID 3956 wrote to memory of 4900	3956	Adobe51990.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\arajanlat·pdf.exe
"C:\Users\Admin\AppData\Local\Temp\arajanlat·pdf.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2532
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\arajanlat·pdf.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4852
- C:\Users\Admin\AppData\Local\Temp\arajanlat·pdf.exe
  "C:\Users\Admin\AppData\Local\Temp\arajanlat·pdf.exe"
  2⤵
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:2716
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell Add-MpPreference -ExclusionPath C:\
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1880
- - C:\Users\Admin\Documents\Adobe51990.exe
    "C:\Users\Admin\Documents\Adobe51990.exe"
    3⤵
    - Executes dropped EXE
    - Checks computer location settings
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:5068
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\Documents\Adobe51990.exe"
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4192
  - - C:\Users\Admin\Documents\Adobe51990.exe
      "C:\Users\Admin\Documents\Adobe51990.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:3956
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Add-MpPreference -ExclusionPath C:\
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2980
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe"
        5⤵
        
        PID:4900

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
968cb9309758126772781b83adb8a28f

SHA1
8da30e71accf186b2ba11da1797cf67f8f78b47c

SHA256
92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a

SHA512
4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
656410f1da4f94f9fb7898c1e995d907

SHA1
e19ab7fc7a481363eb1ce42e005ff1dff45662f9

SHA256
3a669fcdbcc1737970d25b1f84204ec07db9be05e74e9b8582594be98d7cbf78

SHA512
251d5bc8a90d8fce45875063a726676aa135e8cc0eb8b74652239a699865a98c8811eebb2c78e2ca1e21e96858e56ba1cb63a2c339c1ed7a2826a0bc44328ab7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
18840190923ce9e52e2dcabd16b1013c

SHA1
ef30532bbf3febe50ac6b3e4951bb63329973783

SHA256
706aa86ddc203faf329cf68725df7e7e861419943fc34ff4ed2095971b71521e

SHA512
a368e637754c1ab0ad886a76ced8e3f7bc84f817d13afacddd7c9c31c22d4c6612859404f5917690a610577c3f37830b4e604f99fb4e1b08addd7df78e0f5d09

Download Submit
C:\Users\Admin\Documents\Adobe51990.exe

Filesize
592KB

MD5
51f738511b4f0c749304b39bc68aaf36

SHA1
72a3cb0cc1ebf50b0325f53dcebe92b440b28f6c

SHA256
13221e70924c7c7eed105646282d0ace162ad1abc1e613219046fe131feb7818

SHA512
b64e325859f447f65f168546ccddbaf55fcac9fdc84bae0f8dc88037706ba0390ce072ea9b7159f4dbd932bfd008c8bc11db26b771624e7ee6063af8b68cf601

Download Submit
C:\Users\Admin\Documents\Adobe51990.exe

Filesize
592KB

MD5
51f738511b4f0c749304b39bc68aaf36

SHA1
72a3cb0cc1ebf50b0325f53dcebe92b440b28f6c

SHA256
13221e70924c7c7eed105646282d0ace162ad1abc1e613219046fe131feb7818

SHA512
b64e325859f447f65f168546ccddbaf55fcac9fdc84bae0f8dc88037706ba0390ce072ea9b7159f4dbd932bfd008c8bc11db26b771624e7ee6063af8b68cf601

Download Submit
C:\Users\Admin\Documents\Adobe51990.exe

Filesize
592KB

MD5
51f738511b4f0c749304b39bc68aaf36

SHA1
72a3cb0cc1ebf50b0325f53dcebe92b440b28f6c

SHA256
13221e70924c7c7eed105646282d0ace162ad1abc1e613219046fe131feb7818

SHA512
b64e325859f447f65f168546ccddbaf55fcac9fdc84bae0f8dc88037706ba0390ce072ea9b7159f4dbd932bfd008c8bc11db26b771624e7ee6063af8b68cf601

Download Submit
memory/1880-164-0x0000000007AE0000-0x0000000007AE8000-memory.dmp

Filesize
32KB

Download
memory/1880-149-0x0000000000000000-mapping.dmp

Download
memory/1880-155-0x0000000071360000-0x00000000713AC000-memory.dmp

Filesize
304KB

Download
memory/2532-132-0x0000000000DA0000-0x0000000000E3A000-memory.dmp

Filesize
616KB

Download
memory/2532-136-0x00000000094E0000-0x000000000957C000-memory.dmp

Filesize
624KB

Download
memory/2532-135-0x0000000005870000-0x000000000587A000-memory.dmp

Filesize
40KB

Download
memory/2532-134-0x00000000057D0000-0x0000000005862000-memory.dmp

Filesize
584KB

Download
memory/2532-133-0x0000000005E40000-0x00000000063E4000-memory.dmp

Filesize
5.6MB

Download
memory/2716-144-0x0000000000400000-0x0000000000568000-memory.dmp

Filesize
1.4MB

Download
memory/2716-141-0x0000000000400000-0x0000000000568000-memory.dmp

Filesize
1.4MB

Download
memory/2716-139-0x0000000000400000-0x0000000000568000-memory.dmp

Filesize
1.4MB

Download
memory/2716-138-0x0000000000000000-mapping.dmp

Download
memory/2716-161-0x0000000000400000-0x0000000000568000-memory.dmp

Filesize
1.4MB

Download
memory/2980-175-0x0000000000000000-mapping.dmp

Download
memory/2980-176-0x00000000714E0000-0x000000007152C000-memory.dmp

Filesize
304KB

Download
memory/3956-166-0x0000000000000000-mapping.dmp

Download
memory/3956-181-0x0000000000400000-0x0000000000568000-memory.dmp

Filesize
1.4MB

Download
memory/3956-180-0x000000000B480000-0x000000000B620000-memory.dmp

Filesize
1.6MB

Download
memory/3956-173-0x0000000000400000-0x0000000000568000-memory.dmp

Filesize
1.4MB

Download
memory/3956-171-0x0000000000400000-0x0000000000568000-memory.dmp

Filesize
1.4MB

Download
memory/4192-165-0x0000000000000000-mapping.dmp

Download
memory/4192-174-0x00000000714E0000-0x000000007152C000-memory.dmp

Filesize
304KB

Download
memory/4852-147-0x0000000005C70000-0x0000000005CD6000-memory.dmp

Filesize
408KB

Download
memory/4852-145-0x0000000005A60000-0x0000000005A82000-memory.dmp

Filesize
136KB

Download
memory/4852-163-0x0000000007910000-0x000000000792A000-memory.dmp

Filesize
104KB

Download
memory/4852-150-0x00000000068B0000-0x00000000068E2000-memory.dmp

Filesize
200KB

Download
memory/4852-151-0x0000000071360000-0x00000000713AC000-memory.dmp

Filesize
304KB

Download
memory/4852-148-0x00000000062C0000-0x00000000062DE000-memory.dmp

Filesize
120KB

Download
memory/4852-154-0x00000000075D0000-0x00000000075EA000-memory.dmp

Filesize
104KB

Download
memory/4852-146-0x0000000005C00000-0x0000000005C66000-memory.dmp

Filesize
408KB

Download
memory/4852-152-0x0000000006870000-0x000000000688E000-memory.dmp

Filesize
120KB

Download
memory/4852-162-0x0000000007800000-0x000000000780E000-memory.dmp

Filesize
56KB

Download
memory/4852-153-0x0000000007C10000-0x000000000828A000-memory.dmp

Filesize
6.5MB

Download
memory/4852-156-0x0000000007640000-0x000000000764A000-memory.dmp

Filesize
40KB

Download
memory/4852-143-0x0000000005400000-0x0000000005A28000-memory.dmp

Filesize
6.2MB

Download
memory/4852-142-0x00000000029A0000-0x00000000029D6000-memory.dmp

Filesize
216KB

Download
memory/4852-157-0x0000000007850000-0x00000000078E6000-memory.dmp

Filesize
600KB

Download
memory/4852-137-0x0000000000000000-mapping.dmp

Download
memory/4900-179-0x0000000000BF0000-0x0000000000BF1000-memory.dmp

Filesize
4KB

Download
memory/4900-177-0x0000000000000000-mapping.dmp

Download
memory/5068-158-0x0000000000000000-mapping.dmp

Download