warzonerat | 7df4c22eb854a3167a7f606f9ad2baf1d6fff8ac85c8b4d265248e272afdbaab

General

Target

7df4c22eb854a3167a7f606f9ad2baf1d6fff8ac85c8b4d265248e272afdbaab.exe
Size

552KB
MD5

fd49a17b3d4bfe10a79a8f6c25f72f50
SHA1

a25885590c16d80d46846d75f1f7646bfc26c005
SHA256

7df4c22eb854a3167a7f606f9ad2baf1d6fff8ac85c8b4d265248e272afdbaab
SHA512

3049f06b75f8ec88ffb75cdd97ac68c63f0ef4cf9d53791a6bdda0886f9021fea1b470f2b8a137ef9d4d3dac15773562878b11657f11ce041b4cfa3416d1a762
SSDEEP

12288:GPqfpmguB1C6MgG4WymunsifuHqDoCu9l9jq:IqfpmguvC6zG46u+HqDoL9j

Score

10^/10

warzonerat infostealer persistence rat

Malware Config

Signatures

WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
rat infostealer warzonerat

Warzone RAT payload 4 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/2168-146-0x0000000000400000-0x0000000000568000-memory.dmp	warzonerat
behavioral1/memory/2168-148-0x0000000000400000-0x0000000000568000-memory.dmp	warzonerat
behavioral1/memory/2168-149-0x0000000000400000-0x0000000000568000-memory.dmp	warzonerat
behavioral1/memory/2168-156-0x0000000000400000-0x0000000000568000-memory.dmp	warzonerat

Executes dropped EXE 1 IoCs

Processes:

internetexploer.exe

pid process

2668 internetexploer.exe

pid	process
2668	internetexploer.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

7df4c22eb854a3167a7f606f9ad2baf1d6fff8ac85c8b4d265248e272afdbaab.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation	7df4c22eb854a3167a7f606f9ad2baf1d6fff8ac85c8b4d265248e272afdbaab.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

7df4c22eb854a3167a7f606f9ad2baf1d6fff8ac85c8b4d265248e272afdbaab.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\internetexploer.exe = "C:\\Users\\Admin\\Documents\\internetexploer.exe"	7df4c22eb854a3167a7f606f9ad2baf1d6fff8ac85c8b4d265248e272afdbaab.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

7df4c22eb854a3167a7f606f9ad2baf1d6fff8ac85c8b4d265248e272afdbaab.exe

description	pid	process	target process
PID 4320 set thread context of 2168	4320	7df4c22eb854a3167a7f606f9ad2baf1d6fff8ac85c8b4d265248e272afdbaab.exe	7df4c22eb854a3167a7f606f9ad2baf1d6fff8ac85c8b4d265248e272afdbaab.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

4092 schtasks.exe

pid	process
4092	schtasks.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

7df4c22eb854a3167a7f606f9ad2baf1d6fff8ac85c8b4d265248e272afdbaab.exepowershell.exe

pid	process
4320	7df4c22eb854a3167a7f606f9ad2baf1d6fff8ac85c8b4d265248e272afdbaab.exe
4320	7df4c22eb854a3167a7f606f9ad2baf1d6fff8ac85c8b4d265248e272afdbaab.exe
4320	7df4c22eb854a3167a7f606f9ad2baf1d6fff8ac85c8b4d265248e272afdbaab.exe
4320	7df4c22eb854a3167a7f606f9ad2baf1d6fff8ac85c8b4d265248e272afdbaab.exe
4440	powershell.exe
4440	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

7df4c22eb854a3167a7f606f9ad2baf1d6fff8ac85c8b4d265248e272afdbaab.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	4320	7df4c22eb854a3167a7f606f9ad2baf1d6fff8ac85c8b4d265248e272afdbaab.exe
Token: SeDebugPrivilege	4440	powershell.exe

Suspicious use of WriteProcessMemory 26 IoCs

Processes:

7df4c22eb854a3167a7f606f9ad2baf1d6fff8ac85c8b4d265248e272afdbaab.exe7df4c22eb854a3167a7f606f9ad2baf1d6fff8ac85c8b4d265248e272afdbaab.exe

C:\Users\Admin\AppData\Local\Temp\7df4c22eb854a3167a7f606f9ad2baf1d6fff8ac85c8b4d265248e272afdbaab.exe
"C:\Users\Admin\AppData\Local\Temp\7df4c22eb854a3167a7f606f9ad2baf1d6fff8ac85c8b4d265248e272afdbaab.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4320

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\oyGqcapvIL.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4440

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\oyGqcapvIL" /XML "C:\Users\Admin\AppData\Local\Temp\tmpB55.tmp"
2⤵
- Creates scheduled task(s)
PID:4092

C:\Users\Admin\AppData\Local\Temp\7df4c22eb854a3167a7f606f9ad2baf1d6fff8ac85c8b4d265248e272afdbaab.exe
"C:\Users\Admin\AppData\Local\Temp\7df4c22eb854a3167a7f606f9ad2baf1d6fff8ac85c8b4d265248e272afdbaab.exe"
2⤵
PID:1996

C:\Users\Admin\AppData\Local\Temp\7df4c22eb854a3167a7f606f9ad2baf1d6fff8ac85c8b4d265248e272afdbaab.exe
"C:\Users\Admin\AppData\Local\Temp\7df4c22eb854a3167a7f606f9ad2baf1d6fff8ac85c8b4d265248e272afdbaab.exe"
2⤵
PID:3436

C:\Users\Admin\AppData\Local\Temp\7df4c22eb854a3167a7f606f9ad2baf1d6fff8ac85c8b4d265248e272afdbaab.exe
"C:\Users\Admin\AppData\Local\Temp\7df4c22eb854a3167a7f606f9ad2baf1d6fff8ac85c8b4d265248e272afdbaab.exe"
2⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2168

C:\Users\Admin\Documents\internetexploer.exe
"C:\Users\Admin\Documents\internetexploer.exe"
3⤵
- Executes dropped EXE
PID:2668

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Registry Run Keys / Startup Folder

1

T1060

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpB55.tmp
Filesize
1KB

MD5
4595eae2c4396e50daae6f4c0d7db055

SHA1
a09259b6354ee125baf324e61bd09f348434e235

SHA256
d7b81906b71ae9ee9fc770d16e23a11889c6c23f8f35c0736b9de2442989a2c0

SHA512
5d3c5bff4dc785ee8cd6c7ff145c4dcfd8c96a5137e482ef003f977ac60c3043eb73ef0e7ae7f6f56cbfe3268b52d7cb9a8bcbf009164aca2c95a41a339fab07

Download Submit
C:\Users\Admin\Documents\internetexploer.exe
Filesize
552KB

MD5
fd49a17b3d4bfe10a79a8f6c25f72f50

SHA1
a25885590c16d80d46846d75f1f7646bfc26c005

SHA256
7df4c22eb854a3167a7f606f9ad2baf1d6fff8ac85c8b4d265248e272afdbaab

SHA512
3049f06b75f8ec88ffb75cdd97ac68c63f0ef4cf9d53791a6bdda0886f9021fea1b470f2b8a137ef9d4d3dac15773562878b11657f11ce041b4cfa3416d1a762

Download Submit
C:\Users\Admin\Documents\internetexploer.exe
Filesize
552KB

MD5
fd49a17b3d4bfe10a79a8f6c25f72f50

SHA1
a25885590c16d80d46846d75f1f7646bfc26c005

SHA256
7df4c22eb854a3167a7f606f9ad2baf1d6fff8ac85c8b4d265248e272afdbaab

SHA512
3049f06b75f8ec88ffb75cdd97ac68c63f0ef4cf9d53791a6bdda0886f9021fea1b470f2b8a137ef9d4d3dac15773562878b11657f11ce041b4cfa3416d1a762

Download Submit
memory/1996-143-0x0000000000000000-mapping.dmp

Download
memory/2168-149-0x0000000000400000-0x0000000000568000-memory.dmp

Filesize
1.4MB

Download
memory/2168-148-0x0000000000400000-0x0000000000568000-memory.dmp

Filesize
1.4MB

Download
memory/2168-146-0x0000000000400000-0x0000000000568000-memory.dmp

Filesize
1.4MB

Download
memory/2168-145-0x0000000000000000-mapping.dmp

Download
memory/2168-156-0x0000000000400000-0x0000000000568000-memory.dmp

Filesize
1.4MB

Download
memory/2668-153-0x0000000000000000-mapping.dmp

Download
memory/3436-144-0x0000000000000000-mapping.dmp

Download
memory/4092-139-0x0000000000000000-mapping.dmp

Download
memory/4320-132-0x0000000000E80000-0x0000000000F0A000-memory.dmp

Filesize
552KB

Download
memory/4320-137-0x0000000001830000-0x00000000018CC000-memory.dmp

Filesize
624KB

Download
memory/4320-136-0x0000000005970000-0x000000000597A000-memory.dmp

Filesize
40KB

Download
memory/4320-135-0x0000000005C00000-0x0000000005DA6000-memory.dmp

Filesize
1.6MB

Download
memory/4320-134-0x00000000058D0000-0x0000000005962000-memory.dmp

Filesize
584KB

Download
memory/4320-133-0x0000000005DE0000-0x0000000006384000-memory.dmp

Filesize
5.6MB

Download
memory/4440-138-0x0000000000000000-mapping.dmp

Download
memory/4440-152-0x00000000059D0000-0x0000000005A36000-memory.dmp

Filesize
408KB

Download
memory/4440-151-0x0000000005890000-0x00000000058F6000-memory.dmp

Filesize
408KB

Download
memory/4440-150-0x0000000004F70000-0x0000000004F92000-memory.dmp

Filesize
136KB

Download
memory/4440-142-0x0000000004FF0000-0x0000000005618000-memory.dmp

Filesize
6.2MB

Download
memory/4440-140-0x0000000002510000-0x0000000002546000-memory.dmp

Filesize
216KB

Download
memory/4440-157-0x0000000005E10000-0x0000000005E2E000-memory.dmp

Filesize
120KB

Download

description	pid	process	target process
PID 4320 wrote to memory of 4440	4320	7df4c22eb854a3167a7f606f9ad2baf1d6fff8ac85c8b4d265248e272afdbaab.exe	powershell.exe
PID 4320 wrote to memory of 4440	4320	7df4c22eb854a3167a7f606f9ad2baf1d6fff8ac85c8b4d265248e272afdbaab.exe	powershell.exe
PID 4320 wrote to memory of 4440	4320	7df4c22eb854a3167a7f606f9ad2baf1d6fff8ac85c8b4d265248e272afdbaab.exe	powershell.exe
PID 4320 wrote to memory of 4092	4320	7df4c22eb854a3167a7f606f9ad2baf1d6fff8ac85c8b4d265248e272afdbaab.exe	schtasks.exe
PID 4320 wrote to memory of 4092	4320	7df4c22eb854a3167a7f606f9ad2baf1d6fff8ac85c8b4d265248e272afdbaab.exe	schtasks.exe
PID 4320 wrote to memory of 4092	4320	7df4c22eb854a3167a7f606f9ad2baf1d6fff8ac85c8b4d265248e272afdbaab.exe	schtasks.exe
PID 4320 wrote to memory of 1996	4320	7df4c22eb854a3167a7f606f9ad2baf1d6fff8ac85c8b4d265248e272afdbaab.exe	7df4c22eb854a3167a7f606f9ad2baf1d6fff8ac85c8b4d265248e272afdbaab.exe
PID 4320 wrote to memory of 1996	4320	7df4c22eb854a3167a7f606f9ad2baf1d6fff8ac85c8b4d265248e272afdbaab.exe	7df4c22eb854a3167a7f606f9ad2baf1d6fff8ac85c8b4d265248e272afdbaab.exe
PID 4320 wrote to memory of 1996	4320	7df4c22eb854a3167a7f606f9ad2baf1d6fff8ac85c8b4d265248e272afdbaab.exe	7df4c22eb854a3167a7f606f9ad2baf1d6fff8ac85c8b4d265248e272afdbaab.exe
PID 4320 wrote to memory of 3436	4320	7df4c22eb854a3167a7f606f9ad2baf1d6fff8ac85c8b4d265248e272afdbaab.exe	7df4c22eb854a3167a7f606f9ad2baf1d6fff8ac85c8b4d265248e272afdbaab.exe
PID 4320 wrote to memory of 3436	4320	7df4c22eb854a3167a7f606f9ad2baf1d6fff8ac85c8b4d265248e272afdbaab.exe	7df4c22eb854a3167a7f606f9ad2baf1d6fff8ac85c8b4d265248e272afdbaab.exe
PID 4320 wrote to memory of 3436	4320	7df4c22eb854a3167a7f606f9ad2baf1d6fff8ac85c8b4d265248e272afdbaab.exe	7df4c22eb854a3167a7f606f9ad2baf1d6fff8ac85c8b4d265248e272afdbaab.exe
PID 4320 wrote to memory of 2168	4320	7df4c22eb854a3167a7f606f9ad2baf1d6fff8ac85c8b4d265248e272afdbaab.exe	7df4c22eb854a3167a7f606f9ad2baf1d6fff8ac85c8b4d265248e272afdbaab.exe
PID 4320 wrote to memory of 2168	4320	7df4c22eb854a3167a7f606f9ad2baf1d6fff8ac85c8b4d265248e272afdbaab.exe	7df4c22eb854a3167a7f606f9ad2baf1d6fff8ac85c8b4d265248e272afdbaab.exe
PID 4320 wrote to memory of 2168	4320	7df4c22eb854a3167a7f606f9ad2baf1d6fff8ac85c8b4d265248e272afdbaab.exe	7df4c22eb854a3167a7f606f9ad2baf1d6fff8ac85c8b4d265248e272afdbaab.exe
PID 4320 wrote to memory of 2168	4320	7df4c22eb854a3167a7f606f9ad2baf1d6fff8ac85c8b4d265248e272afdbaab.exe	7df4c22eb854a3167a7f606f9ad2baf1d6fff8ac85c8b4d265248e272afdbaab.exe
PID 4320 wrote to memory of 2168	4320	7df4c22eb854a3167a7f606f9ad2baf1d6fff8ac85c8b4d265248e272afdbaab.exe	7df4c22eb854a3167a7f606f9ad2baf1d6fff8ac85c8b4d265248e272afdbaab.exe
PID 4320 wrote to memory of 2168	4320	7df4c22eb854a3167a7f606f9ad2baf1d6fff8ac85c8b4d265248e272afdbaab.exe	7df4c22eb854a3167a7f606f9ad2baf1d6fff8ac85c8b4d265248e272afdbaab.exe
PID 4320 wrote to memory of 2168	4320	7df4c22eb854a3167a7f606f9ad2baf1d6fff8ac85c8b4d265248e272afdbaab.exe	7df4c22eb854a3167a7f606f9ad2baf1d6fff8ac85c8b4d265248e272afdbaab.exe
PID 4320 wrote to memory of 2168	4320	7df4c22eb854a3167a7f606f9ad2baf1d6fff8ac85c8b4d265248e272afdbaab.exe	7df4c22eb854a3167a7f606f9ad2baf1d6fff8ac85c8b4d265248e272afdbaab.exe
PID 4320 wrote to memory of 2168	4320	7df4c22eb854a3167a7f606f9ad2baf1d6fff8ac85c8b4d265248e272afdbaab.exe	7df4c22eb854a3167a7f606f9ad2baf1d6fff8ac85c8b4d265248e272afdbaab.exe
PID 4320 wrote to memory of 2168	4320	7df4c22eb854a3167a7f606f9ad2baf1d6fff8ac85c8b4d265248e272afdbaab.exe	7df4c22eb854a3167a7f606f9ad2baf1d6fff8ac85c8b4d265248e272afdbaab.exe
PID 4320 wrote to memory of 2168	4320	7df4c22eb854a3167a7f606f9ad2baf1d6fff8ac85c8b4d265248e272afdbaab.exe	7df4c22eb854a3167a7f606f9ad2baf1d6fff8ac85c8b4d265248e272afdbaab.exe
PID 2168 wrote to memory of 2668	2168	7df4c22eb854a3167a7f606f9ad2baf1d6fff8ac85c8b4d265248e272afdbaab.exe	internetexploer.exe
PID 2168 wrote to memory of 2668	2168	7df4c22eb854a3167a7f606f9ad2baf1d6fff8ac85c8b4d265248e272afdbaab.exe	internetexploer.exe
PID 2168 wrote to memory of 2668	2168	7df4c22eb854a3167a7f606f9ad2baf1d6fff8ac85c8b4d265248e272afdbaab.exe	internetexploer.exe

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads