warzonerat | a4b2dec4383a82865eacf6a167af50a2c53159cd1a51bd63d199504491fe67e0

Analysis

max time kernel
139s
max time network
49s
platform
windows7_x64
resource
win7-20220812-it
resource tags

arch:x64arch:x86image:win7-20220812-itlocale:it-itos:windows7-x64systemwindows
submitted
01-12-2022 08:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

invite.exe
Size

638KB
MD5

08a704579ad1ed0cc3a868441622e942
SHA1

191a0e1e417e8925b7ba7a1e5e81581e8d148176
SHA256

a4b2dec4383a82865eacf6a167af50a2c53159cd1a51bd63d199504491fe67e0
SHA512

5bae0cd2b26ffd3ab9f074e28f406751121f6ef01dba049920cc619f541c7f24db984fbb0c4b9edafccdd16773f591c033122d43eb68acde395365b2214e67d2
SSDEEP

6144:1qSOtJpWGKb625XomJ30RL7IEBJntJdwlFEJxVMRL3osLTpa2B9I+y/uB5RQZ6JB:1tcJpbKbfmL7dglKSo4FHIRKReK+

Score

10^/10

warzonerat infostealer persistence rat

Malware Config

Signatures

WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
rat infostealer warzonerat

Warzone RAT payload 12 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/948-68-0x0000000000400000-0x0000000000568000-memory.dmp	warzonerat
behavioral1/memory/948-67-0x0000000000400000-0x0000000000568000-memory.dmp	warzonerat
behavioral1/memory/948-70-0x0000000000400000-0x0000000000568000-memory.dmp	warzonerat
behavioral1/memory/948-72-0x0000000000400000-0x0000000000568000-memory.dmp	warzonerat
behavioral1/memory/948-74-0x000000000040B556-mapping.dmp	warzonerat
behavioral1/memory/948-73-0x0000000000400000-0x0000000000568000-memory.dmp	warzonerat
behavioral1/memory/948-77-0x0000000000400000-0x0000000000568000-memory.dmp	warzonerat
behavioral1/memory/948-78-0x0000000000400000-0x0000000000568000-memory.dmp	warzonerat
behavioral1/memory/948-92-0x0000000000400000-0x0000000000568000-memory.dmp	warzonerat
behavioral1/memory/920-113-0x000000000040B556-mapping.dmp	warzonerat
behavioral1/memory/920-117-0x0000000000400000-0x0000000000568000-memory.dmp	warzonerat
behavioral1/memory/920-119-0x0000000000400000-0x0000000000568000-memory.dmp	warzonerat

Executes dropped EXE 6 IoCs

Processes:

Adobe51990.exeAdobe51990.exeAdobe51990.exeAdobe51990.exeAdobe51990.exeAdobe51990.exe

pid process

976 Adobe51990.exe
1056 Adobe51990.exe
1836 Adobe51990.exe
1536 Adobe51990.exe
1060 Adobe51990.exe
920 Adobe51990.exe
Loads dropped DLL 2 IoCs

Processes:

invite.exe

pid process

948 invite.exe
948 invite.exe

pid	process
976	Adobe51990.exe
1056	Adobe51990.exe
1836	Adobe51990.exe
1536	Adobe51990.exe
1060	Adobe51990.exe
920	Adobe51990.exe

pid	process
948	invite.exe
948	invite.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

invite.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Adobe51990 = "C:\\Users\\Admin\\Documents\\Adobe51990.exe"	invite.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

invite.exeAdobe51990.exe

description	pid	process	target process
PID 872 set thread context of 948	872	invite.exe	invite.exe
PID 976 set thread context of 920	976	Adobe51990.exe	Adobe51990.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 11 IoCs

Processes:

invite.exepowershell.exepowershell.exeAdobe51990.exepowershell.exe

pid	process
872	invite.exe
872	invite.exe
1664	powershell.exe
1676	powershell.exe
976	Adobe51990.exe
976	Adobe51990.exe
976	Adobe51990.exe
976	Adobe51990.exe
976	Adobe51990.exe
756	powershell.exe
976	Adobe51990.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

Processes:

invite.exepowershell.exepowershell.exeAdobe51990.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	872	invite.exe
Token: SeDebugPrivilege	1664	powershell.exe
Token: SeDebugPrivilege	1676	powershell.exe
Token: SeDebugPrivilege	976	Adobe51990.exe
Token: SeDebugPrivilege	756	powershell.exe

Suspicious use of WriteProcessMemory 56 IoCs

Processes:

invite.exeinvite.exeAdobe51990.exe

description	pid	process	target process
PID 872 wrote to memory of 1664	872	invite.exe	powershell.exe
PID 872 wrote to memory of 1664	872	invite.exe	powershell.exe
PID 872 wrote to memory of 1664	872	invite.exe	powershell.exe
PID 872 wrote to memory of 1664	872	invite.exe	powershell.exe
PID 872 wrote to memory of 948	872	invite.exe	invite.exe
PID 872 wrote to memory of 948	872	invite.exe	invite.exe
PID 872 wrote to memory of 948	872	invite.exe	invite.exe
PID 872 wrote to memory of 948	872	invite.exe	invite.exe
PID 872 wrote to memory of 948	872	invite.exe	invite.exe
PID 872 wrote to memory of 948	872	invite.exe	invite.exe
PID 872 wrote to memory of 948	872	invite.exe	invite.exe
PID 872 wrote to memory of 948	872	invite.exe	invite.exe
PID 872 wrote to memory of 948	872	invite.exe	invite.exe
PID 872 wrote to memory of 948	872	invite.exe	invite.exe
PID 872 wrote to memory of 948	872	invite.exe	invite.exe
PID 872 wrote to memory of 948	872	invite.exe	invite.exe
PID 948 wrote to memory of 1676	948	invite.exe	powershell.exe
PID 948 wrote to memory of 1676	948	invite.exe	powershell.exe
PID 948 wrote to memory of 1676	948	invite.exe	powershell.exe
PID 948 wrote to memory of 1676	948	invite.exe	powershell.exe
PID 948 wrote to memory of 976	948	invite.exe	Adobe51990.exe
PID 948 wrote to memory of 976	948	invite.exe	Adobe51990.exe
PID 948 wrote to memory of 976	948	invite.exe	Adobe51990.exe
PID 948 wrote to memory of 976	948	invite.exe	Adobe51990.exe
PID 976 wrote to memory of 756	976	Adobe51990.exe	powershell.exe
PID 976 wrote to memory of 756	976	Adobe51990.exe	powershell.exe
PID 976 wrote to memory of 756	976	Adobe51990.exe	powershell.exe
PID 976 wrote to memory of 756	976	Adobe51990.exe	powershell.exe
PID 976 wrote to memory of 1836	976	Adobe51990.exe	Adobe51990.exe
PID 976 wrote to memory of 1836	976	Adobe51990.exe	Adobe51990.exe
PID 976 wrote to memory of 1836	976	Adobe51990.exe	Adobe51990.exe
PID 976 wrote to memory of 1836	976	Adobe51990.exe	Adobe51990.exe
PID 976 wrote to memory of 1056	976	Adobe51990.exe	Adobe51990.exe
PID 976 wrote to memory of 1056	976	Adobe51990.exe	Adobe51990.exe
PID 976 wrote to memory of 1056	976	Adobe51990.exe	Adobe51990.exe
PID 976 wrote to memory of 1056	976	Adobe51990.exe	Adobe51990.exe
PID 976 wrote to memory of 1536	976	Adobe51990.exe	Adobe51990.exe
PID 976 wrote to memory of 1536	976	Adobe51990.exe	Adobe51990.exe
PID 976 wrote to memory of 1536	976	Adobe51990.exe	Adobe51990.exe
PID 976 wrote to memory of 1536	976	Adobe51990.exe	Adobe51990.exe
PID 976 wrote to memory of 1060	976	Adobe51990.exe	Adobe51990.exe
PID 976 wrote to memory of 1060	976	Adobe51990.exe	Adobe51990.exe
PID 976 wrote to memory of 1060	976	Adobe51990.exe	Adobe51990.exe
PID 976 wrote to memory of 1060	976	Adobe51990.exe	Adobe51990.exe
PID 976 wrote to memory of 920	976	Adobe51990.exe	Adobe51990.exe
PID 976 wrote to memory of 920	976	Adobe51990.exe	Adobe51990.exe
PID 976 wrote to memory of 920	976	Adobe51990.exe	Adobe51990.exe
PID 976 wrote to memory of 920	976	Adobe51990.exe	Adobe51990.exe
PID 976 wrote to memory of 920	976	Adobe51990.exe	Adobe51990.exe
PID 976 wrote to memory of 920	976	Adobe51990.exe	Adobe51990.exe
PID 976 wrote to memory of 920	976	Adobe51990.exe	Adobe51990.exe
PID 976 wrote to memory of 920	976	Adobe51990.exe	Adobe51990.exe
PID 976 wrote to memory of 920	976	Adobe51990.exe	Adobe51990.exe
PID 976 wrote to memory of 920	976	Adobe51990.exe	Adobe51990.exe
PID 976 wrote to memory of 920	976	Adobe51990.exe	Adobe51990.exe
PID 976 wrote to memory of 920	976	Adobe51990.exe	Adobe51990.exe

C:\Users\Admin\AppData\Local\Temp\invite.exe
"C:\Users\Admin\AppData\Local\Temp\invite.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:872

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\invite.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1664

C:\Users\Admin\AppData\Local\Temp\invite.exe
"C:\Users\Admin\AppData\Local\Temp\invite.exe"
2⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:948

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell Add-MpPreference -ExclusionPath C:\
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1676

C:\Users\Admin\Documents\Adobe51990.exe
"C:\Users\Admin\Documents\Adobe51990.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:976

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\Documents\Adobe51990.exe"
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:756

C:\Users\Admin\Documents\Adobe51990.exe
"C:\Users\Admin\Documents\Adobe51990.exe"
4⤵
- Executes dropped EXE
PID:1836

C:\Users\Admin\Documents\Adobe51990.exe
"C:\Users\Admin\Documents\Adobe51990.exe"
4⤵
- Executes dropped EXE
PID:1056

C:\Users\Admin\Documents\Adobe51990.exe
"C:\Users\Admin\Documents\Adobe51990.exe"
4⤵
- Executes dropped EXE
PID:1060

C:\Users\Admin\Documents\Adobe51990.exe
"C:\Users\Admin\Documents\Adobe51990.exe"
4⤵
- Executes dropped EXE
PID:1536

C:\Users\Admin\Documents\Adobe51990.exe
"C:\Users\Admin\Documents\Adobe51990.exe"
4⤵
- Executes dropped EXE
PID:920

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
Filesize
7KB

MD5
ef101304976dbe2d714768047ab6a40b

SHA1
0d14b07fac557a37deb6bacc8173801deaeab4c8

SHA256
4e499dfd00e76925ac61986b95e50369fbb1e4f859b23367b2667f5cc62225d3

SHA512
d50071022e18a7157b0d31388de424f428d8cfa0c8aff2455b8028af4d2b674c4a7a80d7f6f5616515892a78c1469e13a1b7755c6dfa7de279729083fe42ff87

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
Filesize
7KB

MD5
ef101304976dbe2d714768047ab6a40b

SHA1
0d14b07fac557a37deb6bacc8173801deaeab4c8

SHA256
4e499dfd00e76925ac61986b95e50369fbb1e4f859b23367b2667f5cc62225d3

SHA512
d50071022e18a7157b0d31388de424f428d8cfa0c8aff2455b8028af4d2b674c4a7a80d7f6f5616515892a78c1469e13a1b7755c6dfa7de279729083fe42ff87

Download Submit
C:\Users\Admin\Documents\Adobe51990.exe
Filesize
638KB

MD5
08a704579ad1ed0cc3a868441622e942

SHA1
191a0e1e417e8925b7ba7a1e5e81581e8d148176

SHA256
a4b2dec4383a82865eacf6a167af50a2c53159cd1a51bd63d199504491fe67e0

SHA512
5bae0cd2b26ffd3ab9f074e28f406751121f6ef01dba049920cc619f541c7f24db984fbb0c4b9edafccdd16773f591c033122d43eb68acde395365b2214e67d2

Download Submit
C:\Users\Admin\Documents\Adobe51990.exe
Filesize
638KB

MD5
08a704579ad1ed0cc3a868441622e942

SHA1
191a0e1e417e8925b7ba7a1e5e81581e8d148176

SHA256
a4b2dec4383a82865eacf6a167af50a2c53159cd1a51bd63d199504491fe67e0

SHA512
5bae0cd2b26ffd3ab9f074e28f406751121f6ef01dba049920cc619f541c7f24db984fbb0c4b9edafccdd16773f591c033122d43eb68acde395365b2214e67d2

Download Submit
C:\Users\Admin\Documents\Adobe51990.exe
Filesize
638KB

MD5
08a704579ad1ed0cc3a868441622e942

SHA1
191a0e1e417e8925b7ba7a1e5e81581e8d148176

SHA256
a4b2dec4383a82865eacf6a167af50a2c53159cd1a51bd63d199504491fe67e0

SHA512
5bae0cd2b26ffd3ab9f074e28f406751121f6ef01dba049920cc619f541c7f24db984fbb0c4b9edafccdd16773f591c033122d43eb68acde395365b2214e67d2

Download Submit
C:\Users\Admin\Documents\Adobe51990.exe
Filesize
638KB

MD5
08a704579ad1ed0cc3a868441622e942

SHA1
191a0e1e417e8925b7ba7a1e5e81581e8d148176

SHA256
a4b2dec4383a82865eacf6a167af50a2c53159cd1a51bd63d199504491fe67e0

SHA512
5bae0cd2b26ffd3ab9f074e28f406751121f6ef01dba049920cc619f541c7f24db984fbb0c4b9edafccdd16773f591c033122d43eb68acde395365b2214e67d2

Download Submit
C:\Users\Admin\Documents\Adobe51990.exe
Filesize
638KB

MD5
08a704579ad1ed0cc3a868441622e942

SHA1
191a0e1e417e8925b7ba7a1e5e81581e8d148176

SHA256
a4b2dec4383a82865eacf6a167af50a2c53159cd1a51bd63d199504491fe67e0

SHA512
5bae0cd2b26ffd3ab9f074e28f406751121f6ef01dba049920cc619f541c7f24db984fbb0c4b9edafccdd16773f591c033122d43eb68acde395365b2214e67d2

Download Submit
C:\Users\Admin\Documents\Adobe51990.exe
Filesize
638KB

MD5
08a704579ad1ed0cc3a868441622e942

SHA1
191a0e1e417e8925b7ba7a1e5e81581e8d148176

SHA256
a4b2dec4383a82865eacf6a167af50a2c53159cd1a51bd63d199504491fe67e0

SHA512
5bae0cd2b26ffd3ab9f074e28f406751121f6ef01dba049920cc619f541c7f24db984fbb0c4b9edafccdd16773f591c033122d43eb68acde395365b2214e67d2

Download Submit
C:\Users\Admin\Documents\Adobe51990.exe
Filesize
638KB

MD5
08a704579ad1ed0cc3a868441622e942

SHA1
191a0e1e417e8925b7ba7a1e5e81581e8d148176

SHA256
a4b2dec4383a82865eacf6a167af50a2c53159cd1a51bd63d199504491fe67e0

SHA512
5bae0cd2b26ffd3ab9f074e28f406751121f6ef01dba049920cc619f541c7f24db984fbb0c4b9edafccdd16773f591c033122d43eb68acde395365b2214e67d2

Download Submit
\Users\Admin\Documents\Adobe51990.exe
Filesize
638KB

MD5
08a704579ad1ed0cc3a868441622e942

SHA1
191a0e1e417e8925b7ba7a1e5e81581e8d148176

SHA256
a4b2dec4383a82865eacf6a167af50a2c53159cd1a51bd63d199504491fe67e0

SHA512
5bae0cd2b26ffd3ab9f074e28f406751121f6ef01dba049920cc619f541c7f24db984fbb0c4b9edafccdd16773f591c033122d43eb68acde395365b2214e67d2

Download Submit
\Users\Admin\Documents\Adobe51990.exe
Filesize
638KB

MD5
08a704579ad1ed0cc3a868441622e942

SHA1
191a0e1e417e8925b7ba7a1e5e81581e8d148176

SHA256
a4b2dec4383a82865eacf6a167af50a2c53159cd1a51bd63d199504491fe67e0

SHA512
5bae0cd2b26ffd3ab9f074e28f406751121f6ef01dba049920cc619f541c7f24db984fbb0c4b9edafccdd16773f591c033122d43eb68acde395365b2214e67d2

Download Submit
memory/756-93-0x0000000000000000-mapping.dmp

Download
memory/756-118-0x000000006F1D0000-0x000000006F77B000-memory.dmp

Filesize
5.7MB

Download
memory/756-104-0x000000006F1D0000-0x000000006F77B000-memory.dmp

Filesize
5.7MB

Download
memory/872-54-0x0000000000990000-0x0000000000A36000-memory.dmp

Filesize
664KB

Download
memory/872-60-0x00000000048B0000-0x00000000048E6000-memory.dmp

Filesize
216KB

Download
memory/872-58-0x0000000005390000-0x00000000053FE000-memory.dmp

Filesize
440KB

Download
memory/872-57-0x00000000003D0000-0x00000000003DE000-memory.dmp

Filesize
56KB

Download
memory/872-56-0x00000000003C0000-0x00000000003D6000-memory.dmp

Filesize
88KB

Download
memory/872-55-0x00000000760A1000-0x00000000760A3000-memory.dmp

Filesize
8KB

Download
memory/920-113-0x000000000040B556-mapping.dmp

Download
memory/920-117-0x0000000000400000-0x0000000000568000-memory.dmp

Filesize
1.4MB

Download
memory/920-119-0x0000000000400000-0x0000000000568000-memory.dmp

Filesize
1.4MB

Download
memory/948-68-0x0000000000400000-0x0000000000568000-memory.dmp

Filesize
1.4MB

Download
memory/948-70-0x0000000000400000-0x0000000000568000-memory.dmp

Filesize
1.4MB

Download
memory/948-62-0x0000000000400000-0x0000000000568000-memory.dmp

Filesize
1.4MB

Download
memory/948-63-0x0000000000400000-0x0000000000568000-memory.dmp

Filesize
1.4MB

Download
memory/948-65-0x0000000000400000-0x0000000000568000-memory.dmp

Filesize
1.4MB

Download
memory/948-67-0x0000000000400000-0x0000000000568000-memory.dmp

Filesize
1.4MB

Download
memory/948-92-0x0000000000400000-0x0000000000568000-memory.dmp

Filesize
1.4MB

Download
memory/948-72-0x0000000000400000-0x0000000000568000-memory.dmp

Filesize
1.4MB

Download
memory/948-78-0x0000000000400000-0x0000000000568000-memory.dmp

Filesize
1.4MB

Download
memory/948-77-0x0000000000400000-0x0000000000568000-memory.dmp

Filesize
1.4MB

Download
memory/948-73-0x0000000000400000-0x0000000000568000-memory.dmp

Filesize
1.4MB

Download
memory/948-74-0x000000000040B556-mapping.dmp

Download
memory/976-90-0x0000000000200000-0x00000000002A6000-memory.dmp

Filesize
664KB

Download
memory/976-87-0x0000000000000000-mapping.dmp

Download
memory/1664-79-0x000000006F3F0000-0x000000006F99B000-memory.dmp

Filesize
5.7MB

Download
memory/1664-80-0x000000006F3F0000-0x000000006F99B000-memory.dmp

Filesize
5.7MB

Download
memory/1664-59-0x0000000000000000-mapping.dmp

Download
memory/1676-84-0x0000000073380000-0x000000007392B000-memory.dmp

Filesize
5.7MB

Download
memory/1676-81-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads