warzonerat | c8007f5d3d8770320aa06642b4363f60d8caa0056507a6e1bf94dfb38b786f97

General

Target

Quotation 202311025_PDF.scr
Size

24KB
MD5

f1ed9f09ea489162b2a5ef0c4d285503
SHA1

5e1b5599aef58f90e4ad3efa43661a1d7cc4ed6c
SHA256

c8007f5d3d8770320aa06642b4363f60d8caa0056507a6e1bf94dfb38b786f97
SHA512

4dfa6ad16b68bcc15362a93ef970bde290a654f67df507d8a3e8976ae45d38a4603184ad79fb7099de5fdaed637b8291022c3af3a374435428cc99512403252a
SSDEEP

384:iJg3aSz4PT02opvtOvt6Y4BwEapWNJR+:iW3Dl2oZU1ZdWNJR

Score

10^/10

warzonerat infostealer persistence rat

Malware Config

Extracted

Family

warzonerat

C2

37.120.155.179:52920

Signatures

WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
rat infostealer warzonerat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation	Quotation 202311025_PDF.scr

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Qreoiutud = "\"C:\\Users\\Admin\\AppData\\Roaming\\Nqzrmbza\\Qreoiutud.exe\""	Quotation 202311025_PDF.scr

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2728 set thread context of 1808	2728	Quotation 202311025_PDF.scr	90

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Gathers network information 2 TTPs 2 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command-Line Interface

T1059

pid	Process
4408	ipconfig.exe
4016	ipconfig.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4784	powershell.exe
4784	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2728	Quotation 202311025_PDF.scr
Token: SeDebugPrivilege	4784	powershell.exe

Suspicious use of WriteProcessMemory 25 IoCs

description	pid	Process	procid_target
PID 2728 wrote to memory of 1280	2728	Quotation 202311025_PDF.scr	82
PID 2728 wrote to memory of 1280	2728	Quotation 202311025_PDF.scr	82
PID 2728 wrote to memory of 1280	2728	Quotation 202311025_PDF.scr	82
PID 1280 wrote to memory of 4408	1280	cmd.exe	84
PID 1280 wrote to memory of 4408	1280	cmd.exe	84
PID 1280 wrote to memory of 4408	1280	cmd.exe	84
PID 2728 wrote to memory of 4784	2728	Quotation 202311025_PDF.scr	85
PID 2728 wrote to memory of 4784	2728	Quotation 202311025_PDF.scr	85
PID 2728 wrote to memory of 4784	2728	Quotation 202311025_PDF.scr	85
PID 2728 wrote to memory of 4264	2728	Quotation 202311025_PDF.scr	87
PID 2728 wrote to memory of 4264	2728	Quotation 202311025_PDF.scr	87
PID 2728 wrote to memory of 4264	2728	Quotation 202311025_PDF.scr	87
PID 4264 wrote to memory of 4016	4264	cmd.exe	89
PID 4264 wrote to memory of 4016	4264	cmd.exe	89
PID 4264 wrote to memory of 4016	4264	cmd.exe	89
PID 2728 wrote to memory of 1808	2728	Quotation 202311025_PDF.scr	90
PID 2728 wrote to memory of 1808	2728	Quotation 202311025_PDF.scr	90
PID 2728 wrote to memory of 1808	2728	Quotation 202311025_PDF.scr	90
PID 2728 wrote to memory of 1808	2728	Quotation 202311025_PDF.scr	90
PID 2728 wrote to memory of 1808	2728	Quotation 202311025_PDF.scr	90
PID 2728 wrote to memory of 1808	2728	Quotation 202311025_PDF.scr	90
PID 2728 wrote to memory of 1808	2728	Quotation 202311025_PDF.scr	90
PID 2728 wrote to memory of 1808	2728	Quotation 202311025_PDF.scr	90
PID 2728 wrote to memory of 1808	2728	Quotation 202311025_PDF.scr	90
PID 2728 wrote to memory of 1808	2728	Quotation 202311025_PDF.scr	90

C:\Users\Admin\AppData\Local\Temp\Quotation 202311025_PDF.scr
"C:\Users\Admin\AppData\Local\Temp\Quotation 202311025_PDF.scr" /S
1⤵
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2728
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c ipconfig/release
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1280
- - C:\Windows\SysWOW64\ipconfig.exe
    ipconfig /release
    3⤵
    - Gathers network information
    PID:4408
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMgAwAA==
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4784
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c ipconfig/renew
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4264
- - C:\Windows\SysWOW64\ipconfig.exe
    ipconfig /renew
    3⤵
    - Gathers network information
    PID:4016
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
  2⤵
  PID:1808

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Command-Line Interface

1

T1059

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

3

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1808-152-0x0000000000400000-0x000000000055E000-memory.dmp

Filesize
1.4MB

Download
memory/1808-151-0x0000000000400000-0x000000000055E000-memory.dmp

Filesize
1.4MB

Download
memory/1808-149-0x0000000000400000-0x000000000055E000-memory.dmp

Filesize
1.4MB

Download
memory/1808-147-0x0000000000400000-0x000000000055E000-memory.dmp

Filesize
1.4MB

Download
memory/2728-133-0x0000000006570000-0x0000000006592000-memory.dmp

Filesize
136KB

Download
memory/2728-132-0x00000000003D0000-0x00000000003DC000-memory.dmp

Filesize
48KB

Download
memory/4784-143-0x0000000006520000-0x000000000653A000-memory.dmp

Filesize
104KB

Download
memory/4784-142-0x0000000007690000-0x0000000007D0A000-memory.dmp

Filesize
6.5MB

Download
memory/4784-141-0x0000000006000000-0x000000000601E000-memory.dmp

Filesize
120KB

Download
memory/4784-140-0x00000000059B0000-0x0000000005A16000-memory.dmp

Filesize
408KB

Download
memory/4784-139-0x0000000005810000-0x0000000005876000-memory.dmp

Filesize
408KB

Download
memory/4784-138-0x0000000005170000-0x0000000005798000-memory.dmp

Filesize
6.2MB

Download
memory/4784-137-0x0000000002A20000-0x0000000002A56000-memory.dmp

Filesize
216KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads