warzonerat | eb508dd16e3181fcb87e35f363a62ac67c3851b414b20d7e83825733cf4dc56d

General

Target

5a39f9dbd5c6cee8dce9d113c484d794045d72f3258e1959d34c14e673803260.exe
Size

202KB
MD5

05ca94d88d462bef2458ec93ed42df23
SHA1

bc749bbfef60caac3ae0a3b6324767532c9e43dd
SHA256

5a39f9dbd5c6cee8dce9d113c484d794045d72f3258e1959d34c14e673803260
SHA512

b88729322928ce573c93cfdee9979bea525902fa71c96c5f43ca2370ca3d841b4708e89b5205a4404dc9af36526e5ca8b719d08c1bfc663358b799e492efa923
SSDEEP

3072:2fY/TU9fE9PEtu9brXRHwio/QbIFBo93nmpeBTJ1N+Mmc/8CWbqQZU8hbpUVS:gYa6TrFH3kE92pe9Jx/ZWbqunhKVS

Score

10^/10

warzonerat infostealer persistence rat

Malware Config

Extracted

Family

warzonerat

C2

macking.duckdns.org:1104

Signatures

WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
rat infostealer warzonerat

Warzone RAT payload 3 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/1404-143-0x0000000000250000-0x000000000026D000-memory.dmp	warzonerat
behavioral2/memory/1404-151-0x0000000000250000-0x000000000026D000-memory.dmp	warzonerat
behavioral2/memory/1404-156-0x0000000000250000-0x000000000026D000-memory.dmp	warzonerat

Executes dropped EXE 2 IoCs

Processes:

qihkwiwr.exeqihkwiwr.exe

pid process

4916 qihkwiwr.exe
1404 qihkwiwr.exe

pid	process
4916	qihkwiwr.exe
1404	qihkwiwr.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

qihkwiwr.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bktp = "C:\\Users\\Admin\\AppData\\Roaming\\rbwgplueyie\\nwsclhqmvf.exe \"C:\\Users\\Admin\\AppData\\Local\\Temp\\qihkwiwr.exe\" C:\\Users\\Admin\\AppData\\"	qihkwiwr.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

qihkwiwr.exe

description pid process target process

PID 4916 set thread context of 1404 4916 qihkwiwr.exe qihkwiwr.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

4416 1404 WerFault.exe qihkwiwr.exe
Suspicious behavior: MapViewOfSection 2 IoCs

Processes:

qihkwiwr.exe

pid process

4916 qihkwiwr.exe
4916 qihkwiwr.exe

description	pid	process	target process
PID 4916 set thread context of 1404	4916	qihkwiwr.exe	qihkwiwr.exe

pid	pid_target	process	target process
4416	1404	WerFault.exe	qihkwiwr.exe

pid	process
4916	qihkwiwr.exe
4916	qihkwiwr.exe

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

5a39f9dbd5c6cee8dce9d113c484d794045d72f3258e1959d34c14e673803260.exeqihkwiwr.exe

description	pid	process	target process
PID 4172 wrote to memory of 4916	4172	5a39f9dbd5c6cee8dce9d113c484d794045d72f3258e1959d34c14e673803260.exe	qihkwiwr.exe
PID 4172 wrote to memory of 4916	4172	5a39f9dbd5c6cee8dce9d113c484d794045d72f3258e1959d34c14e673803260.exe	qihkwiwr.exe
PID 4172 wrote to memory of 4916	4172	5a39f9dbd5c6cee8dce9d113c484d794045d72f3258e1959d34c14e673803260.exe	qihkwiwr.exe
PID 4916 wrote to memory of 1404	4916	qihkwiwr.exe	qihkwiwr.exe
PID 4916 wrote to memory of 1404	4916	qihkwiwr.exe	qihkwiwr.exe
PID 4916 wrote to memory of 1404	4916	qihkwiwr.exe	qihkwiwr.exe
PID 4916 wrote to memory of 1404	4916	qihkwiwr.exe	qihkwiwr.exe

C:\Users\Admin\AppData\Local\Temp\5a39f9dbd5c6cee8dce9d113c484d794045d72f3258e1959d34c14e673803260.exe
"C:\Users\Admin\AppData\Local\Temp\5a39f9dbd5c6cee8dce9d113c484d794045d72f3258e1959d34c14e673803260.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4172

C:\Users\Admin\AppData\Local\Temp\qihkwiwr.exe
"C:\Users\Admin\AppData\Local\Temp\qihkwiwr.exe" C:\Users\Admin\AppData\Local\Temp\pypxmwx.nj
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:4916

C:\Users\Admin\AppData\Local\Temp\qihkwiwr.exe
"C:\Users\Admin\AppData\Local\Temp\qihkwiwr.exe"
3⤵
- Executes dropped EXE
PID:1404

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1404 -s 496
4⤵
- Program crash
PID:4416

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 1404 -ip 1404
1⤵
PID:220

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\imobflh.hg
Filesize
118KB

MD5
2c38407796b326498911dfb187a41121

SHA1
1c1bbfb16a688c0d9211960cbfe529f6326c352d

SHA256
c780fc83c6d4b02b3e4e7bb5617af863c8eb69d50dc87fe10fdd639454c769fe

SHA512
144c47b0017533487af1f2ce90c3580bbcbc362764433e871ba3e407bd886e4dae84e9ec49c426cf53effe229109ff1759c26197ecc650bf764f2860f8d9b214

Download Submit
C:\Users\Admin\AppData\Local\Temp\pypxmwx.nj
Filesize
7KB

MD5
4755e9383156f864c2ed47088aab7cea

SHA1
24eee9dce490d458e09a2717cec64ad1d44f0356

SHA256
925a9b069a5135aa53016c9c1092f08bfa2af799474535ac444125b8f4e6423b

SHA512
7ec0b8980f8f671eff4196a10cb95264c013f5364d9d7974d790d5d47bdc50a9d9627219342f5dd81e9f05ecc883d167477deb9d31f18d88f220fb96d3b2dda4

Download Submit
C:\Users\Admin\AppData\Local\Temp\qihkwiwr.exe
Filesize
58KB

MD5
5630e3b1e7ea50e4ed9028dd55fcc113

SHA1
316c09e692b7ec6c594f2ae2f51ecac454efa88d

SHA256
46f74e2f7a05caf7368dfdda25f5199e4c1a14b9e800c8f9e7b54594c009438d

SHA512
92f43a1405a2559ccb58b0d089277a3e93d5312143785d11f02f395546cfb005b439ba479d6cd938b33d4560248bcb18f682027bf436d4aba7a701b01a71c8ae

Download Submit
C:\Users\Admin\AppData\Local\Temp\qihkwiwr.exe
Filesize
58KB

MD5
5630e3b1e7ea50e4ed9028dd55fcc113

SHA1
316c09e692b7ec6c594f2ae2f51ecac454efa88d

SHA256
46f74e2f7a05caf7368dfdda25f5199e4c1a14b9e800c8f9e7b54594c009438d

SHA512
92f43a1405a2559ccb58b0d089277a3e93d5312143785d11f02f395546cfb005b439ba479d6cd938b33d4560248bcb18f682027bf436d4aba7a701b01a71c8ae

Download Submit
C:\Users\Admin\AppData\Local\Temp\qihkwiwr.exe
Filesize
58KB

MD5
5630e3b1e7ea50e4ed9028dd55fcc113

SHA1
316c09e692b7ec6c594f2ae2f51ecac454efa88d

SHA256
46f74e2f7a05caf7368dfdda25f5199e4c1a14b9e800c8f9e7b54594c009438d

SHA512
92f43a1405a2559ccb58b0d089277a3e93d5312143785d11f02f395546cfb005b439ba479d6cd938b33d4560248bcb18f682027bf436d4aba7a701b01a71c8ae

Download Submit
memory/1404-143-0x0000000000250000-0x000000000026D000-memory.dmp

Filesize
116KB

Download
memory/1404-151-0x0000000000250000-0x000000000026D000-memory.dmp

Filesize
116KB

Download
memory/1404-156-0x0000000000250000-0x000000000026D000-memory.dmp

Filesize
116KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads