warzonerat | 77fd2a168f59408b5aabc59034fd351ba387c8af02d68c25b64157101457159c

General

Target

92e54cb5fb1d4e2c874f09b5c10a617dc00d845970c094e426683d6989c5a182.exe
Size

203KB
MD5

8c8ee58eacb110d5598f723ecd7e948c
SHA1

b9be417a07aa65a317001ba2976cdd80fb267174
SHA256

92e54cb5fb1d4e2c874f09b5c10a617dc00d845970c094e426683d6989c5a182
SHA512

d474c65d401f18fc2343fd086ed1581df4adf1edbf087f1a0a72e97e7c4fc17bb804e7739eb27b5715614ea9071078cc385e3351375d9a89228865f3a072a4a7
SSDEEP

3072:WfY/TU9fE9PEtuNb246i/iIasUc9dWaYU2WfDRuTDP3KlORQ8TsN543G+RWuWCBg:AYa6724zLasU+6UZfDon/8h8e6WqFY

Score

10^/10

warzonerat infostealer persistence rat

Malware Config

Extracted

Family

warzonerat

C2

omerlan.duckdns.org:6548

Signatures

WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
rat infostealer warzonerat

Warzone RAT payload 3 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/4796-143-0x0000000000400000-0x000000000041D000-memory.dmp	warzonerat
behavioral2/memory/4796-146-0x0000000000400000-0x000000000041D000-memory.dmp	warzonerat
behavioral2/memory/4796-148-0x0000000000400000-0x000000000041D000-memory.dmp	warzonerat

Executes dropped EXE 2 IoCs

Processes:

nttjjyrr.exenttjjyrr.exe

pid process

1832 nttjjyrr.exe
4796 nttjjyrr.exe

pid	process
1832	nttjjyrr.exe
4796	nttjjyrr.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

nttjjyrr.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\oxtdmirbwg = "C:\\Users\\Admin\\AppData\\Roaming\\wgpktdyienwsc\\lhqmvfbkt.exe \"C:\\Users\\Admin\\AppData\\Local\\Temp\\nttjjyrr.exe\" C:\\Users\\Admin\\AppData"	nttjjyrr.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

nttjjyrr.exe

description pid process target process

PID 1832 set thread context of 4796 1832 nttjjyrr.exe nttjjyrr.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

nttjjyrr.exe

pid process

1832 nttjjyrr.exe

description	pid	process	target process
PID 1832 set thread context of 4796	1832	nttjjyrr.exe	nttjjyrr.exe

pid	process
1832	nttjjyrr.exe

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

92e54cb5fb1d4e2c874f09b5c10a617dc00d845970c094e426683d6989c5a182.exenttjjyrr.exe

description	pid	process	target process
PID 3340 wrote to memory of 1832	3340	92e54cb5fb1d4e2c874f09b5c10a617dc00d845970c094e426683d6989c5a182.exe	nttjjyrr.exe
PID 3340 wrote to memory of 1832	3340	92e54cb5fb1d4e2c874f09b5c10a617dc00d845970c094e426683d6989c5a182.exe	nttjjyrr.exe
PID 3340 wrote to memory of 1832	3340	92e54cb5fb1d4e2c874f09b5c10a617dc00d845970c094e426683d6989c5a182.exe	nttjjyrr.exe
PID 1832 wrote to memory of 4796	1832	nttjjyrr.exe	nttjjyrr.exe
PID 1832 wrote to memory of 4796	1832	nttjjyrr.exe	nttjjyrr.exe
PID 1832 wrote to memory of 4796	1832	nttjjyrr.exe	nttjjyrr.exe
PID 1832 wrote to memory of 4796	1832	nttjjyrr.exe	nttjjyrr.exe

C:\Users\Admin\AppData\Local\Temp\92e54cb5fb1d4e2c874f09b5c10a617dc00d845970c094e426683d6989c5a182.exe
"C:\Users\Admin\AppData\Local\Temp\92e54cb5fb1d4e2c874f09b5c10a617dc00d845970c094e426683d6989c5a182.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3340

C:\Users\Admin\AppData\Local\Temp\nttjjyrr.exe
"C:\Users\Admin\AppData\Local\Temp\nttjjyrr.exe" C:\Users\Admin\AppData\Local\Temp\kdcmehojesw.kx
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1832

C:\Users\Admin\AppData\Local\Temp\nttjjyrr.exe
"C:\Users\Admin\AppData\Local\Temp\nttjjyrr.exe"
3⤵
- Executes dropped EXE
PID:4796

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\kdcmehojesw.kx
Filesize
7KB

MD5
3df01ccac0d4f8bedf06f9bbe8d0b1d0

SHA1
56dfc98100beefff888f9bd3f6a1b412a4ef0a19

SHA256
6e84b4ac8c91dcf78556eec5eb4ca7065135f817adb16ebc31909515d061efc0

SHA512
184cf89292435517071bb03ab944ae660beab9189589c5485c508cb994c5171a078bc2a5d8a2245fa48709935850adcd28b1628eeeab60ab17336d8be3d1b4a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\nttjjyrr.exe
Filesize
58KB

MD5
805914c8a9239aeb17b432791a3dca07

SHA1
314aa922b74b564b02830f9cb80c3e093bfc71f0

SHA256
afdccf27e41d093f9f0b197d600a8b720ddd0faa6f68161a068f2fce30d12cb4

SHA512
e10d0f7eef36277c537bf2fb7984f36e32b62dc03be2702b520cfc3b6bfee0c124f3b263560fe8140dd7832c6d993ddc730eedd2366f542dc417d48a46154d87

Download Submit
C:\Users\Admin\AppData\Local\Temp\nttjjyrr.exe
Filesize
58KB

MD5
805914c8a9239aeb17b432791a3dca07

SHA1
314aa922b74b564b02830f9cb80c3e093bfc71f0

SHA256
afdccf27e41d093f9f0b197d600a8b720ddd0faa6f68161a068f2fce30d12cb4

SHA512
e10d0f7eef36277c537bf2fb7984f36e32b62dc03be2702b520cfc3b6bfee0c124f3b263560fe8140dd7832c6d993ddc730eedd2366f542dc417d48a46154d87

Download Submit
C:\Users\Admin\AppData\Local\Temp\nttjjyrr.exe
Filesize
58KB

MD5
805914c8a9239aeb17b432791a3dca07

SHA1
314aa922b74b564b02830f9cb80c3e093bfc71f0

SHA256
afdccf27e41d093f9f0b197d600a8b720ddd0faa6f68161a068f2fce30d12cb4

SHA512
e10d0f7eef36277c537bf2fb7984f36e32b62dc03be2702b520cfc3b6bfee0c124f3b263560fe8140dd7832c6d993ddc730eedd2366f542dc417d48a46154d87

Download Submit
C:\Users\Admin\AppData\Local\Temp\vtxkeah.iwn
Filesize
118KB

MD5
7bdd3e797de8b4d3c96563011d41ae3d

SHA1
c9786401dbeb13b7d09e05399aedb20cf7b74083

SHA256
a827f35604a2c8b581bb84668798d9eb26b4bc1d0a959eddc081ede0d094ea5b

SHA512
b2a8cd0a30df32bde1d2faeeebcdc99067ad5da1880113c3bfe5d7ff2e8396d7124237686779cb19cf71814d52ab08f626dc8be9aa553e3521b0a16a73a4020a

Download Submit
memory/4796-143-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/4796-146-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/4796-148-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads