warzonerat | 18fcb8604dc88c010d786be917f618a461876f5db6f80f1f8a64bc3b8fe48a98

Resubmissions

24-07-2023 06:32

230724-haylwaag65 10

16-07-2023 18:15

230716-wwbacshb7z 10

Analysis

max time kernel
146s
max time network
221s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
24-07-2023 06:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

20573eab37017ad0c5ad37228fdcc5e6f5c64dddbb275f50ee4dcc8dc3d43145.exe
Size

643KB
MD5

e61dffb557266167a4b9c244c8c8a699
SHA1

7e0b819ba7163f7837a5fedb9d4f0cf28050a02b
SHA256

20573eab37017ad0c5ad37228fdcc5e6f5c64dddbb275f50ee4dcc8dc3d43145
SHA512

4bc7d31c2b701eb6350c8eb14f9b7c9e9671482d487962474f8ea061b8bd7bac27165321e4837880ff7a103e9c32ae2c74f135daf43847f9e5748969c7b0a1f6
SSDEEP

12288:Cu3dK1q9I6/kldSCcSplYstzDyaod+ik4g8y3SoD:CuNKO/SvDzW2rEloD

Score

10^/10

warzonerat infostealer rat

Malware Config

Extracted

Family

warzonerat

158.69.115.206:5200

Signatures

WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
rat infostealer warzonerat

Warzone RAT payload 4 IoCs

rat

Processes:

resource	yara_rule
behavioral20/memory/1956-146-0x0000000000400000-0x0000000000554000-memory.dmp	warzonerat
behavioral20/memory/1956-149-0x0000000000400000-0x0000000000554000-memory.dmp	warzonerat
behavioral20/memory/1956-151-0x0000000000400000-0x0000000000554000-memory.dmp	warzonerat
behavioral20/memory/1956-152-0x0000000000400000-0x0000000000554000-memory.dmp	warzonerat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

20573eab37017ad0c5ad37228fdcc5e6f5c64dddbb275f50ee4dcc8dc3d43145.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000\Control Panel\International\Geo\Nation	20573eab37017ad0c5ad37228fdcc5e6f5c64dddbb275f50ee4dcc8dc3d43145.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

20573eab37017ad0c5ad37228fdcc5e6f5c64dddbb275f50ee4dcc8dc3d43145.exe

description	pid	process	target process
PID 2164 set thread context of 1956	2164	20573eab37017ad0c5ad37228fdcc5e6f5c64dddbb275f50ee4dcc8dc3d43145.exe	20573eab37017ad0c5ad37228fdcc5e6f5c64dddbb275f50ee4dcc8dc3d43145.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exe

pid process

2660 schtasks.exe

pid	process
2660	schtasks.exe

Suspicious use of WriteProcessMemory 14 IoCs

Processes:

20573eab37017ad0c5ad37228fdcc5e6f5c64dddbb275f50ee4dcc8dc3d43145.exe

description	pid	process	target process
PID 2164 wrote to memory of 2660	2164	20573eab37017ad0c5ad37228fdcc5e6f5c64dddbb275f50ee4dcc8dc3d43145.exe	schtasks.exe
PID 2164 wrote to memory of 2660	2164	20573eab37017ad0c5ad37228fdcc5e6f5c64dddbb275f50ee4dcc8dc3d43145.exe	schtasks.exe
PID 2164 wrote to memory of 2660	2164	20573eab37017ad0c5ad37228fdcc5e6f5c64dddbb275f50ee4dcc8dc3d43145.exe	schtasks.exe
PID 2164 wrote to memory of 1956	2164	20573eab37017ad0c5ad37228fdcc5e6f5c64dddbb275f50ee4dcc8dc3d43145.exe	20573eab37017ad0c5ad37228fdcc5e6f5c64dddbb275f50ee4dcc8dc3d43145.exe
PID 2164 wrote to memory of 1956	2164	20573eab37017ad0c5ad37228fdcc5e6f5c64dddbb275f50ee4dcc8dc3d43145.exe	20573eab37017ad0c5ad37228fdcc5e6f5c64dddbb275f50ee4dcc8dc3d43145.exe
PID 2164 wrote to memory of 1956	2164	20573eab37017ad0c5ad37228fdcc5e6f5c64dddbb275f50ee4dcc8dc3d43145.exe	20573eab37017ad0c5ad37228fdcc5e6f5c64dddbb275f50ee4dcc8dc3d43145.exe
PID 2164 wrote to memory of 1956	2164	20573eab37017ad0c5ad37228fdcc5e6f5c64dddbb275f50ee4dcc8dc3d43145.exe	20573eab37017ad0c5ad37228fdcc5e6f5c64dddbb275f50ee4dcc8dc3d43145.exe
PID 2164 wrote to memory of 1956	2164	20573eab37017ad0c5ad37228fdcc5e6f5c64dddbb275f50ee4dcc8dc3d43145.exe	20573eab37017ad0c5ad37228fdcc5e6f5c64dddbb275f50ee4dcc8dc3d43145.exe
PID 2164 wrote to memory of 1956	2164	20573eab37017ad0c5ad37228fdcc5e6f5c64dddbb275f50ee4dcc8dc3d43145.exe	20573eab37017ad0c5ad37228fdcc5e6f5c64dddbb275f50ee4dcc8dc3d43145.exe
PID 2164 wrote to memory of 1956	2164	20573eab37017ad0c5ad37228fdcc5e6f5c64dddbb275f50ee4dcc8dc3d43145.exe	20573eab37017ad0c5ad37228fdcc5e6f5c64dddbb275f50ee4dcc8dc3d43145.exe
PID 2164 wrote to memory of 1956	2164	20573eab37017ad0c5ad37228fdcc5e6f5c64dddbb275f50ee4dcc8dc3d43145.exe	20573eab37017ad0c5ad37228fdcc5e6f5c64dddbb275f50ee4dcc8dc3d43145.exe
PID 2164 wrote to memory of 1956	2164	20573eab37017ad0c5ad37228fdcc5e6f5c64dddbb275f50ee4dcc8dc3d43145.exe	20573eab37017ad0c5ad37228fdcc5e6f5c64dddbb275f50ee4dcc8dc3d43145.exe
PID 2164 wrote to memory of 1956	2164	20573eab37017ad0c5ad37228fdcc5e6f5c64dddbb275f50ee4dcc8dc3d43145.exe	20573eab37017ad0c5ad37228fdcc5e6f5c64dddbb275f50ee4dcc8dc3d43145.exe
PID 2164 wrote to memory of 1956	2164	20573eab37017ad0c5ad37228fdcc5e6f5c64dddbb275f50ee4dcc8dc3d43145.exe	20573eab37017ad0c5ad37228fdcc5e6f5c64dddbb275f50ee4dcc8dc3d43145.exe

C:\Users\Admin\AppData\Local\Temp\20573eab37017ad0c5ad37228fdcc5e6f5c64dddbb275f50ee4dcc8dc3d43145.exe
"C:\Users\Admin\AppData\Local\Temp\20573eab37017ad0c5ad37228fdcc5e6f5c64dddbb275f50ee4dcc8dc3d43145.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2164

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\claEBJylszqC" /XML "C:\Users\Admin\AppData\Local\Temp\tmpF16B.tmp"
2⤵
- Creates scheduled task(s)
PID:2660

C:\Users\Admin\AppData\Local\Temp\20573eab37017ad0c5ad37228fdcc5e6f5c64dddbb275f50ee4dcc8dc3d43145.exe
"{path}"
2⤵
PID:1956

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpF16B.tmp
Filesize
1KB

MD5
1c1c60a0ead385ecd4a3ddb592bdc40f

SHA1
d9c5b653f53fe3d02e020045481ab5dca551c0b6

SHA256
73de408063a54ee44a840f4f80262251986e9b7b5e89ed306cfe7b9a164aa985

SHA512
819946ede86870ff7b285b9e4d49466c016c6775a07179e11c91a5b96680047aa3fd04604bb73bafd09c6eee2abf3fed747728339de2f97fb6db274cbb76da48

Download Submit
memory/1956-152-0x0000000000400000-0x0000000000554000-memory.dmp

Filesize
1.3MB

Download
memory/1956-151-0x0000000000400000-0x0000000000554000-memory.dmp

Filesize
1.3MB

Download
memory/1956-149-0x0000000000400000-0x0000000000554000-memory.dmp

Filesize
1.3MB

Download
memory/1956-146-0x0000000000400000-0x0000000000554000-memory.dmp

Filesize
1.3MB

Download
memory/2164-142-0x00000000062D0000-0x0000000006874000-memory.dmp

Filesize
5.6MB

Download
memory/2164-136-0x0000000074890000-0x0000000075040000-memory.dmp

Filesize
7.7MB

Download
memory/2164-141-0x0000000005790000-0x00000000057A0000-memory.dmp

Filesize
64KB

Download
memory/2164-140-0x0000000074890000-0x0000000075040000-memory.dmp

Filesize
7.7MB

Download
memory/2164-150-0x0000000074890000-0x0000000075040000-memory.dmp

Filesize
7.7MB

Download
memory/2164-139-0x00000000055D0000-0x0000000005662000-memory.dmp

Filesize
584KB

Download
memory/2164-138-0x00000000054C0000-0x000000000555C000-memory.dmp

Filesize
624KB

Download
memory/2164-137-0x0000000000A80000-0x0000000000B28000-memory.dmp

Filesize
672KB

Download