warzonerat | e8b24f1b5c30ecbce61d6f9ae17c3f84b45a14cb2f97399b581656d5a63cdc93

Analysis

max time kernel
117s
max time network
120s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
20-09-2023 08:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

GN9RraXeXEBgOFw.exe
Size

502KB
MD5

a1e4735b4aaecb5d1e7b2b14c9f10b9f
SHA1

3345d8e116ddef9ca6ae902d427902299b54cce3
SHA256

e829d7199bc4b9903390779d67bc19fd7ecf51f5f9d449903e5baad0109e59a8
SHA512

ea04af1c3fdf7caf771384e9f5f710e850f0c1e8d5e00c03ec4fd8fee3c56f03d784c0db0ca9ca702a2650d6bba1b45971b6fd3a524dc7ec72db4625a05ad091
SSDEEP

12288:TBi0blTWLxWzw2LRYYDLieFAh+Zf5tT0/:ljlTWLxU7HieFECh+

Score

10^/10

warzonerat infostealer rat

Malware Config

Extracted

Family

warzonerat

191.101.130.113:8907

Signatures

WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
rat infostealer warzonerat

Warzone RAT payload 7 IoCs

rat

resource	yara_rule
behavioral1/memory/2508-24-0x0000000000400000-0x0000000000554000-memory.dmp	warzonerat
behavioral1/memory/2508-25-0x0000000000400000-0x0000000000554000-memory.dmp	warzonerat
behavioral1/memory/2508-27-0x0000000000400000-0x0000000000554000-memory.dmp	warzonerat
behavioral1/memory/2508-29-0x0000000000400000-0x0000000000554000-memory.dmp	warzonerat
behavioral1/memory/2508-37-0x0000000000400000-0x0000000000554000-memory.dmp	warzonerat
behavioral1/memory/2508-40-0x0000000000400000-0x0000000000554000-memory.dmp	warzonerat
behavioral1/memory/2632-42-0x0000000002950000-0x0000000002990000-memory.dmp	warzonerat

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2420 set thread context of 2508	2420	GN9RraXeXEBgOFw.exe	36

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1204	2508	WerFault.exe	36

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2344	schtasks.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

pid	Process
2420	GN9RraXeXEBgOFw.exe
2420	GN9RraXeXEBgOFw.exe
2420	GN9RraXeXEBgOFw.exe
2788	powershell.exe
2632	powershell.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	2420	GN9RraXeXEBgOFw.exe
Token: SeDebugPrivilege	2788	powershell.exe
Token: SeDebugPrivilege	2632	powershell.exe

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 2420 wrote to memory of 2632	2420	GN9RraXeXEBgOFw.exe	30
PID 2420 wrote to memory of 2632	2420	GN9RraXeXEBgOFw.exe	30
PID 2420 wrote to memory of 2632	2420	GN9RraXeXEBgOFw.exe	30
PID 2420 wrote to memory of 2632	2420	GN9RraXeXEBgOFw.exe	30
PID 2420 wrote to memory of 2788	2420	GN9RraXeXEBgOFw.exe	32
PID 2420 wrote to memory of 2788	2420	GN9RraXeXEBgOFw.exe	32
PID 2420 wrote to memory of 2788	2420	GN9RraXeXEBgOFw.exe	32
PID 2420 wrote to memory of 2788	2420	GN9RraXeXEBgOFw.exe	32
PID 2420 wrote to memory of 2344	2420	GN9RraXeXEBgOFw.exe	34
PID 2420 wrote to memory of 2344	2420	GN9RraXeXEBgOFw.exe	34
PID 2420 wrote to memory of 2344	2420	GN9RraXeXEBgOFw.exe	34
PID 2420 wrote to memory of 2344	2420	GN9RraXeXEBgOFw.exe	34
PID 2420 wrote to memory of 2508	2420	GN9RraXeXEBgOFw.exe	36
PID 2420 wrote to memory of 2508	2420	GN9RraXeXEBgOFw.exe	36
PID 2420 wrote to memory of 2508	2420	GN9RraXeXEBgOFw.exe	36
PID 2420 wrote to memory of 2508	2420	GN9RraXeXEBgOFw.exe	36
PID 2420 wrote to memory of 2508	2420	GN9RraXeXEBgOFw.exe	36
PID 2420 wrote to memory of 2508	2420	GN9RraXeXEBgOFw.exe	36
PID 2420 wrote to memory of 2508	2420	GN9RraXeXEBgOFw.exe	36
PID 2420 wrote to memory of 2508	2420	GN9RraXeXEBgOFw.exe	36
PID 2420 wrote to memory of 2508	2420	GN9RraXeXEBgOFw.exe	36
PID 2420 wrote to memory of 2508	2420	GN9RraXeXEBgOFw.exe	36
PID 2420 wrote to memory of 2508	2420	GN9RraXeXEBgOFw.exe	36
PID 2420 wrote to memory of 2508	2420	GN9RraXeXEBgOFw.exe	36
PID 2508 wrote to memory of 1204	2508	GN9RraXeXEBgOFw.exe	37
PID 2508 wrote to memory of 1204	2508	GN9RraXeXEBgOFw.exe	37
PID 2508 wrote to memory of 1204	2508	GN9RraXeXEBgOFw.exe	37
PID 2508 wrote to memory of 1204	2508	GN9RraXeXEBgOFw.exe	37

C:\Users\Admin\AppData\Local\Temp\GN9RraXeXEBgOFw.exe
"C:\Users\Admin\AppData\Local\Temp\GN9RraXeXEBgOFw.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2420
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\GN9RraXeXEBgOFw.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2632
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\ByIPbbiqK.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2788
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ByIPbbiqK" /XML "C:\Users\Admin\AppData\Local\Temp\tmpE743.tmp"
  2⤵
  - Creates scheduled task(s)
  PID:2344
- C:\Users\Admin\AppData\Local\Temp\GN9RraXeXEBgOFw.exe
  "C:\Users\Admin\AppData\Local\Temp\GN9RraXeXEBgOFw.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2508
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2508 -s 200
    3⤵
    - Program crash
    PID:1204

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpE743.tmp

Filesize
1KB

MD5
5ccc5da82e3a86f9ab8ecf87f6c68e9b

SHA1
aed9643b2480351e50f3e9e63d51ab9cb234726b

SHA256
fbeb9344dbb17d4906efa44b93439df82294860cd2a7b7d41ebc2f3559b82c6f

SHA512
bc6b159a82103df391d07371a669846cf221aef6d57af50acf11db43e98aa34fdc04bfe294cb36d019b7479a41b42b05b473494b67b4a2ba7c6f89409ade6c4d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\IFM2AO3EFF1N9BJ1PJVA.temp

Filesize
7KB

MD5
f48f5e90103bc43de58ce03a97005096

SHA1
97d180e4cad34a6965b726967fc29113d22d98c2

SHA256
a1c125035dabffa0e15fdcdbe86c1dddc424621694f17afe5c1a050bb139dcf1

SHA512
19a2780d75924b17bb24c053f64d90b2cfb7303502b7140493bd3e641caafcd8268d2dc78c7756b6fd38637fbfcddfa61827b44009674d41fbe3279e0da07beb

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
f48f5e90103bc43de58ce03a97005096

SHA1
97d180e4cad34a6965b726967fc29113d22d98c2

SHA256
a1c125035dabffa0e15fdcdbe86c1dddc424621694f17afe5c1a050bb139dcf1

SHA512
19a2780d75924b17bb24c053f64d90b2cfb7303502b7140493bd3e641caafcd8268d2dc78c7756b6fd38637fbfcddfa61827b44009674d41fbe3279e0da07beb

Download Submit
memory/2420-3-0x0000000000340000-0x0000000000352000-memory.dmp

Filesize
72KB

Download
memory/2420-4-0x00000000744B0000-0x0000000074B9E000-memory.dmp

Filesize
6.9MB

Download
memory/2420-5-0x0000000004DC0000-0x0000000004E00000-memory.dmp

Filesize
256KB

Download
memory/2420-6-0x00000000004D0000-0x00000000004D8000-memory.dmp

Filesize
32KB

Download
memory/2420-7-0x0000000000620000-0x000000000062C000-memory.dmp

Filesize
48KB

Download
memory/2420-8-0x0000000004C50000-0x0000000004CAC000-memory.dmp

Filesize
368KB

Download
memory/2420-0-0x0000000000D00000-0x0000000000D82000-memory.dmp

Filesize
520KB

Download
memory/2420-2-0x0000000004DC0000-0x0000000004E00000-memory.dmp

Filesize
256KB

Download
memory/2420-1-0x00000000744B0000-0x0000000074B9E000-memory.dmp

Filesize
6.9MB

Download
memory/2420-41-0x00000000744B0000-0x0000000074B9E000-memory.dmp

Filesize
6.9MB

Download
memory/2508-24-0x0000000000400000-0x0000000000554000-memory.dmp

Filesize
1.3MB

Download
memory/2508-40-0x0000000000400000-0x0000000000554000-memory.dmp

Filesize
1.3MB

Download
memory/2508-25-0x0000000000400000-0x0000000000554000-memory.dmp

Filesize
1.3MB

Download
memory/2508-21-0x0000000000400000-0x0000000000554000-memory.dmp

Filesize
1.3MB

Download
memory/2508-27-0x0000000000400000-0x0000000000554000-memory.dmp

Filesize
1.3MB

Download
memory/2508-22-0x0000000000400000-0x0000000000554000-memory.dmp

Filesize
1.3MB

Download
memory/2508-23-0x0000000000400000-0x0000000000554000-memory.dmp

Filesize
1.3MB

Download
memory/2508-37-0x0000000000400000-0x0000000000554000-memory.dmp

Filesize
1.3MB

Download
memory/2508-29-0x0000000000400000-0x0000000000554000-memory.dmp

Filesize
1.3MB

Download
memory/2508-33-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2632-34-0x0000000002950000-0x0000000002990000-memory.dmp

Filesize
256KB

Download
memory/2632-32-0x000000006DFD0000-0x000000006E57B000-memory.dmp

Filesize
5.7MB

Download
memory/2632-42-0x0000000002950000-0x0000000002990000-memory.dmp

Filesize
256KB

Download
memory/2632-44-0x000000006DFD0000-0x000000006E57B000-memory.dmp

Filesize
5.7MB

Download
memory/2788-36-0x000000006DFD0000-0x000000006E57B000-memory.dmp

Filesize
5.7MB

Download
memory/2788-38-0x00000000029D0000-0x0000000002A10000-memory.dmp

Filesize
256KB

Download
memory/2788-30-0x000000006DFD0000-0x000000006E57B000-memory.dmp

Filesize
5.7MB

Download
memory/2788-43-0x000000006DFD0000-0x000000006E57B000-memory.dmp

Filesize
5.7MB

Download