Malware Analysis Report

2025-03-15 06:29

Sample ID 240128-1cp2macafl
Target 7e0d687a05b42eb2cad9b5b032c64236
SHA256 b29677743d023f9cf580329bb23e35f57f030e27f5562e8ffa902cbd83373f09
Tags
warzonerat infostealer rat
score
10/10

Analysis Overview

score
10/10

SHA256

b29677743d023f9cf580329bb23e35f57f030e27f5562e8ffa902cbd83373f09

Threat Level: Known bad

The file 7e0d687a05b42eb2cad9b5b032c64236 was found to be: Known bad.

Malicious Activity Summary

warzonerat infostealer rat

WarzoneRat, AveMaria

Warzone RAT payload

CustAttr .NET packer

Checks computer location settings

Suspicious use of SetThreadContext

Enumerates physical storage devices

Program crash

Unsigned PE

Creates scheduled task(s)

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Analysis: static1

Detonation Overview

Reported

2024-01-28 21:30

Signatures

Unsigned PE

Description  Indicator  Process  Target
N/A          N/A        N/A      N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-01-28 21:30

Reported

2024-01-28 21:33

Platform

win7-20231215-en

Max time kernel

117s

Max time network

118s

Command Line

"C:\Users\Admin\AppData\Local\Temp\7e0d687a05b42eb2cad9b5b032c64236.exe"

Signatures

WarzoneRat, AveMaria

rat infostealer warzonerat

CustAttr .NET packer

Description  Indicator  Process  Target
N/A          N/A        N/A      N/A

Warzone RAT payload

rat
Description  Indicator  Process  Target
N/A          N/A        N/A      N/A    (6 matches, no indicator details recorded)

Suspicious use of SetThreadContext

Description                           Indicator  Process                                                                   Target
PID 3036 set thread context of 2004   N/A        C:\Users\Admin\AppData\Local\Temp\7e0d687a05b42eb2cad9b5b032c64236.exe  C:\Users\Admin\AppData\Local\Temp\7e0d687a05b42eb2cad9b5b032c64236.exe

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description  Indicator  Process                           Target
N/A          N/A        C:\Windows\SysWOW64\schtasks.exe  N/A

Suspicious use of WriteProcessMemory

Description                               Indicator  Process                                                                   Target
PID 3036 wrote to memory of 2644 (x4)     N/A        C:\Users\Admin\AppData\Local\Temp\7e0d687a05b42eb2cad9b5b032c64236.exe  C:\Windows\SysWOW64\schtasks.exe
PID 3036 wrote to memory of 2004 (x12)    N/A        C:\Users\Admin\AppData\Local\Temp\7e0d687a05b42eb2cad9b5b032c64236.exe  C:\Users\Admin\AppData\Local\Temp\7e0d687a05b42eb2cad9b5b032c64236.exe
PID 2004 wrote to memory of 2628 (x4)     N/A        C:\Users\Admin\AppData\Local\Temp\7e0d687a05b42eb2cad9b5b032c64236.exe  C:\Windows\SysWOW64\WerFault.exe

Processes

C:\Users\Admin\AppData\Local\Temp\7e0d687a05b42eb2cad9b5b032c64236.exe

"C:\Users\Admin\AppData\Local\Temp\7e0d687a05b42eb2cad9b5b032c64236.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\TuqFzPGj" /XML "C:\Users\Admin\AppData\Local\Temp\tmpBF49.tmp"

C:\Users\Admin\AppData\Local\Temp\7e0d687a05b42eb2cad9b5b032c64236.exe

"C:\Users\Admin\AppData\Local\Temp\7e0d687a05b42eb2cad9b5b032c64236.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2004 -s 200

Network

N/A

Files

memory/3036-1-0x0000000074B50000-0x000000007523E000-memory.dmp

memory/3036-0-0x0000000000A90000-0x0000000000B60000-memory.dmp

memory/3036-2-0x0000000004DB0000-0x0000000004DF0000-memory.dmp

memory/3036-3-0x0000000000270000-0x0000000000282000-memory.dmp

memory/3036-4-0x0000000074B50000-0x000000007523E000-memory.dmp

memory/3036-5-0x0000000004DB0000-0x0000000004DF0000-memory.dmp

memory/3036-6-0x0000000007E30000-0x0000000007EA0000-memory.dmp

memory/3036-7-0x0000000000700000-0x0000000000728000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmpBF49.tmp

MD5 588354d9996266704a22785f3051dd27
SHA1 9d61f9939c25b79933ef4ceb45ec30b7a76052c3
SHA256 c6dbc1ab7061562b7e0073dae9962a5cdb43f88e455100209ca259e64b895744
SHA512 955b1513e8dd28769eee23223b65728c7494cfef7cca7f7bea068cb1de641395fb47b2ab6603de65e45d7b6beeb4c1f3e07a651bf3ebc66b9cc4800fafb68a15

memory/2004-13-0x0000000000400000-0x0000000000554000-memory.dmp

memory/2004-14-0x0000000000400000-0x0000000000554000-memory.dmp

memory/2004-15-0x0000000000400000-0x0000000000554000-memory.dmp

memory/2004-16-0x0000000000400000-0x0000000000554000-memory.dmp

memory/2004-17-0x0000000000400000-0x0000000000554000-memory.dmp

memory/2004-19-0x0000000000400000-0x0000000000554000-memory.dmp

memory/2004-20-0x0000000000400000-0x0000000000554000-memory.dmp

memory/2004-23-0x0000000000400000-0x0000000000554000-memory.dmp

memory/2004-21-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/3036-25-0x0000000074B50000-0x000000007523E000-memory.dmp

memory/2004-26-0x0000000000400000-0x0000000000554000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-01-28 21:30

Reported

2024-01-28 21:33

Platform

win10v2004-20231215-en

Max time kernel

140s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\7e0d687a05b42eb2cad9b5b032c64236.exe"

Signatures

WarzoneRat, AveMaria

rat infostealer warzonerat

CustAttr .NET packer

Description  Indicator  Process  Target
N/A          N/A        N/A      N/A

Warzone RAT payload

rat
Description  Indicator  Process  Target
N/A          N/A        N/A      N/A    (4 matches, no indicator details recorded)

Checks computer location settings

Description        Indicator                                                                                              Process                                                                   Target
Key value queried  \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation  C:\Users\Admin\AppData\Local\Temp\7e0d687a05b42eb2cad9b5b032c64236.exe  N/A

Suspicious use of SetThreadContext

Description                           Indicator  Process                                                                   Target
PID 3612 set thread context of 4620   N/A        C:\Users\Admin\AppData\Local\Temp\7e0d687a05b42eb2cad9b5b032c64236.exe  C:\Users\Admin\AppData\Local\Temp\7e0d687a05b42eb2cad9b5b032c64236.exe

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description  Indicator  Process                           Target
N/A          N/A        C:\Windows\SysWOW64\schtasks.exe  N/A

Suspicious behavior: EnumeratesProcesses

Description  Indicator  Process                                                                   Target
N/A (x2)     N/A        C:\Users\Admin\AppData\Local\Temp\7e0d687a05b42eb2cad9b5b032c64236.exe  N/A

Suspicious use of AdjustPrivilegeToken

Description              Indicator  Process                                                                   Target
Token: SeDebugPrivilege  N/A        C:\Users\Admin\AppData\Local\Temp\7e0d687a05b42eb2cad9b5b032c64236.exe  N/A

Suspicious use of WriteProcessMemory

Description                               Indicator  Process                                                                   Target
PID 3612 wrote to memory of 4048 (x3)     N/A        C:\Users\Admin\AppData\Local\Temp\7e0d687a05b42eb2cad9b5b032c64236.exe  C:\Windows\SysWOW64\schtasks.exe
PID 3612 wrote to memory of 2188 (x3)     N/A        C:\Users\Admin\AppData\Local\Temp\7e0d687a05b42eb2cad9b5b032c64236.exe  C:\Users\Admin\AppData\Local\Temp\7e0d687a05b42eb2cad9b5b032c64236.exe
PID 3612 wrote to memory of 4620 (x11)    N/A        C:\Users\Admin\AppData\Local\Temp\7e0d687a05b42eb2cad9b5b032c64236.exe  C:\Users\Admin\AppData\Local\Temp\7e0d687a05b42eb2cad9b5b032c64236.exe

Processes

C:\Users\Admin\AppData\Local\Temp\7e0d687a05b42eb2cad9b5b032c64236.exe

"C:\Users\Admin\AppData\Local\Temp\7e0d687a05b42eb2cad9b5b032c64236.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\TuqFzPGj" /XML "C:\Users\Admin\AppData\Local\Temp\tmp7EDF.tmp"

C:\Users\Admin\AppData\Local\Temp\7e0d687a05b42eb2cad9b5b032c64236.exe

"C:\Users\Admin\AppData\Local\Temp\7e0d687a05b42eb2cad9b5b032c64236.exe"

C:\Users\Admin\AppData\Local\Temp\7e0d687a05b42eb2cad9b5b032c64236.exe

"C:\Users\Admin\AppData\Local\Temp\7e0d687a05b42eb2cad9b5b032c64236.exe"

Network

Country  Destination         Domain                         Proto
US       8.8.8.8:53          217.106.137.52.in-addr.arpa    udp
US       8.8.8.8:53          183.178.17.96.in-addr.arpa     udp
US       8.8.8.8:53          73.159.190.20.in-addr.arpa     udp
US       8.8.8.8:53          95.221.229.192.in-addr.arpa    udp
US       8.8.8.8:53          58.55.71.13.in-addr.arpa       udp
NL       52.142.223.178:80   (none)                         tcp
US       8.8.8.8:53          26.165.165.52.in-addr.arpa     udp
US       8.8.8.8:53          198.187.3.20.in-addr.arpa      udp
US       8.8.8.8:53          28.160.77.104.in-addr.arpa     udp
GB       5.226.138.94:6621   (none)                         tcp
US       8.8.8.8:53          208.178.17.96.in-addr.arpa     udp
GB       5.226.138.94:6621   (none)                         tcp
US       8.8.8.8:53          204.178.17.96.in-addr.arpa     udp
GB       5.226.138.94:6621   (none)                         tcp
GB       5.226.138.94:6621   (none)                         tcp
US       8.8.8.8:53          213.143.182.52.in-addr.arpa    udp

Files

memory/3612-0-0x0000000074620000-0x0000000074DD0000-memory.dmp

memory/3612-1-0x00000000007E0000-0x00000000008B0000-memory.dmp

memory/3612-2-0x0000000005780000-0x0000000005D24000-memory.dmp

memory/3612-3-0x00000000052B0000-0x0000000005342000-memory.dmp

memory/3612-4-0x00000000053F0000-0x000000000548C000-memory.dmp

memory/3612-5-0x0000000005290000-0x00000000052A0000-memory.dmp

memory/3612-6-0x0000000005360000-0x000000000536A000-memory.dmp

memory/3612-7-0x0000000002B50000-0x0000000002B62000-memory.dmp

memory/3612-8-0x0000000074620000-0x0000000074DD0000-memory.dmp

memory/3612-9-0x0000000005290000-0x00000000052A0000-memory.dmp

memory/3612-10-0x00000000085C0000-0x0000000008630000-memory.dmp

memory/3612-11-0x0000000008630000-0x0000000008658000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmp7EDF.tmp

MD5 253f49529d9583532d579e128c04b4c7
SHA1 b58bbf88385fa7a2286a0c30d9122e83cc21051c
SHA256 498112c02efb6571ef1579db2a84000bce2a789e5840180c152dd379cc6968ab
SHA512 a52de2953408fc15550d1adddea08340a6f170dffed41da5c1356f6f77a53bddb59399fde0a3de19bfe93ac770a1cf23be2621de2ba73c21b02cfacc8b6bbf2a

memory/4620-17-0x0000000000400000-0x0000000000554000-memory.dmp

memory/4620-20-0x0000000000400000-0x0000000000554000-memory.dmp

memory/3612-21-0x0000000074620000-0x0000000074DD0000-memory.dmp

memory/4620-22-0x0000000000400000-0x0000000000554000-memory.dmp

memory/4620-23-0x0000000000400000-0x0000000000554000-memory.dmp