warzonerat | decca35b90665b5cab7953d654aa934b485899c4df797fe3257f5f914198076f

General

Target

8f56eda04533b9b130e28f031cba40f5.exe
Size

236KB
MD5

8f56eda04533b9b130e28f031cba40f5
SHA1

4d07eec4700275447f6e8269247b130f49d74ea8
SHA256

decca35b90665b5cab7953d654aa934b485899c4df797fe3257f5f914198076f
SHA512

832d6958b7c02261d8f309a6ef40044b70b926824ce96f76e43c42794e4f25f90610252895173c3b42a2c3f9f7b52f0c9433862519b2f923c60c18cd313bccd2
SSDEEP

3072:FWUYAlmXkJr4Dul8kZyLA93qlUD2mvwV6bFcHSRoodGv8Z36CxVYwwBJ785v7W80:psBi17NCFYp3rtHmqbK65G

Score

10^/10

warzonerat evasion infostealer rat rezer0 trojan

Malware Config

Extracted

Family

warzonerat

C2

185.140.53.41:2104

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 4 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

Processes:

8f56eda04533b9b130e28f031cba40f5.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	8f56eda04533b9b130e28f031cba40f5.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	8f56eda04533b9b130e28f031cba40f5.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	8f56eda04533b9b130e28f031cba40f5.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	8f56eda04533b9b130e28f031cba40f5.exe

WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
rat infostealer warzonerat

ReZer0 packer 2 IoCs

Detects ReZer0, a packer with multiple versions used in various campaigns.

rezer0

Processes:

resource	yara_rule
behavioral1/memory/1852-5-0x0000000000C20000-0x0000000000C48000-memory.dmp	rezer0
behavioral1/memory/1960-9-0x0000000002C40000-0x0000000002C80000-memory.dmp	rezer0

Warzone RAT payload 8 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/2256-19-0x0000000000400000-0x0000000000551000-memory.dmp	warzonerat
behavioral1/memory/2256-21-0x0000000000400000-0x0000000000551000-memory.dmp	warzonerat
behavioral1/memory/2256-22-0x0000000000400000-0x0000000000551000-memory.dmp	warzonerat
behavioral1/memory/2256-23-0x0000000000400000-0x0000000000551000-memory.dmp	warzonerat
behavioral1/memory/2256-27-0x0000000000400000-0x0000000000551000-memory.dmp	warzonerat
behavioral1/memory/2256-30-0x0000000000400000-0x0000000000551000-memory.dmp	warzonerat
behavioral1/memory/2256-29-0x0000000000400000-0x0000000000551000-memory.dmp	warzonerat
behavioral1/memory/2256-47-0x0000000000400000-0x0000000000551000-memory.dmp	warzonerat

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

8f56eda04533b9b130e28f031cba40f5.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features	8f56eda04533b9b130e28f031cba40f5.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	8f56eda04533b9b130e28f031cba40f5.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

8f56eda04533b9b130e28f031cba40f5.exe

description pid process target process

PID 1852 set thread context of 2256 1852 8f56eda04533b9b130e28f031cba40f5.exe 8f56eda04533b9b130e28f031cba40f5.exe
Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

powershell.exe8f56eda04533b9b130e28f031cba40f5.exepowershell.exe

pid process

1960 powershell.exe
1852 8f56eda04533b9b130e28f031cba40f5.exe
2584 powershell.exe

description	pid	process	target process
PID 1852 set thread context of 2256	1852	8f56eda04533b9b130e28f031cba40f5.exe	8f56eda04533b9b130e28f031cba40f5.exe

pid	process
1960	powershell.exe
1852	8f56eda04533b9b130e28f031cba40f5.exe
2584	powershell.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

powershell.exe8f56eda04533b9b130e28f031cba40f5.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	1960	powershell.exe
Token: SeDebugPrivilege	1852	8f56eda04533b9b130e28f031cba40f5.exe
Token: SeDebugPrivilege	2584	powershell.exe

Suspicious use of WriteProcessMemory 26 IoCs

Processes:

8f56eda04533b9b130e28f031cba40f5.exe8f56eda04533b9b130e28f031cba40f5.exe

description	pid	process	target process
PID 1852 wrote to memory of 1960	1852	8f56eda04533b9b130e28f031cba40f5.exe	powershell.exe
PID 1852 wrote to memory of 1960	1852	8f56eda04533b9b130e28f031cba40f5.exe	powershell.exe
PID 1852 wrote to memory of 1960	1852	8f56eda04533b9b130e28f031cba40f5.exe	powershell.exe
PID 1852 wrote to memory of 1960	1852	8f56eda04533b9b130e28f031cba40f5.exe	powershell.exe
PID 1852 wrote to memory of 2256	1852	8f56eda04533b9b130e28f031cba40f5.exe	8f56eda04533b9b130e28f031cba40f5.exe
PID 1852 wrote to memory of 2256	1852	8f56eda04533b9b130e28f031cba40f5.exe	8f56eda04533b9b130e28f031cba40f5.exe
PID 1852 wrote to memory of 2256	1852	8f56eda04533b9b130e28f031cba40f5.exe	8f56eda04533b9b130e28f031cba40f5.exe
PID 1852 wrote to memory of 2256	1852	8f56eda04533b9b130e28f031cba40f5.exe	8f56eda04533b9b130e28f031cba40f5.exe
PID 1852 wrote to memory of 2256	1852	8f56eda04533b9b130e28f031cba40f5.exe	8f56eda04533b9b130e28f031cba40f5.exe
PID 1852 wrote to memory of 2256	1852	8f56eda04533b9b130e28f031cba40f5.exe	8f56eda04533b9b130e28f031cba40f5.exe
PID 1852 wrote to memory of 2256	1852	8f56eda04533b9b130e28f031cba40f5.exe	8f56eda04533b9b130e28f031cba40f5.exe
PID 1852 wrote to memory of 2256	1852	8f56eda04533b9b130e28f031cba40f5.exe	8f56eda04533b9b130e28f031cba40f5.exe
PID 1852 wrote to memory of 2256	1852	8f56eda04533b9b130e28f031cba40f5.exe	8f56eda04533b9b130e28f031cba40f5.exe
PID 1852 wrote to memory of 2256	1852	8f56eda04533b9b130e28f031cba40f5.exe	8f56eda04533b9b130e28f031cba40f5.exe
PID 1852 wrote to memory of 2256	1852	8f56eda04533b9b130e28f031cba40f5.exe	8f56eda04533b9b130e28f031cba40f5.exe
PID 1852 wrote to memory of 2256	1852	8f56eda04533b9b130e28f031cba40f5.exe	8f56eda04533b9b130e28f031cba40f5.exe
PID 2256 wrote to memory of 2584	2256	8f56eda04533b9b130e28f031cba40f5.exe	powershell.exe
PID 2256 wrote to memory of 2584	2256	8f56eda04533b9b130e28f031cba40f5.exe	powershell.exe
PID 2256 wrote to memory of 2584	2256	8f56eda04533b9b130e28f031cba40f5.exe	powershell.exe
PID 2256 wrote to memory of 2584	2256	8f56eda04533b9b130e28f031cba40f5.exe	powershell.exe
PID 2256 wrote to memory of 2712	2256	8f56eda04533b9b130e28f031cba40f5.exe	cmd.exe
PID 2256 wrote to memory of 2712	2256	8f56eda04533b9b130e28f031cba40f5.exe	cmd.exe
PID 2256 wrote to memory of 2712	2256	8f56eda04533b9b130e28f031cba40f5.exe	cmd.exe
PID 2256 wrote to memory of 2712	2256	8f56eda04533b9b130e28f031cba40f5.exe	cmd.exe
PID 2256 wrote to memory of 2712	2256	8f56eda04533b9b130e28f031cba40f5.exe	cmd.exe
PID 2256 wrote to memory of 2712	2256	8f56eda04533b9b130e28f031cba40f5.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\8f56eda04533b9b130e28f031cba40f5.exe
"C:\Users\Admin\AppData\Local\Temp\8f56eda04533b9b130e28f031cba40f5.exe"
1⤵
- Modifies Windows Defender Real-time Protection settings
- Windows security modification
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1852

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"powershell" Get-MpPreference -verbose
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1960

C:\Users\Admin\AppData\Local\Temp\8f56eda04533b9b130e28f031cba40f5.exe
"C:\Users\Admin\AppData\Local\Temp\8f56eda04533b9b130e28f031cba40f5.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:2256

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe"
3⤵
PID:2712

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell Add-MpPreference -ExclusionPath C:\
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2584

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Privilege Escalation

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Defense Evasion

Modify Registry

2

T1112

Impair Defenses

2

T1562

Disable or Modify Tools

2

T1562.001

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6QQJHQ3O1OKTOHFY6ZBF.temp
Filesize
7KB

MD5
687c6b2d1a750df8c3589258e4311997

SHA1
34dc81cbb97f70ea9d62d97d3f8e6a6b4d3a5706

SHA256
c3d9ef941b9708a1d3ea66519535d2ba95dda15a8c69869321f3723804f30a20

SHA512
588cc895b43a09120fbb9520330b0ead056d33e82af60baf715fe8158eaa957bc411af94afa6cc1c82bb3eb63ffa341e9162cb5b15dfe679d6b822c7affc14d0

Download Submit
memory/1852-1-0x00000000747E0000-0x0000000074ECE000-memory.dmp

Filesize
6.9MB

Download
memory/1852-2-0x0000000004D10000-0x0000000004D50000-memory.dmp

Filesize
256KB

Download
memory/1852-3-0x0000000000490000-0x0000000000498000-memory.dmp

Filesize
32KB

Download
memory/1852-4-0x00000000004F0000-0x0000000000532000-memory.dmp

Filesize
264KB

Download
memory/1852-5-0x0000000000C20000-0x0000000000C48000-memory.dmp

Filesize
160KB

Download
memory/1852-0-0x00000000012D0000-0x0000000001312000-memory.dmp

Filesize
264KB

Download
memory/1852-31-0x00000000747E0000-0x0000000074ECE000-memory.dmp

Filesize
6.9MB

Download
memory/1960-10-0x0000000002C40000-0x0000000002C80000-memory.dmp

Filesize
256KB

Download
memory/1960-8-0x000000006F760000-0x000000006FD0B000-memory.dmp

Filesize
5.7MB

Download
memory/1960-9-0x0000000002C40000-0x0000000002C80000-memory.dmp

Filesize
256KB

Download
memory/1960-12-0x000000006F760000-0x000000006FD0B000-memory.dmp

Filesize
5.7MB

Download
memory/1960-11-0x000000006F760000-0x000000006FD0B000-memory.dmp

Filesize
5.7MB

Download
memory/2256-25-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2256-19-0x0000000000400000-0x0000000000551000-memory.dmp

Filesize
1.3MB

Download
memory/2256-27-0x0000000000400000-0x0000000000551000-memory.dmp

Filesize
1.3MB

Download
memory/2256-22-0x0000000000400000-0x0000000000551000-memory.dmp

Filesize
1.3MB

Download
memory/2256-21-0x0000000000400000-0x0000000000551000-memory.dmp

Filesize
1.3MB

Download
memory/2256-30-0x0000000000400000-0x0000000000551000-memory.dmp

Filesize
1.3MB

Download
memory/2256-29-0x0000000000400000-0x0000000000551000-memory.dmp

Filesize
1.3MB

Download
memory/2256-17-0x0000000000400000-0x0000000000551000-memory.dmp

Filesize
1.3MB

Download
memory/2256-15-0x0000000000400000-0x0000000000551000-memory.dmp

Filesize
1.3MB

Download
memory/2256-23-0x0000000000400000-0x0000000000551000-memory.dmp

Filesize
1.3MB

Download
memory/2256-13-0x0000000000400000-0x0000000000551000-memory.dmp

Filesize
1.3MB

Download
memory/2256-47-0x0000000000400000-0x0000000000551000-memory.dmp

Filesize
1.3MB

Download
memory/2584-41-0x00000000025D0000-0x0000000002610000-memory.dmp

Filesize
256KB

Download
memory/2584-42-0x0000000074000000-0x00000000745AB000-memory.dmp

Filesize
5.7MB

Download
memory/2584-40-0x00000000025D0000-0x0000000002610000-memory.dmp

Filesize
256KB

Download
memory/2584-39-0x0000000074000000-0x00000000745AB000-memory.dmp

Filesize
5.7MB

Download
memory/2584-38-0x00000000025D0000-0x0000000002610000-memory.dmp

Filesize
256KB

Download
memory/2584-37-0x0000000074000000-0x00000000745AB000-memory.dmp

Filesize
5.7MB

Download
memory/2712-44-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download
memory/2712-43-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads