warzonerat | decca35b90665b5cab7953d654aa934b485899c4df797fe3257f5f914198076f

General

Target

8f56eda04533b9b130e28f031cba40f5.exe
Size

236KB
MD5

8f56eda04533b9b130e28f031cba40f5
SHA1

4d07eec4700275447f6e8269247b130f49d74ea8
SHA256

decca35b90665b5cab7953d654aa934b485899c4df797fe3257f5f914198076f
SHA512

832d6958b7c02261d8f309a6ef40044b70b926824ce96f76e43c42794e4f25f90610252895173c3b42a2c3f9f7b52f0c9433862519b2f923c60c18cd313bccd2
SSDEEP

3072:FWUYAlmXkJr4Dul8kZyLA93qlUD2mvwV6bFcHSRoodGv8Z36CxVYwwBJ785v7W80:psBi17NCFYp3rtHmqbK65G

Score

10^/10

warzonerat evasion infostealer rat rezer0 trojan

Malware Config

Extracted

Family

warzonerat

C2

185.140.53.41:2104

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 4 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

Processes:

8f56eda04533b9b130e28f031cba40f5.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	8f56eda04533b9b130e28f031cba40f5.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	8f56eda04533b9b130e28f031cba40f5.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	8f56eda04533b9b130e28f031cba40f5.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	8f56eda04533b9b130e28f031cba40f5.exe

WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
rat infostealer warzonerat

ReZer0 packer 1 IoCs

Detects ReZer0, a packer with multiple versions used in various campaigns.

rezer0

Processes:

resource	yara_rule
behavioral2/memory/3248-9-0x0000000005890000-0x00000000058B8000-memory.dmp	rezer0

Warzone RAT payload 4 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/208-61-0x0000000000400000-0x0000000000551000-memory.dmp	warzonerat
behavioral2/memory/208-62-0x0000000000400000-0x0000000000551000-memory.dmp	warzonerat
behavioral2/memory/208-58-0x0000000000400000-0x0000000000551000-memory.dmp	warzonerat
behavioral2/memory/208-99-0x0000000000400000-0x0000000000551000-memory.dmp	warzonerat

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

8f56eda04533b9b130e28f031cba40f5.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	8f56eda04533b9b130e28f031cba40f5.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	8f56eda04533b9b130e28f031cba40f5.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

8f56eda04533b9b130e28f031cba40f5.exe

description pid process target process

PID 3248 set thread context of 208 3248 8f56eda04533b9b130e28f031cba40f5.exe 8f56eda04533b9b130e28f031cba40f5.exe
Suspicious behavior: EnumeratesProcesses 5 IoCs

Processes:

powershell.exe8f56eda04533b9b130e28f031cba40f5.exepowershell.exe

pid process

1644 powershell.exe
1644 powershell.exe
3248 8f56eda04533b9b130e28f031cba40f5.exe
696 powershell.exe
696 powershell.exe

description	pid	process	target process
PID 3248 set thread context of 208	3248	8f56eda04533b9b130e28f031cba40f5.exe	8f56eda04533b9b130e28f031cba40f5.exe

pid	process
1644	powershell.exe
1644	powershell.exe
3248	8f56eda04533b9b130e28f031cba40f5.exe
696	powershell.exe
696	powershell.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

powershell.exe8f56eda04533b9b130e28f031cba40f5.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	1644	powershell.exe
Token: SeDebugPrivilege	3248	8f56eda04533b9b130e28f031cba40f5.exe
Token: SeDebugPrivilege	696	powershell.exe

Suspicious use of WriteProcessMemory 22 IoCs

Processes:

8f56eda04533b9b130e28f031cba40f5.exe8f56eda04533b9b130e28f031cba40f5.exe

description	pid	process	target process
PID 3248 wrote to memory of 1644	3248	8f56eda04533b9b130e28f031cba40f5.exe	powershell.exe
PID 3248 wrote to memory of 1644	3248	8f56eda04533b9b130e28f031cba40f5.exe	powershell.exe
PID 3248 wrote to memory of 1644	3248	8f56eda04533b9b130e28f031cba40f5.exe	powershell.exe
PID 3248 wrote to memory of 208	3248	8f56eda04533b9b130e28f031cba40f5.exe	8f56eda04533b9b130e28f031cba40f5.exe
PID 3248 wrote to memory of 208	3248	8f56eda04533b9b130e28f031cba40f5.exe	8f56eda04533b9b130e28f031cba40f5.exe
PID 3248 wrote to memory of 208	3248	8f56eda04533b9b130e28f031cba40f5.exe	8f56eda04533b9b130e28f031cba40f5.exe
PID 3248 wrote to memory of 208	3248	8f56eda04533b9b130e28f031cba40f5.exe	8f56eda04533b9b130e28f031cba40f5.exe
PID 3248 wrote to memory of 208	3248	8f56eda04533b9b130e28f031cba40f5.exe	8f56eda04533b9b130e28f031cba40f5.exe
PID 3248 wrote to memory of 208	3248	8f56eda04533b9b130e28f031cba40f5.exe	8f56eda04533b9b130e28f031cba40f5.exe
PID 3248 wrote to memory of 208	3248	8f56eda04533b9b130e28f031cba40f5.exe	8f56eda04533b9b130e28f031cba40f5.exe
PID 3248 wrote to memory of 208	3248	8f56eda04533b9b130e28f031cba40f5.exe	8f56eda04533b9b130e28f031cba40f5.exe
PID 3248 wrote to memory of 208	3248	8f56eda04533b9b130e28f031cba40f5.exe	8f56eda04533b9b130e28f031cba40f5.exe
PID 3248 wrote to memory of 208	3248	8f56eda04533b9b130e28f031cba40f5.exe	8f56eda04533b9b130e28f031cba40f5.exe
PID 3248 wrote to memory of 208	3248	8f56eda04533b9b130e28f031cba40f5.exe	8f56eda04533b9b130e28f031cba40f5.exe
PID 208 wrote to memory of 696	208	8f56eda04533b9b130e28f031cba40f5.exe	powershell.exe
PID 208 wrote to memory of 696	208	8f56eda04533b9b130e28f031cba40f5.exe	powershell.exe
PID 208 wrote to memory of 696	208	8f56eda04533b9b130e28f031cba40f5.exe	powershell.exe
PID 208 wrote to memory of 1208	208	8f56eda04533b9b130e28f031cba40f5.exe	cmd.exe
PID 208 wrote to memory of 1208	208	8f56eda04533b9b130e28f031cba40f5.exe	cmd.exe
PID 208 wrote to memory of 1208	208	8f56eda04533b9b130e28f031cba40f5.exe	cmd.exe
PID 208 wrote to memory of 1208	208	8f56eda04533b9b130e28f031cba40f5.exe	cmd.exe
PID 208 wrote to memory of 1208	208	8f56eda04533b9b130e28f031cba40f5.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\8f56eda04533b9b130e28f031cba40f5.exe
"C:\Users\Admin\AppData\Local\Temp\8f56eda04533b9b130e28f031cba40f5.exe"
1⤵
- Modifies Windows Defender Real-time Protection settings
- Windows security modification
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3248

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"powershell" Get-MpPreference -verbose
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1644

C:\Users\Admin\AppData\Local\Temp\8f56eda04533b9b130e28f031cba40f5.exe
"C:\Users\Admin\AppData\Local\Temp\8f56eda04533b9b130e28f031cba40f5.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:208

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe"
3⤵
PID:1208

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell Add-MpPreference -ExclusionPath C:\
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:696

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Privilege Escalation

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Defense Evasion

Modify Registry

2

T1112

Impair Defenses

2

T1562

Disable or Modify Tools

2

T1562.001

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
Filesize
2KB

MD5
3d086a433708053f9bf9523e1d87a4e8

SHA1
b3ab5d4f282a4c8fe8c3005b8a557ed5a0e37f28

SHA256
6f8fd1b8d9788ad54eaeee329232187e24b7b43393a01aeba2d6e9675231fb69

SHA512
931ae42b4c68a4507ff2342332b08eb407050d47cf4176137ea022d0f6e513c689e998445a04c6d18d4877391705c586bfce0234632b898d41aaed0957996dfd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
12KB

MD5
02a797824c301ffcf5e4430b29b05515

SHA1
7f001f9ec5ff22e9bda10f4bce614a190dc9954b

SHA256
1a6e236e38feb3d51d7f891b28199c1f86956e2ed10c39dfb0dc16a97efcaf6b

SHA512
0f3187c7bdfa6c43254368ef764d9011f4f4f0451e336176b149b4fe176f7bb048b8fb0b8133cca354849c6a45c174970e23780b38132ef2b360b7079745c66b

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_xan33hgp.mmt.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
memory/208-61-0x0000000000400000-0x0000000000551000-memory.dmp

Filesize
1.3MB

Download
memory/208-99-0x0000000000400000-0x0000000000551000-memory.dmp

Filesize
1.3MB

Download
memory/208-62-0x0000000000400000-0x0000000000551000-memory.dmp

Filesize
1.3MB

Download
memory/208-58-0x0000000000400000-0x0000000000551000-memory.dmp

Filesize
1.3MB

Download
memory/696-79-0x0000000006AB0000-0x0000000006AFC000-memory.dmp

Filesize
304KB

Download
memory/696-92-0x0000000007C70000-0x0000000007D13000-memory.dmp

Filesize
652KB

Download
memory/696-80-0x0000000070A20000-0x0000000070A6C000-memory.dmp

Filesize
304KB

Download
memory/696-91-0x0000000005590000-0x00000000055A0000-memory.dmp

Filesize
64KB

Download
memory/696-65-0x0000000073EB0000-0x0000000074660000-memory.dmp

Filesize
7.7MB

Download
memory/696-66-0x0000000005590000-0x00000000055A0000-memory.dmp

Filesize
64KB

Download
memory/696-90-0x0000000005590000-0x00000000055A0000-memory.dmp

Filesize
64KB

Download
memory/696-77-0x0000000006480000-0x00000000067D4000-memory.dmp

Filesize
3.3MB

Download
memory/696-67-0x0000000005590000-0x00000000055A0000-memory.dmp

Filesize
64KB

Download
memory/696-93-0x0000000007F10000-0x0000000007F21000-memory.dmp

Filesize
68KB

Download
memory/696-96-0x0000000007F60000-0x0000000007F74000-memory.dmp

Filesize
80KB

Download
memory/696-98-0x0000000073EB0000-0x0000000074660000-memory.dmp

Filesize
7.7MB

Download
memory/1208-94-0x0000000001270000-0x0000000001271000-memory.dmp

Filesize
4KB

Download
memory/1644-14-0x0000000005480000-0x0000000005AA8000-memory.dmp

Filesize
6.2MB

Download
memory/1644-12-0x0000000004E40000-0x0000000004E50000-memory.dmp

Filesize
64KB

Download
memory/1644-32-0x000000006FEB0000-0x000000006FEFC000-memory.dmp

Filesize
304KB

Download
memory/1644-45-0x0000000007490000-0x0000000007533000-memory.dmp

Filesize
652KB

Download
memory/1644-44-0x0000000004E40000-0x0000000004E50000-memory.dmp

Filesize
64KB

Download
memory/1644-43-0x0000000004E40000-0x0000000004E50000-memory.dmp

Filesize
64KB

Download
memory/1644-47-0x00000000075D0000-0x00000000075EA000-memory.dmp

Filesize
104KB

Download
memory/1644-46-0x0000000007C10000-0x000000000828A000-memory.dmp

Filesize
6.5MB

Download
memory/1644-48-0x0000000007640000-0x000000000764A000-memory.dmp

Filesize
40KB

Download
memory/1644-42-0x0000000007220000-0x000000000723E000-memory.dmp

Filesize
120KB

Download
memory/1644-31-0x0000000007240000-0x0000000007272000-memory.dmp

Filesize
200KB

Download
memory/1644-30-0x000000007FC20000-0x000000007FC30000-memory.dmp

Filesize
64KB

Download
memory/1644-49-0x0000000007850000-0x00000000078E6000-memory.dmp

Filesize
600KB

Download
memory/1644-50-0x00000000077D0000-0x00000000077E1000-memory.dmp

Filesize
68KB

Download
memory/1644-51-0x0000000007800000-0x000000000780E000-memory.dmp

Filesize
56KB

Download
memory/1644-52-0x0000000007810000-0x0000000007824000-memory.dmp

Filesize
80KB

Download
memory/1644-53-0x0000000007910000-0x000000000792A000-memory.dmp

Filesize
104KB

Download
memory/1644-54-0x00000000078F0000-0x00000000078F8000-memory.dmp

Filesize
32KB

Download
memory/1644-28-0x00000000062A0000-0x00000000062BE000-memory.dmp

Filesize
120KB

Download
memory/1644-13-0x0000000004E40000-0x0000000004E50000-memory.dmp

Filesize
64KB

Download
memory/1644-27-0x0000000005E30000-0x0000000006184000-memory.dmp

Filesize
3.3MB

Download
memory/1644-16-0x0000000005BE0000-0x0000000005C46000-memory.dmp

Filesize
408KB

Download
memory/1644-57-0x00000000744B0000-0x0000000074C60000-memory.dmp

Filesize
7.7MB

Download
memory/1644-22-0x0000000005CC0000-0x0000000005D26000-memory.dmp

Filesize
408KB

Download
memory/1644-15-0x0000000005310000-0x0000000005332000-memory.dmp

Filesize
136KB

Download
memory/1644-29-0x00000000062E0000-0x000000000632C000-memory.dmp

Filesize
304KB

Download
memory/1644-10-0x0000000004CD0000-0x0000000004D06000-memory.dmp

Filesize
216KB

Download
memory/1644-11-0x00000000744B0000-0x0000000074C60000-memory.dmp

Filesize
7.7MB

Download
memory/3248-1-0x00000000744B0000-0x0000000074C60000-memory.dmp

Filesize
7.7MB

Download
memory/3248-63-0x00000000744B0000-0x0000000074C60000-memory.dmp

Filesize
7.7MB

Download
memory/3248-9-0x0000000005890000-0x00000000058B8000-memory.dmp

Filesize
160KB

Download
memory/3248-6-0x00000000052E0000-0x00000000052EA000-memory.dmp

Filesize
40KB

Download
memory/3248-7-0x00000000052F0000-0x00000000052F8000-memory.dmp

Filesize
32KB

Download
memory/3248-8-0x0000000005690000-0x00000000056D2000-memory.dmp

Filesize
264KB

Download
memory/3248-5-0x0000000005580000-0x0000000005590000-memory.dmp

Filesize
64KB

Download
memory/3248-4-0x00000000053E0000-0x000000000547C000-memory.dmp

Filesize
624KB

Download
memory/3248-3-0x0000000005340000-0x00000000053D2000-memory.dmp

Filesize
584KB

Download
memory/3248-2-0x00000000058F0000-0x0000000005E94000-memory.dmp

Filesize
5.6MB

Download
memory/3248-0-0x0000000000890000-0x00000000008D2000-memory.dmp

Filesize
264KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads