Malware Analysis Report

2025-01-22 14:19

Sample ID 240214-faf1qahc5v
Target 9ac604ab0f70a0d75f107b8f52d97000
SHA256 46dff1fda981f377a8ae116f14a7a4352e373787186606d2c5a91ae0c6c25609
Tags
warzonerat infostealer rat
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

46dff1fda981f377a8ae116f14a7a4352e373787186606d2c5a91ae0c6c25609

Threat Level: Known bad

The file 9ac604ab0f70a0d75f107b8f52d97000 was found to be: Known bad.

Malicious Activity Summary

warzonerat infostealer rat

WarzoneRat, AveMaria

Warzone RAT payload

Checks computer location settings

Suspicious use of SetThreadContext

Unsigned PE

Enumerates physical storage devices

Creates scheduled task(s)

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-02-14 04:39

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-02-14 04:39

Reported

2024-02-14 04:42

Platform

win7-20231215-en

Max time kernel

122s

Max time network

126s

Command Line

"C:\Users\Admin\AppData\Local\Temp\9ac604ab0f70a0d75f107b8f52d97000.exe"

Signatures

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\9ac604ab0f70a0d75f107b8f52d97000.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1672 wrote to memory of 2216 | N/A | C:\Users\Admin\AppData\Local\Temp\9ac604ab0f70a0d75f107b8f52d97000.exe | C:\Windows\SysWOW64\schtasks.exe
PID 1672 wrote to memory of 2216 | N/A | C:\Users\Admin\AppData\Local\Temp\9ac604ab0f70a0d75f107b8f52d97000.exe | C:\Windows\SysWOW64\schtasks.exe
PID 1672 wrote to memory of 2216 | N/A | C:\Users\Admin\AppData\Local\Temp\9ac604ab0f70a0d75f107b8f52d97000.exe | C:\Windows\SysWOW64\schtasks.exe
PID 1672 wrote to memory of 2216 | N/A | C:\Users\Admin\AppData\Local\Temp\9ac604ab0f70a0d75f107b8f52d97000.exe | C:\Windows\SysWOW64\schtasks.exe
PID 1672 wrote to memory of 2300 | N/A | C:\Users\Admin\AppData\Local\Temp\9ac604ab0f70a0d75f107b8f52d97000.exe | C:\Users\Admin\AppData\Local\Temp\9ac604ab0f70a0d75f107b8f52d97000.exe
PID 1672 wrote to memory of 2300 | N/A | C:\Users\Admin\AppData\Local\Temp\9ac604ab0f70a0d75f107b8f52d97000.exe | C:\Users\Admin\AppData\Local\Temp\9ac604ab0f70a0d75f107b8f52d97000.exe
PID 1672 wrote to memory of 2300 | N/A | C:\Users\Admin\AppData\Local\Temp\9ac604ab0f70a0d75f107b8f52d97000.exe | C:\Users\Admin\AppData\Local\Temp\9ac604ab0f70a0d75f107b8f52d97000.exe
PID 1672 wrote to memory of 2300 | N/A | C:\Users\Admin\AppData\Local\Temp\9ac604ab0f70a0d75f107b8f52d97000.exe | C:\Users\Admin\AppData\Local\Temp\9ac604ab0f70a0d75f107b8f52d97000.exe
PID 1672 wrote to memory of 2400 | N/A | C:\Users\Admin\AppData\Local\Temp\9ac604ab0f70a0d75f107b8f52d97000.exe | C:\Users\Admin\AppData\Local\Temp\9ac604ab0f70a0d75f107b8f52d97000.exe
PID 1672 wrote to memory of 2400 | N/A | C:\Users\Admin\AppData\Local\Temp\9ac604ab0f70a0d75f107b8f52d97000.exe | C:\Users\Admin\AppData\Local\Temp\9ac604ab0f70a0d75f107b8f52d97000.exe
PID 1672 wrote to memory of 2400 | N/A | C:\Users\Admin\AppData\Local\Temp\9ac604ab0f70a0d75f107b8f52d97000.exe | C:\Users\Admin\AppData\Local\Temp\9ac604ab0f70a0d75f107b8f52d97000.exe
PID 1672 wrote to memory of 2400 | N/A | C:\Users\Admin\AppData\Local\Temp\9ac604ab0f70a0d75f107b8f52d97000.exe | C:\Users\Admin\AppData\Local\Temp\9ac604ab0f70a0d75f107b8f52d97000.exe
PID 1672 wrote to memory of 2564 | N/A | C:\Users\Admin\AppData\Local\Temp\9ac604ab0f70a0d75f107b8f52d97000.exe | C:\Users\Admin\AppData\Local\Temp\9ac604ab0f70a0d75f107b8f52d97000.exe
PID 1672 wrote to memory of 2564 | N/A | C:\Users\Admin\AppData\Local\Temp\9ac604ab0f70a0d75f107b8f52d97000.exe | C:\Users\Admin\AppData\Local\Temp\9ac604ab0f70a0d75f107b8f52d97000.exe
PID 1672 wrote to memory of 2564 | N/A | C:\Users\Admin\AppData\Local\Temp\9ac604ab0f70a0d75f107b8f52d97000.exe | C:\Users\Admin\AppData\Local\Temp\9ac604ab0f70a0d75f107b8f52d97000.exe
PID 1672 wrote to memory of 2564 | N/A | C:\Users\Admin\AppData\Local\Temp\9ac604ab0f70a0d75f107b8f52d97000.exe | C:\Users\Admin\AppData\Local\Temp\9ac604ab0f70a0d75f107b8f52d97000.exe
PID 1672 wrote to memory of 320 | N/A | C:\Users\Admin\AppData\Local\Temp\9ac604ab0f70a0d75f107b8f52d97000.exe | C:\Users\Admin\AppData\Local\Temp\9ac604ab0f70a0d75f107b8f52d97000.exe
PID 1672 wrote to memory of 320 | N/A | C:\Users\Admin\AppData\Local\Temp\9ac604ab0f70a0d75f107b8f52d97000.exe | C:\Users\Admin\AppData\Local\Temp\9ac604ab0f70a0d75f107b8f52d97000.exe
PID 1672 wrote to memory of 320 | N/A | C:\Users\Admin\AppData\Local\Temp\9ac604ab0f70a0d75f107b8f52d97000.exe | C:\Users\Admin\AppData\Local\Temp\9ac604ab0f70a0d75f107b8f52d97000.exe
PID 1672 wrote to memory of 320 | N/A | C:\Users\Admin\AppData\Local\Temp\9ac604ab0f70a0d75f107b8f52d97000.exe | C:\Users\Admin\AppData\Local\Temp\9ac604ab0f70a0d75f107b8f52d97000.exe
PID 1672 wrote to memory of 1084 | N/A | C:\Users\Admin\AppData\Local\Temp\9ac604ab0f70a0d75f107b8f52d97000.exe | C:\Users\Admin\AppData\Local\Temp\9ac604ab0f70a0d75f107b8f52d97000.exe
PID 1672 wrote to memory of 1084 | N/A | C:\Users\Admin\AppData\Local\Temp\9ac604ab0f70a0d75f107b8f52d97000.exe | C:\Users\Admin\AppData\Local\Temp\9ac604ab0f70a0d75f107b8f52d97000.exe
PID 1672 wrote to memory of 1084 | N/A | C:\Users\Admin\AppData\Local\Temp\9ac604ab0f70a0d75f107b8f52d97000.exe | C:\Users\Admin\AppData\Local\Temp\9ac604ab0f70a0d75f107b8f52d97000.exe
PID 1672 wrote to memory of 1084 | N/A | C:\Users\Admin\AppData\Local\Temp\9ac604ab0f70a0d75f107b8f52d97000.exe | C:\Users\Admin\AppData\Local\Temp\9ac604ab0f70a0d75f107b8f52d97000.exe

Processes

C:\Users\Admin\AppData\Local\Temp\9ac604ab0f70a0d75f107b8f52d97000.exe

"C:\Users\Admin\AppData\Local\Temp\9ac604ab0f70a0d75f107b8f52d97000.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\oUZjHsjH" /XML "C:\Users\Admin\AppData\Local\Temp\tmp84A.tmp"

C:\Users\Admin\AppData\Local\Temp\9ac604ab0f70a0d75f107b8f52d97000.exe

"C:\Users\Admin\AppData\Local\Temp\9ac604ab0f70a0d75f107b8f52d97000.exe"

C:\Users\Admin\AppData\Local\Temp\9ac604ab0f70a0d75f107b8f52d97000.exe

"C:\Users\Admin\AppData\Local\Temp\9ac604ab0f70a0d75f107b8f52d97000.exe"

C:\Users\Admin\AppData\Local\Temp\9ac604ab0f70a0d75f107b8f52d97000.exe

"C:\Users\Admin\AppData\Local\Temp\9ac604ab0f70a0d75f107b8f52d97000.exe"

C:\Users\Admin\AppData\Local\Temp\9ac604ab0f70a0d75f107b8f52d97000.exe

"C:\Users\Admin\AppData\Local\Temp\9ac604ab0f70a0d75f107b8f52d97000.exe"

C:\Users\Admin\AppData\Local\Temp\9ac604ab0f70a0d75f107b8f52d97000.exe

"C:\Users\Admin\AppData\Local\Temp\9ac604ab0f70a0d75f107b8f52d97000.exe"

Network

N/A

Files

memory/1672-0-0x00000000000B0000-0x0000000000214000-memory.dmp

memory/1672-1-0x0000000074C70000-0x000000007535E000-memory.dmp

memory/1672-2-0x0000000002060000-0x00000000020A0000-memory.dmp

memory/1672-3-0x0000000000380000-0x000000000039E000-memory.dmp

memory/1672-4-0x0000000074C70000-0x000000007535E000-memory.dmp

memory/1672-5-0x0000000002060000-0x00000000020A0000-memory.dmp

memory/1672-6-0x00000000052F0000-0x0000000005380000-memory.dmp

memory/1672-7-0x00000000004A0000-0x00000000004C2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmp84A.tmp

MD5 e55f0acf3e0be1f1a0806b9418e08ec3
SHA1 7899eb54b9123a75d1801b5a5a9554aa45e7e471
SHA256 fca50829734289b08b83cdaa4d41c211b14bbc4f35eb41e99289fec166c9f720
SHA512 011ab686a12022050f659ae9fd34af231471878a4bc30ab0428d8255b8c2cd810fa7da7aa032b92a771fdbf2dfbd5ef1a50dfd1fce770c1c6392a00360c550c8

memory/1672-13-0x0000000074C70000-0x000000007535E000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-02-14 04:39

Reported

2024-02-14 04:42

Platform

win10v2004-20231215-en

Max time kernel

126s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\9ac604ab0f70a0d75f107b8f52d97000.exe"

Signatures

WarzoneRat, AveMaria

rat infostealer warzonerat

Warzone RAT payload

rat
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\9ac604ab0f70a0d75f107b8f52d97000.exe | N/A

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 368 set thread context of 3728 | N/A | C:\Users\Admin\AppData\Local\Temp\9ac604ab0f70a0d75f107b8f52d97000.exe | C:\Users\Admin\AppData\Local\Temp\9ac604ab0f70a0d75f107b8f52d97000.exe

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9ac604ab0f70a0d75f107b8f52d97000.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\9ac604ab0f70a0d75f107b8f52d97000.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 368 wrote to memory of 4372 | N/A | C:\Users\Admin\AppData\Local\Temp\9ac604ab0f70a0d75f107b8f52d97000.exe | C:\Windows\SysWOW64\schtasks.exe
PID 368 wrote to memory of 4372 | N/A | C:\Users\Admin\AppData\Local\Temp\9ac604ab0f70a0d75f107b8f52d97000.exe | C:\Windows\SysWOW64\schtasks.exe
PID 368 wrote to memory of 4372 | N/A | C:\Users\Admin\AppData\Local\Temp\9ac604ab0f70a0d75f107b8f52d97000.exe | C:\Windows\SysWOW64\schtasks.exe
PID 368 wrote to memory of 3728 | N/A | C:\Users\Admin\AppData\Local\Temp\9ac604ab0f70a0d75f107b8f52d97000.exe | C:\Users\Admin\AppData\Local\Temp\9ac604ab0f70a0d75f107b8f52d97000.exe
PID 368 wrote to memory of 3728 | N/A | C:\Users\Admin\AppData\Local\Temp\9ac604ab0f70a0d75f107b8f52d97000.exe | C:\Users\Admin\AppData\Local\Temp\9ac604ab0f70a0d75f107b8f52d97000.exe
PID 368 wrote to memory of 3728 | N/A | C:\Users\Admin\AppData\Local\Temp\9ac604ab0f70a0d75f107b8f52d97000.exe | C:\Users\Admin\AppData\Local\Temp\9ac604ab0f70a0d75f107b8f52d97000.exe
PID 368 wrote to memory of 3728 | N/A | C:\Users\Admin\AppData\Local\Temp\9ac604ab0f70a0d75f107b8f52d97000.exe | C:\Users\Admin\AppData\Local\Temp\9ac604ab0f70a0d75f107b8f52d97000.exe
PID 368 wrote to memory of 3728 | N/A | C:\Users\Admin\AppData\Local\Temp\9ac604ab0f70a0d75f107b8f52d97000.exe | C:\Users\Admin\AppData\Local\Temp\9ac604ab0f70a0d75f107b8f52d97000.exe
PID 368 wrote to memory of 3728 | N/A | C:\Users\Admin\AppData\Local\Temp\9ac604ab0f70a0d75f107b8f52d97000.exe | C:\Users\Admin\AppData\Local\Temp\9ac604ab0f70a0d75f107b8f52d97000.exe
PID 368 wrote to memory of 3728 | N/A | C:\Users\Admin\AppData\Local\Temp\9ac604ab0f70a0d75f107b8f52d97000.exe | C:\Users\Admin\AppData\Local\Temp\9ac604ab0f70a0d75f107b8f52d97000.exe
PID 368 wrote to memory of 3728 | N/A | C:\Users\Admin\AppData\Local\Temp\9ac604ab0f70a0d75f107b8f52d97000.exe | C:\Users\Admin\AppData\Local\Temp\9ac604ab0f70a0d75f107b8f52d97000.exe
PID 368 wrote to memory of 3728 | N/A | C:\Users\Admin\AppData\Local\Temp\9ac604ab0f70a0d75f107b8f52d97000.exe | C:\Users\Admin\AppData\Local\Temp\9ac604ab0f70a0d75f107b8f52d97000.exe
PID 368 wrote to memory of 3728 | N/A | C:\Users\Admin\AppData\Local\Temp\9ac604ab0f70a0d75f107b8f52d97000.exe | C:\Users\Admin\AppData\Local\Temp\9ac604ab0f70a0d75f107b8f52d97000.exe
PID 368 wrote to memory of 3728 | N/A | C:\Users\Admin\AppData\Local\Temp\9ac604ab0f70a0d75f107b8f52d97000.exe | C:\Users\Admin\AppData\Local\Temp\9ac604ab0f70a0d75f107b8f52d97000.exe

Processes

C:\Users\Admin\AppData\Local\Temp\9ac604ab0f70a0d75f107b8f52d97000.exe

"C:\Users\Admin\AppData\Local\Temp\9ac604ab0f70a0d75f107b8f52d97000.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\oUZjHsjH" /XML "C:\Users\Admin\AppData\Local\Temp\tmpF55C.tmp"

C:\Users\Admin\AppData\Local\Temp\9ac604ab0f70a0d75f107b8f52d97000.exe

"C:\Users\Admin\AppData\Local\Temp\9ac604ab0f70a0d75f107b8f52d97000.exe"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 194.178.17.96.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 18.134.221.88.in-addr.arpa | udp
NL | 185.222.57.73:4557 | N/A | tcp
US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp
NL | 185.222.57.73:4557 | N/A | tcp
US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp
NL | 185.222.57.73:4557 | N/A | tcp
NL | 185.222.57.73:4557 | N/A | tcp

Files

memory/368-0-0x0000000000FE0000-0x0000000001144000-memory.dmp

memory/368-1-0x0000000074640000-0x0000000074DF0000-memory.dmp

memory/368-2-0x0000000005B20000-0x0000000005BBC000-memory.dmp

memory/368-3-0x0000000006220000-0x00000000067C4000-memory.dmp

memory/368-4-0x0000000005C70000-0x0000000005D02000-memory.dmp

memory/368-5-0x0000000005E90000-0x0000000005EA0000-memory.dmp

memory/368-6-0x0000000005BD0000-0x0000000005BDA000-memory.dmp

memory/368-7-0x0000000005D10000-0x0000000005D66000-memory.dmp

memory/368-8-0x0000000005C10000-0x0000000005C2E000-memory.dmp

memory/368-9-0x0000000074640000-0x0000000074DF0000-memory.dmp

memory/368-10-0x0000000005E90000-0x0000000005EA0000-memory.dmp

memory/368-11-0x0000000006BD0000-0x0000000006C60000-memory.dmp

memory/368-12-0x00000000068A0000-0x00000000068C2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmpF55C.tmp

MD5 51b8e5ba2921294201821908afb13d9c
SHA1 f8e3be854ac33a7877cf9997c8126f295dedc7da
SHA256 8934577514c6870ec3d301fd69c20157efaf554296274e2f2c96252c4922d383
SHA512 89cb9a316e866084ee8cc72fa10328b9aa4a07b32b37b78c44464424c1d5c251c0bccf8d7baa3f12a1497c37111178c40c021b5c3312581b453cf31fe4077a16

memory/3728-18-0x0000000000400000-0x0000000000554000-memory.dmp

memory/3728-21-0x0000000000400000-0x0000000000554000-memory.dmp

memory/368-23-0x0000000074640000-0x0000000074DF0000-memory.dmp

memory/3728-22-0x0000000000400000-0x0000000000554000-memory.dmp

memory/3728-24-0x0000000000400000-0x0000000000554000-memory.dmp