Malware Analysis Report

2025-01-22 14:18

Sample ID: 240226-l1wrraag57
Target: a6123e1e92c6ea08908865bb63fbf249
SHA256: 7cec042f22812fade5b8fbfe213a8e70626dc8faf1eee7d40d51213882d9b779
Tags: warzonerat infostealer rat
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK (Enterprise Matrix V15)
Analysis: static1 (Detonation Overview, Signatures)
Analysis: behavioral1 (Detonation Overview, Command Line, Signatures, Processes, Network, Files)
Analysis: behavioral2 (Detonation Overview, Command Line, Signatures, Processes, Network, Files)

Analysis Overview

Score: 10/10

SHA256: 7cec042f22812fade5b8fbfe213a8e70626dc8faf1eee7d40d51213882d9b779

Threat Level: Known bad

The file a6123e1e92c6ea08908865bb63fbf249 was found to be: Known bad.

Malicious Activity Summary

warzonerat infostealer rat

Signatures raised across the static and the two behavioral runs (detail in the per-run sections below):

WarzoneRat, AveMaria; Warzone RAT payload - family match for Warzone RAT (also tracked as AveMaria), a commodity RAT with credential-stealing modules
Suspicious use of WriteProcessMemory; Suspicious use of SetThreadContext - the sample starts a second instance of its own image, writes into it and then replaces its thread context; combined with the 0x400000-0x554000 image region that afterwards exists only in that child, this is the process-hollowing pattern
Creates scheduled task(s) - schtasks.exe /Create /TN "Updates\sgzmBy" with the task definition read from an XML file in %TEMP% (persistence)
Suspicious use of AdjustPrivilegeToken - enables SeDebugPrivilege
Checks computer location settings - reads Control Panel\International\Geo\Nation (seen in the Windows 10 run only)
Suspicious behavior: EnumeratesProcesses (Windows 10 run only)
Enumerates physical storage devices
Unsigned PE - no Authenticode signature on the sample

Network: in both runs every TCP session goes to 178.170.138.163:4554 (NL) with no DNS resolution for that address, i.e. a hard-coded C2 endpoint on a non-standard port.

MITRE ATT&CK

Enterprise Matrix V15. This page carries no matrix rendering; the following is the editor's mapping of the signatures above to the techniques they correspond to:

T1055.012 Process Injection: Process Hollowing - WriteProcessMemory into a second instance of the sample followed by SetThreadContext, with a new image at 0x400000 in the child
T1053.005 Scheduled Task/Job: Scheduled Task - schtasks.exe /Create /TN "Updates\sgzmBy" /XML <file in %TEMP%>
T1614 System Location Discovery - query of Control Panel\International\Geo\Nation
T1057 Process Discovery - EnumeratesProcesses
T1082 System Information Discovery - enumeration of physical storage devices
T1571 Non-Standard Port - C2 over TCP/4554 to 178.170.138.163

Analysis: static1

Detonation Overview

Reported: 2024-02-26 10:00

Signatures

Unsigned PE - the sample carries no Authenticode signature. The static pass records no description, indicator, process or target for this check.

Analysis: behavioral1

Detonation Overview

Submitted: 2024-02-26 10:00
Reported: 2024-02-26 10:03
Platform: win7-20240221-en
Max time kernel: 126s
Max time network: 138s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a6123e1e92c6ea08908865bb63fbf249.exe"

Signatures

WarzoneRat, AveMaria (rat infostealer warzonerat)

Warzone RAT payload (rat): 8 matches; the report records no description, indicator, process or target for them.

In the tables below, "sample" stands for C:\Users\Admin\AppData\Local\Temp\a6123e1e92c6ea08908865bb63fbf249.exe.

Suspicious use of SetThreadContext

Description                          Indicator  Process  Target
PID 2928 set thread context of 2900  N/A        sample   sample (a second instance of the same image)

Enumerates physical storage devices

Creates scheduled task(s) (persistence)

Description  Indicator  Process                           Target
N/A          N/A        C:\Windows\SysWOW64\schtasks.exe  N/A

Suspicious use of AdjustPrivilegeToken

Description              Indicator  Process  Target
Token: SeDebugPrivilege  N/A        sample   N/A

Suspicious use of WriteProcessMemory (identical rows collapsed; Count is the number of recorded calls)

Description                       Count  Indicator  Process  Target
PID 2928 wrote to memory of 2432  4      N/A        sample   C:\Windows\SysWOW64\schtasks.exe
PID 2928 wrote to memory of 2944  4      N/A        sample   sample
PID 2928 wrote to memory of 2900  12     N/A        sample   sample

Reading the three targets together: the writes into schtasks.exe (2432) and into the first same-image child (2944) are not followed by a SetThreadContext call, and neither process has a memory dump under Files. Writes alone are therefore not enough to call a process hollowed; the discriminating events are the thread-context change and the new 0x400000-0x554000 image region, and both appear only for 2900. That process is the hollowed host of the Warzone payload.

Processes

C:\Users\Admin\AppData\Local\Temp\a6123e1e92c6ea08908865bb63fbf249.exe (PID 2928, the submitted sample)

"C:\Users\Admin\AppData\Local\Temp\a6123e1e92c6ea08908865bb63fbf249.exe"

C:\Windows\SysWOW64\schtasks.exe (PID 2432)

"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\sgzmBy" /XML "C:\Users\Admin\AppData\Local\Temp\tmpFC0B.tmp"

C:\Users\Admin\AppData\Local\Temp\a6123e1e92c6ea08908865bb63fbf249.exe (second instance; the signature tables name the two child instances as PIDs 2944 and 2900)

"C:\Users\Admin\AppData\Local\Temp\a6123e1e92c6ea08908865bb63fbf249.exe"

C:\Users\Admin\AppData\Local\Temp\a6123e1e92c6ea08908865bb63fbf249.exe (third instance)

"C:\Users\Admin\AppData\Local\Temp\a6123e1e92c6ea08908865bb63fbf249.exe"

Two details worth noting. The command line names System32\schtasks.exe but the image that actually ran is SysWOW64\schtasks.exe, so the sample is a 32-bit process subject to WOW64 file-system redirection. And the task is created from an XML definition (/XML) in %TEMP%, so its trigger, action and run level live in tmpFC0B.tmp (hashes under Files), not on the command line; a detection keyed on the command line alone sees only the task name and the temp path.

Network

Country  Destination           Domain  Proto  Count
NL       178.170.138.163:4554  -       tcp    4

No DNS queries were recorded in this run: the sample connects to a hard-coded address on a non-standard port, so block and hunt on the IP:port pair rather than on a hostname.

Files

Memory dumps, PID 2928 (the parent; the number before the address range is the dump sequence number):
  0  0x0000000074AE0000-0x00000000751CE000 (dumped again as 4 and 30)
  1  0x0000000000F50000-0x0000000001060000
  2  0x0000000004BF0000-0x0000000004C30000 (dumped again as 5)
  3  0x0000000000920000-0x000000000093E000
  6  0x00000000058F0000-0x0000000005982000
  7  0x00000000009E0000-0x0000000000A02000

C:\Users\Admin\AppData\Local\Temp\tmpFC0B.tmp (the scheduled-task XML passed to schtasks /XML)

MD5 578b5b5db47be3837420084be31833af
SHA1 6be737f9f8267ca80201942719ea17f09df9a3ae
SHA256 642b3ec48ded97fd187c5eac5549962c39ffae8e1c3c5ce49e9260a049d20e1f
SHA512 5c52068e2ddc786d0412832b3c0d09d14de2ecd4d01faeef8425b0085ba7228a5669628b9459cbb4592c2cb6fedd0686946b42f37c1f2a4e11090a18d32ca44c

Memory dumps, PID 2900 (the hollowed child):
  13, 15, 17, 19, 21, 22, 24, 27, 29, 31, 32  0x0000000000400000-0x0000000000554000
  25  0x000000007EFDE000-0x000000007EFDF000

The 0x400000-0x554000 region is 0x154000 bytes at the default non-relocated PE image base and is dumped eleven times as the child runs; it is the unpacked Warzone image and the dump to carve, scan and compare against the parent's own sections. The single page at 0x7EFDE000 is consistent with the PEB of a WOW64 process on Windows 7, which hollowing loaders rewrite so that ImageBaseAddress points at the injected image.
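The correlation just described can be made mechanical. The following is an added example written for this report (editor's code, not part of the sandbox's own tooling): the WriteProcessMemory and SetThreadContext rows, a few of the dump names and the schtasks command line from this run are transcribed as constants, and two functions report the hollowing target and the scheduled-task persistence. The record layout and the function names are assumptions of the example.

```python
"""Correlate sandbox signature rows into findings.

Added example for this report: EVENTS, DUMPS and COMMAND_LINES are transcribed
from the behavioral1 tables; the function names and record layout are
assumptions of this example, not part of the sandbox's own tooling."""
import re
from collections import Counter, defaultdict

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\a6123e1e92c6ea08908865bb63fbf249.exe"
SCHTASKS = r"C:\Windows\SysWOW64\schtasks.exe"

# (signature, source pid, target pid, source image, target image), one tuple per table row
EVENTS = (
    [("WriteProcessMemory", 2928, 2432, SAMPLE, SCHTASKS)] * 4
    + [("WriteProcessMemory", 2928, 2944, SAMPLE, SAMPLE)] * 4
    + [("WriteProcessMemory", 2928, 2900, SAMPLE, SAMPLE)] * 12
    + [("SetThreadContext", 2928, 2900, SAMPLE, SAMPLE)]
)

# Dump names exactly as the Files section lists them: memory/<pid>-<seq>-<start>-<end>-memory.dmp
DUMPS = [
    "memory/2928-1-0x0000000000F50000-0x0000000001060000-memory.dmp",
    "memory/2900-13-0x0000000000400000-0x0000000000554000-memory.dmp",
    "memory/2900-25-0x000000007EFDE000-0x000000007EFDF000-memory.dmp",
    "memory/2900-32-0x0000000000400000-0x0000000000554000-memory.dmp",
]

COMMAND_LINES = {
    2928: f'"{SAMPLE}"',
    2432: r'"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\sgzmBy" '
          r'/XML "C:\Users\Admin\AppData\Local\Temp\tmpFC0B.tmp"',
}

DUMP_RE = re.compile(r"memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp")
TASK_RE = re.compile(r'schtasks\.exe"?\s+/Create\b.*?/TN\s+"([^"]+)".*?/XML\s+"([^"]+)"', re.I)


def parse_dumps(names):
    """Group dump names by pid as (seq, start, end) triples."""
    regions = defaultdict(list)
    for name in names:
        m = DUMP_RE.fullmatch(name)
        if m:
            pid, seq, start, end = m.groups()
            regions[int(pid)].append((int(seq), int(start, 16), int(end, 16)))
    return dict(regions)


def hollowing_candidates(events, dumps):
    """Hollowing needs three things from one parent/child pair: the child runs
    the parent's own image, the parent wrote into it, and the parent then
    replaced its thread context.  A region at the classic non-relocated PE base
    0x400000 in the child's dumps is reported as the likely unpacked payload.
    Writes alone (schtasks.exe, or the first child 2944 here) are not enough:
    a parent's CreateProcess-time writes look the same in this table."""
    writes = Counter((s, t) for kind, s, t, _, _ in events if kind == "WriteProcessMemory")
    contexts = {(s, t) for kind, s, t, _, _ in events if kind == "SetThreadContext"}
    images = {(s, t): (si, ti) for _, s, t, si, ti in events}
    regions = parse_dumps(dumps)
    findings = []
    for src, dst in sorted(contexts):
        src_img, dst_img = images[(src, dst)]
        if src_img != dst_img or writes[(src, dst)] == 0:
            continue
        payload = sorted({(a, b) for _, a, b in regions.get(dst, []) if a == 0x400000})
        findings.append({"parent": src, "child": dst,
                         "writes": writes[(src, dst)], "payload_region": payload})
    return findings


def scheduled_task_persistence(command_lines):
    """Flag schtasks /Create whose task definition is an XML file under a Temp path."""
    hits = []
    for pid, cmdline in command_lines.items():
        m = TASK_RE.search(cmdline)
        if m and re.search(r"\\Temp\\", m.group(2), re.I):
            hits.append({"pid": pid, "task": m.group(1), "xml": m.group(2)})
    return hits


if __name__ == "__main__":
    for finding in hollowing_candidates(EVENTS, DUMPS):
        print("hollowing:", finding)
    for task in scheduled_task_persistence(COMMAND_LINES):
        print("persistence:", task)
```

Run as-is it reports one hollowing finding (parent 2928, child 2900, 12 writes, payload region 0x400000-0x554000) and one persistence finding (task Updates\sgzmBy from tmpFC0B.tmp); the writes into 2432 and 2944 are deliberately not flagged, for the reason given in the docstring. On real endpoint telemetry the same logic applies to Sysmon process-access and process-creation events once the source/target pids and images are filled in from those records.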

Analysis: behavioral2

Detonation Overview

Submitted: 2024-02-26 10:00
Reported: 2024-02-26 10:03
Platform: win10v2004-20240221-en
Max time kernel: 146s
Max time network: 151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a6123e1e92c6ea08908865bb63fbf249.exe"

Signatures

WarzoneRat, AveMaria (rat infostealer warzonerat)

Warzone RAT payload (rat): 4 matches; the report records no description, indicator, process or target for them.

In the tables below, "sample" stands for C:\Users\Admin\AppData\Local\Temp\a6123e1e92c6ea08908865bb63fbf249.exe.

Checks computer location settings

Description        Indicator                                                                                                   Process  Target
Key value queried  \REGISTRY\USER\S-1-5-21-3054445511-921769590-4013668107-1000\Control Panel\International\Geo\Nation  sample   N/A

The Nation value is the configured GeoID of the user; malware typically reads it to geofence execution or reporting by country.

Suspicious use of SetThreadContext

Description                         Indicator  Process  Target
PID 492 set thread context of 4300  N/A        sample   sample (a second instance of the same image)

Enumerates physical storage devices

Creates scheduled task(s) (persistence)

Description  Indicator  Process                           Target
N/A          N/A        C:\Windows\SysWOW64\schtasks.exe  N/A

Suspicious behavior: EnumeratesProcesses

Description  Indicator  Process  Target
N/A          N/A        sample   N/A

Suspicious use of AdjustPrivilegeToken

Description              Indicator  Process  Target
Token: SeDebugPrivilege  N/A        sample   N/A

Suspicious use of WriteProcessMemory (identical rows collapsed; Count is the number of recorded calls)

Description                      Count  Indicator  Process  Target
PID 492 wrote to memory of 500   3      N/A        sample   C:\Windows\SysWOW64\schtasks.exe
PID 492 wrote to memory of 4300  11     N/A        sample   sample

Same pattern as the Windows 7 run, with a single same-image child this time: 4300 receives the writes and the SetThreadContext call and is the only process with a 0x400000-0x554000 image region under Files.

Processes

C:\Users\Admin\AppData\Local\Temp\a6123e1e92c6ea08908865bb63fbf249.exe (PID 492, the submitted sample)

"C:\Users\Admin\AppData\Local\Temp\a6123e1e92c6ea08908865bb63fbf249.exe"

C:\Windows\SysWOW64\schtasks.exe (PID 500)

"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\sgzmBy" /XML "C:\Users\Admin\AppData\Local\Temp\tmp1940.tmp"

C:\Users\Admin\AppData\Local\Temp\a6123e1e92c6ea08908865bb63fbf249.exe (PID 4300, the hollowed second instance)

"C:\Users\Admin\AppData\Local\Temp\a6123e1e92c6ea08908865bb63fbf249.exe"

The task name "Updates\sgzmBy" is identical to the Windows 7 run, so it is a stable host indicator; only the temporary XML file name changes between runs. As before, the image that ran is SysWOW64\schtasks.exe although the command line names System32, confirming a 32-bit process under WOW64.

Network

Country  Destination           Domain                        Proto  Count
NL       178.170.138.163:4554  -                             tcp    4
US       8.8.8.8:53            2.159.190.20.in-addr.arpa     udp    1
US       8.8.8.8:53            241.154.82.20.in-addr.arpa    udp    1
US       8.8.8.8:53            189.178.17.96.in-addr.arpa    udp    1
US       8.8.8.8:53            41.110.16.96.in-addr.arpa     udp    1
US       8.8.8.8:53            50.23.12.20.in-addr.arpa      udp    1
US       8.8.8.8:53            18.31.95.13.in-addr.arpa      udp    1
US       8.8.8.8:53            217.135.221.88.in-addr.arpa   udp    1
US       8.8.8.8:53            190.178.17.96.in-addr.arpa    udp    1
US       8.8.8.8:53            11.227.111.52.in-addr.arpa    udp    1

The four C2 sessions were interleaved with the last few lookups in the original capture order. The UDP rows are reverse (PTR) lookups sent to 8.8.8.8; reading the in-addr.arpa names backwards, the addresses being resolved are 20.190.159.2, 20.82.154.241, 96.17.178.189, 96.16.110.41, 20.12.23.50, 13.95.31.18, 88.221.135.217, 96.17.178.190 and 52.111.227.11. The report does not attribute network rows to a process, and the sample's own C2 traffic uses a hard-coded address with no lookup at all, so treat the PTR traffic as unattributed (most likely the Windows 10 image's background activity) and hunt on 178.170.138.163:4554, which is identical across both runs.
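To separate the sample's sessions from resolver noise in a table like this one, here is an added example (editor's code, not from the report) that parses the rows as transcribed, reverses the PTR names back into the IPv4 addresses being looked up, and counts the direct sessions. The column layout (Country Destination [Domain] Proto, with Domain absent on raw TCP rows) and the function names are assumptions of this example.

```python
"""Triage a sandbox Network table: separate direct sessions from resolver
traffic and recover the addresses behind PTR query names.

Added example; ROWS is transcribed from the behavioral2 Network table.
The row layout (Country Destination [Domain] Proto) and the function names
are assumptions of this example."""
import ipaddress
from collections import Counter

ROWS = """
US 8.8.8.8:53 2.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 189.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 217.135.221.88.in-addr.arpa udp
NL 178.170.138.163:4554 tcp
US 8.8.8.8:53 190.178.17.96.in-addr.arpa udp
NL 178.170.138.163:4554 tcp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
NL 178.170.138.163:4554 tcp
NL 178.170.138.163:4554 tcp
""".strip().splitlines()


def parse_row(line):
    """The Domain column is only present on DNS rows, so a row has 3 or 4 fields."""
    parts = line.split()
    if len(parts) == 4:
        country, dest, domain, proto = parts
    elif len(parts) == 3:
        country, dest, proto = parts
        domain = ""
    else:
        raise ValueError(f"unexpected row: {line!r}")
    host, port = dest.rsplit(":", 1)
    return {"country": country, "host": host, "port": int(port), "domain": domain, "proto": proto}


def ptr_to_ip(name):
    """Turn an IPv4 reverse-lookup name back into the address that was looked up.
    PTR names list the octets least-significant first, so
    '2.159.190.20.in-addr.arpa' is a lookup of 20.190.159.2.
    Returns None for anything that is not a well-formed v4 PTR name."""
    suffix = ".in-addr.arpa"
    if not name.lower().endswith(suffix):
        return None
    octets = name[:-len(suffix)].split(".")
    if len(octets) != 4:
        return None
    try:
        return str(ipaddress.IPv4Address(".".join(reversed(octets))))
    except ipaddress.AddressValueError:
        return None


def triage(lines):
    """Return direct (non-DNS) sessions with counts, the addresses the host
    tried to reverse-resolve, and the resolvers it used."""
    sessions = Counter()
    ptr_targets = []
    resolvers = set()
    for row in map(parse_row, lines):
        if row["port"] == 53:
            resolvers.add(row["host"])
            ip = ptr_to_ip(row["domain"])
            if ip:
                ptr_targets.append(ip)
            continue
        sessions[(row["host"], row["port"], row["proto"])] += 1
    return {"sessions": dict(sessions), "ptr_targets": ptr_targets, "resolvers": sorted(resolvers)}


if __name__ == "__main__":
    result = triage(ROWS)
    for (host, port, proto), n in result["sessions"].items():
        print(f"{n}x {proto} {host}:{port}")
    print("reverse lookups for:", ", ".join(result["ptr_targets"]))
```

The output is one session key, 178.170.138.163:4554/tcp seen four times, and nine reversed addresses. The point of keeping the two lists apart is that none of the nine lookups concerns the C2 address: the RAT never resolved anything before connecting, which is why a hostname-based block would miss it and the IP:port pair is the indicator to deploy.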

Files

Memory dumps, PID 492 (the parent; the number before the address range is the dump sequence number):
  0   0x0000000000690000-0x00000000007A0000
  1   0x0000000074BF0000-0x00000000753A0000 (dumped again as 9 and 22)
  2   0x0000000005180000-0x000000000521C000
  3   0x00000000057D0000-0x0000000005D74000
  4   0x00000000052C0000-0x0000000005352000
  5   0x0000000005500000-0x0000000005510000 (dumped again as 10)
  6   0x0000000005230000-0x000000000523A000
  7   0x0000000005450000-0x00000000054A6000
  8   0x0000000005580000-0x000000000559E000
  11  0x0000000007D80000-0x0000000007E12000
  12  0x000000000A0C0000-0x000000000A0E2000

C:\Users\Admin\AppData\Local\Temp\tmp1940.tmp (the scheduled-task XML passed to schtasks /XML)

MD5 f901e8edeaa1ea0047ec99e5f23f8cab
SHA1 a1131e83cc3587a08caa6e4fadda05053215a26c
SHA256 b1d8341bce828fabafaf05605b366a6d0146f698cfebff71ecd282b77b73facb
SHA512 97f20a53614441a03a42468a574e22c662e26fc34b122b7a36a404143dd90afb254e3ec922307b2c8956c2505947d33e08bc243f673100e2466688cfc2197f2d

Memory dumps, PID 4300 (the hollowed child):
  18, 21, 23, 24  0x0000000000400000-0x0000000000554000

The injected image again occupies 0x154000 bytes at the non-relocated PE base, the same size as in the Windows 7 run, so both runs unpack the same payload. The task XML differs between runs (tmpFC0B.tmp and tmp1940.tmp have different hashes) while the task name "Updates\sgzmBy" and the /XML-from-%TEMP% pattern do not; use the latter two as host indicators, not the XML file hash.