warzonerat | 61e6a93f43049712b5f2d949fd233fa8015fe4bef01b9e1285d3d87b12f894f2

General

Target

600e0dbaefc03f7bf50abb0def3fb465.exe
Size

321KB
MD5

600e0dbaefc03f7bf50abb0def3fb465
SHA1

1b5f0ac48e06edc4ed8243be61d71077f770f2b4
SHA256

61e6a93f43049712b5f2d949fd233fa8015fe4bef01b9e1285d3d87b12f894f2
SHA512

151eebac8f8f6e72d130114f030f048dff5bce0f99ff8d3a22e8fed7616155b3e87d29acf79f488d6b53ed2c5c9b05b57f76f1f91a568c21fe9bca228efb23d9
SSDEEP

6144:62GhN2db088fTdUuNU0we+HPps1zcJLVPzGKfwQ7PHC3NJTyhtPB1m:62iNG088fTWsU0wJBsGJPf4Q7PHC3NJ8

Score

10^/10

warzonerat infostealer rat rezer0

Malware Config

Extracted

Family

warzonerat

C2

168.61.222.215:5400

Signatures

WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
rat infostealer warzonerat

ReZer0 packer 1 IoCs

Detects ReZer0, a packer with multiple versions used in various campaigns.

rezer0

Processes:

resource	yara_rule
behavioral2/memory/1812-7-0x0000000005220000-0x0000000005248000-memory.dmp	rezer0

Warzone RAT payload 4 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/4920-13-0x0000000000400000-0x0000000000553000-memory.dmp	warzonerat
behavioral2/memory/4920-16-0x0000000000400000-0x0000000000553000-memory.dmp	warzonerat
behavioral2/memory/4920-17-0x0000000000400000-0x0000000000553000-memory.dmp	warzonerat
behavioral2/memory/4920-19-0x0000000000400000-0x0000000000553000-memory.dmp	warzonerat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

600e0dbaefc03f7bf50abb0def3fb465.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	600e0dbaefc03f7bf50abb0def3fb465.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

600e0dbaefc03f7bf50abb0def3fb465.exe

description pid process target process

PID 1812 set thread context of 4920 1812 600e0dbaefc03f7bf50abb0def3fb465.exe MSBuild.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exe

pid process

4312 schtasks.exe

description	pid	process	target process
PID 1812 set thread context of 4920	1812	600e0dbaefc03f7bf50abb0def3fb465.exe	MSBuild.exe

pid	process
4312	schtasks.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

600e0dbaefc03f7bf50abb0def3fb465.exe

pid	process
1812	600e0dbaefc03f7bf50abb0def3fb465.exe
1812	600e0dbaefc03f7bf50abb0def3fb465.exe
1812	600e0dbaefc03f7bf50abb0def3fb465.exe
1812	600e0dbaefc03f7bf50abb0def3fb465.exe
1812	600e0dbaefc03f7bf50abb0def3fb465.exe
1812	600e0dbaefc03f7bf50abb0def3fb465.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

600e0dbaefc03f7bf50abb0def3fb465.exe

description pid process

Token: SeDebugPrivilege 1812 600e0dbaefc03f7bf50abb0def3fb465.exe

description	pid	process
Token: SeDebugPrivilege	1812	600e0dbaefc03f7bf50abb0def3fb465.exe

Suspicious use of WriteProcessMemory 17 IoCs

Processes:

600e0dbaefc03f7bf50abb0def3fb465.exe

description	pid	process	target process
PID 1812 wrote to memory of 4312	1812	600e0dbaefc03f7bf50abb0def3fb465.exe	schtasks.exe
PID 1812 wrote to memory of 4312	1812	600e0dbaefc03f7bf50abb0def3fb465.exe	schtasks.exe
PID 1812 wrote to memory of 4312	1812	600e0dbaefc03f7bf50abb0def3fb465.exe	schtasks.exe
PID 1812 wrote to memory of 2760	1812	600e0dbaefc03f7bf50abb0def3fb465.exe	MSBuild.exe
PID 1812 wrote to memory of 2760	1812	600e0dbaefc03f7bf50abb0def3fb465.exe	MSBuild.exe
PID 1812 wrote to memory of 2760	1812	600e0dbaefc03f7bf50abb0def3fb465.exe	MSBuild.exe
PID 1812 wrote to memory of 4920	1812	600e0dbaefc03f7bf50abb0def3fb465.exe	MSBuild.exe
PID 1812 wrote to memory of 4920	1812	600e0dbaefc03f7bf50abb0def3fb465.exe	MSBuild.exe
PID 1812 wrote to memory of 4920	1812	600e0dbaefc03f7bf50abb0def3fb465.exe	MSBuild.exe
PID 1812 wrote to memory of 4920	1812	600e0dbaefc03f7bf50abb0def3fb465.exe	MSBuild.exe
PID 1812 wrote to memory of 4920	1812	600e0dbaefc03f7bf50abb0def3fb465.exe	MSBuild.exe
PID 1812 wrote to memory of 4920	1812	600e0dbaefc03f7bf50abb0def3fb465.exe	MSBuild.exe
PID 1812 wrote to memory of 4920	1812	600e0dbaefc03f7bf50abb0def3fb465.exe	MSBuild.exe
PID 1812 wrote to memory of 4920	1812	600e0dbaefc03f7bf50abb0def3fb465.exe	MSBuild.exe
PID 1812 wrote to memory of 4920	1812	600e0dbaefc03f7bf50abb0def3fb465.exe	MSBuild.exe
PID 1812 wrote to memory of 4920	1812	600e0dbaefc03f7bf50abb0def3fb465.exe	MSBuild.exe
PID 1812 wrote to memory of 4920	1812	600e0dbaefc03f7bf50abb0def3fb465.exe	MSBuild.exe

C:\Users\Admin\AppData\Local\Temp\600e0dbaefc03f7bf50abb0def3fb465.exe
"C:\Users\Admin\AppData\Local\Temp\600e0dbaefc03f7bf50abb0def3fb465.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1812

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\jFvfxe" /XML "C:\Users\Admin\AppData\Local\Temp\tmp16CF.tmp"
2⤵
- Creates scheduled task(s)
PID:4312

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
2⤵
PID:2760

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
2⤵
PID:4920

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3872 --field-trial-handle=2284,i,9807419199535700662,2319175108930815708,262144 --variations-seed-version /prefetch:8
1⤵
PID:2600

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp16CF.tmp
Filesize
1KB

MD5
0363e097717dafc465e10b2c2e851e4a

SHA1
ab618e2d91ae609cdc2193d167e70c794d9b9118

SHA256
d4f7b92cfe95411c7b8a817b8f8f75db2b04e40351edbc3bf1d644f872ac562c

SHA512
6018594ccc73d7bf5a59a5172119878e2c0ad5b0ec053c2388c1321ca185f0468ed14c1caa5a9679e519d1f9013735b143bea2187e0c0a92d67241cfd51dee1e

Download Submit
memory/1812-6-0x00000000054D0000-0x000000000556C000-memory.dmp

Filesize
624KB

Download
memory/1812-2-0x00000000027E0000-0x00000000027F0000-memory.dmp

Filesize
64KB

Download
memory/1812-3-0x0000000005610000-0x0000000005BB4000-memory.dmp

Filesize
5.6MB

Download
memory/1812-4-0x0000000005100000-0x0000000005192000-memory.dmp

Filesize
584KB

Download
memory/1812-5-0x0000000004E00000-0x0000000004E08000-memory.dmp

Filesize
32KB

Download
memory/1812-0-0x0000000074A40000-0x00000000751F0000-memory.dmp

Filesize
7.7MB

Download
memory/1812-7-0x0000000005220000-0x0000000005248000-memory.dmp

Filesize
160KB

Download
memory/1812-1-0x00000000002B0000-0x0000000000306000-memory.dmp

Filesize
344KB

Download
memory/1812-18-0x0000000074A40000-0x00000000751F0000-memory.dmp

Filesize
7.7MB

Download
memory/4920-13-0x0000000000400000-0x0000000000553000-memory.dmp

Filesize
1.3MB

Download
memory/4920-16-0x0000000000400000-0x0000000000553000-memory.dmp

Filesize
1.3MB

Download
memory/4920-17-0x0000000000400000-0x0000000000553000-memory.dmp

Filesize
1.3MB

Download
memory/4920-19-0x0000000000400000-0x0000000000553000-memory.dmp

Filesize
1.3MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads