warzonerat | 0c64978cf7ffc6b2ceaa4992de7ae4a05575babd79bcfecb57cc74ac3848ddde

General

Target

c67c1797ac06edcba5d78083ba87b357.exe
Size

236KB
MD5

c67c1797ac06edcba5d78083ba87b357
SHA1

a37cd82dd4def1b73dc06c3a9f8210b884f64d46
SHA256

0c64978cf7ffc6b2ceaa4992de7ae4a05575babd79bcfecb57cc74ac3848ddde
SHA512

7d89c10193ea753e6a4206b0df15d0897b57a56ae53137d715efec724d754a38dd68eeb0ff11d9b9fd12afa54c51425252a541f5bd97a129304491ff33db5fd9
SSDEEP

3072:rWUYAlmXkJr4Dul8kZyLA93qlUD2mvwV6bFcHSRoodGv8Z36CxVYwwBJ785v7W8+:zsBi17NCFYp3rtHmqbK65Y

Score

10^/10

warzonerat evasion infostealer rat rezer0 trojan

Malware Config

Extracted

Family

warzonerat

C2

185.140.53.41:2104

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 4 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

Processes:

c67c1797ac06edcba5d78083ba87b357.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	c67c1797ac06edcba5d78083ba87b357.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	c67c1797ac06edcba5d78083ba87b357.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	c67c1797ac06edcba5d78083ba87b357.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	c67c1797ac06edcba5d78083ba87b357.exe

WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
rat infostealer warzonerat

ReZer0 packer 2 IoCs

Detects ReZer0, a packer with multiple versions used in various campaigns.

rezer0

Processes:

resource	yara_rule
behavioral1/memory/2932-5-0x0000000000730000-0x0000000000758000-memory.dmp	rezer0
behavioral1/memory/2856-9-0x0000000002D00000-0x0000000002D40000-memory.dmp	rezer0

Warzone RAT payload 6 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/2652-17-0x0000000000400000-0x0000000000551000-memory.dmp	warzonerat
behavioral1/memory/2652-18-0x0000000000400000-0x0000000000551000-memory.dmp	warzonerat
behavioral1/memory/2652-19-0x0000000000400000-0x0000000000551000-memory.dmp	warzonerat
behavioral1/memory/2652-20-0x0000000000400000-0x0000000000551000-memory.dmp	warzonerat
behavioral1/memory/2652-24-0x0000000000400000-0x0000000000551000-memory.dmp	warzonerat
behavioral1/memory/2652-26-0x0000000000400000-0x0000000000551000-memory.dmp	warzonerat

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

c67c1797ac06edcba5d78083ba87b357.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features	c67c1797ac06edcba5d78083ba87b357.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	c67c1797ac06edcba5d78083ba87b357.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

c67c1797ac06edcba5d78083ba87b357.exe

description pid process target process

PID 2932 set thread context of 2652 2932 c67c1797ac06edcba5d78083ba87b357.exe c67c1797ac06edcba5d78083ba87b357.exe
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

2616 2652 WerFault.exe c67c1797ac06edcba5d78083ba87b357.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

powershell.exec67c1797ac06edcba5d78083ba87b357.exe

pid process

2856 powershell.exe
2932 c67c1797ac06edcba5d78083ba87b357.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

powershell.exec67c1797ac06edcba5d78083ba87b357.exe

description pid process

Token: SeDebugPrivilege 2856 powershell.exe
Token: SeDebugPrivilege 2932 c67c1797ac06edcba5d78083ba87b357.exe

description	pid	process	target process
PID 2932 set thread context of 2652	2932	c67c1797ac06edcba5d78083ba87b357.exe	c67c1797ac06edcba5d78083ba87b357.exe

pid	pid_target	process	target process
2616	2652	WerFault.exe	c67c1797ac06edcba5d78083ba87b357.exe

pid	process
2856	powershell.exe
2932	c67c1797ac06edcba5d78083ba87b357.exe

description	pid	process
Token: SeDebugPrivilege	2856	powershell.exe
Token: SeDebugPrivilege	2932	c67c1797ac06edcba5d78083ba87b357.exe

Suspicious use of WriteProcessMemory 20 IoCs

Processes:

c67c1797ac06edcba5d78083ba87b357.exec67c1797ac06edcba5d78083ba87b357.exe

C:\Users\Admin\AppData\Local\Temp\c67c1797ac06edcba5d78083ba87b357.exe
"C:\Users\Admin\AppData\Local\Temp\c67c1797ac06edcba5d78083ba87b357.exe"
1⤵
- Modifies Windows Defender Real-time Protection settings
- Windows security modification
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2932

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"powershell" Get-MpPreference -verbose
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2856

C:\Users\Admin\AppData\Local\Temp\c67c1797ac06edcba5d78083ba87b357.exe
"C:\Users\Admin\AppData\Local\Temp\c67c1797ac06edcba5d78083ba87b357.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:2652

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2652 -s 184
3⤵
- Program crash
PID:2616

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Privilege Escalation

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Defense Evasion

Modify Registry

2

T1112

Impair Defenses

2

T1562

Disable or Modify Tools

2

T1562.001

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2652-13-0x0000000000400000-0x0000000000551000-memory.dmp

Filesize
1.3MB

Download
memory/2652-26-0x0000000000400000-0x0000000000551000-memory.dmp

Filesize
1.3MB

Download
memory/2652-22-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2652-24-0x0000000000400000-0x0000000000551000-memory.dmp

Filesize
1.3MB

Download
memory/2652-20-0x0000000000400000-0x0000000000551000-memory.dmp

Filesize
1.3MB

Download
memory/2652-19-0x0000000000400000-0x0000000000551000-memory.dmp

Filesize
1.3MB

Download
memory/2652-18-0x0000000000400000-0x0000000000551000-memory.dmp

Filesize
1.3MB

Download
memory/2652-15-0x0000000000400000-0x0000000000551000-memory.dmp

Filesize
1.3MB

Download
memory/2652-17-0x0000000000400000-0x0000000000551000-memory.dmp

Filesize
1.3MB

Download
memory/2652-16-0x0000000000400000-0x0000000000551000-memory.dmp

Filesize
1.3MB

Download
memory/2856-12-0x000000006F9B0000-0x000000006FF5B000-memory.dmp

Filesize
5.7MB

Download
memory/2856-10-0x000000006F9B0000-0x000000006FF5B000-memory.dmp

Filesize
5.7MB

Download
memory/2856-11-0x0000000002D00000-0x0000000002D40000-memory.dmp

Filesize
256KB

Download
memory/2856-9-0x0000000002D00000-0x0000000002D40000-memory.dmp

Filesize
256KB

Download
memory/2856-8-0x000000006F9B0000-0x000000006FF5B000-memory.dmp

Filesize
5.7MB

Download
memory/2932-0-0x0000000001050000-0x0000000001092000-memory.dmp

Filesize
264KB

Download
memory/2932-5-0x0000000000730000-0x0000000000758000-memory.dmp

Filesize
160KB

Download
memory/2932-4-0x0000000000510000-0x0000000000552000-memory.dmp

Filesize
264KB

Download
memory/2932-3-0x0000000000350000-0x0000000000358000-memory.dmp

Filesize
32KB

Download
memory/2932-2-0x0000000004D20000-0x0000000004D60000-memory.dmp

Filesize
256KB

Download
memory/2932-1-0x0000000074A50000-0x000000007513E000-memory.dmp

Filesize
6.9MB

Download
memory/2932-27-0x0000000074A50000-0x000000007513E000-memory.dmp

Filesize
6.9MB

Download

description	pid	process	target process
PID 2932 wrote to memory of 2856	2932	c67c1797ac06edcba5d78083ba87b357.exe	powershell.exe
PID 2932 wrote to memory of 2856	2932	c67c1797ac06edcba5d78083ba87b357.exe	powershell.exe
PID 2932 wrote to memory of 2856	2932	c67c1797ac06edcba5d78083ba87b357.exe	powershell.exe
PID 2932 wrote to memory of 2856	2932	c67c1797ac06edcba5d78083ba87b357.exe	powershell.exe
PID 2932 wrote to memory of 2652	2932	c67c1797ac06edcba5d78083ba87b357.exe	c67c1797ac06edcba5d78083ba87b357.exe
PID 2932 wrote to memory of 2652	2932	c67c1797ac06edcba5d78083ba87b357.exe	c67c1797ac06edcba5d78083ba87b357.exe
PID 2932 wrote to memory of 2652	2932	c67c1797ac06edcba5d78083ba87b357.exe	c67c1797ac06edcba5d78083ba87b357.exe
PID 2932 wrote to memory of 2652	2932	c67c1797ac06edcba5d78083ba87b357.exe	c67c1797ac06edcba5d78083ba87b357.exe
PID 2932 wrote to memory of 2652	2932	c67c1797ac06edcba5d78083ba87b357.exe	c67c1797ac06edcba5d78083ba87b357.exe
PID 2932 wrote to memory of 2652	2932	c67c1797ac06edcba5d78083ba87b357.exe	c67c1797ac06edcba5d78083ba87b357.exe
PID 2932 wrote to memory of 2652	2932	c67c1797ac06edcba5d78083ba87b357.exe	c67c1797ac06edcba5d78083ba87b357.exe
PID 2932 wrote to memory of 2652	2932	c67c1797ac06edcba5d78083ba87b357.exe	c67c1797ac06edcba5d78083ba87b357.exe
PID 2932 wrote to memory of 2652	2932	c67c1797ac06edcba5d78083ba87b357.exe	c67c1797ac06edcba5d78083ba87b357.exe
PID 2932 wrote to memory of 2652	2932	c67c1797ac06edcba5d78083ba87b357.exe	c67c1797ac06edcba5d78083ba87b357.exe
PID 2932 wrote to memory of 2652	2932	c67c1797ac06edcba5d78083ba87b357.exe	c67c1797ac06edcba5d78083ba87b357.exe
PID 2932 wrote to memory of 2652	2932	c67c1797ac06edcba5d78083ba87b357.exe	c67c1797ac06edcba5d78083ba87b357.exe
PID 2652 wrote to memory of 2616	2652	c67c1797ac06edcba5d78083ba87b357.exe	WerFault.exe
PID 2652 wrote to memory of 2616	2652	c67c1797ac06edcba5d78083ba87b357.exe	WerFault.exe
PID 2652 wrote to memory of 2616	2652	c67c1797ac06edcba5d78083ba87b357.exe	WerFault.exe
PID 2652 wrote to memory of 2616	2652	c67c1797ac06edcba5d78083ba87b357.exe	WerFault.exe

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads