warzonerat | c9f708d196905d6b42dda2b45f3a3965517d5cdc885f7b3b8824aaed33da5fff

General

Target

d02e7036dcce34d85849df93ec36c62f.exe
Size

236KB
MD5

d02e7036dcce34d85849df93ec36c62f
SHA1

211c57f2f2e2f3cf11ce59f6848d8c7cce41fd18
SHA256

c9f708d196905d6b42dda2b45f3a3965517d5cdc885f7b3b8824aaed33da5fff
SHA512

8807912b873d950e37504a845e0c198e468fd4eb454d97ed877ed648ac8bb80c9c41b0bc3ae95100ecc210c2473cdd1d07d86a75acfce440e79c7c95c48ba12f
SSDEEP

3072:ASWUYAlmXkJr4Dul8kZyLA93qlUD2mvwV6bFcHSRoodGv8Z36CxVYwwBJ785v7Wt:AEsBi17NCFYp3rtHmqbK65o

Score

10^/10

warzonerat evasion infostealer rat rezer0 trojan

Malware Config

Extracted

Family

warzonerat

C2

185.140.53.41:2104

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 4 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

Processes:

d02e7036dcce34d85849df93ec36c62f.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	d02e7036dcce34d85849df93ec36c62f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	d02e7036dcce34d85849df93ec36c62f.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	d02e7036dcce34d85849df93ec36c62f.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	d02e7036dcce34d85849df93ec36c62f.exe

WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
rat infostealer warzonerat

ReZer0 packer 1 IoCs

Detects ReZer0, a packer with multiple versions used in various campaigns.

rezer0

Processes:

resource	yara_rule
behavioral2/memory/4624-9-0x0000000005930000-0x0000000005958000-memory.dmp	rezer0

Warzone RAT payload 4 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/2848-57-0x0000000000400000-0x0000000000551000-memory.dmp	warzonerat
behavioral2/memory/2848-60-0x0000000000400000-0x0000000000551000-memory.dmp	warzonerat
behavioral2/memory/2848-61-0x0000000000400000-0x0000000000551000-memory.dmp	warzonerat
behavioral2/memory/2848-97-0x0000000000400000-0x0000000000551000-memory.dmp	warzonerat

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

d02e7036dcce34d85849df93ec36c62f.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	d02e7036dcce34d85849df93ec36c62f.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	d02e7036dcce34d85849df93ec36c62f.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

d02e7036dcce34d85849df93ec36c62f.exe

description pid process target process

PID 4624 set thread context of 2848 4624 d02e7036dcce34d85849df93ec36c62f.exe d02e7036dcce34d85849df93ec36c62f.exe
Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

powershell.exed02e7036dcce34d85849df93ec36c62f.exepowershell.exe

pid process

3668 powershell.exe
3668 powershell.exe
4624 d02e7036dcce34d85849df93ec36c62f.exe
2884 powershell.exe
2884 powershell.exe
2884 powershell.exe

description	pid	process	target process
PID 4624 set thread context of 2848	4624	d02e7036dcce34d85849df93ec36c62f.exe	d02e7036dcce34d85849df93ec36c62f.exe

pid	process
3668	powershell.exe
3668	powershell.exe
4624	d02e7036dcce34d85849df93ec36c62f.exe
2884	powershell.exe
2884	powershell.exe
2884	powershell.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

powershell.exed02e7036dcce34d85849df93ec36c62f.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	3668	powershell.exe
Token: SeDebugPrivilege	4624	d02e7036dcce34d85849df93ec36c62f.exe
Token: SeDebugPrivilege	2884	powershell.exe

Suspicious use of WriteProcessMemory 22 IoCs

Processes:

d02e7036dcce34d85849df93ec36c62f.exed02e7036dcce34d85849df93ec36c62f.exe

description	pid	process	target process
PID 4624 wrote to memory of 3668	4624	d02e7036dcce34d85849df93ec36c62f.exe	powershell.exe
PID 4624 wrote to memory of 3668	4624	d02e7036dcce34d85849df93ec36c62f.exe	powershell.exe
PID 4624 wrote to memory of 3668	4624	d02e7036dcce34d85849df93ec36c62f.exe	powershell.exe
PID 4624 wrote to memory of 2848	4624	d02e7036dcce34d85849df93ec36c62f.exe	d02e7036dcce34d85849df93ec36c62f.exe
PID 4624 wrote to memory of 2848	4624	d02e7036dcce34d85849df93ec36c62f.exe	d02e7036dcce34d85849df93ec36c62f.exe
PID 4624 wrote to memory of 2848	4624	d02e7036dcce34d85849df93ec36c62f.exe	d02e7036dcce34d85849df93ec36c62f.exe
PID 4624 wrote to memory of 2848	4624	d02e7036dcce34d85849df93ec36c62f.exe	d02e7036dcce34d85849df93ec36c62f.exe
PID 4624 wrote to memory of 2848	4624	d02e7036dcce34d85849df93ec36c62f.exe	d02e7036dcce34d85849df93ec36c62f.exe
PID 4624 wrote to memory of 2848	4624	d02e7036dcce34d85849df93ec36c62f.exe	d02e7036dcce34d85849df93ec36c62f.exe
PID 4624 wrote to memory of 2848	4624	d02e7036dcce34d85849df93ec36c62f.exe	d02e7036dcce34d85849df93ec36c62f.exe
PID 4624 wrote to memory of 2848	4624	d02e7036dcce34d85849df93ec36c62f.exe	d02e7036dcce34d85849df93ec36c62f.exe
PID 4624 wrote to memory of 2848	4624	d02e7036dcce34d85849df93ec36c62f.exe	d02e7036dcce34d85849df93ec36c62f.exe
PID 4624 wrote to memory of 2848	4624	d02e7036dcce34d85849df93ec36c62f.exe	d02e7036dcce34d85849df93ec36c62f.exe
PID 4624 wrote to memory of 2848	4624	d02e7036dcce34d85849df93ec36c62f.exe	d02e7036dcce34d85849df93ec36c62f.exe
PID 2848 wrote to memory of 2884	2848	d02e7036dcce34d85849df93ec36c62f.exe	powershell.exe
PID 2848 wrote to memory of 2884	2848	d02e7036dcce34d85849df93ec36c62f.exe	powershell.exe
PID 2848 wrote to memory of 2884	2848	d02e7036dcce34d85849df93ec36c62f.exe	powershell.exe
PID 2848 wrote to memory of 4684	2848	d02e7036dcce34d85849df93ec36c62f.exe	cmd.exe
PID 2848 wrote to memory of 4684	2848	d02e7036dcce34d85849df93ec36c62f.exe	cmd.exe
PID 2848 wrote to memory of 4684	2848	d02e7036dcce34d85849df93ec36c62f.exe	cmd.exe
PID 2848 wrote to memory of 4684	2848	d02e7036dcce34d85849df93ec36c62f.exe	cmd.exe
PID 2848 wrote to memory of 4684	2848	d02e7036dcce34d85849df93ec36c62f.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\d02e7036dcce34d85849df93ec36c62f.exe
"C:\Users\Admin\AppData\Local\Temp\d02e7036dcce34d85849df93ec36c62f.exe"
1⤵
- Modifies Windows Defender Real-time Protection settings
- Windows security modification
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4624

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"powershell" Get-MpPreference -verbose
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3668

C:\Users\Admin\AppData\Local\Temp\d02e7036dcce34d85849df93ec36c62f.exe
"C:\Users\Admin\AppData\Local\Temp\d02e7036dcce34d85849df93ec36c62f.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:2848

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell Add-MpPreference -ExclusionPath C:\
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2884

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe"
3⤵
PID:4684

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Privilege Escalation

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Defense Evasion

Modify Registry

2

T1112

Impair Defenses

2

T1562

Disable or Modify Tools

2

T1562.001

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
Filesize
2KB

MD5
3d086a433708053f9bf9523e1d87a4e8

SHA1
b3ab5d4f282a4c8fe8c3005b8a557ed5a0e37f28

SHA256
6f8fd1b8d9788ad54eaeee329232187e24b7b43393a01aeba2d6e9675231fb69

SHA512
931ae42b4c68a4507ff2342332b08eb407050d47cf4176137ea022d0f6e513c689e998445a04c6d18d4877391705c586bfce0234632b898d41aaed0957996dfd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
18KB

MD5
ceebfe7a5e2128126a35677c119c055e

SHA1
ca684a439df90261e9d24a1ec9f1d20671c80dc3

SHA256
b365c90271c4656e1046522bfe0dec0d1d7bc55f009ae68e090cc79f8b0a8051

SHA512
ec6544bd3f572854813d4950835cfddf7459f731937f819603f50a59446f51cb5b3d7a35edb6f8c2054b9e6b9aed5e565ebbfcc3d0f7e956fb370538d17f7404

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_kxfxzlgt.xjs.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
memory/2848-97-0x0000000000400000-0x0000000000551000-memory.dmp

Filesize
1.3MB

Download
memory/2848-57-0x0000000000400000-0x0000000000551000-memory.dmp

Filesize
1.3MB

Download
memory/2848-60-0x0000000000400000-0x0000000000551000-memory.dmp

Filesize
1.3MB

Download
memory/2848-61-0x0000000000400000-0x0000000000551000-memory.dmp

Filesize
1.3MB

Download
memory/2884-78-0x0000000006280000-0x00000000062CC000-memory.dmp

Filesize
304KB

Download
memory/2884-81-0x0000000002410000-0x0000000002420000-memory.dmp

Filesize
64KB

Download
memory/2884-82-0x0000000073540000-0x000000007358C000-memory.dmp

Filesize
304KB

Download
memory/2884-76-0x00000000058D0000-0x0000000005C24000-memory.dmp

Filesize
3.3MB

Download
memory/2884-66-0x0000000002410000-0x0000000002420000-memory.dmp

Filesize
64KB

Download
memory/2884-65-0x0000000002410000-0x0000000002420000-memory.dmp

Filesize
64KB

Download
memory/2884-64-0x0000000074330000-0x0000000074AE0000-memory.dmp

Filesize
7.7MB

Download
memory/2884-92-0x0000000006FE0000-0x0000000007083000-memory.dmp

Filesize
652KB

Download
memory/2884-93-0x0000000007280000-0x0000000007291000-memory.dmp

Filesize
68KB

Download
memory/2884-94-0x00000000072B0000-0x00000000072C4000-memory.dmp

Filesize
80KB

Download
memory/2884-96-0x0000000074330000-0x0000000074AE0000-memory.dmp

Filesize
7.7MB

Download
memory/3668-13-0x0000000005310000-0x0000000005320000-memory.dmp

Filesize
64KB

Download
memory/3668-56-0x00000000749C0000-0x0000000075170000-memory.dmp

Filesize
7.7MB

Download
memory/3668-28-0x0000000006890000-0x00000000068AE000-memory.dmp

Filesize
120KB

Download
memory/3668-29-0x0000000006940000-0x000000000698C000-memory.dmp

Filesize
304KB

Download
memory/3668-30-0x0000000005310000-0x0000000005320000-memory.dmp

Filesize
64KB

Download
memory/3668-31-0x000000007EFD0000-0x000000007EFE0000-memory.dmp

Filesize
64KB

Download
memory/3668-32-0x0000000006E60000-0x0000000006E92000-memory.dmp

Filesize
200KB

Download
memory/3668-33-0x00000000703C0000-0x000000007040C000-memory.dmp

Filesize
304KB

Download
memory/3668-43-0x0000000006E40000-0x0000000006E5E000-memory.dmp

Filesize
120KB

Download
memory/3668-44-0x0000000007A60000-0x0000000007B03000-memory.dmp

Filesize
652KB

Download
memory/3668-45-0x00000000081E0000-0x000000000885A000-memory.dmp

Filesize
6.5MB

Download
memory/3668-46-0x0000000007BA0000-0x0000000007BBA000-memory.dmp

Filesize
104KB

Download
memory/3668-47-0x0000000007C10000-0x0000000007C1A000-memory.dmp

Filesize
40KB

Download
memory/3668-48-0x0000000007E20000-0x0000000007EB6000-memory.dmp

Filesize
600KB

Download
memory/3668-49-0x0000000007DA0000-0x0000000007DB1000-memory.dmp

Filesize
68KB

Download
memory/3668-50-0x0000000007DD0000-0x0000000007DDE000-memory.dmp

Filesize
56KB

Download
memory/3668-51-0x0000000007DE0000-0x0000000007DF4000-memory.dmp

Filesize
80KB

Download
memory/3668-52-0x0000000007EE0000-0x0000000007EFA000-memory.dmp

Filesize
104KB

Download
memory/3668-53-0x0000000007EC0000-0x0000000007EC8000-memory.dmp

Filesize
32KB

Download
memory/3668-27-0x0000000006370000-0x00000000066C4000-memory.dmp

Filesize
3.3MB

Download
memory/3668-22-0x0000000006200000-0x0000000006266000-memory.dmp

Filesize
408KB

Download
memory/3668-16-0x0000000006190000-0x00000000061F6000-memory.dmp

Filesize
408KB

Download
memory/3668-15-0x00000000060F0000-0x0000000006112000-memory.dmp

Filesize
136KB

Download
memory/3668-10-0x00000000052D0000-0x0000000005306000-memory.dmp

Filesize
216KB

Download
memory/3668-11-0x00000000749C0000-0x0000000075170000-memory.dmp

Filesize
7.7MB

Download
memory/3668-14-0x0000000005310000-0x0000000005320000-memory.dmp

Filesize
64KB

Download
memory/3668-12-0x0000000005950000-0x0000000005F78000-memory.dmp

Filesize
6.2MB

Download
memory/4624-0-0x00000000749C0000-0x0000000075170000-memory.dmp

Filesize
7.7MB

Download
memory/4624-62-0x00000000749C0000-0x0000000075170000-memory.dmp

Filesize
7.7MB

Download
memory/4624-9-0x0000000005930000-0x0000000005958000-memory.dmp

Filesize
160KB

Download
memory/4624-8-0x0000000005460000-0x00000000054A2000-memory.dmp

Filesize
264KB

Download
memory/4624-7-0x0000000005430000-0x0000000005438000-memory.dmp

Filesize
32KB

Download
memory/4624-6-0x0000000005420000-0x000000000542A000-memory.dmp

Filesize
40KB

Download
memory/4624-5-0x0000000005300000-0x0000000005310000-memory.dmp

Filesize
64KB

Download
memory/4624-4-0x00000000054F0000-0x000000000558C000-memory.dmp

Filesize
624KB

Download
memory/4624-3-0x0000000005350000-0x00000000053E2000-memory.dmp

Filesize
584KB

Download
memory/4624-2-0x0000000005A00000-0x0000000005FA4000-memory.dmp

Filesize
5.6MB

Download
memory/4624-1-0x0000000000930000-0x0000000000972000-memory.dmp

Filesize
264KB

Download
memory/4684-79-0x0000000000650000-0x0000000000651000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads