Malware Analysis Report

2024-10-24 16:45

Sample ID 240421-rekegsch72
Target Server.exe
SHA256 6898a4a5134e3da33a28477ce504ef8385021d2200080573e85e5ea332724d0e
Tags
warzonerat collection infostealer persistence rat spyware stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral4

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

6898a4a5134e3da33a28477ce504ef8385021d2200080573e85e5ea332724d0e

Threat Level: Known bad

The file Server.exe was found to be: Known bad.

Malicious Activity Summary

warzonerat collection infostealer persistence rat spyware stealer

Warzonerat family

Warzone RAT payload

WarzoneRat, AveMaria

Reads user/profile data of web browsers

Drops startup file

Loads dropped DLL

Accesses Microsoft Outlook profiles

Adds Run key to start application

Modifies WinLogon

Unsigned PE

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

NTFS ADS

Suspicious behavior: EnumeratesProcesses

outlook_office_path

outlook_win_path

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-04-21 14:06

Signatures

Warzone RAT payload

rat
Description Indicator Process Target
N/A N/A N/A N/A

Warzonerat family

warzonerat

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral3

Detonation Overview

Submitted

2024-04-21 14:06

Reported

2024-04-21 14:11

Platform

win10v2004-20240412-en

Max time kernel

299s

Max time network

303s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Server.exe"

Signatures

WarzoneRat, AveMaria

rat infostealer warzonerat

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\programs.bat C:\Users\Admin\AppData\Local\Temp\Server.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\programs.bat:start C:\Users\Admin\AppData\Local\Temp\Server.exe N/A

Reads user/profile data of web browsers

spyware stealer

Accesses Microsoft Outlook profiles

collection
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\Server.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\Server.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WD Antivirus = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Server.exe" C:\Users\Admin\AppData\Local\Temp\Server.exe N/A

Enumerates physical storage devices

NTFS ADS

Description Indicator Process Target
File created C:\Users\Admin\Documents\Documents:ApplicationData C:\Users\Admin\AppData\Local\Temp\Server.exe N/A
File opened for modification C:\Users\Admin\Documents\Documents:ApplicationData C:\Users\Admin\AppData\Local\Temp\Server.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\svchost.exe N/A

outlook_office_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\Server.exe N/A

outlook_win_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\Server.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Server.exe

"C:\Users\Admin\AppData\Local\Temp\Server.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell Add-MpPreference -ExclusionPath C:\

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe"

C:\Windows\system32\rundll32.exe

"C:\Windows\system32\rundll32.exe" "C:\Windows\SYSTEM32\EDGEHTML.dll",#141 Microsoft.VCLibs.140.00_8wekyb3d8bbwe

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k UnistackSvcGroup

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 249.197.17.2.in-addr.arpa udp
US 8.8.8.8:53 138.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 tonnersturma-31352.portmap.host udp
DE 193.161.193.99:31352 tonnersturma-31352.portmap.host tcp
US 8.8.8.8:53 99.193.161.193.in-addr.arpa udp
US 8.8.8.8:53 156.33.209.4.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 21.114.53.23.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 154.173.246.72.in-addr.arpa udp
US 8.8.8.8:53 206.221.208.4.in-addr.arpa udp
US 8.8.8.8:53 119.110.54.20.in-addr.arpa udp
US 8.8.8.8:53 17.14.97.104.in-addr.arpa udp
US 8.8.8.8:53 200.197.17.2.in-addr.arpa udp
US 8.8.8.8:53 25.14.97.104.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 51.15.97.104.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 tonnersturma-31352.portmap.host udp
DE 193.161.193.99:5541 tonnersturma-31352.portmap.host tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 microsoft.com udp
US 20.112.250.133:80 microsoft.com tcp
US 8.8.8.8:53 133.250.112.20.in-addr.arpa udp
DE 193.161.193.99:5541 tonnersturma-31352.portmap.host tcp
US 8.8.8.8:53 123.10.44.20.in-addr.arpa udp
US 8.8.8.8:53 65.139.73.23.in-addr.arpa udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 8.8.8.8:53 18.14.97.104.in-addr.arpa udp

Files

memory/60-0-0x0000000002C00000-0x0000000002C36000-memory.dmp

memory/60-1-0x0000000073B60000-0x0000000074310000-memory.dmp

memory/60-2-0x0000000002D40000-0x0000000002D50000-memory.dmp

memory/60-3-0x0000000002D40000-0x0000000002D50000-memory.dmp

memory/60-4-0x00000000057F0000-0x0000000005E18000-memory.dmp

memory/60-5-0x00000000056B0000-0x00000000056D2000-memory.dmp

memory/60-6-0x0000000005E90000-0x0000000005EF6000-memory.dmp

memory/60-7-0x0000000005F00000-0x0000000005F66000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_tcg1tj5s.sji.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/60-17-0x0000000006070000-0x00000000063C4000-memory.dmp

memory/60-18-0x0000000006520000-0x000000000653E000-memory.dmp

memory/60-19-0x0000000006570000-0x00000000065BC000-memory.dmp

memory/60-20-0x000000007F810000-0x000000007F820000-memory.dmp

memory/60-21-0x0000000006B00000-0x0000000006B32000-memory.dmp

memory/60-22-0x00000000703E0000-0x000000007042C000-memory.dmp

memory/60-32-0x0000000002D40000-0x0000000002D50000-memory.dmp

memory/60-33-0x0000000006AE0000-0x0000000006AFE000-memory.dmp

memory/60-34-0x0000000006B50000-0x0000000006BF3000-memory.dmp

memory/60-35-0x0000000007EA0000-0x000000000851A000-memory.dmp

memory/60-36-0x0000000007860000-0x000000000787A000-memory.dmp

memory/60-37-0x00000000078D0000-0x00000000078DA000-memory.dmp

memory/60-38-0x0000000007AE0000-0x0000000007B76000-memory.dmp

memory/60-39-0x0000000007A60000-0x0000000007A71000-memory.dmp

memory/60-40-0x0000000007A90000-0x0000000007A9E000-memory.dmp

memory/60-41-0x0000000007AA0000-0x0000000007AB4000-memory.dmp

memory/60-42-0x0000000007BA0000-0x0000000007BBA000-memory.dmp

memory/60-43-0x0000000007B80000-0x0000000007B88000-memory.dmp

memory/60-49-0x0000000073B60000-0x0000000074310000-memory.dmp

memory/4376-50-0x0000000000700000-0x0000000000701000-memory.dmp

memory/4692-55-0x0000000005AD0000-0x0000000005B54000-memory.dmp

memory/4692-64-0x0000000005AD0000-0x0000000005B54000-memory.dmp

memory/2864-65-0x0000017778670000-0x0000017778680000-memory.dmp

memory/2864-81-0x0000017778770000-0x0000017778780000-memory.dmp

memory/2864-97-0x000001777CAE0000-0x000001777CAE1000-memory.dmp

memory/2864-99-0x000001777CB10000-0x000001777CB11000-memory.dmp

memory/2864-100-0x000001777CB10000-0x000001777CB11000-memory.dmp

memory/2864-101-0x000001777CC20000-0x000001777CC21000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\msvcp140.dll

MD5 109f0f02fd37c84bfc7508d4227d7ed5
SHA1 ef7420141bb15ac334d3964082361a460bfdb975
SHA256 334e69ac9367f708ce601a6f490ff227d6c20636da5222f148b25831d22e13d4
SHA512 46eb62b65817365c249b48863d894b4669e20fcb3992e747cd5c9fdd57968e1b2cf7418d1c9340a89865eadda362b8db51947eb4427412eb83b35994f932fd39

C:\Users\Admin\AppData\Local\Temp\vcruntime140.dll

MD5 7587bf9cb4147022cd5681b015183046
SHA1 f2106306a8f6f0da5afb7fc765cfa0757ad5a628
SHA256 c40bb03199a2054dabfc7a8e01d6098e91de7193619effbd0f142a7bf031c14d
SHA512 0b63e4979846ceba1b1ed8470432ea6aa18cca66b5f5322d17b14bc0dfa4b2ee09ca300a016e16a01db5123e4e022820698f46d9bad1078bd24675b4b181e91f

C:\Users\Admin\AppData\Local\Temp\mozglue.dll

MD5 75f8cc548cabf0cc800c25047e4d3124
SHA1 602676768f9faecd35b48c38a0632781dfbde10c
SHA256 fb419a60305f17359e2ac0510233ee80e845885eee60607715c67dd88e501ef0
SHA512 ed831c9c769aef3be253c52542cf032afa0a8fa5fe25ca704db65ee6883c608220df7102ac2b99ee9c2e599a0f5db99fd86894a4b169e68440eb1b0d0012672f

C:\Users\Admin\AppData\Local\Temp\nss3.dll

MD5 d7858e8449004e21b01d468e9fd04b82
SHA1 9524352071ede21c167e7e4f106e9526dc23ef4e
SHA256 78758bf7f3b3b5e3477e38354acd32d787bc1286c8bd9b873471b9c195e638db
SHA512 1e2c981e6c0ca36c60c6e9cae9548b866d5c524df837095b30d618d9c322def7134c20de820105400dd1b58076b66d90274f67773ac6ba914f611b419babb440

C:\Users\Admin\AppData\Local\Temp\softokn3.dll

MD5 471c983513694ac3002590345f2be0da
SHA1 6612b9af4ff6830fa9b7d4193078434ef72f775b
SHA256 bb3ff746471116c6ad0339fa0522aa2a44a787e33a29c7b27649a054ecd4d00f
SHA512 a9b0fb923bc3b567e933de10b141a3e9213640e3d790b4c4d753cf220d55593ae8026102909969ba6bfc22da3b2fcd01e30a9f5a74bd14a0fdec9beaf0fb1410

C:\Users\Admin\AppData\Local\Temp\freebl3.dll

MD5 ef12ab9d0b231b8f898067b2114b1bc0
SHA1 6d90f27b2105945f9bb77039e8b892070a5f9442
SHA256 2b00fc4f541ac10c94e3556ff28e30a801811c36422546a546a445aca3f410f7
SHA512 2aa62bfba556ad8f042942dd25aa071ff6677c257904377c1ec956fd9e862abcbf379e0cfd8c630c303a32ece75618c24e3eef58bddb705c427985b944689193

Analysis: behavioral4

Detonation Overview

Submitted

2024-04-21 14:06

Reported

2024-04-21 14:11

Platform

win11-20240412-en

Max time kernel

298s

Max time network

302s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Server.exe"

Signatures

WarzoneRat, AveMaria

rat infostealer warzonerat

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\programs.bat:start C:\Users\Admin\AppData\Local\Temp\Server.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\programs.bat C:\Users\Admin\AppData\Local\Temp\Server.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WD Antivirus = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Server.exe" C:\Users\Admin\AppData\Local\Temp\Server.exe N/A

NTFS ADS

Description Indicator Process Target
File created C:\Users\Admin\Documents\Documents:ApplicationData C:\Users\Admin\AppData\Local\Temp\Server.exe N/A
File opened for modification C:\Users\Admin\Documents\Documents:ApplicationData C:\Users\Admin\AppData\Local\Temp\Server.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Server.exe

"C:\Users\Admin\AppData\Local\Temp\Server.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell Add-MpPreference -ExclusionPath C:\

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 tonnersturma-31352.portmap.host udp
DE 193.161.193.99:31352 tonnersturma-31352.portmap.host tcp
DE 193.161.193.99:5542 tonnersturma-31352.portmap.host tcp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 216.197.17.2.in-addr.arpa udp

Files

memory/3672-0-0x00000000024D0000-0x0000000002506000-memory.dmp

memory/3672-1-0x0000000073E40000-0x00000000745F1000-memory.dmp

memory/3672-3-0x00000000024C0000-0x00000000024D0000-memory.dmp

memory/3672-2-0x00000000024C0000-0x00000000024D0000-memory.dmp

memory/3672-4-0x0000000004EA0000-0x00000000054CA000-memory.dmp

memory/3672-5-0x0000000004E00000-0x0000000004E22000-memory.dmp

memory/3672-6-0x0000000005700000-0x0000000005766000-memory.dmp

memory/3672-7-0x0000000005770000-0x00000000057D6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_qzsc3p3d.030.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/3672-16-0x00000000058C0000-0x0000000005C17000-memory.dmp

memory/3672-17-0x0000000005CA0000-0x0000000005CBE000-memory.dmp

memory/3672-18-0x0000000005CE0000-0x0000000005D2C000-memory.dmp

memory/3672-19-0x000000007EE90000-0x000000007EEA0000-memory.dmp

memory/3672-20-0x0000000006270000-0x00000000062A4000-memory.dmp

memory/3672-21-0x0000000070800000-0x000000007084C000-memory.dmp

memory/3672-31-0x00000000024C0000-0x00000000024D0000-memory.dmp

memory/3672-32-0x00000000024C0000-0x00000000024D0000-memory.dmp

memory/3672-30-0x00000000062C0000-0x00000000062DE000-memory.dmp

memory/3672-33-0x0000000006CA0000-0x0000000006D44000-memory.dmp

memory/3672-34-0x0000000007610000-0x0000000007C8A000-memory.dmp

memory/3672-35-0x0000000006FD0000-0x0000000006FEA000-memory.dmp

memory/3672-36-0x0000000007050000-0x000000000705A000-memory.dmp

memory/3672-37-0x0000000007260000-0x00000000072F6000-memory.dmp

memory/3672-38-0x00000000071E0000-0x00000000071F1000-memory.dmp

memory/3672-39-0x0000000007210000-0x000000000721E000-memory.dmp

memory/3672-40-0x0000000007220000-0x0000000007235000-memory.dmp

memory/3672-41-0x0000000007320000-0x000000000733A000-memory.dmp

memory/3672-45-0x0000000007310000-0x0000000007318000-memory.dmp

memory/3672-48-0x0000000073E40000-0x00000000745F1000-memory.dmp

memory/4456-49-0x0000000001380000-0x0000000001381000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-21 14:06

Reported

2024-04-21 14:11

Platform

win7-20240220-en

Max time kernel

299s

Max time network

302s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Server.exe"

Signatures

WarzoneRat, AveMaria

rat infostealer warzonerat

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\programs.bat C:\Users\Admin\AppData\Local\Temp\Server.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\programs.bat:start C:\Users\Admin\AppData\Local\Temp\Server.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WD Antivirus = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Server.exe" C:\Users\Admin\AppData\Local\Temp\Server.exe N/A

Modifies WinLogon

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList C:\Users\Admin\AppData\Local\Temp\Server.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts C:\Users\Admin\AppData\Local\Temp\Server.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList\AutsI.. = "0" C:\Users\Admin\AppData\Local\Temp\Server.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList\xjtkuGI = "0" C:\Users\Admin\AppData\Local\Temp\Server.exe N/A

NTFS ADS

Description Indicator Process Target
File opened for modification C:\Users\Admin\Documents\Documents:ApplicationData C:\Users\Admin\AppData\Local\Temp\Server.exe N/A
File created C:\Users\Admin\Documents\Documents:ApplicationData C:\Users\Admin\AppData\Local\Temp\Server.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\cmd.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\cmd.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2480 wrote to memory of 2184 N/A C:\Users\Admin\AppData\Local\Temp\Server.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2480 wrote to memory of 2184 N/A C:\Users\Admin\AppData\Local\Temp\Server.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2480 wrote to memory of 2184 N/A C:\Users\Admin\AppData\Local\Temp\Server.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2480 wrote to memory of 2184 N/A C:\Users\Admin\AppData\Local\Temp\Server.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2480 wrote to memory of 2508 N/A C:\Users\Admin\AppData\Local\Temp\Server.exe C:\Windows\SysWOW64\cmd.exe
PID 2480 wrote to memory of 2508 N/A C:\Users\Admin\AppData\Local\Temp\Server.exe C:\Windows\SysWOW64\cmd.exe
PID 2480 wrote to memory of 2508 N/A C:\Users\Admin\AppData\Local\Temp\Server.exe C:\Windows\SysWOW64\cmd.exe
PID 2480 wrote to memory of 2508 N/A C:\Users\Admin\AppData\Local\Temp\Server.exe C:\Windows\SysWOW64\cmd.exe
PID 2480 wrote to memory of 2508 N/A C:\Users\Admin\AppData\Local\Temp\Server.exe C:\Windows\SysWOW64\cmd.exe
PID 2480 wrote to memory of 2508 N/A C:\Users\Admin\AppData\Local\Temp\Server.exe C:\Windows\SysWOW64\cmd.exe
PID 2480 wrote to memory of 2248 N/A C:\Users\Admin\AppData\Local\Temp\Server.exe C:\Windows\System32\cmd.exe
PID 2480 wrote to memory of 2248 N/A C:\Users\Admin\AppData\Local\Temp\Server.exe C:\Windows\System32\cmd.exe
PID 2480 wrote to memory of 2248 N/A C:\Users\Admin\AppData\Local\Temp\Server.exe C:\Windows\System32\cmd.exe
PID 2480 wrote to memory of 2248 N/A C:\Users\Admin\AppData\Local\Temp\Server.exe C:\Windows\System32\cmd.exe
PID 2480 wrote to memory of 2248 N/A C:\Users\Admin\AppData\Local\Temp\Server.exe C:\Windows\System32\cmd.exe
PID 2480 wrote to memory of 2248 N/A C:\Users\Admin\AppData\Local\Temp\Server.exe C:\Windows\System32\cmd.exe
PID 2480 wrote to memory of 1936 N/A C:\Users\Admin\AppData\Local\Temp\Server.exe C:\Windows\System32\cmd.exe
PID 2480 wrote to memory of 1936 N/A C:\Users\Admin\AppData\Local\Temp\Server.exe C:\Windows\System32\cmd.exe
PID 2480 wrote to memory of 1936 N/A C:\Users\Admin\AppData\Local\Temp\Server.exe C:\Windows\System32\cmd.exe
PID 2480 wrote to memory of 1936 N/A C:\Users\Admin\AppData\Local\Temp\Server.exe C:\Windows\System32\cmd.exe
PID 2480 wrote to memory of 1936 N/A C:\Users\Admin\AppData\Local\Temp\Server.exe C:\Windows\System32\cmd.exe
PID 2480 wrote to memory of 1936 N/A C:\Users\Admin\AppData\Local\Temp\Server.exe C:\Windows\System32\cmd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\Server.exe

"C:\Users\Admin\AppData\Local\Temp\Server.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell Add-MpPreference -ExclusionPath C:\

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 tonnersturma-31352.portmap.host udp
DE 193.161.193.99:31352 tonnersturma-31352.portmap.host tcp
US 8.8.8.8:53 tonnersturma-31352.portmap.host udp
DE 193.161.193.99:5541 tonnersturma-31352.portmap.host tcp
DE 193.161.193.99:5541 tonnersturma-31352.portmap.host tcp
DE 193.161.193.99:5541 tonnersturma-31352.portmap.host tcp
DE 193.161.193.99:5541 tonnersturma-31352.portmap.host tcp

Files

memory/2184-3-0x0000000000290000-0x00000000002D0000-memory.dmp

memory/2184-2-0x0000000073310000-0x00000000738BB000-memory.dmp

memory/2184-5-0x0000000000290000-0x00000000002D0000-memory.dmp

memory/2184-4-0x0000000073310000-0x00000000738BB000-memory.dmp

memory/2184-6-0x0000000073310000-0x00000000738BB000-memory.dmp

memory/2508-11-0x0000000000220000-0x0000000000221000-memory.dmp

memory/2508-10-0x0000000000220000-0x0000000000221000-memory.dmp

memory/2480-14-0x0000000005050000-0x0000000005054000-memory.dmp

memory/2248-15-0x00000000026A0000-0x00000000027A0000-memory.dmp

memory/2248-16-0x00000000026A0000-0x00000000027A0000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-04-21 14:06

Reported

2024-04-21 14:11

Platform

win10-20240404-en

Max time kernel

293s

Max time network

302s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Server.exe"

Signatures

WarzoneRat, AveMaria

rat infostealer warzonerat

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\programs.bat C:\Users\Admin\AppData\Local\Temp\Server.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\programs.bat:start C:\Users\Admin\AppData\Local\Temp\Server.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WD Antivirus = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Server.exe" C:\Users\Admin\AppData\Local\Temp\Server.exe N/A

NTFS ADS

Description Indicator Process Target
File created C:\Users\Admin\Documents\Documents:ApplicationData C:\Users\Admin\AppData\Local\Temp\Server.exe N/A
File opened for modification C:\Users\Admin\Documents\Documents:ApplicationData C:\Users\Admin\AppData\Local\Temp\Server.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Server.exe

"C:\Users\Admin\AppData\Local\Temp\Server.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell Add-MpPreference -ExclusionPath C:\

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 tonnersturma-31352.portmap.host udp
DE 193.161.193.99:31352 tonnersturma-31352.portmap.host tcp
US 8.8.8.8:53 99.193.161.193.in-addr.arpa udp
US 8.8.8.8:53 tonnersturma-31352.portmap.host udp
DE 193.161.193.99:5541 tonnersturma-31352.portmap.host tcp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 8.173.189.20.in-addr.arpa udp
US 8.8.8.8:53 240.197.17.2.in-addr.arpa udp
DE 193.161.193.99:5541 tonnersturma-31352.portmap.host tcp
US 8.8.8.8:53 249.197.17.2.in-addr.arpa udp
US 8.8.8.8:53 microsoft.com udp
US 20.112.250.133:80 microsoft.com tcp
US 8.8.8.8:53 133.250.112.20.in-addr.arpa udp

Files

memory/3516-3-0x0000000072D70000-0x000000007345E000-memory.dmp

memory/3516-2-0x0000000004F80000-0x0000000004FB6000-memory.dmp

memory/3516-4-0x00000000074E0000-0x00000000074F0000-memory.dmp

memory/3516-5-0x00000000074E0000-0x00000000074F0000-memory.dmp

memory/3516-6-0x0000000007B20000-0x0000000008148000-memory.dmp

memory/3516-7-0x00000000079A0000-0x00000000079C2000-memory.dmp

memory/3516-8-0x0000000008250000-0x00000000082B6000-memory.dmp

memory/3516-9-0x0000000007A40000-0x0000000007AA6000-memory.dmp

memory/3516-10-0x0000000008380000-0x00000000086D0000-memory.dmp

memory/3516-11-0x0000000008750000-0x000000000876C000-memory.dmp

memory/3516-12-0x0000000008C70000-0x0000000008CBB000-memory.dmp

memory/3516-13-0x0000000008AD0000-0x0000000008B46000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_1wejxvqq.34j.ps1

MD5 c4ca4238a0b923820dcc509a6f75849b
SHA1 356a192b7913b04c54574d18c28d46e6395428ab
SHA256 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b
SHA512 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

memory/3516-30-0x000000007EC70000-0x000000007EC80000-memory.dmp

memory/3516-31-0x0000000009B30000-0x0000000009B63000-memory.dmp

memory/3516-32-0x000000006FA70000-0x000000006FABB000-memory.dmp

memory/3516-33-0x0000000009AF0000-0x0000000009B0E000-memory.dmp

memory/3516-38-0x0000000009C60000-0x0000000009D05000-memory.dmp

memory/3516-39-0x00000000074E0000-0x00000000074F0000-memory.dmp

memory/3516-40-0x0000000009E20000-0x0000000009EB4000-memory.dmp

memory/3516-233-0x0000000009DD0000-0x0000000009DEA000-memory.dmp

memory/3516-238-0x0000000009DC0000-0x0000000009DC8000-memory.dmp

memory/3516-257-0x0000000072D70000-0x000000007345E000-memory.dmp

memory/3448-258-0x00000000023F0000-0x00000000023F1000-memory.dmp