warzonerat | 80c700fdbbd9ef5c814248f7c2518a6969eb9c3631823523646666d2b194ddb7

Analysis

max time kernel
142s
max time network
147s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
17/08/2024, 01:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

80c700fdbbd9ef5c814248f7c2518a6969eb9c3631823523646666d2b194ddb7.exe
Size

781KB
MD5

ad3eeee344dc635cf361e473b6bed785
SHA1

512ffc124dbc4b67ece76ab0775690a2487fd530
SHA256

80c700fdbbd9ef5c814248f7c2518a6969eb9c3631823523646666d2b194ddb7
SHA512

c0dc95ed59408386f2e23018213c7fbe9ab341693d42a88d06ef7446cf9ec06f40392e40097a2a0958cd06866e6dae6820771bc44831a879b8ee682048e60b16
SSDEEP

12288:ECQjgAtAHM+vetZxF5EWry8AJGy0ATEAmDF4IRZkB8OJuJeCEKZmny9eiBbpSZ5F:E5ZWs+OZVEWry8AFLTE4w5Je2Zmy9pbK

Score

10^/10

warzonerat discovery infostealer link pdf rat

Malware Config

Extracted

Family

warzonerat

papacy.line.pm:4004

Signatures

WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
rat infostealer warzonerat

Warzone RAT payload 1 IoCs

rat

resource	yara_rule
behavioral1/files/0x001a000000016dc9-29.dat	warzonerat

Executes dropped EXE 4 IoCs

pid	Process
2260	Payload.exe
2932	0.dll
2084	akin war stub.exe
2744	dwn.exe

Loads dropped DLL 3 IoCs

pid	Process
2260	Payload.exe
2084	akin war stub.exe
2084	akin war stub.exe

HTTP links in PDF interactive object 1 IoCs

Detects HTTP links in interactive objects within PDF files.

pdf link

resource	yara_rule
behavioral1/files/0x00060000000186cc-32.dat	pdf_with_link_action

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Payload.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	akin war stub.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AcroRd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2652	AcroRd32.exe

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
2260	Payload.exe
2652	AcroRd32.exe
2652	AcroRd32.exe
2652	AcroRd32.exe
2652	AcroRd32.exe

Suspicious use of WriteProcessMemory 34 IoCs

description	pid	Process	procid_target
PID 1148 wrote to memory of 2260	1148	80c700fdbbd9ef5c814248f7c2518a6969eb9c3631823523646666d2b194ddb7.exe	28
PID 1148 wrote to memory of 2260	1148	80c700fdbbd9ef5c814248f7c2518a6969eb9c3631823523646666d2b194ddb7.exe	28
PID 1148 wrote to memory of 2260	1148	80c700fdbbd9ef5c814248f7c2518a6969eb9c3631823523646666d2b194ddb7.exe	28
PID 1148 wrote to memory of 2260	1148	80c700fdbbd9ef5c814248f7c2518a6969eb9c3631823523646666d2b194ddb7.exe	28
PID 2260 wrote to memory of 2932	2260	Payload.exe	29
PID 2260 wrote to memory of 2932	2260	Payload.exe	29
PID 2260 wrote to memory of 2932	2260	Payload.exe	29
PID 2260 wrote to memory of 2932	2260	Payload.exe	29
PID 2932 wrote to memory of 2084	2932	0.dll	30
PID 2932 wrote to memory of 2084	2932	0.dll	30
PID 2932 wrote to memory of 2084	2932	0.dll	30
PID 2932 wrote to memory of 2084	2932	0.dll	30
PID 2932 wrote to memory of 2652	2932	0.dll	31
PID 2932 wrote to memory of 2652	2932	0.dll	31
PID 2932 wrote to memory of 2652	2932	0.dll	31
PID 2932 wrote to memory of 2652	2932	0.dll	31
PID 2084 wrote to memory of 2688	2084	akin war stub.exe	32
PID 2084 wrote to memory of 2688	2084	akin war stub.exe	32
PID 2084 wrote to memory of 2688	2084	akin war stub.exe	32
PID 2084 wrote to memory of 2688	2084	akin war stub.exe	32
PID 2084 wrote to memory of 2744	2084	akin war stub.exe	33
PID 2084 wrote to memory of 2744	2084	akin war stub.exe	33
PID 2084 wrote to memory of 2744	2084	akin war stub.exe	33
PID 2084 wrote to memory of 2744	2084	akin war stub.exe	33
PID 2688 wrote to memory of 2552	2688	cmd.exe	35
PID 2688 wrote to memory of 2552	2688	cmd.exe	35
PID 2688 wrote to memory of 2552	2688	cmd.exe	35
PID 2688 wrote to memory of 2552	2688	cmd.exe	35
PID 2744 wrote to memory of 2672	2744	dwn.exe	36
PID 2744 wrote to memory of 2672	2744	dwn.exe	36
PID 2744 wrote to memory of 2672	2744	dwn.exe	36
PID 2744 wrote to memory of 2672	2744	dwn.exe	36
PID 2744 wrote to memory of 2672	2744	dwn.exe	36
PID 2744 wrote to memory of 2672	2744	dwn.exe	36

C:\Users\Admin\AppData\Local\Temp\80c700fdbbd9ef5c814248f7c2518a6969eb9c3631823523646666d2b194ddb7.exe
"C:\Users\Admin\AppData\Local\Temp\80c700fdbbd9ef5c814248f7c2518a6969eb9c3631823523646666d2b194ddb7.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1148
- C:\Users\simeo\OneDrive\Desktop\Domains\Payload.exe
  "C:\Users\simeo\OneDrive\Desktop\Domains\Payload.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2260
- - C:\Users\Admin\AppData\Local\Temp\0.dll
    C:\Users\Admin\AppData\Local\Temp\0.dll
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:2932
  - - C:\Users\Admin\AppData\Local\Temp\akin war stub.exe
      "C:\Users\Admin\AppData\Local\Temp\akin war stub.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2084
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /f /v Load /t REG_SZ /d "C:\ProgramData\dwn.exe"
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2688
      - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /f /v Load /t REG_SZ /d "C:\ProgramData\dwn.exe"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2552
    - - C:\ProgramData\dwn.exe
        
        "C:\ProgramData\dwn.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2744
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2672
  - - C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
      "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\QI-129876_SO-1632813_CI-2896000062 BT 1_CIM 1.pdf"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of SetWindowsHookEx
      PID:2652

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\QI-129876_SO-1632813_CI-2896000062 BT 1_CIM 1.pdf

Filesize
315KB

MD5
40cbe2461a413f3007905b5a7b3f4a16

SHA1
64e6a7478a8bd6dc45c5c12982b93fd2b85ff441

SHA256
4f9b97e13d31a597cc05b298d09a2f8d6cb9a41b25b180b32cd5c1f10470ae24

SHA512
bbbef64af9419f960286e7be9bf3ced697b529711c2ab0b1f046d15a04255d005d9354c7dcdb868be920e9be22ffd8ba122fd68d929beacd471e67a5e1cef7c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\akin war stub.exe

Filesize
152KB

MD5
76277ba90c4321572b1eb3a58ac25615

SHA1
d91edd8011a79fb111cee132a58d867b5eb2e2ae

SHA256
6d69f78693d3bceefc46e28b251e64806e606c8bd89b34e7701bbe83d7da016d

SHA512
a65dc1ccbc557e362937809fbf4b977ac37446f40dcf4592903e077fd40d119e69e67aff690117eddea7636b40a6c7a33a88fcaf204a2c1a9724210dd76bf2bb

Download Submit
C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

Filesize
3KB

MD5
45f172b8eaaf8a86e777f4096339349a

SHA1
39e0cda2fa71f0fa7aede3da3f002637c07ef156

SHA256
50a0c762d7ca69a083240a5c97c65a78ca5cafe5d035c3cf7a90334b9fbc281a

SHA512
f78046ee964ebaae6726a03dc617dc296969bacda9da96f5b44bd76f286b9333642100a40e45c3ce6f7b26064612f8ea6d072d04ac623661f13546451a9fddf4

Download Submit
C:\Users\simeo\OneDrive\Desktop\Domains\Payload.exe

Filesize
368KB

MD5
e06a8de6a8df7b3aa89fa1154c2453bc

SHA1
90514b75cb64da4c4542ac34797f958336cea2ee

SHA256
a6b61dae73ad039a18301330d0a2e1fd65b620087e71f101b84bbee1e0174cf0

SHA512
9ff99cc0f4f651ddcd8bc58d0ee3868e67eeadc4a6b625add4e4a56231f205d29e24806bb40779c0e44af2c71cad7236fd899a3bdd18b1bd9dd41c668d4145bd

Download Submit
\Users\Admin\AppData\Local\Temp\0.dll

Filesize
317KB

MD5
2091e5a9481a0021a3397f8cf960aa9d

SHA1
b8e36cf450927028331e9a57fbb890e55b5a3a6e

SHA256
ab3aa4d124e2c3939516d6cd58065f7264cc81f593b82d6007cc53696e0d324e

SHA512
2b867fad28a5c018a9f950004137febacc876d625d2593d5d7375ccf130c6682b17173ca1f8c3ac69d83bf9d99216389cff813f720819a8ae5b27e3f5cd3eb81

Download Submit
memory/2672-61-0x0000000000170000-0x0000000000171000-memory.dmp

Filesize
4KB

Download
memory/2672-59-0x0000000000170000-0x0000000000171000-memory.dmp

Filesize
4KB

Download
memory/2932-21-0x000007FEF64A3000-0x000007FEF64A4000-memory.dmp

Filesize
4KB

Download
memory/2932-22-0x00000000001A0000-0x00000000001F6000-memory.dmp

Filesize
344KB

Download
memory/2932-31-0x000007FEF64A0000-0x000007FEF6E8C000-memory.dmp

Filesize
9.9MB

Download