warzonerat | 5637b93f97175b41e6e6d33c21b3ba1e4852f5fc6c188ba454188ef711edcc85

Analysis

max time kernel
146s
max time network
122s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
21-10-2024 03:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

DOCUMENTS.exe
Size

440KB
MD5

5e87783b71d535bcaf402e2278c91048
SHA1

7e7faec34ecbe87ec3d18a402ff2e71fe3dcb533
SHA256

7c226fda60b190a13b95e0e5e992506ec7214ef9789e2117b4ee11981dad3158
SHA512

f1851e0d8fdcaeb22c3405b2bd23d9397e92fa367bc6576b8f0f200458b33c1356cdb57b1dac3a5ec5eb157a9eec5c933a2b0b2035f4033393db8badac60f4d9
SSDEEP

6144:TE9eMLIjdWdvwXXuqmDxIA3wkAyxHZUYCjUrpcrFiLDcUfqxwz74Gk96kAD:TpaJZMeqmDXXA6CjUrqiLOxwz7Y

Score

10^/10

warzonerat discovery infostealer rat

Malware Config

Signatures

WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
rat infostealer warzonerat

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\programs.bat	DOCUMENTS.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\programs.bat:start	DOCUMENTS.exe

Executes dropped EXE 2 IoCs

pid	Process
10980	win32.exe
2628	win32.exe

Loads dropped DLL 2 IoCs

pid	Process
10868	DOCUMENTS.exe
10980	win32.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 2700 set thread context of 10868	2700	DOCUMENTS.exe	36
PID 10980 set thread context of 2628	10980	win32.exe	45

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 11 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	win32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	win32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DOCUMENTS.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DOCUMENTS.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

NTFS ADS 1 IoCs

description	ioc	Process
File created	C:\ProgramData:ApplicationData	DOCUMENTS.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
1912	powershell.exe
2748	powershell.exe
2700	DOCUMENTS.exe
2700	DOCUMENTS.exe
11076	powershell.exe
11232	powershell.exe
10980	win32.exe
10980	win32.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	1912	powershell.exe
Token: SeIncreaseQuotaPrivilege	1912	powershell.exe
Token: SeSecurityPrivilege	1912	powershell.exe
Token: SeTakeOwnershipPrivilege	1912	powershell.exe
Token: SeLoadDriverPrivilege	1912	powershell.exe
Token: SeSystemProfilePrivilege	1912	powershell.exe
Token: SeSystemtimePrivilege	1912	powershell.exe
Token: SeProfSingleProcessPrivilege	1912	powershell.exe
Token: SeIncBasePriorityPrivilege	1912	powershell.exe
Token: SeCreatePagefilePrivilege	1912	powershell.exe
Token: SeBackupPrivilege	1912	powershell.exe
Token: SeRestorePrivilege	1912	powershell.exe
Token: SeShutdownPrivilege	1912	powershell.exe
Token: SeDebugPrivilege	1912	powershell.exe
Token: SeSystemEnvironmentPrivilege	1912	powershell.exe
Token: SeRemoteShutdownPrivilege	1912	powershell.exe
Token: SeUndockPrivilege	1912	powershell.exe
Token: SeManageVolumePrivilege	1912	powershell.exe
Token: 33	1912	powershell.exe
Token: 34	1912	powershell.exe
Token: 35	1912	powershell.exe
Token: SeDebugPrivilege	2748	powershell.exe
Token: SeIncreaseQuotaPrivilege	2748	powershell.exe
Token: SeSecurityPrivilege	2748	powershell.exe
Token: SeTakeOwnershipPrivilege	2748	powershell.exe
Token: SeLoadDriverPrivilege	2748	powershell.exe
Token: SeSystemProfilePrivilege	2748	powershell.exe
Token: SeSystemtimePrivilege	2748	powershell.exe
Token: SeProfSingleProcessPrivilege	2748	powershell.exe
Token: SeIncBasePriorityPrivilege	2748	powershell.exe
Token: SeCreatePagefilePrivilege	2748	powershell.exe
Token: SeBackupPrivilege	2748	powershell.exe
Token: SeRestorePrivilege	2748	powershell.exe
Token: SeShutdownPrivilege	2748	powershell.exe
Token: SeDebugPrivilege	2748	powershell.exe
Token: SeSystemEnvironmentPrivilege	2748	powershell.exe
Token: SeRemoteShutdownPrivilege	2748	powershell.exe
Token: SeUndockPrivilege	2748	powershell.exe
Token: SeManageVolumePrivilege	2748	powershell.exe
Token: 33	2748	powershell.exe
Token: 34	2748	powershell.exe
Token: 35	2748	powershell.exe
Token: SeDebugPrivilege	2700	DOCUMENTS.exe
Token: SeDebugPrivilege	11076	powershell.exe
Token: SeIncreaseQuotaPrivilege	11076	powershell.exe
Token: SeSecurityPrivilege	11076	powershell.exe
Token: SeTakeOwnershipPrivilege	11076	powershell.exe
Token: SeLoadDriverPrivilege	11076	powershell.exe
Token: SeSystemProfilePrivilege	11076	powershell.exe
Token: SeSystemtimePrivilege	11076	powershell.exe
Token: SeProfSingleProcessPrivilege	11076	powershell.exe
Token: SeIncBasePriorityPrivilege	11076	powershell.exe
Token: SeCreatePagefilePrivilege	11076	powershell.exe
Token: SeBackupPrivilege	11076	powershell.exe
Token: SeRestorePrivilege	11076	powershell.exe
Token: SeShutdownPrivilege	11076	powershell.exe
Token: SeDebugPrivilege	11076	powershell.exe
Token: SeSystemEnvironmentPrivilege	11076	powershell.exe
Token: SeRemoteShutdownPrivilege	11076	powershell.exe
Token: SeUndockPrivilege	11076	powershell.exe
Token: SeManageVolumePrivilege	11076	powershell.exe
Token: 33	11076	powershell.exe
Token: 34	11076	powershell.exe
Token: 35	11076	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2700 wrote to memory of 1912	2700	DOCUMENTS.exe	30
PID 2700 wrote to memory of 1912	2700	DOCUMENTS.exe	30
PID 2700 wrote to memory of 1912	2700	DOCUMENTS.exe	30
PID 2700 wrote to memory of 1912	2700	DOCUMENTS.exe	30
PID 2700 wrote to memory of 2748	2700	DOCUMENTS.exe	33
PID 2700 wrote to memory of 2748	2700	DOCUMENTS.exe	33
PID 2700 wrote to memory of 2748	2700	DOCUMENTS.exe	33
PID 2700 wrote to memory of 2748	2700	DOCUMENTS.exe	33
PID 2700 wrote to memory of 10868	2700	DOCUMENTS.exe	36
PID 2700 wrote to memory of 10868	2700	DOCUMENTS.exe	36
PID 2700 wrote to memory of 10868	2700	DOCUMENTS.exe	36
PID 2700 wrote to memory of 10868	2700	DOCUMENTS.exe	36
PID 2700 wrote to memory of 10868	2700	DOCUMENTS.exe	36
PID 2700 wrote to memory of 10868	2700	DOCUMENTS.exe	36
PID 2700 wrote to memory of 10868	2700	DOCUMENTS.exe	36
PID 2700 wrote to memory of 10868	2700	DOCUMENTS.exe	36
PID 2700 wrote to memory of 10868	2700	DOCUMENTS.exe	36
PID 2700 wrote to memory of 10868	2700	DOCUMENTS.exe	36
PID 2700 wrote to memory of 10868	2700	DOCUMENTS.exe	36
PID 2700 wrote to memory of 10868	2700	DOCUMENTS.exe	36
PID 2700 wrote to memory of 10868	2700	DOCUMENTS.exe	36
PID 2700 wrote to memory of 10868	2700	DOCUMENTS.exe	36
PID 10868 wrote to memory of 10972	10868	DOCUMENTS.exe	37
PID 10868 wrote to memory of 10972	10868	DOCUMENTS.exe	37
PID 10868 wrote to memory of 10972	10868	DOCUMENTS.exe	37
PID 10868 wrote to memory of 10972	10868	DOCUMENTS.exe	37
PID 10868 wrote to memory of 10980	10868	DOCUMENTS.exe	38
PID 10868 wrote to memory of 10980	10868	DOCUMENTS.exe	38
PID 10868 wrote to memory of 10980	10868	DOCUMENTS.exe	38
PID 10868 wrote to memory of 10980	10868	DOCUMENTS.exe	38
PID 10868 wrote to memory of 10980	10868	DOCUMENTS.exe	38
PID 10868 wrote to memory of 10980	10868	DOCUMENTS.exe	38
PID 10868 wrote to memory of 10980	10868	DOCUMENTS.exe	38
PID 10972 wrote to memory of 11036	10972	cmd.exe	40
PID 10972 wrote to memory of 11036	10972	cmd.exe	40
PID 10972 wrote to memory of 11036	10972	cmd.exe	40
PID 10972 wrote to memory of 11036	10972	cmd.exe	40
PID 10980 wrote to memory of 11076	10980	win32.exe	41
PID 10980 wrote to memory of 11076	10980	win32.exe	41
PID 10980 wrote to memory of 11076	10980	win32.exe	41
PID 10980 wrote to memory of 11076	10980	win32.exe	41
PID 10980 wrote to memory of 11232	10980	win32.exe	43
PID 10980 wrote to memory of 11232	10980	win32.exe	43
PID 10980 wrote to memory of 11232	10980	win32.exe	43
PID 10980 wrote to memory of 11232	10980	win32.exe	43
PID 10980 wrote to memory of 2628	10980	win32.exe	45
PID 10980 wrote to memory of 2628	10980	win32.exe	45
PID 10980 wrote to memory of 2628	10980	win32.exe	45
PID 10980 wrote to memory of 2628	10980	win32.exe	45
PID 10980 wrote to memory of 2628	10980	win32.exe	45
PID 10980 wrote to memory of 2628	10980	win32.exe	45
PID 10980 wrote to memory of 2628	10980	win32.exe	45
PID 10980 wrote to memory of 2628	10980	win32.exe	45
PID 10980 wrote to memory of 2628	10980	win32.exe	45
PID 10980 wrote to memory of 2628	10980	win32.exe	45
PID 10980 wrote to memory of 2628	10980	win32.exe	45
PID 10980 wrote to memory of 2628	10980	win32.exe	45
PID 10980 wrote to memory of 2628	10980	win32.exe	45
PID 10980 wrote to memory of 2628	10980	win32.exe	45
PID 2628 wrote to memory of 3096	2628	win32.exe	46
PID 2628 wrote to memory of 3096	2628	win32.exe	46
PID 2628 wrote to memory of 3096	2628	win32.exe	46
PID 2628 wrote to memory of 3096	2628	win32.exe	46
PID 2628 wrote to memory of 3096	2628	win32.exe	46

C:\Users\Admin\AppData\Local\Temp\DOCUMENTS.exe
"C:\Users\Admin\AppData\Local\Temp\DOCUMENTS.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2700
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection 8.8.8.8
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1912
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection 8.8.8.8
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2748
- C:\Users\Admin\AppData\Local\Temp\DOCUMENTS.exe
  C:\Users\Admin\AppData\Local\Temp\DOCUMENTS.exe
  2⤵
  - Drops startup file
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - NTFS ADS
  - Suspicious use of WriteProcessMemory
  PID:10868
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /c REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /f /v Load /t REG_SZ /d "C:\ProgramData\win32.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:10972
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /f /v Load /t REG_SZ /d "C:\ProgramData\win32.exe"
      4⤵
      System Location Discovery: System Language Discovery
      PID:11036
- - C:\ProgramData\win32.exe
    "C:\ProgramData\win32.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:10980
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection 8.8.8.8
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:11076
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection 8.8.8.8
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:11232
  - - C:\Users\Admin\AppData\Local\Temp\win32.exe
      C:\Users\Admin\AppData\Local\Temp\win32.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2628
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:3096

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
7d31c21ca9c21d2606d6aca627ece3c7

SHA1
50228eb0a51fb63e4da5178c291fc80cb5286c65

SHA256
0fbd8fcb254a6cbce2511df3bf3cbcbfd870f322d73d6b50e0e105f5fcb93ec6

SHA512
b6662d6a8afd9ec52b96650c0b2caf8ecd0d6dcd6f9e92a7fe262c3494eb854f888adb6fac2a7769705c44ddcaf6e28f5e0c125da05abdc51b3f1ad01d3c14c9

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
420fa148c9a7f202d4bafd1a4901b986

SHA1
5ad20b15c78c89d126a1661c8de6566b7a5e4443

SHA256
f2fa9e17f87a920cf1790c7404b7c0a0f31402482e871318b33afe61dc15db42

SHA512
7b9410e5ee0f4fc344ef996296c280e16722daff748ffd8b74d3fb930dd2a1047447610696cbf11e709c81ebf52f0a290209cda058284ff15a20dff7313fe16c

Download Submit
\ProgramData\win32.exe

Filesize
440KB

MD5
5e87783b71d535bcaf402e2278c91048

SHA1
7e7faec34ecbe87ec3d18a402ff2e71fe3dcb533

SHA256
7c226fda60b190a13b95e0e5e992506ec7214ef9789e2117b4ee11981dad3158

SHA512
f1851e0d8fdcaeb22c3405b2bd23d9397e92fa367bc6576b8f0f200458b33c1356cdb57b1dac3a5ec5eb157a9eec5c933a2b0b2035f4033393db8badac60f4d9

Download Submit
memory/1912-5-0x00000000028D0000-0x0000000002910000-memory.dmp

Filesize
256KB

Download
memory/2700-66-0x0000000004D80000-0x0000000004DFA000-memory.dmp

Filesize
488KB

Download
memory/2700-56-0x0000000004D80000-0x0000000004DFA000-memory.dmp

Filesize
488KB

Download
memory/2700-13-0x0000000004340000-0x000000000439C000-memory.dmp

Filesize
368KB

Download
memory/2700-14-0x0000000004D80000-0x0000000004E00000-memory.dmp

Filesize
512KB

Download
memory/2700-15-0x0000000004D80000-0x0000000004DFA000-memory.dmp

Filesize
488KB

Download
memory/2700-16-0x0000000004D80000-0x0000000004DFA000-memory.dmp

Filesize
488KB

Download
memory/2700-29-0x0000000004D80000-0x0000000004DFA000-memory.dmp

Filesize
488KB

Download
memory/2700-48-0x0000000004D80000-0x0000000004DFA000-memory.dmp

Filesize
488KB

Download
memory/2700-62-0x0000000004D80000-0x0000000004DFA000-memory.dmp

Filesize
488KB

Download
memory/2700-78-0x0000000004D80000-0x0000000004DFA000-memory.dmp

Filesize
488KB

Download
memory/2700-18-0x0000000004D80000-0x0000000004DFA000-memory.dmp

Filesize
488KB

Download
memory/2700-20-0x0000000004D80000-0x0000000004DFA000-memory.dmp

Filesize
488KB

Download
memory/2700-76-0x0000000004D80000-0x0000000004DFA000-memory.dmp

Filesize
488KB

Download
memory/2700-74-0x0000000004D80000-0x0000000004DFA000-memory.dmp

Filesize
488KB

Download
memory/2700-72-0x0000000004D80000-0x0000000004DFA000-memory.dmp

Filesize
488KB

Download
memory/2700-70-0x0000000004D80000-0x0000000004DFA000-memory.dmp

Filesize
488KB

Download
memory/2700-68-0x0000000004D80000-0x0000000004DFA000-memory.dmp

Filesize
488KB

Download
memory/2700-0-0x0000000073F7E000-0x0000000073F7F000-memory.dmp

Filesize
4KB

Download
memory/2700-64-0x0000000004D80000-0x0000000004DFA000-memory.dmp

Filesize
488KB

Download
memory/2700-60-0x0000000004D80000-0x0000000004DFA000-memory.dmp

Filesize
488KB

Download
memory/2700-58-0x0000000004D80000-0x0000000004DFA000-memory.dmp

Filesize
488KB

Download
memory/2700-7-0x0000000073F70000-0x000000007465E000-memory.dmp

Filesize
6.9MB

Download
memory/2700-54-0x0000000004D80000-0x0000000004DFA000-memory.dmp

Filesize
488KB

Download
memory/2700-52-0x0000000004D80000-0x0000000004DFA000-memory.dmp

Filesize
488KB

Download
memory/2700-50-0x0000000004D80000-0x0000000004DFA000-memory.dmp

Filesize
488KB

Download
memory/2700-46-0x0000000004D80000-0x0000000004DFA000-memory.dmp

Filesize
488KB

Download
memory/2700-44-0x0000000004D80000-0x0000000004DFA000-memory.dmp

Filesize
488KB

Download
memory/2700-42-0x0000000004D80000-0x0000000004DFA000-memory.dmp

Filesize
488KB

Download
memory/2700-40-0x0000000004D80000-0x0000000004DFA000-memory.dmp

Filesize
488KB

Download
memory/2700-38-0x0000000004D80000-0x0000000004DFA000-memory.dmp

Filesize
488KB

Download
memory/2700-36-0x0000000004D80000-0x0000000004DFA000-memory.dmp

Filesize
488KB

Download
memory/2700-34-0x0000000004D80000-0x0000000004DFA000-memory.dmp

Filesize
488KB

Download
memory/2700-32-0x0000000004D80000-0x0000000004DFA000-memory.dmp

Filesize
488KB

Download
memory/2700-30-0x0000000004D80000-0x0000000004DFA000-memory.dmp

Filesize
488KB

Download
memory/2700-26-0x0000000004D80000-0x0000000004DFA000-memory.dmp

Filesize
488KB

Download
memory/2700-24-0x0000000004D80000-0x0000000004DFA000-memory.dmp

Filesize
488KB

Download
memory/2700-22-0x0000000004D80000-0x0000000004DFA000-memory.dmp

Filesize
488KB

Download
memory/2700-2508-0x0000000073F70000-0x000000007465E000-memory.dmp

Filesize
6.9MB

Download
memory/2700-6-0x0000000073F7E000-0x0000000073F7F000-memory.dmp

Filesize
4KB

Download
memory/2700-2-0x0000000073F70000-0x000000007465E000-memory.dmp

Filesize
6.9MB

Download
memory/2700-1-0x0000000000DE0000-0x0000000000E54000-memory.dmp

Filesize
464KB

Download
memory/10980-2522-0x0000000001070000-0x00000000010E4000-memory.dmp

Filesize
464KB

Download