warzonerat | 066e985867d56271776ab61510202ffdd1bec246fc15dd38dd17a38223d50d40

General

Target

SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe
Size

718KB
MD5

32bbe58d2336cd18c22d221a3836bd50
SHA1

7b559b7160fa1f0de211afd3dcb81a41a2a7fd89
SHA256

066e985867d56271776ab61510202ffdd1bec246fc15dd38dd17a38223d50d40
SHA512

66e3dd18d4beaffd40845f5b255b8c95c02bc1d72ec4a0fb831f1b6f48067599e89f8e9abdfa8579e443f6960e8e90225c22ba0995a17c56c8282204f47017a4
SSDEEP

12288:9qbjoMfzukYwBZ+DPWeGHutARp7ubVoSYOKe5KkohFISCX/B:sos2+HutANuprIiroJCP

Score

10^/10

warzonerat defense_evasion discovery evasion execution infostealer persistence privilege_escalation rat upx

Malware Config

Extracted

Family

warzonerat

C2

wznne1.duckdns.org:63196

Signatures

WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
rat infostealer warzonerat
Warzonerat family
warzonerat

Warzone RAT payload 11 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/2880-35-0x0000000000400000-0x000000000055A000-memory.dmp	warzonerat
behavioral1/memory/2880-34-0x0000000000400000-0x000000000055A000-memory.dmp	warzonerat
behavioral1/memory/2880-31-0x0000000000400000-0x000000000055A000-memory.dmp	warzonerat
behavioral1/memory/2880-30-0x0000000000400000-0x000000000055A000-memory.dmp	warzonerat
behavioral1/memory/2880-27-0x0000000000400000-0x000000000055A000-memory.dmp	warzonerat
behavioral1/memory/2880-26-0x0000000000400000-0x000000000055A000-memory.dmp	warzonerat
behavioral1/memory/2880-37-0x0000000000400000-0x000000000055A000-memory.dmp	warzonerat
behavioral1/memory/2880-38-0x0000000000400000-0x000000000055A000-memory.dmp	warzonerat
behavioral1/memory/2880-45-0x0000000005370000-0x000000000539D000-memory.dmp	warzonerat
behavioral1/memory/2880-52-0x0000000000400000-0x000000000055A000-memory.dmp	warzonerat
behavioral1/memory/2880-57-0x0000000000400000-0x000000000055A000-memory.dmp	warzonerat

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
execution

PowerShell
T1059.001

Processes:

powershell.exepowershell.exe

pid process

2908 powershell.exe
2716 powershell.exe
Modifies Windows Firewall 2 TTPs 1 IoCs
evasion

Windows Service
T1543.003

Disable or Modify System Firewall
T1562.004

Processes:

netsh.exe

pid process

2680 netsh.exe

pid	process
2908	powershell.exe
2716	powershell.exe

pid	process
2680	netsh.exe

Server Software Component: Terminal Services DLL 1 TTPs 1 IoCs

persistence

Terminal Services DLL

T1505.005

Processes:

vbc.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\TermService\Parameters\ServiceDll = "%ProgramFiles%\\Microsoft DN1\\sqlmap.dll"	vbc.exe

Executes dropped EXE 1 IoCs

Processes:

49.exe

pid process

1912 49.exe
Loads dropped DLL 2 IoCs

Processes:

vbc.exe

pid process

2880 vbc.exe
1996
Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059
Drops file in System32 directory 1 IoCs

Processes:

vbc.exe

description ioc process

File created C:\Windows\System32\rfxvmt.dll vbc.exe

pid	process
1912	49.exe

pid	process
2880	vbc.exe
1996

description	ioc	process
File created	C:\Windows\System32\rfxvmt.dll	vbc.exe

Hide Artifacts: Hidden Users 1 TTPs 1 IoCs

defense_evasion

Hidden Users

T1564.002

Processes:

vbc.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList\.ymxwdC = "0"	vbc.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe

description pid process target process

PID 2536 set thread context of 2880 2536 SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe vbc.exe

description	pid	process	target process
PID 2536 set thread context of 2880	2536	SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe	vbc.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\49.exe	upx
behavioral1/memory/1912-47-0x0000000000E60000-0x0000000000E8D000-memory.dmp	upx
behavioral1/memory/1912-54-0x0000000000E60000-0x0000000000E8D000-memory.dmp	upx
behavioral1/memory/1912-55-0x0000000000E60000-0x0000000000E8D000-memory.dmp	upx

Drops file in Program Files directory 2 IoCs

Processes:

vbc.exe

description ioc process

File created C:\Program Files\Microsoft DN1\sqlmap.dll vbc.exe
File created C:\Program Files\Microsoft DN1\rdpwrap.ini vbc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

description	ioc	process
File created	C:\Program Files\Microsoft DN1\sqlmap.dll	vbc.exe
File created	C:\Program Files\Microsoft DN1\rdpwrap.ini	vbc.exe

Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

Processes:

netsh.exe

description	ioc	process
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

vbc.exe49.exenetsh.exeSecuriteInfo.com.Win32.PWSX-gen.28365.916.exepowershell.exepowershell.exeschtasks.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	49.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence execution

Scheduled Task
T1053.005

Processes:

schtasks.exe

pid process

2760 schtasks.exe

pid	process
2760	schtasks.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

SecuriteInfo.com.Win32.PWSX-gen.28365.916.exepowershell.exepowershell.exe

pid	process
2536	SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe
2536	SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe
2536	SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe
2536	SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe
2908	powershell.exe
2716	powershell.exe

Suspicious behavior: LoadsDriver 5 IoCs

Processes:

pid process

1996
1996
1996
1996
1996

pid	process
1996
1996
1996
1996
1996

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

SecuriteInfo.com.Win32.PWSX-gen.28365.916.exepowershell.exepowershell.exevbc.exe

description	pid	process
Token: SeDebugPrivilege	2536	SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe
Token: SeDebugPrivilege	2908	powershell.exe
Token: SeDebugPrivilege	2716	powershell.exe
Token: SeDebugPrivilege	2880	vbc.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

vbc.exe

pid process

2880 vbc.exe

pid	process
2880	vbc.exe

Suspicious use of WriteProcessMemory 32 IoCs

Processes:

SecuriteInfo.com.Win32.PWSX-gen.28365.916.exevbc.exe49.exe

description	pid	process	target process
PID 2536 wrote to memory of 2908	2536	SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe	powershell.exe
PID 2536 wrote to memory of 2908	2536	SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe	powershell.exe
PID 2536 wrote to memory of 2908	2536	SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe	powershell.exe
PID 2536 wrote to memory of 2908	2536	SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe	powershell.exe
PID 2536 wrote to memory of 2716	2536	SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe	powershell.exe
PID 2536 wrote to memory of 2716	2536	SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe	powershell.exe
PID 2536 wrote to memory of 2716	2536	SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe	powershell.exe
PID 2536 wrote to memory of 2716	2536	SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe	powershell.exe
PID 2536 wrote to memory of 2760	2536	SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe	schtasks.exe
PID 2536 wrote to memory of 2760	2536	SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe	schtasks.exe
PID 2536 wrote to memory of 2760	2536	SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe	schtasks.exe
PID 2536 wrote to memory of 2760	2536	SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe	schtasks.exe
PID 2536 wrote to memory of 2880	2536	SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe	vbc.exe
PID 2536 wrote to memory of 2880	2536	SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe	vbc.exe
PID 2536 wrote to memory of 2880	2536	SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe	vbc.exe
PID 2536 wrote to memory of 2880	2536	SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe	vbc.exe
PID 2536 wrote to memory of 2880	2536	SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe	vbc.exe
PID 2536 wrote to memory of 2880	2536	SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe	vbc.exe
PID 2536 wrote to memory of 2880	2536	SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe	vbc.exe
PID 2536 wrote to memory of 2880	2536	SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe	vbc.exe
PID 2536 wrote to memory of 2880	2536	SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe	vbc.exe
PID 2536 wrote to memory of 2880	2536	SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe	vbc.exe
PID 2536 wrote to memory of 2880	2536	SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe	vbc.exe
PID 2536 wrote to memory of 2880	2536	SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe	vbc.exe
PID 2880 wrote to memory of 1912	2880	vbc.exe	49.exe
PID 2880 wrote to memory of 1912	2880	vbc.exe	49.exe
PID 2880 wrote to memory of 1912	2880	vbc.exe	49.exe
PID 2880 wrote to memory of 1912	2880	vbc.exe	49.exe
PID 1912 wrote to memory of 2680	1912	49.exe	netsh.exe
PID 1912 wrote to memory of 2680	1912	49.exe	netsh.exe
PID 1912 wrote to memory of 2680	1912	49.exe	netsh.exe
PID 1912 wrote to memory of 2680	1912	49.exe	netsh.exe

C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe
"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2536
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2908
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\rRQnnfB.exe"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2716
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\rRQnnfB" /XML "C:\Users\Admin\AppData\Local\Temp\tmpBAB7.tmp"
  2⤵
  - System Location Discovery: System Language Discovery
  - Scheduled Task/Job: Scheduled Task
  PID:2760
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
  2⤵
  - Server Software Component: Terminal Services DLL
  - Loads dropped DLL
  - Drops file in System32 directory
  - Hide Artifacts: Hidden Users
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2880
- - C:\Users\Admin\AppData\Local\Temp\49.exe
    "C:\Users\Admin\AppData\Local\Temp\49.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1912
  - - C:\Windows\SysWOW64\netsh.exe
      netsh advfirewall firewall add rule name="3389" dir=in action=allow protocol=TCP localport=3389
      4⤵
      Modifies Windows Firewall
      Event Triggered Execution: Netsh Helper DLL
      System Location Discovery: System Language Discovery
      PID:2680

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

2

T1059

PowerShell

1

T1059.001

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Persistence

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Event Triggered Execution

1

T1546

Netsh Helper DLL

1

T1546.007

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Server Software Component

1

T1505

Terminal Services DLL

1

T1505.005

Privilege Escalation

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Event Triggered Execution

1

T1546

Netsh Helper DLL

1

T1546.007

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Defense Evasion

Hide Artifacts

1

T1564

Hidden Users

1

T1564.002

Impair Defenses

1

T1562

Disable or Modify System Firewall

1

T1562.004

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpBAB7.tmp

Filesize
1KB

MD5
1a62f21ba302aa9601011159de4f75a9

SHA1
52f4314845a240cc8f1b50facac32f861bab3ed9

SHA256
e226875d1d98b42946b7e797bc12ca24b353788339f2afb348351b8bc53fa80c

SHA512
27a2a5ad12a28c8fec60f60b0c49bf7ce2161789427a1641277fbbd064c8598f2a6c2e4728b4045f52cd8b7992c284eaa65d70d5498ac7be7df39a88371b7aa6

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
3b604a9a40a5c3ddcc0012c4e94b7090

SHA1
23bdda24e5947a2a5645417aab556d246477862f

SHA256
6a70ee7af03dbc2b86ea10f39ebd99598eb7d5a0721d3e73d7b72552bea0de74

SHA512
ae588297833e7568b7109cb9c930c9d81ffada35aba9d11b036ff07e197fa366736c7597d99cf783cd7e83019bea5141f947680022b7d9b5e611b75fbf3cfa1f

Download Submit
\Program Files\Microsoft DN1\sqlmap.dll

Filesize
114KB

MD5
461ade40b800ae80a40985594e1ac236

SHA1
b3892eef846c044a2b0785d54a432b3e93a968c8

SHA256
798af20db39280f90a1d35f2ac2c1d62124d1f5218a2a0fa29d87a13340bd3e4

SHA512
421f9060c4b61fa6f4074508602a2639209032fd5df5bfc702a159e3bad5479684ccb3f6e02f3e38fb8db53839cf3f41fe58a3acad6ec1199a48dc333b2d8a26

Download Submit
\Users\Admin\AppData\Local\Temp\49.exe

Filesize
70KB

MD5
ca96229390a0e6a53e8f2125f2c01114

SHA1
a54b1081cf58724f8cb292b4d165dfee2fb1c9f6

SHA256
0df3d05900e7b530f6c2a281d43c47839f2cf2a5d386553c8dc46e463a635a2c

SHA512
e93445bce6c8b6f51890309577a0ea9369860d2e6bf8cc0ca708879a77bb176d27c5f559bbdb7deb4b719aee0fc48d9068c293559f7629baf4ec3515898102ef

Download Submit
memory/1912-47-0x0000000000E60000-0x0000000000E8D000-memory.dmp

Filesize
180KB

Download
memory/1912-54-0x0000000000E60000-0x0000000000E8D000-memory.dmp

Filesize
180KB

Download
memory/1912-55-0x0000000000E60000-0x0000000000E8D000-memory.dmp

Filesize
180KB

Download
memory/2536-3-0x00000000003C0000-0x00000000003DE000-memory.dmp

Filesize
120KB

Download
memory/2536-6-0x0000000000530000-0x000000000059A000-memory.dmp

Filesize
424KB

Download
memory/2536-5-0x0000000073F60000-0x000000007464E000-memory.dmp

Filesize
6.9MB

Download
memory/2536-4-0x0000000073F6E000-0x0000000073F6F000-memory.dmp

Filesize
4KB

Download
memory/2536-36-0x0000000073F60000-0x000000007464E000-memory.dmp

Filesize
6.9MB

Download
memory/2536-2-0x0000000073F60000-0x000000007464E000-memory.dmp

Filesize
6.9MB

Download
memory/2536-1-0x0000000001260000-0x000000000131A000-memory.dmp

Filesize
744KB

Download
memory/2536-0-0x0000000073F6E000-0x0000000073F6F000-memory.dmp

Filesize
4KB

Download
memory/2880-31-0x0000000000400000-0x000000000055A000-memory.dmp

Filesize
1.4MB

Download
memory/2880-33-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

Filesize
4KB

Download
memory/2880-26-0x0000000000400000-0x000000000055A000-memory.dmp

Filesize
1.4MB

Download
memory/2880-23-0x0000000000400000-0x000000000055A000-memory.dmp

Filesize
1.4MB

Download
memory/2880-30-0x0000000000400000-0x000000000055A000-memory.dmp

Filesize
1.4MB

Download
memory/2880-37-0x0000000000400000-0x000000000055A000-memory.dmp

Filesize
1.4MB

Download
memory/2880-38-0x0000000000400000-0x000000000055A000-memory.dmp

Filesize
1.4MB

Download
memory/2880-27-0x0000000000400000-0x000000000055A000-memory.dmp

Filesize
1.4MB

Download
memory/2880-45-0x0000000005370000-0x000000000539D000-memory.dmp

Filesize
180KB

Download
memory/2880-34-0x0000000000400000-0x000000000055A000-memory.dmp

Filesize
1.4MB

Download
memory/2880-35-0x0000000000400000-0x000000000055A000-memory.dmp

Filesize
1.4MB

Download
memory/2880-52-0x0000000000400000-0x000000000055A000-memory.dmp

Filesize
1.4MB

Download
memory/2880-53-0x0000000005370000-0x000000000539D000-memory.dmp

Filesize
180KB

Download
memory/2880-20-0x0000000000400000-0x000000000055A000-memory.dmp

Filesize
1.4MB

Download
memory/2880-21-0x0000000000400000-0x000000000055A000-memory.dmp

Filesize
1.4MB

Download
memory/2880-57-0x0000000000400000-0x000000000055A000-memory.dmp

Filesize
1.4MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads