warzonerat | 066e985867d56271776ab61510202ffdd1bec246fc15dd38dd17a38223d50d40

Analysis

max time kernel
117s
max time network
115s
platform
windows7_x64
resource
win7-20241023-en
resource tags

arch:x64arch:x86image:win7-20241023-enlocale:en-usos:windows7-x64system
submitted
30-10-2024 09:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

066e985867d56271776ab61510202ffdd1bec246fc15dd38dd17a38223d50d40N.exe
Size

718KB
MD5

32bbe58d2336cd18c22d221a3836bd50
SHA1

7b559b7160fa1f0de211afd3dcb81a41a2a7fd89
SHA256

066e985867d56271776ab61510202ffdd1bec246fc15dd38dd17a38223d50d40
SHA512

66e3dd18d4beaffd40845f5b255b8c95c02bc1d72ec4a0fb831f1b6f48067599e89f8e9abdfa8579e443f6960e8e90225c22ba0995a17c56c8282204f47017a4
SSDEEP

12288:9qbjoMfzukYwBZ+DPWeGHutARp7ubVoSYOKe5KkohFISCX/B:sos2+HutANuprIiroJCP

Score

10^/10

warzonerat defense_evasion discovery evasion execution infostealer persistence privilege_escalation rat upx

Malware Config

Extracted

Family

warzonerat

wznne1.duckdns.org:63196

Signatures

WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
rat infostealer warzonerat
Warzonerat family
warzonerat

Warzone RAT payload 10 IoCs

rat

resource	yara_rule
behavioral1/memory/2964-32-0x0000000000400000-0x000000000055A000-memory.dmp	warzonerat
behavioral1/memory/2964-34-0x0000000000400000-0x000000000055A000-memory.dmp	warzonerat
behavioral1/memory/2964-35-0x0000000000400000-0x000000000055A000-memory.dmp	warzonerat
behavioral1/memory/2964-29-0x0000000000400000-0x000000000055A000-memory.dmp	warzonerat
behavioral1/memory/2964-27-0x0000000000400000-0x000000000055A000-memory.dmp	warzonerat
behavioral1/memory/2964-25-0x0000000000400000-0x000000000055A000-memory.dmp	warzonerat
behavioral1/memory/2964-37-0x0000000000400000-0x000000000055A000-memory.dmp	warzonerat
behavioral1/memory/2964-38-0x0000000000400000-0x000000000055A000-memory.dmp	warzonerat
behavioral1/memory/2964-51-0x0000000000400000-0x000000000055A000-memory.dmp	warzonerat
behavioral1/memory/2964-55-0x0000000000400000-0x000000000055A000-memory.dmp	warzonerat

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2664	powershell.exe
2568	powershell.exe

Modifies Windows Firewall 2 TTPs 1 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
1704	netsh.exe

Server Software Component: Terminal Services DLL 1 TTPs 1 IoCs

persistence

Terminal Services DLL

T1505.005

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\TermService\Parameters\ServiceDll = "%ProgramFiles%\\Microsoft DN1\\sqlmap.dll"	vbc.exe

Executes dropped EXE 1 IoCs

pid	Process
2992	22.exe

Loads dropped DLL 2 IoCs

pid	Process
2964	vbc.exe
2156	Process not Found

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\System32\rfxvmt.dll	vbc.exe

Hide Artifacts: Hidden Users 1 TTPs 1 IoCs

defense_evasion

Hidden Users

T1564.002

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList\dxgGG.v = "0"	vbc.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1268 set thread context of 2964	1268	066e985867d56271776ab61510202ffdd1bec246fc15dd38dd17a38223d50d40N.exe	37

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x00070000000193c4-42.dat	upx
behavioral1/memory/2964-44-0x00000000057D0000-0x00000000057FD000-memory.dmp	upx
behavioral1/memory/2992-52-0x0000000001150000-0x000000000117D000-memory.dmp	upx
behavioral1/memory/2992-53-0x0000000001150000-0x000000000117D000-memory.dmp	upx

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files\Microsoft DN1\sqlmap.dll	vbc.exe
File created	C:\Program Files\Microsoft DN1\rdpwrap.ini	vbc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	22.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	066e985867d56271776ab61510202ffdd1bec246fc15dd38dd17a38223d50d40N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2104	schtasks.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
1268	066e985867d56271776ab61510202ffdd1bec246fc15dd38dd17a38223d50d40N.exe
1268	066e985867d56271776ab61510202ffdd1bec246fc15dd38dd17a38223d50d40N.exe
1268	066e985867d56271776ab61510202ffdd1bec246fc15dd38dd17a38223d50d40N.exe
1268	066e985867d56271776ab61510202ffdd1bec246fc15dd38dd17a38223d50d40N.exe
1268	066e985867d56271776ab61510202ffdd1bec246fc15dd38dd17a38223d50d40N.exe
2568	powershell.exe
2664	powershell.exe

Suspicious behavior: LoadsDriver 4 IoCs

pid	Process
2156	Process not Found
2156	Process not Found
2156	Process not Found
2156	Process not Found

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	1268	066e985867d56271776ab61510202ffdd1bec246fc15dd38dd17a38223d50d40N.exe
Token: SeDebugPrivilege	2568	powershell.exe
Token: SeDebugPrivilege	2664	powershell.exe
Token: SeDebugPrivilege	2964	vbc.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2964	vbc.exe

Suspicious use of WriteProcessMemory 32 IoCs

description	pid	Process	procid_target
PID 1268 wrote to memory of 2664	1268	066e985867d56271776ab61510202ffdd1bec246fc15dd38dd17a38223d50d40N.exe	31
PID 1268 wrote to memory of 2664	1268	066e985867d56271776ab61510202ffdd1bec246fc15dd38dd17a38223d50d40N.exe	31
PID 1268 wrote to memory of 2664	1268	066e985867d56271776ab61510202ffdd1bec246fc15dd38dd17a38223d50d40N.exe	31
PID 1268 wrote to memory of 2664	1268	066e985867d56271776ab61510202ffdd1bec246fc15dd38dd17a38223d50d40N.exe	31
PID 1268 wrote to memory of 2568	1268	066e985867d56271776ab61510202ffdd1bec246fc15dd38dd17a38223d50d40N.exe	33
PID 1268 wrote to memory of 2568	1268	066e985867d56271776ab61510202ffdd1bec246fc15dd38dd17a38223d50d40N.exe	33
PID 1268 wrote to memory of 2568	1268	066e985867d56271776ab61510202ffdd1bec246fc15dd38dd17a38223d50d40N.exe	33
PID 1268 wrote to memory of 2568	1268	066e985867d56271776ab61510202ffdd1bec246fc15dd38dd17a38223d50d40N.exe	33
PID 1268 wrote to memory of 2104	1268	066e985867d56271776ab61510202ffdd1bec246fc15dd38dd17a38223d50d40N.exe	34
PID 1268 wrote to memory of 2104	1268	066e985867d56271776ab61510202ffdd1bec246fc15dd38dd17a38223d50d40N.exe	34
PID 1268 wrote to memory of 2104	1268	066e985867d56271776ab61510202ffdd1bec246fc15dd38dd17a38223d50d40N.exe	34
PID 1268 wrote to memory of 2104	1268	066e985867d56271776ab61510202ffdd1bec246fc15dd38dd17a38223d50d40N.exe	34
PID 1268 wrote to memory of 2964	1268	066e985867d56271776ab61510202ffdd1bec246fc15dd38dd17a38223d50d40N.exe	37
PID 1268 wrote to memory of 2964	1268	066e985867d56271776ab61510202ffdd1bec246fc15dd38dd17a38223d50d40N.exe	37
PID 1268 wrote to memory of 2964	1268	066e985867d56271776ab61510202ffdd1bec246fc15dd38dd17a38223d50d40N.exe	37
PID 1268 wrote to memory of 2964	1268	066e985867d56271776ab61510202ffdd1bec246fc15dd38dd17a38223d50d40N.exe	37
PID 1268 wrote to memory of 2964	1268	066e985867d56271776ab61510202ffdd1bec246fc15dd38dd17a38223d50d40N.exe	37
PID 1268 wrote to memory of 2964	1268	066e985867d56271776ab61510202ffdd1bec246fc15dd38dd17a38223d50d40N.exe	37
PID 1268 wrote to memory of 2964	1268	066e985867d56271776ab61510202ffdd1bec246fc15dd38dd17a38223d50d40N.exe	37
PID 1268 wrote to memory of 2964	1268	066e985867d56271776ab61510202ffdd1bec246fc15dd38dd17a38223d50d40N.exe	37
PID 1268 wrote to memory of 2964	1268	066e985867d56271776ab61510202ffdd1bec246fc15dd38dd17a38223d50d40N.exe	37
PID 1268 wrote to memory of 2964	1268	066e985867d56271776ab61510202ffdd1bec246fc15dd38dd17a38223d50d40N.exe	37
PID 1268 wrote to memory of 2964	1268	066e985867d56271776ab61510202ffdd1bec246fc15dd38dd17a38223d50d40N.exe	37
PID 1268 wrote to memory of 2964	1268	066e985867d56271776ab61510202ffdd1bec246fc15dd38dd17a38223d50d40N.exe	37
PID 2964 wrote to memory of 2992	2964	vbc.exe	39
PID 2964 wrote to memory of 2992	2964	vbc.exe	39
PID 2964 wrote to memory of 2992	2964	vbc.exe	39
PID 2964 wrote to memory of 2992	2964	vbc.exe	39
PID 2992 wrote to memory of 1704	2992	22.exe	40
PID 2992 wrote to memory of 1704	2992	22.exe	40
PID 2992 wrote to memory of 1704	2992	22.exe	40
PID 2992 wrote to memory of 1704	2992	22.exe	40

C:\Users\Admin\AppData\Local\Temp\066e985867d56271776ab61510202ffdd1bec246fc15dd38dd17a38223d50d40N.exe
"C:\Users\Admin\AppData\Local\Temp\066e985867d56271776ab61510202ffdd1bec246fc15dd38dd17a38223d50d40N.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1268
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\066e985867d56271776ab61510202ffdd1bec246fc15dd38dd17a38223d50d40N.exe"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2664
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\rRQnnfB.exe"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2568
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\rRQnnfB" /XML "C:\Users\Admin\AppData\Local\Temp\tmp252.tmp"
  2⤵
  - System Location Discovery: System Language Discovery
  - Scheduled Task/Job: Scheduled Task
  PID:2104
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
  2⤵
  - Server Software Component: Terminal Services DLL
  - Loads dropped DLL
  - Drops file in System32 directory
  - Hide Artifacts: Hidden Users
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2964
- - C:\Users\Admin\AppData\Local\Temp\22.exe
    "C:\Users\Admin\AppData\Local\Temp\22.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2992
  - - C:\Windows\SysWOW64\netsh.exe
      netsh advfirewall firewall add rule name="3389" dir=in action=allow protocol=TCP localport=3389
      4⤵
      Modifies Windows Firewall
      Event Triggered Execution: Netsh Helper DLL
      System Location Discovery: System Language Discovery
      PID:1704

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Server Software Component

T1505

Terminal Services DLL

T1505.005

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Hide Artifacts

T1564

Hidden Users

T1564.002

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp252.tmp

Filesize
1KB

MD5
ed8402c446fd6ee7c19fa6a339085a78

SHA1
32d803893585d27da0523e84861607c33b08e47a

SHA256
e481acfb5a80c383808ad1f4b10f2c08fbf69d0abe896079f1050f3ab35c115e

SHA512
3b1e7df57e4353189e0bf2a9eaf61a4c10e59955a31e0e59f89fa5e225a9efb22f463a6e4d2a0a98842e2c3b2d53d4518aba1e39adcedc5bd04a04ee94328298

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
75990576e3b34bfbe7146ab974859e60

SHA1
64e5716a1588137675ee996844c96a91bfe4afd6

SHA256
17e1cf597f7ffc322fd55f0d953f82c8a6a7bba38f9e35ffd0ff88791d773f73

SHA512
df6abf828088e1bc09e4811e71c409223849c6dc4296fe2019cde605176a6ef8faa34bc191f0597700ae48012d5db0b21be879fbdaa4f36eaceab776d538f9cb

Download Submit
\Program Files\Microsoft DN1\sqlmap.dll

Filesize
114KB

MD5
461ade40b800ae80a40985594e1ac236

SHA1
b3892eef846c044a2b0785d54a432b3e93a968c8

SHA256
798af20db39280f90a1d35f2ac2c1d62124d1f5218a2a0fa29d87a13340bd3e4

SHA512
421f9060c4b61fa6f4074508602a2639209032fd5df5bfc702a159e3bad5479684ccb3f6e02f3e38fb8db53839cf3f41fe58a3acad6ec1199a48dc333b2d8a26

Download Submit
\Users\Admin\AppData\Local\Temp\22.exe

Filesize
70KB

MD5
ca96229390a0e6a53e8f2125f2c01114

SHA1
a54b1081cf58724f8cb292b4d165dfee2fb1c9f6

SHA256
0df3d05900e7b530f6c2a281d43c47839f2cf2a5d386553c8dc46e463a635a2c

SHA512
e93445bce6c8b6f51890309577a0ea9369860d2e6bf8cc0ca708879a77bb176d27c5f559bbdb7deb4b719aee0fc48d9068c293559f7629baf4ec3515898102ef

Download Submit
memory/1268-0-0x0000000074B0E000-0x0000000074B0F000-memory.dmp

Filesize
4KB

Download
memory/1268-1-0x0000000001090000-0x000000000114A000-memory.dmp

Filesize
744KB

Download
memory/1268-2-0x0000000074B00000-0x00000000751EE000-memory.dmp

Filesize
6.9MB

Download
memory/1268-3-0x0000000000580000-0x000000000059E000-memory.dmp

Filesize
120KB

Download
memory/1268-4-0x0000000074B0E000-0x0000000074B0F000-memory.dmp

Filesize
4KB

Download
memory/1268-5-0x0000000074B00000-0x00000000751EE000-memory.dmp

Filesize
6.9MB

Download
memory/1268-6-0x0000000000450000-0x00000000004BA000-memory.dmp

Filesize
424KB

Download
memory/1268-36-0x0000000074B00000-0x00000000751EE000-memory.dmp

Filesize
6.9MB

Download
memory/2964-27-0x0000000000400000-0x000000000055A000-memory.dmp

Filesize
1.4MB

Download
memory/2964-38-0x0000000000400000-0x000000000055A000-memory.dmp

Filesize
1.4MB

Download
memory/2964-33-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

Filesize
4KB

Download
memory/2964-25-0x0000000000400000-0x000000000055A000-memory.dmp

Filesize
1.4MB

Download
memory/2964-23-0x0000000000400000-0x000000000055A000-memory.dmp

Filesize
1.4MB

Download
memory/2964-19-0x0000000000400000-0x000000000055A000-memory.dmp

Filesize
1.4MB

Download
memory/2964-21-0x0000000000400000-0x000000000055A000-memory.dmp

Filesize
1.4MB

Download
memory/2964-35-0x0000000000400000-0x000000000055A000-memory.dmp

Filesize
1.4MB

Download
memory/2964-37-0x0000000000400000-0x000000000055A000-memory.dmp

Filesize
1.4MB

Download
memory/2964-29-0x0000000000400000-0x000000000055A000-memory.dmp

Filesize
1.4MB

Download
memory/2964-34-0x0000000000400000-0x000000000055A000-memory.dmp

Filesize
1.4MB

Download
memory/2964-44-0x00000000057D0000-0x00000000057FD000-memory.dmp

Filesize
180KB

Download
memory/2964-32-0x0000000000400000-0x000000000055A000-memory.dmp

Filesize
1.4MB

Download
memory/2964-51-0x0000000000400000-0x000000000055A000-memory.dmp

Filesize
1.4MB

Download
memory/2964-55-0x0000000000400000-0x000000000055A000-memory.dmp

Filesize
1.4MB

Download
memory/2992-53-0x0000000001150000-0x000000000117D000-memory.dmp

Filesize
180KB

Download
memory/2992-52-0x0000000001150000-0x000000000117D000-memory.dmp

Filesize
180KB

Download