warzonerat | 55ee4ec7ef356d27f1de8b0a0dcaa1d0ec82657ed560d205b7685f0463347361

General

Target

55ee4ec7ef356d27f1de8b0a0dcaa1d0ec82657ed560d205b7685f0463347361.exe
Size

2.2MB
MD5

a3a5585495a363a370682c1cdcac975a
SHA1

ba053ec257b1b3602e7957af16848fb69d6cedd3
SHA256

55ee4ec7ef356d27f1de8b0a0dcaa1d0ec82657ed560d205b7685f0463347361
SHA512

56c54b6e83f185640eaf0fc9ee19bc8472d53455b34c9c8b3c056e8e602b75db32e5f2485ee9da538041a592f534c1202d582ee196871023a134fd8418a4c076
SSDEEP

12288:axYXuBiUvOTi2TJlDrnDrnDrnDrnJrlxtGfaIJ2Lk1VwtVr06Mv+vsBwSjfwD90o:WYG2TJljIJzozJzdbanoqKBXPf

Score

10^/10

warzonerat discovery execution infostealer persistence rat

Malware Config

Extracted

Family

warzonerat

C2

win64pooldrv.ddns.net:9010

Signatures

WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
rat infostealer warzonerat
Warzonerat family
warzonerat

Warzone RAT payload 6 IoCs

rat

resource	yara_rule
behavioral1/memory/2904-2-0x0000000000540000-0x0000000000640000-memory.dmp	warzonerat
behavioral1/memory/2904-4-0x00000000020A0000-0x00000000021F4000-memory.dmp	warzonerat
behavioral1/memory/2904-22-0x00000000020A0000-0x00000000021F4000-memory.dmp	warzonerat
behavioral1/memory/2844-41-0x0000000000400000-0x0000000000500000-memory.dmp	warzonerat
behavioral1/memory/2844-33-0x0000000002170000-0x00000000022C4000-memory.dmp	warzonerat
behavioral1/memory/2844-54-0x0000000000400000-0x0000000000500000-memory.dmp	warzonerat

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2992	powershell.exe
2572	powershell.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\programs.bat	55ee4ec7ef356d27f1de8b0a0dcaa1d0ec82657ed560d205b7685f0463347361.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\programs.bat:start	55ee4ec7ef356d27f1de8b0a0dcaa1d0ec82657ed560d205b7685f0463347361.exe

Executes dropped EXE 1 IoCs

pid	Process
2844	images.exe

Loads dropped DLL 1 IoCs

pid	Process
2904	55ee4ec7ef356d27f1de8b0a0dcaa1d0ec82657ed560d205b7685f0463347361.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Images = "C:\\ProgramData\\images.exe"	55ee4ec7ef356d27f1de8b0a0dcaa1d0ec82657ed560d205b7685f0463347361.exe

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	images.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	55ee4ec7ef356d27f1de8b0a0dcaa1d0ec82657ed560d205b7685f0463347361.exe

NTFS ADS 1 IoCs

description	ioc	Process
File created	C:\ProgramData:ApplicationData	55ee4ec7ef356d27f1de8b0a0dcaa1d0ec82657ed560d205b7685f0463347361.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2992	powershell.exe
2572	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2992	powershell.exe
Token: SeDebugPrivilege	2572	powershell.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 2904 wrote to memory of 2992	2904	55ee4ec7ef356d27f1de8b0a0dcaa1d0ec82657ed560d205b7685f0463347361.exe	29
PID 2904 wrote to memory of 2992	2904	55ee4ec7ef356d27f1de8b0a0dcaa1d0ec82657ed560d205b7685f0463347361.exe	29
PID 2904 wrote to memory of 2992	2904	55ee4ec7ef356d27f1de8b0a0dcaa1d0ec82657ed560d205b7685f0463347361.exe	29
PID 2904 wrote to memory of 2992	2904	55ee4ec7ef356d27f1de8b0a0dcaa1d0ec82657ed560d205b7685f0463347361.exe	29
PID 2904 wrote to memory of 2844	2904	55ee4ec7ef356d27f1de8b0a0dcaa1d0ec82657ed560d205b7685f0463347361.exe	31
PID 2904 wrote to memory of 2844	2904	55ee4ec7ef356d27f1de8b0a0dcaa1d0ec82657ed560d205b7685f0463347361.exe	31
PID 2904 wrote to memory of 2844	2904	55ee4ec7ef356d27f1de8b0a0dcaa1d0ec82657ed560d205b7685f0463347361.exe	31
PID 2904 wrote to memory of 2844	2904	55ee4ec7ef356d27f1de8b0a0dcaa1d0ec82657ed560d205b7685f0463347361.exe	31
PID 2844 wrote to memory of 2572	2844	images.exe	32
PID 2844 wrote to memory of 2572	2844	images.exe	32
PID 2844 wrote to memory of 2572	2844	images.exe	32
PID 2844 wrote to memory of 2572	2844	images.exe	32
PID 2844 wrote to memory of 2560	2844	images.exe	33
PID 2844 wrote to memory of 2560	2844	images.exe	33
PID 2844 wrote to memory of 2560	2844	images.exe	33
PID 2844 wrote to memory of 2560	2844	images.exe	33
PID 2844 wrote to memory of 2560	2844	images.exe	33
PID 2844 wrote to memory of 2560	2844	images.exe	33

C:\Users\Admin\AppData\Local\Temp\55ee4ec7ef356d27f1de8b0a0dcaa1d0ec82657ed560d205b7685f0463347361.exe
"C:\Users\Admin\AppData\Local\Temp\55ee4ec7ef356d27f1de8b0a0dcaa1d0ec82657ed560d205b7685f0463347361.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- NTFS ADS
- Suspicious use of WriteProcessMemory
PID:2904
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell Add-MpPreference -ExclusionPath C:\
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2992
- C:\ProgramData\images.exe
  "C:\ProgramData\images.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2844
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell Add-MpPreference -ExclusionPath C:\
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2572
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2560

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
33f2dc9c3954c5c03e921a2fb7f1dbee

SHA1
6fe84cecd70b19461fd06a7518bf7e4e65c8de81

SHA256
a944f8a3e758c17e86d8ea80fd3b4b73c849b89e4bf6becb6f873482972dcbfb

SHA512
71b59778fe9032fc36e89b9383a00731ce345397717036d79a832f2a0fe642ce99af8df9fef9918d3ea21ab2a9292f8a89427a860f18a0d59af77bcc34368219

Download Submit
\ProgramData\images.exe

Filesize
2.2MB

MD5
a3a5585495a363a370682c1cdcac975a

SHA1
ba053ec257b1b3602e7957af16848fb69d6cedd3

SHA256
55ee4ec7ef356d27f1de8b0a0dcaa1d0ec82657ed560d205b7685f0463347361

SHA512
56c54b6e83f185640eaf0fc9ee19bc8472d53455b34c9c8b3c056e8e602b75db32e5f2485ee9da538041a592f534c1202d582ee196871023a134fd8418a4c076

Download Submit
memory/2560-48-0x0000000000120000-0x0000000000121000-memory.dmp

Filesize
4KB

Download
memory/2560-50-0x0000000000120000-0x0000000000121000-memory.dmp

Filesize
4KB

Download
memory/2844-33-0x0000000002170000-0x00000000022C4000-memory.dmp

Filesize
1.3MB

Download
memory/2844-54-0x0000000000400000-0x0000000000500000-memory.dmp

Filesize
1024KB

Download
memory/2844-41-0x0000000000400000-0x0000000000500000-memory.dmp

Filesize
1024KB

Download
memory/2904-22-0x00000000020A0000-0x00000000021F4000-memory.dmp

Filesize
1.3MB

Download
memory/2904-4-0x00000000020A0000-0x00000000021F4000-memory.dmp

Filesize
1.3MB

Download
memory/2904-2-0x0000000000540000-0x0000000000640000-memory.dmp

Filesize
1024KB

Download
memory/2992-30-0x0000000073F80000-0x000000007452B000-memory.dmp

Filesize
5.7MB

Download
memory/2992-26-0x0000000073F81000-0x0000000073F82000-memory.dmp

Filesize
4KB

Download
memory/2992-28-0x0000000073F80000-0x000000007452B000-memory.dmp

Filesize
5.7MB

Download
memory/2992-27-0x0000000073F80000-0x000000007452B000-memory.dmp

Filesize
5.7MB

Download
memory/2992-53-0x0000000073F80000-0x000000007452B000-memory.dmp

Filesize
5.7MB

Download
memory/2992-29-0x0000000073F80000-0x000000007452B000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads