warzonerat | e569298451bd12f37a4c93fb610b254f6237ae89eb3f573427ace46daedd1402

Analysis

max time kernel
149s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
10-12-2024 05:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Estado_de_cuenta.xls
Size

198KB
MD5

98136ffd902b60b1107c02cb94fc90e2
SHA1

ae410c8c5d57fa37b74ff283768bd68c48dd46ae
SHA256

e569298451bd12f37a4c93fb610b254f6237ae89eb3f573427ace46daedd1402
SHA512

0ec2eb997c474c19d4ddedbae60552d2b71ce1b1c5780f35e6bafa089bf6a75e8fd1e8bf936ed65f21426274cffad36ce7ffba21ed6dda15b585b20b4e69f650
SSDEEP

6144:IxEtjPOtioVjDGUU1qfDlavx+W2QnAo+Ly9ckwDwPq5XlsqbwxNNip:/+VkGUqLsqIi

Score

10^/10

warzonerat discovery infostealer persistence rat

Malware Config

Extracted

Family

warzonerat

dns.stipamana.com:5219

Signatures

WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
rat infostealer warzonerat
Warzonerat family
warzonerat

Warzone RAT payload 3 IoCs

rat

resource	yara_rule
behavioral2/memory/2616-96-0x0000000000400000-0x0000000000554000-memory.dmp	warzonerat
behavioral2/memory/644-101-0x0000000000400000-0x0000000000554000-memory.dmp	warzonerat
behavioral2/memory/1988-114-0x0000000000400000-0x0000000000554000-memory.dmp	warzonerat

Downloads MZ/PE file

Executes dropped EXE 8 IoCs

pid	Process
1976	DCNXKNLRS.exe
3156	DCNXKNLRS.exe
2616	DCNXKNLRS.exe
644	DCNXKNLRS.exe
4028	images.exe
1984	images.exe
1756	images.exe
1988	images.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Images = "C:\\ProgramData\\images.exe"	DCNXKNLRS.exe

Suspicious use of SetThreadContext 6 IoCs

description	pid	Process	procid_target
PID 1976 set thread context of 3156	1976	DCNXKNLRS.exe	89
PID 1976 set thread context of 2616	1976	DCNXKNLRS.exe	90
PID 1976 set thread context of 644	1976	DCNXKNLRS.exe	92
PID 4028 set thread context of 1984	4028	images.exe	96
PID 4028 set thread context of 1756	4028	images.exe	97
PID 4028 set thread context of 1988	4028	images.exe	99

Program crash 2 IoCs

pid	pid_target	Process	procid_target
4088	3156	WerFault.exe	89
5032	1984	WerFault.exe	96

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	images.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	images.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	images.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DCNXKNLRS.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DCNXKNLRS.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DCNXKNLRS.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
4324	EXCEL.EXE

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1976	DCNXKNLRS.exe
Token: SeDebugPrivilege	4028	images.exe

Suspicious use of SetWindowsHookEx 16 IoCs

pid	Process
4324	EXCEL.EXE
4324	EXCEL.EXE
4324	EXCEL.EXE
4324	EXCEL.EXE
4324	EXCEL.EXE
4324	EXCEL.EXE
4324	EXCEL.EXE
4324	EXCEL.EXE
4324	EXCEL.EXE
4324	EXCEL.EXE
4324	EXCEL.EXE
4324	EXCEL.EXE
4324	EXCEL.EXE
4324	EXCEL.EXE
4324	EXCEL.EXE
4324	EXCEL.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4324 wrote to memory of 1976	4324	EXCEL.EXE	87
PID 4324 wrote to memory of 1976	4324	EXCEL.EXE	87
PID 4324 wrote to memory of 1976	4324	EXCEL.EXE	87
PID 1976 wrote to memory of 3156	1976	DCNXKNLRS.exe	89
PID 1976 wrote to memory of 3156	1976	DCNXKNLRS.exe	89
PID 1976 wrote to memory of 3156	1976	DCNXKNLRS.exe	89
PID 1976 wrote to memory of 3156	1976	DCNXKNLRS.exe	89
PID 1976 wrote to memory of 3156	1976	DCNXKNLRS.exe	89
PID 1976 wrote to memory of 3156	1976	DCNXKNLRS.exe	89
PID 1976 wrote to memory of 3156	1976	DCNXKNLRS.exe	89
PID 1976 wrote to memory of 3156	1976	DCNXKNLRS.exe	89
PID 1976 wrote to memory of 3156	1976	DCNXKNLRS.exe	89
PID 1976 wrote to memory of 3156	1976	DCNXKNLRS.exe	89
PID 1976 wrote to memory of 3156	1976	DCNXKNLRS.exe	89
PID 1976 wrote to memory of 2616	1976	DCNXKNLRS.exe	90
PID 1976 wrote to memory of 2616	1976	DCNXKNLRS.exe	90
PID 1976 wrote to memory of 2616	1976	DCNXKNLRS.exe	90
PID 1976 wrote to memory of 2616	1976	DCNXKNLRS.exe	90
PID 1976 wrote to memory of 2616	1976	DCNXKNLRS.exe	90
PID 1976 wrote to memory of 2616	1976	DCNXKNLRS.exe	90
PID 1976 wrote to memory of 2616	1976	DCNXKNLRS.exe	90
PID 1976 wrote to memory of 2616	1976	DCNXKNLRS.exe	90
PID 1976 wrote to memory of 2616	1976	DCNXKNLRS.exe	90
PID 1976 wrote to memory of 2616	1976	DCNXKNLRS.exe	90
PID 1976 wrote to memory of 2616	1976	DCNXKNLRS.exe	90
PID 1976 wrote to memory of 644	1976	DCNXKNLRS.exe	92
PID 1976 wrote to memory of 644	1976	DCNXKNLRS.exe	92
PID 1976 wrote to memory of 644	1976	DCNXKNLRS.exe	92
PID 1976 wrote to memory of 644	1976	DCNXKNLRS.exe	92
PID 1976 wrote to memory of 644	1976	DCNXKNLRS.exe	92
PID 1976 wrote to memory of 644	1976	DCNXKNLRS.exe	92
PID 1976 wrote to memory of 644	1976	DCNXKNLRS.exe	92
PID 1976 wrote to memory of 644	1976	DCNXKNLRS.exe	92
PID 1976 wrote to memory of 644	1976	DCNXKNLRS.exe	92
PID 1976 wrote to memory of 644	1976	DCNXKNLRS.exe	92
PID 1976 wrote to memory of 644	1976	DCNXKNLRS.exe	92
PID 644 wrote to memory of 4028	644	DCNXKNLRS.exe	95
PID 644 wrote to memory of 4028	644	DCNXKNLRS.exe	95
PID 644 wrote to memory of 4028	644	DCNXKNLRS.exe	95
PID 4028 wrote to memory of 1984	4028	images.exe	96
PID 4028 wrote to memory of 1984	4028	images.exe	96
PID 4028 wrote to memory of 1984	4028	images.exe	96
PID 4028 wrote to memory of 1984	4028	images.exe	96
PID 4028 wrote to memory of 1984	4028	images.exe	96
PID 4028 wrote to memory of 1984	4028	images.exe	96
PID 4028 wrote to memory of 1984	4028	images.exe	96
PID 4028 wrote to memory of 1984	4028	images.exe	96
PID 4028 wrote to memory of 1984	4028	images.exe	96
PID 4028 wrote to memory of 1984	4028	images.exe	96
PID 4028 wrote to memory of 1984	4028	images.exe	96
PID 4028 wrote to memory of 1756	4028	images.exe	97
PID 4028 wrote to memory of 1756	4028	images.exe	97
PID 4028 wrote to memory of 1756	4028	images.exe	97
PID 4028 wrote to memory of 1756	4028	images.exe	97
PID 4028 wrote to memory of 1756	4028	images.exe	97
PID 4028 wrote to memory of 1756	4028	images.exe	97
PID 4028 wrote to memory of 1756	4028	images.exe	97
PID 4028 wrote to memory of 1756	4028	images.exe	97
PID 4028 wrote to memory of 1756	4028	images.exe	97
PID 4028 wrote to memory of 1756	4028	images.exe	97
PID 4028 wrote to memory of 1756	4028	images.exe	97
PID 4028 wrote to memory of 1988	4028	images.exe	99
PID 4028 wrote to memory of 1988	4028	images.exe	99
PID 4028 wrote to memory of 1988	4028	images.exe	99

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\Estado_de_cuenta.xls"
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4324
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\DCNXKNLRS.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\DCNXKNLRS.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1976
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\DCNXKNLRS.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\DCNXKNLRS.exe
    3⤵
    - Executes dropped EXE
    PID:3156
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3156 -s 80
      4⤵
      Program crash
      PID:4088
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\DCNXKNLRS.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\DCNXKNLRS.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2616
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\DCNXKNLRS.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\DCNXKNLRS.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:644
  - - C:\ProgramData\images.exe
      "C:\ProgramData\images.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4028
    - - C:\ProgramData\images.exe
        
        C:\ProgramData\images.exe
        5⤵
        Executes dropped EXE
        
        PID:1984
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1984 -s 80
        6⤵
        Program crash
        
        PID:5032
    - - C:\ProgramData\images.exe
        
        C:\ProgramData\images.exe
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1756
    - - C:\ProgramData\images.exe
        
        C:\ProgramData\images.exe
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1988

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3156 -ip 3156
1⤵
PID:2904

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 1984 -ip 1984
1⤵
PID:4780

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b8ab77100df80ab2.customDestinations-ms

Filesize
1KB

MD5
e0172ed7f74bfb7361364c6e208ed133

SHA1
d8e4fb93eee95f6aad96d4b8250dd4da65b8f596

SHA256
2331349deab3b5bc44299433aee115de8fcb8382cdbea16a80b321b73cdb464a

SHA512
8b0ca175bc7e2dde88777456d6bd4a255743b784412b4be99d4455d67b5913f96b2bd12b86a7009a1f1ab2554606df060ae6f575e8fd17afd6b66c140f931d5b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\DCNXKNLRS.exe

Filesize
319KB

MD5
cad3404a925d02d351239edaa03af840

SHA1
82bd5b6987906034ab58e988a5f615680e6faf3b

SHA256
f6ee358f1e50caebcdd8b92517d562009ac2a64e63118ddff33bd31d07d2f4c8

SHA512
b15b2e7dbbb73272d17208764179b75782471c1a8ef16dad649a24c5e56173a298c58cfae909544629be782cc67067693e32a3c1cf961052799209b22175bda3

Download Submit
memory/644-101-0x0000000000400000-0x0000000000554000-memory.dmp

Filesize
1.3MB

Download
memory/1976-94-0x0000000004720000-0x0000000004726000-memory.dmp

Filesize
24KB

Download
memory/1976-93-0x000000000D660000-0x000000000D6F2000-memory.dmp

Filesize
584KB

Download
memory/1976-92-0x000000000DD50000-0x000000000E2F4000-memory.dmp

Filesize
5.6MB

Download
memory/1976-91-0x000000000D700000-0x000000000D79C000-memory.dmp

Filesize
624KB

Download
memory/1976-90-0x000000000D600000-0x000000000D660000-memory.dmp

Filesize
384KB

Download
memory/1976-89-0x00000000025B0000-0x00000000025B6000-memory.dmp

Filesize
24KB

Download
memory/1976-88-0x00000000002B0000-0x0000000000306000-memory.dmp

Filesize
344KB

Download
memory/1988-114-0x0000000000400000-0x0000000000554000-memory.dmp

Filesize
1.3MB

Download
memory/2616-96-0x0000000000400000-0x0000000000554000-memory.dmp

Filesize
1.3MB

Download
memory/4324-16-0x00007FFED6A80000-0x00007FFED6A90000-memory.dmp

Filesize
64KB

Download
memory/4324-14-0x00007FFF191B0000-0x00007FFF193A5000-memory.dmp

Filesize
2.0MB

Download
memory/4324-18-0x00007FFF191B0000-0x00007FFF193A5000-memory.dmp

Filesize
2.0MB

Download
memory/4324-11-0x00007FFF191B0000-0x00007FFF193A5000-memory.dmp

Filesize
2.0MB

Download
memory/4324-9-0x00007FFF191B0000-0x00007FFF193A5000-memory.dmp

Filesize
2.0MB

Download
memory/4324-8-0x00007FFF191B0000-0x00007FFF193A5000-memory.dmp

Filesize
2.0MB

Download
memory/4324-7-0x00007FFED9230000-0x00007FFED9240000-memory.dmp

Filesize
64KB

Download
memory/4324-4-0x00007FFED9230000-0x00007FFED9240000-memory.dmp

Filesize
64KB

Download
memory/4324-35-0x00007FFF191B0000-0x00007FFF193A5000-memory.dmp

Filesize
2.0MB

Download
memory/4324-46-0x00007FFF191B0000-0x00007FFF193A5000-memory.dmp

Filesize
2.0MB

Download
memory/4324-17-0x00007FFF191B0000-0x00007FFF193A5000-memory.dmp

Filesize
2.0MB

Download
memory/4324-13-0x00007FFED6A80000-0x00007FFED6A90000-memory.dmp

Filesize
64KB

Download
memory/4324-1-0x00007FFF1924D000-0x00007FFF1924E000-memory.dmp

Filesize
4KB

Download
memory/4324-19-0x00007FFF191B0000-0x00007FFF193A5000-memory.dmp

Filesize
2.0MB

Download
memory/4324-15-0x00007FFF191B0000-0x00007FFF193A5000-memory.dmp

Filesize
2.0MB

Download
memory/4324-12-0x00007FFF191B0000-0x00007FFF193A5000-memory.dmp

Filesize
2.0MB

Download
memory/4324-10-0x00007FFF191B0000-0x00007FFF193A5000-memory.dmp

Filesize
2.0MB

Download
memory/4324-6-0x00007FFF191B0000-0x00007FFF193A5000-memory.dmp

Filesize
2.0MB

Download
memory/4324-5-0x00007FFF191B0000-0x00007FFF193A5000-memory.dmp

Filesize
2.0MB

Download
memory/4324-0-0x00007FFED9230000-0x00007FFED9240000-memory.dmp

Filesize
64KB

Download
memory/4324-2-0x00007FFED9230000-0x00007FFED9240000-memory.dmp

Filesize
64KB

Download
memory/4324-115-0x00007FFF191B0000-0x00007FFF193A5000-memory.dmp

Filesize
2.0MB

Download
memory/4324-116-0x00007FFF1924D000-0x00007FFF1924E000-memory.dmp

Filesize
4KB

Download
memory/4324-117-0x00007FFF191B0000-0x00007FFF193A5000-memory.dmp

Filesize
2.0MB

Download
memory/4324-118-0x00007FFF191B0000-0x00007FFF193A5000-memory.dmp

Filesize
2.0MB

Download
memory/4324-122-0x00007FFF191B0000-0x00007FFF193A5000-memory.dmp

Filesize
2.0MB

Download
memory/4324-123-0x00007FFF191B0000-0x00007FFF193A5000-memory.dmp

Filesize
2.0MB

Download
memory/4324-3-0x00007FFED9230000-0x00007FFED9240000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads