warzonerat | 2a55348b41e5bc666de29f92002b206768a7f6b134e3901e48abe2ae7b4b6b47

Analysis

max time kernel
138s
max time network
146s
platform
windows7_x64
resource
win7-20241023-en
resource tags

arch:x64arch:x86image:win7-20241023-enlocale:en-usos:windows7-x64system
submitted
09-01-2025 09:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

RFQ 675766567456534534534534535434534564456453.scr
Size

580KB
MD5

6772fb0a8d636027e91b8fa238c4ab3c
SHA1

1c1a0b57de7fa94ffadaaf91f846f5a8bea8f019
SHA256

247bc285f9b882ff9318ecc7049c4209d43187c0657988dcce7fe5f0a6067be7
SHA512

1ae632ec6c00852d2e9ee6953cc15905fab3599eff4340ac0902d99aa5fc0aeb7f21d1a8dc0ced672ee323e54dae374216f19d1f7475d857df04c2fdf94d319f
SSDEEP

12288:ShjS4JRwD94pRZASB9+VUEJxcWEak/+s6uQxNlJcbq:StSqR2ipRZDgeEJxP3hb

Score

10^/10

warzonerat defense_evasion discovery execution infostealer persistence rat

Malware Config

Extracted

Family

warzonerat

172.245.23.149:4020

Signatures

WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
rat infostealer warzonerat
Warzonerat family
warzonerat

Warzone RAT payload 10 IoCs

rat

resource	yara_rule
behavioral1/memory/2884-35-0x0000000000400000-0x000000000041D000-memory.dmp	warzonerat
behavioral1/memory/2884-32-0x0000000000400000-0x000000000041D000-memory.dmp	warzonerat
behavioral1/memory/2884-30-0x0000000000400000-0x000000000041D000-memory.dmp	warzonerat
behavioral1/memory/2884-28-0x0000000000400000-0x000000000041D000-memory.dmp	warzonerat
behavioral1/memory/2884-26-0x0000000000400000-0x000000000041D000-memory.dmp	warzonerat
behavioral1/memory/2884-36-0x0000000000400000-0x000000000041D000-memory.dmp	warzonerat
behavioral1/memory/2884-43-0x0000000000400000-0x000000000041D000-memory.dmp	warzonerat
behavioral1/memory/2884-45-0x0000000000400000-0x000000000041D000-memory.dmp	warzonerat
behavioral1/memory/2884-51-0x0000000000400000-0x000000000041D000-memory.dmp	warzonerat
behavioral1/memory/2884-52-0x0000000000400000-0x000000000041D000-memory.dmp	warzonerat

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2120	powershell.exe
2080	powershell.exe

Server Software Component: Terminal Services DLL 1 TTPs 1 IoCs

persistence

Terminal Services DLL

T1505.005

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\TermService\Parameters\ServiceDll = "%ProgramFiles%\\Microsoft DN1\\sqlmap.dll"	RFQ 675766567456534534534534535434534564456453.scr

Loads dropped DLL 2 IoCs

pid	Process
2164	Process not Found
1776	Process not Found

Modifies WinLogon 2 TTPs 5 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList	RFQ 675766567456534534534534535434534564456453.scr
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts	RFQ 675766567456534534534534535434534564456453.scr
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList\lowJqAw = "0"	RFQ 675766567456534534534534535434534564456453.scr
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList\.voKgHI = "0"	RFQ 675766567456534534534534535434534564456453.scr
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\AllowMultipleTSSessions = "1"	RFQ 675766567456534534534534535434534564456453.scr

Hide Artifacts: Hidden Users 1 TTPs 2 IoCs

defense_evasion

Hidden Users

T1564.002

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList\lowJqAw = "0"	RFQ 675766567456534534534534535434534564456453.scr
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList\.voKgHI = "0"	RFQ 675766567456534534534534535434534564456453.scr

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1720 set thread context of 2884	1720	RFQ 675766567456534534534534535434534564456453.scr	38

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Microsoft DN1\sqlmap.dll	RFQ 675766567456534534534534535434534564456453.scr
File created	C:\Program Files\Microsoft DN1\rdpwrap.ini	RFQ 675766567456534534534534535434534564456453.scr
File opened for modification	C:\Program Files\Microsoft DN1\rdpwrap.ini	RFQ 675766567456534534534534535434534564456453.scr
File created	C:\Program Files\Microsoft DN1\sqlmap.dll	RFQ 675766567456534534534534535434534564456453.scr

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RFQ 675766567456534534534534535434534564456453.scr
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RFQ 675766567456534534534534535434534564456453.scr

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2860	schtasks.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
1720	RFQ 675766567456534534534534535434534564456453.scr
1720	RFQ 675766567456534534534534535434534564456453.scr
2120	powershell.exe
2080	powershell.exe

Suspicious behavior: LoadsDriver 1 IoCs

pid	Process
1776	Process not Found

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	1720	RFQ 675766567456534534534534535434534564456453.scr
Token: SeDebugPrivilege	2120	powershell.exe
Token: SeDebugPrivilege	2080	powershell.exe
Token: SeDebugPrivilege	2884	RFQ 675766567456534534534534535434534564456453.scr
Token: SeDebugPrivilege	2884	RFQ 675766567456534534534534535434534564456453.scr

Suspicious use of WriteProcessMemory 34 IoCs

description	pid	Process	procid_target
PID 1720 wrote to memory of 2120	1720	RFQ 675766567456534534534534535434534564456453.scr	31
PID 1720 wrote to memory of 2120	1720	RFQ 675766567456534534534534535434534564456453.scr	31
PID 1720 wrote to memory of 2120	1720	RFQ 675766567456534534534534535434534564456453.scr	31
PID 1720 wrote to memory of 2120	1720	RFQ 675766567456534534534534535434534564456453.scr	31
PID 1720 wrote to memory of 2080	1720	RFQ 675766567456534534534534535434534564456453.scr	33
PID 1720 wrote to memory of 2080	1720	RFQ 675766567456534534534534535434534564456453.scr	33
PID 1720 wrote to memory of 2080	1720	RFQ 675766567456534534534534535434534564456453.scr	33
PID 1720 wrote to memory of 2080	1720	RFQ 675766567456534534534534535434534564456453.scr	33
PID 1720 wrote to memory of 2860	1720	RFQ 675766567456534534534534535434534564456453.scr	34
PID 1720 wrote to memory of 2860	1720	RFQ 675766567456534534534534535434534564456453.scr	34
PID 1720 wrote to memory of 2860	1720	RFQ 675766567456534534534534535434534564456453.scr	34
PID 1720 wrote to memory of 2860	1720	RFQ 675766567456534534534534535434534564456453.scr	34
PID 1720 wrote to memory of 2908	1720	RFQ 675766567456534534534534535434534564456453.scr	37
PID 1720 wrote to memory of 2908	1720	RFQ 675766567456534534534534535434534564456453.scr	37
PID 1720 wrote to memory of 2908	1720	RFQ 675766567456534534534534535434534564456453.scr	37
PID 1720 wrote to memory of 2908	1720	RFQ 675766567456534534534534535434534564456453.scr	37
PID 1720 wrote to memory of 2884	1720	RFQ 675766567456534534534534535434534564456453.scr	38
PID 1720 wrote to memory of 2884	1720	RFQ 675766567456534534534534535434534564456453.scr	38
PID 1720 wrote to memory of 2884	1720	RFQ 675766567456534534534534535434534564456453.scr	38
PID 1720 wrote to memory of 2884	1720	RFQ 675766567456534534534534535434534564456453.scr	38
PID 1720 wrote to memory of 2884	1720	RFQ 675766567456534534534534535434534564456453.scr	38
PID 1720 wrote to memory of 2884	1720	RFQ 675766567456534534534534535434534564456453.scr	38
PID 1720 wrote to memory of 2884	1720	RFQ 675766567456534534534534535434534564456453.scr	38
PID 1720 wrote to memory of 2884	1720	RFQ 675766567456534534534534535434534564456453.scr	38
PID 1720 wrote to memory of 2884	1720	RFQ 675766567456534534534534535434534564456453.scr	38
PID 1720 wrote to memory of 2884	1720	RFQ 675766567456534534534534535434534564456453.scr	38
PID 1720 wrote to memory of 2884	1720	RFQ 675766567456534534534534535434534564456453.scr	38
PID 1720 wrote to memory of 2884	1720	RFQ 675766567456534534534534535434534564456453.scr	38
PID 2884 wrote to memory of 2364	2884	RFQ 675766567456534534534534535434534564456453.scr	39
PID 2884 wrote to memory of 2364	2884	RFQ 675766567456534534534534535434534564456453.scr	39
PID 2884 wrote to memory of 2364	2884	RFQ 675766567456534534534534535434534564456453.scr	39
PID 2884 wrote to memory of 2364	2884	RFQ 675766567456534534534534535434534564456453.scr	39
PID 2884 wrote to memory of 2364	2884	RFQ 675766567456534534534534535434534564456453.scr	39
PID 2884 wrote to memory of 2364	2884	RFQ 675766567456534534534534535434534564456453.scr	39

C:\Users\Admin\AppData\Local\Temp\RFQ 675766567456534534534534535434534564456453.scr
"C:\Users\Admin\AppData\Local\Temp\RFQ 675766567456534534534534535434534564456453.scr" /S
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1720
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\RFQ 675766567456534534534534535434534564456453.scr"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2120
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\sTnBWEz.exe"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2080
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\sTnBWEz" /XML "C:\Users\Admin\AppData\Local\Temp\tmpDD45.tmp"
  2⤵
  - System Location Discovery: System Language Discovery
  - Scheduled Task/Job: Scheduled Task
  PID:2860
- C:\Users\Admin\AppData\Local\Temp\RFQ 675766567456534534534534535434534564456453.scr
  "C:\Users\Admin\AppData\Local\Temp\RFQ 675766567456534534534534535434534564456453.scr"
  2⤵
  PID:2908
- C:\Users\Admin\AppData\Local\Temp\RFQ 675766567456534534534534535434534564456453.scr
  "C:\Users\Admin\AppData\Local\Temp\RFQ 675766567456534534534534535434534564456453.scr"
  2⤵
  - Server Software Component: Terminal Services DLL
  - Modifies WinLogon
  - Hide Artifacts: Hidden Users
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2884
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2364

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Server Software Component

T1505

Terminal Services DLL

T1505.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Hide Artifacts

T1564

Hidden Users

T1564.002

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpDD45.tmp

Filesize
1KB

MD5
b3ffae27bb02cbb9b769611fb3f675a5

SHA1
b3bf49c4821e038904b31a87023e7c4db2b994f6

SHA256
169118ad15d66a8f61f6f084281c8d84e9010390967d81a43d62659619afdd42

SHA512
3ab471726fada54b4bd31cfd7c212e2cd68bb83092d1da915c9f70bf9b1c5f5c66dc2c9048099788a5f29ac6bd643127dc180eccfe60aef6e1bcb13e1eceff2f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\45AJEPVNZZLIQMRA9LTL.temp

Filesize
7KB

MD5
598a6bdc48cd40a6f4dd0fbe6b44fdf9

SHA1
2e44302b5b284af48a63ca396418558ca3f5245f

SHA256
094708146d762a41351c3143458008e345e7a8c02e25ee649efcd899a71c31dc

SHA512
a5e0db72bb55ee090113bcf04ac66e9bcca3eb9a7d0351cbfa7ff0a923f8d5aa5e9072c143334add98a092a4c77a4dcf31abcc4c4ba69bde629d99ddbe18f5b8

Download Submit
\Program Files\Microsoft DN1\sqlmap.dll

Filesize
114KB

MD5
461ade40b800ae80a40985594e1ac236

SHA1
b3892eef846c044a2b0785d54a432b3e93a968c8

SHA256
798af20db39280f90a1d35f2ac2c1d62124d1f5218a2a0fa29d87a13340bd3e4

SHA512
421f9060c4b61fa6f4074508602a2639209032fd5df5bfc702a159e3bad5479684ccb3f6e02f3e38fb8db53839cf3f41fe58a3acad6ec1199a48dc333b2d8a26

Download Submit
memory/1720-37-0x0000000074990000-0x000000007507E000-memory.dmp

Filesize
6.9MB

Download
memory/1720-1-0x0000000001190000-0x0000000001228000-memory.dmp

Filesize
608KB

Download
memory/1720-2-0x0000000074990000-0x000000007507E000-memory.dmp

Filesize
6.9MB

Download
memory/1720-3-0x0000000004630000-0x00000000046BE000-memory.dmp

Filesize
568KB

Download
memory/1720-4-0x0000000000540000-0x000000000055C000-memory.dmp

Filesize
112KB

Download
memory/1720-5-0x000000007499E000-0x000000007499F000-memory.dmp

Filesize
4KB

Download
memory/1720-6-0x0000000074990000-0x000000007507E000-memory.dmp

Filesize
6.9MB

Download
memory/1720-7-0x00000000047E0000-0x0000000004844000-memory.dmp

Filesize
400KB

Download
memory/1720-0-0x000000007499E000-0x000000007499F000-memory.dmp

Filesize
4KB

Download
memory/2364-38-0x0000000000130000-0x0000000000131000-memory.dmp

Filesize
4KB

Download
memory/2364-40-0x0000000000130000-0x0000000000131000-memory.dmp

Filesize
4KB

Download
memory/2884-26-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/2884-35-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/2884-32-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/2884-24-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/2884-22-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/2884-36-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/2884-34-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2884-28-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/2884-30-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/2884-43-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/2884-45-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/2884-20-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/2884-51-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/2884-52-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download