Analysis
-
max time kernel
94s -
max time network
149s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
-
submitted
09-01-2025 09:18
General
-
Target
RFQ 675766567456534534534534535434534564456453.scr
-
Size
580KB
-
MD5
6772fb0a8d636027e91b8fa238c4ab3c
-
SHA1
1c1a0b57de7fa94ffadaaf91f846f5a8bea8f019
-
SHA256
247bc285f9b882ff9318ecc7049c4209d43187c0657988dcce7fe5f0a6067be7
-
SHA512
1ae632ec6c00852d2e9ee6953cc15905fab3599eff4340ac0902d99aa5fc0aeb7f21d1a8dc0ced672ee323e54dae374216f19d1f7475d857df04c2fdf94d319f
-
SSDEEP
12288:ShjS4JRwD94pRZASB9+VUEJxcWEak/+s6uQxNlJcbq:StSqR2ipRZDgeEJxP3hb
Malware Config
Extracted
warzonerat
172.245.23.149:4020
Signatures
-
WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
-
Warzonerat family
-
Warzone RAT payload 6 IoCs
-
Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Server Software Component: Terminal Services DLL 1 TTPs 1 IoCs
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Loads dropped DLL 1 IoCs
-
Modifies WinLogon 2 TTPs 4 IoCs
-
Hide Artifacts: Hidden Users 1 TTPs 1 IoCs
-
Suspicious use of SetThreadContext 1 IoCs
-
Drops file in Program Files directory 3 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 6 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 8 IoCs
-
Suspicious behavior: LoadsDriver 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 4 IoCs
-
Suspicious use of WriteProcessMemory 25 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\RFQ 675766567456534534534534535434534564456453.scr"C:\Users\Admin\AppData\Local\Temp\RFQ 675766567456534534534534535434534564456453.scr" /S1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\RFQ 675766567456534534534534535434534564456453.scr"2⤵
- Command and Scripting Interpreter: PowerShell
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\sTnBWEz.exe"2⤵
- Command and Scripting Interpreter: PowerShell
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\sTnBWEz" /XML "C:\Users\Admin\AppData\Local\Temp\tmpD764.tmp"2⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
-
-
C:\Users\Admin\AppData\Local\Temp\RFQ 675766567456534534534534535434534564456453.scr"C:\Users\Admin\AppData\Local\Temp\RFQ 675766567456534534534534535434534564456453.scr"2⤵
- Server Software Component: Terminal Services DLL
- Modifies WinLogon
- Hide Artifacts: Hidden Users
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe"3⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k NetworkService -s TermService1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k NetworkService -s TermService1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter
1PowerShell
1Scheduled Task/Job
1Scheduled Task
1Persistence
Boot or Logon Autostart Execution
1Winlogon Helper DLL
1Scheduled Task/Job
1Scheduled Task
1Server Software Component
1Terminal Services DLL
1Privilege Escalation
Boot or Logon Autostart Execution
1Winlogon Helper DLL
1Scheduled Task/Job
1Scheduled Task
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
114KB
MD5461ade40b800ae80a40985594e1ac236
SHA1b3892eef846c044a2b0785d54a432b3e93a968c8
SHA256798af20db39280f90a1d35f2ac2c1d62124d1f5218a2a0fa29d87a13340bd3e4
SHA512421f9060c4b61fa6f4074508602a2639209032fd5df5bfc702a159e3bad5479684ccb3f6e02f3e38fb8db53839cf3f41fe58a3acad6ec1199a48dc333b2d8a26
-
Filesize
2KB
MD5968cb9309758126772781b83adb8a28f
SHA18da30e71accf186b2ba11da1797cf67f8f78b47c
SHA25692099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a
SHA5124bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3
-
Filesize
18KB
MD50206b2c09f7ab934f2dd117b0a0e6967
SHA1bce6e1ba37d3344cad3e304a53ca48a87415e09d
SHA256e7c64ea14ad95e8e23c7a95dc12c7ac07f48ec9811fc548dc5a23a0cfb894e0b
SHA512da5fcd7b75861010a5f0a54955ebd6117502d4d9194d6eac0f48c2df2ccd67ec2bcde534631b2d9f6a4cee9b4751df23413f2f99c8dd9e165040ac23a3839195
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
1KB
MD5efd15d28d7116a961cd40d7b2ed03f2f
SHA1f1f7fef4cd449bf894924900496ab53b77a3e973
SHA256ca821ac0461647155c66bd5148fc148210551f989acbeb9fac3f92f51cdde9bc
SHA5123ad3f8ba9527ddd9f967e775055fc5061fcb1213794dce1ebf5839bd3893b02dc3ee02e4888a85fd9825a66eef1695e0a169ef1dc1317dcee8ace2ba7c64ce71
-
Filesize
80KB
-
Filesize
104KB
-
Filesize
68KB
-
Filesize
304KB
-
Filesize
32KB
-
Filesize
7.7MB
-
Filesize
216KB
-
Filesize
7.7MB
-
Filesize
6.2MB
-
Filesize
7.7MB
-
Filesize
136KB
-
Filesize
7.7MB
-
Filesize
6.5MB
-
Filesize
40KB
-
Filesize
408KB
-
Filesize
120KB
-
Filesize
7.7MB
-
Filesize
600KB
-
Filesize
3.3MB
-
Filesize
120KB
-
Filesize
7.7MB
-
Filesize
7.7MB
-
Filesize
304KB
-
Filesize
408KB
-
Filesize
7.7MB
-
Filesize
56KB
-
Filesize
104KB
-
Filesize
304KB
-
Filesize
200KB
-
Filesize
652KB
-
Filesize
116KB
-
Filesize
116KB
-
Filesize
116KB
-
Filesize
116KB
-
Filesize
116KB
-
Filesize
116KB
-
Filesize
7.7MB
-
Filesize
40KB
-
Filesize
568KB
-
Filesize
112KB
-
Filesize
7.7MB
-
Filesize
584KB
-
Filesize
7.7MB
-
Filesize
4KB
-
Filesize
624KB
-
Filesize
5.6MB
-
Filesize
608KB
-
Filesize
400KB
-
Filesize
4KB
-
Filesize
4KB