Analysis

  • max time kernel
    138s
  • max time network
    144s
  • platform
    windows7_x64
  • resource
    win7-20241023-en
  • resource tags

    arch:x64, arch:x86, image:win7-20241023-en, locale:en-us, os:windows7-x64, system
  • submitted
    10-01-2025 06:30

General

  • Target

    RFQ 8976765564566787978754566787909875654567.scr

  • Size

    557KB

  • MD5

    f302ac3931ec4406589e92bb0ceb5a05

  • SHA1

    e9fc3f3264cd3a1ec6023493a5c96c2ba317755f

  • SHA256

    6b83778b6931df0a74268e44daf5ca87dee79b0360b1022e6976281c5a1c58de

  • SHA512

    a3ce33d824ccd13a368e974d0df5d33081474652223280fd8464339f59a2598d80b8c83490b543a3d2cb09af60d4a342fe918fdb72076dafe4fdfe954817922c

  • SSDEEP

    12288:8zll9Z7a0GM4Rb9So1JELBYaKMwHI3lpa+zD56gsjFQX0zHVjczn4SB0AjlEVwtw:qawL6Ib/N6zjFQERQn4SB1jRti

Malware Config

Extracted

Family

warzonerat

C2

172.245.23.149:4020

Signatures

  • WarzoneRat, AveMaria

    WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.

  • Warzonerat family
  • Warzone RAT payload 10 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

  • Server Software Component: Terminal Services DLL 1 TTPs 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Modifies WinLogon 2 TTPs 5 IoCs
  • Hide Artifacts: Hidden Users 1 TTPs 2 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Drops file in Program Files directory 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious behavior: LoadsDriver 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of WriteProcessMemory 30 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\RFQ 8976765564566787978754566787909875654567.scr
    "C:\Users\Admin\AppData\Local\Temp\RFQ 8976765564566787978754566787909875654567.scr" /S
    1⤵
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:1872
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\RFQ 8976765564566787978754566787909875654567.scr"
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2440
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\rQCIRoFZewxkov.exe"
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2132
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\rQCIRoFZewxkov" /XML "C:\Users\Admin\AppData\Local\Temp\tmp261.tmp"
      2⤵
      • System Location Discovery: System Language Discovery
      • Scheduled Task/Job: Scheduled Task
      PID:2796
    • C:\Users\Admin\AppData\Local\Temp\RFQ 8976765564566787978754566787909875654567.scr
      "C:\Users\Admin\AppData\Local\Temp\RFQ 8976765564566787978754566787909875654567.scr"
      2⤵
      • Server Software Component: Terminal Services DLL
      • Modifies WinLogon
      • Hide Artifacts: Hidden Users
      • Drops file in Program Files directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2628
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe"
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2644

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\tmp261.tmp

    Filesize: 1KB
    MD5: 82466f69c4abb0b9facf8e5dbed8de20
    SHA1: 92f137653b5bd9622031cc57dc69af03f7c6bf20
    SHA256: ccb48b5e85139c558604aacf59761c569bd3a2bcfe80095d9870a5d4b4ac5343
    SHA512: 5b7f99875d2ddb2d5c3d9e6ee3ebc23baffed01dfa7a245663f4661bd075cd509c21a24730ee1d899d91a5db61d7b7f36dba28f2a70d4ffdc3ec07007565ae86

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

    Filesize: 7KB
    MD5: fc0abb315829568b7af5b72c6384725e
    SHA1: ca218e5e8698e9825abeaa68efa8ef53cc5d65cf
    SHA256: 164c76e1fce97468a765a6f39153e85e8ca0ef45bb041c408960b34092934141
    SHA512: b0a44962b07d6f2cfccb0c79f17d097273d69ab3e6828a36af51b6c0d9c30fb2f97dffa2961481781273c2adbf689708ef7276f3bbda34d14033022301dc8c29

  • \Program Files\Microsoft DN1\sqlmap.dll

    Filesize: 114KB
    MD5: 461ade40b800ae80a40985594e1ac236
    SHA1: b3892eef846c044a2b0785d54a432b3e93a968c8
    SHA256: 798af20db39280f90a1d35f2ac2c1d62124d1f5218a2a0fa29d87a13340bd3e4
    SHA512: 421f9060c4b61fa6f4074508602a2639209032fd5df5bfc702a159e3bad5479684ccb3f6e02f3e38fb8db53839cf3f41fe58a3acad6ec1199a48dc333b2d8a26

  • memory/1872-0-0x00000000741AE000-0x00000000741AF000-memory.dmp (Filesize: 4KB)
  • memory/1872-1-0x00000000000F0000-0x0000000000180000-memory.dmp (Filesize: 576KB)
  • memory/1872-2-0x00000000741A0000-0x000000007488E000-memory.dmp (Filesize: 6.9MB)
  • memory/1872-3-0x0000000000490000-0x00000000004AA000-memory.dmp (Filesize: 104KB)
  • memory/1872-4-0x00000000741AE000-0x00000000741AF000-memory.dmp (Filesize: 4KB)
  • memory/1872-5-0x00000000741A0000-0x000000007488E000-memory.dmp (Filesize: 6.9MB)
  • memory/1872-6-0x0000000004440000-0x00000000044A4000-memory.dmp (Filesize: 400KB)
  • memory/1872-34-0x00000000741A0000-0x000000007488E000-memory.dmp (Filesize: 6.9MB)
  • memory/2628-30-0x0000000000400000-0x000000000041D000-memory.dmp (Filesize: 116KB)
  • memory/2628-35-0x0000000000400000-0x000000000041D000-memory.dmp (Filesize: 116KB)
  • memory/2628-28-0x0000000000400000-0x000000000041D000-memory.dmp (Filesize: 116KB)
  • memory/2628-26-0x0000000000400000-0x000000000041D000-memory.dmp (Filesize: 116KB)
  • memory/2628-24-0x0000000000400000-0x000000000041D000-memory.dmp (Filesize: 116KB)
  • memory/2628-22-0x0000000000400000-0x000000000041D000-memory.dmp (Filesize: 116KB)
  • memory/2628-20-0x0000000000400000-0x000000000041D000-memory.dmp (Filesize: 116KB)
  • memory/2628-33-0x0000000000400000-0x000000000041D000-memory.dmp (Filesize: 116KB)
  • memory/2628-32-0x000000007EFDE000-0x000000007EFDF000-memory.dmp (Filesize: 4KB)
  • memory/2628-49-0x0000000000400000-0x000000000041D000-memory.dmp (Filesize: 116KB)
  • memory/2628-48-0x0000000000400000-0x000000000041D000-memory.dmp (Filesize: 116KB)
  • memory/2628-41-0x0000000000400000-0x000000000041D000-memory.dmp (Filesize: 116KB)
  • memory/2628-43-0x0000000000400000-0x000000000041D000-memory.dmp (Filesize: 116KB)
  • memory/2628-18-0x0000000000400000-0x000000000041D000-memory.dmp (Filesize: 116KB)
  • memory/2644-36-0x00000000000B0000-0x00000000000B1000-memory.dmp (Filesize: 4KB)
  • memory/2644-38-0x00000000000B0000-0x00000000000B1000-memory.dmp (Filesize: 4KB)