warzonerat | 3c12c79486f13c973e550baa52dfdc8fd94d34e68dcfd388b19f2ebbae431017

Analysis

max time kernel
144s
max time network
147s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
05/03/2025, 18:02 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

MACHINE SPECIFICATION/MACHINE SPECIFICATION.exe
Size

633KB
MD5

573c3aa20cab92c93663f0e475323557
SHA1

647598a3a90b23787b83f0c23ba26a8b4b779592
SHA256

9ebea5ecb5f86bccf0564f563a35665876e5bcb1b66285a19965af5f24534b4a
SHA512

06fbf4dfea02ac62c81c9e47581d779891e2da9113ed45f349af2e4c52b86da9701a807872a5cfc059c5553de63bab3a24953a06a63d82cf8bf877c3dc538694
SSDEEP

6144:WTTzzJeyp1RnC7HJnIApeX9vLSaXmWFiB3WOk6f7h9WgFER0u+GIIIIIIIhIIIIw:GTzNeypHnC7HdeXZEWFTOk6fmBm5GV

Score

10^/10

warzonerat discovery infostealer persistence rat

Malware Config

Extracted

Family

warzonerat

198.46.177.153:4532

Signatures

WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
rat infostealer warzonerat
Warzonerat family
warzonerat

Warzone RAT payload 7 IoCs

rat

resource	yara_rule
behavioral1/memory/2764-11-0x0000000000400000-0x000000000055E000-memory.dmp	warzonerat
behavioral1/memory/2764-12-0x0000000000400000-0x000000000055E000-memory.dmp	warzonerat
behavioral1/memory/2764-9-0x0000000000400000-0x000000000055E000-memory.dmp	warzonerat
behavioral1/memory/648-76-0x0000000000400000-0x000000000055E000-memory.dmp	warzonerat
behavioral1/memory/648-74-0x0000000000400000-0x000000000055E000-memory.dmp	warzonerat
behavioral1/memory/648-77-0x0000000000400000-0x000000000055E000-memory.dmp	warzonerat
behavioral1/memory/648-78-0x0000000000400000-0x000000000055E000-memory.dmp	warzonerat

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\MACHINE SPECIFICATION = "cmd.exe /C \"start \"\" /D \"C:\\Users\\Admin\\SystemRootDoc\" \"C:\\Users\\Admin\\SystemRootDoc\\MACHINE SPECIFICATION.exe\"\""	MACHINE SPECIFICATION.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2216 set thread context of 648	2216	MACHINE SPECIFICATION.exe	39

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmplayer.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2216	MACHINE SPECIFICATION.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2216 wrote to memory of 2764	2216	MACHINE SPECIFICATION.exe	30
PID 2216 wrote to memory of 2764	2216	MACHINE SPECIFICATION.exe	30
PID 2216 wrote to memory of 2764	2216	MACHINE SPECIFICATION.exe	30
PID 2216 wrote to memory of 2764	2216	MACHINE SPECIFICATION.exe	30
PID 2216 wrote to memory of 2764	2216	MACHINE SPECIFICATION.exe	30
PID 2216 wrote to memory of 2764	2216	MACHINE SPECIFICATION.exe	30
PID 2216 wrote to memory of 2764	2216	MACHINE SPECIFICATION.exe	30
PID 2216 wrote to memory of 2764	2216	MACHINE SPECIFICATION.exe	30
PID 2216 wrote to memory of 2764	2216	MACHINE SPECIFICATION.exe	30
PID 2216 wrote to memory of 2764	2216	MACHINE SPECIFICATION.exe	30
PID 2216 wrote to memory of 2100	2216	MACHINE SPECIFICATION.exe	31
PID 2216 wrote to memory of 2100	2216	MACHINE SPECIFICATION.exe	31
PID 2216 wrote to memory of 2100	2216	MACHINE SPECIFICATION.exe	31
PID 2216 wrote to memory of 2100	2216	MACHINE SPECIFICATION.exe	31
PID 2216 wrote to memory of 2788	2216	MACHINE SPECIFICATION.exe	32
PID 2216 wrote to memory of 2788	2216	MACHINE SPECIFICATION.exe	32
PID 2216 wrote to memory of 2788	2216	MACHINE SPECIFICATION.exe	32
PID 2216 wrote to memory of 2788	2216	MACHINE SPECIFICATION.exe	32
PID 2216 wrote to memory of 2784	2216	MACHINE SPECIFICATION.exe	33
PID 2216 wrote to memory of 2784	2216	MACHINE SPECIFICATION.exe	33
PID 2216 wrote to memory of 2784	2216	MACHINE SPECIFICATION.exe	33
PID 2216 wrote to memory of 2784	2216	MACHINE SPECIFICATION.exe	33
PID 2216 wrote to memory of 2736	2216	MACHINE SPECIFICATION.exe	34
PID 2216 wrote to memory of 2736	2216	MACHINE SPECIFICATION.exe	34
PID 2216 wrote to memory of 2736	2216	MACHINE SPECIFICATION.exe	34
PID 2216 wrote to memory of 2736	2216	MACHINE SPECIFICATION.exe	34
PID 2216 wrote to memory of 2736	2216	MACHINE SPECIFICATION.exe	34
PID 2216 wrote to memory of 2736	2216	MACHINE SPECIFICATION.exe	34
PID 2216 wrote to memory of 2736	2216	MACHINE SPECIFICATION.exe	34
PID 2216 wrote to memory of 2736	2216	MACHINE SPECIFICATION.exe	34
PID 2216 wrote to memory of 2736	2216	MACHINE SPECIFICATION.exe	34
PID 2216 wrote to memory of 2736	2216	MACHINE SPECIFICATION.exe	34
PID 2216 wrote to memory of 2560	2216	MACHINE SPECIFICATION.exe	35
PID 2216 wrote to memory of 2560	2216	MACHINE SPECIFICATION.exe	35
PID 2216 wrote to memory of 2560	2216	MACHINE SPECIFICATION.exe	35
PID 2216 wrote to memory of 2560	2216	MACHINE SPECIFICATION.exe	35
PID 2216 wrote to memory of 2560	2216	MACHINE SPECIFICATION.exe	35
PID 2216 wrote to memory of 2560	2216	MACHINE SPECIFICATION.exe	35
PID 2216 wrote to memory of 2560	2216	MACHINE SPECIFICATION.exe	35
PID 2216 wrote to memory of 2560	2216	MACHINE SPECIFICATION.exe	35
PID 2216 wrote to memory of 2560	2216	MACHINE SPECIFICATION.exe	35
PID 2216 wrote to memory of 2700	2216	MACHINE SPECIFICATION.exe	36
PID 2216 wrote to memory of 2700	2216	MACHINE SPECIFICATION.exe	36
PID 2216 wrote to memory of 2700	2216	MACHINE SPECIFICATION.exe	36
PID 2216 wrote to memory of 2700	2216	MACHINE SPECIFICATION.exe	36
PID 2216 wrote to memory of 2700	2216	MACHINE SPECIFICATION.exe	36
PID 2216 wrote to memory of 2700	2216	MACHINE SPECIFICATION.exe	36
PID 2216 wrote to memory of 2700	2216	MACHINE SPECIFICATION.exe	36
PID 2216 wrote to memory of 2700	2216	MACHINE SPECIFICATION.exe	36
PID 2216 wrote to memory of 2700	2216	MACHINE SPECIFICATION.exe	36
PID 2216 wrote to memory of 2552	2216	MACHINE SPECIFICATION.exe	37
PID 2216 wrote to memory of 2552	2216	MACHINE SPECIFICATION.exe	37
PID 2216 wrote to memory of 2552	2216	MACHINE SPECIFICATION.exe	37
PID 2216 wrote to memory of 2552	2216	MACHINE SPECIFICATION.exe	37
PID 2216 wrote to memory of 2552	2216	MACHINE SPECIFICATION.exe	37
PID 2216 wrote to memory of 2552	2216	MACHINE SPECIFICATION.exe	37
PID 2216 wrote to memory of 2552	2216	MACHINE SPECIFICATION.exe	37
PID 2216 wrote to memory of 2552	2216	MACHINE SPECIFICATION.exe	37
PID 2216 wrote to memory of 2552	2216	MACHINE SPECIFICATION.exe	37
PID 2216 wrote to memory of 1996	2216	MACHINE SPECIFICATION.exe	38
PID 2216 wrote to memory of 1996	2216	MACHINE SPECIFICATION.exe	38
PID 2216 wrote to memory of 1996	2216	MACHINE SPECIFICATION.exe	38
PID 2216 wrote to memory of 1996	2216	MACHINE SPECIFICATION.exe	38
PID 2216 wrote to memory of 1996	2216	MACHINE SPECIFICATION.exe	38

C:\Users\Admin\AppData\Local\Temp\MACHINE SPECIFICATION\MACHINE SPECIFICATION.exe
"C:\Users\Admin\AppData\Local\Temp\MACHINE SPECIFICATION\MACHINE SPECIFICATION.exe"
1⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2216
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe"
  2⤵
  PID:2764
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"
  2⤵
  PID:2100
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe"
  2⤵
  PID:2788
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
  2⤵
  PID:2784
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe"
  2⤵
  PID:2736
- C:\Windows\System32\calc.exe
  "C:\Windows\System32\calc.exe"
  2⤵
  PID:2560
- C:\Windows\System32\svchost.exe
  "C:\Windows\System32\svchost.exe"
  2⤵
  PID:2700
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe"
  2⤵
  PID:2552
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:1996
- C:\Program Files (x86)\Windows Media Player\wmplayer.exe
  "C:\Program Files (x86)\Windows Media Player\wmplayer.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:648

Network

No results found

198.46.177.153:4532

wmplayer.exe

152 B
120 B
3
3
198.46.177.153:4532

wmplayer.exe

152 B
80 B
3
2
198.46.177.153:4532

wmplayer.exe

152 B
120 B
3
3
198.46.177.153:4532

wmplayer.exe

152 B
120 B
3
3
198.46.177.153:4532

wmplayer.exe

152 B
120 B
3
3
198.46.177.153:4532

wmplayer.exe

152 B
120 B
3
3
198.46.177.153:4532

wmplayer.exe

152 B
120 B
3
3
198.46.177.153:4532

wmplayer.exe

152 B
120 B
3
3
198.46.177.153:4532

wmplayer.exe

152 B
120 B
3
3
198.46.177.153:4532

wmplayer.exe

152 B
120 B
3
3
198.46.177.153:4532

wmplayer.exe

152 B
120 B
3
3
198.46.177.153:4532

wmplayer.exe

152 B
120 B
3
3
198.46.177.153:4532

wmplayer.exe

152 B
80 B
3
2
198.46.177.153:4532

wmplayer.exe

152 B
120 B
3
3
198.46.177.153:4532

wmplayer.exe

152 B
120 B
3
3
198.46.177.153:4532

wmplayer.exe

152 B
120 B
3
3
198.46.177.153:4532

wmplayer.exe

152 B
80 B
3
2
198.46.177.153:4532

wmplayer.exe

152 B
120 B
3
3
198.46.177.153:4532

wmplayer.exe

152 B
120 B
3
3
198.46.177.153:4532

wmplayer.exe

152 B
120 B
3
3
198.46.177.153:4532

wmplayer.exe

152 B
120 B
3
3

No results found

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/648-76-0x0000000000400000-0x000000000055E000-memory.dmp

Filesize
1.4MB

Download
memory/648-74-0x0000000000400000-0x000000000055E000-memory.dmp

Filesize
1.4MB

Download
memory/648-77-0x0000000000400000-0x000000000055E000-memory.dmp

Filesize
1.4MB

Download
memory/648-73-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/648-78-0x0000000000400000-0x000000000055E000-memory.dmp

Filesize
1.4MB

Download
memory/2764-3-0x0000000000400000-0x000000000055E000-memory.dmp

Filesize
1.4MB

Download
memory/2764-11-0x0000000000400000-0x000000000055E000-memory.dmp

Filesize
1.4MB

Download
memory/2764-12-0x0000000000400000-0x000000000055E000-memory.dmp

Filesize
1.4MB

Download
memory/2764-9-0x0000000000400000-0x000000000055E000-memory.dmp

Filesize
1.4MB

Download
memory/2764-7-0x0000000000400000-0x000000000055E000-memory.dmp

Filesize
1.4MB

Download
memory/2764-5-0x0000000000400000-0x000000000055E000-memory.dmp

Filesize
1.4MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

We care about your privacy.