warzonerat | 43e4f5b32d6b7149da6cddf0b59b3758f20e7ec1251b6b0e88a0e3a74967d1c3

Analysis

max time kernel
147s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
01-07-2024 19:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

test.exe
Size

132KB
MD5

0c3df708e8a038652d1e524fddef59a9
SHA1

d2666c9438089bd886da4f117a7f95a7dd1b78e9
SHA256

43e4f5b32d6b7149da6cddf0b59b3758f20e7ec1251b6b0e88a0e3a74967d1c3
SHA512

bda314ebb977dc112fd072e5bdc999b91eba220f7eae83497dd8972beace6258d32d51eaf27f2e9ff5c37f3d7e458bbcfc72cc7ce02407fc667446bbf5b7cffd
SSDEEP

3072:K7W9jps0Tx4azG6GweOTir5axbjNCz45LT7a:KwpsERzGKurEXCzeLT7a

Score

10^/10

warzonerat execution infostealer persistence rat

Malware Config

Signatures

WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
rat infostealer warzonerat
Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
execution

PowerShell
T1059.001

Processes:

powershell.exe

pid process

1604 powershell.exe
Adds Run key to start application 2 TTPs 1 IoCs
persistence

Registry Run Keys / Startup Folder
T1547.001

Modify Registry
T1112

Processes:

test.exe

description ioc process

Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Images = "C:\\Users\\Admin\\AppData\\Local\\Temp\\test.exe" test.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

powershell.exe

pid process

1604 powershell.exe
1604 powershell.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

powershell.exe

description pid process

Token: SeDebugPrivilege 1604 powershell.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

test.exe

pid process

3992 test.exe

pid	process
1604	powershell.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Images = "C:\\Users\\Admin\\AppData\\Local\\Temp\\test.exe"	test.exe

pid	process
1604	powershell.exe
1604	powershell.exe

description	pid	process
Token: SeDebugPrivilege	1604	powershell.exe

pid	process
3992	test.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

test.exe

description	pid	process	target process
PID 3992 wrote to memory of 1604	3992	test.exe	powershell.exe
PID 3992 wrote to memory of 1604	3992	test.exe	powershell.exe
PID 3992 wrote to memory of 1604	3992	test.exe	powershell.exe
PID 3992 wrote to memory of 3184	3992	test.exe	cmd.exe
PID 3992 wrote to memory of 3184	3992	test.exe	cmd.exe
PID 3992 wrote to memory of 3184	3992	test.exe	cmd.exe
PID 3992 wrote to memory of 3184	3992	test.exe	cmd.exe
PID 3992 wrote to memory of 3184	3992	test.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\test.exe
"C:\Users\Admin\AppData\Local\Temp\test.exe"
1⤵
- Adds Run key to start application
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3992

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell Add-MpPreference -ExclusionPath C:\
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1604

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe"
2⤵
PID:3184

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=1424,i,4778049104057176787,6631751660692402210,262144 --variations-seed-version --mojo-platform-channel-handle=3980 /prefetch:8
1⤵
PID:1844

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_4zqe5ic2.eyc.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
memory/1604-20-0x000000006FD40000-0x000000006FD8C000-memory.dmp

Filesize
304KB

Download
memory/1604-5-0x0000000005630000-0x0000000005696000-memory.dmp

Filesize
408KB

Download
memory/1604-19-0x0000000006240000-0x0000000006272000-memory.dmp

Filesize
200KB

Download
memory/1604-4-0x0000000004DD0000-0x0000000004DF2000-memory.dmp

Filesize
136KB

Download
memory/1604-33-0x00000000734C0000-0x0000000073C70000-memory.dmp

Filesize
7.7MB

Download
memory/1604-6-0x00000000056A0000-0x0000000005706000-memory.dmp

Filesize
408KB

Download
memory/1604-1-0x0000000002370000-0x00000000023A6000-memory.dmp

Filesize
216KB

Download
memory/1604-16-0x0000000005710000-0x0000000005A64000-memory.dmp

Filesize
3.3MB

Download
memory/1604-17-0x0000000005C80000-0x0000000005C9E000-memory.dmp

Filesize
120KB

Download
memory/1604-18-0x0000000005CD0000-0x0000000005D1C000-memory.dmp

Filesize
304KB

Download
memory/1604-30-0x00000000062A0000-0x00000000062BE000-memory.dmp

Filesize
120KB

Download
memory/1604-34-0x00000000734C0000-0x0000000073C70000-memory.dmp

Filesize
7.7MB

Download
memory/1604-32-0x0000000006E70000-0x0000000006F13000-memory.dmp

Filesize
652KB

Download
memory/1604-0-0x00000000734CE000-0x00000000734CF000-memory.dmp

Filesize
4KB

Download
memory/1604-3-0x0000000004E90000-0x00000000054B8000-memory.dmp

Filesize
6.2MB

Download
memory/1604-2-0x00000000734C0000-0x0000000073C70000-memory.dmp

Filesize
7.7MB

Download
memory/1604-31-0x00000000734C0000-0x0000000073C70000-memory.dmp

Filesize
7.7MB

Download
memory/1604-36-0x0000000006FB0000-0x0000000006FCA000-memory.dmp

Filesize
104KB

Download
memory/1604-35-0x00000000075F0000-0x0000000007C6A000-memory.dmp

Filesize
6.5MB

Download
memory/1604-37-0x0000000007020000-0x000000000702A000-memory.dmp

Filesize
40KB

Download
memory/1604-38-0x0000000007230000-0x00000000072C6000-memory.dmp

Filesize
600KB

Download
memory/1604-39-0x00000000071B0000-0x00000000071C1000-memory.dmp

Filesize
68KB

Download
memory/1604-48-0x00000000734C0000-0x0000000073C70000-memory.dmp

Filesize
7.7MB

Download
memory/1604-42-0x00000000071E0000-0x00000000071EE000-memory.dmp

Filesize
56KB

Download
memory/1604-43-0x00000000071F0000-0x0000000007204000-memory.dmp

Filesize
80KB

Download
memory/1604-44-0x00000000072F0000-0x000000000730A000-memory.dmp

Filesize
104KB

Download
memory/1604-45-0x00000000072D0000-0x00000000072D8000-memory.dmp

Filesize
32KB

Download
memory/3184-40-0x00000000008B0000-0x00000000008B1000-memory.dmp

Filesize
4KB

Download
memory/3992-49-0x000000000B2A0000-0x000000000B440000-memory.dmp

Filesize
1.6MB

Download