warzonerat | ae0867ee2b8d439245831fa1884fc5ef80cf9e38e43d1059e8030d2c433e4040

General

Target

JANUARY QUOTATION FOR PRODUCT ORDER 02983H G FOR Goldolphin INDUSTRIES LTD PACKING LIST FOR 60MM.exe
Size

994KB
MD5

86c59d1e4de693a0f5d2ffe3b1cd8ef9
SHA1

64e5247411bbeff10fb09f0f8efe3d923d13f0a5
SHA256

ae0867ee2b8d439245831fa1884fc5ef80cf9e38e43d1059e8030d2c433e4040
SHA512

1ef4ea0020c2f2058b369e045a8a5eea071dd73408507ab06dcef1f1b9fbd1b8bf96ef73cb756296a4d7646185eb1e1c01814f9d23446f27ac14d625e36284c5

Score

10^/10

warzonerat infostealer rat

Malware Config

Extracted

Family

warzonerat

C2

urchy.duckdns.org:30251

Signatures

WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
rat infostealer warzonerat

Warzone RAT Payload 3 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/864-10-0x0000000000400000-0x0000000000554000-memory.dmp	warzonerat
behavioral1/memory/864-11-0x0000000000405CE2-mapping.dmp	warzonerat
behavioral1/memory/864-13-0x0000000000400000-0x0000000000554000-memory.dmp	warzonerat

Executes dropped EXE 1 IoCs

Processes:

images.exe

pid process

1476 images.exe
Loads dropped DLL 1 IoCs

Processes:

JANUARY QUOTATION FOR PRODUCT ORDER 02983H G FOR Goldolphin INDUSTRIES LTD PACKING LIST FOR 60MM.exe

pid process

864 JANUARY QUOTATION FOR PRODUCT ORDER 02983H G FOR Goldolphin INDUSTRIES LTD PACKING LIST FOR 60MM.exe

pid	process
1476	images.exe

pid	process
864	JANUARY QUOTATION FOR PRODUCT ORDER 02983H G FOR Goldolphin INDUSTRIES LTD PACKING LIST FOR 60MM.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

JANUARY QUOTATION FOR PRODUCT ORDER 02983H G FOR Goldolphin INDUSTRIES LTD PACKING LIST FOR 60MM.exe

description	pid	process	target process
PID 1832 set thread context of 864	1832	JANUARY QUOTATION FOR PRODUCT ORDER 02983H G FOR Goldolphin INDUSTRIES LTD PACKING LIST FOR 60MM.exe	JANUARY QUOTATION FOR PRODUCT ORDER 02983H G FOR Goldolphin INDUSTRIES LTD PACKING LIST FOR 60MM.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1292 schtasks.exe
Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

JANUARY QUOTATION FOR PRODUCT ORDER 02983H G FOR Goldolphin INDUSTRIES LTD PACKING LIST FOR 60MM.exepowershell.exe

pid process

1832 JANUARY QUOTATION FOR PRODUCT ORDER 02983H G FOR Goldolphin INDUSTRIES LTD PACKING LIST FOR 60MM.exe
572 powershell.exe
572 powershell.exe

pid	process
1292	schtasks.exe

pid	process
1832	JANUARY QUOTATION FOR PRODUCT ORDER 02983H G FOR Goldolphin INDUSTRIES LTD PACKING LIST FOR 60MM.exe
572	powershell.exe
572	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

JANUARY QUOTATION FOR PRODUCT ORDER 02983H G FOR Goldolphin INDUSTRIES LTD PACKING LIST FOR 60MM.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	1832	JANUARY QUOTATION FOR PRODUCT ORDER 02983H G FOR Goldolphin INDUSTRIES LTD PACKING LIST FOR 60MM.exe
Token: SeDebugPrivilege	572	powershell.exe

Suspicious use of WriteProcessMemory 24 IoCs

Processes:

JANUARY QUOTATION FOR PRODUCT ORDER 02983H G FOR Goldolphin INDUSTRIES LTD PACKING LIST FOR 60MM.exeJANUARY QUOTATION FOR PRODUCT ORDER 02983H G FOR Goldolphin INDUSTRIES LTD PACKING LIST FOR 60MM.exe

description	pid	process	target process
PID 1832 wrote to memory of 1292	1832	JANUARY QUOTATION FOR PRODUCT ORDER 02983H G FOR Goldolphin INDUSTRIES LTD PACKING LIST FOR 60MM.exe	schtasks.exe
PID 1832 wrote to memory of 1292	1832	JANUARY QUOTATION FOR PRODUCT ORDER 02983H G FOR Goldolphin INDUSTRIES LTD PACKING LIST FOR 60MM.exe	schtasks.exe
PID 1832 wrote to memory of 1292	1832	JANUARY QUOTATION FOR PRODUCT ORDER 02983H G FOR Goldolphin INDUSTRIES LTD PACKING LIST FOR 60MM.exe	schtasks.exe
PID 1832 wrote to memory of 1292	1832	JANUARY QUOTATION FOR PRODUCT ORDER 02983H G FOR Goldolphin INDUSTRIES LTD PACKING LIST FOR 60MM.exe	schtasks.exe
PID 1832 wrote to memory of 864	1832	JANUARY QUOTATION FOR PRODUCT ORDER 02983H G FOR Goldolphin INDUSTRIES LTD PACKING LIST FOR 60MM.exe	JANUARY QUOTATION FOR PRODUCT ORDER 02983H G FOR Goldolphin INDUSTRIES LTD PACKING LIST FOR 60MM.exe
PID 1832 wrote to memory of 864	1832	JANUARY QUOTATION FOR PRODUCT ORDER 02983H G FOR Goldolphin INDUSTRIES LTD PACKING LIST FOR 60MM.exe	JANUARY QUOTATION FOR PRODUCT ORDER 02983H G FOR Goldolphin INDUSTRIES LTD PACKING LIST FOR 60MM.exe
PID 1832 wrote to memory of 864	1832	JANUARY QUOTATION FOR PRODUCT ORDER 02983H G FOR Goldolphin INDUSTRIES LTD PACKING LIST FOR 60MM.exe	JANUARY QUOTATION FOR PRODUCT ORDER 02983H G FOR Goldolphin INDUSTRIES LTD PACKING LIST FOR 60MM.exe
PID 1832 wrote to memory of 864	1832	JANUARY QUOTATION FOR PRODUCT ORDER 02983H G FOR Goldolphin INDUSTRIES LTD PACKING LIST FOR 60MM.exe	JANUARY QUOTATION FOR PRODUCT ORDER 02983H G FOR Goldolphin INDUSTRIES LTD PACKING LIST FOR 60MM.exe
PID 1832 wrote to memory of 864	1832	JANUARY QUOTATION FOR PRODUCT ORDER 02983H G FOR Goldolphin INDUSTRIES LTD PACKING LIST FOR 60MM.exe	JANUARY QUOTATION FOR PRODUCT ORDER 02983H G FOR Goldolphin INDUSTRIES LTD PACKING LIST FOR 60MM.exe
PID 1832 wrote to memory of 864	1832	JANUARY QUOTATION FOR PRODUCT ORDER 02983H G FOR Goldolphin INDUSTRIES LTD PACKING LIST FOR 60MM.exe	JANUARY QUOTATION FOR PRODUCT ORDER 02983H G FOR Goldolphin INDUSTRIES LTD PACKING LIST FOR 60MM.exe
PID 1832 wrote to memory of 864	1832	JANUARY QUOTATION FOR PRODUCT ORDER 02983H G FOR Goldolphin INDUSTRIES LTD PACKING LIST FOR 60MM.exe	JANUARY QUOTATION FOR PRODUCT ORDER 02983H G FOR Goldolphin INDUSTRIES LTD PACKING LIST FOR 60MM.exe
PID 1832 wrote to memory of 864	1832	JANUARY QUOTATION FOR PRODUCT ORDER 02983H G FOR Goldolphin INDUSTRIES LTD PACKING LIST FOR 60MM.exe	JANUARY QUOTATION FOR PRODUCT ORDER 02983H G FOR Goldolphin INDUSTRIES LTD PACKING LIST FOR 60MM.exe
PID 1832 wrote to memory of 864	1832	JANUARY QUOTATION FOR PRODUCT ORDER 02983H G FOR Goldolphin INDUSTRIES LTD PACKING LIST FOR 60MM.exe	JANUARY QUOTATION FOR PRODUCT ORDER 02983H G FOR Goldolphin INDUSTRIES LTD PACKING LIST FOR 60MM.exe
PID 1832 wrote to memory of 864	1832	JANUARY QUOTATION FOR PRODUCT ORDER 02983H G FOR Goldolphin INDUSTRIES LTD PACKING LIST FOR 60MM.exe	JANUARY QUOTATION FOR PRODUCT ORDER 02983H G FOR Goldolphin INDUSTRIES LTD PACKING LIST FOR 60MM.exe
PID 1832 wrote to memory of 864	1832	JANUARY QUOTATION FOR PRODUCT ORDER 02983H G FOR Goldolphin INDUSTRIES LTD PACKING LIST FOR 60MM.exe	JANUARY QUOTATION FOR PRODUCT ORDER 02983H G FOR Goldolphin INDUSTRIES LTD PACKING LIST FOR 60MM.exe
PID 1832 wrote to memory of 864	1832	JANUARY QUOTATION FOR PRODUCT ORDER 02983H G FOR Goldolphin INDUSTRIES LTD PACKING LIST FOR 60MM.exe	JANUARY QUOTATION FOR PRODUCT ORDER 02983H G FOR Goldolphin INDUSTRIES LTD PACKING LIST FOR 60MM.exe
PID 864 wrote to memory of 572	864	JANUARY QUOTATION FOR PRODUCT ORDER 02983H G FOR Goldolphin INDUSTRIES LTD PACKING LIST FOR 60MM.exe	powershell.exe
PID 864 wrote to memory of 572	864	JANUARY QUOTATION FOR PRODUCT ORDER 02983H G FOR Goldolphin INDUSTRIES LTD PACKING LIST FOR 60MM.exe	powershell.exe
PID 864 wrote to memory of 572	864	JANUARY QUOTATION FOR PRODUCT ORDER 02983H G FOR Goldolphin INDUSTRIES LTD PACKING LIST FOR 60MM.exe	powershell.exe
PID 864 wrote to memory of 572	864	JANUARY QUOTATION FOR PRODUCT ORDER 02983H G FOR Goldolphin INDUSTRIES LTD PACKING LIST FOR 60MM.exe	powershell.exe
PID 864 wrote to memory of 1476	864	JANUARY QUOTATION FOR PRODUCT ORDER 02983H G FOR Goldolphin INDUSTRIES LTD PACKING LIST FOR 60MM.exe	images.exe
PID 864 wrote to memory of 1476	864	JANUARY QUOTATION FOR PRODUCT ORDER 02983H G FOR Goldolphin INDUSTRIES LTD PACKING LIST FOR 60MM.exe	images.exe
PID 864 wrote to memory of 1476	864	JANUARY QUOTATION FOR PRODUCT ORDER 02983H G FOR Goldolphin INDUSTRIES LTD PACKING LIST FOR 60MM.exe	images.exe
PID 864 wrote to memory of 1476	864	JANUARY QUOTATION FOR PRODUCT ORDER 02983H G FOR Goldolphin INDUSTRIES LTD PACKING LIST FOR 60MM.exe	images.exe

C:\Users\Admin\AppData\Local\Temp\JANUARY QUOTATION FOR PRODUCT ORDER 02983H G FOR Goldolphin INDUSTRIES LTD PACKING LIST FOR 60MM.exe
"C:\Users\Admin\AppData\Local\Temp\JANUARY QUOTATION FOR PRODUCT ORDER 02983H G FOR Goldolphin INDUSTRIES LTD PACKING LIST FOR 60MM.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1832

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\biBtzY" /XML "C:\Users\Admin\AppData\Local\Temp\tmp6384.tmp"
2⤵
- Creates scheduled task(s)
PID:1292

C:\Users\Admin\AppData\Local\Temp\JANUARY QUOTATION FOR PRODUCT ORDER 02983H G FOR Goldolphin INDUSTRIES LTD PACKING LIST FOR 60MM.exe
"C:\Users\Admin\AppData\Local\Temp\JANUARY QUOTATION FOR PRODUCT ORDER 02983H G FOR Goldolphin INDUSTRIES LTD PACKING LIST FOR 60MM.exe"
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:864

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell Add-MpPreference -ExclusionPath C:\
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:572

C:\ProgramData\images.exe
"C:\ProgramData\images.exe"
3⤵
- Executes dropped EXE
PID:1476

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\images.exe

MD5
86c59d1e4de693a0f5d2ffe3b1cd8ef9

SHA1
64e5247411bbeff10fb09f0f8efe3d923d13f0a5

SHA256
ae0867ee2b8d439245831fa1884fc5ef80cf9e38e43d1059e8030d2c433e4040

SHA512
1ef4ea0020c2f2058b369e045a8a5eea071dd73408507ab06dcef1f1b9fbd1b8bf96ef73cb756296a4d7646185eb1e1c01814f9d23446f27ac14d625e36284c5

Download Submit
C:\ProgramData\images.exe

MD5
86c59d1e4de693a0f5d2ffe3b1cd8ef9

SHA1
64e5247411bbeff10fb09f0f8efe3d923d13f0a5

SHA256
ae0867ee2b8d439245831fa1884fc5ef80cf9e38e43d1059e8030d2c433e4040

SHA512
1ef4ea0020c2f2058b369e045a8a5eea071dd73408507ab06dcef1f1b9fbd1b8bf96ef73cb756296a4d7646185eb1e1c01814f9d23446f27ac14d625e36284c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp6384.tmp

MD5
f66f77bcf974f87db0a55bdc3ea95e39

SHA1
48b6e70ab1643271fedcde9fcea33a73adcb31ae

SHA256
6078cc1f37dec442f9cbe20191e0c3bf25db024672a19c795c579375054a1274

SHA512
7ee118c1ae6d87cd3be33b293a36a0170f2685c9fab9895c4cf767ef0bb5214322d5f183ce5d089fa769841ede7746e6e951b70099d7e6931b4f86c3715fa02a

Download Submit
\ProgramData\images.exe

MD5
86c59d1e4de693a0f5d2ffe3b1cd8ef9

SHA1
64e5247411bbeff10fb09f0f8efe3d923d13f0a5

SHA256
ae0867ee2b8d439245831fa1884fc5ef80cf9e38e43d1059e8030d2c433e4040

SHA512
1ef4ea0020c2f2058b369e045a8a5eea071dd73408507ab06dcef1f1b9fbd1b8bf96ef73cb756296a4d7646185eb1e1c01814f9d23446f27ac14d625e36284c5

Download Submit
memory/572-47-0x0000000006280000-0x0000000006281000-memory.dmp

Filesize
4KB

Download
memory/572-14-0x0000000000000000-mapping.dmp

Download
memory/572-48-0x0000000006220000-0x0000000006221000-memory.dmp

Filesize
4KB

Download
memory/572-40-0x0000000006140000-0x0000000006141000-memory.dmp

Filesize
4KB

Download
memory/572-39-0x0000000006040000-0x0000000006041000-memory.dmp

Filesize
4KB

Download
memory/572-34-0x0000000005FE0000-0x0000000005FE1000-memory.dmp

Filesize
4KB

Download
memory/572-31-0x0000000005280000-0x0000000005281000-memory.dmp

Filesize
4KB

Download
memory/572-26-0x0000000000990000-0x0000000000991000-memory.dmp

Filesize
4KB

Download
memory/572-62-0x0000000006300000-0x0000000006301000-memory.dmp

Filesize
4KB

Download
memory/572-30-0x0000000002480000-0x0000000002481000-memory.dmp

Filesize
4KB

Download
memory/572-63-0x0000000006310000-0x0000000006311000-memory.dmp

Filesize
4KB

Download
memory/572-64-0x000000007EF30000-0x000000007EF31000-memory.dmp

Filesize
4KB

Download
memory/572-29-0x0000000002902000-0x0000000002903000-memory.dmp

Filesize
4KB

Download
memory/572-28-0x0000000002900000-0x0000000002901000-memory.dmp

Filesize
4KB

Download
memory/572-27-0x0000000004990000-0x0000000004991000-memory.dmp

Filesize
4KB

Download
memory/572-25-0x0000000074620000-0x0000000074D0E000-memory.dmp

Filesize
6.9MB

Download
memory/864-11-0x0000000000405CE2-mapping.dmp

Download
memory/864-13-0x0000000000400000-0x0000000000554000-memory.dmp

Filesize
1.3MB

Download
memory/864-12-0x0000000076371000-0x0000000076373000-memory.dmp

Filesize
8KB

Download
memory/864-10-0x0000000000400000-0x0000000000554000-memory.dmp

Filesize
1.3MB

Download
memory/1292-8-0x0000000000000000-mapping.dmp

Download
memory/1476-21-0x0000000000B10000-0x0000000000B11000-memory.dmp

Filesize
4KB

Download
memory/1476-20-0x0000000074620000-0x0000000074D0E000-memory.dmp

Filesize
6.9MB

Download
memory/1476-16-0x0000000000000000-mapping.dmp

Download
memory/1476-24-0x0000000000730000-0x0000000000731000-memory.dmp

Filesize
4KB

Download
memory/1832-2-0x0000000074900000-0x0000000074FEE000-memory.dmp

Filesize
6.9MB

Download
memory/1832-7-0x00000000048E0000-0x0000000004935000-memory.dmp

Filesize
340KB

Download
memory/1832-6-0x0000000004B90000-0x0000000004B91000-memory.dmp

Filesize
4KB

Download
memory/1832-5-0x00000000003A0000-0x00000000003C3000-memory.dmp

Filesize
140KB

Download
memory/1832-3-0x0000000001180000-0x0000000001181000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads