warzonerat | ae0867ee2b8d439245831fa1884fc5ef80cf9e38e43d1059e8030d2c433e4040

Analysis

max time kernel
131s
max time network
115s
platform
windows10_x64
resource
win10v20201028
submitted
19-01-2021 16:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JANUARY QUOTATION FOR PRODUCT ORDER 02983H G FOR Goldolphin INDUSTRIES LTD PACKING LIST FOR 60MM.exe
Size

994KB
MD5

86c59d1e4de693a0f5d2ffe3b1cd8ef9
SHA1

64e5247411bbeff10fb09f0f8efe3d923d13f0a5
SHA256

ae0867ee2b8d439245831fa1884fc5ef80cf9e38e43d1059e8030d2c433e4040
SHA512

1ef4ea0020c2f2058b369e045a8a5eea071dd73408507ab06dcef1f1b9fbd1b8bf96ef73cb756296a4d7646185eb1e1c01814f9d23446f27ac14d625e36284c5

Score

10^/10

warzonerat infostealer rat

Malware Config

Extracted

Family

warzonerat

urchy.duckdns.org:30251

Signatures

WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
rat infostealer warzonerat

Warzone RAT Payload 3 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/2004-16-0x0000000000400000-0x0000000000554000-memory.dmp	warzonerat
behavioral2/memory/2004-17-0x0000000000405CE2-mapping.dmp	warzonerat
behavioral2/memory/2004-18-0x0000000000400000-0x0000000000554000-memory.dmp	warzonerat

Executes dropped EXE 1 IoCs

Processes:

images.exe

pid process

3944 images.exe

pid	process
3944	images.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

JANUARY QUOTATION FOR PRODUCT ORDER 02983H G FOR Goldolphin INDUSTRIES LTD PACKING LIST FOR 60MM.exe

description	pid	process	target process
PID 3888 set thread context of 2004	3888	JANUARY QUOTATION FOR PRODUCT ORDER 02983H G FOR Goldolphin INDUSTRIES LTD PACKING LIST FOR 60MM.exe	JANUARY QUOTATION FOR PRODUCT ORDER 02983H G FOR Goldolphin INDUSTRIES LTD PACKING LIST FOR 60MM.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1520 schtasks.exe

pid	process
1520	schtasks.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

JANUARY QUOTATION FOR PRODUCT ORDER 02983H G FOR Goldolphin INDUSTRIES LTD PACKING LIST FOR 60MM.exepowershell.exe

pid	process
3888	JANUARY QUOTATION FOR PRODUCT ORDER 02983H G FOR Goldolphin INDUSTRIES LTD PACKING LIST FOR 60MM.exe
3888	JANUARY QUOTATION FOR PRODUCT ORDER 02983H G FOR Goldolphin INDUSTRIES LTD PACKING LIST FOR 60MM.exe
3888	JANUARY QUOTATION FOR PRODUCT ORDER 02983H G FOR Goldolphin INDUSTRIES LTD PACKING LIST FOR 60MM.exe
3888	JANUARY QUOTATION FOR PRODUCT ORDER 02983H G FOR Goldolphin INDUSTRIES LTD PACKING LIST FOR 60MM.exe
3888	JANUARY QUOTATION FOR PRODUCT ORDER 02983H G FOR Goldolphin INDUSTRIES LTD PACKING LIST FOR 60MM.exe
1312	powershell.exe
1312	powershell.exe
1312	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

JANUARY QUOTATION FOR PRODUCT ORDER 02983H G FOR Goldolphin INDUSTRIES LTD PACKING LIST FOR 60MM.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	3888	JANUARY QUOTATION FOR PRODUCT ORDER 02983H G FOR Goldolphin INDUSTRIES LTD PACKING LIST FOR 60MM.exe
Token: SeDebugPrivilege	1312	powershell.exe

Suspicious use of WriteProcessMemory 26 IoCs

Processes:

JANUARY QUOTATION FOR PRODUCT ORDER 02983H G FOR Goldolphin INDUSTRIES LTD PACKING LIST FOR 60MM.exeJANUARY QUOTATION FOR PRODUCT ORDER 02983H G FOR Goldolphin INDUSTRIES LTD PACKING LIST FOR 60MM.exe

C:\Users\Admin\AppData\Local\Temp\JANUARY QUOTATION FOR PRODUCT ORDER 02983H G FOR Goldolphin INDUSTRIES LTD PACKING LIST FOR 60MM.exe
"C:\Users\Admin\AppData\Local\Temp\JANUARY QUOTATION FOR PRODUCT ORDER 02983H G FOR Goldolphin INDUSTRIES LTD PACKING LIST FOR 60MM.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3888

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\biBtzY" /XML "C:\Users\Admin\AppData\Local\Temp\tmp58DF.tmp"
2⤵
- Creates scheduled task(s)
PID:1520

C:\Users\Admin\AppData\Local\Temp\JANUARY QUOTATION FOR PRODUCT ORDER 02983H G FOR Goldolphin INDUSTRIES LTD PACKING LIST FOR 60MM.exe
"C:\Users\Admin\AppData\Local\Temp\JANUARY QUOTATION FOR PRODUCT ORDER 02983H G FOR Goldolphin INDUSTRIES LTD PACKING LIST FOR 60MM.exe"
2⤵
PID:4084

C:\Users\Admin\AppData\Local\Temp\JANUARY QUOTATION FOR PRODUCT ORDER 02983H G FOR Goldolphin INDUSTRIES LTD PACKING LIST FOR 60MM.exe
"C:\Users\Admin\AppData\Local\Temp\JANUARY QUOTATION FOR PRODUCT ORDER 02983H G FOR Goldolphin INDUSTRIES LTD PACKING LIST FOR 60MM.exe"
2⤵
PID:4092

C:\Users\Admin\AppData\Local\Temp\JANUARY QUOTATION FOR PRODUCT ORDER 02983H G FOR Goldolphin INDUSTRIES LTD PACKING LIST FOR 60MM.exe
"C:\Users\Admin\AppData\Local\Temp\JANUARY QUOTATION FOR PRODUCT ORDER 02983H G FOR Goldolphin INDUSTRIES LTD PACKING LIST FOR 60MM.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:2004

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell Add-MpPreference -ExclusionPath C:\
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1312

C:\ProgramData\images.exe
"C:\ProgramData\images.exe"
3⤵
- Executes dropped EXE
PID:3944

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\images.exe

MD5
86c59d1e4de693a0f5d2ffe3b1cd8ef9

SHA1
64e5247411bbeff10fb09f0f8efe3d923d13f0a5

SHA256
ae0867ee2b8d439245831fa1884fc5ef80cf9e38e43d1059e8030d2c433e4040

SHA512
1ef4ea0020c2f2058b369e045a8a5eea071dd73408507ab06dcef1f1b9fbd1b8bf96ef73cb756296a4d7646185eb1e1c01814f9d23446f27ac14d625e36284c5

Download Submit
C:\ProgramData\images.exe

MD5
86c59d1e4de693a0f5d2ffe3b1cd8ef9

SHA1
64e5247411bbeff10fb09f0f8efe3d923d13f0a5

SHA256
ae0867ee2b8d439245831fa1884fc5ef80cf9e38e43d1059e8030d2c433e4040

SHA512
1ef4ea0020c2f2058b369e045a8a5eea071dd73408507ab06dcef1f1b9fbd1b8bf96ef73cb756296a4d7646185eb1e1c01814f9d23446f27ac14d625e36284c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp58DF.tmp

MD5
8bf4c3ec91dc6cb643fd1d4a92d2abc8

SHA1
96b5b82865df0df6ee0847f94a592c333176cd23

SHA256
21b6b8ae6d621c3724c9afe29230e7f8a2d06b920aa168173d76597f174d5025

SHA512
f10a380cb39456ea4c6579c072207631a0b66198db88aa6d87c2b871f584efdc59aff9be5e156c2448ae1e053e9d7764b600fe11b9f4d4f8cf8abcbdffb57704

Download Submit
memory/1312-55-0x00000000094D0000-0x00000000094D1000-memory.dmp

Filesize
4KB

Download
memory/1312-32-0x0000000007320000-0x0000000007321000-memory.dmp

Filesize
4KB

Download
memory/1312-56-0x0000000009670000-0x0000000009671000-memory.dmp

Filesize
4KB

Download
memory/1312-35-0x00000000048B0000-0x00000000048B1000-memory.dmp

Filesize
4KB

Download
memory/1312-54-0x0000000009360000-0x0000000009361000-memory.dmp

Filesize
4KB

Download
memory/1312-47-0x00000000093A0000-0x00000000093D3000-memory.dmp

Filesize
204KB

Download
memory/1312-19-0x0000000000000000-mapping.dmp

Download
memory/1312-44-0x00000000082E0000-0x00000000082E1000-memory.dmp

Filesize
4KB

Download
memory/1312-57-0x000000007E930000-0x000000007E931000-memory.dmp

Filesize
4KB

Download
memory/1312-38-0x00000000048B2000-0x00000000048B3000-memory.dmp

Filesize
4KB

Download
memory/1312-39-0x0000000007950000-0x0000000007951000-memory.dmp

Filesize
4KB

Download
memory/1312-40-0x00000000079F0000-0x00000000079F1000-memory.dmp

Filesize
4KB

Download
memory/1312-43-0x00000000080C0000-0x00000000080C1000-memory.dmp

Filesize
4KB

Download
memory/1312-45-0x00000000084C0000-0x00000000084C1000-memory.dmp

Filesize
4KB

Download
memory/1312-58-0x00000000048B3000-0x00000000048B4000-memory.dmp

Filesize
4KB

Download
memory/1312-59-0x0000000009620000-0x0000000009621000-memory.dmp

Filesize
4KB

Download
memory/1312-61-0x0000000009610000-0x0000000009611000-memory.dmp

Filesize
4KB

Download
memory/1312-41-0x0000000007C40000-0x0000000007C41000-memory.dmp

Filesize
4KB

Download
memory/1312-27-0x00000000739E0000-0x00000000740CE000-memory.dmp

Filesize
6.9MB

Download
memory/1312-31-0x00000000048C0000-0x00000000048C1000-memory.dmp

Filesize
4KB

Download
memory/1520-14-0x0000000000000000-mapping.dmp

Download
memory/2004-17-0x0000000000405CE2-mapping.dmp

Download
memory/2004-18-0x0000000000400000-0x0000000000554000-memory.dmp

Filesize
1.3MB

Download
memory/2004-16-0x0000000000400000-0x0000000000554000-memory.dmp

Filesize
1.3MB

Download
memory/3888-13-0x0000000005EE0000-0x0000000005F35000-memory.dmp

Filesize
340KB

Download
memory/3888-8-0x0000000004E50000-0x0000000004E51000-memory.dmp

Filesize
4KB

Download
memory/3888-3-0x0000000000390000-0x0000000000391000-memory.dmp

Filesize
4KB

Download
memory/3888-5-0x0000000004D10000-0x0000000004D11000-memory.dmp

Filesize
4KB

Download
memory/3888-6-0x00000000052B0000-0x00000000052B1000-memory.dmp

Filesize
4KB

Download
memory/3888-2-0x0000000073A20000-0x000000007410E000-memory.dmp

Filesize
6.9MB

Download
memory/3888-12-0x00000000057B0000-0x00000000057D3000-memory.dmp

Filesize
140KB

Download
memory/3888-11-0x0000000004CC0000-0x0000000004CC1000-memory.dmp

Filesize
4KB

Download
memory/3888-10-0x0000000005810000-0x0000000005811000-memory.dmp

Filesize
4KB

Download
memory/3888-9-0x0000000004D00000-0x0000000004D01000-memory.dmp

Filesize
4KB

Download
memory/3888-7-0x0000000004DB0000-0x0000000004DB1000-memory.dmp

Filesize
4KB

Download
memory/3944-36-0x0000000004D70000-0x0000000004D71000-memory.dmp

Filesize
4KB

Download
memory/3944-20-0x0000000000000000-mapping.dmp

Download
memory/3944-23-0x00000000739E0000-0x00000000740CE000-memory.dmp

Filesize
6.9MB

Download
memory/3944-30-0x0000000005550000-0x0000000005551000-memory.dmp

Filesize
4KB

Download

description	pid	process	target process
PID 3888 wrote to memory of 1520	3888	JANUARY QUOTATION FOR PRODUCT ORDER 02983H G FOR Goldolphin INDUSTRIES LTD PACKING LIST FOR 60MM.exe	schtasks.exe
PID 3888 wrote to memory of 1520	3888	JANUARY QUOTATION FOR PRODUCT ORDER 02983H G FOR Goldolphin INDUSTRIES LTD PACKING LIST FOR 60MM.exe	schtasks.exe
PID 3888 wrote to memory of 1520	3888	JANUARY QUOTATION FOR PRODUCT ORDER 02983H G FOR Goldolphin INDUSTRIES LTD PACKING LIST FOR 60MM.exe	schtasks.exe
PID 3888 wrote to memory of 4084	3888	JANUARY QUOTATION FOR PRODUCT ORDER 02983H G FOR Goldolphin INDUSTRIES LTD PACKING LIST FOR 60MM.exe	JANUARY QUOTATION FOR PRODUCT ORDER 02983H G FOR Goldolphin INDUSTRIES LTD PACKING LIST FOR 60MM.exe
PID 3888 wrote to memory of 4084	3888	JANUARY QUOTATION FOR PRODUCT ORDER 02983H G FOR Goldolphin INDUSTRIES LTD PACKING LIST FOR 60MM.exe	JANUARY QUOTATION FOR PRODUCT ORDER 02983H G FOR Goldolphin INDUSTRIES LTD PACKING LIST FOR 60MM.exe
PID 3888 wrote to memory of 4084	3888	JANUARY QUOTATION FOR PRODUCT ORDER 02983H G FOR Goldolphin INDUSTRIES LTD PACKING LIST FOR 60MM.exe	JANUARY QUOTATION FOR PRODUCT ORDER 02983H G FOR Goldolphin INDUSTRIES LTD PACKING LIST FOR 60MM.exe
PID 3888 wrote to memory of 4092	3888	JANUARY QUOTATION FOR PRODUCT ORDER 02983H G FOR Goldolphin INDUSTRIES LTD PACKING LIST FOR 60MM.exe	JANUARY QUOTATION FOR PRODUCT ORDER 02983H G FOR Goldolphin INDUSTRIES LTD PACKING LIST FOR 60MM.exe
PID 3888 wrote to memory of 4092	3888	JANUARY QUOTATION FOR PRODUCT ORDER 02983H G FOR Goldolphin INDUSTRIES LTD PACKING LIST FOR 60MM.exe	JANUARY QUOTATION FOR PRODUCT ORDER 02983H G FOR Goldolphin INDUSTRIES LTD PACKING LIST FOR 60MM.exe
PID 3888 wrote to memory of 4092	3888	JANUARY QUOTATION FOR PRODUCT ORDER 02983H G FOR Goldolphin INDUSTRIES LTD PACKING LIST FOR 60MM.exe	JANUARY QUOTATION FOR PRODUCT ORDER 02983H G FOR Goldolphin INDUSTRIES LTD PACKING LIST FOR 60MM.exe
PID 3888 wrote to memory of 2004	3888	JANUARY QUOTATION FOR PRODUCT ORDER 02983H G FOR Goldolphin INDUSTRIES LTD PACKING LIST FOR 60MM.exe	JANUARY QUOTATION FOR PRODUCT ORDER 02983H G FOR Goldolphin INDUSTRIES LTD PACKING LIST FOR 60MM.exe
PID 3888 wrote to memory of 2004	3888	JANUARY QUOTATION FOR PRODUCT ORDER 02983H G FOR Goldolphin INDUSTRIES LTD PACKING LIST FOR 60MM.exe	JANUARY QUOTATION FOR PRODUCT ORDER 02983H G FOR Goldolphin INDUSTRIES LTD PACKING LIST FOR 60MM.exe
PID 3888 wrote to memory of 2004	3888	JANUARY QUOTATION FOR PRODUCT ORDER 02983H G FOR Goldolphin INDUSTRIES LTD PACKING LIST FOR 60MM.exe	JANUARY QUOTATION FOR PRODUCT ORDER 02983H G FOR Goldolphin INDUSTRIES LTD PACKING LIST FOR 60MM.exe
PID 3888 wrote to memory of 2004	3888	JANUARY QUOTATION FOR PRODUCT ORDER 02983H G FOR Goldolphin INDUSTRIES LTD PACKING LIST FOR 60MM.exe	JANUARY QUOTATION FOR PRODUCT ORDER 02983H G FOR Goldolphin INDUSTRIES LTD PACKING LIST FOR 60MM.exe
PID 3888 wrote to memory of 2004	3888	JANUARY QUOTATION FOR PRODUCT ORDER 02983H G FOR Goldolphin INDUSTRIES LTD PACKING LIST FOR 60MM.exe	JANUARY QUOTATION FOR PRODUCT ORDER 02983H G FOR Goldolphin INDUSTRIES LTD PACKING LIST FOR 60MM.exe
PID 3888 wrote to memory of 2004	3888	JANUARY QUOTATION FOR PRODUCT ORDER 02983H G FOR Goldolphin INDUSTRIES LTD PACKING LIST FOR 60MM.exe	JANUARY QUOTATION FOR PRODUCT ORDER 02983H G FOR Goldolphin INDUSTRIES LTD PACKING LIST FOR 60MM.exe
PID 3888 wrote to memory of 2004	3888	JANUARY QUOTATION FOR PRODUCT ORDER 02983H G FOR Goldolphin INDUSTRIES LTD PACKING LIST FOR 60MM.exe	JANUARY QUOTATION FOR PRODUCT ORDER 02983H G FOR Goldolphin INDUSTRIES LTD PACKING LIST FOR 60MM.exe
PID 3888 wrote to memory of 2004	3888	JANUARY QUOTATION FOR PRODUCT ORDER 02983H G FOR Goldolphin INDUSTRIES LTD PACKING LIST FOR 60MM.exe	JANUARY QUOTATION FOR PRODUCT ORDER 02983H G FOR Goldolphin INDUSTRIES LTD PACKING LIST FOR 60MM.exe
PID 3888 wrote to memory of 2004	3888	JANUARY QUOTATION FOR PRODUCT ORDER 02983H G FOR Goldolphin INDUSTRIES LTD PACKING LIST FOR 60MM.exe	JANUARY QUOTATION FOR PRODUCT ORDER 02983H G FOR Goldolphin INDUSTRIES LTD PACKING LIST FOR 60MM.exe
PID 3888 wrote to memory of 2004	3888	JANUARY QUOTATION FOR PRODUCT ORDER 02983H G FOR Goldolphin INDUSTRIES LTD PACKING LIST FOR 60MM.exe	JANUARY QUOTATION FOR PRODUCT ORDER 02983H G FOR Goldolphin INDUSTRIES LTD PACKING LIST FOR 60MM.exe
PID 3888 wrote to memory of 2004	3888	JANUARY QUOTATION FOR PRODUCT ORDER 02983H G FOR Goldolphin INDUSTRIES LTD PACKING LIST FOR 60MM.exe	JANUARY QUOTATION FOR PRODUCT ORDER 02983H G FOR Goldolphin INDUSTRIES LTD PACKING LIST FOR 60MM.exe
PID 2004 wrote to memory of 1312	2004	JANUARY QUOTATION FOR PRODUCT ORDER 02983H G FOR Goldolphin INDUSTRIES LTD PACKING LIST FOR 60MM.exe	powershell.exe
PID 2004 wrote to memory of 1312	2004	JANUARY QUOTATION FOR PRODUCT ORDER 02983H G FOR Goldolphin INDUSTRIES LTD PACKING LIST FOR 60MM.exe	powershell.exe
PID 2004 wrote to memory of 1312	2004	JANUARY QUOTATION FOR PRODUCT ORDER 02983H G FOR Goldolphin INDUSTRIES LTD PACKING LIST FOR 60MM.exe	powershell.exe
PID 2004 wrote to memory of 3944	2004	JANUARY QUOTATION FOR PRODUCT ORDER 02983H G FOR Goldolphin INDUSTRIES LTD PACKING LIST FOR 60MM.exe	images.exe
PID 2004 wrote to memory of 3944	2004	JANUARY QUOTATION FOR PRODUCT ORDER 02983H G FOR Goldolphin INDUSTRIES LTD PACKING LIST FOR 60MM.exe	images.exe
PID 2004 wrote to memory of 3944	2004	JANUARY QUOTATION FOR PRODUCT ORDER 02983H G FOR Goldolphin INDUSTRIES LTD PACKING LIST FOR 60MM.exe	images.exe