warzonerat | ae0867ee2b8d439245831fa1884fc5ef80cf9e38e43d1059e8030d2c433e4040

General

Target

JANUARY QUOTATION FOR PRODUCT ORDER 02983H G FOR Goldolphin INDUSTRIES LTD PACKING LIST FOR 60MM.exe
Size

994KB
MD5

86c59d1e4de693a0f5d2ffe3b1cd8ef9
SHA1

64e5247411bbeff10fb09f0f8efe3d923d13f0a5
SHA256

ae0867ee2b8d439245831fa1884fc5ef80cf9e38e43d1059e8030d2c433e4040
SHA512

1ef4ea0020c2f2058b369e045a8a5eea071dd73408507ab06dcef1f1b9fbd1b8bf96ef73cb756296a4d7646185eb1e1c01814f9d23446f27ac14d625e36284c5

Score

10^/10

warzonerat infostealer rat

Malware Config

Extracted

Family

warzonerat

C2

urchy.duckdns.org:30251

Signatures

WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
rat infostealer warzonerat

Warzone RAT Payload 3 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/2004-16-0x0000000000400000-0x0000000000554000-memory.dmp	warzonerat
behavioral2/memory/2004-17-0x0000000000405CE2-mapping.dmp	warzonerat
behavioral2/memory/2004-18-0x0000000000400000-0x0000000000554000-memory.dmp	warzonerat

Executes dropped EXE 1 IoCs

Processes:

images.exe

pid process

3944 images.exe

pid	process
3944	images.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

JANUARY QUOTATION FOR PRODUCT ORDER 02983H G FOR Goldolphin INDUSTRIES LTD PACKING LIST FOR 60MM.exe

description	pid	process	target process
PID 3888 set thread context of 2004	3888	JANUARY QUOTATION FOR PRODUCT ORDER 02983H G FOR Goldolphin INDUSTRIES LTD PACKING LIST FOR 60MM.exe	JANUARY QUOTATION FOR PRODUCT ORDER 02983H G FOR Goldolphin INDUSTRIES LTD PACKING LIST FOR 60MM.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1520 schtasks.exe

pid	process
1520	schtasks.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

JANUARY QUOTATION FOR PRODUCT ORDER 02983H G FOR Goldolphin INDUSTRIES LTD PACKING LIST FOR 60MM.exepowershell.exe

pid	process
3888	JANUARY QUOTATION FOR PRODUCT ORDER 02983H G FOR Goldolphin INDUSTRIES LTD PACKING LIST FOR 60MM.exe
3888	JANUARY QUOTATION FOR PRODUCT ORDER 02983H G FOR Goldolphin INDUSTRIES LTD PACKING LIST FOR 60MM.exe
3888	JANUARY QUOTATION FOR PRODUCT ORDER 02983H G FOR Goldolphin INDUSTRIES LTD PACKING LIST FOR 60MM.exe
3888	JANUARY QUOTATION FOR PRODUCT ORDER 02983H G FOR Goldolphin INDUSTRIES LTD PACKING LIST FOR 60MM.exe
3888	JANUARY QUOTATION FOR PRODUCT ORDER 02983H G FOR Goldolphin INDUSTRIES LTD PACKING LIST FOR 60MM.exe
1312	powershell.exe
1312	powershell.exe
1312	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

JANUARY QUOTATION FOR PRODUCT ORDER 02983H G FOR Goldolphin INDUSTRIES LTD PACKING LIST FOR 60MM.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	3888	JANUARY QUOTATION FOR PRODUCT ORDER 02983H G FOR Goldolphin INDUSTRIES LTD PACKING LIST FOR 60MM.exe
Token: SeDebugPrivilege	1312	powershell.exe

Suspicious use of WriteProcessMemory 26 IoCs

Processes:

JANUARY QUOTATION FOR PRODUCT ORDER 02983H G FOR Goldolphin INDUSTRIES LTD PACKING LIST FOR 60MM.exeJANUARY QUOTATION FOR PRODUCT ORDER 02983H G FOR Goldolphin INDUSTRIES LTD PACKING LIST FOR 60MM.exe

C:\Users\Admin\AppData\Local\Temp\JANUARY QUOTATION FOR PRODUCT ORDER 02983H G FOR Goldolphin INDUSTRIES LTD PACKING LIST FOR 60MM.exe
"C:\Users\Admin\AppData\Local\Temp\JANUARY QUOTATION FOR PRODUCT ORDER 02983H G FOR Goldolphin INDUSTRIES LTD PACKING LIST FOR 60MM.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3888

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\biBtzY" /XML "C:\Users\Admin\AppData\Local\Temp\tmp58DF.tmp"
2⤵
- Creates scheduled task(s)
PID:1520

C:\Users\Admin\AppData\Local\Temp\JANUARY QUOTATION FOR PRODUCT ORDER 02983H G FOR Goldolphin INDUSTRIES LTD PACKING LIST FOR 60MM.exe
"C:\Users\Admin\AppData\Local\Temp\JANUARY QUOTATION FOR PRODUCT ORDER 02983H G FOR Goldolphin INDUSTRIES LTD PACKING LIST FOR 60MM.exe"
2⤵
PID:4084

C:\Users\Admin\AppData\Local\Temp\JANUARY QUOTATION FOR PRODUCT ORDER 02983H G FOR Goldolphin INDUSTRIES LTD PACKING LIST FOR 60MM.exe
"C:\Users\Admin\AppData\Local\Temp\JANUARY QUOTATION FOR PRODUCT ORDER 02983H G FOR Goldolphin INDUSTRIES LTD PACKING LIST FOR 60MM.exe"
2⤵
PID:4092

C:\Users\Admin\AppData\Local\Temp\JANUARY QUOTATION FOR PRODUCT ORDER 02983H G FOR Goldolphin INDUSTRIES LTD PACKING LIST FOR 60MM.exe
"C:\Users\Admin\AppData\Local\Temp\JANUARY QUOTATION FOR PRODUCT ORDER 02983H G FOR Goldolphin INDUSTRIES LTD PACKING LIST FOR 60MM.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:2004

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell Add-MpPreference -ExclusionPath C:\
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1312

C:\ProgramData\images.exe
"C:\ProgramData\images.exe"
3⤵
- Executes dropped EXE
PID:3944

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\images.exe
MD5
86c59d1e4de693a0f5d2ffe3b1cd8ef9

SHA1
64e5247411bbeff10fb09f0f8efe3d923d13f0a5

SHA256
ae0867ee2b8d439245831fa1884fc5ef80cf9e38e43d1059e8030d2c433e4040

SHA512
1ef4ea0020c2f2058b369e045a8a5eea071dd73408507ab06dcef1f1b9fbd1b8bf96ef73cb756296a4d7646185eb1e1c01814f9d23446f27ac14d625e36284c5

Download Submit
C:\ProgramData\images.exe
MD5
86c59d1e4de693a0f5d2ffe3b1cd8ef9

SHA1
64e5247411bbeff10fb09f0f8efe3d923d13f0a5

SHA256
ae0867ee2b8d439245831fa1884fc5ef80cf9e38e43d1059e8030d2c433e4040

SHA512
1ef4ea0020c2f2058b369e045a8a5eea071dd73408507ab06dcef1f1b9fbd1b8bf96ef73cb756296a4d7646185eb1e1c01814f9d23446f27ac14d625e36284c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp58DF.tmp
MD5
8bf4c3ec91dc6cb643fd1d4a92d2abc8

SHA1
96b5b82865df0df6ee0847f94a592c333176cd23

SHA256
21b6b8ae6d621c3724c9afe29230e7f8a2d06b920aa168173d76597f174d5025

SHA512
f10a380cb39456ea4c6579c072207631a0b66198db88aa6d87c2b871f584efdc59aff9be5e156c2448ae1e053e9d7764b600fe11b9f4d4f8cf8abcbdffb57704

Download Submit
memory/1312-55-0x00000000094D0000-0x00000000094D1000-memory.dmp

Filesize
4KB

Download
memory/1312-32-0x0000000007320000-0x0000000007321000-memory.dmp

Filesize
4KB

Download
memory/1312-56-0x0000000009670000-0x0000000009671000-memory.dmp

Filesize
4KB

Download
memory/1312-35-0x00000000048B0000-0x00000000048B1000-memory.dmp

Filesize
4KB

Download
memory/1312-54-0x0000000009360000-0x0000000009361000-memory.dmp

Filesize
4KB

Download
memory/1312-47-0x00000000093A0000-0x00000000093D3000-memory.dmp

Filesize
204KB

Download
memory/1312-19-0x0000000000000000-mapping.dmp

Download
memory/1312-44-0x00000000082E0000-0x00000000082E1000-memory.dmp

Filesize
4KB

Download
memory/1312-57-0x000000007E930000-0x000000007E931000-memory.dmp

Filesize
4KB

Download
memory/1312-38-0x00000000048B2000-0x00000000048B3000-memory.dmp

Filesize
4KB

Download
memory/1312-39-0x0000000007950000-0x0000000007951000-memory.dmp

Filesize
4KB

Download
memory/1312-40-0x00000000079F0000-0x00000000079F1000-memory.dmp

Filesize
4KB

Download
memory/1312-43-0x00000000080C0000-0x00000000080C1000-memory.dmp

Filesize
4KB

Download
memory/1312-45-0x00000000084C0000-0x00000000084C1000-memory.dmp

Filesize
4KB

Download
memory/1312-58-0x00000000048B3000-0x00000000048B4000-memory.dmp

Filesize
4KB

Download
memory/1312-59-0x0000000009620000-0x0000000009621000-memory.dmp

Filesize
4KB

Download
memory/1312-61-0x0000000009610000-0x0000000009611000-memory.dmp

Filesize
4KB

Download
memory/1312-41-0x0000000007C40000-0x0000000007C41000-memory.dmp

Filesize
4KB

Download
memory/1312-27-0x00000000739E0000-0x00000000740CE000-memory.dmp

Filesize
6.9MB

Download
memory/1312-31-0x00000000048C0000-0x00000000048C1000-memory.dmp

Filesize
4KB

Download
memory/1520-14-0x0000000000000000-mapping.dmp

Download
memory/2004-17-0x0000000000405CE2-mapping.dmp

Download
memory/2004-18-0x0000000000400000-0x0000000000554000-memory.dmp

Filesize
1.3MB

Download
memory/2004-16-0x0000000000400000-0x0000000000554000-memory.dmp

Filesize
1.3MB

Download
memory/3888-13-0x0000000005EE0000-0x0000000005F35000-memory.dmp

Filesize
340KB

Download
memory/3888-8-0x0000000004E50000-0x0000000004E51000-memory.dmp

Filesize
4KB

Download
memory/3888-3-0x0000000000390000-0x0000000000391000-memory.dmp

Filesize
4KB

Download
memory/3888-5-0x0000000004D10000-0x0000000004D11000-memory.dmp

Filesize
4KB

Download
memory/3888-6-0x00000000052B0000-0x00000000052B1000-memory.dmp

Filesize
4KB

Download
memory/3888-2-0x0000000073A20000-0x000000007410E000-memory.dmp

Filesize
6.9MB

Download
memory/3888-12-0x00000000057B0000-0x00000000057D3000-memory.dmp

Filesize
140KB

Download
memory/3888-11-0x0000000004CC0000-0x0000000004CC1000-memory.dmp

Filesize
4KB

Download
memory/3888-10-0x0000000005810000-0x0000000005811000-memory.dmp

Filesize
4KB

Download
memory/3888-9-0x0000000004D00000-0x0000000004D01000-memory.dmp

Filesize
4KB

Download
memory/3888-7-0x0000000004DB0000-0x0000000004DB1000-memory.dmp

Filesize
4KB

Download
memory/3944-36-0x0000000004D70000-0x0000000004D71000-memory.dmp

Filesize
4KB

Download
memory/3944-20-0x0000000000000000-mapping.dmp

Download
memory/3944-23-0x00000000739E0000-0x00000000740CE000-memory.dmp

Filesize
6.9MB

Download
memory/3944-30-0x0000000005550000-0x0000000005551000-memory.dmp

Filesize
4KB

Download

description	pid	process	target process
PID 3888 wrote to memory of 1520	3888	JANUARY QUOTATION FOR PRODUCT ORDER 02983H G FOR Goldolphin INDUSTRIES LTD PACKING LIST FOR 60MM.exe	schtasks.exe
PID 3888 wrote to memory of 1520	3888	JANUARY QUOTATION FOR PRODUCT ORDER 02983H G FOR Goldolphin INDUSTRIES LTD PACKING LIST FOR 60MM.exe	schtasks.exe
PID 3888 wrote to memory of 1520	3888	JANUARY QUOTATION FOR PRODUCT ORDER 02983H G FOR Goldolphin INDUSTRIES LTD PACKING LIST FOR 60MM.exe	schtasks.exe
PID 3888 wrote to memory of 4084	3888	JANUARY QUOTATION FOR PRODUCT ORDER 02983H G FOR Goldolphin INDUSTRIES LTD PACKING LIST FOR 60MM.exe	JANUARY QUOTATION FOR PRODUCT ORDER 02983H G FOR Goldolphin INDUSTRIES LTD PACKING LIST FOR 60MM.exe
PID 3888 wrote to memory of 4084	3888	JANUARY QUOTATION FOR PRODUCT ORDER 02983H G FOR Goldolphin INDUSTRIES LTD PACKING LIST FOR 60MM.exe	JANUARY QUOTATION FOR PRODUCT ORDER 02983H G FOR Goldolphin INDUSTRIES LTD PACKING LIST FOR 60MM.exe
PID 3888 wrote to memory of 4084	3888	JANUARY QUOTATION FOR PRODUCT ORDER 02983H G FOR Goldolphin INDUSTRIES LTD PACKING LIST FOR 60MM.exe	JANUARY QUOTATION FOR PRODUCT ORDER 02983H G FOR Goldolphin INDUSTRIES LTD PACKING LIST FOR 60MM.exe
PID 3888 wrote to memory of 4092	3888	JANUARY QUOTATION FOR PRODUCT ORDER 02983H G FOR Goldolphin INDUSTRIES LTD PACKING LIST FOR 60MM.exe	JANUARY QUOTATION FOR PRODUCT ORDER 02983H G FOR Goldolphin INDUSTRIES LTD PACKING LIST FOR 60MM.exe
PID 3888 wrote to memory of 4092	3888	JANUARY QUOTATION FOR PRODUCT ORDER 02983H G FOR Goldolphin INDUSTRIES LTD PACKING LIST FOR 60MM.exe	JANUARY QUOTATION FOR PRODUCT ORDER 02983H G FOR Goldolphin INDUSTRIES LTD PACKING LIST FOR 60MM.exe
PID 3888 wrote to memory of 4092	3888	JANUARY QUOTATION FOR PRODUCT ORDER 02983H G FOR Goldolphin INDUSTRIES LTD PACKING LIST FOR 60MM.exe	JANUARY QUOTATION FOR PRODUCT ORDER 02983H G FOR Goldolphin INDUSTRIES LTD PACKING LIST FOR 60MM.exe
PID 3888 wrote to memory of 2004	3888	JANUARY QUOTATION FOR PRODUCT ORDER 02983H G FOR Goldolphin INDUSTRIES LTD PACKING LIST FOR 60MM.exe	JANUARY QUOTATION FOR PRODUCT ORDER 02983H G FOR Goldolphin INDUSTRIES LTD PACKING LIST FOR 60MM.exe
PID 3888 wrote to memory of 2004	3888	JANUARY QUOTATION FOR PRODUCT ORDER 02983H G FOR Goldolphin INDUSTRIES LTD PACKING LIST FOR 60MM.exe	JANUARY QUOTATION FOR PRODUCT ORDER 02983H G FOR Goldolphin INDUSTRIES LTD PACKING LIST FOR 60MM.exe
PID 3888 wrote to memory of 2004	3888	JANUARY QUOTATION FOR PRODUCT ORDER 02983H G FOR Goldolphin INDUSTRIES LTD PACKING LIST FOR 60MM.exe	JANUARY QUOTATION FOR PRODUCT ORDER 02983H G FOR Goldolphin INDUSTRIES LTD PACKING LIST FOR 60MM.exe
PID 3888 wrote to memory of 2004	3888	JANUARY QUOTATION FOR PRODUCT ORDER 02983H G FOR Goldolphin INDUSTRIES LTD PACKING LIST FOR 60MM.exe	JANUARY QUOTATION FOR PRODUCT ORDER 02983H G FOR Goldolphin INDUSTRIES LTD PACKING LIST FOR 60MM.exe
PID 3888 wrote to memory of 2004	3888	JANUARY QUOTATION FOR PRODUCT ORDER 02983H G FOR Goldolphin INDUSTRIES LTD PACKING LIST FOR 60MM.exe	JANUARY QUOTATION FOR PRODUCT ORDER 02983H G FOR Goldolphin INDUSTRIES LTD PACKING LIST FOR 60MM.exe
PID 3888 wrote to memory of 2004	3888	JANUARY QUOTATION FOR PRODUCT ORDER 02983H G FOR Goldolphin INDUSTRIES LTD PACKING LIST FOR 60MM.exe	JANUARY QUOTATION FOR PRODUCT ORDER 02983H G FOR Goldolphin INDUSTRIES LTD PACKING LIST FOR 60MM.exe
PID 3888 wrote to memory of 2004	3888	JANUARY QUOTATION FOR PRODUCT ORDER 02983H G FOR Goldolphin INDUSTRIES LTD PACKING LIST FOR 60MM.exe	JANUARY QUOTATION FOR PRODUCT ORDER 02983H G FOR Goldolphin INDUSTRIES LTD PACKING LIST FOR 60MM.exe
PID 3888 wrote to memory of 2004	3888	JANUARY QUOTATION FOR PRODUCT ORDER 02983H G FOR Goldolphin INDUSTRIES LTD PACKING LIST FOR 60MM.exe	JANUARY QUOTATION FOR PRODUCT ORDER 02983H G FOR Goldolphin INDUSTRIES LTD PACKING LIST FOR 60MM.exe
PID 3888 wrote to memory of 2004	3888	JANUARY QUOTATION FOR PRODUCT ORDER 02983H G FOR Goldolphin INDUSTRIES LTD PACKING LIST FOR 60MM.exe	JANUARY QUOTATION FOR PRODUCT ORDER 02983H G FOR Goldolphin INDUSTRIES LTD PACKING LIST FOR 60MM.exe
PID 3888 wrote to memory of 2004	3888	JANUARY QUOTATION FOR PRODUCT ORDER 02983H G FOR Goldolphin INDUSTRIES LTD PACKING LIST FOR 60MM.exe	JANUARY QUOTATION FOR PRODUCT ORDER 02983H G FOR Goldolphin INDUSTRIES LTD PACKING LIST FOR 60MM.exe
PID 3888 wrote to memory of 2004	3888	JANUARY QUOTATION FOR PRODUCT ORDER 02983H G FOR Goldolphin INDUSTRIES LTD PACKING LIST FOR 60MM.exe	JANUARY QUOTATION FOR PRODUCT ORDER 02983H G FOR Goldolphin INDUSTRIES LTD PACKING LIST FOR 60MM.exe
PID 2004 wrote to memory of 1312	2004	JANUARY QUOTATION FOR PRODUCT ORDER 02983H G FOR Goldolphin INDUSTRIES LTD PACKING LIST FOR 60MM.exe	powershell.exe
PID 2004 wrote to memory of 1312	2004	JANUARY QUOTATION FOR PRODUCT ORDER 02983H G FOR Goldolphin INDUSTRIES LTD PACKING LIST FOR 60MM.exe	powershell.exe
PID 2004 wrote to memory of 1312	2004	JANUARY QUOTATION FOR PRODUCT ORDER 02983H G FOR Goldolphin INDUSTRIES LTD PACKING LIST FOR 60MM.exe	powershell.exe
PID 2004 wrote to memory of 3944	2004	JANUARY QUOTATION FOR PRODUCT ORDER 02983H G FOR Goldolphin INDUSTRIES LTD PACKING LIST FOR 60MM.exe	images.exe
PID 2004 wrote to memory of 3944	2004	JANUARY QUOTATION FOR PRODUCT ORDER 02983H G FOR Goldolphin INDUSTRIES LTD PACKING LIST FOR 60MM.exe	images.exe
PID 2004 wrote to memory of 3944	2004	JANUARY QUOTATION FOR PRODUCT ORDER 02983H G FOR Goldolphin INDUSTRIES LTD PACKING LIST FOR 60MM.exe	images.exe

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads