warzonerat | caf865d460e97d3f1043fdade9be954436bb158f6101d3598d1334acfef400d3

General

Target

EMTECH IPH GROUP.exe
Size

62KB
MD5

4b3470167aed6f5cba3103b3abaaa7c4
SHA1

6282b6635b89c19086e7e77aa508aa3f484b3e6e
SHA256

caf865d460e97d3f1043fdade9be954436bb158f6101d3598d1334acfef400d3
SHA512

8dd0e0ec717afd64255c47424682d642b670d4c8d75deb169a9b433807d23651e79e94b7f78f8d954c19abd99aa332204c2f86df6af98928d2d8b0f0de3e6a8d

Score

10^/10

warzonerat infostealer rat

Malware Config

Extracted

Family

warzonerat

C2

185.157.160.215:2211

Signatures

WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
rat infostealer warzonerat

Warzone RAT Payload 3 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/1192-66-0x0000000000400000-0x0000000000554000-memory.dmp	warzonerat
behavioral1/memory/1192-67-0x0000000000405CE2-mapping.dmp	warzonerat
behavioral1/memory/1192-69-0x0000000000400000-0x0000000000554000-memory.dmp	warzonerat

Drops startup file 3 IoCs

Processes:

cmd.exeEMTECH IPH GROUP.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\EMTECH IPH GROUP.exe	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\EMTECH IPH GROUP.exe	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\EMTECH IPH GROUP.exe	EMTECH IPH GROUP.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

EMTECH IPH GROUP.exe

description pid process target process

PID 1612 set thread context of 1192 1612 EMTECH IPH GROUP.exe EMTECH IPH GROUP.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

description	pid	process	target process
PID 1612 set thread context of 1192	1612	EMTECH IPH GROUP.exe	EMTECH IPH GROUP.exe

Suspicious behavior: EnumeratesProcesses 47 IoCs

Processes:

EMTECH IPH GROUP.exe

pid	process
1612	EMTECH IPH GROUP.exe
1612	EMTECH IPH GROUP.exe
1612	EMTECH IPH GROUP.exe
1612	EMTECH IPH GROUP.exe
1612	EMTECH IPH GROUP.exe
1612	EMTECH IPH GROUP.exe
1612	EMTECH IPH GROUP.exe
1612	EMTECH IPH GROUP.exe
1612	EMTECH IPH GROUP.exe
1612	EMTECH IPH GROUP.exe
1612	EMTECH IPH GROUP.exe
1612	EMTECH IPH GROUP.exe
1612	EMTECH IPH GROUP.exe
1612	EMTECH IPH GROUP.exe
1612	EMTECH IPH GROUP.exe
1612	EMTECH IPH GROUP.exe
1612	EMTECH IPH GROUP.exe
1612	EMTECH IPH GROUP.exe
1612	EMTECH IPH GROUP.exe
1612	EMTECH IPH GROUP.exe
1612	EMTECH IPH GROUP.exe
1612	EMTECH IPH GROUP.exe
1612	EMTECH IPH GROUP.exe
1612	EMTECH IPH GROUP.exe
1612	EMTECH IPH GROUP.exe
1612	EMTECH IPH GROUP.exe
1612	EMTECH IPH GROUP.exe
1612	EMTECH IPH GROUP.exe
1612	EMTECH IPH GROUP.exe
1612	EMTECH IPH GROUP.exe
1612	EMTECH IPH GROUP.exe
1612	EMTECH IPH GROUP.exe
1612	EMTECH IPH GROUP.exe
1612	EMTECH IPH GROUP.exe
1612	EMTECH IPH GROUP.exe
1612	EMTECH IPH GROUP.exe
1612	EMTECH IPH GROUP.exe
1612	EMTECH IPH GROUP.exe
1612	EMTECH IPH GROUP.exe
1612	EMTECH IPH GROUP.exe
1612	EMTECH IPH GROUP.exe
1612	EMTECH IPH GROUP.exe
1612	EMTECH IPH GROUP.exe
1612	EMTECH IPH GROUP.exe
1612	EMTECH IPH GROUP.exe
1612	EMTECH IPH GROUP.exe
1612	EMTECH IPH GROUP.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

EMTECH IPH GROUP.exe

description pid process

Token: SeDebugPrivilege 1612 EMTECH IPH GROUP.exe

description	pid	process
Token: SeDebugPrivilege	1612	EMTECH IPH GROUP.exe

Suspicious use of WriteProcessMemory 20 IoCs

Processes:

EMTECH IPH GROUP.exe

description	pid	process	target process
PID 1612 wrote to memory of 1588	1612	EMTECH IPH GROUP.exe	cmd.exe
PID 1612 wrote to memory of 1588	1612	EMTECH IPH GROUP.exe	cmd.exe
PID 1612 wrote to memory of 1588	1612	EMTECH IPH GROUP.exe	cmd.exe
PID 1612 wrote to memory of 1588	1612	EMTECH IPH GROUP.exe	cmd.exe
PID 1612 wrote to memory of 1176	1612	EMTECH IPH GROUP.exe	EMTECH IPH GROUP.exe
PID 1612 wrote to memory of 1176	1612	EMTECH IPH GROUP.exe	EMTECH IPH GROUP.exe
PID 1612 wrote to memory of 1176	1612	EMTECH IPH GROUP.exe	EMTECH IPH GROUP.exe
PID 1612 wrote to memory of 1176	1612	EMTECH IPH GROUP.exe	EMTECH IPH GROUP.exe
PID 1612 wrote to memory of 1192	1612	EMTECH IPH GROUP.exe	EMTECH IPH GROUP.exe
PID 1612 wrote to memory of 1192	1612	EMTECH IPH GROUP.exe	EMTECH IPH GROUP.exe
PID 1612 wrote to memory of 1192	1612	EMTECH IPH GROUP.exe	EMTECH IPH GROUP.exe
PID 1612 wrote to memory of 1192	1612	EMTECH IPH GROUP.exe	EMTECH IPH GROUP.exe
PID 1612 wrote to memory of 1192	1612	EMTECH IPH GROUP.exe	EMTECH IPH GROUP.exe
PID 1612 wrote to memory of 1192	1612	EMTECH IPH GROUP.exe	EMTECH IPH GROUP.exe
PID 1612 wrote to memory of 1192	1612	EMTECH IPH GROUP.exe	EMTECH IPH GROUP.exe
PID 1612 wrote to memory of 1192	1612	EMTECH IPH GROUP.exe	EMTECH IPH GROUP.exe
PID 1612 wrote to memory of 1192	1612	EMTECH IPH GROUP.exe	EMTECH IPH GROUP.exe
PID 1612 wrote to memory of 1192	1612	EMTECH IPH GROUP.exe	EMTECH IPH GROUP.exe
PID 1612 wrote to memory of 1192	1612	EMTECH IPH GROUP.exe	EMTECH IPH GROUP.exe
PID 1612 wrote to memory of 1192	1612	EMTECH IPH GROUP.exe	EMTECH IPH GROUP.exe

C:\Users\Admin\AppData\Local\Temp\EMTECH IPH GROUP.exe
"C:\Users\Admin\AppData\Local\Temp\EMTECH IPH GROUP.exe"
1⤵
- Drops startup file
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1612

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c Copy "C:\Users\Admin\AppData\Local\Temp\EMTECH IPH GROUP.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\EMTECH IPH GROUP.exe"
2⤵
- Drops startup file
PID:1588

C:\Users\Admin\AppData\Local\Temp\EMTECH IPH GROUP.exe
"C:\Users\Admin\AppData\Local\Temp\EMTECH IPH GROUP.exe"
2⤵
PID:1176

C:\Users\Admin\AppData\Local\Temp\EMTECH IPH GROUP.exe
"C:\Users\Admin\AppData\Local\Temp\EMTECH IPH GROUP.exe"
2⤵
PID:1192

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\EMTECH IPH GROUP.exe
MD5
4b3470167aed6f5cba3103b3abaaa7c4

SHA1
6282b6635b89c19086e7e77aa508aa3f484b3e6e

SHA256
caf865d460e97d3f1043fdade9be954436bb158f6101d3598d1334acfef400d3

SHA512
8dd0e0ec717afd64255c47424682d642b670d4c8d75deb169a9b433807d23651e79e94b7f78f8d954c19abd99aa332204c2f86df6af98928d2d8b0f0de3e6a8d

Download Submit
memory/1192-66-0x0000000000400000-0x0000000000554000-memory.dmp

Filesize
1.3MB

Download
memory/1192-67-0x0000000000405CE2-mapping.dmp

Download
memory/1192-68-0x0000000075D51000-0x0000000075D53000-memory.dmp

Filesize
8KB

Download
memory/1192-69-0x0000000000400000-0x0000000000554000-memory.dmp

Filesize
1.3MB

Download
memory/1588-63-0x0000000000000000-mapping.dmp

Download
memory/1612-59-0x00000000002C0000-0x00000000002C1000-memory.dmp

Filesize
4KB

Download
memory/1612-61-0x00000000047B0000-0x00000000047B1000-memory.dmp

Filesize
4KB

Download
memory/1612-62-0x0000000000420000-0x0000000000441000-memory.dmp

Filesize
132KB

Download
memory/1612-65-0x0000000000670000-0x0000000000671000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads