Analysis
- max time kernel: 40s
- max time network: 142s
- platform: windows7_x64
- resource: win7v20210408
- submitted: 20-07-2021 14:11
Static task: static1
Behavioral task: behavioral1 (Sample: EMTECH IPH GROUP.exe; Resource: win7v20210408)
Behavioral task: behavioral2 (Sample: EMTECH IPH GROUP.exe; Resource: win10v20210410)
General
- Target: EMTECH IPH GROUP.exe
- Size: 62KB
- MD5: 4b3470167aed6f5cba3103b3abaaa7c4
- SHA1: 6282b6635b89c19086e7e77aa508aa3f484b3e6e
- SHA256: caf865d460e97d3f1043fdade9be954436bb158f6101d3598d1334acfef400d3
- SHA512: 8dd0e0ec717afd64255c47424682d642b670d4c8d75deb169a9b433807d23651e79e94b7f78f8d954c19abd99aa332204c2f86df6af98928d2d8b0f0de3e6a8d
Malware Config
Extracted: warzonerat
C2: 185.157.160.215:2211
Signatures
-
WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
-
Warzone RAT Payload 3 IoCs
Processes:
resource / yara_rule:
- behavioral1/memory/1192-66-0x0000000000400000-0x0000000000554000-memory.dmp: warzonerat
- behavioral1/memory/1192-67-0x0000000000405CE2-mapping.dmp: warzonerat
- behavioral1/memory/1192-69-0x0000000000400000-0x0000000000554000-memory.dmp: warzonerat
-
Drops startup file 3 IoCs
Processes: cmd.exe, EMTECH IPH GROUP.exe
description / ioc / process:
- File created / C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\EMTECH IPH GROUP.exe / cmd.exe
- File opened for modification / C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\EMTECH IPH GROUP.exe / cmd.exe
- File opened for modification / C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\EMTECH IPH GROUP.exe / EMTECH IPH GROUP.exe
-
Suspicious use of SetThreadContext 1 IoCs
Processes: EMTECH IPH GROUP.exe
description / pid / process / target process:
- PID 1612 set thread context of 1192 / 1612 / EMTECH IPH GROUP.exe / EMTECH IPH GROUP.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). The signature's canned description calls this likely ransomware behaviour, but that is a generic verdict: nothing else in this report shows mass file modification (the only file written is the Startup self-copy), so for this sample the drive enumeration is better read as a RAT surveying the host than as encryption.
-
Suspicious behavior: EnumeratesProcesses 47 IoCs
Processes: EMTECH IPH GROUP.exe
pid / process:
- 1612 / EMTECH IPH GROUP.exe (47 identical entries)
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes: EMTECH IPH GROUP.exe
description / pid / process:
- Token: SeDebugPrivilege / 1612 / EMTECH IPH GROUP.exe
-
Suspicious use of WriteProcessMemory 20 IoCs
Processes: EMTECH IPH GROUP.exe
description / pid / process / target process (identical rows grouped):
- PID 1612 wrote to memory of 1588 / 1612 / EMTECH IPH GROUP.exe / cmd.exe (4 entries)
- PID 1612 wrote to memory of 1176 / 1612 / EMTECH IPH GROUP.exe / EMTECH IPH GROUP.exe (4 entries)
- PID 1612 wrote to memory of 1192 / 1612 / EMTECH IPH GROUP.exe / EMTECH IPH GROUP.exe (12 entries)
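The signatures above are reported one API at a time; the injection technique only becomes visible when they are joined by PID. The script below is an added example, not part of the sandbox report or its tooling: it parses the flattened WriteProcessMemory, SetThreadContext, token and file rows (the input is constructed from this report, with the same PIDs, image names and paths) and flags the child that was both written to and handed a new thread context while running the parent's own image, which is the process-hollowing / RunPE shape. The row regexes are assumptions about this page's layout, not the sandbox's schema, and the function names are mine.

```python
"""Reconstruct the injection chain and persistence from flattened sandbox
IoC rows. Added example for this report; not the sandbox's own code."""
import re
from collections import Counter

# Constructed from the IoC rows in the report above (same PIDs, image
# names and paths). Real Sysmon/ETW telemetry needs its own parser.
RAW_IOCS = (
    ["PID 1612 wrote to memory of 1588 1612 EMTECH IPH GROUP.exe cmd.exe"] * 4
    + ["PID 1612 wrote to memory of 1176 1612 EMTECH IPH GROUP.exe EMTECH IPH GROUP.exe"] * 4
    + ["PID 1612 wrote to memory of 1192 1612 EMTECH IPH GROUP.exe EMTECH IPH GROUP.exe"] * 12
    + [
        "PID 1612 set thread context of 1192 1612 EMTECH IPH GROUP.exe EMTECH IPH GROUP.exe",
        "Token: SeDebugPrivilege 1612 EMTECH IPH GROUP.exe",
        r"File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\EMTECH IPH GROUP.exe cmd.exe",
        r"File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\EMTECH IPH GROUP.exe EMTECH IPH GROUP.exe",
    ]
)

# Image names contain spaces, so the patterns anchor on the ".exe" suffixes
# instead of splitting rows on whitespace. \1 enforces the repeated parent PID.
WRITE_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) \1 (.+?\.exe) (.+?\.exe)$")
CTX_RE = re.compile(r"^PID (\d+) set thread context of (\d+) \1 (.+?\.exe) (.+?\.exe)$")
FILE_RE = re.compile(r"^File (created|opened for modification) (.+?\.exe) (.+?\.exe)$")
TOKEN_RE = re.compile(r"^Token: (\w+) (\d+) (.+?\.exe)$")
STARTUP_RE = re.compile(r"\\Start Menu\\Programs\\Startup\\", re.IGNORECASE)


def parse(lines):
    """Turn each flattened IoC row into a small event dict; unknown rows are skipped."""
    events = []
    for line in lines:
        if m := WRITE_RE.match(line):
            events.append({"op": "write", "src": int(m[1]), "dst": int(m[2]),
                           "src_img": m[3], "dst_img": m[4]})
        elif m := CTX_RE.match(line):
            events.append({"op": "setctx", "src": int(m[1]), "dst": int(m[2]),
                           "src_img": m[3], "dst_img": m[4]})
        elif m := FILE_RE.match(line):
            events.append({"op": "file", "action": m[1], "path": m[2], "img": m[3]})
        elif m := TOKEN_RE.match(line):
            events.append({"op": "token", "priv": m[1], "pid": int(m[2]), "img": m[3]})
    return events


def find_hollowing(events):
    """Children that received memory writes and then a SetThreadContext from
    the same parent while running the parent's own image: the RunPE /
    process-hollowing shape. Returns (src_pid, dst_pid, image, write_count)."""
    writes = Counter((e["src"], e["dst"]) for e in events if e["op"] == "write")
    return [(e["src"], e["dst"], e["dst_img"], writes[(e["src"], e["dst"])])
            for e in events if e["op"] == "setctx" and e["src_img"] == e["dst_img"]]


def write_only_targets(events):
    """Processes written to but never given a new thread context, with the
    write count. A plain cmd.exe child lands here; so does a self-image
    child that was prepared but never redirected."""
    redirected = {e["dst"] for e in events if e["op"] == "setctx"}
    return dict(Counter(e["dst"] for e in events
                        if e["op"] == "write" and e["dst"] not in redirected))


def find_startup_persistence(events):
    """Files written under the per-user Startup folder, with the writing image."""
    return sorted({(e["path"], e["img"]) for e in events
                   if e["op"] == "file" and STARTUP_RE.search(e["path"])})


def privileged_pids(events):
    """PIDs that enabled a privilege, keyed to the privilege name."""
    return {e["pid"]: e["priv"] for e in events if e["op"] == "token"}


if __name__ == "__main__":
    ev = parse(RAW_IOCS)
    for src, dst, img, n in find_hollowing(ev):
        print(f"hollowing candidate: {src} -> {dst} ({img}), {n} writes before SetThreadContext")
    print("written, not redirected:", write_only_targets(ev))
    print("startup persistence:", find_startup_persistence(ev))
    print("privileges:", privileged_pids(ev))
```

On the rows from this report the only hollowing candidate is 1612 -> 1192 with 12 writes; 1176 (4 writes, no thread context) and the cmd.exe child 1588 come out as written-only, and the Startup copy is reported twice, once for cmd.exe creating it and once for the sample opening it for modification. The same join works on Sysmon event IDs 8/10 plus file-create events once the parser is swapped for that schema.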
Processes
-
C:\Users\Admin\AppData\Local\Temp\EMTECH IPH GROUP.exe (level 1)
  "C:\Users\Admin\AppData\Local\Temp\EMTECH IPH GROUP.exe"
  - Drops startup file
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  -
  C:\Windows\SysWOW64\cmd.exe (level 2)
    "C:\Windows\System32\cmd.exe" /c Copy "C:\Users\Admin\AppData\Local\Temp\EMTECH IPH GROUP.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\EMTECH IPH GROUP.exe"
    - Drops startup file
  -
  C:\Users\Admin\AppData\Local\Temp\EMTECH IPH GROUP.exe (level 2)
    "C:\Users\Admin\AppData\Local\Temp\EMTECH IPH GROUP.exe"
  -
  C:\Users\Admin\AppData\Local\Temp\EMTECH IPH GROUP.exe (level 2)
    "C:\Users\Admin\AppData\Local\Temp\EMTECH IPH GROUP.exe"

The command line names C:\Windows\System32\cmd.exe but the image that ran is C:\Windows\SysWOW64\cmd.exe: the sample is a 32-bit process on x64 Windows, so WoW64 file system redirection maps its System32 reference to SysWOW64. The two level-2 copies of the sample are the self-image targets of the parent's WriteProcessMemory calls (PIDs 1176 and 1192 in the Signatures section); only 1192 also received SetThreadContext and holds the WarzoneRAT payload in memory.
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\EMTECH IPH GROUP.exe
MD5: 4b3470167aed6f5cba3103b3abaaa7c4
SHA1: 6282b6635b89c19086e7e77aa508aa3f484b3e6e
SHA256: caf865d460e97d3f1043fdade9be954436bb158f6101d3598d1334acfef400d3
SHA512: 8dd0e0ec717afd64255c47424682d642b670d4c8d75deb169a9b433807d23651e79e94b7f78f8d954c19abd99aa332204c2f86df6af98928d2d8b0f0de3e6a8d
All four hashes match the submitted sample: the Startup entry is a byte-for-byte self-copy made by the cmd.exe /c Copy command above, not a second-stage payload, so the on-disk IoC for persistence is the original file hash.
-
- memory/1192-66-0x0000000000400000-0x0000000000554000-memory.dmp (1.3MB)
- memory/1192-67-0x0000000000405CE2-mapping.dmp
- memory/1192-68-0x0000000075D51000-0x0000000075D53000-memory.dmp (8KB)
- memory/1192-69-0x0000000000400000-0x0000000000554000-memory.dmp (1.3MB)
- memory/1588-63-0x0000000000000000-mapping.dmp
- memory/1612-59-0x00000000002C0000-0x00000000002C1000-memory.dmp (4KB)
- memory/1612-61-0x00000000047B0000-0x00000000047B1000-memory.dmp (4KB)
- memory/1612-62-0x0000000000420000-0x0000000000441000-memory.dmp (132KB)
- memory/1612-65-0x0000000000670000-0x0000000000671000-memory.dmp (4KB)

The two 1.3MB dumps of 0x400000-0x554000 in PID 1192 are the image written into the hollowed child and are the regions that matched the warzonerat YARA rule above; the 62KB sample on disk is the loader that unpacks into them, so memory, not the dropped file, is where the RAT is identifiable. The 0x405CE2 mapping entry lies inside that region and is consistent with the start address handed to the child via SetThreadContext.