warzonerat | caf865d460e97d3f1043fdade9be954436bb158f6101d3598d1334acfef400d3

General

Target

EMTECH IPH GROUP.exe
Size

62KB
MD5

4b3470167aed6f5cba3103b3abaaa7c4
SHA1

6282b6635b89c19086e7e77aa508aa3f484b3e6e
SHA256

caf865d460e97d3f1043fdade9be954436bb158f6101d3598d1334acfef400d3
SHA512

8dd0e0ec717afd64255c47424682d642b670d4c8d75deb169a9b433807d23651e79e94b7f78f8d954c19abd99aa332204c2f86df6af98928d2d8b0f0de3e6a8d

Score

10^/10

warzonerat infostealer rat

Malware Config

Extracted

Family

warzonerat

C2

185.157.160.215:2211

Signatures

WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
rat infostealer warzonerat

Warzone RAT Payload 3 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/732-129-0x0000000000405CE2-mapping.dmp	warzonerat
behavioral2/memory/732-128-0x0000000000400000-0x0000000000554000-memory.dmp	warzonerat
behavioral2/memory/732-130-0x0000000000400000-0x0000000000554000-memory.dmp	warzonerat

Drops startup file 3 IoCs

Processes:

cmd.exeEMTECH IPH GROUP.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\EMTECH IPH GROUP.exe	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\EMTECH IPH GROUP.exe	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\EMTECH IPH GROUP.exe	EMTECH IPH GROUP.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

EMTECH IPH GROUP.exe

description pid process target process

PID 3944 set thread context of 732 3944 EMTECH IPH GROUP.exe EMTECH IPH GROUP.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

description	pid	process	target process
PID 3944 set thread context of 732	3944	EMTECH IPH GROUP.exe	EMTECH IPH GROUP.exe

Suspicious behavior: EnumeratesProcesses 51 IoCs

Processes:

EMTECH IPH GROUP.exe

pid	process
3944	EMTECH IPH GROUP.exe
3944	EMTECH IPH GROUP.exe
3944	EMTECH IPH GROUP.exe
3944	EMTECH IPH GROUP.exe
3944	EMTECH IPH GROUP.exe
3944	EMTECH IPH GROUP.exe
3944	EMTECH IPH GROUP.exe
3944	EMTECH IPH GROUP.exe
3944	EMTECH IPH GROUP.exe
3944	EMTECH IPH GROUP.exe
3944	EMTECH IPH GROUP.exe
3944	EMTECH IPH GROUP.exe
3944	EMTECH IPH GROUP.exe
3944	EMTECH IPH GROUP.exe
3944	EMTECH IPH GROUP.exe
3944	EMTECH IPH GROUP.exe
3944	EMTECH IPH GROUP.exe
3944	EMTECH IPH GROUP.exe
3944	EMTECH IPH GROUP.exe
3944	EMTECH IPH GROUP.exe
3944	EMTECH IPH GROUP.exe
3944	EMTECH IPH GROUP.exe
3944	EMTECH IPH GROUP.exe
3944	EMTECH IPH GROUP.exe
3944	EMTECH IPH GROUP.exe
3944	EMTECH IPH GROUP.exe
3944	EMTECH IPH GROUP.exe
3944	EMTECH IPH GROUP.exe
3944	EMTECH IPH GROUP.exe
3944	EMTECH IPH GROUP.exe
3944	EMTECH IPH GROUP.exe
3944	EMTECH IPH GROUP.exe
3944	EMTECH IPH GROUP.exe
3944	EMTECH IPH GROUP.exe
3944	EMTECH IPH GROUP.exe
3944	EMTECH IPH GROUP.exe
3944	EMTECH IPH GROUP.exe
3944	EMTECH IPH GROUP.exe
3944	EMTECH IPH GROUP.exe
3944	EMTECH IPH GROUP.exe
3944	EMTECH IPH GROUP.exe
3944	EMTECH IPH GROUP.exe
3944	EMTECH IPH GROUP.exe
3944	EMTECH IPH GROUP.exe
3944	EMTECH IPH GROUP.exe
3944	EMTECH IPH GROUP.exe
3944	EMTECH IPH GROUP.exe
3944	EMTECH IPH GROUP.exe
3944	EMTECH IPH GROUP.exe
3944	EMTECH IPH GROUP.exe
3944	EMTECH IPH GROUP.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

EMTECH IPH GROUP.exe

description pid process

Token: SeDebugPrivilege 3944 EMTECH IPH GROUP.exe

description	pid	process
Token: SeDebugPrivilege	3944	EMTECH IPH GROUP.exe

Suspicious use of WriteProcessMemory 23 IoCs

Processes:

EMTECH IPH GROUP.exe

description	pid	process	target process
PID 3944 wrote to memory of 3692	3944	EMTECH IPH GROUP.exe	cmd.exe
PID 3944 wrote to memory of 3692	3944	EMTECH IPH GROUP.exe	cmd.exe
PID 3944 wrote to memory of 3692	3944	EMTECH IPH GROUP.exe	cmd.exe
PID 3944 wrote to memory of 4008	3944	EMTECH IPH GROUP.exe	EMTECH IPH GROUP.exe
PID 3944 wrote to memory of 4008	3944	EMTECH IPH GROUP.exe	EMTECH IPH GROUP.exe
PID 3944 wrote to memory of 4008	3944	EMTECH IPH GROUP.exe	EMTECH IPH GROUP.exe
PID 3944 wrote to memory of 1296	3944	EMTECH IPH GROUP.exe	EMTECH IPH GROUP.exe
PID 3944 wrote to memory of 1296	3944	EMTECH IPH GROUP.exe	EMTECH IPH GROUP.exe
PID 3944 wrote to memory of 1296	3944	EMTECH IPH GROUP.exe	EMTECH IPH GROUP.exe
PID 3944 wrote to memory of 1256	3944	EMTECH IPH GROUP.exe	EMTECH IPH GROUP.exe
PID 3944 wrote to memory of 1256	3944	EMTECH IPH GROUP.exe	EMTECH IPH GROUP.exe
PID 3944 wrote to memory of 1256	3944	EMTECH IPH GROUP.exe	EMTECH IPH GROUP.exe
PID 3944 wrote to memory of 732	3944	EMTECH IPH GROUP.exe	EMTECH IPH GROUP.exe
PID 3944 wrote to memory of 732	3944	EMTECH IPH GROUP.exe	EMTECH IPH GROUP.exe
PID 3944 wrote to memory of 732	3944	EMTECH IPH GROUP.exe	EMTECH IPH GROUP.exe
PID 3944 wrote to memory of 732	3944	EMTECH IPH GROUP.exe	EMTECH IPH GROUP.exe
PID 3944 wrote to memory of 732	3944	EMTECH IPH GROUP.exe	EMTECH IPH GROUP.exe
PID 3944 wrote to memory of 732	3944	EMTECH IPH GROUP.exe	EMTECH IPH GROUP.exe
PID 3944 wrote to memory of 732	3944	EMTECH IPH GROUP.exe	EMTECH IPH GROUP.exe
PID 3944 wrote to memory of 732	3944	EMTECH IPH GROUP.exe	EMTECH IPH GROUP.exe
PID 3944 wrote to memory of 732	3944	EMTECH IPH GROUP.exe	EMTECH IPH GROUP.exe
PID 3944 wrote to memory of 732	3944	EMTECH IPH GROUP.exe	EMTECH IPH GROUP.exe
PID 3944 wrote to memory of 732	3944	EMTECH IPH GROUP.exe	EMTECH IPH GROUP.exe

C:\Users\Admin\AppData\Local\Temp\EMTECH IPH GROUP.exe
"C:\Users\Admin\AppData\Local\Temp\EMTECH IPH GROUP.exe"
1⤵
- Drops startup file
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3944

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c Copy "C:\Users\Admin\AppData\Local\Temp\EMTECH IPH GROUP.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\EMTECH IPH GROUP.exe"
2⤵
- Drops startup file
PID:3692

C:\Users\Admin\AppData\Local\Temp\EMTECH IPH GROUP.exe
"C:\Users\Admin\AppData\Local\Temp\EMTECH IPH GROUP.exe"
2⤵
PID:4008

C:\Users\Admin\AppData\Local\Temp\EMTECH IPH GROUP.exe
"C:\Users\Admin\AppData\Local\Temp\EMTECH IPH GROUP.exe"
2⤵
PID:1296

C:\Users\Admin\AppData\Local\Temp\EMTECH IPH GROUP.exe
"C:\Users\Admin\AppData\Local\Temp\EMTECH IPH GROUP.exe"
2⤵
PID:1256

C:\Users\Admin\AppData\Local\Temp\EMTECH IPH GROUP.exe
"C:\Users\Admin\AppData\Local\Temp\EMTECH IPH GROUP.exe"
2⤵
PID:732

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\EMTECH IPH GROUP.exe
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/732-130-0x0000000000400000-0x0000000000554000-memory.dmp

Filesize
1.3MB

Download
memory/732-128-0x0000000000400000-0x0000000000554000-memory.dmp

Filesize
1.3MB

Download
memory/732-129-0x0000000000405CE2-mapping.dmp

Download
memory/3692-124-0x0000000000000000-mapping.dmp

Download
memory/3944-123-0x0000000006B40000-0x0000000006B41000-memory.dmp

Filesize
4KB

Download
memory/3944-121-0x0000000006840000-0x0000000006861000-memory.dmp

Filesize
132KB

Download
memory/3944-122-0x0000000005BA0000-0x0000000005BA1000-memory.dmp

Filesize
4KB

Download
memory/3944-114-0x0000000000D40000-0x0000000000D41000-memory.dmp

Filesize
4KB

Download
memory/3944-120-0x00000000054E0000-0x0000000005572000-memory.dmp

Filesize
584KB

Download
memory/3944-125-0x0000000006FD0000-0x0000000006FD1000-memory.dmp

Filesize
4KB

Download
memory/3944-119-0x0000000005640000-0x0000000005641000-memory.dmp

Filesize
4KB

Download
memory/3944-127-0x0000000006AA0000-0x0000000006B3C000-memory.dmp

Filesize
624KB

Download
memory/3944-118-0x00000000056C0000-0x00000000056C1000-memory.dmp

Filesize
4KB

Download
memory/3944-117-0x0000000005580000-0x0000000005581000-memory.dmp

Filesize
4KB

Download
memory/3944-116-0x0000000005BC0000-0x0000000005BC1000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads