Malware Analysis Report

2025-08-11 01:39

Sample ID 230224-sez1lshg54
Target New order No 09052622.zip
SHA256 0dc43c6b572e28d5744fcf9620589793255a2084069dc447c6c7904bb6f7a005
Tags
warzonerat infostealer persistence rat
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

0dc43c6b572e28d5744fcf9620589793255a2084069dc447c6c7904bb6f7a005

Threat Level: Known bad

The file New order No 09052622.zip was found to be: Known bad.

Malicious Activity Summary

warzonerat infostealer persistence rat

WarzoneRat, AveMaria

Warzone RAT payload

Loads dropped DLL

Executes dropped EXE

Adds Run key to start application

Suspicious use of SetThreadContext

Enumerates physical storage devices

Program crash

Suspicious behavior: MapViewOfSection

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-02-24 15:03

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-02-24 15:03

Reported

2023-02-24 15:08

Platform

win7-20230220-en

Max time kernel

228s

Max time network

33s

Command Line

"C:\Users\Admin\AppData\Local\Temp\New order No 09052622.exe"

Signatures

WarzoneRat, AveMaria

rat infostealer warzonerat

Warzone RAT payload

rat
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\jwnpsq.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\jwnpsq.exe | N/A
N/A | N/A | C:\ProgramData\images.exe | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Windows\CurrentVersion\Run\oxxhddmvqq = "C:\\Users\\Admin\\AppData\\Roaming\\bkkg\\pyyueenjss.exe \"C:\\Users\\Admin\\AppData\\Local\\Temp\\jwnpsq.exe\" C:\\Users\\Admin\\AppData\\Local\\Tem" | C:\Users\Admin\AppData\Local\Temp\jwnpsq.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Images = "C:\\ProgramData\\images.exe" | C:\Users\Admin\AppData\Local\Temp\jwnpsq.exe | N/A

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 1764 set thread context of 1072 | N/A | C:\Users\Admin\AppData\Local\Temp\jwnpsq.exe | C:\Users\Admin\AppData\Local\Temp\jwnpsq.exe

Enumerates physical storage devices

Program crash

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\ProgramData\images.exe

Suspicious behavior: MapViewOfSection

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\jwnpsq.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2040 wrote to memory of 1764 | N/A | C:\Users\Admin\AppData\Local\Temp\New order No 09052622.exe | C:\Users\Admin\AppData\Local\Temp\jwnpsq.exe
PID 2040 wrote to memory of 1764 | N/A | C:\Users\Admin\AppData\Local\Temp\New order No 09052622.exe | C:\Users\Admin\AppData\Local\Temp\jwnpsq.exe
PID 2040 wrote to memory of 1764 | N/A | C:\Users\Admin\AppData\Local\Temp\New order No 09052622.exe | C:\Users\Admin\AppData\Local\Temp\jwnpsq.exe
PID 2040 wrote to memory of 1764 | N/A | C:\Users\Admin\AppData\Local\Temp\New order No 09052622.exe | C:\Users\Admin\AppData\Local\Temp\jwnpsq.exe
PID 1764 wrote to memory of 1072 | N/A | C:\Users\Admin\AppData\Local\Temp\jwnpsq.exe | C:\Users\Admin\AppData\Local\Temp\jwnpsq.exe
PID 1764 wrote to memory of 1072 | N/A | C:\Users\Admin\AppData\Local\Temp\jwnpsq.exe | C:\Users\Admin\AppData\Local\Temp\jwnpsq.exe
PID 1764 wrote to memory of 1072 | N/A | C:\Users\Admin\AppData\Local\Temp\jwnpsq.exe | C:\Users\Admin\AppData\Local\Temp\jwnpsq.exe
PID 1764 wrote to memory of 1072 | N/A | C:\Users\Admin\AppData\Local\Temp\jwnpsq.exe | C:\Users\Admin\AppData\Local\Temp\jwnpsq.exe
PID 1764 wrote to memory of 1072 | N/A | C:\Users\Admin\AppData\Local\Temp\jwnpsq.exe | C:\Users\Admin\AppData\Local\Temp\jwnpsq.exe
PID 1072 wrote to memory of 1620 | N/A | C:\Users\Admin\AppData\Local\Temp\jwnpsq.exe | C:\ProgramData\images.exe
PID 1072 wrote to memory of 1620 | N/A | C:\Users\Admin\AppData\Local\Temp\jwnpsq.exe | C:\ProgramData\images.exe
PID 1072 wrote to memory of 1620 | N/A | C:\Users\Admin\AppData\Local\Temp\jwnpsq.exe | C:\ProgramData\images.exe
PID 1072 wrote to memory of 1620 | N/A | C:\Users\Admin\AppData\Local\Temp\jwnpsq.exe | C:\ProgramData\images.exe
PID 1620 wrote to memory of 1656 | N/A | C:\ProgramData\images.exe | C:\Windows\SysWOW64\WerFault.exe
PID 1620 wrote to memory of 1656 | N/A | C:\ProgramData\images.exe | C:\Windows\SysWOW64\WerFault.exe
PID 1620 wrote to memory of 1656 | N/A | C:\ProgramData\images.exe | C:\Windows\SysWOW64\WerFault.exe
PID 1620 wrote to memory of 1656 | N/A | C:\ProgramData\images.exe | C:\Windows\SysWOW64\WerFault.exe

Processes

C:\Users\Admin\AppData\Local\Temp\New order No 09052622.exe

"C:\Users\Admin\AppData\Local\Temp\New order No 09052622.exe"

C:\Users\Admin\AppData\Local\Temp\jwnpsq.exe

"C:\Users\Admin\AppData\Local\Temp\jwnpsq.exe" C:\Users\Admin\AppData\Local\Temp\vrsklc.xz

C:\Users\Admin\AppData\Local\Temp\jwnpsq.exe

"C:\Users\Admin\AppData\Local\Temp\jwnpsq.exe"

C:\ProgramData\images.exe

"C:\ProgramData\images.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1620 -s 196

Network

N/A

Files

\Users\Admin\AppData\Local\Temp\jwnpsq.exe

MD5 d59554cdd4233718e886bf002a0cef7e
SHA1 9bbc2034af89d1f506c571778801bc14144c61ba
SHA256 2350ae73c003cbd494242d2cf66b5e750107666fbcb3d61f8cfaf57e4abafb71
SHA512 0f9eaeeb790c5644fbb69db30998e387d1f99af7c57f558dc912e853eaae4f840ccdb582e6862f2d5e687022e7ba7a5be2849b58212ecb767d1f779a76ad67ce

C:\Users\Admin\AppData\Local\Temp\jwnpsq.exe

MD5 d59554cdd4233718e886bf002a0cef7e
SHA1 9bbc2034af89d1f506c571778801bc14144c61ba
SHA256 2350ae73c003cbd494242d2cf66b5e750107666fbcb3d61f8cfaf57e4abafb71
SHA512 0f9eaeeb790c5644fbb69db30998e387d1f99af7c57f558dc912e853eaae4f840ccdb582e6862f2d5e687022e7ba7a5be2849b58212ecb767d1f779a76ad67ce

C:\Users\Admin\AppData\Local\Temp\vrsklc.xz

MD5 7e2edc697812c644fdc4746a640ae897
SHA1 5489052b98e2b6e1dd9324197779917476530447
SHA256 910d185175a46657ac9c59ae8b9078e1ff161d690c6c5005320a7ca7fd89144a
SHA512 36f2ea469a7ab3fe0740c4ba329ee2570e3a28f954fddc3d273e1b3253471cabcb5418a356ff82361915792aea17a73aeca6736e9873b1a56d2c09cff04779bd

C:\Users\Admin\AppData\Local\Temp\jsajvgqriul.w

MD5 2d79043ccde13c76615fef3dbf9f5577
SHA1 6b49c16ee46dc298363d68d05112e88b043ce93b
SHA256 549e8a7b2bd362b55af4e914367ed444fd327a36f6cf7a42ce1e42f066565681
SHA512 b5756da5331bb08daaa49c87ef4778f0de33e3124b87d0563d156d2f6f2184aa5cb2de3761ce708b285614cd0a2d961a48e275f1e71af335211400ba18725532

memory/1072-66-0x0000000000400000-0x0000000000554000-memory.dmp

memory/1072-70-0x0000000000400000-0x0000000000554000-memory.dmp

memory/1072-71-0x0000000000400000-0x0000000000554000-memory.dmp

C:\ProgramData\images.exe

MD5 d59554cdd4233718e886bf002a0cef7e
SHA1 9bbc2034af89d1f506c571778801bc14144c61ba
SHA256 2350ae73c003cbd494242d2cf66b5e750107666fbcb3d61f8cfaf57e4abafb71
SHA512 0f9eaeeb790c5644fbb69db30998e387d1f99af7c57f558dc912e853eaae4f840ccdb582e6862f2d5e687022e7ba7a5be2849b58212ecb767d1f779a76ad67ce

\ProgramData\images.exe

MD5 d59554cdd4233718e886bf002a0cef7e
SHA1 9bbc2034af89d1f506c571778801bc14144c61ba
SHA256 2350ae73c003cbd494242d2cf66b5e750107666fbcb3d61f8cfaf57e4abafb71
SHA512 0f9eaeeb790c5644fbb69db30998e387d1f99af7c57f558dc912e853eaae4f840ccdb582e6862f2d5e687022e7ba7a5be2849b58212ecb767d1f779a76ad67ce

memory/1072-77-0x0000000000400000-0x0000000000554000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2023-02-24 15:03

Reported

2023-02-24 15:08

Platform

win10v2004-20230220-en

Max time kernel

291s

Max time network

293s

Command Line

"C:\Users\Admin\AppData\Local\Temp\New order No 09052622.exe"

Signatures

WarzoneRat, AveMaria

rat infostealer warzonerat

Warzone RAT payload

rat
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\jwnpsq.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\jwnpsq.exe | N/A
N/A | N/A | C:\ProgramData\images.exe | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\oxxhddmvqq = "C:\\Users\\Admin\\AppData\\Roaming\\bkkg\\pyyueenjss.exe \"C:\\Users\\Admin\\AppData\\Local\\Temp\\jwnpsq.exe\" C:\\Users\\Admin\\AppData\\Local\\Tem" | C:\Users\Admin\AppData\Local\Temp\jwnpsq.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Images = "C:\\ProgramData\\images.exe" | C:\Users\Admin\AppData\Local\Temp\jwnpsq.exe | N/A

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 4424 set thread context of 4428 | N/A | C:\Users\Admin\AppData\Local\Temp\jwnpsq.exe | C:\Users\Admin\AppData\Local\Temp\jwnpsq.exe

Enumerates physical storage devices

Program crash

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\ProgramData\images.exe

Suspicious behavior: MapViewOfSection

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\jwnpsq.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\New order No 09052622.exe

"C:\Users\Admin\AppData\Local\Temp\New order No 09052622.exe"

C:\Users\Admin\AppData\Local\Temp\jwnpsq.exe

"C:\Users\Admin\AppData\Local\Temp\jwnpsq.exe" C:\Users\Admin\AppData\Local\Temp\vrsklc.xz

C:\Users\Admin\AppData\Local\Temp\jwnpsq.exe

"C:\Users\Admin\AppData\Local\Temp\jwnpsq.exe"

C:\ProgramData\images.exe

"C:\ProgramData\images.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 3792 -ip 3792

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3792 -s 516

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 164.2.77.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 240.232.229.192.in-addr.arpa | udp
US | 20.189.173.5:443 | | tcp
US | 8.8.8.8:53 | 45.8.109.52.in-addr.arpa | udp
NL | 8.238.177.126:80 | | tcp
US | 8.8.8.8:53 | 155.25.221.88.in-addr.arpa | udp
NL | 8.238.177.126:80 | | tcp
NL | 173.223.113.164:443 | | tcp
NL | 173.223.113.131:80 | | tcp
US | 131.253.33.203:80 | | tcp
US | 8.8.8.8:53 | 192.98.74.40.in-addr.arpa | udp

Files

C:\Users\Admin\AppData\Local\Temp\jwnpsq.exe

MD5 d59554cdd4233718e886bf002a0cef7e
SHA1 9bbc2034af89d1f506c571778801bc14144c61ba
SHA256 2350ae73c003cbd494242d2cf66b5e750107666fbcb3d61f8cfaf57e4abafb71
SHA512 0f9eaeeb790c5644fbb69db30998e387d1f99af7c57f558dc912e853eaae4f840ccdb582e6862f2d5e687022e7ba7a5be2849b58212ecb767d1f779a76ad67ce

C:\Users\Admin\AppData\Local\Temp\vrsklc.xz

MD5 7e2edc697812c644fdc4746a640ae897
SHA1 5489052b98e2b6e1dd9324197779917476530447
SHA256 910d185175a46657ac9c59ae8b9078e1ff161d690c6c5005320a7ca7fd89144a
SHA512 36f2ea469a7ab3fe0740c4ba329ee2570e3a28f954fddc3d273e1b3253471cabcb5418a356ff82361915792aea17a73aeca6736e9873b1a56d2c09cff04779bd

C:\Users\Admin\AppData\Local\Temp\jsajvgqriul.w

MD5 2d79043ccde13c76615fef3dbf9f5577
SHA1 6b49c16ee46dc298363d68d05112e88b043ce93b
SHA256 549e8a7b2bd362b55af4e914367ed444fd327a36f6cf7a42ce1e42f066565681
SHA512 b5756da5331bb08daaa49c87ef4778f0de33e3124b87d0563d156d2f6f2184aa5cb2de3761ce708b285614cd0a2d961a48e275f1e71af335211400ba18725532

memory/4428-142-0x0000000000400000-0x0000000000554000-memory.dmp

memory/4428-146-0x0000000000400000-0x0000000000554000-memory.dmp

memory/4428-147-0x0000000000400000-0x0000000000554000-memory.dmp

C:\ProgramData\images.exe

MD5 d59554cdd4233718e886bf002a0cef7e
SHA1 9bbc2034af89d1f506c571778801bc14144c61ba
SHA256 2350ae73c003cbd494242d2cf66b5e750107666fbcb3d61f8cfaf57e4abafb71
SHA512 0f9eaeeb790c5644fbb69db30998e387d1f99af7c57f558dc912e853eaae4f840ccdb582e6862f2d5e687022e7ba7a5be2849b58212ecb767d1f779a76ad67ce

memory/4428-151-0x0000000000400000-0x0000000000554000-memory.dmp
