Analysis
- max time kernel: 154s
- max time network: 139s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 17/02/2022, 00:10
Behavioral task behavioral1
- Sample: 80dd9997a3d7e997bda41e07b951cc4e1ce52c60113c4ce98776f42af57ea65b.exe
- Resource: win7-en-20211208
Behavioral task behavioral2
- Sample: 80dd9997a3d7e997bda41e07b951cc4e1ce52c60113c4ce98776f42af57ea65b.exe
- Resource: win10v2004-en-20220113
General
- Target: 80dd9997a3d7e997bda41e07b951cc4e1ce52c60113c4ce98776f42af57ea65b.exe
- Size: 1.3MB
- MD5: bcac3f68b7c2704b202b399007b93c22
- SHA1: bed46515483bcf895b334e919ed146fb81c35d47
- SHA256: 80dd9997a3d7e997bda41e07b951cc4e1ce52c60113c4ce98776f42af57ea65b
- SHA512: b916313639e3d254a5f728de22f78aa6187423ed26aca0c99c65bf86152ecb1025596d2531f19a0d3d3964841fccf956c455b47a25b63888bbf861c82be33dd0
Malware Config
- Extracted family: warzonerat
- C2 (host:port): wealth.warzonedns.com:5202
Signatures
-
NetWire RAT payload (25 IoCs)
YARA rule "netwire" matched the following dropped files (resource / yara_rule), all under behavioral1/files/:
  0x00070000000133dd-56.dat   netwire
  0x00070000000133dd-57.dat   netwire
  0x00070000000133dd-58.dat   netwire
  0x00070000000133dd-59.dat   netwire
  0x00070000000133dd-60.dat   netwire
  0x00070000000133dd-73.dat   netwire
  0x0006000000013902-74.dat   netwire
  0x0006000000013902-75.dat   netwire
  0x0006000000013902-76.dat   netwire
  0x00070000000138e6-81.dat   netwire
  0x00070000000138e6-82.dat   netwire
  0x00070000000133dd-84.dat   netwire
  0x00070000000133dd-85.dat   netwire
  0x00070000000133dd-87.dat   netwire
  0x00070000000133dd-86.dat   netwire
  0x00070000000133dd-88.dat   netwire
  0x0006000000013902-90.dat   netwire
  0x00070000000138e6-99.dat   netwire
  0x00070000000133dd-106.dat  netwire
  0x00070000000138e6-107.dat  netwire
  0x00070000000133dd-109.dat  netwire
  0x00070000000133dd-111.dat  netwire
  0x00070000000133dd-110.dat  netwire
  0x00070000000133dd-112.dat  netwire
  0x00070000000138e6-122.dat  netwire
-
WarzoneRat, AveMaria
WarzoneRat (also tracked as AveMaria) is a native C++ RAT sold as malware-as-a-service (MaaS) and shipped with multiple plugins.
-
Warzone RAT Payload (2 IoCs)
YARA rule "warzonerat" matched two memory dumps (resource / yara_rule):
  behavioral1/memory/880-62-0x0000000000080000-0x000000000009D000-memory.dmp  warzonerat
  behavioral1/memory/880-72-0x0000000000080000-0x000000000009D000-memory.dmp  warzonerat
Both dumps come from PID 880, the second instance of the sample that PID 952 wrote into and whose thread context it replaced (see "Suspicious use of SetThreadContext" and the process tree below). That is where the unpacked Warzone payload resides; the on-disk file is only the loader.
-
Executes dropped EXE (8 IoCs)
  pid   Process
  1640  Blasthost.exe
  860   Host.exe
  1060  RtDCpl64.exe
  1080  Blasthost.exe
  1084  RtDCpl64.exe
  1592  RtDCpl64.exe
  676   Blasthost.exe
  420   RtDCpl64.exe
-
Loads dropped DLL (13 IoCs)
  pid   Process                                                                 loads
  952   80dd9997a3d7e997bda41e07b951cc4e1ce52c60113c4ce98776f42af57ea65b.exe   4
  1640  Blasthost.exe                                                           2
  1060  RtDCpl64.exe                                                            4
  1592  RtDCpl64.exe                                                            3
-
Suspicious use of SetThreadContext (3 IoCs)
  description                            pid   Process                                                                 procid_target
  PID 952 set thread context of 880      952   80dd9997a3d7e997bda41e07b951cc4e1ce52c60113c4ce98776f42af57ea65b.exe   28
  PID 1060 set thread context of 1084    1060  RtDCpl64.exe                                                            39
  PID 1592 set thread context of 420     1592  RtDCpl64.exe                                                            46
In all three cases the target is a child the parent started from its own image (952 -> 880, 1060 -> 1084, 1592 -> 420) and had already written to (see "Suspicious use of WriteProcessMemory"): a parent that spawns a copy of itself, writes into it and then replaces the child's thread context is the classic process-hollowing (RunPE) sequence used to run the unpacked payload.
-
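The hollowing pattern described above, as an added example that is not part of the original report: the script below parses event rows in the sandbox's flattened column layout, pairs each SetThreadContext event with the WriteProcessMemory events and the process list from this report, and separates true hollowing (same image, memory written, context replaced) from other uses of the API. The process list and event rows are copied from this page; PIDs 4000/4001 and the "constructed-*" image names are constructed for the negative case and do not appear in the report.

```python
import re

# PID -> image basename, as recorded in the report's process tree.
# PIDs 4000/4001 are constructed for this example and are not on the page.
PROCESSES = {
    952: "80dd9997a3d7e997bda41e07b951cc4e1ce52c60113c4ce98776f42af57ea65b.exe",
    1640: "Blasthost.exe",
    860: "Host.exe",
    880: "80dd9997a3d7e997bda41e07b951cc4e1ce52c60113c4ce98776f42af57ea65b.exe",
    1668: "cmd.exe",
    1072: "schtasks.exe",
    1920: "taskeng.exe",
    1060: "RtDCpl64.exe",
    1080: "Blasthost.exe",
    1084: "RtDCpl64.exe",
    1564: "cmd.exe",
    1464: "schtasks.exe",
    1592: "RtDCpl64.exe",
    676: "Blasthost.exe",
    420: "RtDCpl64.exe",
    1472: "cmd.exe",
    1924: "schtasks.exe",
    4000: "constructed-debugger.exe",
    4001: "constructed-target.exe",
}

# One event per line in the sandbox's flattened column layout:
#   "PID <src> set thread context of <dst> <src> <src image> <target index>"
#   "PID <src> wrote to memory of <dst> <src> <src image> <target index>"
EVENT_RE = re.compile(
    r"^PID (?P<src>\d+) (?P<action>set thread context|wrote to memory) of (?P<dst>\d+) "
    r"\d+ (?P<image>\S+) (?P<target_idx>\d+)$"
)

# The three SetThreadContext rows from the report, one representative WriteProcessMemory row
# per (src, dst) pair in the report (repeated rows collapsed), and one constructed
# SetThreadContext row (4000 -> 4001) with no matching write, to exercise the negative path.
EVENTS = """
PID 952 set thread context of 880 952 80dd9997a3d7e997bda41e07b951cc4e1ce52c60113c4ce98776f42af57ea65b.exe 28
PID 1060 set thread context of 1084 1060 RtDCpl64.exe 39
PID 1592 set thread context of 420 1592 RtDCpl64.exe 46
PID 952 wrote to memory of 1640 952 80dd9997a3d7e997bda41e07b951cc4e1ce52c60113c4ce98776f42af57ea65b.exe 27
PID 952 wrote to memory of 880 952 80dd9997a3d7e997bda41e07b951cc4e1ce52c60113c4ce98776f42af57ea65b.exe 28
PID 1640 wrote to memory of 860 1640 Blasthost.exe 29
PID 952 wrote to memory of 1072 952 80dd9997a3d7e997bda41e07b951cc4e1ce52c60113c4ce98776f42af57ea65b.exe 30
PID 880 wrote to memory of 1668 880 80dd9997a3d7e997bda41e07b951cc4e1ce52c60113c4ce98776f42af57ea65b.exe 32
PID 1920 wrote to memory of 1060 1920 taskeng.exe 37
PID 1060 wrote to memory of 1080 1060 RtDCpl64.exe 38
PID 1060 wrote to memory of 1084 1060 RtDCpl64.exe 39
PID 1060 wrote to memory of 1464 1060 RtDCpl64.exe 40
PID 1084 wrote to memory of 1564 1084 RtDCpl64.exe 42
PID 1920 wrote to memory of 1592 1920 taskeng.exe 44
PID 1592 wrote to memory of 676 1592 RtDCpl64.exe 45
PID 1592 wrote to memory of 420 1592 RtDCpl64.exe 46
PID 420 wrote to memory of 1472 420 RtDCpl64.exe 47
PID 4000 set thread context of 4001 4000 constructed-debugger.exe 99
"""


def parse_events(text):
    """Return (action, src_pid, dst_pid) tuples; raise on a row the regex does not understand."""
    events = []
    for line in text.strip().splitlines():
        m = EVENT_RE.match(line.strip())
        if m is None:
            raise ValueError(f"unparsed event row: {line!r}")
        events.append((m["action"], int(m["src"]), int(m["dst"])))
    return events


def classify_thread_context_events(events, processes):
    """For every SetThreadContext event decide what the parent most likely did to the child.

    Hollowing (RunPE) needs all three: the child was started from the parent's own image,
    the parent wrote into the child, and the parent then replaced the child's thread context.
    The report records a write into every child, including ones started normally (e.g. 952 -> 1640),
    so a WriteProcessMemory row on its own is not a signal.
    """
    writes = {(s, d) for a, s, d in events if a == "wrote to memory"}
    findings = []
    for action, src, dst in events:
        if action != "set thread context":
            continue
        same_image = processes.get(src) is not None and processes.get(src) == processes.get(dst)
        wrote = (src, dst) in writes
        if wrote and same_image:
            verdict = "process-hollowing"
        elif wrote:
            verdict = "injection-foreign-image"
        else:
            verdict = "context-change-without-write"
        findings.append({"src": src, "dst": dst, "image": processes.get(dst), "verdict": verdict})
    return findings


def hollowed_pids(events=None, processes=PROCESSES):
    """The child PIDs whose memory should be dumped: the unpacked payload lives there."""
    events = parse_events(EVENTS) if events is None else events
    return [f["dst"] for f in classify_thread_context_events(events, processes)
            if f["verdict"] == "process-hollowing"]


if __name__ == "__main__":
    for f in classify_thread_context_events(parse_events(EVENTS), PROCESSES):
        print(f"{f['src']:>5} -> {f['dst']:<5} {f['image']:<70} {f['verdict']}")
```

Run against this report the script returns 880, 1084 and 420 as hollowed children, which matches the memory dumps that hit the "warzonerat" rule (both from PID 880). The constructed 4000 -> 4001 row shows the distinction the rule draws: changing a thread context without first writing to the process is what a debugger does, and it is reported but not called hollowing.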
autoit_exe (5 IoCs)
AutoIT scripts compiled to PE executables.
YARA rule "autoit_exe" matched the following dropped files (resource / yara_rule), all under behavioral1/files/:
  0x00070000000138e6-81.dat   autoit_exe
  0x00070000000138e6-82.dat   autoit_exe
  0x00070000000138e6-99.dat   autoit_exe
  0x00070000000138e6-107.dat  autoit_exe
  0x00070000000138e6-122.dat  autoit_exe
These five files are the same 0x00070000000138e6 resources that also matched the "netwire" rule above, so that dropped component is a compiled AutoIt executable.
-
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). The sandbox attaches "Likely ransomware behaviour" to this generic signature, but nothing else in this report (extracted WarzoneRAT configuration, RAT payload matches, scheduled-task persistence) points to file encryption; read it as drive enumeration by the RAT rather than as a ransomware indicator.
-
Creates scheduled task(s) (1 TTP, 3 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
  pid   Process
  1072  schtasks.exe
  1464  schtasks.exe
  1924  schtasks.exe
All three invocations create the same task, "raserver", with the same command line (see the process tree): the first from the original sample (PID 1072), the other two from the RtDCpl64.exe instances that the task itself launched under taskeng.exe (PIDs 1464 and 1924). The task fires every minute and the payload re-creates it with /F on each run, so it re-establishes itself if deleted.
-
Suspicious use of WriteProcessMemory (64 IoCs)
Repeated rows for the same (pid, target) pair are collapsed; the count column gives the number of rows in the report.
  description                         pid   Process                                                                 procid_target  count
  PID 952 wrote to memory of 1640     952   80dd9997a3d7e997bda41e07b951cc4e1ce52c60113c4ce98776f42af57ea65b.exe   27             4
  PID 952 wrote to memory of 880      952   80dd9997a3d7e997bda41e07b951cc4e1ce52c60113c4ce98776f42af57ea65b.exe   28             6
  PID 1640 wrote to memory of 860     1640  Blasthost.exe                                                           29             4
  PID 952 wrote to memory of 1072     952   80dd9997a3d7e997bda41e07b951cc4e1ce52c60113c4ce98776f42af57ea65b.exe   30             4
  PID 880 wrote to memory of 1668     880   80dd9997a3d7e997bda41e07b951cc4e1ce52c60113c4ce98776f42af57ea65b.exe   32             6
  PID 1920 wrote to memory of 1060    1920  taskeng.exe                                                             37             4
  PID 1060 wrote to memory of 1080    1060  RtDCpl64.exe                                                            38             4
  PID 1060 wrote to memory of 1084    1060  RtDCpl64.exe                                                            39             6
  PID 1060 wrote to memory of 1464    1060  RtDCpl64.exe                                                            40             4
  PID 1084 wrote to memory of 1564    1084  RtDCpl64.exe                                                            42             6
  PID 1920 wrote to memory of 1592    1920  taskeng.exe                                                             44             4
  PID 1592 wrote to memory of 676     1592  RtDCpl64.exe                                                            45             4
  PID 1592 wrote to memory of 420     1592  RtDCpl64.exe                                                            46             6
  PID 420 wrote to memory of 1472     420   RtDCpl64.exe                                                            47             2
Processes
- C:\Users\Admin\AppData\Local\Temp\80dd9997a3d7e997bda41e07b951cc4e1ce52c60113c4ce98776f42af57ea65b.exe (PID 952, level 1)
  command line: "C:\Users\Admin\AppData\Local\Temp\80dd9997a3d7e997bda41e07b951cc4e1ce52c60113c4ce98776f42af57ea65b.exe"
  signatures: Loads dropped DLL; Suspicious use of SetThreadContext; Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Roaming\Blasthost.exe (PID 1640, level 2)
    command line: "C:\Users\Admin\AppData\Roaming\Blasthost.exe"
    signatures: Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Roaming\Imgburn\Host.exe (PID 860, level 3)
      command line: "C:\Users\Admin\AppData\Roaming\Imgburn\Host.exe"
      signatures: Executes dropped EXE
  - C:\Users\Admin\AppData\Local\Temp\80dd9997a3d7e997bda41e07b951cc4e1ce52c60113c4ce98776f42af57ea65b.exe (PID 880, level 2)
    command line: "C:\Users\Admin\AppData\Local\Temp\80dd9997a3d7e997bda41e07b951cc4e1ce52c60113c4ce98776f42af57ea65b.exe"
    signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\cmd.exe (PID 1668, level 3)
      command line: "C:\Windows\System32\cmd.exe"
  - C:\Windows\SysWOW64\schtasks.exe (PID 1072, level 2)
    command line: "C:\Windows\SysWOW64\schtasks.exe" /create /tn raserver /tr "C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe" /sc minute /mo 1 /F
    signatures: Creates scheduled task(s)
- C:\Windows\system32\taskeng.exe (PID 1920, level 1)
  command line: taskeng.exe {FEEC22BA-3ABB-4FE0-8C79-FCF9979BCA7C} S-1-5-21-2329389628-4064185017-3901522362-1000:QSKGHMYQ\Admin:Interactive:[1]
  signatures: Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe (PID 1060, level 2)
    command line: C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
    signatures: Executes dropped EXE; Loads dropped DLL; Suspicious use of SetThreadContext; Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Roaming\Blasthost.exe (PID 1080, level 3)
      command line: "C:\Users\Admin\AppData\Roaming\Blasthost.exe"
      signatures: Executes dropped EXE
    - C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe (PID 1084, level 3)
      command line: "C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe"
      signatures: Executes dropped EXE; Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\cmd.exe (PID 1564, level 4)
        command line: "C:\Windows\System32\cmd.exe"
    - C:\Windows\SysWOW64\schtasks.exe (PID 1464, level 3)
      command line: "C:\Windows\SysWOW64\schtasks.exe" /create /tn raserver /tr "C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe" /sc minute /mo 1 /F
      signatures: Creates scheduled task(s)
  - C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe (PID 1592, level 2)
    command line: C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
    signatures: Executes dropped EXE; Loads dropped DLL; Suspicious use of SetThreadContext; Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Roaming\Blasthost.exe (PID 676, level 3)
      command line: "C:\Users\Admin\AppData\Roaming\Blasthost.exe"
      signatures: Executes dropped EXE
    - C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe (PID 420, level 3)
      command line: "C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe"
      signatures: Executes dropped EXE; Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\cmd.exe (PID 1472, level 4)
        command line: "C:\Windows\System32\cmd.exe"
    - C:\Windows\SysWOW64\schtasks.exe (PID 1924, level 3)
      command line: "C:\Windows\SysWOW64\schtasks.exe" /create /tn raserver /tr "C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe" /sc minute /mo 1 /F
      signatures: Creates scheduled task(s)
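The scheduled-task persistence visible in the process tree (task "raserver", fired every minute, re-created with /F by each RtDCpl64.exe run), as an added example that is not part of the original report: the script below tokenises a schtasks command line, pulls out the task name, action and schedule, and scores it on the three properties that make this one a persistence candidate. REPORT_CMDLINE is the line recorded for PIDs 1072, 1464 and 1924 on this page; BENIGN_CMDLINE, the USER_WRITABLE marker list and the two-reason threshold are assumptions made for the example.

```python
import re

# Tokeniser for a Windows command line: keep "quoted strings" together, split the rest on whitespace.
TOKEN_RE = re.compile(r'"[^"]*"|\S+')

# Directory markers an unprivileged user can write to; an assumption for this example, not from the report.
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\users\\public\\", "\\programdata\\")

# The command line recorded three times in this report's process tree (PIDs 1072, 1464, 1924).
REPORT_CMDLINE = (
    '"C:\\Windows\\SysWOW64\\schtasks.exe" /create /tn raserver '
    '/tr "C:\\Users\\Admin\\AppData\\Roaming\\aepic\\RtDCpl64.exe" /sc minute /mo 1 /F'
)

# Constructed, not from the report: what a legitimate nightly task looks like.
BENIGN_CMDLINE = (
    'schtasks.exe /create /tn "Nightly Backup" '
    '/tr "C:\\Program Files\\Backup\\backup.exe" /sc daily /st 02:00'
)


def parse_schtasks(cmdline):
    """Return {option: value or True} for a schtasks command line; option names are lower-cased."""
    tokens = [t.strip('"') for t in TOKEN_RE.findall(cmdline)]
    if not tokens or not tokens[0].lower().endswith("schtasks.exe"):
        raise ValueError("not a schtasks command line")
    opts, i = {}, 1
    while i < len(tokens):
        tok = tokens[i]
        if tok.startswith("/"):
            key = tok[1:].lower()
            has_value = i + 1 < len(tokens) and not tokens[i + 1].startswith("/")
            opts[key] = tokens[i + 1] if has_value else True
            i += 2 if has_value else 1
        else:
            i += 1
    return opts


def triage_schtasks(cmdline):
    """Score a schtasks /create line; two or more reasons mark it as a persistence candidate."""
    opts = parse_schtasks(cmdline)
    if "create" not in opts:
        return {"task": opts.get("tn"), "action": None, "schedule": None,
                "reasons": [], "persistence_candidate": False}
    action = str(opts.get("tr", ""))
    reasons = []
    if any(marker in action.lower() for marker in USER_WRITABLE):
        reasons.append("action runs from a user-writable directory")
    schedule = str(opts.get("sc", "")).lower()
    modifier = str(opts.get("mo", "1"))  # schtasks defaults /mo to 1 when it is omitted
    if schedule == "minute" and modifier.isdigit() and int(modifier) <= 5:
        reasons.append(f"fires every {modifier} minute(s)")
    if opts.get("f") is True:
        reasons.append("/F overwrites an existing task of the same name without prompting")
    return {
        "task": opts.get("tn"),
        "action": action,
        "schedule": f"{schedule} /mo {modifier}" if schedule else None,
        "reasons": reasons,
        "persistence_candidate": len(reasons) >= 2,
    }


if __name__ == "__main__":
    for line in (REPORT_CMDLINE, BENIGN_CMDLINE):
        print(triage_schtasks(line))
```

On the report's line the three reasons all fire (AppData action path, one-minute schedule, /F), which is exactly the loop the tree shows: taskeng.exe starts RtDCpl64.exe every minute, and each run re-registers "raserver". A responder who only deletes the task while a RtDCpl64.exe instance is still alive will see it reappear within a minute; kill the processes first, then remove the task and the aepic directory.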