Analysis

max time kernel: 157s
max time network: 166s
platform: windows10-2004_x64
resource: win10v2004-en-20220113
submitted: 17/02/2022, 00:10
Behavioral task: behavioral1
Sample: 80dd9997a3d7e997bda41e07b951cc4e1ce52c60113c4ce98776f42af57ea65b.exe
Resource: win7-en-20211208

Behavioral task: behavioral2
Sample: 80dd9997a3d7e997bda41e07b951cc4e1ce52c60113c4ce98776f42af57ea65b.exe
Resource: win10v2004-en-20220113
General

Target: 80dd9997a3d7e997bda41e07b951cc4e1ce52c60113c4ce98776f42af57ea65b.exe
Size: 1.3MB
MD5: bcac3f68b7c2704b202b399007b93c22
SHA1: bed46515483bcf895b334e919ed146fb81c35d47
SHA256: 80dd9997a3d7e997bda41e07b951cc4e1ce52c60113c4ce98776f42af57ea65b
SHA512: b916313639e3d254a5f728de22f78aa6187423ed26aca0c99c65bf86152ecb1025596d2531f19a0d3d3964841fccf956c455b47a25b63888bbf861c82be33dd0
Malware Config

Extracted
Family: warzonerat
C2: wealth.warzonedns.com:5202
Signatures

NetWire RAT payload (15 IoCs)
resource | yara_rule
behavioral2/files/0x000900000001e7bd-130.dat | netwire
behavioral2/files/0x000900000001e7bd-131.dat | netwire
behavioral2/files/0x000400000001e7d4-141.dat | netwire
behavioral2/files/0x000400000001e7d4-142.dat | netwire
behavioral2/files/0x000400000001e7d8-144.dat | netwire
behavioral2/files/0x000400000001e7d8-145.dat | netwire
behavioral2/files/0x000900000001e7bd-146.dat | netwire
behavioral2/files/0x000400000001e7d8-154.dat | netwire
behavioral2/files/0x000900000001e7bd-157.dat | netwire
behavioral2/files/0x000400000001e7d8-161.dat | netwire
behavioral2/files/0x000900000001e7bd-162.dat | netwire
behavioral2/files/0x000400000001e7d8-170.dat | netwire
behavioral2/files/0x000400000001e7d8-173.dat | netwire
behavioral2/files/0x000900000001e7bd-174.dat | netwire
behavioral2/files/0x000400000001e7d8-182.dat | netwire
WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.

Warzone RAT Payload (2 IoCs)
resource | yara_rule
behavioral2/memory/4284-133-0x0000000000400000-0x000000000041D000-memory.dmp | warzonerat
behavioral2/memory/4284-140-0x0000000000400000-0x000000000041D000-memory.dmp | warzonerat
Executes dropped EXE (11 IoCs)
pid | Process
4348 | Blasthost.exe
4832 | Host.exe
3528 | RtDCpl64.exe
4088 | Blasthost.exe
112 | RtDCpl64.exe
4084 | RtDCpl64.exe
4844 | Blasthost.exe
4912 | RtDCpl64.exe
4568 | RtDCpl64.exe
720 | Blasthost.exe
1124 | RtDCpl64.exe
Checks computer location settings (2 TTPs, 4 IoCs)
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation | 80dd9997a3d7e997bda41e07b951cc4e1ce52c60113c4ce98776f42af57ea65b.exe
Key value queried | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation | RtDCpl64.exe
Key value queried | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation | RtDCpl64.exe
Key value queried | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation | RtDCpl64.exe
Suspicious use of SetThreadContext (4 IoCs)
description | pid | Process | procid_target
PID 1512 set thread context of 4284 | 1512 | 80dd9997a3d7e997bda41e07b951cc4e1ce52c60113c4ce98776f42af57ea65b.exe | 83
PID 3528 set thread context of 112 | 3528 | RtDCpl64.exe | 95
PID 4084 set thread context of 4912 | 4084 | RtDCpl64.exe | 113
PID 4568 set thread context of 1124 | 4568 | RtDCpl64.exe | 127
autoit_exe (7 IoCs)
AutoIT scripts compiled to PE executables.
resource | yara_rule
behavioral2/files/0x000400000001e7d8-144.dat | autoit_exe
behavioral2/files/0x000400000001e7d8-145.dat | autoit_exe
behavioral2/files/0x000400000001e7d8-154.dat | autoit_exe
behavioral2/files/0x000400000001e7d8-161.dat | autoit_exe
behavioral2/files/0x000400000001e7d8-170.dat | autoit_exe
behavioral2/files/0x000400000001e7d8-173.dat | autoit_exe
behavioral2/files/0x000400000001e7d8-182.dat | autoit_exe
Drops file in Windows directory (8 IoCs)
description | ioc | Process
File opened for modification | C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log | svchost.exe
File opened for modification | C:\Windows\SoftwareDistribution\DataStore\DataStore.edb | svchost.exe
File opened for modification | C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm | svchost.exe
File opened for modification | C:\Windows\SoftwareDistribution\ReportingEvents.log | svchost.exe
File opened for modification | C:\Windows\Logs\CBS\CBS.log | TiWorker.exe
File opened for modification | C:\Windows\WinSxS\pending.xml | TiWorker.exe
File opened for modification | C:\Windows\WindowsUpdate.log | svchost.exe
File opened for modification | C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk | svchost.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Creates scheduled task(s) (1 TTPs, 4 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid | Process
4060 | schtasks.exe
4480 | schtasks.exe
4740 | schtasks.exe
5104 | schtasks.exe
Suspicious use of AdjustPrivilegeToken (64 IoCs)
description | pid | Process
Token: SeShutdownPrivilege | 4140 | svchost.exe
Token: SeCreatePagefilePrivilege | 4140 | svchost.exe
Token: SeShutdownPrivilege | 4140 | svchost.exe
Token: SeCreatePagefilePrivilege | 4140 | svchost.exe
Token: SeShutdownPrivilege | 4140 | svchost.exe
Token: SeCreatePagefilePrivilege | 4140 | svchost.exe
Token: SeSecurityPrivilege | 1412 | TiWorker.exe
Token: SeRestorePrivilege | 1412 | TiWorker.exe
Token: SeBackupPrivilege | 1412 | TiWorker.exe
Token: SeBackupPrivilege | 1412 | TiWorker.exe
Token: SeRestorePrivilege | 1412 | TiWorker.exe
Token: SeSecurityPrivilege | 1412 | TiWorker.exe
Token: SeBackupPrivilege | 1412 | TiWorker.exe
Token: SeRestorePrivilege | 1412 | TiWorker.exe
Token: SeSecurityPrivilege | 1412 | TiWorker.exe
Token: SeBackupPrivilege | 1412 | TiWorker.exe
Token: SeRestorePrivilege | 1412 | TiWorker.exe
Token: SeSecurityPrivilege | 1412 | TiWorker.exe
Token: SeBackupPrivilege | 1412 | TiWorker.exe
Token: SeRestorePrivilege | 1412 | TiWorker.exe
Token: SeSecurityPrivilege | 1412 | TiWorker.exe
Token: SeBackupPrivilege | 1412 | TiWorker.exe
Token: SeRestorePrivilege | 1412 | TiWorker.exe
Token: SeSecurityPrivilege | 1412 | TiWorker.exe
Token: SeBackupPrivilege | 1412 | TiWorker.exe
Token: SeRestorePrivilege | 1412 | TiWorker.exe
Token: SeSecurityPrivilege | 1412 | TiWorker.exe
Token: SeBackupPrivilege | 1412 | TiWorker.exe
Token: SeRestorePrivilege | 1412 | TiWorker.exe
Token: SeSecurityPrivilege | 1412 | TiWorker.exe
Token: SeBackupPrivilege | 1412 | TiWorker.exe
Token: SeRestorePrivilege | 1412 | TiWorker.exe
Token: SeSecurityPrivilege | 1412 | TiWorker.exe
Token: SeBackupPrivilege | 1412 | TiWorker.exe
Token: SeRestorePrivilege | 1412 | TiWorker.exe
Token: SeSecurityPrivilege | 1412 | TiWorker.exe
Token: SeBackupPrivilege | 1412 | TiWorker.exe
Token: SeRestorePrivilege | 1412 | TiWorker.exe
Token: SeSecurityPrivilege | 1412 | TiWorker.exe
Token: SeBackupPrivilege | 1412 | TiWorker.exe
Token: SeRestorePrivilege | 1412 | TiWorker.exe
Token: SeSecurityPrivilege | 1412 | TiWorker.exe
Token: SeBackupPrivilege | 1412 | TiWorker.exe
Token: SeRestorePrivilege | 1412 | TiWorker.exe
Token: SeSecurityPrivilege | 1412 | TiWorker.exe
Token: SeBackupPrivilege | 1412 | TiWorker.exe
Token: SeRestorePrivilege | 1412 | TiWorker.exe
Token: SeSecurityPrivilege | 1412 | TiWorker.exe
Token: SeBackupPrivilege | 1412 | TiWorker.exe
Token: SeRestorePrivilege | 1412 | TiWorker.exe
Token: SeSecurityPrivilege | 1412 | TiWorker.exe
Token: SeBackupPrivilege | 1412 | TiWorker.exe
Token: SeRestorePrivilege | 1412 | TiWorker.exe
Token: SeSecurityPrivilege | 1412 | TiWorker.exe
Token: SeBackupPrivilege | 1412 | TiWorker.exe
Token: SeRestorePrivilege | 1412 | TiWorker.exe
Token: SeSecurityPrivilege | 1412 | TiWorker.exe
Token: SeBackupPrivilege | 1412 | TiWorker.exe
Token: SeRestorePrivilege | 1412 | TiWorker.exe
Token: SeSecurityPrivilege | 1412 | TiWorker.exe
Token: SeBackupPrivilege | 1412 | TiWorker.exe
Token: SeRestorePrivilege | 1412 | TiWorker.exe
Token: SeSecurityPrivilege | 1412 | TiWorker.exe
Token: SeBackupPrivilege | 1412 | TiWorker.exe
Suspicious use of WriteProcessMemory (64 IoCs)
description | pid | Process | procid_target
PID 1512 wrote to memory of 4348 | 1512 | 80dd9997a3d7e997bda41e07b951cc4e1ce52c60113c4ce98776f42af57ea65b.exe | 81
PID 1512 wrote to memory of 4348 | 1512 | 80dd9997a3d7e997bda41e07b951cc4e1ce52c60113c4ce98776f42af57ea65b.exe | 81
PID 1512 wrote to memory of 4348 | 1512 | 80dd9997a3d7e997bda41e07b951cc4e1ce52c60113c4ce98776f42af57ea65b.exe | 81
PID 1512 wrote to memory of 4284 | 1512 | 80dd9997a3d7e997bda41e07b951cc4e1ce52c60113c4ce98776f42af57ea65b.exe | 83
PID 1512 wrote to memory of 4284 | 1512 | 80dd9997a3d7e997bda41e07b951cc4e1ce52c60113c4ce98776f42af57ea65b.exe | 83
PID 1512 wrote to memory of 4284 | 1512 | 80dd9997a3d7e997bda41e07b951cc4e1ce52c60113c4ce98776f42af57ea65b.exe | 83
PID 1512 wrote to memory of 4284 | 1512 | 80dd9997a3d7e997bda41e07b951cc4e1ce52c60113c4ce98776f42af57ea65b.exe | 83
PID 1512 wrote to memory of 4284 | 1512 | 80dd9997a3d7e997bda41e07b951cc4e1ce52c60113c4ce98776f42af57ea65b.exe | 83
PID 4348 wrote to memory of 4832 | 4348 | Blasthost.exe | 84
PID 4348 wrote to memory of 4832 | 4348 | Blasthost.exe | 84
PID 4348 wrote to memory of 4832 | 4348 | Blasthost.exe | 84
PID 1512 wrote to memory of 4060 | 1512 | 80dd9997a3d7e997bda41e07b951cc4e1ce52c60113c4ce98776f42af57ea65b.exe | 85
PID 1512 wrote to memory of 4060 | 1512 | 80dd9997a3d7e997bda41e07b951cc4e1ce52c60113c4ce98776f42af57ea65b.exe | 85
PID 1512 wrote to memory of 4060 | 1512 | 80dd9997a3d7e997bda41e07b951cc4e1ce52c60113c4ce98776f42af57ea65b.exe | 85
PID 4284 wrote to memory of 3016 | 4284 | 80dd9997a3d7e997bda41e07b951cc4e1ce52c60113c4ce98776f42af57ea65b.exe | 87
PID 4284 wrote to memory of 3016 | 4284 | 80dd9997a3d7e997bda41e07b951cc4e1ce52c60113c4ce98776f42af57ea65b.exe | 87
PID 4284 wrote to memory of 3016 | 4284 | 80dd9997a3d7e997bda41e07b951cc4e1ce52c60113c4ce98776f42af57ea65b.exe | 87
PID 4284 wrote to memory of 3016 | 4284 | 80dd9997a3d7e997bda41e07b951cc4e1ce52c60113c4ce98776f42af57ea65b.exe | 87
PID 4284 wrote to memory of 3016 | 4284 | 80dd9997a3d7e997bda41e07b951cc4e1ce52c60113c4ce98776f42af57ea65b.exe | 87
PID 3528 wrote to memory of 4088 | 3528 | RtDCpl64.exe | 94
PID 3528 wrote to memory of 4088 | 3528 | RtDCpl64.exe | 94
PID 3528 wrote to memory of 4088 | 3528 | RtDCpl64.exe | 94
PID 3528 wrote to memory of 112 | 3528 | RtDCpl64.exe | 95
PID 3528 wrote to memory of 112 | 3528 | RtDCpl64.exe | 95
PID 3528 wrote to memory of 112 | 3528 | RtDCpl64.exe | 95
PID 3528 wrote to memory of 112 | 3528 | RtDCpl64.exe | 95
PID 3528 wrote to memory of 112 | 3528 | RtDCpl64.exe | 95
PID 112 wrote to memory of 3452 | 112 | RtDCpl64.exe | 96
PID 112 wrote to memory of 3452 | 112 | RtDCpl64.exe | 96
PID 112 wrote to memory of 3452 | 112 | RtDCpl64.exe | 96
PID 3528 wrote to memory of 4480 | 3528 | RtDCpl64.exe | 98
PID 3528 wrote to memory of 4480 | 3528 | RtDCpl64.exe | 98
PID 3528 wrote to memory of 4480 | 3528 | RtDCpl64.exe | 98
PID 112 wrote to memory of 3452 | 112 | RtDCpl64.exe | 96
PID 112 wrote to memory of 3452 | 112 | RtDCpl64.exe | 96
PID 4084 wrote to memory of 4844 | 4084 | RtDCpl64.exe | 112
PID 4084 wrote to memory of 4844 | 4084 | RtDCpl64.exe | 112
PID 4084 wrote to memory of 4844 | 4084 | RtDCpl64.exe | 112
PID 4084 wrote to memory of 4912 | 4084 | RtDCpl64.exe | 113
PID 4084 wrote to memory of 4912 | 4084 | RtDCpl64.exe | 113
PID 4084 wrote to memory of 4912 | 4084 | RtDCpl64.exe | 113
PID 4084 wrote to memory of 4912 | 4084 | RtDCpl64.exe | 113
PID 4084 wrote to memory of 4912 | 4084 | RtDCpl64.exe | 113
PID 4912 wrote to memory of 364 | 4912 | RtDCpl64.exe | 114
PID 4912 wrote to memory of 364 | 4912 | RtDCpl64.exe | 114
PID 4912 wrote to memory of 364 | 4912 | RtDCpl64.exe | 114
PID 4084 wrote to memory of 4740 | 4084 | RtDCpl64.exe | 116
PID 4084 wrote to memory of 4740 | 4084 | RtDCpl64.exe | 116
PID 4084 wrote to memory of 4740 | 4084 | RtDCpl64.exe | 116
PID 4912 wrote to memory of 364 | 4912 | RtDCpl64.exe | 114
PID 4912 wrote to memory of 364 | 4912 | RtDCpl64.exe | 114
PID 4568 wrote to memory of 720 | 4568 | RtDCpl64.exe | 126
PID 4568 wrote to memory of 720 | 4568 | RtDCpl64.exe | 126
PID 4568 wrote to memory of 720 | 4568 | RtDCpl64.exe | 126
PID 4568 wrote to memory of 1124 | 4568 | RtDCpl64.exe | 127
PID 4568 wrote to memory of 1124 | 4568 | RtDCpl64.exe | 127
PID 4568 wrote to memory of 1124 | 4568 | RtDCpl64.exe | 127
PID 4568 wrote to memory of 1124 | 4568 | RtDCpl64.exe | 127
PID 4568 wrote to memory of 1124 | 4568 | RtDCpl64.exe | 127
PID 1124 wrote to memory of 1816 | 1124 | RtDCpl64.exe | 128
PID 1124 wrote to memory of 1816 | 1124 | RtDCpl64.exe | 128
PID 1124 wrote to memory of 1816 | 1124 | RtDCpl64.exe | 128
PID 4568 wrote to memory of 5104 | 4568 | RtDCpl64.exe | 130
PID 4568 wrote to memory of 5104 | 4568 | RtDCpl64.exe | 130
Processes

C:\Users\Admin\AppData\Local\Temp\80dd9997a3d7e997bda41e07b951cc4e1ce52c60113c4ce98776f42af57ea65b.exe (PID 1512)
  Command line: "C:\Users\Admin\AppData\Local\Temp\80dd9997a3d7e997bda41e07b951cc4e1ce52c60113c4ce98776f42af57ea65b.exe"
  - Checks computer location settings
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Roaming\Blasthost.exe (PID 4348)
      Command line: "C:\Users\Admin\AppData\Roaming\Blasthost.exe"
      - Executes dropped EXE
      - Suspicious use of WriteProcessMemory
        C:\Users\Admin\AppData\Roaming\Imgburn\Host.exe (PID 4832)
          Command line: "C:\Users\Admin\AppData\Roaming\Imgburn\Host.exe"
          - Executes dropped EXE
    C:\Users\Admin\AppData\Local\Temp\80dd9997a3d7e997bda41e07b951cc4e1ce52c60113c4ce98776f42af57ea65b.exe (PID 4284)
      Command line: "C:\Users\Admin\AppData\Local\Temp\80dd9997a3d7e997bda41e07b951cc4e1ce52c60113c4ce98776f42af57ea65b.exe"
      - Suspicious use of WriteProcessMemory
        C:\Windows\SysWOW64\cmd.exe (PID 3016)
          Command line: "C:\Windows\System32\cmd.exe"
    C:\Windows\SysWOW64\schtasks.exe (PID 4060)
      Command line: "C:\Windows\SysWOW64\schtasks.exe" /create /tn raserver /tr "C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe" /sc minute /mo 1 /F
      - Creates scheduled task(s)

C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe (PID 3528)
  Command line: C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
  - Executes dropped EXE
  - Checks computer location settings
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Roaming\Blasthost.exe (PID 4088)
      Command line: "C:\Users\Admin\AppData\Roaming\Blasthost.exe"
      - Executes dropped EXE
    C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe (PID 112)
      Command line: "C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe"
      - Executes dropped EXE
      - Suspicious use of WriteProcessMemory
        C:\Windows\SysWOW64\cmd.exe (PID 3452)
          Command line: "C:\Windows\System32\cmd.exe"
    C:\Windows\SysWOW64\schtasks.exe (PID 4480)
      Command line: "C:\Windows\SysWOW64\schtasks.exe" /create /tn raserver /tr "C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe" /sc minute /mo 1 /F
      - Creates scheduled task(s)

C:\Windows\system32\svchost.exe (PID 4140)
  Command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken

C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe (PID 4084)
  Command line: C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
  - Executes dropped EXE
  - Checks computer location settings
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Roaming\Blasthost.exe (PID 4844)
      Command line: "C:\Users\Admin\AppData\Roaming\Blasthost.exe"
      - Executes dropped EXE
    C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe (PID 4912)
      Command line: "C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe"
      - Executes dropped EXE
      - Suspicious use of WriteProcessMemory
        C:\Windows\SysWOW64\cmd.exe (PID 364)
          Command line: "C:\Windows\System32\cmd.exe"
    C:\Windows\SysWOW64\schtasks.exe (PID 4740)
      Command line: "C:\Windows\SysWOW64\schtasks.exe" /create /tn raserver /tr "C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe" /sc minute /mo 1 /F
      - Creates scheduled task(s)

C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe (PID 1412)
  Command line: C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken

C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe (PID 4568)
  Command line: C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
  - Executes dropped EXE
  - Checks computer location settings
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Roaming\Blasthost.exe (PID 720)
      Command line: "C:\Users\Admin\AppData\Roaming\Blasthost.exe"
      - Executes dropped EXE
    C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe (PID 1124)
      Command line: "C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe"
      - Executes dropped EXE
      - Suspicious use of WriteProcessMemory
        C:\Windows\SysWOW64\cmd.exe (PID 1816)
          Command line: "C:\Windows\System32\cmd.exe"
    C:\Windows\SysWOW64\schtasks.exe (PID 5104)
      Command line: "C:\Windows\SysWOW64\schtasks.exe" /create /tn raserver /tr "C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe" /sc minute /mo 1 /F
      - Creates scheduled task(s)