Analysis
- max time kernel: 155s
- max time network: 129s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 17/02/2022, 00:10
Behavioral task: behavioral1
- Sample: 80aa3b26af6e7cbb8d1918a82fa6bc07c3bd6cca14460743eb3b4813df433066.exe
- Resource: win7-en-20211208
Behavioral task: behavioral2
- Sample: 80aa3b26af6e7cbb8d1918a82fa6bc07c3bd6cca14460743eb3b4813df433066.exe
- Resource: win10v2004-en-20220113
General
- Target: 80aa3b26af6e7cbb8d1918a82fa6bc07c3bd6cca14460743eb3b4813df433066.exe
- Size: 1.3MB
- MD5: 09562c72fd075ce98816c5bb93d791d1
- SHA1: 399f98dcf86838c28506a61960dd2e7642c18710
- SHA256: 80aa3b26af6e7cbb8d1918a82fa6bc07c3bd6cca14460743eb3b4813df433066
- SHA512: 160a6dcf0184568ccb640736aa11f268546973a872378a1fadc8001b31b5ee06822cd3da21d05f199fdaeeb8826e06ddac1cd5c77c90819da24185c6324fd5c9
Malware Config
Extracted: warzonerat
- wealth.warzonedns.com:5202
Signatures

NetWire RAT payload (25 IoCs)
- behavioral1/files/0x000700000001321e-55.dat (yara_rule: netwire)
- behavioral1/files/0x000700000001321e-56.dat (yara_rule: netwire)
- behavioral1/files/0x000700000001321e-58.dat (yara_rule: netwire)
- behavioral1/files/0x000700000001321e-57.dat (yara_rule: netwire)
- behavioral1/files/0x000700000001321e-59.dat (yara_rule: netwire)
- behavioral1/files/0x000700000001321e-61.dat (yara_rule: netwire)
- behavioral1/files/0x00070000000132fe-62.dat (yara_rule: netwire)
- behavioral1/files/0x00070000000132fe-63.dat (yara_rule: netwire)
- behavioral1/files/0x00070000000132fe-64.dat (yara_rule: netwire)
- behavioral1/files/0x00060000000133c1-80.dat (yara_rule: netwire)
- behavioral1/files/0x00060000000133c1-81.dat (yara_rule: netwire)
- behavioral1/files/0x000700000001321e-83.dat (yara_rule: netwire)
- behavioral1/files/0x000700000001321e-84.dat (yara_rule: netwire)
- behavioral1/files/0x000700000001321e-85.dat (yara_rule: netwire)
- behavioral1/files/0x000700000001321e-86.dat (yara_rule: netwire)
- behavioral1/files/0x000700000001321e-87.dat (yara_rule: netwire)
- behavioral1/files/0x00070000000132fe-89.dat (yara_rule: netwire)
- behavioral1/files/0x00060000000133c1-98.dat (yara_rule: netwire)
- behavioral1/files/0x000700000001321e-104.dat (yara_rule: netwire)
- behavioral1/files/0x00060000000133c1-105.dat (yara_rule: netwire)
- behavioral1/files/0x000700000001321e-107.dat (yara_rule: netwire)
- behavioral1/files/0x000700000001321e-108.dat (yara_rule: netwire)
- behavioral1/files/0x000700000001321e-109.dat (yara_rule: netwire)
- behavioral1/files/0x000700000001321e-110.dat (yara_rule: netwire)
- behavioral1/files/0x00060000000133c1-120.dat (yara_rule: netwire)
WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.

Warzone RAT Payload (6 IoCs)
- behavioral1/memory/1496-67-0x0000000000400000-0x000000000041D000-memory.dmp (yara_rule: warzonerat)
- behavioral1/memory/1496-75-0x0000000000400000-0x000000000041D000-memory.dmp (yara_rule: warzonerat)
- behavioral1/memory/1748-91-0x00000000000C0000-0x00000000000DD000-memory.dmp (yara_rule: warzonerat)
- behavioral1/memory/1748-100-0x00000000000C0000-0x00000000000DD000-memory.dmp (yara_rule: warzonerat)
- behavioral1/memory/320-113-0x0000000000080000-0x000000000009D000-memory.dmp (yara_rule: warzonerat)
- behavioral1/memory/320-122-0x0000000000080000-0x000000000009D000-memory.dmp (yara_rule: warzonerat)
Executes dropped EXE (8 IoCs)
- pid 744: Blasthost.exe
- pid 924: Host.exe
- pid 1292: RtDCpl64.exe
- pid 1736: Blasthost.exe
- pid 1748: RtDCpl64.exe
- pid 852: RtDCpl64.exe
- pid 1792: Blasthost.exe
- pid 320: RtDCpl64.exe
Loads dropped DLL (13 IoCs)
- pid 320: 80aa3b26af6e7cbb8d1918a82fa6bc07c3bd6cca14460743eb3b4813df433066.exe (4 entries)
- pid 744: Blasthost.exe (2 entries)
- pid 1292: RtDCpl64.exe (4 entries)
- pid 852: RtDCpl64.exe (3 entries)
Suspicious use of SetThreadContext (3 IoCs)
- PID 320 set thread context of 1496 (pid 320, 80aa3b26af6e7cbb8d1918a82fa6bc07c3bd6cca14460743eb3b4813df433066.exe, procid_target 29)
- PID 1292 set thread context of 1748 (pid 1292, RtDCpl64.exe, procid_target 37)
- PID 852 set thread context of 320 (pid 852, RtDCpl64.exe, procid_target 46)
autoit_exe (5 IoCs)
AutoIT scripts compiled to PE executables.
- behavioral1/files/0x00060000000133c1-80.dat (yara_rule: autoit_exe)
- behavioral1/files/0x00060000000133c1-81.dat (yara_rule: autoit_exe)
- behavioral1/files/0x00060000000133c1-98.dat (yara_rule: autoit_exe)
- behavioral1/files/0x00060000000133c1-105.dat (yara_rule: autoit_exe)
- behavioral1/files/0x00060000000133c1-120.dat (yara_rule: autoit_exe)
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Creates scheduled task(s) (1 TTPs, 3 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
- pid 1324: schtasks.exe
- pid 1220: schtasks.exe
- pid 1548: schtasks.exe
Suspicious use of WriteProcessMemory (64 IoCs; repeated identical entries are collapsed with their count, in report order)
- PID 320 wrote to memory of 744 (pid 320, 80aa3b26af6e7cbb8d1918a82fa6bc07c3bd6cca14460743eb3b4813df433066.exe, procid_target 27) ×4
- PID 744 wrote to memory of 924 (pid 744, Blasthost.exe, procid_target 28) ×4
- PID 320 wrote to memory of 1496 (pid 320, 80aa3b26af6e7cbb8d1918a82fa6bc07c3bd6cca14460743eb3b4813df433066.exe, procid_target 29) ×6
- PID 320 wrote to memory of 1324 (pid 320, 80aa3b26af6e7cbb8d1918a82fa6bc07c3bd6cca14460743eb3b4813df433066.exe, procid_target 30) ×4
- PID 1496 wrote to memory of 860 (pid 1496, 80aa3b26af6e7cbb8d1918a82fa6bc07c3bd6cca14460743eb3b4813df433066.exe, procid_target 31) ×6
- PID 1452 wrote to memory of 1292 (pid 1452, taskeng.exe, procid_target 35) ×4
- PID 1292 wrote to memory of 1736 (pid 1292, RtDCpl64.exe, procid_target 36) ×4
- PID 1292 wrote to memory of 1748 (pid 1292, RtDCpl64.exe, procid_target 37) ×6
- PID 1748 wrote to memory of 1180 (pid 1748, RtDCpl64.exe, procid_target 38) ×4
- PID 1292 wrote to memory of 1220 (pid 1292, RtDCpl64.exe, procid_target 40) ×4
- PID 1748 wrote to memory of 1180 (pid 1748, RtDCpl64.exe, procid_target 38) ×2
- PID 1452 wrote to memory of 852 (pid 1452, taskeng.exe, procid_target 44) ×4
- PID 852 wrote to memory of 1792 (pid 852, RtDCpl64.exe, procid_target 45) ×4
- PID 852 wrote to memory of 320 (pid 852, RtDCpl64.exe, procid_target 46) ×6
- PID 852 wrote to memory of 1548 (pid 852, RtDCpl64.exe, procid_target 47) ×2
Processes (nesting shows the parent/child tree)

- C:\Users\Admin\AppData\Local\Temp\80aa3b26af6e7cbb8d1918a82fa6bc07c3bd6cca14460743eb3b4813df433066.exe (PID 320)
  command line: "C:\Users\Admin\AppData\Local\Temp\80aa3b26af6e7cbb8d1918a82fa6bc07c3bd6cca14460743eb3b4813df433066.exe"
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Roaming\Blasthost.exe (PID 744)
    command line: "C:\Users\Admin\AppData\Roaming\Blasthost.exe"
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Roaming\Imgburn\Host.exe (PID 924)
      command line: "C:\Users\Admin\AppData\Roaming\Imgburn\Host.exe"
      - Executes dropped EXE
  - C:\Users\Admin\AppData\Local\Temp\80aa3b26af6e7cbb8d1918a82fa6bc07c3bd6cca14460743eb3b4813df433066.exe (PID 1496)
    command line: "C:\Users\Admin\AppData\Local\Temp\80aa3b26af6e7cbb8d1918a82fa6bc07c3bd6cca14460743eb3b4813df433066.exe"
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\cmd.exe (PID 860)
      command line: "C:\Windows\System32\cmd.exe"
  - C:\Windows\SysWOW64\schtasks.exe (PID 1324)
    command line: "C:\Windows\SysWOW64\schtasks.exe" /create /tn raserver /tr "C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe" /sc minute /mo 1 /F
    - Creates scheduled task(s)

- C:\Windows\system32\taskeng.exe (PID 1452)
  command line: taskeng.exe {D83A4A34-36B6-424B-8E06-D2F1B9A8D81F} S-1-5-21-3846991908-3261386348-1409841751-1000:VQVVOAJK\Admin:Interactive:[1]
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe (PID 1292)
    command line: C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Roaming\Blasthost.exe (PID 1736)
      command line: "C:\Users\Admin\AppData\Roaming\Blasthost.exe"
      - Executes dropped EXE
    - C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe (PID 1748)
      command line: "C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe"
      - Executes dropped EXE
      - Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\cmd.exe (PID 1180)
        command line: "C:\Windows\System32\cmd.exe"
    - C:\Windows\SysWOW64\schtasks.exe (PID 1220)
      command line: "C:\Windows\SysWOW64\schtasks.exe" /create /tn raserver /tr "C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe" /sc minute /mo 1 /F
      - Creates scheduled task(s)
  - C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe (PID 852)
    command line: C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Roaming\Blasthost.exe (PID 1792)
      command line: "C:\Users\Admin\AppData\Roaming\Blasthost.exe"
      - Executes dropped EXE
    - C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe (PID 320)
      command line: "C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe"
      - Executes dropped EXE
      - C:\Windows\SysWOW64\cmd.exe (PID 1984)
        command line: "C:\Windows\System32\cmd.exe"
    - C:\Windows\SysWOW64\schtasks.exe (PID 1548)
      command line: "C:\Windows\SysWOW64\schtasks.exe" /create /tn raserver /tr "C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe" /sc minute /mo 1 /F
      - Creates scheduled task(s)