Analysis
max time kernel: 166s
max time network: 174s
platform: windows10-2004_x64
resource: win10v2004-en-20220113
submitted: 17/02/2022, 00:10
Behavioral task: behavioral1
Sample: 80aa3b26af6e7cbb8d1918a82fa6bc07c3bd6cca14460743eb3b4813df433066.exe
Resource: win7-en-20211208
Behavioral task: behavioral2
Sample: 80aa3b26af6e7cbb8d1918a82fa6bc07c3bd6cca14460743eb3b4813df433066.exe
Resource: win10v2004-en-20220113
General
Target: 80aa3b26af6e7cbb8d1918a82fa6bc07c3bd6cca14460743eb3b4813df433066.exe
Size: 1.3MB
MD5: 09562c72fd075ce98816c5bb93d791d1
SHA1: 399f98dcf86838c28506a61960dd2e7642c18710
SHA256: 80aa3b26af6e7cbb8d1918a82fa6bc07c3bd6cca14460743eb3b4813df433066
SHA512: 160a6dcf0184568ccb640736aa11f268546973a872378a1fadc8001b31b5ee06822cd3da21d05f199fdaeeb8826e06ddac1cd5c77c90819da24185c6324fd5c9
Malware Config
Extracted
warzonerat
wealth.warzonedns.com:5202
Signatures
NetWire RAT payload 15 IoCs
resource                                      yara_rule
behavioral2/files/0x000600000001e7cf-130.dat  netwire
behavioral2/files/0x000600000001e7cf-131.dat  netwire
behavioral2/files/0x000400000001e7da-132.dat  netwire
behavioral2/files/0x000400000001e7da-133.dat  netwire
behavioral2/files/0x000400000001e7e0-144.dat  netwire
behavioral2/files/0x000400000001e7e0-145.dat  netwire
behavioral2/files/0x000600000001e7cf-148.dat  netwire
behavioral2/files/0x000400000001e7e0-157.dat  netwire
behavioral2/files/0x000600000001e7cf-160.dat  netwire
behavioral2/files/0x000400000001e7e0-161.dat  netwire
behavioral2/files/0x000600000001e7cf-162.dat  netwire
behavioral2/files/0x000400000001e7e0-170.dat  netwire
behavioral2/files/0x000400000001e7e0-174.dat  netwire
behavioral2/files/0x000600000001e7cf-175.dat  netwire
behavioral2/files/0x000400000001e7e0-183.dat  netwire
WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
Warzone RAT Payload 4 IoCs
resource                                                                       yara_rule
behavioral2/memory/1916-135-0x0000000000470000-0x000000000048D000-memory.dmp  warzonerat
behavioral2/memory/1916-142-0x0000000000470000-0x000000000048D000-memory.dmp  warzonerat
behavioral2/memory/5068-150-0x0000000000400000-0x000000000041D000-memory.dmp  warzonerat
behavioral2/memory/5068-158-0x0000000000400000-0x000000000041D000-memory.dmp  warzonerat
Executes dropped EXE 11 IoCs
pid   Process
3412  Blasthost.exe
3276  Host.exe
5012  RtDCpl64.exe
5104  Blasthost.exe
5068  RtDCpl64.exe
1424  RtDCpl64.exe
2280  Blasthost.exe
1460  RtDCpl64.exe
4156  RtDCpl64.exe
620   Blasthost.exe
4788  RtDCpl64.exe
Checks computer location settings 2 TTPs 4 IoCs
Looks up country code configured in the registry, likely geofence.
description        ioc                                                                                                            Process
Key value queried  \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation  RtDCpl64.exe
Key value queried  \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation  RtDCpl64.exe
Key value queried  \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation  RtDCpl64.exe
Key value queried  \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation  80aa3b26af6e7cbb8d1918a82fa6bc07c3bd6cca14460743eb3b4813df433066.exe
Suspicious use of SetThreadContext 4 IoCs
description                          pid   Process                                                                 procid_target
PID 2704 set thread context of 1916  2704  80aa3b26af6e7cbb8d1918a82fa6bc07c3bd6cca14460743eb3b4813df433066.exe  85
PID 5012 set thread context of 5068  5012  RtDCpl64.exe                                                            98
PID 1424 set thread context of 1460  1424  RtDCpl64.exe                                                            115
PID 4156 set thread context of 4788  4156  RtDCpl64.exe                                                            125
autoit_exe 7 IoCs
AutoIT scripts compiled to PE executables.
resource                                      yara_rule
behavioral2/files/0x000400000001e7e0-144.dat  autoit_exe
behavioral2/files/0x000400000001e7e0-145.dat  autoit_exe
behavioral2/files/0x000400000001e7e0-157.dat  autoit_exe
behavioral2/files/0x000400000001e7e0-161.dat  autoit_exe
behavioral2/files/0x000400000001e7e0-170.dat  autoit_exe
behavioral2/files/0x000400000001e7e0-174.dat  autoit_exe
behavioral2/files/0x000400000001e7e0-183.dat  autoit_exe
Drops file in Windows directory 8 IoCs
description                   ioc                                                        Process
File opened for modification  C:\Windows\Logs\CBS\CBS.log                                TiWorker.exe
File opened for modification  C:\Windows\WinSxS\pending.xml                              TiWorker.exe
File opened for modification  C:\Windows\WindowsUpdate.log                               svchost.exe
File opened for modification  C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk     svchost.exe
File opened for modification  C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log     svchost.exe
File opened for modification  C:\Windows\SoftwareDistribution\DataStore\DataStore.edb    svchost.exe
File opened for modification  C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm    svchost.exe
File opened for modification  C:\Windows\SoftwareDistribution\ReportingEvents.log        svchost.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Creates scheduled task(s) 1 TTPs 4 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid   Process
4576  schtasks.exe
2668  schtasks.exe
2580  schtasks.exe
3332  schtasks.exe
Suspicious use of AdjustPrivilegeToken 64 IoCs
Suspicious use of WriteProcessMemory 64 IoCs
Processes

[1] C:\Users\Admin\AppData\Local\Temp\80aa3b26af6e7cbb8d1918a82fa6bc07c3bd6cca14460743eb3b4813df433066.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\80aa3b26af6e7cbb8d1918a82fa6bc07c3bd6cca14460743eb3b4813df433066.exe"
    PID: 2704
    - Checks computer location settings
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    [2] C:\Users\Admin\AppData\Roaming\Blasthost.exe
        Command line: "C:\Users\Admin\AppData\Roaming\Blasthost.exe"
        PID: 3412
        - Executes dropped EXE
        - Suspicious use of WriteProcessMemory
        [3] C:\Users\Admin\AppData\Roaming\Imgburn\Host.exe
            Command line: "C:\Users\Admin\AppData\Roaming\Imgburn\Host.exe"
            PID: 3276
            - Executes dropped EXE
    [2] C:\Users\Admin\AppData\Local\Temp\80aa3b26af6e7cbb8d1918a82fa6bc07c3bd6cca14460743eb3b4813df433066.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\80aa3b26af6e7cbb8d1918a82fa6bc07c3bd6cca14460743eb3b4813df433066.exe"
        PID: 1916
        - Suspicious use of WriteProcessMemory
        [3] C:\Windows\SysWOW64\cmd.exe
            Command line: "C:\Windows\System32\cmd.exe"
            PID: 4200
    [2] C:\Windows\SysWOW64\schtasks.exe
        Command line: "C:\Windows\SysWOW64\schtasks.exe" /create /tn raserver /tr "C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe" /sc minute /mo 1 /F
        PID: 4576
        - Creates scheduled task(s)

[1] C:\Windows\system32\svchost.exe
    Command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
    PID: 1012
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken

[1] C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
    Command line: C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
    PID: 5012
    - Executes dropped EXE
    - Checks computer location settings
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    [2] C:\Users\Admin\AppData\Roaming\Blasthost.exe
        Command line: "C:\Users\Admin\AppData\Roaming\Blasthost.exe"
        PID: 5104
        - Executes dropped EXE
    [2] C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
        Command line: "C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe"
        PID: 5068
        - Executes dropped EXE
        - Suspicious use of WriteProcessMemory
        [3] C:\Windows\SysWOW64\cmd.exe
            Command line: "C:\Windows\System32\cmd.exe"
            PID: 4516
    [2] C:\Windows\SysWOW64\schtasks.exe
        Command line: "C:\Windows\SysWOW64\schtasks.exe" /create /tn raserver /tr "C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe" /sc minute /mo 1 /F
        PID: 2668
        - Creates scheduled task(s)

[1] C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
    Command line: C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
    PID: 968
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken

[1] C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
    Command line: C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
    PID: 1424
    - Executes dropped EXE
    - Checks computer location settings
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    [2] C:\Users\Admin\AppData\Roaming\Blasthost.exe
        Command line: "C:\Users\Admin\AppData\Roaming\Blasthost.exe"
        PID: 2280
        - Executes dropped EXE
    [2] C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
        Command line: "C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe"
        PID: 1460
        - Executes dropped EXE
        - Suspicious use of WriteProcessMemory
        [3] C:\Windows\SysWOW64\cmd.exe
            Command line: "C:\Windows\System32\cmd.exe"
            PID: 2400
    [2] C:\Windows\SysWOW64\schtasks.exe
        Command line: "C:\Windows\SysWOW64\schtasks.exe" /create /tn raserver /tr "C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe" /sc minute /mo 1 /F
        PID: 2580
        - Creates scheduled task(s)

[1] C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
    Command line: C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
    PID: 4156
    - Executes dropped EXE
    - Checks computer location settings
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    [2] C:\Users\Admin\AppData\Roaming\Blasthost.exe
        Command line: "C:\Users\Admin\AppData\Roaming\Blasthost.exe"
        PID: 620
        - Executes dropped EXE
    [2] C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
        Command line: "C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe"
        PID: 4788
        - Executes dropped EXE
        - Suspicious use of WriteProcessMemory
        [3] C:\Windows\SysWOW64\cmd.exe
            Command line: "C:\Windows\System32\cmd.exe"
            PID: 4480
    [2] C:\Windows\SysWOW64\schtasks.exe
        Command line: "C:\Windows\SysWOW64\schtasks.exe" /create /tn raserver /tr "C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe" /sc minute /mo 1 /F
        PID: 3332
        - Creates scheduled task(s)