Analysis
max time kernel: 155s
max time network: 133s
platform: windows7_x64
resource: win7-en-20211208
submitted: 17/02/2022, 00:09
Behavioral task: behavioral1
Sample: 811c6d66c65626f528eb934b4f2c2cfbfcc2ce2660903b37e8bb2c5013c98c93.exe
Resource: win7-en-20211208
Behavioral task: behavioral2
Sample: 811c6d66c65626f528eb934b4f2c2cfbfcc2ce2660903b37e8bb2c5013c98c93.exe
Resource: win10v2004-en-20220113
General
Target: 811c6d66c65626f528eb934b4f2c2cfbfcc2ce2660903b37e8bb2c5013c98c93.exe
Size: 1.3MB
MD5: e440294720dfac313d8c1b331d372664
SHA1: b4b1c3cdcfa226fec9b6b750cebbc6797508d5ab
SHA256: 811c6d66c65626f528eb934b4f2c2cfbfcc2ce2660903b37e8bb2c5013c98c93
SHA512: 826d6009d1604a67bfb2bc71f16961a89d35e173b050022a4f931dfca450bc46c196e64419097f9803c0ac0e3b7ad7643869bd4f2b00596b9ae9ce838a336b26
Malware Config
Extracted
warzonerat
wealth.warzonedns.com:5202
Signatures
NetWire RAT payload 25 IoCs
WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
Warzone RAT Payload 4 IoCs
resource  yara_rule
behavioral1/memory/1396-67-0x0000000000080000-0x000000000009D000-memory.dmp  warzonerat
behavioral1/memory/1396-75-0x0000000000080000-0x000000000009D000-memory.dmp  warzonerat
behavioral1/memory/1484-110-0x00000000000D0000-0x00000000000ED000-memory.dmp  warzonerat
behavioral1/memory/1484-119-0x00000000000D0000-0x00000000000ED000-memory.dmp  warzonerat
Executes dropped EXE 8 IoCs
pid   Process
1248  Blasthost.exe
524   Host.exe
1148  RtDCpl64.exe
1892  Blasthost.exe
1996  RtDCpl64.exe
1084  RtDCpl64.exe
568   Blasthost.exe
1484  RtDCpl64.exe
Loads dropped DLL 13 IoCs
pid   Process
1528  811c6d66c65626f528eb934b4f2c2cfbfcc2ce2660903b37e8bb2c5013c98c93.exe
1528  811c6d66c65626f528eb934b4f2c2cfbfcc2ce2660903b37e8bb2c5013c98c93.exe
1528  811c6d66c65626f528eb934b4f2c2cfbfcc2ce2660903b37e8bb2c5013c98c93.exe
1528  811c6d66c65626f528eb934b4f2c2cfbfcc2ce2660903b37e8bb2c5013c98c93.exe
1248  Blasthost.exe
1248  Blasthost.exe
1148  RtDCpl64.exe
1148  RtDCpl64.exe
1148  RtDCpl64.exe
1148  RtDCpl64.exe
1084  RtDCpl64.exe
1084  RtDCpl64.exe
1084  RtDCpl64.exe
Suspicious use of SetThreadContext 3 IoCs
description                          pid   Process                                                                  procid_target
PID 1528 set thread context of 1396  1528  811c6d66c65626f528eb934b4f2c2cfbfcc2ce2660903b37e8bb2c5013c98c93.exe  29
PID 1148 set thread context of 1996  1148  RtDCpl64.exe                                                             38
PID 1084 set thread context of 1484  1084  RtDCpl64.exe                                                             44
autoit_exe 5 IoCs
AutoIT scripts compiled to PE executables.
resource  yara_rule
behavioral1/files/0x00060000000125f3-80.dat   autoit_exe
behavioral1/files/0x00060000000125f3-81.dat   autoit_exe
behavioral1/files/0x00060000000125f3-98.dat   autoit_exe
behavioral1/files/0x00060000000125f3-102.dat  autoit_exe
behavioral1/files/0x00060000000125f3-117.dat  autoit_exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Creates scheduled task(s) 1 TTPs 3 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid   Process
340   schtasks.exe
1728  schtasks.exe
944   schtasks.exe
Suspicious use of WriteProcessMemory 64 IoCs
Processes (indented by depth in the process tree)

C:\Users\Admin\AppData\Local\Temp\811c6d66c65626f528eb934b4f2c2cfbfcc2ce2660903b37e8bb2c5013c98c93.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\811c6d66c65626f528eb934b4f2c2cfbfcc2ce2660903b37e8bb2c5013c98c93.exe"
  PID: 1528
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Roaming\Blasthost.exe
      Command line: "C:\Users\Admin\AppData\Roaming\Blasthost.exe"
      PID: 1248
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious use of WriteProcessMemory

        C:\Users\Admin\AppData\Roaming\Imgburn\Host.exe
          Command line: "C:\Users\Admin\AppData\Roaming\Imgburn\Host.exe"
          PID: 524
          - Executes dropped EXE

    C:\Users\Admin\AppData\Local\Temp\811c6d66c65626f528eb934b4f2c2cfbfcc2ce2660903b37e8bb2c5013c98c93.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\811c6d66c65626f528eb934b4f2c2cfbfcc2ce2660903b37e8bb2c5013c98c93.exe"
      PID: 1396
      - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\cmd.exe
          Command line: "C:\Windows\System32\cmd.exe"
          PID: 1272

    C:\Windows\SysWOW64\schtasks.exe
      Command line: "C:\Windows\SysWOW64\schtasks.exe" /create /tn raserver /tr "C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe" /sc minute /mo 1 /F
      PID: 340
      - Creates scheduled task(s)

C:\Windows\system32\taskeng.exe
  Command line: taskeng.exe {0A7BD9E7-B3BD-4298-A410-ACB2F14791D6} S-1-5-21-3846991908-3261386348-1409841751-1000:VQVVOAJK\Admin:Interactive:[1]
  PID: 608
  - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
      Command line: C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
      PID: 1148
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious use of SetThreadContext
      - Suspicious use of WriteProcessMemory

        C:\Users\Admin\AppData\Roaming\Blasthost.exe
          Command line: "C:\Users\Admin\AppData\Roaming\Blasthost.exe"
          PID: 1892
          - Executes dropped EXE

        C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
          Command line: "C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe"
          PID: 1996
          - Executes dropped EXE

        C:\Windows\SysWOW64\schtasks.exe
          Command line: "C:\Windows\SysWOW64\schtasks.exe" /create /tn raserver /tr "C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe" /sc minute /mo 1 /F
          PID: 1728
          - Creates scheduled task(s)

    C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
      Command line: C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
      PID: 1084
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious use of SetThreadContext
      - Suspicious use of WriteProcessMemory

        C:\Users\Admin\AppData\Roaming\Blasthost.exe
          Command line: "C:\Users\Admin\AppData\Roaming\Blasthost.exe"
          PID: 568
          - Executes dropped EXE

        C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
          Command line: "C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe"
          PID: 1484
          - Executes dropped EXE
          - Suspicious use of WriteProcessMemory

            C:\Windows\SysWOW64\cmd.exe
              Command line: "C:\Windows\System32\cmd.exe"
              PID: 392

        C:\Windows\SysWOW64\schtasks.exe
          Command line: "C:\Windows\SysWOW64\schtasks.exe" /create /tn raserver /tr "C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe" /sc minute /mo 1 /F
          PID: 944
          - Creates scheduled task(s)