Analysis
max time kernel: 165s
max time network: 169s
platform: windows10-2004_x64
resource: win10v2004-en-20220113
submitted: 17/02/2022, 00:09

Behavioral task behavioral1
Sample: 811c6d66c65626f528eb934b4f2c2cfbfcc2ce2660903b37e8bb2c5013c98c93.exe
Resource: win7-en-20211208

Behavioral task behavioral2
Sample: 811c6d66c65626f528eb934b4f2c2cfbfcc2ce2660903b37e8bb2c5013c98c93.exe
Resource: win10v2004-en-20220113

General
Target: 811c6d66c65626f528eb934b4f2c2cfbfcc2ce2660903b37e8bb2c5013c98c93.exe
Size: 1.3MB
MD5: e440294720dfac313d8c1b331d372664
SHA1: b4b1c3cdcfa226fec9b6b750cebbc6797508d5ab
SHA256: 811c6d66c65626f528eb934b4f2c2cfbfcc2ce2660903b37e8bb2c5013c98c93
SHA512: 826d6009d1604a67bfb2bc71f16961a89d35e173b050022a4f931dfca450bc46c196e64419097f9803c0ac0e3b7ad7643869bd4f2b00596b9ae9ce838a336b26

Malware Config
Extracted
Family: warzonerat
C2: wealth.warzonedns.com:5202

Signatures
NetWire RAT payload 12 IoCs
resource                                      yara_rule
behavioral2/files/0x000300000000072f-130.dat  netwire
behavioral2/files/0x000300000000072f-131.dat  netwire
behavioral2/files/0x0004000000016298-141.dat  netwire
behavioral2/files/0x0004000000016298-142.dat  netwire
behavioral2/files/0x000300000001e465-147.dat  netwire
behavioral2/files/0x000300000001e465-148.dat  netwire
behavioral2/files/0x000300000000072f-149.dat  netwire
behavioral2/files/0x000300000001e465-157.dat  netwire
behavioral2/files/0x000300000000072f-160.dat  netwire
behavioral2/files/0x000300000001e465-161.dat  netwire
behavioral2/files/0x000300000000072f-162.dat  netwire
behavioral2/files/0x000300000001e465-170.dat  netwire

WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.

Warzone RAT Payload 4 IoCs
resource                                                                        yara_rule
behavioral2/memory/364-133-0x0000000000400000-0x000000000041D000-memory.dmp     warzonerat
behavioral2/memory/364-140-0x0000000000400000-0x000000000041D000-memory.dmp     warzonerat
behavioral2/memory/4780-150-0x0000000000190000-0x00000000001AD000-memory.dmp    warzonerat
behavioral2/memory/4780-158-0x0000000000190000-0x00000000001AD000-memory.dmp    warzonerat

Executes dropped EXE 8 IoCs
pid   Process
4488  Blasthost.exe
4340  Host.exe
4200  RtDCpl64.exe
4372  Blasthost.exe
4780  RtDCpl64.exe
1004  RtDCpl64.exe
4816  Blasthost.exe
4344  RtDCpl64.exe

Checks computer location settings 2 TTPs 3 IoCs
Looks up country code configured in the registry, likely geofence.
description        ioc                                                                                                   Process
Key value queried  \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation  811c6d66c65626f528eb934b4f2c2cfbfcc2ce2660903b37e8bb2c5013c98c93.exe
Key value queried  \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation  RtDCpl64.exe
Key value queried  \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation  RtDCpl64.exe

Suspicious use of SetThreadContext 3 IoCs
description                          pid   Process                                                                Tprocid_target
PID 1332 set thread context of 364   1332  811c6d66c65626f528eb934b4f2c2cfbfcc2ce2660903b37e8bb2c5013c98c93.exe  83
PID 4200 set thread context of 4780  4200  RtDCpl64.exe                                                           102
PID 1004 set thread context of 4344  1004  RtDCpl64.exe                                                           114

autoit_exe 5 IoCs
AutoIT scripts compiled to PE executables.
resource                                      yara_rule
behavioral2/files/0x000300000001e465-147.dat  autoit_exe
behavioral2/files/0x000300000001e465-148.dat  autoit_exe
behavioral2/files/0x000300000001e465-157.dat  autoit_exe
behavioral2/files/0x000300000001e465-161.dat  autoit_exe
behavioral2/files/0x000300000001e465-170.dat  autoit_exe

Drops file in Windows directory 8 IoCs
description                   ioc                                                           Process
File opened for modification  C:\Windows\SoftwareDistribution\DataStore\DataStore.edb       svchost.exe
File opened for modification  C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm       svchost.exe
File opened for modification  C:\Windows\SoftwareDistribution\ReportingEvents.log           svchost.exe
File opened for modification  C:\Windows\Logs\CBS\CBS.log                                   TiWorker.exe
File opened for modification  C:\Windows\WinSxS\pending.xml                                 TiWorker.exe
File opened for modification  C:\Windows\WindowsUpdate.log                                  svchost.exe
File opened for modification  C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk        svchost.exe
File opened for modification  C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log        svchost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Creates scheduled task(s) 1 TTPs 3 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid   Process
4088  schtasks.exe
3128  schtasks.exe
2400  schtasks.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs
Suspicious use of WriteProcessMemory 51 IoCs
Processes

C:\Users\Admin\AppData\Local\Temp\811c6d66c65626f528eb934b4f2c2cfbfcc2ce2660903b37e8bb2c5013c98c93.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\811c6d66c65626f528eb934b4f2c2cfbfcc2ce2660903b37e8bb2c5013c98c93.exe"
    PID: 1332
    - Checks computer location settings
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Roaming\Blasthost.exe
        Command line: "C:\Users\Admin\AppData\Roaming\Blasthost.exe"
        PID: 4488
        - Executes dropped EXE
        - Suspicious use of WriteProcessMemory

        C:\Users\Admin\AppData\Roaming\Imgburn\Host.exe
            Command line: "C:\Users\Admin\AppData\Roaming\Imgburn\Host.exe"
            PID: 4340
            - Executes dropped EXE

    C:\Users\Admin\AppData\Local\Temp\811c6d66c65626f528eb934b4f2c2cfbfcc2ce2660903b37e8bb2c5013c98c93.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\811c6d66c65626f528eb934b4f2c2cfbfcc2ce2660903b37e8bb2c5013c98c93.exe"
        PID: 364
        - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\cmd.exe
            Command line: "C:\Windows\System32\cmd.exe"
            PID: 1440

    C:\Windows\SysWOW64\schtasks.exe
        Command line: "C:\Windows\SysWOW64\schtasks.exe" /create /tn raserver /tr "C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe" /sc minute /mo 1 /F
        PID: 2400
        - Creates scheduled task(s)

C:\Windows\system32\svchost.exe
    Command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
    PID: 1456
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken

C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
    Command line: C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
    PID: 4940
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken

C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
    Command line: C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
    PID: 4200
    - Executes dropped EXE
    - Checks computer location settings
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Roaming\Blasthost.exe
        Command line: "C:\Users\Admin\AppData\Roaming\Blasthost.exe"
        PID: 4372
        - Executes dropped EXE

    C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
        Command line: "C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe"
        PID: 4780
        - Executes dropped EXE
        - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\cmd.exe
            Command line: "C:\Windows\System32\cmd.exe"
            PID: 1324

    C:\Windows\SysWOW64\schtasks.exe
        Command line: "C:\Windows\SysWOW64\schtasks.exe" /create /tn raserver /tr "C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe" /sc minute /mo 1 /F
        PID: 4088
        - Creates scheduled task(s)

C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
    Command line: C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
    PID: 1004
    - Executes dropped EXE
    - Checks computer location settings
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Roaming\Blasthost.exe
        Command line: "C:\Users\Admin\AppData\Roaming\Blasthost.exe"
        PID: 4816
        - Executes dropped EXE

    C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
        Command line: "C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe"
        PID: 4344
        - Executes dropped EXE
        - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\cmd.exe
            Command line: "C:\Windows\System32\cmd.exe"
            PID: 4300

    C:\Windows\SysWOW64\schtasks.exe
        Command line: "C:\Windows\SysWOW64\schtasks.exe" /create /tn raserver /tr "C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe" /sc minute /mo 1 /F
        PID: 3128
        - Creates scheduled task(s)