Analysis
max time kernel: 157s
max time network: 144s
platform: windows7_x64
resource: win7-en-20211208
submitted: 17/02/2022, 00:10
Behavioral task: behavioral1
Sample: 80994bcb2e8378f0e78d31da572da3a858491e866293e0dcf4fc410f5e9136e3.exe
Resource: win7-en-20211208
Behavioral task: behavioral2
Sample: 80994bcb2e8378f0e78d31da572da3a858491e866293e0dcf4fc410f5e9136e3.exe
Resource: win10v2004-en-20220113
All signature hits and the process tree on this page come from behavioral1 (the Windows 7 run); nothing from behavioral2 (Windows 10) is reported here.
General
Target: 80994bcb2e8378f0e78d31da572da3a858491e866293e0dcf4fc410f5e9136e3.exe
Size: 1.3MB
MD5: c2b31083e0017ef1ca127f87c11557ba
SHA1: f27e357f9d973ca8cce23dbcce7de4cf16994e2a
SHA256: 80994bcb2e8378f0e78d31da572da3a858491e866293e0dcf4fc410f5e9136e3
SHA512: 5084988a74cfa15aa68535c1f19b283204bbf54032c186c633eee671aa26c2c3ff36725b7275214e7f0e0346745c73d9cf43a9e62526a331bfcbca5f376e7e1e
Malware Config
Extracted family: warzonerat
C2 (host:port): wealth.warzonedns.com:5202
Signatures

NetWire RAT payload (25 IoCs)
The "netwire" YARA rule matched 25 captured file artifacts belonging to three dropped files (all under behavioral1/files/; the numeric suffix indexes each capture of the file):
  0x0008000000012230: captures -56, -57, -58, -59, -60, -72, -84, -85, -86, -87, -88, -105, -108, -109, -110, -111 (16)
  0x00060000000125ca: captures -73, -74, -75, -90 (4)
  0x000800000001226a: captures -81, -82, -99, -106, -121 (5)
Caveat: this file-level rule reports NetWire, while the in-memory payload rule and the extracted configuration below identify WarzoneRAT. The extracted C2 configuration is the stronger evidence, so treat the NetWire file match as something to verify against the unpacked payload rather than as a second family. Note also that 0x000800000001226a is the same dropped file that matches the autoit_exe rule further down.
WarzoneRat, AveMaria
WarzoneRAT (also tracked as AveMaria) is a native RAT written in C++ with multiple plugins, sold as malware-as-a-service (MaaS).
Warzone RAT Payload (4 IoCs)
The "warzonerat" YARA rule matched in process memory (behavioral1/memory/):
  PID 568, region 0x00080000-0x0009D000 (dumps 568-63 and 568-77)
  PID 676, region 0x00400000-0x0041D000 (dumps 676-92 and 676-101)
Both PIDs are SetThreadContext targets in the section below, i.e. the unpacked Warzone payload lives in the hollowed child processes, not in the files on disk.
Executes dropped EXE (8 IoCs)
  PID 1772  Blasthost.exe
  PID 604   Host.exe
  PID 480   RtDCpl64.exe
  PID 1636  Blasthost.exe
  PID 676   RtDCpl64.exe
  PID 1228  RtDCpl64.exe
  PID 1812  Blasthost.exe
  PID 1616  RtDCpl64.exe
Loads dropped DLL (13 IoCs)
Load events collapsed per process (the report lists one record per load):
  PID 536   80994bcb2e8378f0e78d31da572da3a858491e866293e0dcf4fc410f5e9136e3.exe  (4 loads)
  PID 1772  Blasthost.exe  (2 loads)
  PID 480   RtDCpl64.exe   (4 loads)
  PID 1228  RtDCpl64.exe   (3 loads)
Suspicious use of SetThreadContext (3 IoCs)
  PID 536  (80994bcb2e8378f0e78d31da572da3a858491e866293e0dcf4fc410f5e9136e3.exe) set thread context of PID 568   (procid_target 28)
  PID 480  (RtDCpl64.exe) set thread context of PID 676   (procid_target 39)
  PID 1228 (RtDCpl64.exe) set thread context of PID 1616  (procid_target 46)
In each case the target is a freshly spawned copy of the caller's own image (see the process tree) that the caller also wrote into with WriteProcessMemory. That combination is the process-hollowing shape: spawn a child suspended, overwrite its image, point its main thread at the new entry, resume. The Warzone payload YARA hits on PIDs 568 and 676 above confirm what was written in.
autoit_exe (5 IoCs)
AutoIT scripts compiled to PE executables.
The "autoit_exe" rule matched dropped file 0x000800000001226a (captures -81, -82, -99, -106, -121, under behavioral1/files/), the same artifact that also matched the netwire rule above.
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
(That sentence is the sandbox's generic description of the signature. Nothing else in this report, such as file encryption or ransom notes, points to ransomware; for a RAT, drive enumeration is more plausibly reconnaissance or file-browsing functionality.)
Creates scheduled task(s) (1 TTPs, 3 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
  PID 416   schtasks.exe
  PID 1388  schtasks.exe
  PID 1280  schtasks.exe
All three invocations register the same task, "raserver", to run C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe every minute (/sc minute /mo 1 /F; full command lines in the process tree). The /F flag silently overwrites an existing task of that name, so every relaunch re-registers it.
Suspicious use of WriteProcessMemory (64 IoCs)
Records collapsed by (source PID, target PID); "writes" is how many times the report repeats the record. sample.exe below stands for 80994bcb2e8378f0e78d31da572da3a858491e866293e0dcf4fc410f5e9136e3.exe.
  source                 -> target                          procid_target  writes
  536  (sample.exe)      -> 1772 (Blasthost.exe)                 27          4
  536  (sample.exe)      -> 568  (sample.exe, hollowed)          28          6
  1772 (Blasthost.exe)   -> 604  (Host.exe)                      29          4
  536  (sample.exe)      -> 416  (schtasks.exe)                  30          4
  568  (sample.exe)      -> 1820 (cmd.exe)                       32          6
  108  (taskeng.exe)     -> 480  (RtDCpl64.exe)                  37          4
  480  (RtDCpl64.exe)    -> 1636 (Blasthost.exe)                 38          4
  480  (RtDCpl64.exe)    -> 676  (RtDCpl64.exe, hollowed)        39          6
  480  (RtDCpl64.exe)    -> 1388 (schtasks.exe)                  40          4
  676  (RtDCpl64.exe)    -> 2044 (cmd.exe)                       42          6
  108  (taskeng.exe)     -> 1228 (RtDCpl64.exe)                  44          4
  1228 (RtDCpl64.exe)    -> 1812 (Blasthost.exe)                 45          4
  1228 (RtDCpl64.exe)    -> 1616 (RtDCpl64.exe, hollowed)        46          6
  1616 (RtDCpl64.exe)    -> 416  (cmd.exe)                       47          2
Two things to keep in mind when reading this table. PID 416 appears twice with different procid_target values (30 = schtasks.exe, 47 = cmd.exe): PIDs are reused within the run, so correlate on procid_target rather than on PID alone. The section lists exactly 64 records, which matches its header, so the final pair (1616 -> 416, only 2 records where comparable pairs have 4 or 6) may be cut off by that cap.
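Added example, not part of the sandbox report: a parser for the SetThreadContext and WriteProcessMemory records in the run-on form the extracted page uses, which pairs each thread-context change with the writes into the same target and checks whether the target runs the caller's own image (the hollowing shape described above). RECORDS is a subset copied from the two sections above, with repeated records repeated as often as the report lists them and one record broken across a line as on the page; IMAGE is the PID-to-image map taken from the Processes section. Function names are mine.

```python
import re
from collections import Counter

SAMPLE = "80994bcb2e8378f0e78d31da572da3a858491e866293e0dcf4fc410f5e9136e3.exe"

# PID -> image, from the report's Processes section (only the PIDs used below).
# PID 416 is deliberately absent: the report reuses it for two different processes.
IMAGE = {
    536: SAMPLE, 568: SAMPLE, 1772: "Blasthost.exe", 1820: "cmd.exe",
    108: "taskeng.exe", 480: "RtDCpl64.exe", 676: "RtDCpl64.exe",
    1636: "Blasthost.exe", 1228: "RtDCpl64.exe", 1616: "RtDCpl64.exe",
}

# Subset of the report's records in the page's own run-on layout (several records
# per line). Record format: PID <src> <op> <dst> <src> <image of src> <procid_target>
RECORDS = "\n".join([
    f"PID 536 set thread context of 568 536 {SAMPLE} 28 "
    "PID 480 set thread context of 676 480 RtDCpl64.exe 39 "
    "PID 1228 set thread context of 1616 1228 RtDCpl64.exe 46",
    " ".join([f"PID 536 wrote to memory of 1772 536 {SAMPLE} 27"] * 4),
    " ".join([f"PID 536 wrote to memory of 568 536 {SAMPLE} 28"] * 6),
    # one record split across a line break, exactly as the extracted page has it
    " ".join([f"PID 568 wrote to memory of 1820 568 {SAMPLE} 32"] * 5)
    + " PID 568 wrote to memory of\n1820 568 " + SAMPLE + " 32",
    " ".join(["PID 108 wrote to memory of 480 108 taskeng.exe 37"] * 4),
    " ".join(["PID 480 wrote to memory of 1636 480 RtDCpl64.exe 38"] * 4),
    " ".join(["PID 480 wrote to memory of 676 480 RtDCpl64.exe 39"] * 6),
    " ".join(["PID 1228 wrote to memory of 1616 1228 RtDCpl64.exe 46"] * 6),
])

# \s+ everywhere so a record that wraps onto the next line still parses;
# (?P=src) checks the repeated source PID the report prints after the target.
RECORD = re.compile(
    r"PID\s+(?P<src>\d+)\s+(?P<op>set\s+thread\s+context\s+of|wrote\s+to\s+memory\s+of)\s+"
    r"(?P<dst>\d+)\s+(?P=src)\s+(?P<image>\S+)\s+(?P<procid>\d+)"
)


def parse_records(text):
    """Return (source_pid, op, target_pid, source_image, procid_target) tuples."""
    out = []
    for m in RECORD.finditer(text):
        op = "set_thread_context" if m["op"].startswith("set") else "write"
        out.append((int(m["src"]), op, int(m["dst"]), m["image"], int(m["procid"])))
    return out


def write_counts(records):
    """Number of WriteProcessMemory records per (source, target) pair."""
    return Counter((src, dst) for src, op, dst, _, _ in records if op == "write")


def hollowing_candidates(records, image=IMAGE):
    """A SetThreadContext on a child the caller also wrote into, where the child
    runs the caller's own image, is the classic process-hollowing shape."""
    writes = write_counts(records)
    found = []
    for src, op, dst, _, procid in records:
        if op != "set_thread_context":
            continue
        found.append({
            "parent": src, "child": dst, "procid_target": procid,
            "writes": writes[(src, dst)],
            "same_image": image.get(src) == image.get(dst),
            "child_image": image.get(dst),
        })
    return found


if __name__ == "__main__":
    recs = parse_records(RECORDS)
    for cand in hollowing_candidates(recs):
        print(cand)
    # Ordinary children (Blasthost.exe, the task-launched RtDCpl64.exe) are also
    # written to a few times by their parent, but never get a SetThreadContext.
    print(dict(write_counts(recs)))
```

The distinguishing signal is the SetThreadContext on a same-image child, not the write count by itself: the table above shows ordinary CreateProcess children receiving four writes too, so a rule keyed on WriteProcessMemory alone would flag every process launch in the tree.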
Processes

Indentation follows the tree; the leading number is the report's depth marker (1 = root). Bracketed notes are editorial, derived from the Signatures section above.

1. C:\Users\Admin\AppData\Local\Temp\80994bcb2e8378f0e78d31da572da3a858491e866293e0dcf4fc410f5e9136e3.exe  (PID 536)
   Command line: "C:\Users\Admin\AppData\Local\Temp\80994bcb2e8378f0e78d31da572da3a858491e866293e0dcf4fc410f5e9136e3.exe"
   Loads dropped DLL; Suspicious use of SetThreadContext; Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Roaming\Blasthost.exe  (PID 1772)
      Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
      3. C:\Users\Admin\AppData\Roaming\Imgburn\Host.exe  (PID 604)
         Executes dropped EXE
   2. C:\Users\Admin\AppData\Local\Temp\80994bcb2e8378f0e78d31da572da3a858491e866293e0dcf4fc410f5e9136e3.exe  (PID 568)
      [second copy of the sample; SetThreadContext target of PID 536; Warzone payload found at 0x00080000-0x0009D000]
      Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\cmd.exe  (PID 1820)
         Command line: "C:\Windows\System32\cmd.exe"  [32-bit process: the System32 path in the command line was redirected to SysWOW64]
   2. C:\Windows\SysWOW64\schtasks.exe  (PID 416)
      Command line: "C:\Windows\SysWOW64\schtasks.exe" /create /tn raserver /tr "C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe" /sc minute /mo 1 /F
      Creates scheduled task(s)

1. C:\Windows\system32\taskeng.exe  (PID 108)
   Command line: taskeng.exe {24120CBF-F49C-476C-89C3-5E991F46C44F} S-1-5-21-2329389628-4064185017-3901522362-1000:QSKGHMYQ\Admin:Interactive:[1]
   Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe  (PID 480)  [first launch by the raserver task]
      Executes dropped EXE; Loads dropped DLL; Suspicious use of SetThreadContext; Suspicious use of WriteProcessMemory
      3. C:\Users\Admin\AppData\Roaming\Blasthost.exe  (PID 1636)
         Executes dropped EXE
      3. C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe  (PID 676)
         [SetThreadContext target of PID 480; Warzone payload found at 0x00400000-0x0041D000]
         Executes dropped EXE; Suspicious use of WriteProcessMemory
         4. C:\Windows\SysWOW64\cmd.exe  (PID 2044)
            Command line: "C:\Windows\System32\cmd.exe"
      3. C:\Windows\SysWOW64\schtasks.exe  (PID 1388)
         Command line: "C:\Windows\SysWOW64\schtasks.exe" /create /tn raserver /tr "C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe" /sc minute /mo 1 /F
         Creates scheduled task(s)
   2. C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe  (PID 1228)  [second launch by the raserver task]
      Executes dropped EXE; Loads dropped DLL; Suspicious use of SetThreadContext; Suspicious use of WriteProcessMemory
      3. C:\Users\Admin\AppData\Roaming\Blasthost.exe  (PID 1812)
         Executes dropped EXE
      3. C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe  (PID 1616)  [SetThreadContext target of PID 1228]
         Executes dropped EXE; Suspicious use of WriteProcessMemory
         4. C:\Windows\SysWOW64\cmd.exe  (PID 416)
            Command line: "C:\Windows\System32\cmd.exe"  [PID 416 reused; the earlier schtasks.exe with that PID had already exited]
      3. C:\Windows\SysWOW64\schtasks.exe  (PID 1280)
         Command line: "C:\Windows\SysWOW64\schtasks.exe" /create /tn raserver /tr "C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe" /sc minute /mo 1 /F
         Creates scheduled task(s)

Reading the tree: the initial sample (PID 536) launches Blasthost.exe from AppData\Roaming, registers the raserver task pointing at AppData\Roaming\aepic\RtDCpl64.exe (flagged as a dropped EXE once it runs), and hollows a second copy of itself (PID 568) to host the Warzone payload. From then on the Task Scheduler (taskeng.exe) starts RtDCpl64.exe once a minute, and each run repeats the same three steps: launch Blasthost.exe, hollow a copy of itself, re-register the task. The two task-driven launches (PIDs 480 and 1228) are that loop running twice within the 157 s kernel time budget. The cmd.exe children of the hollowed processes show no arguments in this report, so whatever they executed is not visible here.
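Added example, not part of the sandbox report: a small triage routine that scores schtasks /create command lines from process-creation events, written to show why the raserver registration above stands out. The EVENTS list is constructed: the first entry reproduces the command line and parent image from the tree above (PID 1388, the copy launched by RtDCpl64.exe); the other three are invented controls, one of them modelled on an ordinary per-user updater task that also lives in AppData, to show that the one-minute interval, not the AppData path alone, is what separates this task from routine per-user tasks. Names and thresholds are mine.

```python
import re

# Constructed process-creation events. EVENTS[0] copies the schtasks command line
# from the report; the rest are invented controls and not from any real host.
EVENTS = [
    {"pid": 1388,
     "parent_image": r"C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe",
     "cmdline": r'"C:\Windows\SysWOW64\schtasks.exe" /create /tn raserver '
                r'/tr "C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe" /sc minute /mo 1 /F'},
    {"pid": 2210,
     "parent_image": r"C:\Windows\explorer.exe",
     "cmdline": r'"C:\Windows\System32\schtasks.exe" /create /tn "NightlyBackup" '
                r'/tr "C:\Program Files\Acme\backup.exe" /sc daily /st 02:00'},
    {"pid": 2388,
     "parent_image": r"C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDriveSetup.exe",
     "cmdline": r'"C:\Windows\System32\schtasks.exe" /create /tn "OneDrive Update" '
                r'/tr "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDriveStandaloneUpdater.exe" /sc daily /st 03:00'},
    {"pid": 2400,
     "parent_image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"schtasks /query /tn raserver /v /fo LIST"},
]

# schtasks options of interest; the value is either a double-quoted string or one token.
OPTION = re.compile(r'/(tn|tr|sc|mo|st)\s+(?:"([^"]*)"|(\S+))', re.IGNORECASE)
# Directories a non-admin user can write to (heuristic, not exhaustive).
USER_WRITABLE = re.compile(r"\\(AppData|ProgramData|Temp|Downloads|Public)\\", re.IGNORECASE)
# Anything that fires this often is a beacon or a watchdog, not a maintenance job.
MAX_SUSPICIOUS_MINUTES = 5


def parse_create(cmdline):
    """Return {/tn, /tr, /sc, /mo, /st} for a 'schtasks /create' line, else None."""
    if not re.search(r"\s/create(\s|$)", cmdline, re.IGNORECASE):
        return None
    opts = {}
    for m in OPTION.finditer(cmdline):
        opts[m.group(1).lower()] = m.group(2) if m.group(2) is not None else m.group(3)
    return opts


def assess(event):
    """Score one event; None when it is not a task creation or nothing is suspicious."""
    opts = parse_create(event["cmdline"])
    if opts is None:
        return None
    reasons = []
    action = opts.get("tr", "")
    if USER_WRITABLE.search(action):
        reasons.append("task action runs from a user-writable directory")
    if opts.get("sc", "").lower() == "minute" and int(opts.get("mo", "1")) <= MAX_SUSPICIOUS_MINUTES:
        reasons.append(f"task repeats every {opts.get('mo', '1')} minute(s)")
    if USER_WRITABLE.search(event["parent_image"]):
        reasons.append("schtasks.exe launched by a process in a user-writable directory")
    if not reasons:
        return None
    return {"pid": event["pid"], "task": opts.get("tn"), "action": action,
            "score": len(reasons), "reasons": reasons}


def triage(events):
    """All findings, highest score first."""
    found = [f for f in map(assess, events) if f]
    return sorted(found, key=lambda f: f["score"], reverse=True)


if __name__ == "__main__":
    for finding in triage(EVENTS):
        print(finding["score"], finding["task"], finding["action"])
        for reason in finding["reasons"]:
            print("   -", reason)
```

The updater-style control still scores on two of the three checks, so on a real fleet the path-based reasons need an allow-list; the minute-level trigger is the reason worth paging on. On a live host the same task can be confirmed with `schtasks /query /tn raserver /v /fo LIST` and removed with `schtasks /delete /tn raserver /F`, but because every RtDCpl64.exe run re-creates it, the RtDCpl64.exe and Blasthost.exe processes have to be stopped first or the task comes back within a minute.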