Analysis
max time kernel: 170s
max time network: 175s
platform: windows10-2004_x64
resource: win10v2004-en-20220113
submitted: 17/02/2022, 00:10
Behavioral task: behavioral1
Sample: 80994bcb2e8378f0e78d31da572da3a858491e866293e0dcf4fc410f5e9136e3.exe
Resource: win7-en-20211208
Behavioral task: behavioral2
Sample: 80994bcb2e8378f0e78d31da572da3a858491e866293e0dcf4fc410f5e9136e3.exe
Resource: win10v2004-en-20220113
General
Target: 80994bcb2e8378f0e78d31da572da3a858491e866293e0dcf4fc410f5e9136e3.exe
Size: 1.3MB
MD5: c2b31083e0017ef1ca127f87c11557ba
SHA1: f27e357f9d973ca8cce23dbcce7de4cf16994e2a
SHA256: 80994bcb2e8378f0e78d31da572da3a858491e866293e0dcf4fc410f5e9136e3
SHA512: 5084988a74cfa15aa68535c1f19b283204bbf54032c186c633eee671aa26c2c3ff36725b7275214e7f0e0346745c73d9cf43a9e62526a331bfcbca5f376e7e1e
Malware Config
Extracted
Family: warzonerat
C2: wealth.warzonedns.com:5202
Signatures
NetWire RAT payload (15 IoCs)
resource | yara_rule
behavioral2/files/0x000400000001e797-130.dat | netwire
behavioral2/files/0x000400000001e797-131.dat | netwire
behavioral2/files/0x000400000001e799-132.dat | netwire
behavioral2/files/0x000400000001e799-133.dat | netwire
behavioral2/files/0x000300000001e79c-144.dat | netwire
behavioral2/files/0x000300000001e79c-145.dat | netwire
behavioral2/files/0x000400000001e797-146.dat | netwire
behavioral2/files/0x000300000001e79c-154.dat | netwire
behavioral2/files/0x000400000001e797-157.dat | netwire
behavioral2/files/0x000300000001e79c-161.dat | netwire
behavioral2/files/0x000400000001e797-162.dat | netwire
behavioral2/files/0x000300000001e79c-170.dat | netwire
behavioral2/files/0x000300000001e79c-174.dat | netwire
behavioral2/files/0x000400000001e797-175.dat | netwire
behavioral2/files/0x000300000001e79c-183.dat | netwire
WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
Warzone RAT Payload (2 IoCs)
resource | yara_rule
behavioral2/memory/4900-135-0x0000000000400000-0x000000000041D000-memory.dmp | warzonerat
behavioral2/memory/4900-142-0x0000000000400000-0x000000000041D000-memory.dmp | warzonerat
Executes dropped EXE (11 IoCs)
pid | Process
4604 | Blasthost.exe
1864 | Host.exe
1944 | RtDCpl64.exe
2508 | Blasthost.exe
1308 | RtDCpl64.exe
1128 | RtDCpl64.exe
2228 | Blasthost.exe
1272 | RtDCpl64.exe
4404 | RtDCpl64.exe
2892 | Blasthost.exe
4776 | RtDCpl64.exe
Checks computer location settings (2 TTPs, 4 IoCs)
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation | 80994bcb2e8378f0e78d31da572da3a858491e866293e0dcf4fc410f5e9136e3.exe
Key value queried | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation | RtDCpl64.exe
Key value queried | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation | RtDCpl64.exe
Key value queried | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation | RtDCpl64.exe
Suspicious use of SetThreadContext (4 IoCs)
description | pid | Process | procid_target
PID 428 set thread context of 4900 | 428 | 80994bcb2e8378f0e78d31da572da3a858491e866293e0dcf4fc410f5e9136e3.exe | 84
PID 1944 set thread context of 1308 | 1944 | RtDCpl64.exe | 95
PID 1128 set thread context of 1272 | 1128 | RtDCpl64.exe | 112
PID 4404 set thread context of 4776 | 4404 | RtDCpl64.exe | 124
autoit_exe (7 IoCs)
AutoIT scripts compiled to PE executables.
resource | yara_rule
behavioral2/files/0x000300000001e79c-144.dat | autoit_exe
behavioral2/files/0x000300000001e79c-145.dat | autoit_exe
behavioral2/files/0x000300000001e79c-154.dat | autoit_exe
behavioral2/files/0x000300000001e79c-161.dat | autoit_exe
behavioral2/files/0x000300000001e79c-170.dat | autoit_exe
behavioral2/files/0x000300000001e79c-174.dat | autoit_exe
behavioral2/files/0x000300000001e79c-183.dat | autoit_exe
Drops file in Windows directory (8 IoCs)
description | ioc | Process
File opened for modification | C:\Windows\SoftwareDistribution\ReportingEvents.log | svchost.exe
File opened for modification | C:\Windows\Logs\CBS\CBS.log | TiWorker.exe
File opened for modification | C:\Windows\WinSxS\pending.xml | TiWorker.exe
File opened for modification | C:\Windows\WindowsUpdate.log | svchost.exe
File opened for modification | C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk | svchost.exe
File opened for modification | C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log | svchost.exe
File opened for modification | C:\Windows\SoftwareDistribution\DataStore\DataStore.edb | svchost.exe
File opened for modification | C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm | svchost.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Creates scheduled task(s) (1 TTPs, 4 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid | Process
1256 | schtasks.exe
2628 | schtasks.exe
4504 | schtasks.exe
1088 | schtasks.exe
Suspicious use of AdjustPrivilegeToken (64 IoCs)
description | pid | Process
Token: SeShutdownPrivilege | 3936 | svchost.exe
Token: SeCreatePagefilePrivilege | 3936 | svchost.exe
Token: SeShutdownPrivilege | 3936 | svchost.exe
Token: SeCreatePagefilePrivilege | 3936 | svchost.exe
Token: SeShutdownPrivilege | 3936 | svchost.exe
Token: SeCreatePagefilePrivilege | 3936 | svchost.exe
Token: SeSecurityPrivilege | 1760 | TiWorker.exe
Token: SeRestorePrivilege | 1760 | TiWorker.exe
Token: SeBackupPrivilege | 1760 | TiWorker.exe
Token: SeBackupPrivilege | 1760 | TiWorker.exe
Token: SeRestorePrivilege | 1760 | TiWorker.exe
Token: SeSecurityPrivilege | 1760 | TiWorker.exe
Token: SeBackupPrivilege | 1760 | TiWorker.exe
Token: SeRestorePrivilege | 1760 | TiWorker.exe
Token: SeSecurityPrivilege | 1760 | TiWorker.exe
Token: SeBackupPrivilege | 1760 | TiWorker.exe
Token: SeRestorePrivilege | 1760 | TiWorker.exe
Token: SeSecurityPrivilege | 1760 | TiWorker.exe
Token: SeBackupPrivilege | 1760 | TiWorker.exe
Token: SeRestorePrivilege | 1760 | TiWorker.exe
Token: SeSecurityPrivilege | 1760 | TiWorker.exe
Token: SeBackupPrivilege | 1760 | TiWorker.exe
Token: SeRestorePrivilege | 1760 | TiWorker.exe
Token: SeSecurityPrivilege | 1760 | TiWorker.exe
Token: SeBackupPrivilege | 1760 | TiWorker.exe
Token: SeRestorePrivilege | 1760 | TiWorker.exe
Token: SeSecurityPrivilege | 1760 | TiWorker.exe
Token: SeBackupPrivilege | 1760 | TiWorker.exe
Token: SeRestorePrivilege | 1760 | TiWorker.exe
Token: SeSecurityPrivilege | 1760 | TiWorker.exe
Token: SeBackupPrivilege | 1760 | TiWorker.exe
Token: SeRestorePrivilege | 1760 | TiWorker.exe
Token: SeSecurityPrivilege | 1760 | TiWorker.exe
Token: SeBackupPrivilege | 1760 | TiWorker.exe
Token: SeRestorePrivilege | 1760 | TiWorker.exe
Token: SeSecurityPrivilege | 1760 | TiWorker.exe
Token: SeBackupPrivilege | 1760 | TiWorker.exe
Token: SeRestorePrivilege | 1760 | TiWorker.exe
Token: SeSecurityPrivilege | 1760 | TiWorker.exe
Token: SeBackupPrivilege | 1760 | TiWorker.exe
Token: SeRestorePrivilege | 1760 | TiWorker.exe
Token: SeSecurityPrivilege | 1760 | TiWorker.exe
Token: SeBackupPrivilege | 1760 | TiWorker.exe
Token: SeRestorePrivilege | 1760 | TiWorker.exe
Token: SeSecurityPrivilege | 1760 | TiWorker.exe
Token: SeBackupPrivilege | 1760 | TiWorker.exe
Token: SeRestorePrivilege | 1760 | TiWorker.exe
Token: SeSecurityPrivilege | 1760 | TiWorker.exe
Token: SeBackupPrivilege | 1760 | TiWorker.exe
Token: SeRestorePrivilege | 1760 | TiWorker.exe
Token: SeSecurityPrivilege | 1760 | TiWorker.exe
Token: SeBackupPrivilege | 1760 | TiWorker.exe
Token: SeRestorePrivilege | 1760 | TiWorker.exe
Token: SeSecurityPrivilege | 1760 | TiWorker.exe
Token: SeBackupPrivilege | 1760 | TiWorker.exe
Token: SeRestorePrivilege | 1760 | TiWorker.exe
Token: SeSecurityPrivilege | 1760 | TiWorker.exe
Token: SeBackupPrivilege | 1760 | TiWorker.exe
Token: SeRestorePrivilege | 1760 | TiWorker.exe
Token: SeSecurityPrivilege | 1760 | TiWorker.exe
Token: SeBackupPrivilege | 1760 | TiWorker.exe
Token: SeRestorePrivilege | 1760 | TiWorker.exe
Token: SeSecurityPrivilege | 1760 | TiWorker.exe
Token: SeBackupPrivilege | 1760 | TiWorker.exe
Suspicious use of WriteProcessMemory (64 IoCs)
description | pid | Process | procid_target
PID 428 wrote to memory of 4604 | 428 | 80994bcb2e8378f0e78d31da572da3a858491e866293e0dcf4fc410f5e9136e3.exe | 81
PID 428 wrote to memory of 4604 | 428 | 80994bcb2e8378f0e78d31da572da3a858491e866293e0dcf4fc410f5e9136e3.exe | 81
PID 428 wrote to memory of 4604 | 428 | 80994bcb2e8378f0e78d31da572da3a858491e866293e0dcf4fc410f5e9136e3.exe | 81
PID 4604 wrote to memory of 1864 | 4604 | Blasthost.exe | 83
PID 4604 wrote to memory of 1864 | 4604 | Blasthost.exe | 83
PID 4604 wrote to memory of 1864 | 4604 | Blasthost.exe | 83
PID 428 wrote to memory of 4900 | 428 | 80994bcb2e8378f0e78d31da572da3a858491e866293e0dcf4fc410f5e9136e3.exe | 84
PID 428 wrote to memory of 4900 | 428 | 80994bcb2e8378f0e78d31da572da3a858491e866293e0dcf4fc410f5e9136e3.exe | 84
PID 428 wrote to memory of 4900 | 428 | 80994bcb2e8378f0e78d31da572da3a858491e866293e0dcf4fc410f5e9136e3.exe | 84
PID 428 wrote to memory of 4900 | 428 | 80994bcb2e8378f0e78d31da572da3a858491e866293e0dcf4fc410f5e9136e3.exe | 84
PID 428 wrote to memory of 4900 | 428 | 80994bcb2e8378f0e78d31da572da3a858491e866293e0dcf4fc410f5e9136e3.exe | 84
PID 4900 wrote to memory of 2796 | 4900 | 80994bcb2e8378f0e78d31da572da3a858491e866293e0dcf4fc410f5e9136e3.exe | 85
PID 4900 wrote to memory of 2796 | 4900 | 80994bcb2e8378f0e78d31da572da3a858491e866293e0dcf4fc410f5e9136e3.exe | 85
PID 4900 wrote to memory of 2796 | 4900 | 80994bcb2e8378f0e78d31da572da3a858491e866293e0dcf4fc410f5e9136e3.exe | 85
PID 428 wrote to memory of 2628 | 428 | 80994bcb2e8378f0e78d31da572da3a858491e866293e0dcf4fc410f5e9136e3.exe | 87
PID 428 wrote to memory of 2628 | 428 | 80994bcb2e8378f0e78d31da572da3a858491e866293e0dcf4fc410f5e9136e3.exe | 87
PID 428 wrote to memory of 2628 | 428 | 80994bcb2e8378f0e78d31da572da3a858491e866293e0dcf4fc410f5e9136e3.exe | 87
PID 4900 wrote to memory of 2796 | 4900 | 80994bcb2e8378f0e78d31da572da3a858491e866293e0dcf4fc410f5e9136e3.exe | 85
PID 4900 wrote to memory of 2796 | 4900 | 80994bcb2e8378f0e78d31da572da3a858491e866293e0dcf4fc410f5e9136e3.exe | 85
PID 1944 wrote to memory of 2508 | 1944 | RtDCpl64.exe | 94
PID 1944 wrote to memory of 2508 | 1944 | RtDCpl64.exe | 94
PID 1944 wrote to memory of 2508 | 1944 | RtDCpl64.exe | 94
PID 1944 wrote to memory of 1308 | 1944 | RtDCpl64.exe | 95
PID 1944 wrote to memory of 1308 | 1944 | RtDCpl64.exe | 95
PID 1944 wrote to memory of 1308 | 1944 | RtDCpl64.exe | 95
PID 1944 wrote to memory of 1308 | 1944 | RtDCpl64.exe | 95
PID 1944 wrote to memory of 1308 | 1944 | RtDCpl64.exe | 95
PID 1308 wrote to memory of 4252 | 1308 | RtDCpl64.exe | 96
PID 1308 wrote to memory of 4252 | 1308 | RtDCpl64.exe | 96
PID 1308 wrote to memory of 4252 | 1308 | RtDCpl64.exe | 96
PID 1944 wrote to memory of 4504 | 1944 | RtDCpl64.exe | 98
PID 1944 wrote to memory of 4504 | 1944 | RtDCpl64.exe | 98
PID 1944 wrote to memory of 4504 | 1944 | RtDCpl64.exe | 98
PID 1308 wrote to memory of 4252 | 1308 | RtDCpl64.exe | 96
PID 1308 wrote to memory of 4252 | 1308 | RtDCpl64.exe | 96
PID 1128 wrote to memory of 2228 | 1128 | RtDCpl64.exe | 111
PID 1128 wrote to memory of 2228 | 1128 | RtDCpl64.exe | 111
PID 1128 wrote to memory of 2228 | 1128 | RtDCpl64.exe | 111
PID 1128 wrote to memory of 1272 | 1128 | RtDCpl64.exe | 112
PID 1128 wrote to memory of 1272 | 1128 | RtDCpl64.exe | 112
PID 1128 wrote to memory of 1272 | 1128 | RtDCpl64.exe | 112
PID 1128 wrote to memory of 1272 | 1128 | RtDCpl64.exe | 112
PID 1128 wrote to memory of 1272 | 1128 | RtDCpl64.exe | 112
PID 1272 wrote to memory of 2416 | 1272 | RtDCpl64.exe | 113
PID 1272 wrote to memory of 2416 | 1272 | RtDCpl64.exe | 113
PID 1272 wrote to memory of 2416 | 1272 | RtDCpl64.exe | 113
PID 1128 wrote to memory of 1088 | 1128 | RtDCpl64.exe | 116
PID 1128 wrote to memory of 1088 | 1128 | RtDCpl64.exe | 116
PID 1128 wrote to memory of 1088 | 1128 | RtDCpl64.exe | 116
PID 1272 wrote to memory of 2416 | 1272 | RtDCpl64.exe | 113
PID 1272 wrote to memory of 2416 | 1272 | RtDCpl64.exe | 113
PID 4404 wrote to memory of 2892 | 4404 | RtDCpl64.exe | 123
PID 4404 wrote to memory of 2892 | 4404 | RtDCpl64.exe | 123
PID 4404 wrote to memory of 2892 | 4404 | RtDCpl64.exe | 123
PID 4404 wrote to memory of 4776 | 4404 | RtDCpl64.exe | 124
PID 4404 wrote to memory of 4776 | 4404 | RtDCpl64.exe | 124
PID 4404 wrote to memory of 4776 | 4404 | RtDCpl64.exe | 124
PID 4404 wrote to memory of 4776 | 4404 | RtDCpl64.exe | 124
PID 4404 wrote to memory of 4776 | 4404 | RtDCpl64.exe | 124
PID 4776 wrote to memory of 5036 | 4776 | RtDCpl64.exe | 125
PID 4776 wrote to memory of 5036 | 4776 | RtDCpl64.exe | 125
PID 4776 wrote to memory of 5036 | 4776 | RtDCpl64.exe | 125
PID 4404 wrote to memory of 1256 | 4404 | RtDCpl64.exe | 127
PID 4404 wrote to memory of 1256 | 4404 | RtDCpl64.exe | 127
Processes (child processes are indented under their parent)
C:\Users\Admin\AppData\Local\Temp\80994bcb2e8378f0e78d31da572da3a858491e866293e0dcf4fc410f5e9136e3.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\80994bcb2e8378f0e78d31da572da3a858491e866293e0dcf4fc410f5e9136e3.exe"
  - Checks computer location settings
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID: 428
    C:\Users\Admin\AppData\Roaming\Blasthost.exe
      Command line: "C:\Users\Admin\AppData\Roaming\Blasthost.exe"
      - Executes dropped EXE
      - Suspicious use of WriteProcessMemory
      PID: 4604
        C:\Users\Admin\AppData\Roaming\Imgburn\Host.exe
          Command line: "C:\Users\Admin\AppData\Roaming\Imgburn\Host.exe"
          - Executes dropped EXE
          PID: 1864
    C:\Users\Admin\AppData\Local\Temp\80994bcb2e8378f0e78d31da572da3a858491e866293e0dcf4fc410f5e9136e3.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\80994bcb2e8378f0e78d31da572da3a858491e866293e0dcf4fc410f5e9136e3.exe"
      - Suspicious use of WriteProcessMemory
      PID: 4900
        C:\Windows\SysWOW64\cmd.exe
          Command line: "C:\Windows\System32\cmd.exe"
          PID: 2796
    C:\Windows\SysWOW64\schtasks.exe
      Command line: "C:\Windows\SysWOW64\schtasks.exe" /create /tn raserver /tr "C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe" /sc minute /mo 1 /F
      - Creates scheduled task(s)
      PID: 2628
C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
  Command line: C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
  - Executes dropped EXE
  - Checks computer location settings
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID: 1944
    C:\Users\Admin\AppData\Roaming\Blasthost.exe
      Command line: "C:\Users\Admin\AppData\Roaming\Blasthost.exe"
      - Executes dropped EXE
      PID: 2508
    C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
      Command line: "C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe"
      - Executes dropped EXE
      - Suspicious use of WriteProcessMemory
      PID: 1308
        C:\Windows\SysWOW64\cmd.exe
          Command line: "C:\Windows\System32\cmd.exe"
          PID: 4252
    C:\Windows\SysWOW64\schtasks.exe
      Command line: "C:\Windows\SysWOW64\schtasks.exe" /create /tn raserver /tr "C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe" /sc minute /mo 1 /F
      - Creates scheduled task(s)
      PID: 4504
C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  PID: 3936
C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
  Command line: C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
  - Executes dropped EXE
  - Checks computer location settings
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID: 1128
    C:\Users\Admin\AppData\Roaming\Blasthost.exe
      Command line: "C:\Users\Admin\AppData\Roaming\Blasthost.exe"
      - Executes dropped EXE
      PID: 2228
    C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
      Command line: "C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe"
      - Executes dropped EXE
      - Suspicious use of WriteProcessMemory
      PID: 1272
        C:\Windows\SysWOW64\cmd.exe
          Command line: "C:\Windows\System32\cmd.exe"
          PID: 2416
    C:\Windows\SysWOW64\schtasks.exe
      Command line: "C:\Windows\SysWOW64\schtasks.exe" /create /tn raserver /tr "C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe" /sc minute /mo 1 /F
      - Creates scheduled task(s)
      PID: 1088
C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
  Command line: C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  PID: 1760
C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
  Command line: C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
  - Executes dropped EXE
  - Checks computer location settings
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID: 4404
    C:\Users\Admin\AppData\Roaming\Blasthost.exe
      Command line: "C:\Users\Admin\AppData\Roaming\Blasthost.exe"
      - Executes dropped EXE
      PID: 2892
    C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
      Command line: "C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe"
      - Executes dropped EXE
      - Suspicious use of WriteProcessMemory
      PID: 4776
        C:\Windows\SysWOW64\cmd.exe
          Command line: "C:\Windows\System32\cmd.exe"
          PID: 5036
    C:\Windows\SysWOW64\schtasks.exe
      Command line: "C:\Windows\SysWOW64\schtasks.exe" /create /tn raserver /tr "C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe" /sc minute /mo 1 /F
      - Creates scheduled task(s)
      PID: 1256