Analysis
  Max time kernel: 160s
  Max time network: 135s
  Platform: windows7_x64
  Resource: win7-en-20211208
  Submitted: 17/02/2022, 00:11
Behavioral tasks
  behavioral1
    Sample: 8065cbe928b4854cad3081e2c57237a1cb915965893afca271514a3508bd8287.exe
    Resource: win7-en-20211208
  behavioral2
    Sample: 8065cbe928b4854cad3081e2c57237a1cb915965893afca271514a3508bd8287.exe
    Resource: win10v2004-en-20220113
General
  Target: 8065cbe928b4854cad3081e2c57237a1cb915965893afca271514a3508bd8287.exe
  Size: 1.3MB
  MD5: 5f44db21a6564487f55827a6557c2b4c
  SHA1: f26aa3fab52cf036f19f398b41abfb7b78168ce5
  SHA256: 8065cbe928b4854cad3081e2c57237a1cb915965893afca271514a3508bd8287
  SHA512: 24af06cadb10d625375bfd513f29df5f3aaed293824da3e9908a45e18969aec45c7759c0655862d827123f356e05f5a9003675e3541b5f29cca35a4c8b457967
Malware Config
  Extracted
    Family: warzonerat
    wealth.warzonedns.com:5202
Signatures

NetWire RAT payload (25 IoCs)
  resource                                       yara_rule
  behavioral1/files/0x000800000001225c-55.dat    netwire
  behavioral1/files/0x000800000001225c-56.dat    netwire
  behavioral1/files/0x000800000001225c-58.dat    netwire
  behavioral1/files/0x000800000001225c-57.dat    netwire
  behavioral1/files/0x000800000001225c-59.dat    netwire
  behavioral1/files/0x000800000001225c-61.dat    netwire
  behavioral1/files/0x00070000000125a3-63.dat    netwire
  behavioral1/files/0x00070000000125a3-62.dat    netwire
  behavioral1/files/0x00070000000125a3-64.dat    netwire
  behavioral1/files/0x0006000000012608-79.dat    netwire
  behavioral1/files/0x0006000000012608-80.dat    netwire
  behavioral1/files/0x000800000001225c-82.dat    netwire
  behavioral1/files/0x000800000001225c-85.dat    netwire
  behavioral1/files/0x000800000001225c-84.dat    netwire
  behavioral1/files/0x000800000001225c-83.dat    netwire
  behavioral1/files/0x000800000001225c-86.dat    netwire
  behavioral1/files/0x00070000000125a3-88.dat    netwire
  behavioral1/files/0x0006000000012608-97.dat    netwire
  behavioral1/files/0x000800000001225c-103.dat   netwire
  behavioral1/files/0x0006000000012608-104.dat   netwire
  behavioral1/files/0x000800000001225c-108.dat   netwire
  behavioral1/files/0x000800000001225c-107.dat   netwire
  behavioral1/files/0x000800000001225c-106.dat   netwire
  behavioral1/files/0x000800000001225c-109.dat   netwire
  behavioral1/files/0x0006000000012608-119.dat   netwire
WarzoneRat, AveMaria
  WarzoneRat is a native RAT developed in C++ with multiple plugins, sold as Malware-as-a-Service (MaaS).
Warzone RAT Payload (4 IoCs)
  resource                                                                           yara_rule
  behavioral1/memory/1368-67-0x0000000000080000-0x000000000009D000-memory.dmp       warzonerat
  behavioral1/memory/1368-75-0x0000000000080000-0x000000000009D000-memory.dmp       warzonerat
  behavioral1/memory/396-112-0x00000000000C0000-0x00000000000DD000-memory.dmp       warzonerat
  behavioral1/memory/396-121-0x00000000000C0000-0x00000000000DD000-memory.dmp       warzonerat
Executes dropped EXE (8 IoCs)
  pid    Process
  472    Blasthost.exe
  1388   Host.exe
  1572   RtDCpl64.exe
  1492   Blasthost.exe
  956    RtDCpl64.exe
  1372   RtDCpl64.exe
  1860   Blasthost.exe
  396    RtDCpl64.exe
Loads dropped DLL (13 IoCs)
  pid    Process
  1848   8065cbe928b4854cad3081e2c57237a1cb915965893afca271514a3508bd8287.exe
  1848   8065cbe928b4854cad3081e2c57237a1cb915965893afca271514a3508bd8287.exe
  1848   8065cbe928b4854cad3081e2c57237a1cb915965893afca271514a3508bd8287.exe
  1848   8065cbe928b4854cad3081e2c57237a1cb915965893afca271514a3508bd8287.exe
  472    Blasthost.exe
  472    Blasthost.exe
  1572   RtDCpl64.exe
  1572   RtDCpl64.exe
  1572   RtDCpl64.exe
  1572   RtDCpl64.exe
  1372   RtDCpl64.exe
  1372   RtDCpl64.exe
  1372   RtDCpl64.exe
Suspicious use of SetThreadContext (3 IoCs)
  description                             pid    Process                                                                  procid_target
  PID 1848 set thread context of 1368     1848   8065cbe928b4854cad3081e2c57237a1cb915965893afca271514a3508bd8287.exe    29
  PID 1572 set thread context of 956      1572   RtDCpl64.exe                                                             37
  PID 1372 set thread context of 396      1372   RtDCpl64.exe                                                             46
autoit_exe (5 IoCs)
  AutoIT scripts compiled to PE executables.
  resource                                       yara_rule
  behavioral1/files/0x0006000000012608-79.dat    autoit_exe
  behavioral1/files/0x0006000000012608-80.dat    autoit_exe
  behavioral1/files/0x0006000000012608-97.dat    autoit_exe
  behavioral1/files/0x0006000000012608-104.dat   autoit_exe
  behavioral1/files/0x0006000000012608-119.dat   autoit_exe
Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Creates scheduled task(s) (1 TTP, 3 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  pid    Process
  364    schtasks.exe
  1752   schtasks.exe
  1300   schtasks.exe
Suspicious use of WriteProcessMemory (64 IoCs)
  Identical consecutive rows are collapsed; the count in parentheses is the number of times the row appears in the report, in the original order.
  description                             pid    Process                                                                  procid_target
  PID 1848 wrote to memory of 472         1848   8065cbe928b4854cad3081e2c57237a1cb915965893afca271514a3508bd8287.exe    27   (x4)
  PID 472 wrote to memory of 1388         472    Blasthost.exe                                                            28   (x4)
  PID 1848 wrote to memory of 1368        1848   8065cbe928b4854cad3081e2c57237a1cb915965893afca271514a3508bd8287.exe    29   (x6)
  PID 1368 wrote to memory of 1640        1368   8065cbe928b4854cad3081e2c57237a1cb915965893afca271514a3508bd8287.exe    30   (x4)
  PID 1848 wrote to memory of 364         1848   8065cbe928b4854cad3081e2c57237a1cb915965893afca271514a3508bd8287.exe    32   (x4)
  PID 1368 wrote to memory of 1640        1368   8065cbe928b4854cad3081e2c57237a1cb915965893afca271514a3508bd8287.exe    30   (x2)
  PID 992 wrote to memory of 1572         992    taskeng.exe                                                              35   (x4)
  PID 1572 wrote to memory of 1492        1572   RtDCpl64.exe                                                             36   (x4)
  PID 1572 wrote to memory of 956         1572   RtDCpl64.exe                                                             37   (x6)
  PID 956 wrote to memory of 544          956    RtDCpl64.exe                                                             38   (x4)
  PID 1572 wrote to memory of 1752        1572   RtDCpl64.exe                                                             40   (x4)
  PID 956 wrote to memory of 544          956    RtDCpl64.exe                                                             38   (x2)
  PID 992 wrote to memory of 1372         992    taskeng.exe                                                              44   (x4)
  PID 1372 wrote to memory of 1860        1372   RtDCpl64.exe                                                             45   (x4)
  PID 1372 wrote to memory of 396         1372   RtDCpl64.exe                                                             46   (x6)
  PID 1372 wrote to memory of 1300        1372   RtDCpl64.exe                                                             47   (x2)
Processes
  (Process tree; indentation shows parent/child nesting. Each entry gives the image path, the command line as recorded, the PID and the signatures that fired for that process.)

C:\Users\Admin\AppData\Local\Temp\8065cbe928b4854cad3081e2c57237a1cb915965893afca271514a3508bd8287.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\8065cbe928b4854cad3081e2c57237a1cb915965893afca271514a3508bd8287.exe"
  PID: 1848
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Roaming\Blasthost.exe
      Command line: "C:\Users\Admin\AppData\Roaming\Blasthost.exe"
      PID: 472
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious use of WriteProcessMemory

        C:\Users\Admin\AppData\Roaming\Imgburn\Host.exe
          Command line: "C:\Users\Admin\AppData\Roaming\Imgburn\Host.exe"
          PID: 1388
          - Executes dropped EXE

    C:\Users\Admin\AppData\Local\Temp\8065cbe928b4854cad3081e2c57237a1cb915965893afca271514a3508bd8287.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\8065cbe928b4854cad3081e2c57237a1cb915965893afca271514a3508bd8287.exe"
      PID: 1368
      - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\cmd.exe
          Command line: "C:\Windows\System32\cmd.exe"
          PID: 1640

    C:\Windows\SysWOW64\schtasks.exe
      Command line: "C:\Windows\SysWOW64\schtasks.exe" /create /tn raserver /tr "C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe" /sc minute /mo 1 /F
      PID: 364
      - Creates scheduled task(s)

C:\Windows\system32\taskeng.exe
  Command line: taskeng.exe {87AAC2CF-B813-43E8-8CB1-390F82CD473F} S-1-5-21-3846991908-3261386348-1409841751-1000:VQVVOAJK\Admin:Interactive:[1]
  PID: 992
  - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
      Command line: C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
      PID: 1572
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious use of SetThreadContext
      - Suspicious use of WriteProcessMemory

        C:\Users\Admin\AppData\Roaming\Blasthost.exe
          Command line: "C:\Users\Admin\AppData\Roaming\Blasthost.exe"
          PID: 1492
          - Executes dropped EXE

        C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
          Command line: "C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe"
          PID: 956
          - Executes dropped EXE
          - Suspicious use of WriteProcessMemory

            C:\Windows\SysWOW64\cmd.exe
              Command line: "C:\Windows\System32\cmd.exe"
              PID: 544

        C:\Windows\SysWOW64\schtasks.exe
          Command line: "C:\Windows\SysWOW64\schtasks.exe" /create /tn raserver /tr "C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe" /sc minute /mo 1 /F
          PID: 1752
          - Creates scheduled task(s)

    C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
      Command line: C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
      PID: 1372
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious use of SetThreadContext
      - Suspicious use of WriteProcessMemory

        C:\Users\Admin\AppData\Roaming\Blasthost.exe
          Command line: "C:\Users\Admin\AppData\Roaming\Blasthost.exe"
          PID: 1860
          - Executes dropped EXE

        C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
          Command line: "C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe"
          PID: 396
          - Executes dropped EXE

            C:\Windows\SysWOW64\cmd.exe
              Command line: "C:\Windows\System32\cmd.exe"
              PID: 1364

        C:\Windows\SysWOW64\schtasks.exe
          Command line: "C:\Windows\SysWOW64\schtasks.exe" /create /tn raserver /tr "C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe" /sc minute /mo 1 /F
          PID: 1300
          - Creates scheduled task(s)