Analysis

max time kernel: 165s
max time network: 171s
platform: windows10-2004_x64
resource: win10v2004-en-20220113
submitted: 17/02/2022, 00:11
Behavioral task behavioral1
  Sample: 8065cbe928b4854cad3081e2c57237a1cb915965893afca271514a3508bd8287.exe
  Resource: win7-en-20211208

Behavioral task behavioral2
  Sample: 8065cbe928b4854cad3081e2c57237a1cb915965893afca271514a3508bd8287.exe
  Resource: win10v2004-en-20220113
General

Target: 8065cbe928b4854cad3081e2c57237a1cb915965893afca271514a3508bd8287.exe
Size: 1.3MB
MD5: 5f44db21a6564487f55827a6557c2b4c
SHA1: f26aa3fab52cf036f19f398b41abfb7b78168ce5
SHA256: 8065cbe928b4854cad3081e2c57237a1cb915965893afca271514a3508bd8287
SHA512: 24af06cadb10d625375bfd513f29df5f3aaed293824da3e9908a45e18969aec45c7759c0655862d827123f356e05f5a9003675e3541b5f29cca35a4c8b457967
Malware Config

Extracted
  Family: warzonerat
  Host: wealth.warzonedns.com:5202
Signatures

NetWire RAT payload (12 IoCs)
WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.

Warzone RAT Payload (4 IoCs)
  resource                                                                      yara_rule
  behavioral2/memory/2852-133-0x0000000001280000-0x000000000129D000-memory.dmp  warzonerat
  behavioral2/memory/2852-140-0x0000000001280000-0x000000000129D000-memory.dmp  warzonerat
  behavioral2/memory/396-150-0x0000000000400000-0x000000000041D000-memory.dmp   warzonerat
  behavioral2/memory/396-158-0x0000000000400000-0x000000000041D000-memory.dmp   warzonerat
Executes dropped EXE (8 IoCs)
  pid   Process
  2848  Blasthost.exe
  1316  Host.exe
  4604  RtDCpl64.exe
  4028  Blasthost.exe
  396   RtDCpl64.exe
  4748  RtDCpl64.exe
  1056  Blasthost.exe
  3188  RtDCpl64.exe
Checks computer location settings (2 TTPs, 3 IoCs)
Looks up country code configured in the registry, likely geofence.
  description        ioc                                                                                                    Process
  Key value queried  \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation  8065cbe928b4854cad3081e2c57237a1cb915965893afca271514a3508bd8287.exe
  Key value queried  \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation  RtDCpl64.exe
  Key value queried  \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation  RtDCpl64.exe
Suspicious use of SetThreadContext (3 IoCs)
  description                            pid   Process                                                                procid_target
  PID 812 set thread context of 2852     812   8065cbe928b4854cad3081e2c57237a1cb915965893afca271514a3508bd8287.exe  84
  PID 4604 set thread context of 396     4604  RtDCpl64.exe                                                           108
  PID 4748 set thread context of 3188    4748  RtDCpl64.exe                                                           121
autoit_exe (5 IoCs)
AutoIT scripts compiled to PE executables.
  resource                                         yara_rule
  behavioral2/files/0x000800000001e8c3-147.dat     autoit_exe
  behavioral2/files/0x000800000001e8c3-148.dat     autoit_exe
  behavioral2/files/0x000800000001e8c3-157.dat     autoit_exe
  behavioral2/files/0x000800000001e8c3-161.dat     autoit_exe
  behavioral2/files/0x000800000001e8c3-170.dat     autoit_exe
Drops file in Windows directory (8 IoCs)
  description                   ioc                                                        Process
  File opened for modification  C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk     svchost.exe
  File opened for modification  C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log     svchost.exe
  File opened for modification  C:\Windows\SoftwareDistribution\DataStore\DataStore.edb    svchost.exe
  File opened for modification  C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm    svchost.exe
  File opened for modification  C:\Windows\SoftwareDistribution\ReportingEvents.log        svchost.exe
  File opened for modification  C:\Windows\Logs\CBS\CBS.log                                TiWorker.exe
  File opened for modification  C:\Windows\WinSxS\pending.xml                              TiWorker.exe
  File opened for modification  C:\Windows\WindowsUpdate.log                               svchost.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Creates scheduled task(s) (1 TTPs, 3 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
  pid   Process
  1164  schtasks.exe
  4252  schtasks.exe
  4780  schtasks.exe
Suspicious use of AdjustPrivilegeToken (64 IoCs)
Suspicious use of WriteProcessMemory (51 IoCs)
Processes

C:\Users\Admin\AppData\Local\Temp\8065cbe928b4854cad3081e2c57237a1cb915965893afca271514a3508bd8287.exe (PID 812)
  command line: "C:\Users\Admin\AppData\Local\Temp\8065cbe928b4854cad3081e2c57237a1cb915965893afca271514a3508bd8287.exe"
  - Checks computer location settings
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Roaming\Blasthost.exe (PID 2848)
      command line: "C:\Users\Admin\AppData\Roaming\Blasthost.exe"
      - Executes dropped EXE
      - Suspicious use of WriteProcessMemory

        C:\Users\Admin\AppData\Roaming\Imgburn\Host.exe (PID 1316)
          command line: "C:\Users\Admin\AppData\Roaming\Imgburn\Host.exe"
          - Executes dropped EXE

    C:\Users\Admin\AppData\Local\Temp\8065cbe928b4854cad3081e2c57237a1cb915965893afca271514a3508bd8287.exe (PID 2852)
      command line: "C:\Users\Admin\AppData\Local\Temp\8065cbe928b4854cad3081e2c57237a1cb915965893afca271514a3508bd8287.exe"
      - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\cmd.exe (PID 4796)
          command line: "C:\Windows\System32\cmd.exe"

    C:\Windows\SysWOW64\schtasks.exe (PID 4780)
      command line: "C:\Windows\SysWOW64\schtasks.exe" /create /tn raserver /tr "C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe" /sc minute /mo 1 /F
      - Creates scheduled task(s)

C:\Windows\system32\svchost.exe (PID 5044)
  command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken

C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe (PID 4604)
  command line: C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
  - Executes dropped EXE
  - Checks computer location settings
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Roaming\Blasthost.exe (PID 4028)
      command line: "C:\Users\Admin\AppData\Roaming\Blasthost.exe"
      - Executes dropped EXE

    C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe (PID 396)
      command line: "C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe"
      - Executes dropped EXE
      - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\cmd.exe (PID 3420)
          command line: "C:\Windows\System32\cmd.exe"

    C:\Windows\SysWOW64\schtasks.exe (PID 1164)
      command line: "C:\Windows\SysWOW64\schtasks.exe" /create /tn raserver /tr "C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe" /sc minute /mo 1 /F
      - Creates scheduled task(s)

C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe (PID 812)
  command line: C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken

C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe (PID 4748)
  command line: C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
  - Executes dropped EXE
  - Checks computer location settings
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Roaming\Blasthost.exe (PID 1056)
      command line: "C:\Users\Admin\AppData\Roaming\Blasthost.exe"
      - Executes dropped EXE

    C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe (PID 3188)
      command line: "C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe"
      - Executes dropped EXE
      - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\cmd.exe (PID 4288)
          command line: "C:\Windows\System32\cmd.exe"

    C:\Windows\SysWOW64\schtasks.exe (PID 4252)
      command line: "C:\Windows\SysWOW64\schtasks.exe" /create /tn raserver /tr "C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe" /sc minute /mo 1 /F
      - Creates scheduled task(s)