Analysis

Max time kernel: 153s
Max time network: 132s
Platform: windows7_x64
Resource: win7-en-20211208
Submitted: 17/02/2022, 00:15
Behavioral tasks

behavioral1
  Sample: 7df8e15b6fbbae0fd551e8de7e67277862a5c6c005b8f048d254289e2ceab90d.exe
  Resource: win7-en-20211208
behavioral2
  Sample: 7df8e15b6fbbae0fd551e8de7e67277862a5c6c005b8f048d254289e2ceab90d.exe
  Resource: win10v2004-en-20220113

All signature hits and the process tree below reference behavioral1 (the Windows 7 run); no behavioral2 results appear on this page.
General

Target: 7df8e15b6fbbae0fd551e8de7e67277862a5c6c005b8f048d254289e2ceab90d.exe
Size: 1.3MB
MD5: 8e54c9582caae0e34113fd3733042a56
SHA1: 353e7ea78e548d40a3d111f3fc62de4e87a966b9
SHA256: 7df8e15b6fbbae0fd551e8de7e67277862a5c6c005b8f048d254289e2ceab90d
SHA512: 630882a967702eafc291ce9d410c659814b15e47038299c26c5b8c9d20d14734cc6c4864c5a8b9c884ee97a807d2716c4f2f34385336f99d87d5f6de26d9b865
Malware Config (extracted)

Family: warzonerat
C2 (from the extracted config): wealth.warzonedns.com:5202
Signatures

NetWire RAT payload (25 IoCs)
YARA rule `netwire` matched the following dropped files (behavioral1/files/):
  0x0006000000014073: -55.dat, -56.dat, -57.dat, -58.dat, -59.dat, -61.dat, -82.dat, -85.dat, -86.dat, -84.dat, -83.dat, -103.dat, -108.dat, -107.dat, -109.dat, -106.dat
  0x00060000000140a3: -62.dat, -63.dat, -64.dat, -88.dat
  0x0005000000014174: -79.dat, -80.dat, -97.dat, -104.dat, -119.dat
All 25 hits are repeated matches on the same three dropped resources. Note that this is a file-level rule match only: the memory-image rule below and the extracted config both identify WarzoneRat, so the report carries two family labels, of which only WarzoneRat is backed by a config and a memory hit.
WarzoneRat, AveMaria
WarzoneRat (also tracked as AveMaria) is a native RAT written in C++ with multiple plugins, sold as malware-as-a-service (MaaS).
Warzone RAT Payload (4 IoCs)
YARA rule `warzonerat` matched in process memory (behavioral1/memory/):
  1288-67  0x00000000000D0000-0x00000000000ED000  memory.dmp
  1288-75  0x00000000000D0000-0x00000000000ED000  memory.dmp
  1076-90  0x0000000000080000-0x000000000009D000  memory.dmp
  1076-99  0x0000000000080000-0x000000000009D000  memory.dmp
Both PIDs (1288 and 1076) are targets of the SetThreadContext calls listed below, i.e. the injected child copies of the sample and of RtDCpl64.exe; the unpacked RAT lives there, not in the dropped files.
Executes dropped EXE (8 IoCs)
  PID 820   Blasthost.exe
  PID 1820  Host.exe
  PID 1896  RtDCpl64.exe
  PID 916   Blasthost.exe
  PID 1076  RtDCpl64.exe
  PID 628   RtDCpl64.exe
  PID 560   Blasthost.exe
  PID 460   RtDCpl64.exe
Loads dropped DLL (13 IoCs)
  PID 1156  7df8e15b6fbbae0fd551e8de7e67277862a5c6c005b8f048d254289e2ceab90d.exe  (4 loads)
  PID 820   Blasthost.exe  (2 loads)
  PID 1896  RtDCpl64.exe  (4 loads)
  PID 628   RtDCpl64.exe  (3 loads)
Suspicious use of SetThreadContext (3 IoCs)
  PID 1156 (7df8e15b6fbbae0fd551e8de7e67277862a5c6c005b8f048d254289e2ceab90d.exe) set thread context of 1288  (procid_target 29)
  PID 1896 (RtDCpl64.exe) set thread context of 1076  (procid_target 37)
  PID 628 (RtDCpl64.exe) set thread context of 460  (procid_target 46)
autoit_exe (5 IoCs)
AutoIT scripts compiled to PE executables.
YARA rule `autoit_exe` matched dropped resource 0x0005000000014174 (behavioral1/files/): -79.dat, -80.dat, -97.dat, -104.dat, -119.dat
This is the same resource that also matched the `netwire` rule above.
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). The sandbox's generic description for this signature calls it likely ransomware behaviour, but drive enumeration on its own is a weak indicator, and nothing else in this report (extracted config, payload rules) points to ransomware.
Creates scheduled task(s) (1 TTP, 3 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
  PID 1176  schtasks.exe
  PID 540   schtasks.exe
  PID 984   schtasks.exe
All three invocations create (or, with /F, overwrite) the same task, raserver, which relaunches C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe every minute; the full command lines are in the Processes section.
Suspicious use of WriteProcessMemory (64 IoCs)
One row per distinct parent/target pair; the count is how many times that row appears in the raw signature output.
  PID 1156 (7df8e15b6fbbae0fd551e8de7e67277862a5c6c005b8f048d254289e2ceab90d.exe) wrote to memory of 820   (procid_target 27)  x4
  PID 820 (Blasthost.exe) wrote to memory of 1820   (procid_target 28)  x4
  PID 1156 (7df8e15b6fbbae0fd551e8de7e67277862a5c6c005b8f048d254289e2ceab90d.exe) wrote to memory of 1288  (procid_target 29)  x6
  PID 1156 (7df8e15b6fbbae0fd551e8de7e67277862a5c6c005b8f048d254289e2ceab90d.exe) wrote to memory of 1176  (procid_target 31)  x4
  PID 1288 (7df8e15b6fbbae0fd551e8de7e67277862a5c6c005b8f048d254289e2ceab90d.exe) wrote to memory of 1188  (procid_target 30)  x6
  PID 884 (taskeng.exe) wrote to memory of 1896   (procid_target 35)  x4
  PID 1896 (RtDCpl64.exe) wrote to memory of 916   (procid_target 36)  x4
  PID 1896 (RtDCpl64.exe) wrote to memory of 1076  (procid_target 37)  x6
  PID 1896 (RtDCpl64.exe) wrote to memory of 540   (procid_target 38)  x4
  PID 1076 (RtDCpl64.exe) wrote to memory of 2028  (procid_target 40)  x6
  PID 884 (taskeng.exe) wrote to memory of 628    (procid_target 44)  x4
  PID 628 (RtDCpl64.exe) wrote to memory of 560    (procid_target 45)  x4
  PID 628 (RtDCpl64.exe) wrote to memory of 460    (procid_target 46)  x6
  PID 460 (RtDCpl64.exe) wrote to memory of 1568   (procid_target 47)  x2
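Read together with the process tree in the Processes section, the three SetThreadContext rows share one shape: each caller targets a child it just spawned that runs the caller's own image, and that child then launches cmd.exe. Writing into a suspended copy of yourself and then resetting its thread context is the sequence commonly used for process hollowing. The script below is an added example for this page, not part of the sandbox output: it parses the SetThreadContext rows as printed above, uses a transcription of the Processes section as the process table, and reports the parent/child pairs that fit that shape. The regex, the `PROCESSES` table, `find_hollowing()` and `task_launched_instances()` are helpers written for this example.

```python
"""Correlate the SetThreadContext rows of this report with its process tree.

Added example, not sandbox output. SET_THREAD_CONTEXT_ROWS is copied from the
signature above; PROCESSES is transcribed from the Processes section; the regex
and the two helpers are written for this example."""
import re
from collections import defaultdict

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\7df8e15b6fbbae0fd551e8de7e67277862a5c6c005b8f048d254289e2ceab90d.exe"
RTDCPL = r"C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe"
BLAST = r"C:\Users\Admin\AppData\Roaming\Blasthost.exe"
CMD = r"C:\Windows\SysWOW64\cmd.exe"
SCHTASKS = r"C:\Windows\SysWOW64\schtasks.exe"

# Rows as the report prints them:
#   PID <src> set thread context of <target> <src> <src image> <procid_target>
SET_THREAD_CONTEXT_ROWS = """
PID 1156 set thread context of 1288 1156 7df8e15b6fbbae0fd551e8de7e67277862a5c6c005b8f048d254289e2ceab90d.exe 29
PID 1896 set thread context of 1076 1896 RtDCpl64.exe 37
PID 628 set thread context of 460 628 RtDCpl64.exe 46
"""

# (pid, parent pid, image) transcribed from the Processes section; None = tree root
PROCESSES = [
    (1156, None, SAMPLE), (820, 1156, BLAST),
    (1820, 820, r"C:\Users\Admin\AppData\Roaming\Imgburn\Host.exe"),
    (1288, 1156, SAMPLE), (1188, 1288, CMD), (1176, 1156, SCHTASKS),
    (884, None, r"C:\Windows\system32\taskeng.exe"),
    (1896, 884, RTDCPL), (916, 1896, BLAST), (1076, 1896, RTDCPL),
    (2028, 1076, CMD), (540, 1896, SCHTASKS),
    (628, 884, RTDCPL), (560, 628, BLAST), (460, 628, RTDCPL),
    (1568, 460, CMD), (984, 628, SCHTASKS),
]

ROW_RE = re.compile(r"PID (\d+) set thread context of (\d+) \d+ (\S+) \d+")


def parse_set_thread_context(text):
    """Return (source pid, target pid, source image name) for each row."""
    return [(int(m[1]), int(m[2]), m[3]) for m in ROW_RE.finditer(text)]


def find_hollowing(rows, processes):
    """Flag SetThreadContext calls whose target is a child of the caller running
    the caller's own image (spawn self, overwrite, redirect the main thread),
    and record what the hollowed child went on to spawn."""
    info = {pid: (ppid, image) for pid, ppid, image in processes}
    children = defaultdict(list)
    for pid, ppid, _ in processes:
        children[ppid].append(pid)
    hits = []
    for src, target, _ in rows:
        if src not in info or target not in info:
            continue
        tgt_ppid, tgt_image = info[target]
        if tgt_ppid == src and tgt_image.lower() == info[src][1].lower():
            hits.append({
                "parent": src,
                "hollowed": target,
                "image": tgt_image.rsplit("\\", 1)[-1],
                "spawned": [info[c][1].rsplit("\\", 1)[-1] for c in children[target]],
            })
    return hits


def task_launched_instances(processes, launcher="taskeng.exe"):
    """PIDs whose parent is the Task Scheduler engine: each is one firing of the
    per-minute task the sample registered."""
    image = {pid: img for pid, _, img in processes}
    return [pid for pid, ppid, _ in processes
            if ppid in image and image[ppid].lower().endswith(launcher)]


if __name__ == "__main__":
    rows = parse_set_thread_context(SET_THREAD_CONTEXT_ROWS)
    for h in find_hollowing(rows, PROCESSES):
        print(f"{h['parent']} -> {h['hollowed']} ({h['image']}), child spawned {h['spawned']}")
    print("started by Task Scheduler:", task_launched_instances(PROCESSES))
```

On this report the three pairs come out as 1156->1288, 1896->1076 and 628->460, each followed by a cmd.exe child, and the Task Scheduler accounts for two RtDCpl64.exe launches (1896 and 628) within the 153-second run, which is what a one-minute trigger looks like in a sandbox.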
Processes
Tree depth is shown as [n]; the command line is listed only where it is not simply the image path. Note that cmd.exe is recorded under C:\Windows\SysWOW64 while its command line says System32: that is WoW64 file-system redirection, so the parents launching it are 32-bit processes.

[1] C:\Users\Admin\AppData\Local\Temp\7df8e15b6fbbae0fd551e8de7e67277862a5c6c005b8f048d254289e2ceab90d.exe  PID 1156
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    [2] C:\Users\Admin\AppData\Roaming\Blasthost.exe  PID 820
        - Executes dropped EXE
        - Loads dropped DLL
        - Suspicious use of WriteProcessMemory
        [3] C:\Users\Admin\AppData\Roaming\Imgburn\Host.exe  PID 1820
            - Executes dropped EXE
    [2] C:\Users\Admin\AppData\Local\Temp\7df8e15b6fbbae0fd551e8de7e67277862a5c6c005b8f048d254289e2ceab90d.exe  PID 1288
        - Suspicious use of WriteProcessMemory
        [3] C:\Windows\SysWOW64\cmd.exe  PID 1188
            cmdline: "C:\Windows\System32\cmd.exe"
    [2] C:\Windows\SysWOW64\schtasks.exe  PID 1176
        cmdline: "C:\Windows\SysWOW64\schtasks.exe" /create /tn raserver /tr "C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe" /sc minute /mo 1 /F
        - Creates scheduled task(s)

[1] C:\Windows\system32\taskeng.exe  PID 884
    cmdline: taskeng.exe {F29C0549-B0E2-44AE-9B88-C12A58EFD381} S-1-5-21-3846991908-3261386348-1409841751-1000:VQVVOAJK\Admin:Interactive:[1]
    - Suspicious use of WriteProcessMemory
    [2] C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe  PID 1896
        - Executes dropped EXE
        - Loads dropped DLL
        - Suspicious use of SetThreadContext
        - Suspicious use of WriteProcessMemory
        [3] C:\Users\Admin\AppData\Roaming\Blasthost.exe  PID 916
            - Executes dropped EXE
        [3] C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe  PID 1076
            - Executes dropped EXE
            - Suspicious use of WriteProcessMemory
            [4] C:\Windows\SysWOW64\cmd.exe  PID 2028
                cmdline: "C:\Windows\System32\cmd.exe"
        [3] C:\Windows\SysWOW64\schtasks.exe  PID 540
            cmdline: "C:\Windows\SysWOW64\schtasks.exe" /create /tn raserver /tr "C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe" /sc minute /mo 1 /F
            - Creates scheduled task(s)
    [2] C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe  PID 628
        - Executes dropped EXE
        - Loads dropped DLL
        - Suspicious use of SetThreadContext
        - Suspicious use of WriteProcessMemory
        [3] C:\Users\Admin\AppData\Roaming\Blasthost.exe  PID 560
            - Executes dropped EXE
        [3] C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe  PID 460
            - Executes dropped EXE
            - Suspicious use of WriteProcessMemory
            [4] C:\Windows\SysWOW64\cmd.exe  PID 1568
                cmdline: "C:\Windows\System32\cmd.exe"
        [3] C:\Windows\SysWOW64\schtasks.exe  PID 984
            cmdline: "C:\Windows\SysWOW64\schtasks.exe" /create /tn raserver /tr "C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe" /sc minute /mo 1 /F
            - Creates scheduled task(s)
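The schtasks command line that appears three times in the tree (PIDs 1176, 540 and 984) is the persistence mechanism: it creates, or with /F silently overwrites, a task named raserver that runs RtDCpl64.exe from the user's AppData\Roaming directory every minute. The script below is an added example, not part of the sandbox output: it tokenizes a schtasks /create command line the way Windows does (double quotes, no backslash escapes), recovers the switches, and applies a few triage checks that would flag this one. The interval threshold, the user-writable path prefixes and the lookalike-name list are this example's own assumptions.

```python
"""Triage a schtasks /create command line such as the one in this report.

Added example, not sandbox output. REPORT_CMDLINE is copied from the Processes
section; the thresholds and word lists below are assumptions for illustration."""

# Identical in all three schtasks invocations (PIDs 1176, 540, 984)
REPORT_CMDLINE = (
    r'"C:\Windows\SysWOW64\schtasks.exe" /create /tn raserver '
    r'/tr "C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe" /sc minute /mo 1 /F'
)

VALUELESS = {"/create", "/f", "/z", "/it", "/np"}        # switches that take no argument
SECONDS = {"minute": 60, "hourly": 3600, "daily": 86400}  # /sc units that /mo multiplies
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\users\\public\\", "\\programdata\\")
# Illustrative list of task names that borrow Windows binary names
# (raserver.exe is the Remote Assistance server binary)
LOOKALIKE_NAMES = {"raserver", "svchost", "csrss", "lsass", "winlogon", "conhost"}


def tokenize(cmdline):
    """Split on whitespace while honouring double quotes; no escape handling,
    which matches how Windows command lines are written in this report."""
    tokens, cur, quoted = [], [], False
    for ch in cmdline:
        if ch == '"':
            quoted = not quoted
        elif ch.isspace() and not quoted:
            if cur:
                tokens.append("".join(cur))
                cur = []
        else:
            cur.append(ch)
    if cur:
        tokens.append("".join(cur))
    return tokens


def parse_switches(cmdline):
    """Map lower-cased /switch -> value (True for switches without a value)."""
    tokens = tokenize(cmdline)
    opts, i = {}, 1                      # tokens[0] is schtasks.exe itself
    while i < len(tokens):
        sw = tokens[i].lower()
        if sw in VALUELESS or i + 1 == len(tokens) or tokens[i + 1].startswith("/"):
            opts[sw] = True
            i += 1
        else:
            opts[sw] = tokens[i + 1]
            i += 2
    return opts


def repeat_interval(opts):
    """Seconds between runs, or None when /sc is not a simple periodic schedule."""
    unit = SECONDS.get(str(opts.get("/sc", "")).lower())
    if unit is None:
        return None
    try:
        return unit * int(opts.get("/mo", 1))
    except (TypeError, ValueError):
        return None


def triage(cmdline, max_benign_interval=300):
    """Return the task's name, action and interval plus the triage flags it trips.
    The 300-second threshold is an assumption: legitimate tasks rarely fire faster."""
    opts = parse_switches(cmdline)
    interval = repeat_interval(opts)
    action = str(opts.get("/tr", ""))
    name = str(opts.get("/tn", ""))
    flags = []
    if interval is not None and interval <= max_benign_interval:
        flags.append(f"repeats every {interval}s")
    if any(p in action.lower() for p in USER_WRITABLE):
        flags.append("action runs from a user-writable directory")
    if opts.get("/f"):
        flags.append("/F silently overwrites any existing task of that name")
    if name.lower() in LOOKALIKE_NAMES:
        flags.append(f"task name {name!r} mimics a Windows component")
    return {"name": name, "action": action, "interval_s": interval, "flags": flags}


if __name__ == "__main__":
    result = triage(REPORT_CMDLINE)
    print(result["name"], result["action"], result["interval_s"])
    for flag in result["flags"]:
        print(" -", flag)
```

For the report's command line all four checks fire (60-second repeat, action under AppData\Roaming, /F, and a name borrowed from raserver.exe). A task such as `/tn Backup /tr "C:\Program Files\Tool\backup.exe" /sc daily /st 02:00` trips none of them, which is the point of keeping the checks independent rather than matching the exact string from this sample.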