Analysis
- max time kernel: 161s
- max time network: 172s
- platform: windows10-2004_x64
- resource: win10v2004-en-20220113
- submitted: 17/02/2022, 00:15
Behavioral task behavioral1
- Sample: 7df8e15b6fbbae0fd551e8de7e67277862a5c6c005b8f048d254289e2ceab90d.exe
- Resource: win7-en-20211208

Behavioral task behavioral2
- Sample: 7df8e15b6fbbae0fd551e8de7e67277862a5c6c005b8f048d254289e2ceab90d.exe
- Resource: win10v2004-en-20220113
General
- Target: 7df8e15b6fbbae0fd551e8de7e67277862a5c6c005b8f048d254289e2ceab90d.exe
- Size: 1.3MB
- MD5: 8e54c9582caae0e34113fd3733042a56
- SHA1: 353e7ea78e548d40a3d111f3fc62de4e87a966b9
- SHA256: 7df8e15b6fbbae0fd551e8de7e67277862a5c6c005b8f048d254289e2ceab90d
- SHA512: 630882a967702eafc291ce9d410c659814b15e47038299c26c5b8c9d20d14734cc6c4864c5a8b9c884ee97a807d2716c4f2f34385336f99d87d5f6de26d9b865
Malware Config
- Extracted config (warzonerat): wealth.warzonedns.com:5202
Signatures

NetWire RAT payload (12 IoCs)
resource                                        yara_rule
behavioral2/files/0x000300000000072f-130.dat    netwire
behavioral2/files/0x000300000000072f-131.dat    netwire
behavioral2/files/0x0004000000016298-141.dat    netwire
behavioral2/files/0x0004000000016298-140.dat    netwire
behavioral2/files/0x000300000001e465-147.dat    netwire
behavioral2/files/0x000300000001e465-148.dat    netwire
behavioral2/files/0x000300000000072f-149.dat    netwire
behavioral2/files/0x000300000001e465-157.dat    netwire
behavioral2/files/0x000300000000072f-161.dat    netwire
behavioral2/files/0x000300000001e465-162.dat    netwire
behavioral2/files/0x000300000000072f-163.dat    netwire
behavioral2/files/0x000300000001e465-171.dat    netwire
WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.

Warzone RAT Payload (2 IoCs)
resource                                                                        yara_rule
behavioral2/memory/2156-132-0x0000000000400000-0x000000000041D000-memory.dmp    warzonerat
behavioral2/memory/2156-139-0x0000000000400000-0x000000000041D000-memory.dmp    warzonerat
Executes dropped EXE (8 IoCs)
pid     Process
4484    Blasthost.exe
2624    Host.exe
4816    RtDCpl64.exe
1440    Blasthost.exe
2464    RtDCpl64.exe
3500    RtDCpl64.exe
2424    Blasthost.exe
3324    RtDCpl64.exe
Checks computer location settings (2 TTPs, 3 IoCs)
Looks up country code configured in the registry, likely geofence.
description         ioc                                                                                                     Process
Key value queried   \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation   RtDCpl64.exe
Key value queried   \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation   7df8e15b6fbbae0fd551e8de7e67277862a5c6c005b8f048d254289e2ceab90d.exe
Key value queried   \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation   RtDCpl64.exe
Suspicious use of SetThreadContext (3 IoCs)
description                            pid     Process                                                                 procid_target
PID 4644 set thread context of 2156    4644    7df8e15b6fbbae0fd551e8de7e67277862a5c6c005b8f048d254289e2ceab90d.exe   83
PID 4816 set thread context of 2464    4816    RtDCpl64.exe                                                            106
PID 3500 set thread context of 3324    3500    RtDCpl64.exe                                                            118
autoit_exe (5 IoCs)
AutoIT scripts compiled to PE executables.
resource                                        yara_rule
behavioral2/files/0x000300000001e465-147.dat    autoit_exe
behavioral2/files/0x000300000001e465-148.dat    autoit_exe
behavioral2/files/0x000300000001e465-157.dat    autoit_exe
behavioral2/files/0x000300000001e465-162.dat    autoit_exe
behavioral2/files/0x000300000001e465-171.dat    autoit_exe
Drops file in Windows directory (8 IoCs)
description                     ioc                                                         Process
File opened for modification    C:\Windows\SoftwareDistribution\ReportingEvents.log         svchost.exe
File opened for modification    C:\Windows\Logs\CBS\CBS.log                                 TiWorker.exe
File opened for modification    C:\Windows\WinSxS\pending.xml                               TiWorker.exe
File opened for modification    C:\Windows\WindowsUpdate.log                                svchost.exe
File opened for modification    C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk      svchost.exe
File opened for modification    C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log      svchost.exe
File opened for modification    C:\Windows\SoftwareDistribution\DataStore\DataStore.edb     svchost.exe
File opened for modification    C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm     svchost.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Creates scheduled task(s) (1 TTPs, 3 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid     Process
4636    schtasks.exe
4692    schtasks.exe
648     schtasks.exe
Suspicious use of AdjustPrivilegeToken (64 IoCs)
Suspicious use of WriteProcessMemory (51 IoCs)
Processes

C:\Users\Admin\AppData\Local\Temp\7df8e15b6fbbae0fd551e8de7e67277862a5c6c005b8f048d254289e2ceab90d.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\7df8e15b6fbbae0fd551e8de7e67277862a5c6c005b8f048d254289e2ceab90d.exe"
    - Checks computer location settings
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID: 4644
    C:\Users\Admin\AppData\Roaming\Blasthost.exe
        Command line: "C:\Users\Admin\AppData\Roaming\Blasthost.exe"
        - Executes dropped EXE
        - Suspicious use of WriteProcessMemory
        PID: 4484
        C:\Users\Admin\AppData\Roaming\Imgburn\Host.exe
            Command line: "C:\Users\Admin\AppData\Roaming\Imgburn\Host.exe"
            - Executes dropped EXE
            PID: 2624
    C:\Users\Admin\AppData\Local\Temp\7df8e15b6fbbae0fd551e8de7e67277862a5c6c005b8f048d254289e2ceab90d.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\7df8e15b6fbbae0fd551e8de7e67277862a5c6c005b8f048d254289e2ceab90d.exe"
        - Suspicious use of WriteProcessMemory
        PID: 2156
        C:\Windows\SysWOW64\cmd.exe
            Command line: "C:\Windows\System32\cmd.exe"
            PID: 1500
    C:\Windows\SysWOW64\schtasks.exe
        Command line: "C:\Windows\SysWOW64\schtasks.exe" /create /tn raserver /tr "C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe" /sc minute /mo 1 /F
        - Creates scheduled task(s)
        PID: 4636
C:\Windows\system32\svchost.exe
    Command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    PID: 4544
C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
    Command line: C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
    - Executes dropped EXE
    - Checks computer location settings
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID: 4816
    C:\Users\Admin\AppData\Roaming\Blasthost.exe
        Command line: "C:\Users\Admin\AppData\Roaming\Blasthost.exe"
        - Executes dropped EXE
        PID: 1440
    C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
        Command line: "C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe"
        - Executes dropped EXE
        - Suspicious use of WriteProcessMemory
        PID: 2464
        C:\Windows\SysWOW64\cmd.exe
            Command line: "C:\Windows\System32\cmd.exe"
            PID: 3836
    C:\Windows\SysWOW64\schtasks.exe
        Command line: "C:\Windows\SysWOW64\schtasks.exe" /create /tn raserver /tr "C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe" /sc minute /mo 1 /F
        - Creates scheduled task(s)
        PID: 4692
C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
    Command line: C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    PID: 2388
C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
    Command line: C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
    - Executes dropped EXE
    - Checks computer location settings
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID: 3500
    C:\Users\Admin\AppData\Roaming\Blasthost.exe
        Command line: "C:\Users\Admin\AppData\Roaming\Blasthost.exe"
        - Executes dropped EXE
        PID: 2424
    C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
        Command line: "C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe"
        - Executes dropped EXE
        - Suspicious use of WriteProcessMemory
        PID: 3324
        C:\Windows\SysWOW64\cmd.exe
            Command line: "C:\Windows\System32\cmd.exe"
            PID: 3280
    C:\Windows\SysWOW64\schtasks.exe
        Command line: "C:\Windows\SysWOW64\schtasks.exe" /create /tn raserver /tr "C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe" /sc minute /mo 1 /F
        - Creates scheduled task(s)
        PID: 648