Analysis

max time kernel: 156s
max time network: 129s
platform: windows7_x64
resource: win7-en-20211208
submitted: 17/02/2022, 00:16
Behavioral task: behavioral1
Sample: 7db6499404854573881b19b337e53adaab84423f163deb5c482a7724de6faf09.exe
Resource: win7-en-20211208

Behavioral task: behavioral2
Sample: 7db6499404854573881b19b337e53adaab84423f163deb5c482a7724de6faf09.exe
Resource: win10v2004-en-20220112
General

Target: 7db6499404854573881b19b337e53adaab84423f163deb5c482a7724de6faf09.exe
Size: 1.3MB
MD5: f675eebc9a0a053e54f7f4fe965c003c
SHA1: 6de3a992f4b73ecc864a5da15e623cae6a2e031a
SHA256: 7db6499404854573881b19b337e53adaab84423f163deb5c482a7724de6faf09
SHA512: 2c42d42f7d6aaaca5ce77944fdb7a5a03e5965ccf4067578380efdd026189a6cb455f8e8cbb9a1409d05aef9a644b4306f304ec21caa4ca601db255c0fa8d860
Malware Config

Extracted
Family: warzonerat
C2: wealth.warzonedns.com:5202
Signatures
NetWire RAT payload 26 IoCs
WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
Warzone RAT Payload 4 IoCs
Executes dropped EXE 9 IoCs
Loads dropped DLL 13 IoCs
Suspicious use of SetThreadContext 3 IoCs
description                                  pid   Process                                                                  procid_target
PID 1720 set thread context of 536           1720  7db6499404854573881b19b337e53adaab84423f163deb5c482a7724de6faf09.exe    29
PID 1288 set thread context of 1124          1288  RtDCpl64.exe                                                             37
PID 600 set thread context of 1820           600   RtDCpl64.exe                                                             46
autoit_exe 6 IoCs
AutoIT scripts compiled to PE executables.
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Creates scheduled task(s) 1 TTPs 3 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid   Process
1752  schtasks.exe
552   schtasks.exe
1736  schtasks.exe
Suspicious use of WriteProcessMemory 64 IoCs
Processes

[1] C:\Users\Admin\AppData\Local\Temp\7db6499404854573881b19b337e53adaab84423f163deb5c482a7724de6faf09.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\7db6499404854573881b19b337e53adaab84423f163deb5c482a7724de6faf09.exe"
    PID: 1720
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory

    [2] C:\Users\Admin\AppData\Roaming\Blasthost.exe
        Command line: "C:\Users\Admin\AppData\Roaming\Blasthost.exe"
        PID: 1468
        - Executes dropped EXE
        - Loads dropped DLL
        - Suspicious use of WriteProcessMemory

        [3] C:\Users\Admin\AppData\Roaming\Imgburn\Host.exe
            Command line: "C:\Users\Admin\AppData\Roaming\Imgburn\Host.exe"
            PID: 768
            - Executes dropped EXE

    [2] C:\Users\Admin\AppData\Local\Temp\7db6499404854573881b19b337e53adaab84423f163deb5c482a7724de6faf09.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\7db6499404854573881b19b337e53adaab84423f163deb5c482a7724de6faf09.exe"
        PID: 536
        - Suspicious use of WriteProcessMemory

        [3] C:\Windows\SysWOW64\cmd.exe
            Command line: "C:\Windows\System32\cmd.exe"
            PID: 1108

    [2] C:\Windows\SysWOW64\schtasks.exe
        Command line: "C:\Windows\SysWOW64\schtasks.exe" /create /tn raserver /tr "C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe" /sc minute /mo 1 /F
        PID: 1752
        - Creates scheduled task(s)

[1] C:\Windows\system32\taskeng.exe
    Command line: taskeng.exe {4D5A960B-625F-44E6-96ED-854D5D6B6754} S-1-5-21-3846991908-3261386348-1409841751-1000:VQVVOAJK\Admin:Interactive:[1]
    PID: 1540
    - Suspicious use of WriteProcessMemory

    [2] C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
        Command line: C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
        PID: 1288
        - Executes dropped EXE
        - Loads dropped DLL
        - Suspicious use of SetThreadContext
        - Suspicious use of WriteProcessMemory

        [3] C:\Users\Admin\AppData\Roaming\Blasthost.exe
            Command line: "C:\Users\Admin\AppData\Roaming\Blasthost.exe"
            PID: 1548
            - Executes dropped EXE

        [3] C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
            Command line: "C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe"
            PID: 1124
            - Executes dropped EXE
            - Suspicious use of WriteProcessMemory

            [4] C:\Windows\SysWOW64\cmd.exe
                Command line: "C:\Windows\System32\cmd.exe"
                PID: 1912

        [3] C:\Windows\SysWOW64\schtasks.exe
            Command line: "C:\Windows\SysWOW64\schtasks.exe" /create /tn raserver /tr "C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe" /sc minute /mo 1 /F
            PID: 552
            - Creates scheduled task(s)

    [2] C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
        Command line: C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
        PID: 600
        - Executes dropped EXE
        - Loads dropped DLL
        - Suspicious use of SetThreadContext
        - Suspicious use of WriteProcessMemory

        [3] C:\Users\Admin\AppData\Roaming\Blasthost.exe
            Command line: "C:\Users\Admin\AppData\Roaming\Blasthost.exe"
            PID: 1064
            - Executes dropped EXE

        [3] C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
            Command line: "C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe"
            PID: 1820
            - Executes dropped EXE
            - Suspicious use of WriteProcessMemory

            [4] C:\Windows\SysWOW64\cmd.exe
                Command line: "C:\Windows\System32\cmd.exe"
                PID: 1760

        [3] C:\Windows\SysWOW64\schtasks.exe
            Command line: "C:\Windows\SysWOW64\schtasks.exe" /create /tn raserver /tr "C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe" /sc minute /mo 1 /F
            PID: 1736
            - Creates scheduled task(s)

    [2] C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
        Command line: C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
        PID: 908
        - Executes dropped EXE