Analysis
max time kernel: 161s
max time network: 128s
platform: windows7_x64
resource: win7-en-20211208
submitted: 17/02/2022, 00:16
Behavioral task behavioral1
Sample: 7d9bc00760199d3e0169f6c20a36ebff33d7b60d9d6d306a52858c3017eb4eff.exe
Resource: win7-en-20211208
Behavioral task behavioral2
Sample: 7d9bc00760199d3e0169f6c20a36ebff33d7b60d9d6d306a52858c3017eb4eff.exe
Resource: win10v2004-en-20220113
Every signature hit and the process tree below is tagged behavioral1 (the Windows 7 x64 run); no behavioral2 (Windows 10) results appear on this page.
General
Target: 7d9bc00760199d3e0169f6c20a36ebff33d7b60d9d6d306a52858c3017eb4eff.exe
Size: 1.3MB
MD5: 85b6847f5041bf6ec099d28e065a05ef
SHA1: 1af13c06fcd5ae62ab0ed09f2f7bb845c8269612
SHA256: 7d9bc00760199d3e0169f6c20a36ebff33d7b60d9d6d306a52858c3017eb4eff
SHA512: 3c9355e2ba93e04223182dfd0ec430f1f22ef57e1f7c6dbec529b1eaaf6872c7b356ff0857a5e78618bda844e7d820e2ac246e1b232bd2e933d41d3437e1ebce
Malware Config
Extracted
family: warzonerat
c2: wealth.warzonedns.com:5202
The family and C2 come from the payload's own decoded configuration, which makes them the most reliable attribution on this page and the first indicator to hunt or block on (host wealth.warzonedns.com, TCP port 5202).
Signatures

NetWire RAT payload 25 IoCs
The netwire YARA rule matched three dropped file resources (0x000800000001225c, 0x00060000000125f3, 0x000600000001262d) each time they were written. Note that 0x000600000001262d also matches autoit_exe further down, and that the memory dumps and the extracted config identify Warzone, so treat this file-level hit as a weak family indicator rather than evidence of a second RAT.
resource  yara_rule
behavioral1/files/0x000800000001225c-55.dat  netwire
behavioral1/files/0x000800000001225c-56.dat  netwire
behavioral1/files/0x000800000001225c-57.dat  netwire
behavioral1/files/0x000800000001225c-58.dat  netwire
behavioral1/files/0x000800000001225c-59.dat  netwire
behavioral1/files/0x000800000001225c-61.dat  netwire
behavioral1/files/0x00060000000125f3-67.dat  netwire
behavioral1/files/0x00060000000125f3-66.dat  netwire
behavioral1/files/0x00060000000125f3-68.dat  netwire
behavioral1/files/0x000600000001262d-79.dat  netwire
behavioral1/files/0x000600000001262d-80.dat  netwire
behavioral1/files/0x000800000001225c-82.dat  netwire
behavioral1/files/0x000800000001225c-86.dat  netwire
behavioral1/files/0x000800000001225c-85.dat  netwire
behavioral1/files/0x000800000001225c-84.dat  netwire
behavioral1/files/0x000800000001225c-83.dat  netwire
behavioral1/files/0x00060000000125f3-88.dat  netwire
behavioral1/files/0x000600000001262d-97.dat  netwire
behavioral1/files/0x000800000001225c-103.dat  netwire
behavioral1/files/0x000600000001262d-104.dat  netwire
behavioral1/files/0x000800000001225c-106.dat  netwire
behavioral1/files/0x000800000001225c-108.dat  netwire
behavioral1/files/0x000800000001225c-107.dat  netwire
behavioral1/files/0x000800000001225c-109.dat  netwire
behavioral1/files/0x000600000001262d-119.dat  netwire
WarzoneRat, AveMaria
WarzoneRat (also tracked as AveMaria) is a native C++ RAT with multiple plugins, sold as malware-as-a-service (MaaS).

Warzone RAT Payload 4 IoCs
resource  yara_rule
behavioral1/memory/1208-63-0x0000000000080000-0x000000000009D000-memory.dmp  warzonerat
behavioral1/memory/1208-75-0x0000000000080000-0x000000000009D000-memory.dmp  warzonerat
behavioral1/memory/1812-112-0x00000000000D0000-0x00000000000ED000-memory.dmp  warzonerat
behavioral1/memory/1812-121-0x00000000000D0000-0x00000000000ED000-memory.dmp  warzonerat
Both matching regions are 0x1D000 bytes long and sit in the two processes that were hollowed by their parent (PIDs 1208 and 1812, see Suspicious use of SetThreadContext below). No on-disk file matched the warzonerat rule: the payload is unpacked only in memory.
Executes dropped EXE 8 IoCs
pid  Process
524  Blasthost.exe
672  Host.exe
1480  RtDCpl64.exe
1776  Blasthost.exe
1296  RtDCpl64.exe
1368  RtDCpl64.exe
880  Blasthost.exe
1812  RtDCpl64.exe
Loads dropped DLL 13 IoCs
pid  Process  (records, identical consecutive entries collapsed)
880  7d9bc00760199d3e0169f6c20a36ebff33d7b60d9d6d306a52858c3017eb4eff.exe  x4
524  Blasthost.exe  x2
1480  RtDCpl64.exe  x4
1368  RtDCpl64.exe  x3
Suspicious use of SetThreadContext 3 IoCs
description  pid  Process  procid_target
PID 880 set thread context of 1208  880  7d9bc00760199d3e0169f6c20a36ebff33d7b60d9d6d306a52858c3017eb4eff.exe  28
PID 1480 set thread context of 1296  1480  RtDCpl64.exe  37
PID 1368 set thread context of 1812  1368  RtDCpl64.exe  46
In all three cases the target is a freshly spawned copy of the caller's own image (see the process tree) that the caller has also written to with WriteProcessMemory. That combination is the process-hollowing pattern: start a child of your own binary, overwrite it with the decrypted payload, then redirect its thread with SetThreadContext. The Warzone memory hits above are on two of those children (1208 and 1812).
autoit_exe 5 IoCs
AutoIT scripts compiled to PE executables.
resource  yara_rule
behavioral1/files/0x000600000001262d-79.dat  autoit_exe
behavioral1/files/0x000600000001262d-80.dat  autoit_exe
behavioral1/files/0x000600000001262d-97.dat  autoit_exe
behavioral1/files/0x000600000001262d-104.dat  autoit_exe
behavioral1/files/0x000600000001262d-119.dat  autoit_exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). The sandbox attaches its generic "likely ransomware behaviour" note to this signature; no other signature on this page points to ransomware and the extracted config is a RAT, so here it is better read as routine host reconnaissance by the RAT.
Creates scheduled task(s) 1 TTPs 3 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid  Process
1812  schtasks.exe
1744  schtasks.exe
544  schtasks.exe
All three invocations run the same command (see the process tree): schtasks /create /tn raserver /tr "C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe" /sc minute /mo 1 /F, that is a task named raserver that relaunches the dropped copy every minute and is force-overwritten (/F) on every run. The taskeng.exe branch of the process tree is that task firing.
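The schtasks command line above is the kind of record a detection engineer would want to score automatically. The following is an added example, not part of the sandbox report or of any vendor tooling: it tokenises schtasks command lines (quoted arguments included), pulls out the switches, and flags a task creation when it re-runs at a short minute interval or when its action lives in a user-writable directory, with /F noted as supporting evidence. The three malicious lines are copied from the process tree above; the two benign lines and the function names (tokenize, parse_schtasks, assess, scan) are my own constructions.

```python
import re
from dataclasses import dataclass

# Constructed input: the three schtasks command lines recorded in the process tree
# above (identical on each re-execution of the dropper), plus two hypothetical
# benign lines so the check is seen to discriminate. None of this is live data.
SAMPLE_CMDLINES = [
    r'"C:\Windows\SysWOW64\schtasks.exe" /create /tn raserver /tr "C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe" /sc minute /mo 1 /F',
    r'"C:\Windows\SysWOW64\schtasks.exe" /create /tn raserver /tr "C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe" /sc minute /mo 1 /F',
    r'"C:\Windows\SysWOW64\schtasks.exe" /create /tn raserver /tr "C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe" /sc minute /mo 1 /F',
    r'"C:\Windows\System32\schtasks.exe" /create /tn NightlyBackup /tr "C:\Program Files\Backup\backup.exe" /sc daily /st 02:00',
    r'"C:\Windows\System32\schtasks.exe" /query /tn NightlyBackup',
]

TOKEN = re.compile(r'"([^"]*)"|(\S+)')                       # quoted argument or bare word
VALUE_SWITCHES = {"/tn", "/tr", "/sc", "/mo", "/st", "/ru"}  # switches that take a value
# Locations an unprivileged user can write to; a task action there needs no admin rights.
USER_WRITABLE = re.compile(r"\\(AppData|Temp|ProgramData|Users\\Public)\\", re.IGNORECASE)


def tokenize(cmdline):
    return [quoted or bare for quoted, bare in TOKEN.findall(cmdline)]


def parse_schtasks(cmdline):
    """Return ({switch: value}, {bare flags}) for a schtasks command line."""
    toks = tokenize(cmdline)
    opts, flags = {}, set()
    i = 1                                   # toks[0] is the schtasks image path
    while i < len(toks):
        t = toks[i].lower()
        if t in VALUE_SWITCHES and i + 1 < len(toks):
            opts[t] = toks[i + 1]
            i += 2
        else:
            if t.startswith("/"):
                flags.add(t)
            i += 1
    return opts, flags


@dataclass
class Finding:
    task_name: str
    action: str
    reasons: list


def assess(cmdline, max_minutes=5):
    """Flag a task creation that looks like malware persistence; None if it looks benign."""
    opts, flags = parse_schtasks(cmdline)
    if "/create" not in flags:
        return None
    action = opts.get("/tr", "")
    sched, modifier = opts.get("/sc", "").lower(), opts.get("/mo", "")
    reasons = []
    if sched == "minute" and modifier.isdigit() and int(modifier) <= max_minutes:
        reasons.append(f"re-runs every {modifier} minute(s)")
    if USER_WRITABLE.search(action):
        reasons.append("action lives in a user-writable directory")
    strong = len(reasons) > 0                # /F on its own is not enough to alert
    if "/f" in flags:
        reasons.append("/F silently overwrites an existing task of the same name")
    return Finding(opts.get("/tn", "?"), action, reasons) if strong else None


def scan(cmdlines):
    return [f for f in (assess(c) for c in cmdlines) if f is not None]


if __name__ == "__main__":
    for f in scan(SAMPLE_CMDLINES):
        print(f.task_name, f.action, "; ".join(f.reasons))
```

The same logic transfers directly to a process-creation telemetry feed (Sysmon event 1 or Windows 4688 with command-line logging) by feeding it the CommandLine field of every schtasks.exe launch.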
Suspicious use of WriteProcessMemory 64 IoCs
description  pid  Process  procid_target  (identical consecutive records collapsed; count in last column)
PID 880 wrote to memory of 524  880  7d9bc00760199d3e0169f6c20a36ebff33d7b60d9d6d306a52858c3017eb4eff.exe  27  x4
PID 880 wrote to memory of 1208  880  7d9bc00760199d3e0169f6c20a36ebff33d7b60d9d6d306a52858c3017eb4eff.exe  28  x5
PID 524 wrote to memory of 672  524  Blasthost.exe  29  x4
PID 880 wrote to memory of 1208  880  7d9bc00760199d3e0169f6c20a36ebff33d7b60d9d6d306a52858c3017eb4eff.exe  28  x1
PID 1208 wrote to memory of 1704  1208  7d9bc00760199d3e0169f6c20a36ebff33d7b60d9d6d306a52858c3017eb4eff.exe  30  x4
PID 880 wrote to memory of 1812  880  7d9bc00760199d3e0169f6c20a36ebff33d7b60d9d6d306a52858c3017eb4eff.exe  32  x4
PID 1208 wrote to memory of 1704  1208  7d9bc00760199d3e0169f6c20a36ebff33d7b60d9d6d306a52858c3017eb4eff.exe  30  x2
PID 1548 wrote to memory of 1480  1548  taskeng.exe  35  x4
PID 1480 wrote to memory of 1776  1480  RtDCpl64.exe  36  x4
PID 1480 wrote to memory of 1296  1480  RtDCpl64.exe  37  x6
PID 1296 wrote to memory of 864  1296  RtDCpl64.exe  38  x4
PID 1480 wrote to memory of 1744  1480  RtDCpl64.exe  39  x4
PID 1296 wrote to memory of 864  1296  RtDCpl64.exe  38  x2
PID 1548 wrote to memory of 1368  1548  taskeng.exe  44  x4
PID 1368 wrote to memory of 880  1368  RtDCpl64.exe  45  x4
PID 1368 wrote to memory of 1812  1368  RtDCpl64.exe  46  x6
PID 1812 wrote to memory of 1104  1812  RtDCpl64.exe  47  x2
The list stops at the 64-record cap, so later writes (for example to the final schtasks.exe, PID 544, in the process tree) are not shown. The procid_target column is the tree's own unique process index and is the safe key to join on, because PIDs 880 and 1812 are reused by later processes in the same run.
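Reading the SetThreadContext, WriteProcessMemory and memory-dump tables together is what turns three bland API hits into a hollowing finding. The following is an added example, not part of the sandbox report or of any vendor tooling, that does that join: it parses the report's record format, resolves each SetThreadContext target through procid_target (so PID reuse does not mislead it), counts the caller's writes into that target, and attaches any YARA family found in the target's memory dumps with the size of the matched region. The PROCS table is hand-built from the process tree below, the WriteProcessMemory text is an excerpt of the table above (so the write counts are the excerpt's, not the report's), and the names Hollowing, parse_records and find_hollowing are my own.

```python
import re
from collections import Counter
from dataclasses import dataclass

SAMPLE = "7d9bc00760199d3e0169f6c20a36ebff33d7b60d9d6d306a52858c3017eb4eff.exe"

# Constructed input: records copied from the report tables above. The WriteProcessMemory
# block is an excerpt (the report lists 64 records); the counts here are the excerpt's only.
SET_THREAD_CONTEXT = f"""\
PID 880 set thread context of 1208 880 {SAMPLE} 28
PID 1480 set thread context of 1296 1480 RtDCpl64.exe 37
PID 1368 set thread context of 1812 1368 RtDCpl64.exe 46
"""
WRITE_PROCESS_MEMORY = f"""\
PID 880 wrote to memory of 524 880 {SAMPLE} 27
PID 880 wrote to memory of 1208 880 {SAMPLE} 28
PID 880 wrote to memory of 1208 880 {SAMPLE} 28
PID 880 wrote to memory of 1208 880 {SAMPLE} 28
PID 880 wrote to memory of 1208 880 {SAMPLE} 28
PID 880 wrote to memory of 1208 880 {SAMPLE} 28
PID 880 wrote to memory of 1208 880 {SAMPLE} 28
PID 524 wrote to memory of 672 524 Blasthost.exe 29
PID 1548 wrote to memory of 1480 1548 taskeng.exe 35
PID 1480 wrote to memory of 1296 1480 RtDCpl64.exe 37
PID 1480 wrote to memory of 1296 1480 RtDCpl64.exe 37
PID 1368 wrote to memory of 1812 1368 RtDCpl64.exe 46
PID 1368 wrote to memory of 1812 1368 RtDCpl64.exe 46
"""
MEMORY_HITS = """\
behavioral1/memory/1208-63-0x0000000000080000-0x000000000009D000-memory.dmp warzonerat
behavioral1/memory/1208-75-0x0000000000080000-0x000000000009D000-memory.dmp warzonerat
behavioral1/memory/1812-112-0x00000000000D0000-0x00000000000ED000-memory.dmp warzonerat
behavioral1/memory/1812-121-0x00000000000D0000-0x00000000000ED000-memory.dmp warzonerat
"""
# procid_target -> (pid, image), hand-built from the process tree. procid is the tree's
# unique index; it is needed because PIDs 880 and 1812 are reused later in the same run.
PROCS = {
    27: (524, "Blasthost.exe"), 28: (1208, SAMPLE), 29: (672, "Host.exe"),
    30: (1704, "cmd.exe"), 32: (1812, "schtasks.exe"), 35: (1480, "RtDCpl64.exe"),
    36: (1776, "Blasthost.exe"), 37: (1296, "RtDCpl64.exe"), 38: (864, "cmd.exe"),
    39: (1744, "schtasks.exe"), 44: (1368, "RtDCpl64.exe"), 45: (880, "Blasthost.exe"),
    46: (1812, "RtDCpl64.exe"), 47: (1104, "cmd.exe"),
}

RECORD = re.compile(r"PID (\d+) (set thread context of|wrote to memory of) (\d+) \d+ (\S+) (\d+)")
DUMP = re.compile(r"memory/(\d+)-\d+-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp (\w+)")


def parse_records(text):
    """Return (src_pid, op, dst_pid, src_image, procid_target) for each API record."""
    return [(int(s), op, int(d), img, int(pt)) for s, op, d, img, pt in RECORD.findall(text)]


@dataclass
class Hollowing:
    src_pid: int
    dst_pid: int
    image: str
    same_image: bool   # target is a copy of the caller's own binary
    writes: int        # WriteProcessMemory records from caller into that target
    payloads: list     # (yara family, region size in bytes) seen in the target's memory dumps

    def verdict(self):
        kind = "process hollowing of own image" if self.same_image else "thread hijack into foreign image"
        return f"{kind}: {self.src_pid} -> {self.dst_pid} ({self.image}), {self.writes} write(s), payloads {self.payloads}"


def find_hollowing(ctx_text, wpm_text, mem_text, procs):
    writes = Counter((s, pt) for s, _, _, _, pt in parse_records(wpm_text))
    dumps = {}
    for pid, lo, hi, family in DUMP.findall(mem_text):
        # Dumps are keyed by PID only; with PID reuse, confirm the dump index
        # (63, 75, 112, 121 here) postdates the target's creation before trusting it.
        dumps.setdefault(int(pid), set()).add((family, int(hi, 16) - int(lo, 16)))
    findings = []
    for src, _, dst, src_img, pt in parse_records(ctx_text):
        dst_pid, dst_img = procs.get(pt, (dst, "?"))
        findings.append(Hollowing(src, dst_pid, src_img, src_img == dst_img,
                                  writes[(src, pt)], sorted(dumps.get(dst_pid, set()))))
    return findings


if __name__ == "__main__":
    for h in find_hollowing(SET_THREAD_CONTEXT, WRITE_PROCESS_MEMORY, MEMORY_HITS, PROCS):
        print(h.verdict())
```

Run against the report's data this yields three own-image hollowings, with the Warzone payload (a 0x1D000-byte region) present in the children 1208 and 1812 and no dump recorded for 1296. On a live host the same join is available from an EDR as "parent sets thread context on a child with the same image path after writing to it".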
Processes
Indentation gives the tree depth (the original rendering's 1⤵/2⤵/3⤵/4⤵ markers). Each entry shows the on-disk image path, the recorded command line and the signatures that fired in that process. Two things to keep in mind when reading it: PIDs are reused within the run (880 is first the sample, later a Blasthost.exe child; 1812 is first schtasks.exe, later an RtDCpl64.exe child), so match on position in the tree rather than on PID alone; and cmd.exe and schtasks.exe resolve to C:\Windows\SysWOW64 although the command line says System32, which is WOW64 file-system redirection and shows that the dropper and its payload are 32-bit processes. The second top-level branch, taskeng.exe, is the raserver scheduled task firing: each launch of RtDCpl64.exe re-drops Blasthost.exe, hollows a fresh copy of itself and re-registers the task.

PID 880  C:\Users\Admin\AppData\Local\Temp\7d9bc00760199d3e0169f6c20a36ebff33d7b60d9d6d306a52858c3017eb4eff.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\7d9bc00760199d3e0169f6c20a36ebff33d7b60d9d6d306a52858c3017eb4eff.exe"
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
    PID 524  C:\Users\Admin\AppData\Roaming\Blasthost.exe
      command line: "C:\Users\Admin\AppData\Roaming\Blasthost.exe"
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious use of WriteProcessMemory
        PID 672  C:\Users\Admin\AppData\Roaming\Imgburn\Host.exe
          command line: "C:\Users\Admin\AppData\Roaming\Imgburn\Host.exe"
          - Executes dropped EXE
    PID 1208  C:\Users\Admin\AppData\Local\Temp\7d9bc00760199d3e0169f6c20a36ebff33d7b60d9d6d306a52858c3017eb4eff.exe
      command line: "C:\Users\Admin\AppData\Local\Temp\7d9bc00760199d3e0169f6c20a36ebff33d7b60d9d6d306a52858c3017eb4eff.exe"
      - Suspicious use of WriteProcessMemory
        PID 1704  C:\Windows\SysWOW64\cmd.exe
          command line: "C:\Windows\System32\cmd.exe"
    PID 1812  C:\Windows\SysWOW64\schtasks.exe
      command line: "C:\Windows\SysWOW64\schtasks.exe" /create /tn raserver /tr "C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe" /sc minute /mo 1 /F
      - Creates scheduled task(s)
PID 1548  C:\Windows\system32\taskeng.exe
  command line: taskeng.exe {F85A2DCE-2300-4138-A195-1586130B44AC} S-1-5-21-3846991908-3261386348-1409841751-1000:VQVVOAJK\Admin:Interactive:[1]
  - Suspicious use of WriteProcessMemory
    PID 1480  C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
      command line: C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious use of SetThreadContext
      - Suspicious use of WriteProcessMemory
        PID 1776  C:\Users\Admin\AppData\Roaming\Blasthost.exe
          command line: "C:\Users\Admin\AppData\Roaming\Blasthost.exe"
          - Executes dropped EXE
        PID 1296  C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
          command line: "C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe"
          - Executes dropped EXE
          - Suspicious use of WriteProcessMemory
            PID 864  C:\Windows\SysWOW64\cmd.exe
              command line: "C:\Windows\System32\cmd.exe"
        PID 1744  C:\Windows\SysWOW64\schtasks.exe
          command line: "C:\Windows\SysWOW64\schtasks.exe" /create /tn raserver /tr "C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe" /sc minute /mo 1 /F
          - Creates scheduled task(s)
    PID 1368  C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
      command line: C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious use of SetThreadContext
      - Suspicious use of WriteProcessMemory
        PID 880  C:\Users\Admin\AppData\Roaming\Blasthost.exe
          command line: "C:\Users\Admin\AppData\Roaming\Blasthost.exe"
          - Executes dropped EXE
        PID 1812  C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
          command line: "C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe"
          - Executes dropped EXE
          - Suspicious use of WriteProcessMemory
            PID 1104  C:\Windows\SysWOW64\cmd.exe
              command line: "C:\Windows\System32\cmd.exe"
        PID 544  C:\Windows\SysWOW64\schtasks.exe
          command line: "C:\Windows\SysWOW64\schtasks.exe" /create /tn raserver /tr "C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe" /sc minute /mo 1 /F
          - Creates scheduled task(s)