Analysis
- Max time kernel: 157s
- Max time network: 168s
- Platform: windows10-2004_x64
- Resource: win10v2004-en-20220113
- Submitted: 17/02/2022, 00:16
Behavioral task behavioral1
- Sample: 7d9bc00760199d3e0169f6c20a36ebff33d7b60d9d6d306a52858c3017eb4eff.exe
- Resource: win7-en-20211208

Behavioral task behavioral2
- Sample: 7d9bc00760199d3e0169f6c20a36ebff33d7b60d9d6d306a52858c3017eb4eff.exe
- Resource: win10v2004-en-20220113
General
- Target: 7d9bc00760199d3e0169f6c20a36ebff33d7b60d9d6d306a52858c3017eb4eff.exe
- Size: 1.3MB
- MD5: 85b6847f5041bf6ec099d28e065a05ef
- SHA1: 1af13c06fcd5ae62ab0ed09f2f7bb845c8269612
- SHA256: 7d9bc00760199d3e0169f6c20a36ebff33d7b60d9d6d306a52858c3017eb4eff
- SHA512: 3c9355e2ba93e04223182dfd0ec430f1f22ef57e1f7c6dbec529b1eaaf6872c7b356ff0857a5e78618bda844e7d820e2ac246e1b232bd2e933d41d3437e1ebce
Malware Config (extracted)
- Family: warzonerat
- C2: wealth.warzonedns.com:5202
Signatures

NetWire RAT payload (8 IoCs)
resource | yara_rule
behavioral2/files/0x000400000001e7ce-130.dat | netwire
behavioral2/files/0x000400000001e7ce-131.dat | netwire
behavioral2/files/0x000500000001e7cc-132.dat | netwire
behavioral2/files/0x000500000001e7cc-134.dat | netwire
behavioral2/files/0x000500000001e7d4-147.dat | netwire
behavioral2/files/0x000500000001e7d4-148.dat | netwire
behavioral2/files/0x000400000001e7ce-149.dat | netwire
behavioral2/files/0x000500000001e7d4-157.dat | netwire
WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins, sold as a MaaS.
Warzone RAT Payload (4 IoCs)
resource | yara_rule
behavioral2/memory/2544-133-0x0000000000400000-0x000000000041D000-memory.dmp | warzonerat
behavioral2/memory/2544-141-0x0000000000400000-0x000000000041D000-memory.dmp | warzonerat
behavioral2/memory/2020-150-0x0000000000800000-0x000000000081D000-memory.dmp | warzonerat
behavioral2/memory/2020-158-0x0000000000800000-0x000000000081D000-memory.dmp | warzonerat
Executes dropped EXE (5 IoCs)
pid | Process
2420 | Blasthost.exe
4360 | Host.exe
4624 | RtDCpl64.exe
2296 | Blasthost.exe
2020 | RtDCpl64.exe
Checks computer location settings (2 TTPs, 2 IoCs)
Looks up the country code configured in the registry, likely a geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation | 7d9bc00760199d3e0169f6c20a36ebff33d7b60d9d6d306a52858c3017eb4eff.exe
Key value queried | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation | RtDCpl64.exe
Suspicious use of SetThreadContext (2 IoCs)
description | pid | Process | procid_target
PID 1396 set thread context of 2544 | 1396 | 7d9bc00760199d3e0169f6c20a36ebff33d7b60d9d6d306a52858c3017eb4eff.exe | 84
PID 4624 set thread context of 2020 | 4624 | RtDCpl64.exe | 108
autoit_exe (3 IoCs)
AutoIT scripts compiled to PE executables.
resource | yara_rule
behavioral2/files/0x000500000001e7d4-147.dat | autoit_exe
behavioral2/files/0x000500000001e7d4-148.dat | autoit_exe
behavioral2/files/0x000500000001e7d4-157.dat | autoit_exe
Drops file in Windows directory (8 IoCs)
description | ioc | Process
File opened for modification | C:\Windows\SoftwareDistribution\DataStore\DataStore.edb | svchost.exe
File opened for modification | C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm | svchost.exe
File opened for modification | C:\Windows\SoftwareDistribution\ReportingEvents.log | svchost.exe
File opened for modification | C:\Windows\Logs\CBS\CBS.log | TiWorker.exe
File opened for modification | C:\Windows\WinSxS\pending.xml | TiWorker.exe
File opened for modification | C:\Windows\WindowsUpdate.log | svchost.exe
File opened for modification | C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk | svchost.exe
File opened for modification | C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log | svchost.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Creates scheduled task(s) (1 TTPs, 2 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid | Process
3520 | schtasks.exe
2604 | schtasks.exe
Suspicious use of AdjustPrivilegeToken (64 IoCs)
description | pid | Process
Token: SeShutdownPrivilege | 3460 | svchost.exe
Token: SeCreatePagefilePrivilege | 3460 | svchost.exe
Token: SeShutdownPrivilege | 3460 | svchost.exe
Token: SeCreatePagefilePrivilege | 3460 | svchost.exe
Token: SeShutdownPrivilege | 3460 | svchost.exe
Token: SeCreatePagefilePrivilege | 3460 | svchost.exe
Token: SeSecurityPrivilege | 3952 | TiWorker.exe
Token: SeRestorePrivilege | 3952 | TiWorker.exe
Token: SeBackupPrivilege | 3952 | TiWorker.exe
Token: SeBackupPrivilege | 3952 | TiWorker.exe
Token: SeRestorePrivilege | 3952 | TiWorker.exe
Token: SeSecurityPrivilege | 3952 | TiWorker.exe
Token: SeBackupPrivilege | 3952 | TiWorker.exe
Token: SeRestorePrivilege | 3952 | TiWorker.exe
Token: SeSecurityPrivilege | 3952 | TiWorker.exe
Token: SeBackupPrivilege | 3952 | TiWorker.exe
Token: SeRestorePrivilege | 3952 | TiWorker.exe
Token: SeSecurityPrivilege | 3952 | TiWorker.exe
Token: SeBackupPrivilege | 3952 | TiWorker.exe
Token: SeRestorePrivilege | 3952 | TiWorker.exe
Token: SeSecurityPrivilege | 3952 | TiWorker.exe
Token: SeBackupPrivilege | 3952 | TiWorker.exe
Token: SeRestorePrivilege | 3952 | TiWorker.exe
Token: SeSecurityPrivilege | 3952 | TiWorker.exe
Token: SeBackupPrivilege | 3952 | TiWorker.exe
Token: SeRestorePrivilege | 3952 | TiWorker.exe
Token: SeSecurityPrivilege | 3952 | TiWorker.exe
Token: SeBackupPrivilege | 3952 | TiWorker.exe
Token: SeRestorePrivilege | 3952 | TiWorker.exe
Token: SeSecurityPrivilege | 3952 | TiWorker.exe
Token: SeBackupPrivilege | 3952 | TiWorker.exe
Token: SeRestorePrivilege | 3952 | TiWorker.exe
Token: SeSecurityPrivilege | 3952 | TiWorker.exe
Token: SeBackupPrivilege | 3952 | TiWorker.exe
Token: SeRestorePrivilege | 3952 | TiWorker.exe
Token: SeSecurityPrivilege | 3952 | TiWorker.exe
Token: SeBackupPrivilege | 3952 | TiWorker.exe
Token: SeRestorePrivilege | 3952 | TiWorker.exe
Token: SeSecurityPrivilege | 3952 | TiWorker.exe
Token: SeBackupPrivilege | 3952 | TiWorker.exe
Token: SeRestorePrivilege | 3952 | TiWorker.exe
Token: SeSecurityPrivilege | 3952 | TiWorker.exe
Token: SeBackupPrivilege | 3952 | TiWorker.exe
Token: SeRestorePrivilege | 3952 | TiWorker.exe
Token: SeSecurityPrivilege | 3952 | TiWorker.exe
Token: SeBackupPrivilege | 3952 | TiWorker.exe
Token: SeRestorePrivilege | 3952 | TiWorker.exe
Token: SeSecurityPrivilege | 3952 | TiWorker.exe
Token: SeBackupPrivilege | 3952 | TiWorker.exe
Token: SeRestorePrivilege | 3952 | TiWorker.exe
Token: SeSecurityPrivilege | 3952 | TiWorker.exe
Token: SeBackupPrivilege | 3952 | TiWorker.exe
Token: SeRestorePrivilege | 3952 | TiWorker.exe
Token: SeSecurityPrivilege | 3952 | TiWorker.exe
Token: SeBackupPrivilege | 3952 | TiWorker.exe
Token: SeRestorePrivilege | 3952 | TiWorker.exe
Token: SeSecurityPrivilege | 3952 | TiWorker.exe
Token: SeBackupPrivilege | 3952 | TiWorker.exe
Token: SeRestorePrivilege | 3952 | TiWorker.exe
Token: SeSecurityPrivilege | 3952 | TiWorker.exe
Token: SeBackupPrivilege | 3952 | TiWorker.exe
Token: SeRestorePrivilege | 3952 | TiWorker.exe
Token: SeSecurityPrivilege | 3952 | TiWorker.exe
Token: SeBackupPrivilege | 3952 | TiWorker.exe
Suspicious use of WriteProcessMemory (35 IoCs)
description | pid | Process | procid_target
PID 1396 wrote to memory of 2420 | 1396 | 7d9bc00760199d3e0169f6c20a36ebff33d7b60d9d6d306a52858c3017eb4eff.exe | 82
PID 1396 wrote to memory of 2420 | 1396 | 7d9bc00760199d3e0169f6c20a36ebff33d7b60d9d6d306a52858c3017eb4eff.exe | 82
PID 1396 wrote to memory of 2420 | 1396 | 7d9bc00760199d3e0169f6c20a36ebff33d7b60d9d6d306a52858c3017eb4eff.exe | 82
PID 1396 wrote to memory of 2544 | 1396 | 7d9bc00760199d3e0169f6c20a36ebff33d7b60d9d6d306a52858c3017eb4eff.exe | 84
PID 1396 wrote to memory of 2544 | 1396 | 7d9bc00760199d3e0169f6c20a36ebff33d7b60d9d6d306a52858c3017eb4eff.exe | 84
PID 1396 wrote to memory of 2544 | 1396 | 7d9bc00760199d3e0169f6c20a36ebff33d7b60d9d6d306a52858c3017eb4eff.exe | 84
PID 2420 wrote to memory of 4360 | 2420 | Blasthost.exe | 85
PID 2420 wrote to memory of 4360 | 2420 | Blasthost.exe | 85
PID 2420 wrote to memory of 4360 | 2420 | Blasthost.exe | 85
PID 1396 wrote to memory of 2544 | 1396 | 7d9bc00760199d3e0169f6c20a36ebff33d7b60d9d6d306a52858c3017eb4eff.exe | 84
PID 1396 wrote to memory of 2544 | 1396 | 7d9bc00760199d3e0169f6c20a36ebff33d7b60d9d6d306a52858c3017eb4eff.exe | 84
PID 1396 wrote to memory of 3520 | 1396 | 7d9bc00760199d3e0169f6c20a36ebff33d7b60d9d6d306a52858c3017eb4eff.exe | 86
PID 1396 wrote to memory of 3520 | 1396 | 7d9bc00760199d3e0169f6c20a36ebff33d7b60d9d6d306a52858c3017eb4eff.exe | 86
PID 1396 wrote to memory of 3520 | 1396 | 7d9bc00760199d3e0169f6c20a36ebff33d7b60d9d6d306a52858c3017eb4eff.exe | 86
PID 2544 wrote to memory of 4700 | 2544 | 7d9bc00760199d3e0169f6c20a36ebff33d7b60d9d6d306a52858c3017eb4eff.exe | 87
PID 2544 wrote to memory of 4700 | 2544 | 7d9bc00760199d3e0169f6c20a36ebff33d7b60d9d6d306a52858c3017eb4eff.exe | 87
PID 2544 wrote to memory of 4700 | 2544 | 7d9bc00760199d3e0169f6c20a36ebff33d7b60d9d6d306a52858c3017eb4eff.exe | 87
PID 2544 wrote to memory of 4700 | 2544 | 7d9bc00760199d3e0169f6c20a36ebff33d7b60d9d6d306a52858c3017eb4eff.exe | 87
PID 2544 wrote to memory of 4700 | 2544 | 7d9bc00760199d3e0169f6c20a36ebff33d7b60d9d6d306a52858c3017eb4eff.exe | 87
PID 4624 wrote to memory of 2296 | 4624 | RtDCpl64.exe | 107
PID 4624 wrote to memory of 2296 | 4624 | RtDCpl64.exe | 107
PID 4624 wrote to memory of 2296 | 4624 | RtDCpl64.exe | 107
PID 4624 wrote to memory of 2020 | 4624 | RtDCpl64.exe | 108
PID 4624 wrote to memory of 2020 | 4624 | RtDCpl64.exe | 108
PID 4624 wrote to memory of 2020 | 4624 | RtDCpl64.exe | 108
PID 4624 wrote to memory of 2020 | 4624 | RtDCpl64.exe | 108
PID 4624 wrote to memory of 2020 | 4624 | RtDCpl64.exe | 108
PID 2020 wrote to memory of 4320 | 2020 | RtDCpl64.exe | 109
PID 2020 wrote to memory of 4320 | 2020 | RtDCpl64.exe | 109
PID 2020 wrote to memory of 4320 | 2020 | RtDCpl64.exe | 109
PID 4624 wrote to memory of 2604 | 4624 | RtDCpl64.exe | 111
PID 4624 wrote to memory of 2604 | 4624 | RtDCpl64.exe | 111
PID 4624 wrote to memory of 2604 | 4624 | RtDCpl64.exe | 111
PID 2020 wrote to memory of 4320 | 2020 | RtDCpl64.exe | 109
PID 2020 wrote to memory of 4320 | 2020 | RtDCpl64.exe | 109
Processes

C:\Users\Admin\AppData\Local\Temp\7d9bc00760199d3e0169f6c20a36ebff33d7b60d9d6d306a52858c3017eb4eff.exe (PID 1396)
  Command line: "C:\Users\Admin\AppData\Local\Temp\7d9bc00760199d3e0169f6c20a36ebff33d7b60d9d6d306a52858c3017eb4eff.exe"
  - Checks computer location settings
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Roaming\Blasthost.exe (PID 2420)
      Command line: "C:\Users\Admin\AppData\Roaming\Blasthost.exe"
      - Executes dropped EXE
      - Suspicious use of WriteProcessMemory

        C:\Users\Admin\AppData\Roaming\Imgburn\Host.exe (PID 4360)
          Command line: "C:\Users\Admin\AppData\Roaming\Imgburn\Host.exe"
          - Executes dropped EXE

    C:\Users\Admin\AppData\Local\Temp\7d9bc00760199d3e0169f6c20a36ebff33d7b60d9d6d306a52858c3017eb4eff.exe (PID 2544)
      Command line: "C:\Users\Admin\AppData\Local\Temp\7d9bc00760199d3e0169f6c20a36ebff33d7b60d9d6d306a52858c3017eb4eff.exe"
      - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\cmd.exe (PID 4700)
          Command line: "C:\Windows\System32\cmd.exe"

    C:\Windows\SysWOW64\schtasks.exe (PID 3520)
      Command line: "C:\Windows\SysWOW64\schtasks.exe" /create /tn raserver /tr "C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe" /sc minute /mo 1 /F
      - Creates scheduled task(s)

C:\Windows\system32\svchost.exe (PID 3460)
  Command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken

C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe (PID 3952)
  Command line: C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken

C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe (PID 4624)
  Command line: C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
  - Executes dropped EXE
  - Checks computer location settings
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Roaming\Blasthost.exe (PID 2296)
      Command line: "C:\Users\Admin\AppData\Roaming\Blasthost.exe"
      - Executes dropped EXE

    C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe (PID 2020)
      Command line: "C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe"
      - Executes dropped EXE
      - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\cmd.exe (PID 4320)
          Command line: "C:\Windows\System32\cmd.exe"

    C:\Windows\SysWOW64\schtasks.exe (PID 2604)
      Command line: "C:\Windows\SysWOW64\schtasks.exe" /create /tn raserver /tr "C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe" /sc minute /mo 1 /F
      - Creates scheduled task(s)