Analysis
max time kernel: 159s
max time network: 134s
platform: windows7_x64
resource: win7-en-20211208
submitted: 17/02/2022, 00:16
Behavioral task: behavioral1
Sample: 7d853c8a8bb5ab2080e867e032b74833f6c3c7d9ed71ce2f485d8872798099b3.exe
Resource: win7-en-20211208

Behavioral task: behavioral2
Sample: 7d853c8a8bb5ab2080e867e032b74833f6c3c7d9ed71ce2f485d8872798099b3.exe
Resource: win10v2004-en-20220113
General
Target: 7d853c8a8bb5ab2080e867e032b74833f6c3c7d9ed71ce2f485d8872798099b3.exe
Size: 1.3MB
MD5: fa107c336d9a6cde8d1912f45b6bd3c4
SHA1: 22f7718351549e16726ab1467c9b8add7aa112d4
SHA256: 7d853c8a8bb5ab2080e867e032b74833f6c3c7d9ed71ce2f485d8872798099b3
SHA512: e0801ce2d38d0f8eafb68bab530b8a1e37cb3571d19ff11504cb745c81bc23d360c7d14f296e5c1b4e6b360e28ed52cdbd05d298bfc3dff7f1a721e700676298
Malware Config
Extracted
Family: warzonerat
C2: wealth.warzonedns.com:5202
Signatures

NetWire RAT payload (25 IoCs)
resource | yara_rule
behavioral1/files/0x0008000000012284-55.dat | netwire
behavioral1/files/0x0008000000012284-56.dat | netwire
behavioral1/files/0x0008000000012284-58.dat | netwire
behavioral1/files/0x0008000000012284-57.dat | netwire
behavioral1/files/0x0008000000012284-59.dat | netwire
behavioral1/files/0x0008000000012284-61.dat | netwire
behavioral1/files/0x00070000000125e4-74.dat | netwire
behavioral1/files/0x00070000000125e4-73.dat | netwire
behavioral1/files/0x00070000000125e4-72.dat | netwire
behavioral1/files/0x000600000001263f-79.dat | netwire
behavioral1/files/0x000600000001263f-80.dat | netwire
behavioral1/files/0x0008000000012284-82.dat | netwire
behavioral1/files/0x0008000000012284-83.dat | netwire
behavioral1/files/0x0008000000012284-84.dat | netwire
behavioral1/files/0x0008000000012284-85.dat | netwire
behavioral1/files/0x0008000000012284-86.dat | netwire
behavioral1/files/0x00070000000125e4-88.dat | netwire
behavioral1/files/0x000600000001263f-97.dat | netwire
behavioral1/files/0x0008000000012284-103.dat | netwire
behavioral1/files/0x000600000001263f-104.dat | netwire
behavioral1/files/0x0008000000012284-106.dat | netwire
behavioral1/files/0x0008000000012284-107.dat | netwire
behavioral1/files/0x0008000000012284-108.dat | netwire
behavioral1/files/0x0008000000012284-109.dat | netwire
behavioral1/files/0x000600000001263f-119.dat | netwire
WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.

Warzone RAT Payload (4 IoCs)
resource | yara_rule
behavioral1/memory/1620-63-0x0000000000080000-0x000000000009D000-memory.dmp | warzonerat
behavioral1/memory/1620-71-0x0000000000080000-0x000000000009D000-memory.dmp | warzonerat
behavioral1/memory/1952-90-0x00000000000C0000-0x00000000000DD000-memory.dmp | warzonerat
behavioral1/memory/1952-99-0x00000000000C0000-0x00000000000DD000-memory.dmp | warzonerat
Executes dropped EXE (8 IoCs)
pid | Process
520 | Blasthost.exe
820 | Host.exe
1340 | RtDCpl64.exe
1948 | Blasthost.exe
1952 | RtDCpl64.exe
364 | RtDCpl64.exe
1384 | Blasthost.exe
1624 | RtDCpl64.exe
Loads dropped DLL (13 IoCs)
pid | Process
1288 | 7d853c8a8bb5ab2080e867e032b74833f6c3c7d9ed71ce2f485d8872798099b3.exe
1288 | 7d853c8a8bb5ab2080e867e032b74833f6c3c7d9ed71ce2f485d8872798099b3.exe
1288 | 7d853c8a8bb5ab2080e867e032b74833f6c3c7d9ed71ce2f485d8872798099b3.exe
1288 | 7d853c8a8bb5ab2080e867e032b74833f6c3c7d9ed71ce2f485d8872798099b3.exe
520 | Blasthost.exe
520 | Blasthost.exe
1340 | RtDCpl64.exe
1340 | RtDCpl64.exe
1340 | RtDCpl64.exe
1340 | RtDCpl64.exe
364 | RtDCpl64.exe
364 | RtDCpl64.exe
364 | RtDCpl64.exe
Suspicious use of SetThreadContext (3 IoCs)
description | pid | Process | procid_target
PID 1288 set thread context of 1620 | 1288 | 7d853c8a8bb5ab2080e867e032b74833f6c3c7d9ed71ce2f485d8872798099b3.exe | 28
PID 1340 set thread context of 1952 | 1340 | RtDCpl64.exe | 37
PID 364 set thread context of 1624 | 364 | RtDCpl64.exe | 46
autoit_exe (5 IoCs)
AutoIT scripts compiled to PE executables.
resource | yara_rule
behavioral1/files/0x000600000001263f-79.dat | autoit_exe
behavioral1/files/0x000600000001263f-80.dat | autoit_exe
behavioral1/files/0x000600000001263f-97.dat | autoit_exe
behavioral1/files/0x000600000001263f-104.dat | autoit_exe
behavioral1/files/0x000600000001263f-119.dat | autoit_exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Creates scheduled task(s) (1 TTPs, 3 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid | Process
624 | schtasks.exe
2036 | schtasks.exe
976 | schtasks.exe
Suspicious use of WriteProcessMemory (64 IoCs)
description | pid | Process | procid_target
PID 1288 wrote to memory of 520 | 1288 | 7d853c8a8bb5ab2080e867e032b74833f6c3c7d9ed71ce2f485d8872798099b3.exe | 27
PID 1288 wrote to memory of 520 | 1288 | 7d853c8a8bb5ab2080e867e032b74833f6c3c7d9ed71ce2f485d8872798099b3.exe | 27
PID 1288 wrote to memory of 520 | 1288 | 7d853c8a8bb5ab2080e867e032b74833f6c3c7d9ed71ce2f485d8872798099b3.exe | 27
PID 1288 wrote to memory of 520 | 1288 | 7d853c8a8bb5ab2080e867e032b74833f6c3c7d9ed71ce2f485d8872798099b3.exe | 27
PID 1288 wrote to memory of 1620 | 1288 | 7d853c8a8bb5ab2080e867e032b74833f6c3c7d9ed71ce2f485d8872798099b3.exe | 28
PID 1288 wrote to memory of 1620 | 1288 | 7d853c8a8bb5ab2080e867e032b74833f6c3c7d9ed71ce2f485d8872798099b3.exe | 28
PID 1288 wrote to memory of 1620 | 1288 | 7d853c8a8bb5ab2080e867e032b74833f6c3c7d9ed71ce2f485d8872798099b3.exe | 28
PID 1288 wrote to memory of 1620 | 1288 | 7d853c8a8bb5ab2080e867e032b74833f6c3c7d9ed71ce2f485d8872798099b3.exe | 28
PID 1288 wrote to memory of 1620 | 1288 | 7d853c8a8bb5ab2080e867e032b74833f6c3c7d9ed71ce2f485d8872798099b3.exe | 28
PID 1288 wrote to memory of 1620 | 1288 | 7d853c8a8bb5ab2080e867e032b74833f6c3c7d9ed71ce2f485d8872798099b3.exe | 28
PID 520 wrote to memory of 820 | 520 | Blasthost.exe | 29
PID 520 wrote to memory of 820 | 520 | Blasthost.exe | 29
PID 520 wrote to memory of 820 | 520 | Blasthost.exe | 29
PID 520 wrote to memory of 820 | 520 | Blasthost.exe | 29
PID 1620 wrote to memory of 1512 | 1620 | 7d853c8a8bb5ab2080e867e032b74833f6c3c7d9ed71ce2f485d8872798099b3.exe | 30
PID 1620 wrote to memory of 1512 | 1620 | 7d853c8a8bb5ab2080e867e032b74833f6c3c7d9ed71ce2f485d8872798099b3.exe | 30
PID 1620 wrote to memory of 1512 | 1620 | 7d853c8a8bb5ab2080e867e032b74833f6c3c7d9ed71ce2f485d8872798099b3.exe | 30
PID 1620 wrote to memory of 1512 | 1620 | 7d853c8a8bb5ab2080e867e032b74833f6c3c7d9ed71ce2f485d8872798099b3.exe | 30
PID 1288 wrote to memory of 624 | 1288 | 7d853c8a8bb5ab2080e867e032b74833f6c3c7d9ed71ce2f485d8872798099b3.exe | 32
PID 1288 wrote to memory of 624 | 1288 | 7d853c8a8bb5ab2080e867e032b74833f6c3c7d9ed71ce2f485d8872798099b3.exe | 32
PID 1288 wrote to memory of 624 | 1288 | 7d853c8a8bb5ab2080e867e032b74833f6c3c7d9ed71ce2f485d8872798099b3.exe | 32
PID 1288 wrote to memory of 624 | 1288 | 7d853c8a8bb5ab2080e867e032b74833f6c3c7d9ed71ce2f485d8872798099b3.exe | 32
PID 1620 wrote to memory of 1512 | 1620 | 7d853c8a8bb5ab2080e867e032b74833f6c3c7d9ed71ce2f485d8872798099b3.exe | 30
PID 1620 wrote to memory of 1512 | 1620 | 7d853c8a8bb5ab2080e867e032b74833f6c3c7d9ed71ce2f485d8872798099b3.exe | 30
PID 968 wrote to memory of 1340 | 968 | taskeng.exe | 35
PID 968 wrote to memory of 1340 | 968 | taskeng.exe | 35
PID 968 wrote to memory of 1340 | 968 | taskeng.exe | 35
PID 968 wrote to memory of 1340 | 968 | taskeng.exe | 35
PID 1340 wrote to memory of 1948 | 1340 | RtDCpl64.exe | 36
PID 1340 wrote to memory of 1948 | 1340 | RtDCpl64.exe | 36
PID 1340 wrote to memory of 1948 | 1340 | RtDCpl64.exe | 36
PID 1340 wrote to memory of 1948 | 1340 | RtDCpl64.exe | 36
PID 1340 wrote to memory of 1952 | 1340 | RtDCpl64.exe | 37
PID 1340 wrote to memory of 1952 | 1340 | RtDCpl64.exe | 37
PID 1340 wrote to memory of 1952 | 1340 | RtDCpl64.exe | 37
PID 1340 wrote to memory of 1952 | 1340 | RtDCpl64.exe | 37
PID 1340 wrote to memory of 1952 | 1340 | RtDCpl64.exe | 37
PID 1340 wrote to memory of 1952 | 1340 | RtDCpl64.exe | 37
PID 1952 wrote to memory of 1772 | 1952 | RtDCpl64.exe | 38
PID 1952 wrote to memory of 1772 | 1952 | RtDCpl64.exe | 38
PID 1952 wrote to memory of 1772 | 1952 | RtDCpl64.exe | 38
PID 1952 wrote to memory of 1772 | 1952 | RtDCpl64.exe | 38
PID 1340 wrote to memory of 2036 | 1340 | RtDCpl64.exe | 40
PID 1340 wrote to memory of 2036 | 1340 | RtDCpl64.exe | 40
PID 1340 wrote to memory of 2036 | 1340 | RtDCpl64.exe | 40
PID 1340 wrote to memory of 2036 | 1340 | RtDCpl64.exe | 40
PID 1952 wrote to memory of 1772 | 1952 | RtDCpl64.exe | 38
PID 1952 wrote to memory of 1772 | 1952 | RtDCpl64.exe | 38
PID 968 wrote to memory of 364 | 968 | taskeng.exe | 44
PID 968 wrote to memory of 364 | 968 | taskeng.exe | 44
PID 968 wrote to memory of 364 | 968 | taskeng.exe | 44
PID 968 wrote to memory of 364 | 968 | taskeng.exe | 44
PID 364 wrote to memory of 1384 | 364 | RtDCpl64.exe | 45
PID 364 wrote to memory of 1384 | 364 | RtDCpl64.exe | 45
PID 364 wrote to memory of 1384 | 364 | RtDCpl64.exe | 45
PID 364 wrote to memory of 1384 | 364 | RtDCpl64.exe | 45
PID 364 wrote to memory of 1624 | 364 | RtDCpl64.exe | 46
PID 364 wrote to memory of 1624 | 364 | RtDCpl64.exe | 46
PID 364 wrote to memory of 1624 | 364 | RtDCpl64.exe | 46
PID 364 wrote to memory of 1624 | 364 | RtDCpl64.exe | 46
PID 364 wrote to memory of 1624 | 364 | RtDCpl64.exe | 46
PID 364 wrote to memory of 1624 | 364 | RtDCpl64.exe | 46
PID 1624 wrote to memory of 1228 | 1624 | RtDCpl64.exe | 47
PID 1624 wrote to memory of 1228 | 1624 | RtDCpl64.exe | 47
Processes
(process tree; indentation shows parent/child relationship, each entry lists image path, command line, tags and PID)

C:\Users\Admin\AppData\Local\Temp\7d853c8a8bb5ab2080e867e032b74833f6c3c7d9ed71ce2f485d8872798099b3.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\7d853c8a8bb5ab2080e867e032b74833f6c3c7d9ed71ce2f485d8872798099b3.exe"
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:1288

  C:\Users\Admin\AppData\Roaming\Blasthost.exe
    command line: "C:\Users\Admin\AppData\Roaming\Blasthost.exe"
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:520

    C:\Users\Admin\AppData\Roaming\Imgburn\Host.exe
      command line: "C:\Users\Admin\AppData\Roaming\Imgburn\Host.exe"
      - Executes dropped EXE
      PID:820

  C:\Users\Admin\AppData\Local\Temp\7d853c8a8bb5ab2080e867e032b74833f6c3c7d9ed71ce2f485d8872798099b3.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\7d853c8a8bb5ab2080e867e032b74833f6c3c7d9ed71ce2f485d8872798099b3.exe"
    - Suspicious use of WriteProcessMemory
    PID:1620

    C:\Windows\SysWOW64\cmd.exe
      command line: "C:\Windows\System32\cmd.exe"
      PID:1512

  C:\Windows\SysWOW64\schtasks.exe
    command line: "C:\Windows\SysWOW64\schtasks.exe" /create /tn raserver /tr "C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe" /sc minute /mo 1 /F
    - Creates scheduled task(s)
    PID:624

C:\Windows\system32\taskeng.exe
  command line: taskeng.exe {DA4A1EC3-7A9F-4684-AEF2-46E96706F06B} S-1-5-21-3846991908-3261386348-1409841751-1000:VQVVOAJK\Admin:Interactive:[1]
  - Suspicious use of WriteProcessMemory
  PID:968

  C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
    command line: C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:1340

    C:\Users\Admin\AppData\Roaming\Blasthost.exe
      command line: "C:\Users\Admin\AppData\Roaming\Blasthost.exe"
      - Executes dropped EXE
      PID:1948

    C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
      command line: "C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe"
      - Executes dropped EXE
      - Suspicious use of WriteProcessMemory
      PID:1952

      C:\Windows\SysWOW64\cmd.exe
        command line: "C:\Windows\System32\cmd.exe"
        PID:1772

    C:\Windows\SysWOW64\schtasks.exe
      command line: "C:\Windows\SysWOW64\schtasks.exe" /create /tn raserver /tr "C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe" /sc minute /mo 1 /F
      - Creates scheduled task(s)
      PID:2036

  C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
    command line: C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:364

    C:\Users\Admin\AppData\Roaming\Blasthost.exe
      command line: "C:\Users\Admin\AppData\Roaming\Blasthost.exe"
      - Executes dropped EXE
      PID:1384

    C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
      command line: "C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe"
      - Executes dropped EXE
      - Suspicious use of WriteProcessMemory
      PID:1624

      C:\Windows\SysWOW64\cmd.exe
        command line: "C:\Windows\System32\cmd.exe"
        PID:1228

    C:\Windows\SysWOW64\schtasks.exe
      command line: "C:\Windows\SysWOW64\schtasks.exe" /create /tn raserver /tr "C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe" /sc minute /mo 1 /F
      - Creates scheduled task(s)
      PID:976