Analysis
max time kernel: 161s
max time network: 173s
platform: windows10-2004_x64
resource: win10v2004-en-20220113
submitted: 17/02/2022, 00:16
Behavioral task behavioral1
Sample: 7d853c8a8bb5ab2080e867e032b74833f6c3c7d9ed71ce2f485d8872798099b3.exe
Resource: win7-en-20211208
Behavioral task behavioral2
Sample: 7d853c8a8bb5ab2080e867e032b74833f6c3c7d9ed71ce2f485d8872798099b3.exe
Resource: win10v2004-en-20220113
General
Target: 7d853c8a8bb5ab2080e867e032b74833f6c3c7d9ed71ce2f485d8872798099b3.exe
Size: 1.3MB
MD5: fa107c336d9a6cde8d1912f45b6bd3c4
SHA1: 22f7718351549e16726ab1467c9b8add7aa112d4
SHA256: 7d853c8a8bb5ab2080e867e032b74833f6c3c7d9ed71ce2f485d8872798099b3
SHA512: e0801ce2d38d0f8eafb68bab530b8a1e37cb3571d19ff11504cb745c81bc23d360c7d14f296e5c1b4e6b360e28ed52cdbd05d298bfc3dff7f1a721e700676298
Malware Config
Extracted
Family: warzonerat
C2: wealth.warzonedns.com:5202
Signatures

NetWire RAT payload 12 IoCs
resource | yara_rule
behavioral2/files/0x000400000001e7ee-130.dat | netwire
behavioral2/files/0x000400000001e7ee-131.dat | netwire
behavioral2/files/0x000500000001e8ba-139.dat | netwire
behavioral2/files/0x000500000001e8ba-141.dat | netwire
behavioral2/files/0x000700000001e8c3-147.dat | netwire
behavioral2/files/0x000700000001e8c3-148.dat | netwire
behavioral2/files/0x000400000001e7ee-149.dat | netwire
behavioral2/files/0x000700000001e8c3-157.dat | netwire
behavioral2/files/0x000400000001e7ee-160.dat | netwire
behavioral2/files/0x000700000001e8c3-161.dat | netwire
behavioral2/files/0x000400000001e7ee-162.dat | netwire
behavioral2/files/0x000700000001e8c3-170.dat | netwire
WarzoneRat, AveMaria
WarzoneRat is a native RAT written in C++, shipped with multiple plugins and sold as malware-as-a-service (MaaS).
Warzone RAT Payload 2 IoCs
resource | yara_rule
behavioral2/memory/2556-133-0x0000000000400000-0x000000000041D000-memory.dmp | warzonerat
behavioral2/memory/2556-142-0x0000000000400000-0x000000000041D000-memory.dmp | warzonerat
Executes dropped EXE 8 IoCs
pid | Process
3680 | Blasthost.exe
3196 | Host.exe
700 | RtDCpl64.exe
1636 | Blasthost.exe
1352 | RtDCpl64.exe
1948 | RtDCpl64.exe
980 | Blasthost.exe
4272 | RtDCpl64.exe
Checks computer location settings 2 TTPs 3 IoCs
Looks up the country code configured in the registry, likely a geofence check.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation | 7d853c8a8bb5ab2080e867e032b74833f6c3c7d9ed71ce2f485d8872798099b3.exe
Key value queried | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation | RtDCpl64.exe
Key value queried | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation | RtDCpl64.exe
Suspicious use of SetThreadContext 3 IoCs
description | pid | Process | procid_target
PID 1300 set thread context of 2556 | 1300 | 7d853c8a8bb5ab2080e867e032b74833f6c3c7d9ed71ce2f485d8872798099b3.exe | 83
PID 700 set thread context of 1352 | 700 | RtDCpl64.exe | 106
PID 1948 set thread context of 4272 | 1948 | RtDCpl64.exe | 118
autoit_exe 5 IoCs
AutoIT scripts compiled to PE executables.
resource | yara_rule
behavioral2/files/0x000700000001e8c3-147.dat | autoit_exe
behavioral2/files/0x000700000001e8c3-148.dat | autoit_exe
behavioral2/files/0x000700000001e8c3-157.dat | autoit_exe
behavioral2/files/0x000700000001e8c3-161.dat | autoit_exe
behavioral2/files/0x000700000001e8c3-170.dat | autoit_exe
Drops file in Windows directory 8 IoCs
description | ioc | Process
File opened for modification | C:\Windows\WindowsUpdate.log | svchost.exe
File opened for modification | C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk | svchost.exe
File opened for modification | C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log | svchost.exe
File opened for modification | C:\Windows\SoftwareDistribution\DataStore\DataStore.edb | svchost.exe
File opened for modification | C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm | svchost.exe
File opened for modification | C:\Windows\SoftwareDistribution\ReportingEvents.log | svchost.exe
File opened for modification | C:\Windows\Logs\CBS\CBS.log | TiWorker.exe
File opened for modification | C:\Windows\WinSxS\pending.xml | TiWorker.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Creates scheduled task(s) 1 TTPs 3 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid | Process
368 | schtasks.exe
3696 | schtasks.exe
3512 | schtasks.exe
Suspicious use of AdjustPrivilegeToken 64 IoCs
description | pid | Process
Token: SeShutdownPrivilege | 3020 | svchost.exe
Token: SeCreatePagefilePrivilege | 3020 | svchost.exe
Token: SeShutdownPrivilege | 3020 | svchost.exe
Token: SeCreatePagefilePrivilege | 3020 | svchost.exe
Token: SeShutdownPrivilege | 3020 | svchost.exe
Token: SeCreatePagefilePrivilege | 3020 | svchost.exe
Token: SeSecurityPrivilege | 3224 | TiWorker.exe
Token: SeRestorePrivilege | 3224 | TiWorker.exe
Token: SeBackupPrivilege | 3224 | TiWorker.exe
Token: SeBackupPrivilege | 3224 | TiWorker.exe
Token: SeRestorePrivilege | 3224 | TiWorker.exe
Token: SeSecurityPrivilege | 3224 | TiWorker.exe
Token: SeBackupPrivilege | 3224 | TiWorker.exe
Token: SeRestorePrivilege | 3224 | TiWorker.exe
Token: SeSecurityPrivilege | 3224 | TiWorker.exe
Token: SeBackupPrivilege | 3224 | TiWorker.exe
Token: SeRestorePrivilege | 3224 | TiWorker.exe
Token: SeSecurityPrivilege | 3224 | TiWorker.exe
Token: SeBackupPrivilege | 3224 | TiWorker.exe
Token: SeRestorePrivilege | 3224 | TiWorker.exe
Token: SeSecurityPrivilege | 3224 | TiWorker.exe
Token: SeBackupPrivilege | 3224 | TiWorker.exe
Token: SeRestorePrivilege | 3224 | TiWorker.exe
Token: SeSecurityPrivilege | 3224 | TiWorker.exe
Token: SeBackupPrivilege | 3224 | TiWorker.exe
Token: SeRestorePrivilege | 3224 | TiWorker.exe
Token: SeSecurityPrivilege | 3224 | TiWorker.exe
Token: SeBackupPrivilege | 3224 | TiWorker.exe
Token: SeRestorePrivilege | 3224 | TiWorker.exe
Token: SeSecurityPrivilege | 3224 | TiWorker.exe
Token: SeBackupPrivilege | 3224 | TiWorker.exe
Token: SeRestorePrivilege | 3224 | TiWorker.exe
Token: SeSecurityPrivilege | 3224 | TiWorker.exe
Token: SeBackupPrivilege | 3224 | TiWorker.exe
Token: SeRestorePrivilege | 3224 | TiWorker.exe
Token: SeSecurityPrivilege | 3224 | TiWorker.exe
Token: SeBackupPrivilege | 3224 | TiWorker.exe
Token: SeRestorePrivilege | 3224 | TiWorker.exe
Token: SeSecurityPrivilege | 3224 | TiWorker.exe
Token: SeBackupPrivilege | 3224 | TiWorker.exe
Token: SeRestorePrivilege | 3224 | TiWorker.exe
Token: SeSecurityPrivilege | 3224 | TiWorker.exe
Token: SeBackupPrivilege | 3224 | TiWorker.exe
Token: SeRestorePrivilege | 3224 | TiWorker.exe
Token: SeSecurityPrivilege | 3224 | TiWorker.exe
Token: SeBackupPrivilege | 3224 | TiWorker.exe
Token: SeRestorePrivilege | 3224 | TiWorker.exe
Token: SeSecurityPrivilege | 3224 | TiWorker.exe
Token: SeBackupPrivilege | 3224 | TiWorker.exe
Token: SeRestorePrivilege | 3224 | TiWorker.exe
Token: SeSecurityPrivilege | 3224 | TiWorker.exe
Token: SeBackupPrivilege | 3224 | TiWorker.exe
Token: SeRestorePrivilege | 3224 | TiWorker.exe
Token: SeSecurityPrivilege | 3224 | TiWorker.exe
Token: SeBackupPrivilege | 3224 | TiWorker.exe
Token: SeRestorePrivilege | 3224 | TiWorker.exe
Token: SeSecurityPrivilege | 3224 | TiWorker.exe
Token: SeBackupPrivilege | 3224 | TiWorker.exe
Token: SeRestorePrivilege | 3224 | TiWorker.exe
Token: SeSecurityPrivilege | 3224 | TiWorker.exe
Token: SeBackupPrivilege | 3224 | TiWorker.exe
Token: SeRestorePrivilege | 3224 | TiWorker.exe
Token: SeSecurityPrivilege | 3224 | TiWorker.exe
Token: SeBackupPrivilege | 3224 | TiWorker.exe
Suspicious use of WriteProcessMemory 51 IoCs
description | pid | Process | procid_target
PID 1300 wrote to memory of 3680 | 1300 | 7d853c8a8bb5ab2080e867e032b74833f6c3c7d9ed71ce2f485d8872798099b3.exe | 81
PID 1300 wrote to memory of 3680 | 1300 | 7d853c8a8bb5ab2080e867e032b74833f6c3c7d9ed71ce2f485d8872798099b3.exe | 81
PID 1300 wrote to memory of 3680 | 1300 | 7d853c8a8bb5ab2080e867e032b74833f6c3c7d9ed71ce2f485d8872798099b3.exe | 81
PID 1300 wrote to memory of 2556 | 1300 | 7d853c8a8bb5ab2080e867e032b74833f6c3c7d9ed71ce2f485d8872798099b3.exe | 83
PID 1300 wrote to memory of 2556 | 1300 | 7d853c8a8bb5ab2080e867e032b74833f6c3c7d9ed71ce2f485d8872798099b3.exe | 83
PID 1300 wrote to memory of 2556 | 1300 | 7d853c8a8bb5ab2080e867e032b74833f6c3c7d9ed71ce2f485d8872798099b3.exe | 83
PID 1300 wrote to memory of 2556 | 1300 | 7d853c8a8bb5ab2080e867e032b74833f6c3c7d9ed71ce2f485d8872798099b3.exe | 83
PID 1300 wrote to memory of 2556 | 1300 | 7d853c8a8bb5ab2080e867e032b74833f6c3c7d9ed71ce2f485d8872798099b3.exe | 83
PID 3680 wrote to memory of 3196 | 3680 | Blasthost.exe | 84
PID 3680 wrote to memory of 3196 | 3680 | Blasthost.exe | 84
PID 3680 wrote to memory of 3196 | 3680 | Blasthost.exe | 84
PID 1300 wrote to memory of 368 | 1300 | 7d853c8a8bb5ab2080e867e032b74833f6c3c7d9ed71ce2f485d8872798099b3.exe | 85
PID 1300 wrote to memory of 368 | 1300 | 7d853c8a8bb5ab2080e867e032b74833f6c3c7d9ed71ce2f485d8872798099b3.exe | 85
PID 1300 wrote to memory of 368 | 1300 | 7d853c8a8bb5ab2080e867e032b74833f6c3c7d9ed71ce2f485d8872798099b3.exe | 85
PID 2556 wrote to memory of 4840 | 2556 | 7d853c8a8bb5ab2080e867e032b74833f6c3c7d9ed71ce2f485d8872798099b3.exe | 87
PID 2556 wrote to memory of 4840 | 2556 | 7d853c8a8bb5ab2080e867e032b74833f6c3c7d9ed71ce2f485d8872798099b3.exe | 87
PID 2556 wrote to memory of 4840 | 2556 | 7d853c8a8bb5ab2080e867e032b74833f6c3c7d9ed71ce2f485d8872798099b3.exe | 87
PID 2556 wrote to memory of 4840 | 2556 | 7d853c8a8bb5ab2080e867e032b74833f6c3c7d9ed71ce2f485d8872798099b3.exe | 87
PID 2556 wrote to memory of 4840 | 2556 | 7d853c8a8bb5ab2080e867e032b74833f6c3c7d9ed71ce2f485d8872798099b3.exe | 87
PID 700 wrote to memory of 1636 | 700 | RtDCpl64.exe | 105
PID 700 wrote to memory of 1636 | 700 | RtDCpl64.exe | 105
PID 700 wrote to memory of 1636 | 700 | RtDCpl64.exe | 105
PID 700 wrote to memory of 1352 | 700 | RtDCpl64.exe | 106
PID 700 wrote to memory of 1352 | 700 | RtDCpl64.exe | 106
PID 700 wrote to memory of 1352 | 700 | RtDCpl64.exe | 106
PID 700 wrote to memory of 1352 | 700 | RtDCpl64.exe | 106
PID 700 wrote to memory of 1352 | 700 | RtDCpl64.exe | 106
PID 1352 wrote to memory of 2772 | 1352 | RtDCpl64.exe | 107
PID 1352 wrote to memory of 2772 | 1352 | RtDCpl64.exe | 107
PID 1352 wrote to memory of 2772 | 1352 | RtDCpl64.exe | 107
PID 700 wrote to memory of 3696 | 700 | RtDCpl64.exe | 109
PID 700 wrote to memory of 3696 | 700 | RtDCpl64.exe | 109
PID 700 wrote to memory of 3696 | 700 | RtDCpl64.exe | 109
PID 1352 wrote to memory of 2772 | 1352 | RtDCpl64.exe | 107
PID 1352 wrote to memory of 2772 | 1352 | RtDCpl64.exe | 107
PID 1948 wrote to memory of 980 | 1948 | RtDCpl64.exe | 117
PID 1948 wrote to memory of 980 | 1948 | RtDCpl64.exe | 117
PID 1948 wrote to memory of 980 | 1948 | RtDCpl64.exe | 117
PID 1948 wrote to memory of 4272 | 1948 | RtDCpl64.exe | 118
PID 1948 wrote to memory of 4272 | 1948 | RtDCpl64.exe | 118
PID 1948 wrote to memory of 4272 | 1948 | RtDCpl64.exe | 118
PID 1948 wrote to memory of 4272 | 1948 | RtDCpl64.exe | 118
PID 1948 wrote to memory of 4272 | 1948 | RtDCpl64.exe | 118
PID 4272 wrote to memory of 2164 | 4272 | RtDCpl64.exe | 119
PID 4272 wrote to memory of 2164 | 4272 | RtDCpl64.exe | 119
PID 4272 wrote to memory of 2164 | 4272 | RtDCpl64.exe | 119
PID 4272 wrote to memory of 2164 | 4272 | RtDCpl64.exe | 119
PID 4272 wrote to memory of 2164 | 4272 | RtDCpl64.exe | 119
PID 1948 wrote to memory of 3512 | 1948 | RtDCpl64.exe | 121
PID 1948 wrote to memory of 3512 | 1948 | RtDCpl64.exe | 121
PID 1948 wrote to memory of 3512 | 1948 | RtDCpl64.exe | 121
Processes
(process tree; each child is indented under its parent, followed by its command line and the signatures it triggered)

C:\Users\Admin\AppData\Local\Temp\7d853c8a8bb5ab2080e867e032b74833f6c3c7d9ed71ce2f485d8872798099b3.exe (PID 1300)
  command line: "C:\Users\Admin\AppData\Local\Temp\7d853c8a8bb5ab2080e867e032b74833f6c3c7d9ed71ce2f485d8872798099b3.exe"
  - Checks computer location settings
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Roaming\Blasthost.exe (PID 3680)
    command line: "C:\Users\Admin\AppData\Roaming\Blasthost.exe"
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Roaming\Imgburn\Host.exe (PID 3196)
      command line: "C:\Users\Admin\AppData\Roaming\Imgburn\Host.exe"
      - Executes dropped EXE
  C:\Users\Admin\AppData\Local\Temp\7d853c8a8bb5ab2080e867e032b74833f6c3c7d9ed71ce2f485d8872798099b3.exe (PID 2556)
    command line: "C:\Users\Admin\AppData\Local\Temp\7d853c8a8bb5ab2080e867e032b74833f6c3c7d9ed71ce2f485d8872798099b3.exe"
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\cmd.exe (PID 4840)
      command line: "C:\Windows\System32\cmd.exe"
  C:\Windows\SysWOW64\schtasks.exe (PID 368)
    command line: "C:\Windows\SysWOW64\schtasks.exe" /create /tn raserver /tr "C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe" /sc minute /mo 1 /F
    - Creates scheduled task(s)

C:\Windows\system32\svchost.exe (PID 3020)
  command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken

C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe (PID 700)
  command line: C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
  - Executes dropped EXE
  - Checks computer location settings
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Roaming\Blasthost.exe (PID 1636)
    command line: "C:\Users\Admin\AppData\Roaming\Blasthost.exe"
    - Executes dropped EXE
  C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe (PID 1352)
    command line: "C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe"
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\cmd.exe (PID 2772)
      command line: "C:\Windows\System32\cmd.exe"
  C:\Windows\SysWOW64\schtasks.exe (PID 3696)
    command line: "C:\Windows\SysWOW64\schtasks.exe" /create /tn raserver /tr "C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe" /sc minute /mo 1 /F
    - Creates scheduled task(s)

C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe (PID 3224)
  command line: C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken

C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe (PID 1948)
  command line: C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
  - Executes dropped EXE
  - Checks computer location settings
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Roaming\Blasthost.exe (PID 980)
    command line: "C:\Users\Admin\AppData\Roaming\Blasthost.exe"
    - Executes dropped EXE
  C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe (PID 4272)
    command line: "C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe"
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\cmd.exe (PID 2164)
      command line: "C:\Windows\System32\cmd.exe"
  C:\Windows\SysWOW64\schtasks.exe (PID 3512)
    command line: "C:\Windows\SysWOW64\schtasks.exe" /create /tn raserver /tr "C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe" /sc minute /mo 1 /F
    - Creates scheduled task(s)