Analysis
  max time kernel:  153s
  max time network: 128s
  platform:         windows7_x64
  resource:         win7-en-20211208
  submitted:        17/02/2022, 00:16
Behavioral tasks
  behavioral1: 7d7a07f319a3ca6ca2c4c484f1739113b398bb1e986fdb342837c20fc4f1d056.exe on win7-en-20211208
  behavioral2: 7d7a07f319a3ca6ca2c4c484f1739113b398bb1e986fdb342837c20fc4f1d056.exe on win10v2004-en-20220113
  Only the behavioral1 (Windows 7 x64) results are reproduced below.
General
  Target: 7d7a07f319a3ca6ca2c4c484f1739113b398bb1e986fdb342837c20fc4f1d056.exe
  Size:   1.3MB
  MD5:    9d45a405d720493aa873c0ec32653a52
  SHA1:   ffa5183c9f7f82f6a8bc52ca6723603c7d95ecb0
  SHA256: 7d7a07f319a3ca6ca2c4c484f1739113b398bb1e986fdb342837c20fc4f1d056
  SHA512: 19874a921ac13fcd40f9a83831304105c365d949c34f994e6a51b65cb0ced231e2708ed89476759f40d425b87dc8513095814957b4950d2831fdc18bc3a88f71
Malware Config
  Extracted family: warzonerat
  C2:               wealth.warzonedns.com:5202
  warzonedns.com is the dynamic DNS domain associated with the Warzone service, so the subdomain can be re-pointed to a different address at any time; alert on the FQDN and port rather than on a resolved IP. The extracted configuration, not the file-rule labels in the signatures below, is the authoritative family attribution for this sample.
Signatures

NetWire RAT payload (25 IoCs)
  resource (yara_rule = netwire for every row; the number after the resource id is the sandbox's file-event index)
  behavioral1/files/0x0007000000013413-{55,56,57,58,59,71,83,84,85,86,87,105,108,110,109,111}.dat   (16 matches)
  behavioral1/files/0x000600000001393d-{72,73,74,89}.dat                                            (4 matches)
  behavioral1/files/0x0007000000013919-{80,81,98,106,121}.dat                                       (5 matches)
  Three distinct dropped-file resources matched, each at several file events. The netwire label is the name of the file rule only: the memory matches and the extracted configuration identify the running payload as Warzone/AveMaria, and the third resource also matches autoit_exe, so treat this rule hit as unconfirmed rather than as a second family.
WarzoneRat, AveMaria
  WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.

Warzone RAT Payload (4 IoCs)
  resource                                                                      yara_rule
  behavioral1/memory/268-61-0x00000000000D0000-0x00000000000ED000-memory.dmp     warzonerat
  behavioral1/memory/268-70-0x00000000000D0000-0x00000000000ED000-memory.dmp     warzonerat
  behavioral1/memory/1740-91-0x0000000000080000-0x000000000009D000-memory.dmp    warzonerat
  behavioral1/memory/1740-100-0x0000000000080000-0x000000000009D000-memory.dmp   warzonerat
  Both matching regions are 0x1D000 bytes long and sit in PIDs 268 and 1740, which are the SetThreadContext targets listed below. The unpacked Warzone payload was therefore only observed inside the hollowed child processes; none of the dropped files on disk matched the warzonerat rule. No memory match was recorded for PID 432, the third hollowed copy, within the run.
Executes dropped EXE (8 IoCs)
  pid   Process
  952   Blasthost.exe
  852   Host.exe
  1000  RtDCpl64.exe
  1908  Blasthost.exe
  1740  RtDCpl64.exe
  456   RtDCpl64.exe
  924   Blasthost.exe
  432   RtDCpl64.exe
Loads dropped DLL (13 IoCs)
  pid   Process                                                                 entries
  1636  7d7a07f319a3ca6ca2c4c484f1739113b398bb1e986fdb342837c20fc4f1d056.exe   4
  952   Blasthost.exe                                                           2
  1000  RtDCpl64.exe                                                            4
  456   RtDCpl64.exe                                                            3
Suspicious use of SetThreadContext (3 IoCs)
  source pid  source image                                                            target pid  procid_target
  1636        7d7a07f319a3ca6ca2c4c484f1739113b398bb1e986fdb342837c20fc4f1d056.exe   268         28
  1000        RtDCpl64.exe                                                            1740        37
  456         RtDCpl64.exe                                                            432         46
  In all three cases the target is a freshly started second copy of the caller's own image (process tree: 1636 -> 268, 1000 -> 1740, 456 -> 432), and the caller wrote to that child six times before setting its thread context, more than the four writes logged for its ordinary children such as Blasthost.exe. That is the process-hollowing pattern: the loader starts itself again, writes the unpacked payload into the child and redirects the child's thread to it. Consistent with that, the warzonerat memory matches are in 268 and 1740, the hollowed children, not in the loaders.
autoit_exe (5 IoCs)
  AutoIT scripts compiled to PE executables.
  resource                                      yara_rule
  behavioral1/files/0x0007000000013919-80.dat    autoit_exe
  behavioral1/files/0x0007000000013919-81.dat    autoit_exe
  behavioral1/files/0x0007000000013919-98.dat    autoit_exe
  behavioral1/files/0x0007000000013919-106.dat   autoit_exe
  behavioral1/files/0x0007000000013919-121.dat   autoit_exe
  These are exactly the five file events at which resource 0x0007000000013919 also matched the netwire rule, so that dropped file is an AutoIt-compiled executable, which weakens the netwire label on it further: the rule is firing on an AutoIt-compiled loader, not on a native NetWire binary.
Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). The sandbox's stock description calls this "likely ransomware behaviour"; for a RAT it is equally consistent with enumerating drives for file browsing or collection, so on its own it is not evidence of encryption activity.
Creates scheduled task(s) (1 TTPs, 3 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  pid   Process
  336   schtasks.exe
  804   schtasks.exe
  964   schtasks.exe
  All three run the same command (see the process tree): schtasks /create /tn raserver /tr "C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe" /sc minute /mo 1 /F. That is a task with a name borrowed from the Windows Remote Assistance server (raserver.exe) that relaunches the dropped loader from the user's roaming profile every minute and, because of /F, overwrites any existing task of that name. taskeng.exe (PID 1196) starting RtDCpl64.exe twice during the run (PIDs 1000 and 456) shows the task firing, and each firing re-creates the task.
Suspicious use of WriteProcessMemory (64 IoCs)
  Grouped by (source pid -> target pid) in the order the report lists them; "writes" is the number of times the pair appears. sample.exe stands for 7d7a07f319a3ca6ca2c4c484f1739113b398bb1e986fdb342837c20fc4f1d056.exe; procid_target is the sandbox-internal id of the target process.
  source pid  source image    target pid  procid_target  writes
  1636        sample.exe      952         27             4
  1636        sample.exe      268         28             6
  952         Blasthost.exe   852         29             4
  1636        sample.exe      336         30             4
  268         sample.exe      1944        32             6
  1196        taskeng.exe     1000        35             4
  1000        RtDCpl64.exe    1908        36             4
  1000        RtDCpl64.exe    1740        37             6
  1000        RtDCpl64.exe    804         38             4
  1740        RtDCpl64.exe    1068        39             6
  1196        taskeng.exe     456         44             4
  456         RtDCpl64.exe    924         45             4
  456         RtDCpl64.exe    432         46             6
  432         RtDCpl64.exe    540         47             2
  The list stops at 64 entries, so the final pair (432 -> 540) is probably truncated.
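The SetThreadContext and WriteProcessMemory entries above are flattened into single lines, which makes the hollowing chains hard to see. The following Python is an added example (not part of the sandbox report and not a vendor tool) that parses those lines back into events and reports, for every SetThreadContext call, how many writes preceded it and whether the target is a second copy of the caller's own image. The input constants are copied from this report: the complete SetThreadContext line, the "Executes dropped EXE" and "Creates scheduled task(s)" pid lists, and the WriteProcessMemory line rebuilt with string repetition so that each (source, target) pair appears as many times as the report lists it. The "same image plus SetThreadContext equals self-hollowing candidate" heuristic is this example's own.

```python
"""Correlate flattened Triage signature lines into process-injection chains."""
import re
from collections import Counter

SAMPLE = "7d7a07f319a3ca6ca2c4c484f1739113b398bb1e986fdb342837c20fc4f1d056.exe"

# Copied from the report: the full "Suspicious use of SetThreadContext" line.
SET_THREAD_CONTEXT = (
    f"PID 1636 set thread context of 268 1636 {SAMPLE} 28 "
    "PID 1000 set thread context of 1740 1000 RtDCpl64.exe 37 "
    "PID 456 set thread context of 432 456 RtDCpl64.exe 46"
)

# Copied from the report: the 64 WriteProcessMemory entries, each pair repeated
# exactly as often as the report lists it.
WRITE_PROCESS_MEMORY = (
    f"PID 1636 wrote to memory of 952 1636 {SAMPLE} 27 " * 4
    + f"PID 1636 wrote to memory of 268 1636 {SAMPLE} 28 " * 6
    + "PID 952 wrote to memory of 852 952 Blasthost.exe 29 " * 4
    + f"PID 1636 wrote to memory of 336 1636 {SAMPLE} 30 " * 4
    + f"PID 268 wrote to memory of 1944 268 {SAMPLE} 32 " * 6
    + "PID 1196 wrote to memory of 1000 1196 taskeng.exe 35 " * 4
    + "PID 1000 wrote to memory of 1908 1000 RtDCpl64.exe 36 " * 4
    + "PID 1000 wrote to memory of 1740 1000 RtDCpl64.exe 37 " * 6
    + "PID 1000 wrote to memory of 804 1000 RtDCpl64.exe 38 " * 4
    + "PID 1740 wrote to memory of 1068 1740 RtDCpl64.exe 39 " * 6
    + "PID 1196 wrote to memory of 456 1196 taskeng.exe 44 " * 4
    + "PID 456 wrote to memory of 924 456 RtDCpl64.exe 45 " * 4
    + "PID 456 wrote to memory of 432 456 RtDCpl64.exe 46 " * 6
    + "PID 432 wrote to memory of 540 432 RtDCpl64.exe 47 " * 2
)

# Copied from the report: "pid Process" lists of the dropped-EXE and schtasks signatures.
DROPPED_EXE = ("952 Blasthost.exe 852 Host.exe 1000 RtDCpl64.exe 1908 Blasthost.exe "
               "1740 RtDCpl64.exe 456 RtDCpl64.exe 924 Blasthost.exe 432 RtDCpl64.exe")
SCHTASKS = "336 schtasks.exe 804 schtasks.exe 964 schtasks.exe"

# Entry layout: "PID <src> <op> <dst> <src> <src image> <procid_target>"
EVENT_RE = re.compile(
    r"PID (?P<src>\d+) (?P<op>wrote to memory of|set thread context of) "
    r"(?P<dst>\d+) \d+ (?P<image>\S+) \d+"
)
PID_LIST_RE = re.compile(r"(\d+) (\S+)")


def parse_events(text):
    """Return (src_pid, op, dst_pid, src_image) for every entry in a flattened signature line."""
    return [(int(m["src"]), m["op"], int(m["dst"]), m["image"])
            for m in EVENT_RE.finditer(text)]


def pid_images(events, *pid_lists):
    """Map pid -> image name from 'pid Process' lists and from the image each event names
    for its source pid (a process that writes to others reveals its own image)."""
    images = {}
    for text in pid_lists:
        for pid, image in PID_LIST_RE.findall(text):
            images[int(pid)] = image
    for src, _op, _dst, image in events:
        images.setdefault(src, image)
    return images


def injection_chains(stc_text, wpm_text, *pid_lists):
    """One record per SetThreadContext call: number of prior writes to the target and
    whether the target runs the caller's own image (self-hollowing heuristic, an assumption)."""
    events = parse_events(stc_text) + parse_events(wpm_text)
    images = pid_images(events, *pid_lists)
    writes = Counter((s, d) for s, op, d, _ in events if op == "wrote to memory of")
    chains = []
    for src, op, dst, _ in events:
        if op != "set thread context of":
            continue
        chains.append({
            "src": src,
            "dst": dst,
            "image": images.get(src),
            "writes": writes[(src, dst)],
            "self_hollowing": images.get(src) is not None
                              and images.get(src) == images.get(dst),
        })
    return chains


def write_counts(wpm_text):
    """(src, dst) -> number of WriteProcessMemory entries, to compare hollowed targets
    against ordinary child processes."""
    return Counter((s, d) for s, _, d, _ in parse_events(wpm_text))


if __name__ == "__main__":
    for c in injection_chains(SET_THREAD_CONTEXT, WRITE_PROCESS_MEMORY, DROPPED_EXE, SCHTASKS):
        verdict = "self-hollowing candidate" if c["self_hollowing"] else "cross-process injection"
        print(f"{c['src']} -> {c['dst']} ({c['image']}): {c['writes']} writes, {verdict}")
```

Run against this report the script flags all three SetThreadContext calls as self-hollowing candidates with six writes each, while write_counts() shows four writes for plain child creations such as 952 -> 852; the same parser applies unchanged to other Triage reports that use this line format.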
Processes
  Process tree of the behavioral1 run. Indentation is parent/child depth; "cmd:" is the recorded command line, followed by the signatures attributed to that process.

C:\Users\Admin\AppData\Local\Temp\7d7a07f319a3ca6ca2c4c484f1739113b398bb1e986fdb342837c20fc4f1d056.exe  PID 1636
  cmd: "C:\Users\Admin\AppData\Local\Temp\7d7a07f319a3ca6ca2c4c484f1739113b398bb1e986fdb342837c20fc4f1d056.exe"
  Loads dropped DLL; Suspicious use of SetThreadContext; Suspicious use of WriteProcessMemory
  |
  +- C:\Users\Admin\AppData\Roaming\Blasthost.exe  PID 952
  |    cmd: "C:\Users\Admin\AppData\Roaming\Blasthost.exe"
  |    Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
  |    |
  |    +- C:\Users\Admin\AppData\Roaming\Imgburn\Host.exe  PID 852
  |         cmd: "C:\Users\Admin\AppData\Roaming\Imgburn\Host.exe"
  |         Executes dropped EXE
  |
  +- C:\Users\Admin\AppData\Local\Temp\7d7a07f319a3ca6ca2c4c484f1739113b398bb1e986fdb342837c20fc4f1d056.exe  PID 268  (second copy of the sample; SetThreadContext target of PID 1636)
  |    cmd: "C:\Users\Admin\AppData\Local\Temp\7d7a07f319a3ca6ca2c4c484f1739113b398bb1e986fdb342837c20fc4f1d056.exe"
  |    Suspicious use of WriteProcessMemory
  |    |
  |    +- C:\Windows\SysWOW64\cmd.exe  PID 1944
  |         cmd: "C:\Windows\System32\cmd.exe"
  |
  +- C:\Windows\SysWOW64\schtasks.exe  PID 336
       cmd: "C:\Windows\SysWOW64\schtasks.exe" /create /tn raserver /tr "C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe" /sc minute /mo 1 /F
       Creates scheduled task(s)

C:\Windows\system32\taskeng.exe  PID 1196
  cmd: taskeng.exe {DDC434BF-3CFD-4EC6-BB23-EC820E01598B} S-1-5-21-3846991908-3261386348-1409841751-1000:VQVVOAJK\Admin:Interactive:[1]
  Suspicious use of WriteProcessMemory
  |
  +- C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe  PID 1000  (first firing of the "raserver" task)
  |    cmd: C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
  |    Executes dropped EXE; Loads dropped DLL; Suspicious use of SetThreadContext; Suspicious use of WriteProcessMemory
  |    |
  |    +- C:\Users\Admin\AppData\Roaming\Blasthost.exe  PID 1908
  |    |    cmd: "C:\Users\Admin\AppData\Roaming\Blasthost.exe"
  |    |    Executes dropped EXE
  |    |
  |    +- C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe  PID 1740  (SetThreadContext target of PID 1000)
  |    |    cmd: "C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe"
  |    |    Executes dropped EXE; Suspicious use of WriteProcessMemory
  |    |    |
  |    |    +- C:\Windows\SysWOW64\cmd.exe  PID 1068
  |    |         cmd: "C:\Windows\System32\cmd.exe"
  |    |
  |    +- C:\Windows\SysWOW64\schtasks.exe  PID 804
  |         cmd: "C:\Windows\SysWOW64\schtasks.exe" /create /tn raserver /tr "C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe" /sc minute /mo 1 /F
  |         Creates scheduled task(s)
  |
  +- C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe  PID 456  (second firing of the "raserver" task)
       cmd: C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
       Executes dropped EXE; Loads dropped DLL; Suspicious use of SetThreadContext; Suspicious use of WriteProcessMemory
       |
       +- C:\Users\Admin\AppData\Roaming\Blasthost.exe  PID 924
       |    cmd: "C:\Users\Admin\AppData\Roaming\Blasthost.exe"
       |    Executes dropped EXE
       |
       +- C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe  PID 432  (SetThreadContext target of PID 456)
       |    cmd: "C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe"
       |    Executes dropped EXE; Suspicious use of WriteProcessMemory
       |    |
       |    +- C:\Windows\SysWOW64\cmd.exe  PID 540
       |         cmd: "C:\Windows\System32\cmd.exe"
       |
       +- C:\Windows\SysWOW64\schtasks.exe  PID 964
            cmd: "C:\Windows\SysWOW64\schtasks.exe" /create /tn raserver /tr "C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe" /sc minute /mo 1 /F
            Creates scheduled task(s)

  Reading the tree: the submitted sample drops and runs Blasthost.exe (which in turn starts Imgburn\Host.exe), starts a second copy of itself and sets that copy's thread context, and registers the every-minute "raserver" task pointing at the dropped RtDCpl64.exe. Each task firing under taskeng.exe repeats the same sequence: run Blasthost.exe, start and hollow a second RtDCpl64.exe, re-create the task. The cmd.exe children are launched with a System32 command line but run from SysWOW64, i.e. file-system redirection applied because the hollowed parents are 32-bit processes.
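The persistence command line appears three times in the tree above. The following Python is an added example, not part of the sandbox report or of any vendor tool, that parses a schtasks /create command line into its switches, converts the /sc and /mo schedule into a repeat interval, and flags the properties that make this task look like malware persistence. CMDLINE is copied verbatim from the process tree; the scoring rules in assess() (an interval of five minutes or less, an action under a user-writable profile or temp directory, use of /F) and the five-minute threshold are this example's own assumptions.

```python
"""Parse a schtasks /create command line into persistence indicators."""
import re

# Copied verbatim from the process tree in the report above.
CMDLINE = (r'"C:\Windows\SysWOW64\schtasks.exe" /create /tn raserver '
           r'/tr "C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe" /sc minute /mo 1 /F')

# A quoted token keeps everything between the quotes; otherwise split on whitespace.
TOKEN_RE = re.compile(r'"([^"]*)"|(\S+)')
VALUE_SWITCHES = {"/tn", "/tr", "/sc", "/mo", "/st", "/sd", "/ru", "/rp", "/rl", "/xml"}
VERBS = {"/create", "/delete", "/query", "/run", "/end", "/change"}
# Seconds per unit for the /sc schedule types whose /mo modifier is a plain count.
SCHEDULE_UNIT_SECONDS = {"minute": 60, "hourly": 3600, "daily": 86400, "weekly": 7 * 86400}
# Assumption of this example: locations an unprivileged user can write to.
USER_WRITABLE_RE = re.compile(r"\\Users\\[^\\]+\\AppData\\|\\Temp\\|\\Users\\Public\\", re.I)


def tokenize(cmdline):
    """Split a Windows command line on whitespace while honouring double quotes."""
    return [quoted or bare for quoted, bare in TOKEN_RE.findall(cmdline)]


def parse_schtasks(cmdline):
    """Return {'exe', 'verb', 'flags', <switch without slash>: value, ...},
    or None when the command line is not schtasks.exe at all."""
    toks = tokenize(cmdline)
    if not toks or not toks[0].lower().endswith("schtasks.exe"):
        return None
    task = {"exe": toks[0], "verb": None, "flags": set()}
    i = 1
    while i < len(toks):
        t = toks[i].lower()
        if t in VALUE_SWITCHES and i + 1 < len(toks):
            task[t[1:]] = toks[i + 1]
            i += 2
        elif t in VERBS:
            task["verb"] = t[1:]
            i += 1
        else:
            task["flags"].add(t)   # value-less switches such as /F
            i += 1
    return task


def interval_seconds(task):
    """Repeat interval in seconds, or None for event-driven schedules (onlogon, onstart, ...)."""
    unit = SCHEDULE_UNIT_SECONDS.get(task.get("sc", "").lower())
    if unit is None:
        return None
    try:
        return unit * int(task.get("mo", "1"))
    except ValueError:
        return None


def assess(task, max_interval=300):
    """Reasons a /create call looks like malware persistence; empty list means nothing flagged."""
    reasons = []
    if task is None or task.get("verb") != "create":
        return reasons
    interval = interval_seconds(task)
    if interval is not None and interval <= max_interval:
        reasons.append(f"re-runs every {interval}s: a relaunch loop, not a maintenance schedule")
    action = task.get("tr", "")
    if USER_WRITABLE_RE.search(action):
        reasons.append(f"action lives in a user-writable directory: {action}")
    if "/f" in task["flags"]:
        reasons.append("uses /F to silently overwrite any existing task with the same name")
    return reasons


if __name__ == "__main__":
    task = parse_schtasks(CMDLINE)
    print(f"task {task['tn']!r} runs {task['tr']} every {interval_seconds(task)}s")
    for reason in assess(task):
        print(" -", reason)
```

For the command line in this report the parser yields task name raserver, action C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe and a 60-second interval, and assess() returns all three reasons. The same function can be pointed at Sysmon event 1 or Windows Security 4688 command lines whose image is schtasks.exe to hunt for tasks of this shape across a fleet.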