Analysis
max time kernel: 170s
max time network: 175s
platform: windows10-2004_x64
resource: win10v2004-en-20220113
submitted: 17/02/2022, 00:16
Behavioral task behavioral1
Sample: 7d7a07f319a3ca6ca2c4c484f1739113b398bb1e986fdb342837c20fc4f1d056.exe
Resource: win7-en-20211208

Behavioral task behavioral2
Sample: 7d7a07f319a3ca6ca2c4c484f1739113b398bb1e986fdb342837c20fc4f1d056.exe
Resource: win10v2004-en-20220113
General
Target: 7d7a07f319a3ca6ca2c4c484f1739113b398bb1e986fdb342837c20fc4f1d056.exe
Size: 1.3MB
MD5: 9d45a405d720493aa873c0ec32653a52
SHA1: ffa5183c9f7f82f6a8bc52ca6723603c7d95ecb0
SHA256: 7d7a07f319a3ca6ca2c4c484f1739113b398bb1e986fdb342837c20fc4f1d056
SHA512: 19874a921ac13fcd40f9a83831304105c365d949c34f994e6a51b65cb0ced231e2708ed89476759f40d425b87dc8513095814957b4950d2831fdc18bc3a88f71
Malware Config
Extracted family: warzonerat
C2 (host:port): wealth.warzonedns.com:5202
Signatures

NetWire RAT payload (15 IoCs)
resource  yara_rule
behavioral2/files/0x000300000000072f-130.dat  netwire
behavioral2/files/0x000300000000072f-131.dat  netwire
behavioral2/files/0x0004000000016298-132.dat  netwire
behavioral2/files/0x0004000000016298-133.dat  netwire
behavioral2/files/0x000200000001e463-147.dat  netwire
behavioral2/files/0x000200000001e463-148.dat  netwire
behavioral2/files/0x000300000000072f-149.dat  netwire
behavioral2/files/0x000200000001e463-157.dat  netwire
behavioral2/files/0x000300000000072f-160.dat  netwire
behavioral2/files/0x000200000001e463-161.dat  netwire
behavioral2/files/0x000300000000072f-162.dat  netwire
behavioral2/files/0x000200000001e463-170.dat  netwire
behavioral2/files/0x000200000001e463-174.dat  netwire
behavioral2/files/0x000300000000072f-175.dat  netwire
behavioral2/files/0x000200000001e463-183.dat  netwire
WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins, sold as a MaaS.
Warzone RAT Payload (2 IoCs)
resource  yara_rule
behavioral2/memory/4576-135-0x0000000000400000-0x000000000041D000-memory.dmp  warzonerat
behavioral2/memory/4576-142-0x0000000000400000-0x000000000041D000-memory.dmp  warzonerat
Executes dropped EXE (11 IoCs)
pid   Process
3480  Blasthost.exe
4580  Host.exe
1052  RtDCpl64.exe
2224  Blasthost.exe
2528  RtDCpl64.exe
4932  RtDCpl64.exe
4224  Blasthost.exe
2956  RtDCpl64.exe
4104  RtDCpl64.exe
1120  Blasthost.exe
4496  RtDCpl64.exe
Checks computer location settings (2 TTPs, 4 IoCs)
Looks up the country code configured in the registry, likely a geofence.
description        ioc                                                                                                    Process
Key value queried  \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation  7d7a07f319a3ca6ca2c4c484f1739113b398bb1e986fdb342837c20fc4f1d056.exe
Key value queried  \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation  RtDCpl64.exe
Key value queried  \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation  RtDCpl64.exe
Key value queried  \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation  RtDCpl64.exe
Suspicious use of SetThreadContext (4 IoCs)
description                          pid   Process                                                                 procid_target
PID 4884 set thread context of 4576  4884  7d7a07f319a3ca6ca2c4c484f1739113b398bb1e986fdb342837c20fc4f1d056.exe  85
PID 1052 set thread context of 2528  1052  RtDCpl64.exe                                                            103
PID 4932 set thread context of 2956  4932  RtDCpl64.exe                                                            117
PID 4104 set thread context of 4496  4104  RtDCpl64.exe                                                            124
autoit_exe (7 IoCs)
AutoIT scripts compiled to PE executables.
resource  yara_rule
behavioral2/files/0x000200000001e463-147.dat  autoit_exe
behavioral2/files/0x000200000001e463-148.dat  autoit_exe
behavioral2/files/0x000200000001e463-157.dat  autoit_exe
behavioral2/files/0x000200000001e463-161.dat  autoit_exe
behavioral2/files/0x000200000001e463-170.dat  autoit_exe
behavioral2/files/0x000200000001e463-174.dat  autoit_exe
behavioral2/files/0x000200000001e463-183.dat  autoit_exe
Drops file in Windows directory (8 IoCs)
description                   ioc                                                       Process
File opened for modification  C:\Windows\WindowsUpdate.log                              svchost.exe
File opened for modification  C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk    svchost.exe
File opened for modification  C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log    svchost.exe
File opened for modification  C:\Windows\SoftwareDistribution\DataStore\DataStore.edb   svchost.exe
File opened for modification  C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm   svchost.exe
File opened for modification  C:\Windows\SoftwareDistribution\ReportingEvents.log       svchost.exe
File opened for modification  C:\Windows\Logs\CBS\CBS.log                               TiWorker.exe
File opened for modification  C:\Windows\WinSxS\pending.xml                             TiWorker.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Creates scheduled task(s) (1 TTP, 4 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid   Process
4788  schtasks.exe
1824  schtasks.exe
2652  schtasks.exe
3864  schtasks.exe
Suspicious use of AdjustPrivilegeToken (64 IoCs)
Suspicious use of WriteProcessMemory (64 IoCs)
Processes (indentation shows parent/child depth in the process tree)

C:\Users\Admin\AppData\Local\Temp\7d7a07f319a3ca6ca2c4c484f1739113b398bb1e986fdb342837c20fc4f1d056.exe  (PID 4884)
  cmdline: "C:\Users\Admin\AppData\Local\Temp\7d7a07f319a3ca6ca2c4c484f1739113b398bb1e986fdb342837c20fc4f1d056.exe"
  - Checks computer location settings
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Roaming\Blasthost.exe  (PID 3480)
      cmdline: "C:\Users\Admin\AppData\Roaming\Blasthost.exe"
      - Executes dropped EXE
      - Suspicious use of WriteProcessMemory
        C:\Users\Admin\AppData\Roaming\Imgburn\Host.exe  (PID 4580)
          cmdline: "C:\Users\Admin\AppData\Roaming\Imgburn\Host.exe"
          - Executes dropped EXE
    C:\Users\Admin\AppData\Local\Temp\7d7a07f319a3ca6ca2c4c484f1739113b398bb1e986fdb342837c20fc4f1d056.exe  (PID 4576)
      cmdline: "C:\Users\Admin\AppData\Local\Temp\7d7a07f319a3ca6ca2c4c484f1739113b398bb1e986fdb342837c20fc4f1d056.exe"
      - Suspicious use of WriteProcessMemory
        C:\Windows\SysWOW64\cmd.exe  (PID 4820)
          cmdline: "C:\Windows\System32\cmd.exe"
    C:\Windows\SysWOW64\schtasks.exe  (PID 4788)
      cmdline: "C:\Windows\SysWOW64\schtasks.exe" /create /tn raserver /tr "C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe" /sc minute /mo 1 /F
      - Creates scheduled task(s)

C:\Windows\system32\svchost.exe  (PID 4916)
  cmdline: C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken

C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe  (PID 1052)
  cmdline: C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
  - Executes dropped EXE
  - Checks computer location settings
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Roaming\Blasthost.exe  (PID 2224)
      cmdline: "C:\Users\Admin\AppData\Roaming\Blasthost.exe"
      - Executes dropped EXE
    C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe  (PID 2528)
      cmdline: "C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe"
      - Executes dropped EXE
      - Suspicious use of WriteProcessMemory
        C:\Windows\SysWOW64\cmd.exe  (PID 3108)
          cmdline: "C:\Windows\System32\cmd.exe"
    C:\Windows\SysWOW64\schtasks.exe  (PID 1824)
      cmdline: "C:\Windows\SysWOW64\schtasks.exe" /create /tn raserver /tr "C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe" /sc minute /mo 1 /F
      - Creates scheduled task(s)

C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe  (PID 4060)
  cmdline: C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken

C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe  (PID 4932)
  cmdline: C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
  - Executes dropped EXE
  - Checks computer location settings
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Roaming\Blasthost.exe  (PID 4224)
      cmdline: "C:\Users\Admin\AppData\Roaming\Blasthost.exe"
      - Executes dropped EXE
    C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe  (PID 2956)
      cmdline: "C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe"
      - Executes dropped EXE
      - Suspicious use of WriteProcessMemory
        C:\Windows\SysWOW64\cmd.exe  (PID 3772)
          cmdline: "C:\Windows\System32\cmd.exe"
    C:\Windows\SysWOW64\schtasks.exe  (PID 2652)
      cmdline: "C:\Windows\SysWOW64\schtasks.exe" /create /tn raserver /tr "C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe" /sc minute /mo 1 /F
      - Creates scheduled task(s)

C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe  (PID 4104)
  cmdline: C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
  - Executes dropped EXE
  - Checks computer location settings
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Roaming\Blasthost.exe  (PID 1120)
      cmdline: "C:\Users\Admin\AppData\Roaming\Blasthost.exe"
      - Executes dropped EXE
    C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe  (PID 4496)
      cmdline: "C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe"
      - Executes dropped EXE
      - Suspicious use of WriteProcessMemory
        C:\Windows\SysWOW64\cmd.exe  (PID 2184)
          cmdline: "C:\Windows\System32\cmd.exe"
    C:\Windows\SysWOW64\schtasks.exe  (PID 3864)
      cmdline: "C:\Windows\SysWOW64\schtasks.exe" /create /tn raserver /tr "C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe" /sc minute /mo 1 /F
      - Creates scheduled task(s)