Analysis
max time kernel: 160s
max time network: 131s
platform: windows7_x64
resource: win7-en-20211208
submitted: 17/02/2022, 02:45
Behavioral task: behavioral1
Sample: 5f6fd6b8ae41e46e4a565f30a9c34d3dc1207d5ceeac710105b8aac653b73046.exe
Resource: win7-en-20211208

Behavioral task: behavioral2
Sample: 5f6fd6b8ae41e46e4a565f30a9c34d3dc1207d5ceeac710105b8aac653b73046.exe
Resource: win10v2004-en-20220112
General
Target: 5f6fd6b8ae41e46e4a565f30a9c34d3dc1207d5ceeac710105b8aac653b73046.exe
Size: 1.3MB
MD5: c516283658ab631b3bd24dc68b606811
SHA1: 4bf37a237aa5131c3df0399131f3f166a9bdc722
SHA256: 5f6fd6b8ae41e46e4a565f30a9c34d3dc1207d5ceeac710105b8aac653b73046
SHA512: c96e51232d22fd5b497a10ca2ca54bd011822e16622190253b78d693833ebf258579ade14ec465df63f0718ba48a450a54796bf32f1242e7e9dbb7519b3413bb
Malware Config
Extracted
Family: warzonerat
C2: wealth.warzonedns.com:5202
Signatures

NetWire RAT payload (25 IoCs)
WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
Warzone RAT Payload (4 IoCs)
resource                                                                      yara_rule
behavioral1/memory/1088-67-0x0000000000080000-0x000000000009D000-memory.dmp   warzonerat
behavioral1/memory/1088-75-0x0000000000080000-0x000000000009D000-memory.dmp   warzonerat
behavioral1/memory/568-112-0x00000000000D0000-0x00000000000ED000-memory.dmp   warzonerat
behavioral1/memory/568-122-0x00000000000D0000-0x00000000000ED000-memory.dmp   warzonerat
Executes dropped EXE (8 IoCs)
pid   Process
560   Blasthost.exe
1864  Host.exe
1524  RtDCpl64.exe
1948  Blasthost.exe
1892  RtDCpl64.exe
1188  RtDCpl64.exe
1828  Blasthost.exe
568   RtDCpl64.exe
Loads dropped DLL (13 IoCs)
pid   Process
1384  5f6fd6b8ae41e46e4a565f30a9c34d3dc1207d5ceeac710105b8aac653b73046.exe
1384  5f6fd6b8ae41e46e4a565f30a9c34d3dc1207d5ceeac710105b8aac653b73046.exe
1384  5f6fd6b8ae41e46e4a565f30a9c34d3dc1207d5ceeac710105b8aac653b73046.exe
1384  5f6fd6b8ae41e46e4a565f30a9c34d3dc1207d5ceeac710105b8aac653b73046.exe
560   Blasthost.exe
560   Blasthost.exe
1524  RtDCpl64.exe
1524  RtDCpl64.exe
1524  RtDCpl64.exe
1524  RtDCpl64.exe
1188  RtDCpl64.exe
1188  RtDCpl64.exe
1188  RtDCpl64.exe
Suspicious use of SetThreadContext (3 IoCs)
description                          pid   Process                                                               procid_target
PID 1384 set thread context of 1088  1384  5f6fd6b8ae41e46e4a565f30a9c34d3dc1207d5ceeac710105b8aac653b73046.exe  28
PID 1524 set thread context of 1892  1524  RtDCpl64.exe                                                          37
PID 1188 set thread context of 568   1188  RtDCpl64.exe                                                          46
autoit_exe (5 IoCs)
AutoIT scripts compiled to PE executables.
resource                                    yara_rule
behavioral1/files/0x000600000001263f-79.dat   autoit_exe
behavioral1/files/0x000600000001263f-80.dat   autoit_exe
behavioral1/files/0x000600000001263f-97.dat   autoit_exe
behavioral1/files/0x000600000001263f-104.dat  autoit_exe
behavioral1/files/0x000600000001263f-119.dat  autoit_exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Creates scheduled task(s) (1 TTPs, 3 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid   Process
428   schtasks.exe
1676  schtasks.exe
964   schtasks.exe
Suspicious use of WriteProcessMemory (64 IoCs)
Processes

C:\Users\Admin\AppData\Local\Temp\5f6fd6b8ae41e46e4a565f30a9c34d3dc1207d5ceeac710105b8aac653b73046.exe  (PID 1384)
  command line: "C:\Users\Admin\AppData\Local\Temp\5f6fd6b8ae41e46e4a565f30a9c34d3dc1207d5ceeac710105b8aac653b73046.exe"
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Roaming\Blasthost.exe  (PID 560)
    command line: "C:\Users\Admin\AppData\Roaming\Blasthost.exe"
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Roaming\Imgburn\Host.exe  (PID 1864)
      command line: "C:\Users\Admin\AppData\Roaming\Imgburn\Host.exe"
      - Executes dropped EXE

  C:\Users\Admin\AppData\Local\Temp\5f6fd6b8ae41e46e4a565f30a9c34d3dc1207d5ceeac710105b8aac653b73046.exe  (PID 1088)
    command line: "C:\Users\Admin\AppData\Local\Temp\5f6fd6b8ae41e46e4a565f30a9c34d3dc1207d5ceeac710105b8aac653b73046.exe"
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\cmd.exe  (PID 1584)
      command line: "C:\Windows\System32\cmd.exe"

  C:\Windows\SysWOW64\schtasks.exe  (PID 428)
    command line: "C:\Windows\SysWOW64\schtasks.exe" /create /tn raserver /tr "C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe" /sc minute /mo 1 /F
    - Creates scheduled task(s)

C:\Windows\system32\taskeng.exe  (PID 616)
  command line: taskeng.exe {CF623915-7610-4869-8BDC-8212625D0FCD} S-1-5-21-3846991908-3261386348-1409841751-1000:VQVVOAJK\Admin:Interactive:[1]
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe  (PID 1524)
    command line: C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Roaming\Blasthost.exe  (PID 1948)
      command line: "C:\Users\Admin\AppData\Roaming\Blasthost.exe"
      - Executes dropped EXE

    C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe  (PID 1892)
      command line: "C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe"
      - Executes dropped EXE
      - Suspicious use of WriteProcessMemory

      C:\Windows\SysWOW64\cmd.exe  (PID 2036)
        command line: "C:\Windows\System32\cmd.exe"

    C:\Windows\SysWOW64\schtasks.exe  (PID 1676)
      command line: "C:\Windows\SysWOW64\schtasks.exe" /create /tn raserver /tr "C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe" /sc minute /mo 1 /F
      - Creates scheduled task(s)

  C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe  (PID 1188)
    command line: C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Roaming\Blasthost.exe  (PID 1828)
      command line: "C:\Users\Admin\AppData\Roaming\Blasthost.exe"
      - Executes dropped EXE

    C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe  (PID 568)
      command line: "C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe"
      - Executes dropped EXE

      C:\Windows\SysWOW64\cmd.exe  (PID 860)
        command line: "C:\Windows\System32\cmd.exe"

    C:\Windows\SysWOW64\schtasks.exe  (PID 964)
      command line: "C:\Windows\SysWOW64\schtasks.exe" /create /tn raserver /tr "C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe" /sc minute /mo 1 /F
      - Creates scheduled task(s)