Analysis

max time kernel: 155s
max time network: 136s
platform: windows7_x64
resource: win7-en-20211208
submitted: 17/02/2022, 02:46

Behavioral task: behavioral1
Sample: 5f5bfd261fb8b5be1aa90117fa084b63159968ff0004d737b67cb37b48e5f208.exe
Resource: win7-en-20211208

Behavioral task: behavioral2
Sample: 5f5bfd261fb8b5be1aa90117fa084b63159968ff0004d737b67cb37b48e5f208.exe
Resource: win10v2004-en-20220112
General

Target: 5f5bfd261fb8b5be1aa90117fa084b63159968ff0004d737b67cb37b48e5f208.exe
Size: 1.3MB
MD5: 9b7c60b50abf060b8e2482d82401e9db
SHA1: bd5f1345ff5d15b0fbc7514cce9b4455bdc0bfb9
SHA256: 5f5bfd261fb8b5be1aa90117fa084b63159968ff0004d737b67cb37b48e5f208
SHA512: 06024fbdb67babc0c499ab6dcd8739cd46e20abf62f3bd984293c6569b1d9e01bd32db5e13952fa1fbc59857ed4f596981293f3803456469bba8f61007a55fef
Malware Config

Extracted
Family: warzonerat
C2: wealth.warzonedns.com:5202
Signatures

NetWire RAT payload (31 IoCs)
WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins, sold as malware-as-a-service (MaaS).
Warzone RAT Payload (4 IoCs)
resource | yara_rule
behavioral1/memory/876-67-0x0000000000080000-0x000000000009D000-memory.dmp | warzonerat
behavioral1/memory/876-75-0x0000000000080000-0x000000000009D000-memory.dmp | warzonerat
behavioral1/memory/1656-133-0x0000000000400000-0x000000000041D000-memory.dmp | warzonerat
behavioral1/memory/1656-142-0x0000000000400000-0x000000000041D000-memory.dmp | warzonerat
Executes dropped EXE (11 IoCs)
pid | Process
664 | Blasthost.exe
1740 | Host.exe
1652 | RtDCpl64.exe
1876 | Blasthost.exe
1772 | RtDCpl64.exe
272 | RtDCpl64.exe
828 | Blasthost.exe
1576 | RtDCpl64.exe
1440 | RtDCpl64.exe
688 | Blasthost.exe
1656 | RtDCpl64.exe
Loads dropped DLL (16 IoCs)
pid | Process
1576 | 5f5bfd261fb8b5be1aa90117fa084b63159968ff0004d737b67cb37b48e5f208.exe
1576 | 5f5bfd261fb8b5be1aa90117fa084b63159968ff0004d737b67cb37b48e5f208.exe
1576 | 5f5bfd261fb8b5be1aa90117fa084b63159968ff0004d737b67cb37b48e5f208.exe
1576 | 5f5bfd261fb8b5be1aa90117fa084b63159968ff0004d737b67cb37b48e5f208.exe
664 | Blasthost.exe
664 | Blasthost.exe
1652 | RtDCpl64.exe
1652 | RtDCpl64.exe
1652 | RtDCpl64.exe
1652 | RtDCpl64.exe
272 | RtDCpl64.exe
272 | RtDCpl64.exe
272 | RtDCpl64.exe
1440 | RtDCpl64.exe
1440 | RtDCpl64.exe
1440 | RtDCpl64.exe
Suspicious use of SetThreadContext (4 IoCs)
description | pid | Process | procid_target
PID 1576 set thread context of 876 | 1576 | 5f5bfd261fb8b5be1aa90117fa084b63159968ff0004d737b67cb37b48e5f208.exe | 29
PID 1652 set thread context of 1772 | 1652 | RtDCpl64.exe | 37
PID 272 set thread context of 1576 | 272 | RtDCpl64.exe | 46
PID 1440 set thread context of 1656 | 1440 | RtDCpl64.exe | 53
autoit_exe (7 IoCs)
AutoIT scripts compiled to PE executables.
resource | yara_rule
behavioral1/files/0x000600000001263f-79.dat | autoit_exe
behavioral1/files/0x000600000001263f-80.dat | autoit_exe
behavioral1/files/0x000600000001263f-97.dat | autoit_exe
behavioral1/files/0x000600000001263f-104.dat | autoit_exe
behavioral1/files/0x000600000001263f-119.dat | autoit_exe
behavioral1/files/0x000600000001263f-125.dat | autoit_exe
behavioral1/files/0x000600000001263f-140.dat | autoit_exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Creates scheduled task(s) (1 TTP, 4 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid | Process
1524 | schtasks.exe
1620 | schtasks.exe
1312 | schtasks.exe
1568 | schtasks.exe
Suspicious use of WriteProcessMemory (64 IoCs)
Processes

Process tree (children indented under their parent; depth 1 is a root process):

C:\Users\Admin\AppData\Local\Temp\5f5bfd261fb8b5be1aa90117fa084b63159968ff0004d737b67cb37b48e5f208.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\5f5bfd261fb8b5be1aa90117fa084b63159968ff0004d737b67cb37b48e5f208.exe"
  PID: 1576
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Roaming\Blasthost.exe
      command line: "C:\Users\Admin\AppData\Roaming\Blasthost.exe"
      PID: 664
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious use of WriteProcessMemory
        C:\Users\Admin\AppData\Roaming\Imgburn\Host.exe
          command line: "C:\Users\Admin\AppData\Roaming\Imgburn\Host.exe"
          PID: 1740
          - Executes dropped EXE
    C:\Users\Admin\AppData\Local\Temp\5f5bfd261fb8b5be1aa90117fa084b63159968ff0004d737b67cb37b48e5f208.exe
      command line: "C:\Users\Admin\AppData\Local\Temp\5f5bfd261fb8b5be1aa90117fa084b63159968ff0004d737b67cb37b48e5f208.exe"
      PID: 876
      - Suspicious use of WriteProcessMemory
        C:\Windows\SysWOW64\cmd.exe
          command line: "C:\Windows\System32\cmd.exe"
          PID: 1064
    C:\Windows\SysWOW64\schtasks.exe
      command line: "C:\Windows\SysWOW64\schtasks.exe" /create /tn raserver /tr "C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe" /sc minute /mo 1 /F
      PID: 1620
      - Creates scheduled task(s)

C:\Windows\system32\taskeng.exe
  command line: taskeng.exe {0E78834C-8646-4069-90D0-CFCF80627FF9} S-1-5-21-3846991908-3261386348-1409841751-1000:VQVVOAJK\Admin:Interactive:[1]
  PID: 1988
  - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
      command line: C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
      PID: 1652
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious use of SetThreadContext
      - Suspicious use of WriteProcessMemory
        C:\Users\Admin\AppData\Roaming\Blasthost.exe
          command line: "C:\Users\Admin\AppData\Roaming\Blasthost.exe"
          PID: 1876
          - Executes dropped EXE
        C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
          command line: "C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe"
          PID: 1772
          - Executes dropped EXE
          - Suspicious use of WriteProcessMemory
            C:\Windows\SysWOW64\cmd.exe
              command line: "C:\Windows\System32\cmd.exe"
              PID: 1644
        C:\Windows\SysWOW64\schtasks.exe
          command line: "C:\Windows\SysWOW64\schtasks.exe" /create /tn raserver /tr "C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe" /sc minute /mo 1 /F
          PID: 1312
          - Creates scheduled task(s)
    C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
      command line: C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
      PID: 272
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious use of SetThreadContext
      - Suspicious use of WriteProcessMemory
        C:\Users\Admin\AppData\Roaming\Blasthost.exe
          command line: "C:\Users\Admin\AppData\Roaming\Blasthost.exe"
          PID: 828
          - Executes dropped EXE
        C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
          command line: "C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe"
          PID: 1576
          - Executes dropped EXE
            C:\Windows\SysWOW64\cmd.exe
              command line: "C:\Windows\System32\cmd.exe"
              PID: 1956
        C:\Windows\SysWOW64\schtasks.exe
          command line: "C:\Windows\SysWOW64\schtasks.exe" /create /tn raserver /tr "C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe" /sc minute /mo 1 /F
          PID: 1568
          - Creates scheduled task(s)
    C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
      command line: C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
      PID: 1440
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious use of SetThreadContext
        C:\Users\Admin\AppData\Roaming\Blasthost.exe
          command line: "C:\Users\Admin\AppData\Roaming\Blasthost.exe"
          PID: 688
          - Executes dropped EXE
        C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
          command line: "C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe"
          PID: 1656
          - Executes dropped EXE
            C:\Windows\SysWOW64\cmd.exe
              command line: "C:\Windows\System32\cmd.exe"
              PID: 1928
        C:\Windows\SysWOW64\schtasks.exe
          command line: "C:\Windows\SysWOW64\schtasks.exe" /create /tn raserver /tr "C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe" /sc minute /mo 1 /F
          PID: 1524
          - Creates scheduled task(s)