Analysis
max time kernel: 163s
max time network: 168s
platform: windows10-2004_x64
resource: win10v2004-en-20220113
submitted: 17/02/2022, 02:46
Behavioral task: behavioral1
  Sample: 5f51066d76383c9127a2c188177a8da845679ec60ffdc38fe9f8f116e40e4aea.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 5f51066d76383c9127a2c188177a8da845679ec60ffdc38fe9f8f116e40e4aea.exe
  Resource: win10v2004-en-20220113
General
Target: 5f51066d76383c9127a2c188177a8da845679ec60ffdc38fe9f8f116e40e4aea.exe
Size: 1.3MB
MD5: fff796bd5d04916872fe40de84ea0036
SHA1: 3b53f142f7bc96dd556e49ae3a8aecae81257c8a
SHA256: 5f51066d76383c9127a2c188177a8da845679ec60ffdc38fe9f8f116e40e4aea
SHA512: 7fcbcfee6235bd635faac91906c31f1a3d949743944aa06d8a4d1c64881cb73fcfdab1821f67dd9bd621d81ce913ffbfaea5874eb694d897937f78dc0e6fe87d
Malware Config
Extracted
Family: warzonerat
C2: wealth.warzonedns.com:5202
Signatures

NetWire RAT payload (15 IoCs)
resource                                       yara_rule
behavioral2/files/0x000400000001e7bf-130.dat   netwire
behavioral2/files/0x000400000001e7bf-131.dat   netwire
behavioral2/files/0x000500000001e7c6-133.dat   netwire
behavioral2/files/0x000500000001e7c6-134.dat   netwire
behavioral2/files/0x000400000001e7c8-147.dat   netwire
behavioral2/files/0x000400000001e7c8-148.dat   netwire
behavioral2/files/0x000400000001e7bf-149.dat   netwire
behavioral2/files/0x000400000001e7c8-157.dat   netwire
behavioral2/files/0x000400000001e7bf-161.dat   netwire
behavioral2/files/0x000400000001e7c8-162.dat   netwire
behavioral2/files/0x000400000001e7bf-163.dat   netwire
behavioral2/files/0x000400000001e7c8-171.dat   netwire
behavioral2/files/0x000400000001e7c8-175.dat   netwire
behavioral2/files/0x000400000001e7bf-176.dat   netwire
behavioral2/files/0x000400000001e7c8-184.dat   netwire
WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.

Warzone RAT Payload (2 IoCs)
resource                                                                         yara_rule
behavioral2/memory/1068-135-0x0000000000400000-0x000000000041D000-memory.dmp     warzonerat
behavioral2/memory/1068-142-0x0000000000400000-0x000000000041D000-memory.dmp     warzonerat
Executes dropped EXE (11 IoCs)
pid    Process
3368   Blasthost.exe
4468   Host.exe
4788   RtDCpl64.exe
1344   Blasthost.exe
3984   RtDCpl64.exe
4776   RtDCpl64.exe
4356   Blasthost.exe
988    RtDCpl64.exe
3880   RtDCpl64.exe
4408   Blasthost.exe
4352   RtDCpl64.exe
Checks computer location settings (2 TTPs, 4 IoCs)
Looks up country code configured in the registry, likely geofence.
description        ioc                                                                                                   Process
Key value queried  \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation  5f51066d76383c9127a2c188177a8da845679ec60ffdc38fe9f8f116e40e4aea.exe
Key value queried  \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation  RtDCpl64.exe
Key value queried  \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation  RtDCpl64.exe
Key value queried  \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation  RtDCpl64.exe
Suspicious use of SetThreadContext (4 IoCs)
description                           pid    Process                                                                 procid_target
PID 3484 set thread context of 1068   3484   5f51066d76383c9127a2c188177a8da845679ec60ffdc38fe9f8f116e40e4aea.exe   83
PID 4788 set thread context of 3984   4788   RtDCpl64.exe                                                            101
PID 4776 set thread context of 988    4776   RtDCpl64.exe                                                            116
PID 3880 set thread context of 4352   3880   RtDCpl64.exe                                                            126
autoit_exe (7 IoCs)
AutoIT scripts compiled to PE executables.
resource                                       yara_rule
behavioral2/files/0x000400000001e7c8-147.dat   autoit_exe
behavioral2/files/0x000400000001e7c8-148.dat   autoit_exe
behavioral2/files/0x000400000001e7c8-157.dat   autoit_exe
behavioral2/files/0x000400000001e7c8-162.dat   autoit_exe
behavioral2/files/0x000400000001e7c8-171.dat   autoit_exe
behavioral2/files/0x000400000001e7c8-175.dat   autoit_exe
behavioral2/files/0x000400000001e7c8-184.dat   autoit_exe
Drops file in Windows directory (8 IoCs)
description                   ioc                                                          Process
File opened for modification  C:\Windows\WinSxS\pending.xml                                TiWorker.exe
File opened for modification  C:\Windows\WindowsUpdate.log                                 svchost.exe
File opened for modification  C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk       svchost.exe
File opened for modification  C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log       svchost.exe
File opened for modification  C:\Windows\SoftwareDistribution\DataStore\DataStore.edb      svchost.exe
File opened for modification  C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm      svchost.exe
File opened for modification  C:\Windows\SoftwareDistribution\ReportingEvents.log          svchost.exe
File opened for modification  C:\Windows\Logs\CBS\CBS.log                                  TiWorker.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Creates scheduled task(s) (1 TTPs, 4 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid    Process
4048   schtasks.exe
752    schtasks.exe
1496   schtasks.exe
3884   schtasks.exe
Suspicious use of AdjustPrivilegeToken (64 IoCs)
description                          pid    Process
Token: SeShutdownPrivilege           3624   svchost.exe
Token: SeCreatePagefilePrivilege     3624   svchost.exe
Token: SeShutdownPrivilege           3624   svchost.exe
Token: SeCreatePagefilePrivilege     3624   svchost.exe
Token: SeShutdownPrivilege           3624   svchost.exe
Token: SeCreatePagefilePrivilege     3624   svchost.exe
Token: SeSecurityPrivilege           1712   TiWorker.exe
Token: SeRestorePrivilege            1712   TiWorker.exe
Token: SeBackupPrivilege             1712   TiWorker.exe
Token: SeBackupPrivilege             1712   TiWorker.exe
Token: SeRestorePrivilege            1712   TiWorker.exe
Token: SeSecurityPrivilege           1712   TiWorker.exe
Token: SeBackupPrivilege             1712   TiWorker.exe
Token: SeRestorePrivilege            1712   TiWorker.exe
Token: SeSecurityPrivilege           1712   TiWorker.exe
Token: SeBackupPrivilege             1712   TiWorker.exe
Token: SeRestorePrivilege            1712   TiWorker.exe
Token: SeSecurityPrivilege           1712   TiWorker.exe
Token: SeBackupPrivilege             1712   TiWorker.exe
Token: SeRestorePrivilege            1712   TiWorker.exe
Token: SeSecurityPrivilege           1712   TiWorker.exe
Token: SeBackupPrivilege             1712   TiWorker.exe
Token: SeRestorePrivilege            1712   TiWorker.exe
Token: SeSecurityPrivilege           1712   TiWorker.exe
Token: SeBackupPrivilege             1712   TiWorker.exe
Token: SeRestorePrivilege            1712   TiWorker.exe
Token: SeSecurityPrivilege           1712   TiWorker.exe
Token: SeBackupPrivilege             1712   TiWorker.exe
Token: SeRestorePrivilege            1712   TiWorker.exe
Token: SeSecurityPrivilege           1712   TiWorker.exe
Token: SeBackupPrivilege             1712   TiWorker.exe
Token: SeRestorePrivilege            1712   TiWorker.exe
Token: SeSecurityPrivilege           1712   TiWorker.exe
Token: SeBackupPrivilege             1712   TiWorker.exe
Token: SeRestorePrivilege            1712   TiWorker.exe
Token: SeSecurityPrivilege           1712   TiWorker.exe
Token: SeBackupPrivilege             1712   TiWorker.exe
Token: SeRestorePrivilege            1712   TiWorker.exe
Token: SeSecurityPrivilege           1712   TiWorker.exe
Token: SeBackupPrivilege             1712   TiWorker.exe
Token: SeRestorePrivilege            1712   TiWorker.exe
Token: SeSecurityPrivilege           1712   TiWorker.exe
Token: SeBackupPrivilege             1712   TiWorker.exe
Token: SeRestorePrivilege            1712   TiWorker.exe
Token: SeSecurityPrivilege           1712   TiWorker.exe
Token: SeBackupPrivilege             1712   TiWorker.exe
Token: SeRestorePrivilege            1712   TiWorker.exe
Token: SeSecurityPrivilege           1712   TiWorker.exe
Token: SeBackupPrivilege             1712   TiWorker.exe
Token: SeRestorePrivilege            1712   TiWorker.exe
Token: SeSecurityPrivilege           1712   TiWorker.exe
Token: SeBackupPrivilege             1712   TiWorker.exe
Token: SeRestorePrivilege            1712   TiWorker.exe
Token: SeSecurityPrivilege           1712   TiWorker.exe
Token: SeBackupPrivilege             1712   TiWorker.exe
Token: SeRestorePrivilege            1712   TiWorker.exe
Token: SeSecurityPrivilege           1712   TiWorker.exe
Token: SeBackupPrivilege             1712   TiWorker.exe
Token: SeRestorePrivilege            1712   TiWorker.exe
Token: SeSecurityPrivilege           1712   TiWorker.exe
Token: SeBackupPrivilege             1712   TiWorker.exe
Token: SeRestorePrivilege            1712   TiWorker.exe
Token: SeSecurityPrivilege           1712   TiWorker.exe
Token: SeBackupPrivilege             1712   TiWorker.exe
Suspicious use of WriteProcessMemory (64 IoCs)
description                        pid    Process                                                                 procid_target
PID 3484 wrote to memory of 3368   3484   5f51066d76383c9127a2c188177a8da845679ec60ffdc38fe9f8f116e40e4aea.exe   81
PID 3484 wrote to memory of 3368   3484   5f51066d76383c9127a2c188177a8da845679ec60ffdc38fe9f8f116e40e4aea.exe   81
PID 3484 wrote to memory of 3368   3484   5f51066d76383c9127a2c188177a8da845679ec60ffdc38fe9f8f116e40e4aea.exe   81
PID 3484 wrote to memory of 1068   3484   5f51066d76383c9127a2c188177a8da845679ec60ffdc38fe9f8f116e40e4aea.exe   83
PID 3484 wrote to memory of 1068   3484   5f51066d76383c9127a2c188177a8da845679ec60ffdc38fe9f8f116e40e4aea.exe   83
PID 3484 wrote to memory of 1068   3484   5f51066d76383c9127a2c188177a8da845679ec60ffdc38fe9f8f116e40e4aea.exe   83
PID 3368 wrote to memory of 4468   3368   Blasthost.exe                                                           84
PID 3368 wrote to memory of 4468   3368   Blasthost.exe                                                           84
PID 3368 wrote to memory of 4468   3368   Blasthost.exe                                                           84
PID 3484 wrote to memory of 1068   3484   5f51066d76383c9127a2c188177a8da845679ec60ffdc38fe9f8f116e40e4aea.exe   83
PID 3484 wrote to memory of 1068   3484   5f51066d76383c9127a2c188177a8da845679ec60ffdc38fe9f8f116e40e4aea.exe   83
PID 3484 wrote to memory of 1496   3484   5f51066d76383c9127a2c188177a8da845679ec60ffdc38fe9f8f116e40e4aea.exe   86
PID 3484 wrote to memory of 1496   3484   5f51066d76383c9127a2c188177a8da845679ec60ffdc38fe9f8f116e40e4aea.exe   86
PID 3484 wrote to memory of 1496   3484   5f51066d76383c9127a2c188177a8da845679ec60ffdc38fe9f8f116e40e4aea.exe   86
PID 1068 wrote to memory of 4064   1068   5f51066d76383c9127a2c188177a8da845679ec60ffdc38fe9f8f116e40e4aea.exe   88
PID 1068 wrote to memory of 4064   1068   5f51066d76383c9127a2c188177a8da845679ec60ffdc38fe9f8f116e40e4aea.exe   88
PID 1068 wrote to memory of 4064   1068   5f51066d76383c9127a2c188177a8da845679ec60ffdc38fe9f8f116e40e4aea.exe   88
PID 1068 wrote to memory of 4064   1068   5f51066d76383c9127a2c188177a8da845679ec60ffdc38fe9f8f116e40e4aea.exe   88
PID 1068 wrote to memory of 4064   1068   5f51066d76383c9127a2c188177a8da845679ec60ffdc38fe9f8f116e40e4aea.exe   88
PID 4788 wrote to memory of 1344   4788   RtDCpl64.exe                                                            100
PID 4788 wrote to memory of 1344   4788   RtDCpl64.exe                                                            100
PID 4788 wrote to memory of 1344   4788   RtDCpl64.exe                                                            100
PID 4788 wrote to memory of 3984   4788   RtDCpl64.exe                                                            101
PID 4788 wrote to memory of 3984   4788   RtDCpl64.exe                                                            101
PID 4788 wrote to memory of 3984   4788   RtDCpl64.exe                                                            101
PID 4788 wrote to memory of 3984   4788   RtDCpl64.exe                                                            101
PID 4788 wrote to memory of 3984   4788   RtDCpl64.exe                                                            101
PID 3984 wrote to memory of 3092   3984   RtDCpl64.exe                                                            102
PID 3984 wrote to memory of 3092   3984   RtDCpl64.exe                                                            102
PID 3984 wrote to memory of 3092   3984   RtDCpl64.exe                                                            102
PID 4788 wrote to memory of 3884   4788   RtDCpl64.exe                                                            104
PID 4788 wrote to memory of 3884   4788   RtDCpl64.exe                                                            104
PID 4788 wrote to memory of 3884   4788   RtDCpl64.exe                                                            104
PID 3984 wrote to memory of 3092   3984   RtDCpl64.exe                                                            102
PID 3984 wrote to memory of 3092   3984   RtDCpl64.exe                                                            102
PID 4776 wrote to memory of 4356   4776   RtDCpl64.exe                                                            115
PID 4776 wrote to memory of 4356   4776   RtDCpl64.exe                                                            115
PID 4776 wrote to memory of 4356   4776   RtDCpl64.exe                                                            115
PID 4776 wrote to memory of 988    4776   RtDCpl64.exe                                                            116
PID 4776 wrote to memory of 988    4776   RtDCpl64.exe                                                            116
PID 4776 wrote to memory of 988    4776   RtDCpl64.exe                                                            116
PID 4776 wrote to memory of 988    4776   RtDCpl64.exe                                                            116
PID 4776 wrote to memory of 988    4776   RtDCpl64.exe                                                            116
PID 988 wrote to memory of 4884    988    RtDCpl64.exe                                                            117
PID 988 wrote to memory of 4884    988    RtDCpl64.exe                                                            117
PID 988 wrote to memory of 4884    988    RtDCpl64.exe                                                            117
PID 4776 wrote to memory of 4048   4776   RtDCpl64.exe                                                            118
PID 4776 wrote to memory of 4048   4776   RtDCpl64.exe                                                            118
PID 4776 wrote to memory of 4048   4776   RtDCpl64.exe                                                            118
PID 988 wrote to memory of 4884    988    RtDCpl64.exe                                                            117
PID 988 wrote to memory of 4884    988    RtDCpl64.exe                                                            117
PID 3880 wrote to memory of 4408   3880   RtDCpl64.exe                                                            125
PID 3880 wrote to memory of 4408   3880   RtDCpl64.exe                                                            125
PID 3880 wrote to memory of 4408   3880   RtDCpl64.exe                                                            125
PID 3880 wrote to memory of 4352   3880   RtDCpl64.exe                                                            126
PID 3880 wrote to memory of 4352   3880   RtDCpl64.exe                                                            126
PID 3880 wrote to memory of 4352   3880   RtDCpl64.exe                                                            126
PID 3880 wrote to memory of 4352   3880   RtDCpl64.exe                                                            126
PID 3880 wrote to memory of 4352   3880   RtDCpl64.exe                                                            126
PID 4352 wrote to memory of 1952   4352   RtDCpl64.exe                                                            127
PID 4352 wrote to memory of 1952   4352   RtDCpl64.exe                                                            127
PID 4352 wrote to memory of 1952   4352   RtDCpl64.exe                                                            127
PID 3880 wrote to memory of 752    3880   RtDCpl64.exe                                                            129
PID 3880 wrote to memory of 752    3880   RtDCpl64.exe                                                            129
Processes
(Process tree; indentation shows parent/child depth. Each entry lists the image path, the command line, the signatures matched by that process, and its PID.)

C:\Users\Admin\AppData\Local\Temp\5f51066d76383c9127a2c188177a8da845679ec60ffdc38fe9f8f116e40e4aea.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\5f51066d76383c9127a2c188177a8da845679ec60ffdc38fe9f8f116e40e4aea.exe"
    - Checks computer location settings
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID: 3484

    C:\Users\Admin\AppData\Roaming\Blasthost.exe
        Command line: "C:\Users\Admin\AppData\Roaming\Blasthost.exe"
        - Executes dropped EXE
        - Suspicious use of WriteProcessMemory
        PID: 3368

        C:\Users\Admin\AppData\Roaming\Imgburn\Host.exe
            Command line: "C:\Users\Admin\AppData\Roaming\Imgburn\Host.exe"
            - Executes dropped EXE
            PID: 4468

    C:\Users\Admin\AppData\Local\Temp\5f51066d76383c9127a2c188177a8da845679ec60ffdc38fe9f8f116e40e4aea.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\5f51066d76383c9127a2c188177a8da845679ec60ffdc38fe9f8f116e40e4aea.exe"
        - Suspicious use of WriteProcessMemory
        PID: 1068

        C:\Windows\SysWOW64\cmd.exe
            Command line: "C:\Windows\System32\cmd.exe"
            PID: 4064

    C:\Windows\SysWOW64\schtasks.exe
        Command line: "C:\Windows\SysWOW64\schtasks.exe" /create /tn raserver /tr "C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe" /sc minute /mo 1 /F
        - Creates scheduled task(s)
        PID: 1496

C:\Windows\system32\svchost.exe
    Command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    PID: 3624

C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
    Command line: C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
    - Executes dropped EXE
    - Checks computer location settings
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID: 4788

    C:\Users\Admin\AppData\Roaming\Blasthost.exe
        Command line: "C:\Users\Admin\AppData\Roaming\Blasthost.exe"
        - Executes dropped EXE
        PID: 1344

    C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
        Command line: "C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe"
        - Executes dropped EXE
        - Suspicious use of WriteProcessMemory
        PID: 3984

        C:\Windows\SysWOW64\cmd.exe
            Command line: "C:\Windows\System32\cmd.exe"
            PID: 3092

    C:\Windows\SysWOW64\schtasks.exe
        Command line: "C:\Windows\SysWOW64\schtasks.exe" /create /tn raserver /tr "C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe" /sc minute /mo 1 /F
        - Creates scheduled task(s)
        PID: 3884

C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
    Command line: C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    PID: 1712

C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
    Command line: C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
    - Executes dropped EXE
    - Checks computer location settings
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID: 4776

    C:\Users\Admin\AppData\Roaming\Blasthost.exe
        Command line: "C:\Users\Admin\AppData\Roaming\Blasthost.exe"
        - Executes dropped EXE
        PID: 4356

    C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
        Command line: "C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe"
        - Executes dropped EXE
        - Suspicious use of WriteProcessMemory
        PID: 988

        C:\Windows\SysWOW64\cmd.exe
            Command line: "C:\Windows\System32\cmd.exe"
            PID: 4884

    C:\Windows\SysWOW64\schtasks.exe
        Command line: "C:\Windows\SysWOW64\schtasks.exe" /create /tn raserver /tr "C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe" /sc minute /mo 1 /F
        - Creates scheduled task(s)
        PID: 4048

C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
    Command line: C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
    - Executes dropped EXE
    - Checks computer location settings
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID: 3880

    C:\Users\Admin\AppData\Roaming\Blasthost.exe
        Command line: "C:\Users\Admin\AppData\Roaming\Blasthost.exe"
        - Executes dropped EXE
        PID: 4408

    C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
        Command line: "C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe"
        - Executes dropped EXE
        - Suspicious use of WriteProcessMemory
        PID: 4352

        C:\Windows\SysWOW64\cmd.exe
            Command line: "C:\Windows\System32\cmd.exe"
            PID: 1952

    C:\Windows\SysWOW64\schtasks.exe
        Command line: "C:\Windows\SysWOW64\schtasks.exe" /create /tn raserver /tr "C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe" /sc minute /mo 1 /F
        - Creates scheduled task(s)
        PID: 752