Analysis
max time kernel: 158s
max time network: 139s
platform: windows7_x64
resource: win7-en-20211208
submitted: 17/02/2022, 02:47
Behavioral task: behavioral1
Sample: 5f4c62213de41ddb6e12a7cdc8027d08efe62a7861713ced24eeb37a2bc3879d.exe
Resource: win7-en-20211208

Behavioral task: behavioral2
Sample: 5f4c62213de41ddb6e12a7cdc8027d08efe62a7861713ced24eeb37a2bc3879d.exe
Resource: win10v2004-en-20220113
General
Target: 5f4c62213de41ddb6e12a7cdc8027d08efe62a7861713ced24eeb37a2bc3879d.exe
Size: 1.3MB
MD5: 7c3278d2f3fd0e64b11c58d092c42ea6
SHA1: 5accd7b5987e3e938bf945a18b6f74f2171facc0
SHA256: 5f4c62213de41ddb6e12a7cdc8027d08efe62a7861713ced24eeb37a2bc3879d
SHA512: fd9d220a78b789049697fff553a65e07d9e6ac340277b03dbb05ef6e48cbe28e8553f6e18dac34fafe07de67612bdf56863a8bca362591bcbee3735232190499
Malware Config
Extracted
warzonerat
wealth.warzonedns.com:5202
Signatures

NetWire RAT payload (25 IoCs)
resource | yara_rule
behavioral1/files/0x000700000001321e-55.dat | netwire
behavioral1/files/0x000700000001321e-56.dat | netwire
behavioral1/files/0x000700000001321e-58.dat | netwire
behavioral1/files/0x000700000001321e-57.dat | netwire
behavioral1/files/0x000700000001321e-59.dat | netwire
behavioral1/files/0x000700000001321e-61.dat | netwire
behavioral1/files/0x0006000000013327-62.dat | netwire
behavioral1/files/0x0006000000013327-63.dat | netwire
behavioral1/files/0x0006000000013327-64.dat | netwire
behavioral1/files/0x00060000000133c1-80.dat | netwire
behavioral1/files/0x00060000000133c1-81.dat | netwire
behavioral1/files/0x000700000001321e-83.dat | netwire
behavioral1/files/0x000700000001321e-84.dat | netwire
behavioral1/files/0x000700000001321e-85.dat | netwire
behavioral1/files/0x000700000001321e-86.dat | netwire
behavioral1/files/0x000700000001321e-87.dat | netwire
behavioral1/files/0x0006000000013327-89.dat | netwire
behavioral1/files/0x00060000000133c1-98.dat | netwire
behavioral1/files/0x000700000001321e-104.dat | netwire
behavioral1/files/0x00060000000133c1-105.dat | netwire
behavioral1/files/0x000700000001321e-107.dat | netwire
behavioral1/files/0x000700000001321e-109.dat | netwire
behavioral1/files/0x000700000001321e-108.dat | netwire
behavioral1/files/0x000700000001321e-110.dat | netwire
behavioral1/files/0x00060000000133c1-120.dat | netwire

WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.

Warzone RAT Payload (4 IoCs)
resource | yara_rule
behavioral1/memory/1496-67-0x00000000000C0000-0x00000000000DD000-memory.dmp | warzonerat
behavioral1/memory/1496-75-0x00000000000C0000-0x00000000000DD000-memory.dmp | warzonerat
behavioral1/memory/1772-91-0x0000000000080000-0x000000000009D000-memory.dmp | warzonerat
behavioral1/memory/1772-100-0x0000000000080000-0x000000000009D000-memory.dmp | warzonerat

Executes dropped EXE (8 IoCs)
pid | Process
524 | Blasthost.exe
884 | Host.exe
1768 | RtDCpl64.exe
1932 | Blasthost.exe
1772 | RtDCpl64.exe
636 | RtDCpl64.exe
1792 | Blasthost.exe
320 | RtDCpl64.exe

Loads dropped DLL (13 IoCs)
pid | Process
1564 | 5f4c62213de41ddb6e12a7cdc8027d08efe62a7861713ced24eeb37a2bc3879d.exe
1564 | 5f4c62213de41ddb6e12a7cdc8027d08efe62a7861713ced24eeb37a2bc3879d.exe
1564 | 5f4c62213de41ddb6e12a7cdc8027d08efe62a7861713ced24eeb37a2bc3879d.exe
1564 | 5f4c62213de41ddb6e12a7cdc8027d08efe62a7861713ced24eeb37a2bc3879d.exe
524 | Blasthost.exe
524 | Blasthost.exe
1768 | RtDCpl64.exe
1768 | RtDCpl64.exe
1768 | RtDCpl64.exe
1768 | RtDCpl64.exe
636 | RtDCpl64.exe
636 | RtDCpl64.exe
636 | RtDCpl64.exe

Suspicious use of SetThreadContext (3 IoCs)
description | pid | Process | procid_target
PID 1564 set thread context of 1496 | 1564 | 5f4c62213de41ddb6e12a7cdc8027d08efe62a7861713ced24eeb37a2bc3879d.exe | 29
PID 1768 set thread context of 1772 | 1768 | RtDCpl64.exe | 39
PID 636 set thread context of 320 | 636 | RtDCpl64.exe | 46

autoit_exe (5 IoCs)
AutoIT scripts compiled to PE executables.
resource | yara_rule
behavioral1/files/0x00060000000133c1-80.dat | autoit_exe
behavioral1/files/0x00060000000133c1-81.dat | autoit_exe
behavioral1/files/0x00060000000133c1-98.dat | autoit_exe
behavioral1/files/0x00060000000133c1-105.dat | autoit_exe
behavioral1/files/0x00060000000133c1-120.dat | autoit_exe

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Creates scheduled task(s) (1 TTPs, 3 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid | Process
1076 | schtasks.exe
1324 | schtasks.exe
1584 | schtasks.exe
Suspicious use of WriteProcessMemory (64 IoCs)
description | pid | Process | procid_target
PID 1564 wrote to memory of 524 | 1564 | 5f4c62213de41ddb6e12a7cdc8027d08efe62a7861713ced24eeb37a2bc3879d.exe | 27
PID 1564 wrote to memory of 524 | 1564 | 5f4c62213de41ddb6e12a7cdc8027d08efe62a7861713ced24eeb37a2bc3879d.exe | 27
PID 1564 wrote to memory of 524 | 1564 | 5f4c62213de41ddb6e12a7cdc8027d08efe62a7861713ced24eeb37a2bc3879d.exe | 27
PID 1564 wrote to memory of 524 | 1564 | 5f4c62213de41ddb6e12a7cdc8027d08efe62a7861713ced24eeb37a2bc3879d.exe | 27
PID 524 wrote to memory of 884 | 524 | Blasthost.exe | 28
PID 524 wrote to memory of 884 | 524 | Blasthost.exe | 28
PID 524 wrote to memory of 884 | 524 | Blasthost.exe | 28
PID 524 wrote to memory of 884 | 524 | Blasthost.exe | 28
PID 1564 wrote to memory of 1496 | 1564 | 5f4c62213de41ddb6e12a7cdc8027d08efe62a7861713ced24eeb37a2bc3879d.exe | 29
PID 1564 wrote to memory of 1496 | 1564 | 5f4c62213de41ddb6e12a7cdc8027d08efe62a7861713ced24eeb37a2bc3879d.exe | 29
PID 1564 wrote to memory of 1496 | 1564 | 5f4c62213de41ddb6e12a7cdc8027d08efe62a7861713ced24eeb37a2bc3879d.exe | 29
PID 1564 wrote to memory of 1496 | 1564 | 5f4c62213de41ddb6e12a7cdc8027d08efe62a7861713ced24eeb37a2bc3879d.exe | 29
PID 1564 wrote to memory of 1496 | 1564 | 5f4c62213de41ddb6e12a7cdc8027d08efe62a7861713ced24eeb37a2bc3879d.exe | 29
PID 1564 wrote to memory of 1496 | 1564 | 5f4c62213de41ddb6e12a7cdc8027d08efe62a7861713ced24eeb37a2bc3879d.exe | 29
PID 1564 wrote to memory of 1324 | 1564 | 5f4c62213de41ddb6e12a7cdc8027d08efe62a7861713ced24eeb37a2bc3879d.exe | 30
PID 1564 wrote to memory of 1324 | 1564 | 5f4c62213de41ddb6e12a7cdc8027d08efe62a7861713ced24eeb37a2bc3879d.exe | 30
PID 1564 wrote to memory of 1324 | 1564 | 5f4c62213de41ddb6e12a7cdc8027d08efe62a7861713ced24eeb37a2bc3879d.exe | 30
PID 1564 wrote to memory of 1324 | 1564 | 5f4c62213de41ddb6e12a7cdc8027d08efe62a7861713ced24eeb37a2bc3879d.exe | 30
PID 1496 wrote to memory of 860 | 1496 | 5f4c62213de41ddb6e12a7cdc8027d08efe62a7861713ced24eeb37a2bc3879d.exe | 31
PID 1496 wrote to memory of 860 | 1496 | 5f4c62213de41ddb6e12a7cdc8027d08efe62a7861713ced24eeb37a2bc3879d.exe | 31
PID 1496 wrote to memory of 860 | 1496 | 5f4c62213de41ddb6e12a7cdc8027d08efe62a7861713ced24eeb37a2bc3879d.exe | 31
PID 1496 wrote to memory of 860 | 1496 | 5f4c62213de41ddb6e12a7cdc8027d08efe62a7861713ced24eeb37a2bc3879d.exe | 31
PID 1496 wrote to memory of 860 | 1496 | 5f4c62213de41ddb6e12a7cdc8027d08efe62a7861713ced24eeb37a2bc3879d.exe | 31
PID 1496 wrote to memory of 860 | 1496 | 5f4c62213de41ddb6e12a7cdc8027d08efe62a7861713ced24eeb37a2bc3879d.exe | 31
PID 1384 wrote to memory of 1768 | 1384 | taskeng.exe | 37
PID 1384 wrote to memory of 1768 | 1384 | taskeng.exe | 37
PID 1384 wrote to memory of 1768 | 1384 | taskeng.exe | 37
PID 1384 wrote to memory of 1768 | 1384 | taskeng.exe | 37
PID 1768 wrote to memory of 1932 | 1768 | RtDCpl64.exe | 38
PID 1768 wrote to memory of 1932 | 1768 | RtDCpl64.exe | 38
PID 1768 wrote to memory of 1932 | 1768 | RtDCpl64.exe | 38
PID 1768 wrote to memory of 1932 | 1768 | RtDCpl64.exe | 38
PID 1768 wrote to memory of 1772 | 1768 | RtDCpl64.exe | 39
PID 1768 wrote to memory of 1772 | 1768 | RtDCpl64.exe | 39
PID 1768 wrote to memory of 1772 | 1768 | RtDCpl64.exe | 39
PID 1768 wrote to memory of 1772 | 1768 | RtDCpl64.exe | 39
PID 1768 wrote to memory of 1772 | 1768 | RtDCpl64.exe | 39
PID 1768 wrote to memory of 1772 | 1768 | RtDCpl64.exe | 39
PID 1772 wrote to memory of 936 | 1772 | RtDCpl64.exe | 40
PID 1772 wrote to memory of 936 | 1772 | RtDCpl64.exe | 40
PID 1772 wrote to memory of 936 | 1772 | RtDCpl64.exe | 40
PID 1772 wrote to memory of 936 | 1772 | RtDCpl64.exe | 40
PID 1768 wrote to memory of 1584 | 1768 | RtDCpl64.exe | 42
PID 1768 wrote to memory of 1584 | 1768 | RtDCpl64.exe | 42
PID 1768 wrote to memory of 1584 | 1768 | RtDCpl64.exe | 42
PID 1768 wrote to memory of 1584 | 1768 | RtDCpl64.exe | 42
PID 1772 wrote to memory of 936 | 1772 | RtDCpl64.exe | 40
PID 1772 wrote to memory of 936 | 1772 | RtDCpl64.exe | 40
PID 1384 wrote to memory of 636 | 1384 | taskeng.exe | 44
PID 1384 wrote to memory of 636 | 1384 | taskeng.exe | 44
PID 1384 wrote to memory of 636 | 1384 | taskeng.exe | 44
PID 1384 wrote to memory of 636 | 1384 | taskeng.exe | 44
PID 636 wrote to memory of 1792 | 636 | RtDCpl64.exe | 45
PID 636 wrote to memory of 1792 | 636 | RtDCpl64.exe | 45
PID 636 wrote to memory of 1792 | 636 | RtDCpl64.exe | 45
PID 636 wrote to memory of 1792 | 636 | RtDCpl64.exe | 45
PID 636 wrote to memory of 320 | 636 | RtDCpl64.exe | 46
PID 636 wrote to memory of 320 | 636 | RtDCpl64.exe | 46
PID 636 wrote to memory of 320 | 636 | RtDCpl64.exe | 46
PID 636 wrote to memory of 320 | 636 | RtDCpl64.exe | 46
PID 636 wrote to memory of 320 | 636 | RtDCpl64.exe | 46
PID 636 wrote to memory of 320 | 636 | RtDCpl64.exe | 46
PID 636 wrote to memory of 1076 | 636 | RtDCpl64.exe | 47
PID 636 wrote to memory of 1076 | 636 | RtDCpl64.exe | 47
Processes

Level 1: C:\Users\Admin\AppData\Local\Temp\5f4c62213de41ddb6e12a7cdc8027d08efe62a7861713ced24eeb37a2bc3879d.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\5f4c62213de41ddb6e12a7cdc8027d08efe62a7861713ced24eeb37a2bc3879d.exe"
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID: 1564

  Level 2: C:\Users\Admin\AppData\Roaming\Blasthost.exe
    Command line: "C:\Users\Admin\AppData\Roaming\Blasthost.exe"
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID: 524

    Level 3: C:\Users\Admin\AppData\Roaming\Imgburn\Host.exe
      Command line: "C:\Users\Admin\AppData\Roaming\Imgburn\Host.exe"
      - Executes dropped EXE
      PID: 884

  Level 2: C:\Users\Admin\AppData\Local\Temp\5f4c62213de41ddb6e12a7cdc8027d08efe62a7861713ced24eeb37a2bc3879d.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\5f4c62213de41ddb6e12a7cdc8027d08efe62a7861713ced24eeb37a2bc3879d.exe"
    - Suspicious use of WriteProcessMemory
    PID: 1496

    Level 3: C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe"
      PID: 860

  Level 2: C:\Windows\SysWOW64\schtasks.exe
    Command line: "C:\Windows\SysWOW64\schtasks.exe" /create /tn raserver /tr "C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe" /sc minute /mo 1 /F
    - Creates scheduled task(s)
    PID: 1324

Level 1: C:\Windows\system32\taskeng.exe
  Command line: taskeng.exe {17CA02F6-97D1-4956-91C1-07CF03853AF0} S-1-5-21-3846991908-3261386348-1409841751-1000:VQVVOAJK\Admin:Interactive:[1]
  - Suspicious use of WriteProcessMemory
  PID: 1384

  Level 2: C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
    Command line: C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID: 1768

    Level 3: C:\Users\Admin\AppData\Roaming\Blasthost.exe
      Command line: "C:\Users\Admin\AppData\Roaming\Blasthost.exe"
      - Executes dropped EXE
      PID: 1932

    Level 3: C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
      Command line: "C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe"
      - Executes dropped EXE
      - Suspicious use of WriteProcessMemory
      PID: 1772

      Level 4: C:\Windows\SysWOW64\cmd.exe
        Command line: "C:\Windows\System32\cmd.exe"
        PID: 936

    Level 3: C:\Windows\SysWOW64\schtasks.exe
      Command line: "C:\Windows\SysWOW64\schtasks.exe" /create /tn raserver /tr "C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe" /sc minute /mo 1 /F
      - Creates scheduled task(s)
      PID: 1584

  Level 2: C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
    Command line: C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID: 636

    Level 3: C:\Users\Admin\AppData\Roaming\Blasthost.exe
      Command line: "C:\Users\Admin\AppData\Roaming\Blasthost.exe"
      - Executes dropped EXE
      PID: 1792

    Level 3: C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
      Command line: "C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe"
      - Executes dropped EXE
      PID: 320

      Level 4: C:\Windows\SysWOW64\cmd.exe
        Command line: "C:\Windows\System32\cmd.exe"
        PID: 1056

    Level 3: C:\Windows\SysWOW64\schtasks.exe
      Command line: "C:\Windows\SysWOW64\schtasks.exe" /create /tn raserver /tr "C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe" /sc minute /mo 1 /F
      - Creates scheduled task(s)
      PID: 1076