Analysis
- max time kernel: 168s
- max time network: 173s
- platform: windows10-2004_x64
- resource: win10v2004-en-20220113
- submitted: 17/02/2022, 02:47
Behavioral tasks
- behavioral1: sample 5f4c62213de41ddb6e12a7cdc8027d08efe62a7861713ced24eeb37a2bc3879d.exe, resource win7-en-20211208
- behavioral2: sample 5f4c62213de41ddb6e12a7cdc8027d08efe62a7861713ced24eeb37a2bc3879d.exe, resource win10v2004-en-20220113
Every signature, memory dump and process listed below comes from behavioral2 (the Windows 10 run); no behavioral1 results are reproduced on this page.
General
- Target: 5f4c62213de41ddb6e12a7cdc8027d08efe62a7861713ced24eeb37a2bc3879d.exe
- Size: 1.3MB
- MD5: 7c3278d2f3fd0e64b11c58d092c42ea6
- SHA1: 5accd7b5987e3e938bf945a18b6f74f2171facc0
- SHA256: 5f4c62213de41ddb6e12a7cdc8027d08efe62a7861713ced24eeb37a2bc3879d
- SHA512: fd9d220a78b789049697fff553a65e07d9e6ac340277b03dbb05ef6e48cbe28e8553f6e18dac34fafe07de67612bdf56863a8bca362591bcbee3735232190499
Malware Config
Extracted
- Family: warzonerat
- C2: wealth.warzonedns.com:5202
Signatures

NetWire RAT payload (15 IoCs)
resource                                      yara_rule
behavioral2/files/0x0004000000000731-130.dat  netwire
behavioral2/files/0x0004000000000731-131.dat  netwire
behavioral2/files/0x000900000001e793-132.dat  netwire
behavioral2/files/0x000900000001e793-133.dat  netwire
behavioral2/files/0x000400000001e79b-147.dat  netwire
behavioral2/files/0x000400000001e79b-148.dat  netwire
behavioral2/files/0x0004000000000731-149.dat  netwire
behavioral2/files/0x000400000001e79b-157.dat  netwire
behavioral2/files/0x0004000000000731-160.dat  netwire
behavioral2/files/0x000400000001e79b-161.dat  netwire
behavioral2/files/0x0004000000000731-162.dat  netwire
behavioral2/files/0x000400000001e79b-170.dat  netwire
behavioral2/files/0x000400000001e79b-173.dat  netwire
behavioral2/files/0x0004000000000731-174.dat  netwire
behavioral2/files/0x000400000001e79b-182.dat  netwire
Note: every netwire match is on a dropped file, and the 0x000400000001e79b-*.dat files also match the autoit_exe rule further down. The extracted configuration and all in-memory matches are warzonerat. Treat the NetWire label as a file-signature hit that still needs confirmation, not as an established second family.
WarzoneRat, AveMaria
WarzoneRat is a native RAT written in C++, sold as malware-as-a-service together with a set of plugins.

Warzone RAT Payload (6 IoCs)
resource                                                                      yara_rule
behavioral2/memory/4592-135-0x0000000000A30000-0x0000000000A4D000-memory.dmp  warzonerat
behavioral2/memory/4592-142-0x0000000000A30000-0x0000000000A4D000-memory.dmp  warzonerat
behavioral2/memory/5052-150-0x0000000000A50000-0x0000000000A6D000-memory.dmp  warzonerat
behavioral2/memory/5052-158-0x0000000000A50000-0x0000000000A6D000-memory.dmp  warzonerat
behavioral2/memory/4964-163-0x0000000000400000-0x000000000041D000-memory.dmp  warzonerat
behavioral2/memory/4964-171-0x0000000000400000-0x000000000041D000-memory.dmp  warzonerat
The matching regions belong to PIDs 4592, 5052 and 4964, three of the four SetThreadContext targets listed below, and each region is the same 0x1D000 bytes long; no dump is listed for the fourth target, PID 2628.
Executes dropped EXE (11 IoCs)
pid   Process
544   Blasthost.exe
3792  Host.exe
1912  RtDCpl64.exe
5108  Blasthost.exe
5052  RtDCpl64.exe
4144  RtDCpl64.exe
5032  Blasthost.exe
4964  RtDCpl64.exe
3372  RtDCpl64.exe
3404  Blasthost.exe
2628  RtDCpl64.exe
Checks computer location settings (2 TTPs, 4 IoCs)
Looks up the country code configured in the registry, likely a geofence check.
description        ioc                                                                                                    Process
Key value queried  \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation  RtDCpl64.exe
Key value queried  \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation  RtDCpl64.exe
Key value queried  \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation  RtDCpl64.exe
Key value queried  \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation  5f4c62213de41ddb6e12a7cdc8027d08efe62a7861713ced24eeb37a2bc3879d.exe
Suspicious use of SetThreadContext (4 IoCs)
description                           pid   Process                                                               procid_target
PID 3184 set thread context of 4592   3184  5f4c62213de41ddb6e12a7cdc8027d08efe62a7861713ced24eeb37a2bc3879d.exe  85
PID 1912 set thread context of 5052   1912  RtDCpl64.exe                                                          105
PID 4144 set thread context of 4964   4144  RtDCpl64.exe                                                          120
PID 3372 set thread context of 2628   3372  RtDCpl64.exe                                                          128
autoit_exe (7 IoCs)
AutoIT scripts compiled to PE executables.
resource                                      yara_rule
behavioral2/files/0x000400000001e79b-147.dat  autoit_exe
behavioral2/files/0x000400000001e79b-148.dat  autoit_exe
behavioral2/files/0x000400000001e79b-157.dat  autoit_exe
behavioral2/files/0x000400000001e79b-161.dat  autoit_exe
behavioral2/files/0x000400000001e79b-170.dat  autoit_exe
behavioral2/files/0x000400000001e79b-173.dat  autoit_exe
behavioral2/files/0x000400000001e79b-182.dat  autoit_exe
Drops file in Windows directory (8 IoCs)
description                   ioc                                                        Process
File opened for modification  C:\Windows\WinSxS\pending.xml                              TiWorker.exe
File opened for modification  C:\Windows\WindowsUpdate.log                               svchost.exe
File opened for modification  C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk     svchost.exe
File opened for modification  C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log     svchost.exe
File opened for modification  C:\Windows\SoftwareDistribution\DataStore\DataStore.edb    svchost.exe
File opened for modification  C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm    svchost.exe
File opened for modification  C:\Windows\SoftwareDistribution\ReportingEvents.log        svchost.exe
File opened for modification  C:\Windows\Logs\CBS\CBS.log                                TiWorker.exe
Note: all eight paths are Windows Update and component-servicing artefacts written by svchost.exe (the wuauserv instance) and TiWorker.exe, both of which appear as their own roots in the process tree below. None of these writes is attributable to the sample or its children.
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). The sandbox's generic description of this signature reads "likely ransomware behaviour"; no IoCs are listed for it here, and the extracted configuration identifies the sample as a RAT, so treat it as drive enumeration rather than as evidence of file encryption.
Creates scheduled task(s) (1 TTPs, 4 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid   Process
3436  schtasks.exe
4780  schtasks.exe
2864  schtasks.exe
3272  schtasks.exe
Suspicious use of AdjustPrivilegeToken (64 IoCs)
All 64 rows belong to the two Windows Update / servicing processes that also appear as roots in the process tree below; none belongs to the sample or its children. Collapsed by process:
pid   Process       Token (as listed, in order)                                                        rows
3080  svchost.exe   SeShutdownPrivilege and SeCreatePagefilePrivilege, alternating, three of each       6
4820  TiWorker.exe  SeSecurityPrivilege, SeRestorePrivilege and SeBackupPrivilege, repeating in cycles  58
Suspicious use of WriteProcessMemory (64 IoCs)
The report repeats each (source, target) row several times; the rows are collapsed here with the repetition count kept. The target image column is read off the process tree below, not from the original rows. The list is capped at 64 entries, so the last two pairs are probably under-counted.
source pid  source Process                                                        target pid  target image   procid_target  rows
3184        5f4c62213de41ddb6e12a7cdc8027d08efe62a7861713ced24eeb37a2bc3879d.exe  544         Blasthost.exe  82             3
544         Blasthost.exe                                                         3792        Host.exe       84             3
3184        5f4c62213de41ddb6e12a7cdc8027d08efe62a7861713ced24eeb37a2bc3879d.exe  4592        (same image)   85             5
4592        5f4c62213de41ddb6e12a7cdc8027d08efe62a7861713ced24eeb37a2bc3879d.exe  2624        cmd.exe        86             5
3184        5f4c62213de41ddb6e12a7cdc8027d08efe62a7861713ced24eeb37a2bc3879d.exe  4780        schtasks.exe   88             3
1912        RtDCpl64.exe                                                          5108        Blasthost.exe  104            3
1912        RtDCpl64.exe                                                          5052        RtDCpl64.exe   105            5
5052        RtDCpl64.exe                                                          1040        cmd.exe        106            5
1912        RtDCpl64.exe                                                          2864        schtasks.exe   108            3
4144        RtDCpl64.exe                                                          5032        Blasthost.exe  119            3
4144        RtDCpl64.exe                                                          4964        RtDCpl64.exe   120            5
4964        RtDCpl64.exe                                                          4076        cmd.exe        121            5
4144        RtDCpl64.exe                                                          3272        schtasks.exe   123            3
3372        RtDCpl64.exe                                                          3404        Blasthost.exe  127            3
3372        RtDCpl64.exe                                                          2628        RtDCpl64.exe   128            5
2628        RtDCpl64.exe                                                          2172        cmd.exe        129            3 (truncated)
3372        RtDCpl64.exe                                                          3436        schtasks.exe   131            2 (truncated)
The four SetThreadContext targets (4592, 5052, 4964, 2628) are each a second instance of their parent's own image, and each then spawns a cmd.exe. Note that the cmd.exe children receive as many writes as the hollowed copies do, so the write count on its own does not separate the two cases; the SetThreadContext row on a same-image child is the discriminating signal.
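The SetThreadContext and WriteProcessMemory rows above are the report's clearest evidence of how the sample and RtDCpl64.exe launch their payload. The following is an added example, not part of this sandbox report and not the sandbox's own logic: it parses rows in the report's row format, reads the PID-to-image map off the process tree, and flags every parent that set the thread context of a child running the parent's own image. Write counts are carried along for context only. The row text is copied from this report (the WriteProcessMemory rows are a subset of the 64, with the report's repetition counts kept); the regex, the dataclass and the heuristic are the example's own assumptions.

```python
"""
Added example, not part of the sandbox report and not the sandbox's own
logic: parse the report's "set thread context of" / "wrote to memory of"
rows and flag parent/child pairs in which a process redirected the thread
context of a child running the parent's own image, the shape that hollowing
a suspended self-copy leaves behind. Rows are copied from this report; the
PID-to-image map is read off the report's process tree; the regex, the
dataclass and the heuristic are the example's own.
"""
import re
from collections import Counter
from dataclasses import dataclass

SAMPLE = "5f4c62213de41ddb6e12a7cdc8027d08efe62a7861713ced24eeb37a2bc3879d.exe"

# All four "Suspicious use of SetThreadContext" rows from the report.
SET_THREAD_CONTEXT_ROWS = f"""
PID 3184 set thread context of 4592 3184 {SAMPLE} 85
PID 1912 set thread context of 5052 1912 RtDCpl64.exe 105
PID 4144 set thread context of 4964 4144 RtDCpl64.exe 120
PID 3372 set thread context of 2628 3372 RtDCpl64.exe 128
"""

def _repeat(row, n):
    return "\n".join([row] * n)

# Subset of the 64 "Suspicious use of WriteProcessMemory" rows, repeated as
# many times as the report lists them.
WRITE_PROCESS_MEMORY_ROWS = "\n".join([
    _repeat(f"PID 3184 wrote to memory of 544 3184 {SAMPLE} 82", 3),   # Blasthost.exe
    _repeat(f"PID 3184 wrote to memory of 4592 3184 {SAMPLE} 85", 5),  # self-copy
    _repeat(f"PID 4592 wrote to memory of 2624 4592 {SAMPLE} 86", 5),  # cmd.exe
    _repeat(f"PID 3184 wrote to memory of 4780 3184 {SAMPLE} 88", 3),  # schtasks.exe
    _repeat("PID 1912 wrote to memory of 5052 1912 RtDCpl64.exe 105", 5),
    _repeat("PID 4144 wrote to memory of 4964 4144 RtDCpl64.exe 120", 5),
    _repeat("PID 3372 wrote to memory of 2628 3372 RtDCpl64.exe 128", 5),
])

# PID -> image name, from the report's process tree.
IMAGE_OF = {
    3184: SAMPLE, 4592: SAMPLE, 544: "Blasthost.exe", 3792: "Host.exe",
    2624: "cmd.exe", 4780: "schtasks.exe",
    1912: "RtDCpl64.exe", 5052: "RtDCpl64.exe", 5108: "Blasthost.exe",
    1040: "cmd.exe", 2864: "schtasks.exe",
    4144: "RtDCpl64.exe", 4964: "RtDCpl64.exe", 5032: "Blasthost.exe",
    4076: "cmd.exe", 3272: "schtasks.exe",
    3372: "RtDCpl64.exe", 2628: "RtDCpl64.exe", 3404: "Blasthost.exe",
    2172: "cmd.exe", 3436: "schtasks.exe",
}

@dataclass(frozen=True)
class InjectionEvent:
    api: str           # "SetThreadContext" or "WriteProcessMemory"
    source: int        # acting PID
    target: int        # PID written to / whose thread context was set
    source_image: str  # image name of the acting PID, as printed in the row

# Row layout: "PID <src> <verb> <dst> <src> <source image> <procid_target>"
ROW = re.compile(r"^PID (\d+) (set thread context of|wrote to memory of) (\d+) \1 (\S+) \d+$")

def parse_rows(text):
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = ROW.match(line)
        if m is None:
            raise ValueError(f"unrecognised row: {line!r}")
        api = "SetThreadContext" if m.group(2).startswith("set") else "WriteProcessMemory"
        events.append(InjectionEvent(api, int(m.group(1)), int(m.group(3)), m.group(4)))
    return events

def write_counts(events):
    """(source, target) -> number of WriteProcessMemory rows."""
    return Counter((e.source, e.target) for e in events if e.api == "WriteProcessMemory")

def hollowing_candidates(events, image_of):
    """(source, target, writes) for every SetThreadContext whose target runs the
    source's own image. The write count is context only: in this report the
    cmd.exe children receive as many writes as the hollowed copies."""
    counts = write_counts(events)
    return [
        (e.source, e.target, counts[(e.source, e.target)])
        for e in events
        if e.api == "SetThreadContext" and image_of.get(e.target) == e.source_image
    ]

if __name__ == "__main__":
    evts = parse_rows(SET_THREAD_CONTEXT_ROWS + WRITE_PROCESS_MEMORY_ROWS)
    for src, dst, n in hollowing_candidates(evts, IMAGE_OF):
        print(f"PID {src} ({IMAGE_OF[src]}) set thread context of same-image PID {dst}; {n} writes")
```

Running it on the copied rows yields the four parent/child pairs from the SetThreadContext table; the (4592, 2624) cmd.exe pair, despite its five writes, is not flagged because no SetThreadContext row targets it.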
Processes
Indentation and the [n] prefix show parent/child nesting. Each entry gives the image path, the command line as captured, the PID, and the signatures that process triggered. Three points worth reading alongside the tree:
- The cmd.exe children carry the image path C:\Windows\SysWOW64\cmd.exe although their command line names C:\Windows\System32\cmd.exe. That is WOW64 file-system redirection, so the launching processes (the sample and RtDCpl64.exe) are 32-bit.
- The three top-level RtDCpl64.exe instances (PIDs 1912, 4144, 3372) have no parent in the tree and each repeats the drop / self-launch / schtasks sequence of the original sample, which is what the raserver task (/sc minute /mo 1, created four times with /F) produces once the Task Scheduler starts firing it.
- svchost.exe -k netsvcs -p -s wuauserv (PID 3080) and TiWorker.exe (PID 4820) are Windows Update and servicing-stack activity of the sandbox image, not descendants of the sample.

[1] C:\Users\Admin\AppData\Local\Temp\5f4c62213de41ddb6e12a7cdc8027d08efe62a7861713ced24eeb37a2bc3879d.exe
    cmdline: "C:\Users\Admin\AppData\Local\Temp\5f4c62213de41ddb6e12a7cdc8027d08efe62a7861713ced24eeb37a2bc3879d.exe"
    PID 3184
    - Checks computer location settings
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    [2] C:\Users\Admin\AppData\Roaming\Blasthost.exe
        cmdline: "C:\Users\Admin\AppData\Roaming\Blasthost.exe"
        PID 544
        - Executes dropped EXE
        - Suspicious use of WriteProcessMemory
        [3] C:\Users\Admin\AppData\Roaming\Imgburn\Host.exe
            cmdline: "C:\Users\Admin\AppData\Roaming\Imgburn\Host.exe"
            PID 3792
            - Executes dropped EXE
    [2] C:\Users\Admin\AppData\Local\Temp\5f4c62213de41ddb6e12a7cdc8027d08efe62a7861713ced24eeb37a2bc3879d.exe
        cmdline: "C:\Users\Admin\AppData\Local\Temp\5f4c62213de41ddb6e12a7cdc8027d08efe62a7861713ced24eeb37a2bc3879d.exe"
        PID 4592
        - Suspicious use of WriteProcessMemory
        [3] C:\Windows\SysWOW64\cmd.exe
            cmdline: "C:\Windows\System32\cmd.exe"
            PID 2624
    [2] C:\Windows\SysWOW64\schtasks.exe
        cmdline: "C:\Windows\SysWOW64\schtasks.exe" /create /tn raserver /tr "C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe" /sc minute /mo 1 /F
        PID 4780
        - Creates scheduled task(s)

[1] C:\Windows\system32\svchost.exe
    cmdline: C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
    PID 3080
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken

[1] C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
    cmdline: C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
    PID 1912
    - Executes dropped EXE
    - Checks computer location settings
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    [2] C:\Users\Admin\AppData\Roaming\Blasthost.exe
        cmdline: "C:\Users\Admin\AppData\Roaming\Blasthost.exe"
        PID 5108
        - Executes dropped EXE
    [2] C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
        cmdline: "C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe"
        PID 5052
        - Executes dropped EXE
        - Suspicious use of WriteProcessMemory
        [3] C:\Windows\SysWOW64\cmd.exe
            cmdline: "C:\Windows\System32\cmd.exe"
            PID 1040
    [2] C:\Windows\SysWOW64\schtasks.exe
        cmdline: "C:\Windows\SysWOW64\schtasks.exe" /create /tn raserver /tr "C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe" /sc minute /mo 1 /F
        PID 2864
        - Creates scheduled task(s)

[1] C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
    cmdline: C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
    PID 4820
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken

[1] C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
    cmdline: C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
    PID 4144
    - Executes dropped EXE
    - Checks computer location settings
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    [2] C:\Users\Admin\AppData\Roaming\Blasthost.exe
        cmdline: "C:\Users\Admin\AppData\Roaming\Blasthost.exe"
        PID 5032
        - Executes dropped EXE
    [2] C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
        cmdline: "C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe"
        PID 4964
        - Executes dropped EXE
        - Suspicious use of WriteProcessMemory
        [3] C:\Windows\SysWOW64\cmd.exe
            cmdline: "C:\Windows\System32\cmd.exe"
            PID 4076
    [2] C:\Windows\SysWOW64\schtasks.exe
        cmdline: "C:\Windows\SysWOW64\schtasks.exe" /create /tn raserver /tr "C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe" /sc minute /mo 1 /F
        PID 3272
        - Creates scheduled task(s)

[1] C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
    cmdline: C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
    PID 3372
    - Executes dropped EXE
    - Checks computer location settings
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    [2] C:\Users\Admin\AppData\Roaming\Blasthost.exe
        cmdline: "C:\Users\Admin\AppData\Roaming\Blasthost.exe"
        PID 3404
        - Executes dropped EXE
    [2] C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
        cmdline: "C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe"
        PID 2628
        - Executes dropped EXE
        - Suspicious use of WriteProcessMemory
        [3] C:\Windows\SysWOW64\cmd.exe
            cmdline: "C:\Windows\System32\cmd.exe"
            PID 2172
    [2] C:\Windows\SysWOW64\schtasks.exe
        cmdline: "C:\Windows\SysWOW64\schtasks.exe" /create /tn raserver /tr "C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe" /sc minute /mo 1 /F
        PID 3436
        - Creates scheduled task(s)
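The raserver task is the persistence mechanism in this run: once created, the Task Scheduler starts C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe every minute, which is why three parentless RtDCpl64.exe trees appear above. As an added example (not from the report, and not a sandbox or vendor rule), the Python below scores schtasks.exe process-creation events on the properties an analyst would read off that command line: /create, an action under a user-writable profile directory, a trigger of five minutes or less, /F, and a parent that itself runs from a user-writable directory. The first event reuses the report's command line and parent (PID 4780 under PID 3184); the two contrasting events, the event field names, the directory list and the thresholds are constructed for the example.

```python
"""
Added example, not part of the sandbox report and not a sandbox or vendor
rule: flag schtasks.exe command lines that look like the "raserver" task in
this report. The event shape (image / parent_image / cmdline) is a simplified
process-creation record chosen for the example; the directory list and the
thresholds are the example's own.
"""
import re
from dataclasses import dataclass, field

SAMPLE_DIR = r"C:\Users\Admin\AppData\Local\Temp"
SAMPLE = "5f4c62213de41ddb6e12a7cdc8027d08efe62a7861713ced24eeb37a2bc3879d.exe"

# Constructed events. The first is the command line and parent from this
# report; the other two are benign contrasts invented for the example.
EVENTS = [
    {"image": r"C:\Windows\SysWOW64\schtasks.exe",
     "parent_image": SAMPLE_DIR + "\\" + SAMPLE,
     "cmdline": r'"C:\Windows\SysWOW64\schtasks.exe" /create /tn raserver '
                r'/tr "C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe" /sc minute /mo 1 /F'},
    {"image": r"C:\Windows\System32\schtasks.exe",
     "parent_image": r"C:\Windows\System32\msiexec.exe",
     "cmdline": r'"C:\Windows\System32\schtasks.exe" /create /tn "Vendor Updater" '
                r'/tr "C:\Program Files\Vendor\updater.exe" /sc daily /st 09:00'},
    {"image": r"C:\Windows\System32\schtasks.exe",
     "parent_image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'"C:\Windows\System32\schtasks.exe" /query /tn raserver'},
]

TOKEN = re.compile(r'"[^"]*"|\S+')           # quoted string or bare word
# Directories an unprivileged user can write to (assumed list).
USER_WRITABLE = re.compile(r"\\(appdata|programdata|temp|users\\public)\\", re.I)
VALUE_FLAGS = {"/tn", "/tr", "/sc", "/mo", "/st", "/ru", "/rp", "/xml"}

@dataclass
class TaskFinding:
    task_name: str
    action: str
    schedule: str
    reasons: list = field(default_factory=list)

def parse_schtasks(cmdline):
    """Return {flag: value or True} for a schtasks.exe command line, else None."""
    tokens = [t.strip('"') for t in TOKEN.findall(cmdline)]
    if not tokens or not tokens[0].lower().endswith("schtasks.exe"):
        return None
    opts, i = {}, 1
    while i < len(tokens):
        flag = tokens[i].lower()
        if flag in VALUE_FLAGS and i + 1 < len(tokens):
            opts[flag] = tokens[i + 1]
            i += 2
        else:
            opts[flag] = True
            i += 1
    return opts

def assess(event):
    """Score one process-creation event; None unless it creates a task."""
    opts = parse_schtasks(event["cmdline"])
    if opts is None or "/create" not in opts:
        return None
    action = str(opts.get("/tr", ""))
    sc, mo = str(opts.get("/sc", "")).lower(), str(opts.get("/mo", ""))
    schedule = f"/sc {sc}" + (f" /mo {mo}" if mo else "")
    finding = TaskFinding(str(opts.get("/tn", "")), action, schedule)
    if USER_WRITABLE.search(action):
        finding.reasons.append("action runs from a user-writable directory")
    if sc == "minute" and mo.isdigit() and int(mo) <= 5:
        finding.reasons.append(f"re-runs every {mo} minute(s)")
    if "/f" in opts:
        finding.reasons.append("/F silently replaces any existing task of that name")
    if USER_WRITABLE.search(event.get("parent_image", "")):
        finding.reasons.append("created by a process running from a user-writable directory")
    return finding

def suspicious_tasks(events, min_reasons=2):
    """Findings that carry at least min_reasons independent indicators."""
    findings = (assess(e) for e in events)
    return [f for f in findings if f is not None and len(f.reasons) >= min_reasons]

if __name__ == "__main__":
    for f in suspicious_tasks(EVENTS):
        print(f.task_name, f.action, f.schedule, *f.reasons, sep="\n  ")
```

On the constructed events only the raserver creation is reported, with all four indicators; the vendor-style daily task parses cleanly but scores nothing, and the /query invocation is ignored because it does not create a task. The same parser can be pointed at Sysmon EventID 1 or Security 4688 command lines once the field names are mapped.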