Analysis
max time kernel: 159s
max time network: 132s
platform: windows7_x64
resource: win7-en-20211208
submitted: 17/02/2022, 02:47
Behavioral task: behavioral1
Sample: 5f295056312c29a827c5b6d97d98d7d7330931ad6a7b6697763a6954314a08d3.exe
Resource: win7-en-20211208
Behavioral task: behavioral2
Sample: 5f295056312c29a827c5b6d97d98d7d7330931ad6a7b6697763a6954314a08d3.exe
Resource: win10v2004-en-20220112
Every signature, IoC and process listed on this page is tagged behavioral1, i.e. it comes from the Windows 7 x64 run; the Windows 10 task contributed no entries here.
General
Target: 5f295056312c29a827c5b6d97d98d7d7330931ad6a7b6697763a6954314a08d3.exe
Size: 1.3MB
MD5: b8d87571145ad6044e6ec160d0dbca25
SHA1: 81043a93d8f1dafd596fd703cd9952c9a8a6f3f5
SHA256: 5f295056312c29a827c5b6d97d98d7d7330931ad6a7b6697763a6954314a08d3
SHA512: 0f1fd803c85525993cc750d47a3da1d00202eca5539699036c0d923aa7deedbc8983ae0ee698ad846be7f0641f9b81c53e4ec0c786b4c7739a00167e073a0a7d
Malware Config
Extracted family: warzonerat
C2: wealth.warzonedns.com:5202
Signatures
NetWire RAT payload 31 IoCs
resource (dump index)                                                                                   yara_rule
behavioral1/files/0x000800000001224b-{55,56,57,58,59,61,82,83,84,85,86,104,107,108,109,110,129,130,131,132}.dat   netwire (20 hits)
behavioral1/files/0x000800000001227a-{62,63,64,88}.dat                                                 netwire (4 hits)
behavioral1/files/0x00060000000125e4-{79,80,97,105,120,127,142}.dat                                    netwire (7 hits)
WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
Warzone RAT Payload 4 IoCs
resource                                                                      yara_rule
behavioral1/memory/528-67-0x0000000000080000-0x000000000009D000-memory.dmp    warzonerat
behavioral1/memory/528-75-0x0000000000080000-0x000000000009D000-memory.dmp    warzonerat
behavioral1/memory/1744-90-0x0000000000400000-0x000000000041D000-memory.dmp   warzonerat
behavioral1/memory/1744-100-0x0000000000400000-0x000000000041D000-memory.dmp  warzonerat
Both dumped regions are 0x1D000 bytes, consistent with the same unpacked Warzone payload being mapped at different bases in the two hollowed processes (PIDs 528 and 1744; see the SetThreadContext table below). The payload lives only in memory: the on-disk droppers match the netwire and autoit_exe rules, not warzonerat.
Executes dropped EXE 11 IoCs
pid    Process
1872   Blasthost.exe
760    Host.exe
1296   RtDCpl64.exe
1896   Blasthost.exe
1744   RtDCpl64.exe
548    RtDCpl64.exe
1084   Blasthost.exe
876    RtDCpl64.exe
1276   RtDCpl64.exe
1988   Blasthost.exe
2028   RtDCpl64.exe
Loads dropped DLL 16 IoCs
pid    Process                                                                  loads
1612   5f295056312c29a827c5b6d97d98d7d7330931ad6a7b6697763a6954314a08d3.exe   4
1872   Blasthost.exe                                                            2
1296   RtDCpl64.exe                                                             4
548    RtDCpl64.exe                                                             3
1276   RtDCpl64.exe                                                             3
Suspicious use of SetThreadContext 4 IoCs
description                             pid    Process                                                                  procid_target
PID 1612 set thread context of 528      1612   5f295056312c29a827c5b6d97d98d7d7330931ad6a7b6697763a6954314a08d3.exe   29
PID 1296 set thread context of 1744     1296   RtDCpl64.exe                                                             37
PID 548 set thread context of 876       548    RtDCpl64.exe                                                             46
PID 1276 set thread context of 2028     1276   RtDCpl64.exe                                                             53
In all four cases the target is a second instance of the caller's own executable (528 is another copy of the sample; 1744, 876 and 2028 are children of RtDCpl64.exe running RtDCpl64.exe, see the process tree), which together with the WriteProcessMemory calls into the same targets is the pattern of a launcher hollowing a child copy of itself.
autoit_exe 7 IoCs
AutoIT scripts compiled to PE executables.
resource (dump index)                                                  yara_rule
behavioral1/files/0x00060000000125e4-{79,80,97,105,120,127,142}.dat    autoit_exe
These are the same seven dumps of resource 0x00060000000125e4 that also match the netwire rule above, so the AutoIt-compiled dropper and the netwire file match are one artifact, not two.
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). The sandbox's generic description for this signature reads "Likely ransomware behaviour"; nothing else on this page (a WarzoneRat configuration, in-memory RAT payload matches, no encryption or ransom-note signatures) supports a ransomware verdict, so read it as plain drive enumeration by a RAT.
Creates scheduled task(s) 1 TTPs 4 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid    Process
1688   schtasks.exe
1892   schtasks.exe
1180   schtasks.exe
1724   schtasks.exe
All four invocations run the same command line (see the process tree): a task named raserver that starts %APPDATA%\aepic\RtDCpl64.exe every minute, created with /F so each run of RtDCpl64.exe silently re-registers it. That is why taskeng.exe appears as the parent of three further RtDCpl64.exe instances within the 159 s run.
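The scheduled-task command line above is the persistence artifact an analyst would turn into a detection. The following is an added example, not part of the sandbox report: it parses a `schtasks /create` command line (SCHTASKS_CMD is the exact line the report records for PIDs 1688, 1892, 1180 and 1724; BENIGN_CMD is a constructed comparison case) and scores it on the three traits that make this one persistence rather than administration: an action under a user-writable path, a minute-level interval, and /F overwriting. The helper names and the scoring threshold are the example's own choices.

```python
"""Parse a schtasks /create command line and score it for persistence.

Added example; not part of the sandbox report. SCHTASKS_CMD is the exact
command line the report records four times; BENIGN_CMD is constructed.
"""
import re
import shlex

SCHTASKS_CMD = (
    '"C:\\Windows\\SysWOW64\\schtasks.exe" /create /tn raserver '
    '/tr "C:\\Users\\Admin\\AppData\\Roaming\\aepic\\RtDCpl64.exe" '
    '/sc minute /mo 1 /F'
)
BENIGN_CMD = (  # constructed comparison case
    '"C:\\Windows\\System32\\schtasks.exe" /create /tn NightlyBackup '
    '/tr "C:\\Program Files\\Backup\\backup.exe" /sc daily /st 02:00'
)

# Locations a standard user can write to without elevation; a task whose
# action lives here was planted by the user context, not installed software.
USER_WRITABLE = re.compile(
    r"^[a-z]:\\users\\[^\\]+\\appdata\\|^[a-z]:\\users\\public\\|\\temp\\", re.I
)


def parse_schtasks(cmdline):
    """Return schtasks switches as a dict (lower-cased, slash removed).
    A switch followed by a non-switch token takes that token as its value;
    bare switches such as /create and /F map to True."""
    # posix=False keeps Windows backslashes intact and leaves quotes on tokens.
    toks = [t.strip('"') for t in shlex.split(cmdline, posix=False)]
    opts = {}
    i = 1  # skip the executable itself
    while i < len(toks):
        if not toks[i].startswith("/"):
            i += 1
            continue
        key = toks[i][1:].lower()
        if i + 1 < len(toks) and not toks[i + 1].startswith("/"):
            opts[key] = toks[i + 1]
            i += 2
        else:
            opts[key] = True
            i += 1
    return opts


def interval_minutes(opts):
    """Effective run interval in minutes, or None for non-interval schedules."""
    sc = str(opts.get("sc", "")).lower()
    mo_raw = str(opts.get("mo", "1"))
    mo = int(mo_raw) if mo_raw.isdigit() else 1  # schtasks defaults /mo to 1
    return {"minute": mo, "hourly": 60 * mo}.get(sc)


def analyze_schtasks(cmdline):
    """Score one /create command line; two or more reasons mark it suspicious."""
    opts = parse_schtasks(cmdline)
    action = str(opts.get("tr", ""))
    every = interval_minutes(opts)
    reasons = []
    if USER_WRITABLE.search(action):
        reasons.append("action runs from a user-writable path")
    if every is not None and every <= 5:
        reasons.append(f"re-runs every {every} minute(s)")
    if opts.get("f") is True:
        reasons.append("/F silently overwrites an existing task of the same name")
    return {
        "task_name": opts.get("tn"),
        "action": action,
        "interval_minutes": every,
        "reasons": reasons,
        "suspicious": len(reasons) >= 2,
    }


if __name__ == "__main__":
    for cmd in (SCHTASKS_CMD, BENIGN_CMD):
        print(analyze_schtasks(cmd))
```

On a live host the same three fields (task name, "Task To Run", schedule) come out of `schtasks /query /v /fo csv`, so the scoring function applies unchanged to an inventory of existing tasks, not only to command lines captured at creation time.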
Suspicious use of WriteProcessMemory 64 IoCs
Identical rows are collapsed; the calls column gives how many times the sandbox logged that write.
description                         pid    Process                                                                  procid_target   calls
PID 1612 wrote to memory of 1872    1612   5f295056312c29a827c5b6d97d98d7d7330931ad6a7b6697763a6954314a08d3.exe   27              4
PID 1872 wrote to memory of 760     1872   Blasthost.exe                                                            28              4
PID 1612 wrote to memory of 528     1612   5f295056312c29a827c5b6d97d98d7d7330931ad6a7b6697763a6954314a08d3.exe   29              6
PID 528 wrote to memory of 1792     528    5f295056312c29a827c5b6d97d98d7d7330931ad6a7b6697763a6954314a08d3.exe   30              6
PID 1612 wrote to memory of 1688    1612   5f295056312c29a827c5b6d97d98d7d7330931ad6a7b6697763a6954314a08d3.exe   31              4
PID 1512 wrote to memory of 1296    1512   taskeng.exe                                                              35              4
PID 1296 wrote to memory of 1896    1296   RtDCpl64.exe                                                             36              4
PID 1296 wrote to memory of 1744    1296   RtDCpl64.exe                                                             37              6
PID 1296 wrote to memory of 1892    1296   RtDCpl64.exe                                                             38              4
PID 1744 wrote to memory of 684     1744   RtDCpl64.exe                                                             40              6
PID 1512 wrote to memory of 548     1512   taskeng.exe                                                              44              4
PID 548 wrote to memory of 1084     548    RtDCpl64.exe                                                             45              4
PID 548 wrote to memory of 876      548    RtDCpl64.exe                                                             46              6
PID 876 wrote to memory of 1748     876    RtDCpl64.exe                                                             47              2
Note that every ordinary child launch also produces WriteProcessMemory rows here (taskeng.exe starting RtDCpl64.exe, the sample starting schtasks.exe), so this signature on its own is noise; the pairs that matter are the ones that also appear in the SetThreadContext table (1612→528, 1296→1744, 548→876). The listing stops at exactly 64 entries and shows only two writes for 876→1748 and none for PID 1276, so it appears capped rather than complete.
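The SetThreadContext and WriteProcessMemory tables are only useful together, which is the correlation a detection engineer would write. The following is an added example and not part of the sandbox report: the event list is constructed from the caller/target pairs in the two tables above (one row per distinct pair, order as the report lists them), and the rule flags a target that its parent both wrote into and re-pointed with SetThreadContext, marking the same-image case that this sample shows. Event field names and the helper functions are the example's own.

```python
"""Flag process hollowing by correlating WriteProcessMemory with SetThreadContext.

Added example; not part of the sandbox report. EVENTS is constructed from the
report's two API tables, one row per distinct caller/target pair.
"""
from collections import defaultdict
from dataclasses import dataclass

SAMPLE = "5f295056312c29a827c5b6d97d98d7d7330931ad6a7b6697763a6954314a08d3.exe"


@dataclass(frozen=True)
class ApiEvent:
    api: str           # "WriteProcessMemory" or "SetThreadContext"
    pid: int           # calling process
    image: str         # calling process image name
    target_pid: int    # process written to / whose thread was re-pointed
    target_image: str


# Constructed from the report. Ordinary child launches also produce
# WriteProcessMemory rows (taskeng.exe -> RtDCpl64.exe, sample -> schtasks.exe),
# so that API alone is not the indicator.
EVENTS = [
    ApiEvent("WriteProcessMemory", 1612, SAMPLE, 1872, "Blasthost.exe"),
    ApiEvent("WriteProcessMemory", 1872, "Blasthost.exe", 760, "Host.exe"),
    ApiEvent("WriteProcessMemory", 1612, SAMPLE, 528, SAMPLE),
    ApiEvent("SetThreadContext", 1612, SAMPLE, 528, SAMPLE),
    ApiEvent("WriteProcessMemory", 1612, SAMPLE, 1688, "schtasks.exe"),
    ApiEvent("WriteProcessMemory", 1512, "taskeng.exe", 1296, "RtDCpl64.exe"),
    ApiEvent("WriteProcessMemory", 1296, "RtDCpl64.exe", 1896, "Blasthost.exe"),
    ApiEvent("WriteProcessMemory", 1296, "RtDCpl64.exe", 1744, "RtDCpl64.exe"),
    ApiEvent("SetThreadContext", 1296, "RtDCpl64.exe", 1744, "RtDCpl64.exe"),
    ApiEvent("WriteProcessMemory", 1296, "RtDCpl64.exe", 1892, "schtasks.exe"),
]


def find_hollowing(events):
    """Return one dict per target that its parent both wrote into and then
    re-pointed via SetThreadContext. ``self_image`` marks the strongest
    variant: the target runs the caller's own executable, i.e. the parent is
    hollowing a second copy of itself, as this sample does."""
    writes = defaultdict(int)
    for e in events:
        if e.api == "WriteProcessMemory":
            writes[(e.pid, e.target_pid)] += 1
    hits = []
    for e in events:
        if e.api != "SetThreadContext" or (e.pid, e.target_pid) not in writes:
            continue
        hits.append({
            "parent_pid": e.pid,
            "parent_image": e.image,
            "target_pid": e.target_pid,
            "target_image": e.target_image,
            "writes_to_target": writes[(e.pid, e.target_pid)],
            "self_image": e.image.lower() == e.target_image.lower(),
        })
    return hits


def write_only_targets(events):
    """Caller/target pairs that were written to but never had a thread context
    set; in a launcher these are normally just CreateProcess children."""
    hollowed = {(h["parent_pid"], h["target_pid"]) for h in find_hollowing(events)}
    return sorted({(e.pid, e.target_pid) for e in events
                   if e.api == "WriteProcessMemory"
                   and (e.pid, e.target_pid) not in hollowed})


if __name__ == "__main__":
    for hit in find_hollowing(EVENTS):
        print(hit)
    print("plain children:", write_only_targets(EVENTS))
```

The rule deliberately ignores write counts and process names; the discriminator is the combination of the two APIs on one parent/child pair, and the same-image check is what separates this sample's self-hollowing from a process that injects into an unrelated host.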
Processes
Indentation shows parent/child depth. "cmdline" is the command line as recorded; it can differ from the image path when a 32-bit process is redirected to SysWOW64 (cmd.exe below is invoked as System32\cmd.exe but runs from SysWOW64).

PID:1612  C:\Users\Admin\AppData\Local\Temp\5f295056312c29a827c5b6d97d98d7d7330931ad6a7b6697763a6954314a08d3.exe
  cmdline: "C:\Users\Admin\AppData\Local\Temp\5f295056312c29a827c5b6d97d98d7d7330931ad6a7b6697763a6954314a08d3.exe"
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:1872  C:\Users\Admin\AppData\Roaming\Blasthost.exe
    cmdline: "C:\Users\Admin\AppData\Roaming\Blasthost.exe"
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:760  C:\Users\Admin\AppData\Roaming\Imgburn\Host.exe
      cmdline: "C:\Users\Admin\AppData\Roaming\Imgburn\Host.exe"
      - Executes dropped EXE
  PID:528  C:\Users\Admin\AppData\Local\Temp\5f295056312c29a827c5b6d97d98d7d7330931ad6a7b6697763a6954314a08d3.exe
    cmdline: "C:\Users\Admin\AppData\Local\Temp\5f295056312c29a827c5b6d97d98d7d7330931ad6a7b6697763a6954314a08d3.exe"
    - Suspicious use of WriteProcessMemory
    PID:1792  C:\Windows\SysWOW64\cmd.exe
      cmdline: "C:\Windows\System32\cmd.exe"
  PID:1688  C:\Windows\SysWOW64\schtasks.exe
    cmdline: "C:\Windows\SysWOW64\schtasks.exe" /create /tn raserver /tr "C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe" /sc minute /mo 1 /F
    - Creates scheduled task(s)

PID:1512  C:\Windows\system32\taskeng.exe
  cmdline: taskeng.exe {E1027CB4-F827-46D3-B4A8-974D784AD200} S-1-5-21-3846991908-3261386348-1409841751-1000:VQVVOAJK\Admin:Interactive:[1]
  - Suspicious use of WriteProcessMemory
  PID:1296  C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
    cmdline: C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:1896  C:\Users\Admin\AppData\Roaming\Blasthost.exe
      cmdline: "C:\Users\Admin\AppData\Roaming\Blasthost.exe"
      - Executes dropped EXE
    PID:1744  C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
      cmdline: "C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe"
      - Executes dropped EXE
      - Suspicious use of WriteProcessMemory
      PID:684  C:\Windows\SysWOW64\cmd.exe
        cmdline: "C:\Windows\System32\cmd.exe"
    PID:1892  C:\Windows\SysWOW64\schtasks.exe
      cmdline: "C:\Windows\SysWOW64\schtasks.exe" /create /tn raserver /tr "C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe" /sc minute /mo 1 /F
      - Creates scheduled task(s)
  PID:548  C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
    cmdline: C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:1084  C:\Users\Admin\AppData\Roaming\Blasthost.exe
      cmdline: "C:\Users\Admin\AppData\Roaming\Blasthost.exe"
      - Executes dropped EXE
    PID:876  C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
      cmdline: "C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe"
      - Executes dropped EXE
      - Suspicious use of WriteProcessMemory
      PID:1748  C:\Windows\SysWOW64\cmd.exe
        cmdline: "C:\Windows\System32\cmd.exe"
    PID:1180  C:\Windows\SysWOW64\schtasks.exe
      cmdline: "C:\Windows\SysWOW64\schtasks.exe" /create /tn raserver /tr "C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe" /sc minute /mo 1 /F
      - Creates scheduled task(s)
  PID:1276  C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
    cmdline: C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    PID:1988  C:\Users\Admin\AppData\Roaming\Blasthost.exe
      cmdline: "C:\Users\Admin\AppData\Roaming\Blasthost.exe"
      - Executes dropped EXE
    PID:2028  C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
      cmdline: "C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe"
      - Executes dropped EXE
      PID:1804  C:\Windows\SysWOW64\cmd.exe
        cmdline: "C:\Windows\System32\cmd.exe"
    PID:1724  C:\Windows\SysWOW64\schtasks.exe
      cmdline: "C:\Windows\SysWOW64\schtasks.exe" /create /tn raserver /tr "C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe" /sc minute /mo 1 /F
      - Creates scheduled task(s)