Analysis
max time kernel: 163s
max time network: 136s
platform: windows7_x64
resource: win7-en-20211208
submitted: 17/02/2022, 02:50
Behavioral task: behavioral1
Sample: 5eaea71b3861fe7127ac68929b357587d1f29a5a9f8d4cc1b184ef142308dd4e.exe
Resource: win7-en-20211208

Behavioral task: behavioral2
Sample: 5eaea71b3861fe7127ac68929b357587d1f29a5a9f8d4cc1b184ef142308dd4e.exe
Resource: win10v2004-en-20220112
General
Target: 5eaea71b3861fe7127ac68929b357587d1f29a5a9f8d4cc1b184ef142308dd4e.exe
Size: 1.3MB
MD5: 3cb0236969a2ff8768a00c408f607b92
SHA1: 2ad7048a2242149a632aa30f4ab21faca74330ab
SHA256: 5eaea71b3861fe7127ac68929b357587d1f29a5a9f8d4cc1b184ef142308dd4e
SHA512: c0a3d01a45ece6012721fb6dd4a3c7e158cb964cd1b263072a33d64eff2e9983134eb3f49280e0a56e1428e56b21e8cf20af65494d9d135581ddb7b40380788e
Malware Config
Extracted
Family: warzonerat
C2: wealth.warzonedns.com:5202
Signatures

NetWire RAT payload (25 IoCs)
resource  yara_rule
behavioral1/files/0x00070000000133dd-56.dat  netwire
behavioral1/files/0x00070000000133dd-57.dat  netwire
behavioral1/files/0x00070000000133dd-58.dat  netwire
behavioral1/files/0x00070000000133dd-59.dat  netwire
behavioral1/files/0x00070000000133dd-60.dat  netwire
behavioral1/files/0x00070000000133dd-73.dat  netwire
behavioral1/files/0x0006000000013902-74.dat  netwire
behavioral1/files/0x0006000000013902-75.dat  netwire
behavioral1/files/0x0006000000013902-76.dat  netwire
behavioral1/files/0x00070000000138e6-81.dat  netwire
behavioral1/files/0x00070000000138e6-82.dat  netwire
behavioral1/files/0x00070000000133dd-87.dat  netwire
behavioral1/files/0x00070000000133dd-86.dat  netwire
behavioral1/files/0x00070000000133dd-85.dat  netwire
behavioral1/files/0x00070000000133dd-84.dat  netwire
behavioral1/files/0x00070000000133dd-88.dat  netwire
behavioral1/files/0x00070000000138e6-97.dat  netwire
behavioral1/files/0x0006000000013902-101.dat  netwire
behavioral1/files/0x00070000000133dd-105.dat  netwire
behavioral1/files/0x00070000000138e6-106.dat  netwire
behavioral1/files/0x00070000000133dd-110.dat  netwire
behavioral1/files/0x00070000000133dd-109.dat  netwire
behavioral1/files/0x00070000000133dd-108.dat  netwire
behavioral1/files/0x00070000000133dd-111.dat  netwire
behavioral1/files/0x00070000000138e6-120.dat  netwire
WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
Warzone RAT Payload (2 IoCs)
resource  yara_rule
behavioral1/memory/996-63-0x0000000000080000-0x000000000009D000-memory.dmp  warzonerat
behavioral1/memory/996-72-0x0000000000080000-0x000000000009D000-memory.dmp  warzonerat
Executes dropped EXE (8 IoCs)
pid   Process
1608  Blasthost.exe
240   Host.exe
1724  RtDCpl64.exe
1948  Blasthost.exe
1164  RtDCpl64.exe
1600  RtDCpl64.exe
960   Blasthost.exe
968   RtDCpl64.exe
Loads dropped DLL (13 IoCs)
pid   Process
1632  5eaea71b3861fe7127ac68929b357587d1f29a5a9f8d4cc1b184ef142308dd4e.exe
1632  5eaea71b3861fe7127ac68929b357587d1f29a5a9f8d4cc1b184ef142308dd4e.exe
1632  5eaea71b3861fe7127ac68929b357587d1f29a5a9f8d4cc1b184ef142308dd4e.exe
1632  5eaea71b3861fe7127ac68929b357587d1f29a5a9f8d4cc1b184ef142308dd4e.exe
1608  Blasthost.exe
1608  Blasthost.exe
1724  RtDCpl64.exe
1724  RtDCpl64.exe
1724  RtDCpl64.exe
1724  RtDCpl64.exe
1600  RtDCpl64.exe
1600  RtDCpl64.exe
1600  RtDCpl64.exe
Suspicious use of SetThreadContext (3 IoCs)
description  pid  Process  procid_target
PID 1632 set thread context of 996   1632  5eaea71b3861fe7127ac68929b357587d1f29a5a9f8d4cc1b184ef142308dd4e.exe  28
PID 1724 set thread context of 1164  1724  RtDCpl64.exe  39
PID 1600 set thread context of 968   1600  RtDCpl64.exe  46
autoit_exe (5 IoCs)
AutoIT scripts compiled to PE executables.
resource  yara_rule
behavioral1/files/0x00070000000138e6-81.dat  autoit_exe
behavioral1/files/0x00070000000138e6-82.dat  autoit_exe
behavioral1/files/0x00070000000138e6-97.dat  autoit_exe
behavioral1/files/0x00070000000138e6-106.dat  autoit_exe
behavioral1/files/0x00070000000138e6-120.dat  autoit_exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Creates scheduled task(s) (1 TTPs, 3 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid   Process
1984  schtasks.exe
1916  schtasks.exe
1552  schtasks.exe
Suspicious use of WriteProcessMemory (64 IoCs)
description  pid  Process  procid_target  count
PID 1632 wrote to memory of 1608  1632  5eaea71b3861fe7127ac68929b357587d1f29a5a9f8d4cc1b184ef142308dd4e.exe  27  4
PID 1632 wrote to memory of 996   1632  5eaea71b3861fe7127ac68929b357587d1f29a5a9f8d4cc1b184ef142308dd4e.exe  28  6
PID 1608 wrote to memory of 240   1608  Blasthost.exe  29  4
PID 996 wrote to memory of 1380   996   5eaea71b3861fe7127ac68929b357587d1f29a5a9f8d4cc1b184ef142308dd4e.exe  30  4
PID 1632 wrote to memory of 1984  1632  5eaea71b3861fe7127ac68929b357587d1f29a5a9f8d4cc1b184ef142308dd4e.exe  32  4
PID 996 wrote to memory of 1380   996   5eaea71b3861fe7127ac68929b357587d1f29a5a9f8d4cc1b184ef142308dd4e.exe  30  2
PID 1736 wrote to memory of 1724  1736  taskeng.exe   37  4
PID 1724 wrote to memory of 1948  1724  RtDCpl64.exe  38  4
PID 1724 wrote to memory of 1164  1724  RtDCpl64.exe  39  6
PID 1164 wrote to memory of 1964  1164  RtDCpl64.exe  40  4
PID 1724 wrote to memory of 1916  1724  RtDCpl64.exe  42  4
PID 1164 wrote to memory of 1964  1164  RtDCpl64.exe  40  2
PID 1736 wrote to memory of 1600  1736  taskeng.exe   44  4
PID 1600 wrote to memory of 960   1600  RtDCpl64.exe  45  4
PID 1600 wrote to memory of 968   1600  RtDCpl64.exe  46  6
PID 968 wrote to memory of 420    968   RtDCpl64.exe  47  2
Processes

C:\Users\Admin\AppData\Local\Temp\5eaea71b3861fe7127ac68929b357587d1f29a5a9f8d4cc1b184ef142308dd4e.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\5eaea71b3861fe7127ac68929b357587d1f29a5a9f8d4cc1b184ef142308dd4e.exe"
  PID: 1632
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Roaming\Blasthost.exe
    Command line: "C:\Users\Admin\AppData\Roaming\Blasthost.exe"
    PID: 1608
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Roaming\Imgburn\Host.exe
      Command line: "C:\Users\Admin\AppData\Roaming\Imgburn\Host.exe"
      PID: 240
      - Executes dropped EXE

  C:\Users\Admin\AppData\Local\Temp\5eaea71b3861fe7127ac68929b357587d1f29a5a9f8d4cc1b184ef142308dd4e.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\5eaea71b3861fe7127ac68929b357587d1f29a5a9f8d4cc1b184ef142308dd4e.exe"
    PID: 996
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe"
      PID: 1380

  C:\Windows\SysWOW64\schtasks.exe
    Command line: "C:\Windows\SysWOW64\schtasks.exe" /create /tn raserver /tr "C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe" /sc minute /mo 1 /F
    PID: 1984
    - Creates scheduled task(s)

C:\Windows\system32\taskeng.exe
  Command line: taskeng.exe {4696E8DB-F86F-443E-8C32-D3CCE292D8AB} S-1-5-21-2329389628-4064185017-3901522362-1000:QSKGHMYQ\Admin:Interactive:[1]
  PID: 1736
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
    Command line: C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
    PID: 1724
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Roaming\Blasthost.exe
      Command line: "C:\Users\Admin\AppData\Roaming\Blasthost.exe"
      PID: 1948
      - Executes dropped EXE

    C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
      Command line: "C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe"
      PID: 1164
      - Executes dropped EXE
      - Suspicious use of WriteProcessMemory

      C:\Windows\SysWOW64\cmd.exe
        Command line: "C:\Windows\System32\cmd.exe"
        PID: 1964

    C:\Windows\SysWOW64\schtasks.exe
      Command line: "C:\Windows\SysWOW64\schtasks.exe" /create /tn raserver /tr "C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe" /sc minute /mo 1 /F
      PID: 1916
      - Creates scheduled task(s)

  C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
    Command line: C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
    PID: 1600
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Roaming\Blasthost.exe
      Command line: "C:\Users\Admin\AppData\Roaming\Blasthost.exe"
      PID: 960
      - Executes dropped EXE

    C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
      Command line: "C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe"
      PID: 968
      - Executes dropped EXE
      - Suspicious use of WriteProcessMemory

      C:\Windows\SysWOW64\cmd.exe
        Command line: "C:\Windows\System32\cmd.exe"
        PID: 420

    C:\Windows\SysWOW64\schtasks.exe
      Command line: "C:\Windows\SysWOW64\schtasks.exe" /create /tn raserver /tr "C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe" /sc minute /mo 1 /F
      PID: 1552
      - Creates scheduled task(s)