Analysis
- max time kernel: 166s
- max time network: 165s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 17/02/2022, 02:51
Behavioral task: behavioral1
- Sample: 5ea63c4a2c542c7b4ba62995a05ced17358b02728323365ec924c7d42e88e00d.exe
- Resource: win7-en-20211208

Behavioral task: behavioral2
- Sample: 5ea63c4a2c542c7b4ba62995a05ced17358b02728323365ec924c7d42e88e00d.exe
- Resource: win10v2004-en-20220112
General
- Target: 5ea63c4a2c542c7b4ba62995a05ced17358b02728323365ec924c7d42e88e00d.exe
- Size: 1.3MB
- MD5: ca6993e72069dfdcf1313fc5478a646f
- SHA1: 9d4110d9d98a5e1c132d6c8b512925a8be193c93
- SHA256: 5ea63c4a2c542c7b4ba62995a05ced17358b02728323365ec924c7d42e88e00d
- SHA512: 2e17366278c3d99ad172bb463e6cd317cef8ef9ef26d707de3a604a1f0d6bafb8c27107e231cd906337c85308c511d73b0e2a8e037ba8449e9a19e2b83d1ed4d
Malware Config
Extracted
- warzonerat
- wealth.warzonedns.com:5202
Signatures

NetWire RAT payload (25 IoCs)
resource | yara_rule
- behavioral1/files/0x0008000000012284-56.dat | netwire
- behavioral1/files/0x0008000000012284-57.dat | netwire
- behavioral1/files/0x0008000000012284-58.dat | netwire
- behavioral1/files/0x0008000000012284-59.dat | netwire
- behavioral1/files/0x0008000000012284-60.dat | netwire
- behavioral1/files/0x0008000000012284-73.dat | netwire
- behavioral1/files/0x0006000000012634-74.dat | netwire
- behavioral1/files/0x0006000000012634-75.dat | netwire
- behavioral1/files/0x0006000000012634-76.dat | netwire
- behavioral1/files/0x00070000000125df-81.dat | netwire
- behavioral1/files/0x00070000000125df-82.dat | netwire
- behavioral1/files/0x0008000000012284-84.dat | netwire
- behavioral1/files/0x0008000000012284-85.dat | netwire
- behavioral1/files/0x0008000000012284-87.dat | netwire
- behavioral1/files/0x0008000000012284-86.dat | netwire
- behavioral1/files/0x0008000000012284-88.dat | netwire
- behavioral1/files/0x0006000000012634-90.dat | netwire
- behavioral1/files/0x00070000000125df-99.dat | netwire
- behavioral1/files/0x0008000000012284-106.dat | netwire
- behavioral1/files/0x00070000000125df-107.dat | netwire
- behavioral1/files/0x0008000000012284-111.dat | netwire
- behavioral1/files/0x0008000000012284-112.dat | netwire
- behavioral1/files/0x0008000000012284-110.dat | netwire
- behavioral1/files/0x0008000000012284-109.dat | netwire
- behavioral1/files/0x00070000000125df-122.dat | netwire
WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.

Warzone RAT Payload (4 IoCs)
resource | yara_rule
- behavioral1/memory/1216-63-0x00000000001E0000-0x00000000001FD000-memory.dmp | warzonerat
- behavioral1/memory/1216-72-0x00000000001E0000-0x00000000001FD000-memory.dmp | warzonerat
- behavioral1/memory/1912-92-0x00000000000C0000-0x00000000000DD000-memory.dmp | warzonerat
- behavioral1/memory/1912-102-0x00000000000C0000-0x00000000000DD000-memory.dmp | warzonerat
Executes dropped EXE (8 IoCs)
pid | Process
- 460 | Blasthost.exe
- 1156 | Host.exe
- 2036 | RtDCpl64.exe
- 1148 | Blasthost.exe
- 1912 | RtDCpl64.exe
- 1188 | RtDCpl64.exe
- 1172 | Blasthost.exe
- 1964 | RtDCpl64.exe
Loads dropped DLL (13 IoCs)
pid | Process
- 1428 | 5ea63c4a2c542c7b4ba62995a05ced17358b02728323365ec924c7d42e88e00d.exe
- 1428 | 5ea63c4a2c542c7b4ba62995a05ced17358b02728323365ec924c7d42e88e00d.exe
- 1428 | 5ea63c4a2c542c7b4ba62995a05ced17358b02728323365ec924c7d42e88e00d.exe
- 1428 | 5ea63c4a2c542c7b4ba62995a05ced17358b02728323365ec924c7d42e88e00d.exe
- 460 | Blasthost.exe
- 460 | Blasthost.exe
- 2036 | RtDCpl64.exe
- 2036 | RtDCpl64.exe
- 2036 | RtDCpl64.exe
- 2036 | RtDCpl64.exe
- 1188 | RtDCpl64.exe
- 1188 | RtDCpl64.exe
- 1188 | RtDCpl64.exe
Suspicious use of SetThreadContext (3 IoCs)
description | pid | Process | procid_target
- PID 1428 set thread context of 1216 | 1428 | 5ea63c4a2c542c7b4ba62995a05ced17358b02728323365ec924c7d42e88e00d.exe | 28
- PID 2036 set thread context of 1912 | 2036 | RtDCpl64.exe | 39
- PID 1188 set thread context of 1964 | 1188 | RtDCpl64.exe | 46
autoit_exe (5 IoCs)
AutoIT scripts compiled to PE executables.
resource | yara_rule
- behavioral1/files/0x00070000000125df-81.dat | autoit_exe
- behavioral1/files/0x00070000000125df-82.dat | autoit_exe
- behavioral1/files/0x00070000000125df-99.dat | autoit_exe
- behavioral1/files/0x00070000000125df-107.dat | autoit_exe
- behavioral1/files/0x00070000000125df-122.dat | autoit_exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Creates scheduled task(s) (1 TTPs, 3 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid | Process
- 916 | schtasks.exe
- 1744 | schtasks.exe
- 916 | schtasks.exe
Suspicious use of WriteProcessMemory (64 IoCs)
Processes
- C:\Users\Admin\AppData\Local\Temp\5ea63c4a2c542c7b4ba62995a05ced17358b02728323365ec924c7d42e88e00d.exe (PID 1428)
  Command line: "C:\Users\Admin\AppData\Local\Temp\5ea63c4a2c542c7b4ba62995a05ced17358b02728323365ec924c7d42e88e00d.exe"
  Signatures: Loads dropped DLL; Suspicious use of SetThreadContext; Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Roaming\Blasthost.exe (PID 460)
    Command line: "C:\Users\Admin\AppData\Roaming\Blasthost.exe"
    Signatures: Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Roaming\Imgburn\Host.exe (PID 1156)
      Command line: "C:\Users\Admin\AppData\Roaming\Imgburn\Host.exe"
      Signatures: Executes dropped EXE
  - C:\Users\Admin\AppData\Local\Temp\5ea63c4a2c542c7b4ba62995a05ced17358b02728323365ec924c7d42e88e00d.exe (PID 1216)
    Command line: "C:\Users\Admin\AppData\Local\Temp\5ea63c4a2c542c7b4ba62995a05ced17358b02728323365ec924c7d42e88e00d.exe"
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\cmd.exe (PID 872)
      Command line: "C:\Windows\System32\cmd.exe"
  - C:\Windows\SysWOW64\schtasks.exe (PID 916)
    Command line: "C:\Windows\SysWOW64\schtasks.exe" /create /tn raserver /tr "C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe" /sc minute /mo 1 /F
    Signatures: Creates scheduled task(s)
- C:\Windows\system32\taskeng.exe (PID 360)
  Command line: taskeng.exe {961FEB21-5EF7-44F0-94EF-90AA33219891} S-1-5-21-2329389628-4064185017-3901522362-1000:QSKGHMYQ\Admin:Interactive:[1]
  Signatures: Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe (PID 2036)
    Command line: C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
    Signatures: Executes dropped EXE; Loads dropped DLL; Suspicious use of SetThreadContext; Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Roaming\Blasthost.exe (PID 1148)
      Command line: "C:\Users\Admin\AppData\Roaming\Blasthost.exe"
      Signatures: Executes dropped EXE
    - C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe (PID 1912)
      Command line: "C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe"
      Signatures: Executes dropped EXE; Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\cmd.exe (PID 1668)
        Command line: "C:\Windows\System32\cmd.exe"
    - C:\Windows\SysWOW64\schtasks.exe (PID 1744)
      Command line: "C:\Windows\SysWOW64\schtasks.exe" /create /tn raserver /tr "C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe" /sc minute /mo 1 /F
      Signatures: Creates scheduled task(s)
  - C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe (PID 1188)
    Command line: C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
    Signatures: Executes dropped EXE; Loads dropped DLL; Suspicious use of SetThreadContext; Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Roaming\Blasthost.exe (PID 1172)
      Command line: "C:\Users\Admin\AppData\Roaming\Blasthost.exe"
      Signatures: Executes dropped EXE
    - C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe (PID 1964)
      Command line: "C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe"
      Signatures: Executes dropped EXE; Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\cmd.exe (PID 1052)
        Command line: "C:\Windows\System32\cmd.exe"
    - C:\Windows\SysWOW64\schtasks.exe (PID 916)
      Command line: "C:\Windows\SysWOW64\schtasks.exe" /create /tn raserver /tr "C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe" /sc minute /mo 1 /F
      Signatures: Creates scheduled task(s)