Analysis
max time kernel: 156s
max time network: 129s
platform: windows7_x64
resource: win7-en-20211208
submitted: 17/02/2022, 02:50
Behavioral task: behavioral1
Sample: 5eba7a145c12b469668b7241b085fc773db33dd32843f77391d23e909bb58602.exe
Resource: win7-en-20211208
Behavioral task: behavioral2
Sample: 5eba7a145c12b469668b7241b085fc773db33dd32843f77391d23e909bb58602.exe
Resource: win10v2004-en-20220113
General
Target: 5eba7a145c12b469668b7241b085fc773db33dd32843f77391d23e909bb58602.exe
Size: 1.3MB
MD5: df102e082f05670d78d31cfa673199ff
SHA1: 5a1a74750b1042c74f0abe8194824ea46a6cad08
SHA256: 5eba7a145c12b469668b7241b085fc773db33dd32843f77391d23e909bb58602
SHA512: 425008882b8f74e09e60610630501d5df6fa8d17c317a493da791026476c7d38785ff57706e74c9e04b25ef370188a818461a68315ea5750d8062830578cff92
Malware Config
Extracted family: warzonerat
C2: wealth.warzonedns.com:5202
Signatures
NetWire RAT payload 25 IoCs
WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
Warzone RAT Payload 2 IoCs
behavioral1/memory/1776-67-0x0000000000080000-0x000000000009D000-memory.dmp (yara rule: warzonerat)
behavioral1/memory/1776-75-0x0000000000080000-0x000000000009D000-memory.dmp (yara rule: warzonerat)
Executes dropped EXE 8 IoCs
PID 568: Blasthost.exe
PID 1288: Host.exe
PID 2036: RtDCpl64.exe
PID 1500: Blasthost.exe
PID 1076: RtDCpl64.exe
PID 864: RtDCpl64.exe
PID 1200: Blasthost.exe
PID 1916: RtDCpl64.exe
Loads dropped DLL 13 IoCs
Suspicious use of SetThreadContext 3 IoCs
PID 524 set thread context of 1776 (process 5eba7a145c12b469668b7241b085fc773db33dd32843f77391d23e909bb58602.exe, target procid 29)
PID 2036 set thread context of 1076 (process RtDCpl64.exe, target procid 37)
PID 864 set thread context of 1916 (process RtDCpl64.exe, target procid 46)
autoit_exe 5 IoCs
AutoIT scripts compiled to PE executables.
behavioral1/files/0x0006000000013018-79.dat (yara rule: autoit_exe)
behavioral1/files/0x0006000000013018-80.dat (yara rule: autoit_exe)
behavioral1/files/0x0006000000013018-97.dat (yara rule: autoit_exe)
behavioral1/files/0x0006000000013018-104.dat (yara rule: autoit_exe)
behavioral1/files/0x0006000000013018-119.dat (yara rule: autoit_exe)
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Creates scheduled task(s) 1 TTPs 3 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
PID 988: schtasks.exe
PID 2028: schtasks.exe
PID 1080: schtasks.exe
Suspicious use of WriteProcessMemory 64 IoCs
Processes

Depth 1: C:\Users\Admin\AppData\Local\Temp\5eba7a145c12b469668b7241b085fc773db33dd32843f77391d23e909bb58602.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\5eba7a145c12b469668b7241b085fc773db33dd32843f77391d23e909bb58602.exe"
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID: 524

  Depth 2: C:\Users\Admin\AppData\Roaming\Blasthost.exe
    Command line: "C:\Users\Admin\AppData\Roaming\Blasthost.exe"
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID: 568

    Depth 3: C:\Users\Admin\AppData\Roaming\Imgburn\Host.exe
      Command line: "C:\Users\Admin\AppData\Roaming\Imgburn\Host.exe"
      - Executes dropped EXE
      PID: 1288

  Depth 2: C:\Users\Admin\AppData\Local\Temp\5eba7a145c12b469668b7241b085fc773db33dd32843f77391d23e909bb58602.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\5eba7a145c12b469668b7241b085fc773db33dd32843f77391d23e909bb58602.exe"
    - Suspicious use of WriteProcessMemory
    PID: 1776

    Depth 3: C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe"
      PID: 396

  Depth 2: C:\Windows\SysWOW64\schtasks.exe
    Command line: "C:\Windows\SysWOW64\schtasks.exe" /create /tn raserver /tr "C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe" /sc minute /mo 1 /F
    - Creates scheduled task(s)
    PID: 988

Depth 1: C:\Windows\system32\taskeng.exe
  Command line: taskeng.exe {1DBCAB8A-6442-4D5B-9801-FC7DCAF45104} S-1-5-21-3846991908-3261386348-1409841751-1000:VQVVOAJK\Admin:Interactive:[1]
  - Suspicious use of WriteProcessMemory
  PID: 1004

  Depth 2: C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
    Command line: C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID: 2036

    Depth 3: C:\Users\Admin\AppData\Roaming\Blasthost.exe
      Command line: "C:\Users\Admin\AppData\Roaming\Blasthost.exe"
      - Executes dropped EXE
      PID: 1500

    Depth 3: C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
      Command line: "C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe"
      - Executes dropped EXE
      - Suspicious use of WriteProcessMemory
      PID: 1076

      Depth 4: C:\Windows\SysWOW64\cmd.exe
        Command line: "C:\Windows\System32\cmd.exe"
        PID: 1312

    Depth 3: C:\Windows\SysWOW64\schtasks.exe
      Command line: "C:\Windows\SysWOW64\schtasks.exe" /create /tn raserver /tr "C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe" /sc minute /mo 1 /F
      - Creates scheduled task(s)
      PID: 2028

  Depth 2: C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
    Command line: C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID: 864

    Depth 3: C:\Users\Admin\AppData\Roaming\Blasthost.exe
      Command line: "C:\Users\Admin\AppData\Roaming\Blasthost.exe"
      - Executes dropped EXE
      PID: 1200

    Depth 3: C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
      Command line: "C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe"
      - Executes dropped EXE
      - Suspicious use of WriteProcessMemory
      PID: 1916

      Depth 4: C:\Windows\SysWOW64\cmd.exe
        Command line: "C:\Windows\System32\cmd.exe"
        PID: 1224

    Depth 3: C:\Windows\SysWOW64\schtasks.exe
      Command line: "C:\Windows\SysWOW64\schtasks.exe" /create /tn raserver /tr "C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe" /sc minute /mo 1 /F
      - Creates scheduled task(s)
      PID: 1080