Analysis
- max time kernel: 166s
- max time network: 175s
- platform: windows10-2004_x64
- resource: win10v2004-en-20220113
- submitted: 17/02/2022, 02:50
Behavioral task: behavioral1
- Sample: 5eba7a145c12b469668b7241b085fc773db33dd32843f77391d23e909bb58602.exe
- Resource: win7-en-20211208
Behavioral task: behavioral2
- Sample: 5eba7a145c12b469668b7241b085fc773db33dd32843f77391d23e909bb58602.exe
- Resource: win10v2004-en-20220113
General
- Target: 5eba7a145c12b469668b7241b085fc773db33dd32843f77391d23e909bb58602.exe
- Size: 1.3MB
- MD5: df102e082f05670d78d31cfa673199ff
- SHA1: 5a1a74750b1042c74f0abe8194824ea46a6cad08
- SHA256: 5eba7a145c12b469668b7241b085fc773db33dd32843f77391d23e909bb58602
- SHA512: 425008882b8f74e09e60610630501d5df6fa8d17c317a493da791026476c7d38785ff57706e74c9e04b25ef370188a818461a68315ea5750d8062830578cff92
Malware Config
Extracted
- Family: warzonerat
- C2: wealth.warzonedns.com:5202
Signatures

NetWire RAT payload (15 IoCs)
resource / yara_rule
- behavioral2/files/0x000300000000072f-130.dat netwire
- behavioral2/files/0x000300000000072f-131.dat netwire
- behavioral2/files/0x0004000000016298-141.dat netwire
- behavioral2/files/0x0004000000016298-142.dat netwire
- behavioral2/files/0x00070000000162aa-147.dat netwire
- behavioral2/files/0x00070000000162aa-148.dat netwire
- behavioral2/files/0x000300000000072f-149.dat netwire
- behavioral2/files/0x00070000000162aa-157.dat netwire
- behavioral2/files/0x000300000000072f-161.dat netwire
- behavioral2/files/0x00070000000162aa-162.dat netwire
- behavioral2/files/0x000300000000072f-163.dat netwire
- behavioral2/files/0x00070000000162aa-171.dat netwire
- behavioral2/files/0x00070000000162aa-175.dat netwire
- behavioral2/files/0x000300000000072f-176.dat netwire
- behavioral2/files/0x00070000000162aa-184.dat netwire
WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
Warzone RAT Payload (4 IoCs)
resource / yara_rule
- behavioral2/memory/2624-132-0x00000000002D0000-0x00000000002ED000-memory.dmp warzonerat
- behavioral2/memory/2624-140-0x00000000002D0000-0x00000000002ED000-memory.dmp warzonerat
- behavioral2/memory/5084-150-0x0000000000400000-0x000000000041D000-memory.dmp warzonerat
- behavioral2/memory/5084-158-0x0000000000400000-0x000000000041D000-memory.dmp warzonerat
Executes dropped EXE (11 IoCs)
pid / Process
- 3468 Blasthost.exe
- 4708 Host.exe
- 1092 RtDCpl64.exe
- 1136 Blasthost.exe
- 5084 RtDCpl64.exe
- 3916 RtDCpl64.exe
- 3804 Blasthost.exe
- 3400 RtDCpl64.exe
- 1792 RtDCpl64.exe
- 2192 Blasthost.exe
- 4908 RtDCpl64.exe
Checks computer location settings (2 TTPs, 4 IoCs)
Looks up country code configured in the registry, likely geofence.
description / ioc / Process
- Key value queried \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation 5eba7a145c12b469668b7241b085fc773db33dd32843f77391d23e909bb58602.exe
- Key value queried \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation RtDCpl64.exe
- Key value queried \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation RtDCpl64.exe
- Key value queried \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation RtDCpl64.exe
Suspicious use of SetThreadContext (4 IoCs)
description / pid / Process / procid_target
- PID 4892 set thread context of 2624 (5eba7a145c12b469668b7241b085fc773db33dd32843f77391d23e909bb58602.exe, procid_target 83)
- PID 1092 set thread context of 5084 (RtDCpl64.exe, procid_target 103)
- PID 3916 set thread context of 3400 (RtDCpl64.exe, procid_target 115)
- PID 1792 set thread context of 4908 (RtDCpl64.exe, procid_target 127)
autoit_exe (7 IoCs)
AutoIT scripts compiled to PE executables.
resource / yara_rule
- behavioral2/files/0x00070000000162aa-147.dat autoit_exe
- behavioral2/files/0x00070000000162aa-148.dat autoit_exe
- behavioral2/files/0x00070000000162aa-157.dat autoit_exe
- behavioral2/files/0x00070000000162aa-162.dat autoit_exe
- behavioral2/files/0x00070000000162aa-171.dat autoit_exe
- behavioral2/files/0x00070000000162aa-175.dat autoit_exe
- behavioral2/files/0x00070000000162aa-184.dat autoit_exe
Drops file in Windows directory (8 IoCs)
description / ioc / Process
- File opened for modification C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log svchost.exe
- File opened for modification C:\Windows\SoftwareDistribution\DataStore\DataStore.edb svchost.exe
- File opened for modification C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm svchost.exe
- File opened for modification C:\Windows\SoftwareDistribution\ReportingEvents.log svchost.exe
- File opened for modification C:\Windows\Logs\CBS\CBS.log TiWorker.exe
- File opened for modification C:\Windows\WinSxS\pending.xml TiWorker.exe
- File opened for modification C:\Windows\WindowsUpdate.log svchost.exe
- File opened for modification C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk svchost.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Creates scheduled task(s) (1 TTPs, 4 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid / Process
- 4632 schtasks.exe
- 3052 schtasks.exe
- 1444 schtasks.exe
- 4704 schtasks.exe
Suspicious use of AdjustPrivilegeToken (64 IoCs)
Suspicious use of WriteProcessMemory (64 IoCs)
Processes
- C:\Users\Admin\AppData\Local\Temp\5eba7a145c12b469668b7241b085fc773db33dd32843f77391d23e909bb58602.exe (PID 4892)
  command line: "C:\Users\Admin\AppData\Local\Temp\5eba7a145c12b469668b7241b085fc773db33dd32843f77391d23e909bb58602.exe"
  signatures: Checks computer location settings; Suspicious use of SetThreadContext; Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Roaming\Blasthost.exe (PID 3468)
    command line: "C:\Users\Admin\AppData\Roaming\Blasthost.exe"
    signatures: Executes dropped EXE; Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Roaming\Imgburn\Host.exe (PID 4708)
      command line: "C:\Users\Admin\AppData\Roaming\Imgburn\Host.exe"
      signatures: Executes dropped EXE
  - C:\Users\Admin\AppData\Local\Temp\5eba7a145c12b469668b7241b085fc773db33dd32843f77391d23e909bb58602.exe (PID 2624)
    command line: "C:\Users\Admin\AppData\Local\Temp\5eba7a145c12b469668b7241b085fc773db33dd32843f77391d23e909bb58602.exe"
    signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\cmd.exe (PID 4880)
      command line: "C:\Windows\System32\cmd.exe"
  - C:\Windows\SysWOW64\schtasks.exe (PID 4632)
    command line: "C:\Windows\SysWOW64\schtasks.exe" /create /tn raserver /tr "C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe" /sc minute /mo 1 /F
    signatures: Creates scheduled task(s)
- C:\Windows\system32\svchost.exe (PID 4248)
  command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
  signatures: Drops file in Windows directory; Suspicious use of AdjustPrivilegeToken
- C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe (PID 1092)
  command line: C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
  signatures: Executes dropped EXE; Checks computer location settings; Suspicious use of SetThreadContext; Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Roaming\Blasthost.exe (PID 1136)
    command line: "C:\Users\Admin\AppData\Roaming\Blasthost.exe"
    signatures: Executes dropped EXE
  - C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe (PID 5084)
    command line: "C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe"
    signatures: Executes dropped EXE; Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\cmd.exe (PID 1996)
      command line: "C:\Windows\System32\cmd.exe"
  - C:\Windows\SysWOW64\schtasks.exe (PID 3052)
    command line: "C:\Windows\SysWOW64\schtasks.exe" /create /tn raserver /tr "C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe" /sc minute /mo 1 /F
    signatures: Creates scheduled task(s)
- C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe (PID 4748)
  command line: C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
  signatures: Drops file in Windows directory; Suspicious use of AdjustPrivilegeToken
- C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe (PID 3916)
  command line: C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
  signatures: Executes dropped EXE; Checks computer location settings; Suspicious use of SetThreadContext; Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Roaming\Blasthost.exe (PID 3804)
    command line: "C:\Users\Admin\AppData\Roaming\Blasthost.exe"
    signatures: Executes dropped EXE
  - C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe (PID 3400)
    command line: "C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe"
    signatures: Executes dropped EXE; Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\cmd.exe (PID 4652)
      command line: "C:\Windows\System32\cmd.exe"
  - C:\Windows\SysWOW64\schtasks.exe (PID 1444)
    command line: "C:\Windows\SysWOW64\schtasks.exe" /create /tn raserver /tr "C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe" /sc minute /mo 1 /F
    signatures: Creates scheduled task(s)
- C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe (PID 1792)
  command line: C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
  signatures: Executes dropped EXE; Checks computer location settings; Suspicious use of SetThreadContext; Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Roaming\Blasthost.exe (PID 2192)
    command line: "C:\Users\Admin\AppData\Roaming\Blasthost.exe"
    signatures: Executes dropped EXE
  - C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe (PID 4908)
    command line: "C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe"
    signatures: Executes dropped EXE; Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\cmd.exe (PID 1020)
      command line: "C:\Windows\System32\cmd.exe"
  - C:\Windows\SysWOW64\schtasks.exe (PID 4704)
    command line: "C:\Windows\SysWOW64\schtasks.exe" /create /tn raserver /tr "C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe" /sc minute /mo 1 /F
    signatures: Creates scheduled task(s)