Analysis
- max time kernel: 158s
- max time network: 141s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 17/02/2022, 02:50
Behavioral task behavioral1
- Sample: 5eb173576198a7a4c160b303f2257c1eef37e00e73c557fc68e5d01f12c251f4.exe
- Resource: win7-en-20211208
Behavioral task behavioral2
- Sample: 5eb173576198a7a4c160b303f2257c1eef37e00e73c557fc68e5d01f12c251f4.exe
- Resource: win10v2004-en-20220113
(Only the behavioral1 results, i.e. the Windows 7 x64 run, appear on this page.)
General
- Target: 5eb173576198a7a4c160b303f2257c1eef37e00e73c557fc68e5d01f12c251f4.exe
- Size: 1.3MB
- MD5: 13ad8693b1dea3559d86f873b212d616
- SHA1: 4784d14625c71768036ab3fe19e0242f71558a9d
- SHA256: 5eb173576198a7a4c160b303f2257c1eef37e00e73c557fc68e5d01f12c251f4
- SHA512: e073e5e2ca53fdde5a6f6f25cd090d90c6086773fda7ea206b49f18d47d861d0e4d092226e4a189abed00d1c919958b6f41ccbc1aefdeff879746d2f1f4fd4e8
Malware Config
Extracted
- family: warzonerat
- C2: wealth.warzonedns.com:5202
Signatures
-
NetWire RAT payload 25 IoCs
The netwire YARA rule matched three dropped files, each several times during the run (resource: yara_rule):
- behavioral1/files/0x0008000000012284-{55,56,57,58,59,61,83,84,85,86,87,104,107,108,109,110}.dat: netwire (16 hits)
- behavioral1/files/0x00070000000125e4-{62,63,64,89}.dat: netwire (4 hits)
- behavioral1/files/0x000600000001263f-{80,81,98,105,120}.dat: netwire (5 hits)
Note the conflict with the rest of this report: the extracted configuration and the in-memory rule below identify WarzoneRAT, and 0x000600000001263f also matches the autoit_exe rule. Treat the NetWire label on the dropped files as unconfirmed until each file has been triaged on its own.
-
WarzoneRat, AveMaria
WarzoneRat (also tracked as AveMaria) is a native RAT written in C++ with multiple plugins, sold as malware-as-a-service (MaaS).
-
Warzone RAT Payload 2 IoCs
resource: yara_rule
- behavioral1/memory/1740-67-0x0000000000080000-0x000000000009D000-memory.dmp: warzonerat
- behavioral1/memory/1740-75-0x0000000000080000-0x000000000009D000-memory.dmp: warzonerat
Both dumps come from PID 1740, the second instance of the sample, whose thread context is reset by PID 1792 (see "Suspicious use of SetThreadContext"). The warzonerat rule fired only on this process's memory, not on any dropped file.
Executes dropped EXE 8 IoCs
pid Process
- 588 Blasthost.exe
- 1308 Host.exe
- 1964 RtDCpl64.exe
- 552 Blasthost.exe
- 688 RtDCpl64.exe
- 876 RtDCpl64.exe
- 1544 Blasthost.exe
- 1112 RtDCpl64.exe
Loads dropped DLL 13 IoCs
pid Process (the report lists one row per load; collapsed here with counts)
- 1792 5eb173576198a7a4c160b303f2257c1eef37e00e73c557fc68e5d01f12c251f4.exe (4 loads)
- 588 Blasthost.exe (2 loads)
- 1964 RtDCpl64.exe (4 loads)
- 876 RtDCpl64.exe (3 loads)
Suspicious use of SetThreadContext 3 IoCs
description / pid Process / procid_target
- PID 1792 set thread context of 1740 (1792 5eb173576198a7a4c160b303f2257c1eef37e00e73c557fc68e5d01f12c251f4.exe, target 29)
- PID 1964 set thread context of 688 (1964 RtDCpl64.exe, target 38)
- PID 876 set thread context of 1112 (876 RtDCpl64.exe, target 46)
In each case the target is a child running the same image as the parent (see the process tree): the parent spawns a copy of itself, writes into it (see "Suspicious use of WriteProcessMemory") and redirects a thread in it, the usual process-hollowing sequence.
autoit_exe 5 IoCs
AutoIT scripts compiled to PE executables.
resource: yara_rule
- behavioral1/files/0x000600000001263f-{80,81,98,105,120}.dat: autoit_exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). The sandbox describes this as likely ransomware behaviour, but that is a generic heuristic: nothing else in this report (no file-encryption or ransom-note signature) points to ransomware, so read it as plain drive enumeration.
-
Creates scheduled task(s) 1 TTPs 3 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process
- 928 schtasks.exe
- 632 schtasks.exe
- 1536 schtasks.exe
All three create the same task, "raserver", which runs C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe every minute (/sc minute /mo 1) and overwrites any existing task of that name (/F); the full command lines are in the process tree. This task is what makes taskeng.exe (PID 1560) relaunch RtDCpl64.exe twice during the run.
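As an added example, not code from the sandbox or the report, the following Python flags schtasks invocations of the kind recorded here when run over process-creation command lines (e.g. from Sysmon event 1 or EDR telemetry). The sample lines are constructed: the first is the command line from this report's process tree, the rest are made-up benign and borderline cases for contrast. The thresholds (interval of five minutes or less, two signals required) are my own choices, not anything the report states.

```python
import re

# Constructed sample of process-creation command lines. The first is the
# exact schtasks invocation from this report's process tree; the rest are
# made up for contrast (a benign daily backup job, a query, a logon task
# from a Temp directory).
SAMPLE_CMDLINES = [
    r'"C:\Windows\SysWOW64\schtasks.exe" /create /tn raserver '
    r'/tr "C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe" /sc minute /mo 1 /F',
    r'schtasks.exe /create /tn "Nightly Backup" /tr "C:\Program Files\Backup\backup.exe" /sc daily /st 02:00',
    r'schtasks.exe /query /tn raserver',
    r'schtasks.exe /create /tn Updater /tr "C:\Users\Admin\AppData\Local\Temp\upd.exe" /sc onlogon',
]

TOKEN_RE = re.compile(r'"[^"]*"|\S+')          # a quoted string or a bare word
# switches that take a value; anything else (/create, /F, ...) is a bare flag
VALUE_SWITCHES = {"tn", "tr", "sc", "mo", "st", "sd", "ru", "rp", "xml"}
# directories an unprivileged user can write to (assumed list, extend as needed)
USER_WRITABLE_RE = re.compile(r"\\(AppData|Temp|ProgramData|Users\\Public|Downloads)\\", re.IGNORECASE)


def parse_schtasks(cmdline):
    """Return {switch: value-or-True} for a schtasks command line, else None."""
    tokens = [t.strip('"') for t in TOKEN_RE.findall(cmdline)]
    if not tokens or not tokens[0].lower().endswith("schtasks.exe"):
        return None
    args, i = {}, 1
    while i < len(tokens):
        tok = tokens[i]
        if tok.startswith("/"):
            key = tok[1:].lower()
            nxt = tokens[i + 1] if i + 1 < len(tokens) else None
            if key in VALUE_SWITCHES and nxt is not None and not nxt.startswith("/"):
                args[key] = nxt
                i += 2
                continue
            args[key] = True
        i += 1
    return args


def assess(cmdline):
    """Score a schtasks /create call; None for anything that is not a /create."""
    args = parse_schtasks(cmdline)
    if not args or "create" not in args:
        return None
    action = args.get("tr") if isinstance(args.get("tr"), str) else ""
    schedule = args.get("sc").lower() if isinstance(args.get("sc"), str) else ""
    modifier = args.get("mo") if isinstance(args.get("mo"), str) else ""
    reasons = []
    from_user_dir = bool(USER_WRITABLE_RE.search(action))
    if from_user_dir:
        reasons.append("action runs from a user-writable directory")
    if schedule == "minute" and modifier.isdigit() and int(modifier) <= 5:
        reasons.append(f"re-runs every {modifier} minute(s)")
    if schedule in ("onlogon", "onstart"):
        reasons.append(f"triggers at {schedule}")
    if args.get("f") is True:
        reasons.append("/F silently overwrites an existing task of that name")
    return {
        "task": args.get("tn"),
        "action": action,
        "reasons": reasons,
        # a user-writable action on its own is common for updaters; require a second signal
        "suspicious": from_user_dir and len(reasons) >= 2,
    }


def scan(cmdlines):
    """Assess every line; keep only the /create calls."""
    return [r for r in (assess(c) for c in cmdlines) if r is not None]


if __name__ == "__main__":
    for finding in scan(SAMPLE_CMDLINES):
        flag = "SUSPICIOUS" if finding["suspicious"] else "ok"
        print(f"{flag:10} {finding['task']!s:16} {finding['action']}")
        for reason in finding["reasons"]:
            print(f"{'':10}   - {reason}")
```

On the report's own line the three signals all fire (user-writable action path, one-minute repeat, /F), which is the combination that distinguishes this persistence from a legitimate updater task.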
Suspicious use of WriteProcessMemory 64 IoCs
The report lists one row per call (description / pid Process / procid_target); collapsed here to one row per source-to-target pair with the call count. The listing is capped at 64 entries, so the last pair is probably incomplete.
- 1792 (5eb173576198a7a4c160b303f2257c1eef37e00e73c557fc68e5d01f12c251f4.exe) wrote to 588, target 27: 4 calls
- 588 (Blasthost.exe) wrote to 1308, target 28: 4 calls
- 1792 (5eb173576198a7a4c160b303f2257c1eef37e00e73c557fc68e5d01f12c251f4.exe) wrote to 1740, target 29: 6 calls
- 1740 (5eb173576198a7a4c160b303f2257c1eef37e00e73c557fc68e5d01f12c251f4.exe) wrote to 1160, target 30: 6 calls
- 1792 (5eb173576198a7a4c160b303f2257c1eef37e00e73c557fc68e5d01f12c251f4.exe) wrote to 1536, target 32: 4 calls
- 1560 (taskeng.exe) wrote to 1964, target 36: 4 calls
- 1964 (RtDCpl64.exe) wrote to 552, target 37: 4 calls
- 1964 (RtDCpl64.exe) wrote to 688, target 38: 6 calls
- 1964 (RtDCpl64.exe) wrote to 928, target 39: 4 calls
- 688 (RtDCpl64.exe) wrote to 1512, target 41: 6 calls
- 1560 (taskeng.exe) wrote to 876, target 44: 4 calls
- 876 (RtDCpl64.exe) wrote to 1544, target 45: 4 calls
- 876 (RtDCpl64.exe) wrote to 1112, target 46: 6 calls
- 1112 (RtDCpl64.exe) wrote to 1704, target 47: 2 calls (listing cut off)
The three SetThreadContext targets (1740, 688, 1112) and the cmd.exe children spawned from them (1160, 1512) each receive 6 calls; every other child receives 4.
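As an added example, not code from the sandbox or the report, the following Python reads the two injection tables above in the report's own row format and pairs each SetThreadContext with the WriteProcessMemory calls from the same parent to the same child, which is how an analyst separates hollowing targets from ordinary spawns. The pid-to-image map is copied from the process tree below; the rows are the report's, with the repeated WriteProcessMemory rows collapsed to one copy each.

```python
import re

SAMPLE = "5eb173576198a7a4c160b303f2257c1eef37e00e73c557fc68e5d01f12c251f4.exe"

# pid -> image, copied from the report's process tree
PROCESS_IMAGE = {
    1792: SAMPLE, 588: "Blasthost.exe", 1308: "Host.exe", 1740: SAMPLE,
    1160: "cmd.exe", 1536: "schtasks.exe", 1560: "taskeng.exe",
    1964: "RtDCpl64.exe", 552: "Blasthost.exe", 688: "RtDCpl64.exe",
    1512: "cmd.exe", 928: "schtasks.exe", 876: "RtDCpl64.exe",
    1544: "Blasthost.exe", 1112: "RtDCpl64.exe", 1704: "cmd.exe",
    632: "schtasks.exe",
}

# Rows in the report's own format: "PID <src> <api> <dst> <src> <src image> <target index>"
SET_THREAD_CONTEXT_ROWS = f"""
PID 1792 set thread context of 1740 1792 {SAMPLE} 29
PID 1964 set thread context of 688 1964 RtDCpl64.exe 38
PID 876 set thread context of 1112 876 RtDCpl64.exe 46
"""

# The report repeats each WriteProcessMemory row once per call; one copy of each here.
WRITE_PROCESS_MEMORY_ROWS = f"""
PID 1792 wrote to memory of 588 1792 {SAMPLE} 27
PID 588 wrote to memory of 1308 588 Blasthost.exe 28
PID 1792 wrote to memory of 1740 1792 {SAMPLE} 29
PID 1740 wrote to memory of 1160 1740 {SAMPLE} 30
PID 1792 wrote to memory of 1536 1792 {SAMPLE} 32
PID 1560 wrote to memory of 1964 1560 taskeng.exe 36
PID 1964 wrote to memory of 552 1964 RtDCpl64.exe 37
PID 1964 wrote to memory of 688 1964 RtDCpl64.exe 38
PID 1964 wrote to memory of 928 1964 RtDCpl64.exe 39
PID 688 wrote to memory of 1512 688 RtDCpl64.exe 41
PID 1560 wrote to memory of 876 1560 taskeng.exe 44
PID 876 wrote to memory of 1544 876 RtDCpl64.exe 45
PID 876 wrote to memory of 1112 876 RtDCpl64.exe 46
PID 1112 wrote to memory of 1704 1112 RtDCpl64.exe 47
"""

ROW_RE = re.compile(
    r"PID (?P<src>\d+) (?P<api>wrote to memory of|set thread context of) "
    r"(?P<dst>\d+) (?P=src) (?P<image>\S+) (?P<target>\d+)"
)


def parse_rows(text):
    """Return a set of (api, src_pid, dst_pid); repeated rows collapse."""
    return {(m["api"], int(m["src"]), int(m["dst"])) for m in ROW_RE.finditer(text)}


def find_hollowing(set_ctx_text, wpm_text, images):
    """
    Pair every SetThreadContext(parent -> child) with WriteProcessMemory calls
    from the same parent to the same child. Both together on a freshly created
    child is the RunPE / process-hollowing sequence; a child running the same
    image as its parent is the self-injecting variant seen in this report.
    """
    ctx = parse_rows(set_ctx_text)
    written = {(s, d) for api, s, d in parse_rows(wpm_text) if api == "wrote to memory of"}
    findings = []
    for api, src, dst in sorted(ctx):
        if api != "set thread context of":
            continue
        findings.append({
            "parent": src,
            "child": dst,
            "parent_image": images.get(src),
            "child_image": images.get(dst),
            "also_written": (src, dst) in written,
            "self_hollowing": images.get(src) is not None and images.get(src) == images.get(dst),
        })
    return findings


def write_only_targets(set_ctx_text, wpm_text):
    """(parent, child) pairs written to but never given a new thread context: ordinary spawns."""
    ctx = {(s, d) for _api, s, d in parse_rows(set_ctx_text)}
    written = {(s, d) for _api, s, d in parse_rows(wpm_text)}
    return sorted(written - ctx)


if __name__ == "__main__":
    for f in find_hollowing(SET_THREAD_CONTEXT_ROWS, WRITE_PROCESS_MEMORY_ROWS, PROCESS_IMAGE):
        kind = "self-hollowing" if f["self_hollowing"] else "hollowing"
        print(f"{f['parent']} ({f['parent_image']}) -> {f['child']} ({f['child_image']}): "
              f"{kind}, written={f['also_written']}")
```

All three findings come out as self-hollowing with matching WriteProcessMemory calls, while the eleven remaining write pairs (dropped EXEs, cmd.exe, schtasks.exe, the taskeng.exe launches) have no SetThreadContext and are ordinary process creation.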
Processes
Each entry gives the image path, the command line as recorded, the signatures that fired for that process and its PID; indentation shows the parent/child depth (1 = top level).

[1] C:\Users\Admin\AppData\Local\Temp\5eb173576198a7a4c160b303f2257c1eef37e00e73c557fc68e5d01f12c251f4.exe  (PID 1792)
    cmd: "C:\Users\Admin\AppData\Local\Temp\5eb173576198a7a4c160b303f2257c1eef37e00e73c557fc68e5d01f12c251f4.exe"
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
  [2] C:\Users\Admin\AppData\Roaming\Blasthost.exe  (PID 588)
      cmd: "C:\Users\Admin\AppData\Roaming\Blasthost.exe"
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious use of WriteProcessMemory
    [3] C:\Users\Admin\AppData\Roaming\Imgburn\Host.exe  (PID 1308)
        cmd: "C:\Users\Admin\AppData\Roaming\Imgburn\Host.exe"
        - Executes dropped EXE
  [2] C:\Users\Admin\AppData\Local\Temp\5eb173576198a7a4c160b303f2257c1eef37e00e73c557fc68e5d01f12c251f4.exe  (PID 1740)
      cmd: "C:\Users\Admin\AppData\Local\Temp\5eb173576198a7a4c160b303f2257c1eef37e00e73c557fc68e5d01f12c251f4.exe"
      - Suspicious use of WriteProcessMemory
      (second instance of the sample, hollowed by PID 1792; the warzonerat memory rule fires on this process)
    [3] C:\Windows\SysWOW64\cmd.exe  (PID 1160)
        cmd: "C:\Windows\System32\cmd.exe"
        (image path is SysWOW64 although the command line names System32: WoW64 file-system redirection, so the parent is a 32-bit process)
  [2] C:\Windows\SysWOW64\schtasks.exe  (PID 1536)
      cmd: "C:\Windows\SysWOW64\schtasks.exe" /create /tn raserver /tr "C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe" /sc minute /mo 1 /F
      - Creates scheduled task(s)

[1] C:\Windows\system32\taskeng.exe  (PID 1560)
    cmd: taskeng.exe {84FBEE06-C17D-43B4-A454-DEBCB6A4B60C} S-1-5-21-3846991908-3261386348-1409841751-1000:VQVVOAJK\Admin:Interactive:[1]
    - Suspicious use of WriteProcessMemory
    (Task Scheduler engine; each child below is a firing of the "raserver" task created above)
  [2] C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe  (PID 1964)
      cmd: C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious use of SetThreadContext
      - Suspicious use of WriteProcessMemory
    [3] C:\Users\Admin\AppData\Roaming\Blasthost.exe  (PID 552)
        cmd: "C:\Users\Admin\AppData\Roaming\Blasthost.exe"
        - Executes dropped EXE
    [3] C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe  (PID 688)
        cmd: "C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe"
        - Executes dropped EXE
        - Suspicious use of WriteProcessMemory
      [4] C:\Windows\SysWOW64\cmd.exe  (PID 1512)
          cmd: "C:\Windows\System32\cmd.exe"
    [3] C:\Windows\SysWOW64\schtasks.exe  (PID 928)
        cmd: "C:\Windows\SysWOW64\schtasks.exe" /create /tn raserver /tr "C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe" /sc minute /mo 1 /F
        - Creates scheduled task(s)
  [2] C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe  (PID 876)
      cmd: C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious use of SetThreadContext
      - Suspicious use of WriteProcessMemory
    [3] C:\Users\Admin\AppData\Roaming\Blasthost.exe  (PID 1544)
        cmd: "C:\Users\Admin\AppData\Roaming\Blasthost.exe"
        - Executes dropped EXE
    [3] C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe  (PID 1112)
        cmd: "C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe"
        - Executes dropped EXE
        - Suspicious use of WriteProcessMemory
      [4] C:\Windows\SysWOW64\cmd.exe  (PID 1704)
          cmd: "C:\Windows\System32\cmd.exe"
    [3] C:\Windows\SysWOW64\schtasks.exe  (PID 632)
        cmd: "C:\Windows\SysWOW64\schtasks.exe" /create /tn raserver /tr "C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe" /sc minute /mo 1 /F
        - Creates scheduled task(s)

Each scheduled relaunch of RtDCpl64.exe repeats the first-stage sequence of the original sample: drop and run Blasthost.exe, spawn and hollow a copy of itself, spawn cmd.exe from the hollowed copy, and re-create the "raserver" task.