Analysis
- max time kernel: 160s
- max time network: 175s
- platform: windows10-2004_x64
- resource: win10v2004-en-20220113
- submitted: 17/02/2022, 02:50
Behavioral task behavioral1
- Sample: 5eb173576198a7a4c160b303f2257c1eef37e00e73c557fc68e5d01f12c251f4.exe
- Resource: win7-en-20211208

Behavioral task behavioral2
- Sample: 5eb173576198a7a4c160b303f2257c1eef37e00e73c557fc68e5d01f12c251f4.exe
- Resource: win10v2004-en-20220113
General
- Target: 5eb173576198a7a4c160b303f2257c1eef37e00e73c557fc68e5d01f12c251f4.exe
- Size: 1.3MB
- MD5: 13ad8693b1dea3559d86f873b212d616
- SHA1: 4784d14625c71768036ab3fe19e0242f71558a9d
- SHA256: 5eb173576198a7a4c160b303f2257c1eef37e00e73c557fc68e5d01f12c251f4
- SHA512: e073e5e2ca53fdde5a6f6f25cd090d90c6086773fda7ea206b49f18d47d861d0e4d092226e4a189abed00d1c919958b6f41ccbc1aefdeff879746d2f1f4fd4e8
Malware Config
Extracted
- Family: warzonerat
- C2: wealth.warzonedns.com:5202
The host sits under warzonedns.com, a dynamic-DNS service associated with Warzone operators, so the full hostname plus port is the indicator to carry forward; the report records no resolved IP for it.
Signatures

NetWire RAT payload (12 IoCs)
resource                                       yara_rule
behavioral2/files/0x000600000001e7ae-130.dat   netwire
behavioral2/files/0x000600000001e7ae-131.dat   netwire
behavioral2/files/0x000400000001e7c0-142.dat   netwire
behavioral2/files/0x000400000001e7c0-141.dat   netwire
behavioral2/files/0x000500000001e7bd-147.dat   netwire
behavioral2/files/0x000500000001e7bd-148.dat   netwire
behavioral2/files/0x000600000001e7ae-149.dat   netwire
behavioral2/files/0x000500000001e7bd-157.dat   netwire
behavioral2/files/0x000600000001e7ae-160.dat   netwire
behavioral2/files/0x000500000001e7bd-161.dat   netwire
behavioral2/files/0x000600000001e7ae-162.dat   netwire
behavioral2/files/0x000500000001e7bd-170.dat   netwire
Three distinct dropped-file resources (0x000600000001e7ae, 0x000400000001e7c0, 0x000500000001e7bd) hit the netwire rule. The 0x000500000001e7bd files also match autoit_exe below, and the in-memory payload and the extracted config are Warzone, so verify this file-level NetWire hit before reporting a second family; it may be rule overlap on the AutoIt wrapper rather than a NetWire payload.
WarzoneRat, AveMaria
WarzoneRat (also tracked as AveMaria) is a native RAT developed in C++ with multiple plugins, sold as malware-as-a-service (MaaS).
Warzone RAT Payload (4 IoCs)
resource                                                                       yara_rule
behavioral2/memory/3720-133-0x0000000000370000-0x000000000038D000-memory.dmp   warzonerat
behavioral2/memory/3720-140-0x0000000000370000-0x000000000038D000-memory.dmp   warzonerat
behavioral2/memory/4212-150-0x0000000000400000-0x000000000041D000-memory.dmp   warzonerat
behavioral2/memory/4212-158-0x0000000000400000-0x000000000041D000-memory.dmp   warzonerat
Both hits are 0x1D000-byte regions inside SetThreadContext targets (PIDs 3720 and 4212). In 4212 the region starts at 0x400000, the default image base of a 32-bit PE, consistent with the payload occupying the hollowed process's own image mapping. These dumps, not the loader on disk, are what to unpack and hash for the actual Warzone payload.
Executes dropped EXE (8 IoCs)
pid    Process
2776   Blasthost.exe
816    Host.exe
4252   RtDCpl64.exe
4224   Blasthost.exe
4212   RtDCpl64.exe
3776   RtDCpl64.exe
3744   Blasthost.exe
3280   RtDCpl64.exe
Checks computer location settings (2 TTPs, 3 IoCs)
Looks up the country code configured in the registry, likely a geofence. The value read, HKCU\Control Panel\International\Geo\Nation (shown below by its kernel path under the user's SID), holds the user's GeoID as a decimal string; both the initial loader and the two RtDCpl64.exe copies query it.
description          Process                                                                   ioc
Key value queried    5eb173576198a7a4c160b303f2257c1eef37e00e73c557fc68e5d01f12c251f4.exe      \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation
Key value queried    RtDCpl64.exe                                                              \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation
Key value queried    RtDCpl64.exe                                                              \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation
Suspicious use of SetThreadContext (3 IoCs)
pid    Process                                                                   target pid   target record
2948   5eb173576198a7a4c160b303f2257c1eef37e00e73c557fc68e5d01f12c251f4.exe      3720         85
4252   RtDCpl64.exe                                                              4212         105
3776   RtDCpl64.exe                                                              3280         116
In all three cases the target is a second instance of the caller's own image, and the same source/target pairs appear in the WriteProcessMemory table: this is the RunPE / process hollowing sequence (create a suspended copy of itself, write the payload in, SetThreadContext to the new entry point, resume). The Warzone memory hits above are on two of these three targets (3720 and 4212). The trailing number is the sandbox's record id for the target process, not a PID.
autoit_exe (5 IoCs)
AutoIT scripts compiled to PE executables.
resource                                       yara_rule
behavioral2/files/0x000500000001e7bd-147.dat   autoit_exe
behavioral2/files/0x000500000001e7bd-148.dat   autoit_exe
behavioral2/files/0x000500000001e7bd-157.dat   autoit_exe
behavioral2/files/0x000500000001e7bd-161.dat   autoit_exe
behavioral2/files/0x000500000001e7bd-170.dat   autoit_exe
All five hits are the same dropped-file resource (0x000500000001e7bd) observed at different points in the run.
Drops file in Windows directory (8 IoCs)
description                     ioc                                                         Process
File opened for modification    C:\Windows\Logs\CBS\CBS.log                                 TiWorker.exe
File opened for modification    C:\Windows\WinSxS\pending.xml                               TiWorker.exe
File opened for modification    C:\Windows\WindowsUpdate.log                                svchost.exe
File opened for modification    C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk      svchost.exe
File opened for modification    C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log      svchost.exe
File opened for modification    C:\Windows\SoftwareDistribution\DataStore\DataStore.edb     svchost.exe
File opened for modification    C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm     svchost.exe
File opened for modification    C:\Windows\SoftwareDistribution\ReportingEvents.log         svchost.exe
All eight writes come from TiWorker.exe (component servicing) and the wuauserv svchost.exe (Windows Update) running in the sandbox, not from the sample or its dropped files; do not carry them into IoCs.
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). The sandbox's generic description for this signature calls it likely ransomware behaviour; nothing in this report shows file encryption, and drive enumeration is routine for a RAT with file-browsing functionality, so do not read this as ransomware evidence here.
Creates scheduled task(s) (1 TTPs, 3 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid    Process
4804   schtasks.exe
1536   schtasks.exe
1740   schtasks.exe
All three runs issue the same command (see the process tree): /create /tn raserver /tr "C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe" /sc minute /mo 1 /F, i.e. a task named raserver that relaunches the dropped copy every minute, with /F silently overwriting any existing task of that name. The first comes from the initial loader; the other two are each RtDCpl64.exe run re-registering the task.
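The schtasks line is worth parsing rather than eyeballing. The following Python is an added example, not part of the Triage report or of the malware: it splits schtasks /create command lines and scores the indicators seen in this run (one-minute interval, action under AppData\Roaming, /F). The first sample line is the command the report records; the second sample line, the switch table and the scoring weights are constructed for illustration.

```python
"""Triage schtasks /create command lines for persistence indicators."""
import re
import shlex

# Constructed sample input. The first entry is the command line the report
# records under the Warzone loader (PID 4804); the second is a constructed
# benign-looking task for contrast and is not from the report.
SAMPLE_CMDLINES = [
    '"C:\\Windows\\SysWOW64\\schtasks.exe" /create /tn raserver '
    '/tr "C:\\Users\\Admin\\AppData\\Roaming\\aepic\\RtDCpl64.exe" '
    '/sc minute /mo 1 /F',
    '"C:\\Windows\\System32\\schtasks.exe" /create /tn "Nightly backup" '
    '/tr "C:\\Program Files\\Backup\\backup.exe" /sc daily /st 02:00',
]

# schtasks switches that take no argument (from the schtasks syntax; enough
# for /create lines, extend it if you feed it /change or /query output).
FLAG_SWITCHES = {"create", "delete", "query", "change", "run", "end",
                 "f", "z", "it", "np", "v1", "hresult"}

# Paths a standard user can write to; an assumption for scoring, not a Triage rule.
USER_WRITABLE = re.compile(
    r"\\(appdata|programdata|users\\[^\\]+\\(downloads|desktop|public))\\", re.I)


def parse_schtasks(cmdline):
    """Split a schtasks command line into {switch: value}; bare flags map to True.

    posix=False keeps Windows backslashes and quoted paths intact; the quotes
    are stripped afterwards. Switch names are lower-cased, so /F and /f agree.
    """
    tokens = [t.strip('"') for t in shlex.split(cmdline, posix=False)]
    args = {}
    i = 1  # tokens[0] is the schtasks.exe image itself
    while i < len(tokens):
        tok = tokens[i]
        if not tok.startswith("/"):
            i += 1
            continue
        name = tok[1:].lower()
        has_value = (name not in FLAG_SWITCHES and i + 1 < len(tokens)
                     and not tokens[i + 1].startswith("/"))
        args[name] = tokens[i + 1] if has_value else True
        i += 2 if has_value else 1
    return args


def triage_schtasks(cmdline):
    """Score a /create line: short interval, user-writable target, /F, SYSTEM."""
    args = parse_schtasks(cmdline)
    if "create" not in args:
        return {"task": args.get("tn"), "target": args.get("tr"), "score": 0,
                "reasons": ["not a /create command"]}
    score, reasons = 0, []
    schedule = str(args.get("sc", "")).lower()
    try:
        modifier = int(args.get("mo", 1))
    except (TypeError, ValueError):
        modifier = 1
    if schedule == "minute" and modifier <= 5:
        score += 3
        reasons.append(f"re-runs every {modifier} minute(s): relaunches the payload if it is killed")
    target = str(args.get("tr", ""))
    if USER_WRITABLE.search(target):
        score += 2
        reasons.append("task action lives in a user-writable directory")
    if args.get("f") is True:
        score += 1
        reasons.append("/F silently replaces an existing task of the same name")
    if str(args.get("ru", "")).lower() in ("system", "nt authority\\system"):
        score += 1
        reasons.append("runs as SYSTEM")
    return {"task": args.get("tn"), "target": target, "score": score, "reasons": reasons}


if __name__ == "__main__":
    for line in SAMPLE_CMDLINES:
        result = triage_schtasks(line)
        print(f"{result['score']}  {result['task']!r:18} -> {result['target']}")
        for reason in result["reasons"]:
            print("     -", reason)
```

Run on the report's line it returns a score of 6 with all three reasons; the constructed daily backup task scores 0. The useful hunting pivot on a live host is the task name plus the action path, not the schtasks.exe PID.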
Suspicious use of AdjustPrivilegeToken (64 IoCs, repeated entries collapsed)
Token                        pid    Process
SeShutdownPrivilege          4268   svchost.exe    (3 entries)
SeCreatePagefilePrivilege    4268   svchost.exe    (3 entries)
SeSecurityPrivilege          2192   TiWorker.exe   (repeated)
SeRestorePrivilege           2192   TiWorker.exe   (repeated)
SeBackupPrivilege            2192   TiWorker.exe   (repeated)
Every entry belongs to the wuauserv svchost.exe or to TiWorker.exe, i.e. Windows Update and component servicing running in the sandbox; the sample and its dropped files adjust no token privileges in this report.
Suspicious use of WriteProcessMemory (51 IoCs, repeated entries collapsed with counts)
pid    Process                                                                   target pid   target record   target process (from tree)                                                 writes
2948   5eb173576198a7a4c160b303f2257c1eef37e00e73c557fc68e5d01f12c251f4.exe      2776         82              Blasthost.exe                                                              3
2948   5eb173576198a7a4c160b303f2257c1eef37e00e73c557fc68e5d01f12c251f4.exe      3720         85              5eb173576198a7a4c160b303f2257c1eef37e00e73c557fc68e5d01f12c251f4.exe       5
2776   Blasthost.exe                                                             816          87              Host.exe                                                                   3
2948   5eb173576198a7a4c160b303f2257c1eef37e00e73c557fc68e5d01f12c251f4.exe      4804         88              schtasks.exe                                                               3
3720   5eb173576198a7a4c160b303f2257c1eef37e00e73c557fc68e5d01f12c251f4.exe      1500         92              cmd.exe                                                                    5
4252   RtDCpl64.exe                                                              4224         104             Blasthost.exe                                                              3
4252   RtDCpl64.exe                                                              4212         105             RtDCpl64.exe                                                               5
4252   RtDCpl64.exe                                                              1536         106             schtasks.exe                                                               3
4212   RtDCpl64.exe                                                              1636         108             cmd.exe                                                                    5
3776   RtDCpl64.exe                                                              3744         115             Blasthost.exe                                                              3
3776   RtDCpl64.exe                                                              3280         116             RtDCpl64.exe                                                               5
3280   RtDCpl64.exe                                                              1080         117             cmd.exe                                                                    5
3776   RtDCpl64.exe                                                              1740         119             schtasks.exe                                                               3
The target process column is filled in from the process tree; the trailing record id is the sandbox's index for the target process, not a PID. Three writes per child is the baseline every ordinary child in this run shows (Blasthost.exe, Host.exe, schtasks.exe). The five-write targets include all three SetThreadContext targets (3720, 4212, 3280), which is where the hollowed payload was written, plus the cmd.exe children spawned by those hollowed processes.
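To see why the SetThreadContext rows matter more than the WriteProcessMemory volume, the following added Python (not part of the Triage report) parses a de-duplicated subset of the report's own SetThreadContext and WriteProcessMemory rows, pairs them per source/target, and labels the pairs where both ends run the same image as self-hollowing. The row subset is copied from the two tables above, the PID-to-image map is taken from the process list below, and the classification labels are this example's own.

```python
"""Reconstruct the injection chain from the report's SetThreadContext and
WriteProcessMemory rows and flag RunPE-style self-hollowing."""
import re
from collections import defaultdict

SAMPLE = "5eb173576198a7a4c160b303f2257c1eef37e00e73c557fc68e5d01f12c251f4.exe"

# Constructed input: a de-duplicated subset of the report's rows, in the
# report's own column order (source PID, verb, target PID, source PID again,
# source image, target record id). Copied from the report, not generated.
RAW_ROWS = f"""
PID 2948 wrote to memory of 2776 2948 {SAMPLE} 82
PID 2948 wrote to memory of 3720 2948 {SAMPLE} 85
PID 2948 set thread context of 3720 2948 {SAMPLE} 85
PID 2776 wrote to memory of 816 2776 Blasthost.exe 87
PID 2948 wrote to memory of 4804 2948 {SAMPLE} 88
PID 4252 wrote to memory of 4224 4252 RtDCpl64.exe 104
PID 4252 wrote to memory of 4212 4252 RtDCpl64.exe 105
PID 4252 set thread context of 4212 4252 RtDCpl64.exe 105
PID 3776 wrote to memory of 3744 3776 RtDCpl64.exe 115
PID 3776 wrote to memory of 3280 3776 RtDCpl64.exe 116
PID 3776 set thread context of 3280 3776 RtDCpl64.exe 116
"""

# PID -> image name, taken from the report's process list.
IMAGES = {
    2948: SAMPLE, 3720: SAMPLE,
    2776: "Blasthost.exe", 4224: "Blasthost.exe", 3744: "Blasthost.exe",
    816: "Host.exe", 4804: "schtasks.exe",
    4252: "RtDCpl64.exe", 4212: "RtDCpl64.exe", 3776: "RtDCpl64.exe", 3280: "RtDCpl64.exe",
}

# The \1 backreference insists that the repeated source PID really repeats.
ROW = re.compile(r"^PID (\d+) (wrote to memory of|set thread context of) (\d+) \1 (\S+) (\d+)$")


def parse_rows(text):
    """Parse report rows into event dicts; unknown row shapes raise instead of being skipped."""
    events = []
    for line in text.strip().splitlines():
        m = ROW.match(line.strip())
        if not m:
            raise ValueError(f"unrecognised row: {line!r}")
        src, verb, dst, image, record = m.groups()
        events.append({
            "src": int(src), "dst": int(dst), "src_image": image,
            "op": "SetThreadContext" if verb.startswith("set") else "WriteProcessMemory",
            "target_record": int(record),
        })
    return events


def find_injections(events, images):
    """Pair each SetThreadContext with WriteProcessMemory on the same (src, dst).

    A parent writing into a child it just created is ordinary (the loader
    fills in startup data), so WriteProcessMemory alone is noise. A write
    followed by SetThreadContext on the same target is the RunPE sequence:
    create suspended, overwrite the image, redirect the entry point, resume.
    The same image on both ends means the loader hollowed a copy of itself.
    """
    writes = defaultdict(int)
    for e in events:
        if e["op"] == "WriteProcessMemory":
            writes[(e["src"], e["dst"])] += 1
    findings = []
    for e in events:
        if e["op"] != "SetThreadContext":
            continue
        src_img, dst_img = images.get(e["src"], "?"), images.get(e["dst"], "?")
        findings.append({
            "src": e["src"], "dst": e["dst"], "image": dst_img,
            "written_first": writes[(e["src"], e["dst"])] > 0,
            "kind": "self-hollowing (RunPE)" if src_img == dst_img else "cross-process injection",
        })
    return findings


def memory_dump_targets(findings):
    """PIDs whose memory holds the real payload: dump these, not the loader on disk."""
    return sorted({f["dst"] for f in findings if f["written_first"]})


if __name__ == "__main__":
    found = find_injections(parse_rows(RAW_ROWS), IMAGES)
    for f in found:
        print(f"{f['src']} -> {f['dst']} {f['image']}: {f['kind']}")
    print("dump:", memory_dump_targets(found))
```

The three findings are exactly the pairs in the SetThreadContext table, and the dump list (3280, 3720, 4212) matches where the sandbox's warzonerat memory hits landed for two of them; 3280 has no memory hit in this report but is the same pattern and is the next place to look.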
Processes

1  C:\Users\Admin\AppData\Local\Temp\5eb173576198a7a4c160b303f2257c1eef37e00e73c557fc68e5d01f12c251f4.exe  [PID 2948]
   command line: "C:\Users\Admin\AppData\Local\Temp\5eb173576198a7a4c160b303f2257c1eef37e00e73c557fc68e5d01f12c251f4.exe"
   - Checks computer location settings
   - Suspicious use of SetThreadContext
   - Suspicious use of WriteProcessMemory

   1.1  C:\Users\Admin\AppData\Roaming\Blasthost.exe  [PID 2776]
        command line: "C:\Users\Admin\AppData\Roaming\Blasthost.exe"
        - Executes dropped EXE
        - Suspicious use of WriteProcessMemory

        1.1.1  C:\Users\Admin\AppData\Roaming\Imgburn\Host.exe  [PID 816]
               command line: "C:\Users\Admin\AppData\Roaming\Imgburn\Host.exe"
               - Executes dropped EXE

   1.2  C:\Users\Admin\AppData\Local\Temp\5eb173576198a7a4c160b303f2257c1eef37e00e73c557fc68e5d01f12c251f4.exe  [PID 3720]  (SetThreadContext target of 2948; memory dump matches warzonerat)
        command line: "C:\Users\Admin\AppData\Local\Temp\5eb173576198a7a4c160b303f2257c1eef37e00e73c557fc68e5d01f12c251f4.exe"
        - Suspicious use of WriteProcessMemory

        1.2.1  C:\Windows\SysWOW64\cmd.exe  [PID 1500]
               command line: "C:\Windows\System32\cmd.exe"

   1.3  C:\Windows\SysWOW64\schtasks.exe  [PID 4804]
        command line: "C:\Windows\SysWOW64\schtasks.exe" /create /tn raserver /tr "C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe" /sc minute /mo 1 /F
        - Creates scheduled task(s)

2  C:\Windows\system32\svchost.exe  [PID 4268]
   command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
   - Drops file in Windows directory
   - Suspicious use of AdjustPrivilegeToken

3  C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe  [PID 4252]  (top-level; consistent with the raserver task firing)
   command line: C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
   - Executes dropped EXE
   - Checks computer location settings
   - Suspicious use of SetThreadContext
   - Suspicious use of WriteProcessMemory

   3.1  C:\Users\Admin\AppData\Roaming\Blasthost.exe  [PID 4224]
        command line: "C:\Users\Admin\AppData\Roaming\Blasthost.exe"
        - Executes dropped EXE

   3.2  C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe  [PID 4212]  (SetThreadContext target of 4252; memory dump matches warzonerat)
        command line: "C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe"
        - Executes dropped EXE
        - Suspicious use of WriteProcessMemory

        3.2.1  C:\Windows\SysWOW64\cmd.exe  [PID 1636]
               command line: "C:\Windows\System32\cmd.exe"

   3.3  C:\Windows\SysWOW64\schtasks.exe  [PID 1536]
        command line: "C:\Windows\SysWOW64\schtasks.exe" /create /tn raserver /tr "C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe" /sc minute /mo 1 /F
        - Creates scheduled task(s)

4  C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe  [PID 2192]
   command line: C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
   - Drops file in Windows directory
   - Suspicious use of AdjustPrivilegeToken

5  C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe  [PID 3776]  (top-level; a second firing of the raserver task)
   command line: C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
   - Executes dropped EXE
   - Checks computer location settings
   - Suspicious use of SetThreadContext
   - Suspicious use of WriteProcessMemory

   5.1  C:\Users\Admin\AppData\Roaming\Blasthost.exe  [PID 3744]
        command line: "C:\Users\Admin\AppData\Roaming\Blasthost.exe"
        - Executes dropped EXE

   5.2  C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe  [PID 3280]  (SetThreadContext target of 3776)
        command line: "C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe"
        - Executes dropped EXE
        - Suspicious use of WriteProcessMemory

        5.2.1  C:\Windows\SysWOW64\cmd.exe  [PID 1080]
               command line: "C:\Windows\System32\cmd.exe"

   5.3  C:\Windows\SysWOW64\schtasks.exe  [PID 1740]
        command line: "C:\Windows\SysWOW64\schtasks.exe" /create /tn raserver /tr "C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe" /sc minute /mo 1 /F
        - Creates scheduled task(s)

Reading the tree: the initial loader drops Blasthost.exe (which in turn runs Host.exe from an Imgburn folder), hollows a second copy of itself with the Warzone payload, and registers the raserver task pointing at a copy of itself saved as RtDCpl64.exe. Trees 3 and 5 are that task firing on its one-minute interval; each replays the whole drop/hollow/schtasks chain, so the task, not any one process, is what persistence removal must target. The cmd.exe and schtasks.exe children are recorded under SysWOW64 although the command line names System32: the loader is a 32-bit process and WOW64 file-system redirection resolved the path, which also tells you the hollowed payload is 32-bit. Trees 2 and 4 (the wuauserv svchost.exe and TiWorker.exe) are Windows Update and servicing activity in the sandbox, unrelated to the sample.