Analysis

max time kernel: 158s
max time network: 133s
platform: windows7_x64
resource: win7-en-20211208
submitted: 17/02/2022, 02:52
Behavioral task behavioral1
Sample: 5e703b826e5eee3224c5dbb302cf6614305081b15f306b15c7859d3b01d711d2.exe
Resource: win7-en-20211208

Behavioral task behavioral2
Sample: 5e703b826e5eee3224c5dbb302cf6614305081b15f306b15c7859d3b01d711d2.exe
Resource: win10v2004-en-20220113

Every signature, IoC and process-tree entry reproduced below is tagged behavioral1 (the Windows 7 x64 run); no behavioral2 findings appear on this page.
General

Target: 5e703b826e5eee3224c5dbb302cf6614305081b15f306b15c7859d3b01d711d2.exe
Size: 1.3MB
MD5: 3e7104680f97799c4b4ce6fed9c37887
SHA1: 6c7b28fdc2abf04aafca9afe7fbbbb0c28a53a1e
SHA256: 5e703b826e5eee3224c5dbb302cf6614305081b15f306b15c7859d3b01d711d2
SHA512: a37e3015d86b9201fa4bc3917114a94d5e7c56ab23999c37b1240b18d62dab8f81e6fddb86d72cad7679e187a1d4a742eec40e608caca59c13a5bde9a3d190c0
Malware Config

Extracted family: warzonerat
C2: wealth.warzonedns.com:5202
Signatures

NetWire RAT payload  31 IoCs

resource                                       yara_rule
behavioral1/files/0x0008000000012229-55.dat    netwire
behavioral1/files/0x0008000000012229-56.dat    netwire
behavioral1/files/0x0008000000012229-57.dat    netwire
behavioral1/files/0x0008000000012229-58.dat    netwire
behavioral1/files/0x0008000000012229-59.dat    netwire
behavioral1/files/0x0008000000012229-71.dat    netwire
behavioral1/files/0x0007000000012243-72.dat    netwire
behavioral1/files/0x0007000000012243-73.dat    netwire
behavioral1/files/0x0007000000012243-74.dat    netwire
behavioral1/files/0x0008000000012231-80.dat    netwire
behavioral1/files/0x0008000000012231-81.dat    netwire
behavioral1/files/0x0008000000012229-83.dat    netwire
behavioral1/files/0x0008000000012229-84.dat    netwire
behavioral1/files/0x0008000000012229-86.dat    netwire
behavioral1/files/0x0008000000012229-85.dat    netwire
behavioral1/files/0x0008000000012229-87.dat    netwire
behavioral1/files/0x0007000000012243-89.dat    netwire
behavioral1/files/0x0008000000012231-98.dat    netwire
behavioral1/files/0x0008000000012229-105.dat   netwire
behavioral1/files/0x0008000000012231-106.dat   netwire
behavioral1/files/0x0008000000012229-108.dat   netwire
behavioral1/files/0x0008000000012229-110.dat   netwire
behavioral1/files/0x0008000000012229-109.dat   netwire
behavioral1/files/0x0008000000012229-111.dat   netwire
behavioral1/files/0x0008000000012231-121.dat   netwire
behavioral1/files/0x0008000000012231-128.dat   netwire
behavioral1/files/0x0008000000012229-130.dat   netwire
behavioral1/files/0x0008000000012229-132.dat   netwire
behavioral1/files/0x0008000000012229-131.dat   netwire
behavioral1/files/0x0008000000012229-133.dat   netwire
behavioral1/files/0x0008000000012231-144.dat   netwire

Caveat: these are file-level YARA hits on three dropped resources (0x...12229, 0x...12243, 0x...12231), and resource 0x0008000000012231 also matches the autoit_exe rule below. The memory-level rule and the extracted configuration both identify WarzoneRAT, so the two classifications conflict; treat the extracted C2 configuration as the authoritative family identification and the NetWire label as an unverified file-rule hit.
WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
Warzone RAT Payload  6 IoCs

resource                                                                       yara_rule
behavioral1/memory/364-61-0x00000000000D0000-0x00000000000ED000-memory.dmp     warzonerat
behavioral1/memory/364-70-0x00000000000D0000-0x00000000000ED000-memory.dmp     warzonerat
behavioral1/memory/1944-91-0x0000000000080000-0x000000000009D000-memory.dmp    warzonerat
behavioral1/memory/1944-100-0x0000000000080000-0x000000000009D000-memory.dmp   warzonerat
behavioral1/memory/1332-136-0x00000000000C0000-0x00000000000DD000-memory.dmp   warzonerat
behavioral1/memory/1332-146-0x00000000000C0000-0x00000000000DD000-memory.dmp   warzonerat

The three matching PIDs (364, 1944, 1332) are exactly the children whose thread context was replaced by a parent in the SetThreadContext table below, and each matched region is the same 0x1D000 bytes long; the payload is therefore the image injected into a hollowed copy of the parent, not the dropped file on disk. PID 1828, the fourth SetThreadContext target, has no memory match in this report.
Executes dropped EXE  11 IoCs

pid    Process
772    Blasthost.exe
276    Host.exe
968    RtDCpl64.exe
996    Blasthost.exe
1944   RtDCpl64.exe
1728   RtDCpl64.exe
688    Blasthost.exe
1828   RtDCpl64.exe
2044   RtDCpl64.exe
912    Blasthost.exe
1332   RtDCpl64.exe
Loads dropped DLL  16 IoCs  (collapsed to one row per process; count = number of load events)

pid    Process                                                                  count
1920   5e703b826e5eee3224c5dbb302cf6614305081b15f306b15c7859d3b01d711d2.exe     4
772    Blasthost.exe                                                            2
968    RtDCpl64.exe                                                             4
1728   RtDCpl64.exe                                                             3
2044   RtDCpl64.exe                                                             3
Suspicious use of SetThreadContext  4 IoCs

description                              pid    Process                                                                  procid_target
PID 1920 set thread context of 364       1920   5e703b826e5eee3224c5dbb302cf6614305081b15f306b15c7859d3b01d711d2.exe     28
PID 968 set thread context of 1944       968    RtDCpl64.exe                                                             37
PID 1728 set thread context of 1828      1728   RtDCpl64.exe                                                             46
PID 2044 set thread context of 1332      2044   RtDCpl64.exe                                                             53
autoit_exe  7 IoCs
AutoIT scripts compiled to PE executables.

resource                                       yara_rule
behavioral1/files/0x0008000000012231-80.dat    autoit_exe
behavioral1/files/0x0008000000012231-81.dat    autoit_exe
behavioral1/files/0x0008000000012231-98.dat    autoit_exe
behavioral1/files/0x0008000000012231-106.dat   autoit_exe
behavioral1/files/0x0008000000012231-121.dat   autoit_exe
behavioral1/files/0x0008000000012231-128.dat   autoit_exe
behavioral1/files/0x0008000000012231-144.dat   autoit_exe
Enumerates physical storage devices  1 TTPs
Attempts to interact with connected storage/optical drive(s). The sandbox's generic description for this signature adds "likely ransomware behaviour"; nothing else in this report (no file encryption, no ransom note, an extracted RAT configuration) supports that reading for this sample, so treat it as plain drive enumeration.
Creates scheduled task(s)  1 TTPs  4 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.

pid    Process
1704   schtasks.exe
1000   schtasks.exe
316    schtasks.exe
1140   schtasks.exe

All four registrations use the same command line (see the process tree): task name raserver, action C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe, trigger every minute (/sc minute /mo 1), and /F to overwrite any existing task of that name. The once-a-minute trigger is why taskeng.exe (PID 672) starts RtDCpl64.exe three times (PIDs 968, 1728, 2044) within the 158 s run, and each of those instances re-registers the identical task.
Suspicious use of WriteProcessMemory  64 IoCs

The table is collapsed to one row per (source, target) pair; count is the number of identical rows in the report.

description                          pid    Process                                                                  procid_target   count
PID 1920 wrote to memory of 772      1920   5e703b826e5eee3224c5dbb302cf6614305081b15f306b15c7859d3b01d711d2.exe     27              4
PID 1920 wrote to memory of 364      1920   5e703b826e5eee3224c5dbb302cf6614305081b15f306b15c7859d3b01d711d2.exe     28              6
PID 772 wrote to memory of 276       772    Blasthost.exe                                                            29              4
PID 1920 wrote to memory of 1000     1920   5e703b826e5eee3224c5dbb302cf6614305081b15f306b15c7859d3b01d711d2.exe     30              4
PID 364 wrote to memory of 2004      364    5e703b826e5eee3224c5dbb302cf6614305081b15f306b15c7859d3b01d711d2.exe     32              6
PID 672 wrote to memory of 968       672    taskeng.exe                                                              35              4
PID 968 wrote to memory of 996       968    RtDCpl64.exe                                                             36              4
PID 968 wrote to memory of 1944      968    RtDCpl64.exe                                                             37              6
PID 1944 wrote to memory of 1736     1944   RtDCpl64.exe                                                             38              6
PID 968 wrote to memory of 316       968    RtDCpl64.exe                                                             40              4
PID 672 wrote to memory of 1728      672    taskeng.exe                                                              44              4
PID 1728 wrote to memory of 688      1728   RtDCpl64.exe                                                             45              4
PID 1728 wrote to memory of 1828     1728   RtDCpl64.exe                                                             46              6
PID 1728 wrote to memory of 1140     1728   RtDCpl64.exe                                                             47              2

Two things to read out of this table. First, every ordinary child, schtasks.exe included, receives four writes from its parent, so the write count alone is not the injection signal; the pairs that also appear in the SetThreadContext table (1920 -> 364, 968 -> 1944, 1728 -> 1828) are the hollowing events, and the cmd.exe children of the hollowed processes (2004, 1736) get six writes without a context change. Second, the listing is capped at 64 rows: the final pair (1728 -> 1140) has only two rows where comparable pairs have four, and the PID 2044 chain (912, 1332, 1704) is missing entirely, so its absence here is a truncation artefact, not evidence that 2044 wrote to its children.
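To turn the SetThreadContext and WriteProcessMemory tables above into a verdict, here is an added Python example (written for this edit; it is not part of the sandbox report or its tooling). It correlates the SetThreadContext pairs with the collapsed write counts and the PID-to-image map from the process tree, and it treats a SetThreadContext pair with no captured writes as "unconfirmed" rather than ignoring it, because the write table is capped. The PID and image data are transcribed from this report; the Finding class, the kind labels and the "most common write count is the baseline" heuristic are this example's own assumptions.

```python
"""Correlate the report's SetThreadContext and WriteProcessMemory tables into
process-hollowing candidates.  Added example, not part of the sandbox report."""
from collections import Counter
from dataclasses import dataclass

SAMPLE = "5e703b826e5eee3224c5dbb302cf6614305081b15f306b15c7859d3b01d711d2.exe"

# PID -> image name, transcribed from the report's process tree.
IMAGE = {
    1920: SAMPLE, 364: SAMPLE, 772: "Blasthost.exe", 276: "Host.exe",
    2004: "cmd.exe", 1000: "schtasks.exe", 672: "taskeng.exe",
    968: "RtDCpl64.exe", 996: "Blasthost.exe", 1944: "RtDCpl64.exe",
    1736: "cmd.exe", 316: "schtasks.exe", 1728: "RtDCpl64.exe",
    688: "Blasthost.exe", 1828: "RtDCpl64.exe", 1140: "schtasks.exe",
    2044: "RtDCpl64.exe", 1332: "RtDCpl64.exe",
}

# "Suspicious use of SetThreadContext": (source pid, target pid).
SET_THREAD_CONTEXT = [(1920, 364), (968, 1944), (1728, 1828), (2044, 1332)]

# "Suspicious use of WriteProcessMemory", collapsed to (source, target) -> count.
# The report caps this table at 64 rows, so the PID 2044 chain never appears.
WRITE_PROCESS_MEMORY = Counter({
    (1920, 772): 4, (1920, 364): 6, (772, 276): 4, (1920, 1000): 4,
    (364, 2004): 6, (672, 968): 4, (968, 996): 4, (968, 1944): 6,
    (1944, 1736): 6, (968, 316): 4, (672, 1728): 4, (1728, 688): 4,
    (1728, 1828): 6, (1728, 1140): 2,
})


@dataclass(frozen=True)
class Finding:
    source: int
    target: int
    target_image: str
    kind: str         # "hollowing", "hollowing-unconfirmed" or "extra-writes"
    self_image: bool  # source and target run the same executable (RunPE style)
    writes: int


def write_baseline(wpm):
    """Most common per-pair write count.  In this report every ordinary child,
    schtasks.exe included, gets the same small number of writes from its
    parent, so that value is the noise floor (heuristic assumed here)."""
    return Counter(wpm.values()).most_common(1)[0][0]


def hollowing_candidates(stc, wpm, image):
    baseline = write_baseline(wpm)
    stc_pairs = set(stc)
    findings = []
    # A parent that writes into a child and then replaces the child's thread
    # context is the classic hollowing sequence.  A context change with no
    # captured writes is kept as "unconfirmed" because the write table is capped.
    for src, tgt in stc:
        writes = wpm.get((src, tgt), 0)
        kind = "hollowing" if writes else "hollowing-unconfirmed"
        findings.append(Finding(src, tgt, image.get(tgt, "?"), kind,
                                image.get(src) == image.get(tgt), writes))
    # Above-baseline writes without SetThreadContext: not hollowing on their
    # own, but surfaced so the analyst can decide.
    for (src, tgt), n in sorted(wpm.items()):
        if (src, tgt) in stc_pairs or n <= baseline:
            continue
        findings.append(Finding(src, tgt, image.get(tgt, "?"), "extra-writes",
                                image.get(src) == image.get(tgt), n))
    return findings


if __name__ == "__main__":
    for f in hollowing_candidates(SET_THREAD_CONTEXT, WRITE_PROCESS_MEMORY, IMAGE):
        print(f"{f.kind:22} {f.source:>5} -> {f.target:<5} {f.target_image}"
              f"{' (same image)' if f.self_image else ''}  writes={f.writes}")
```

Run stand-alone it prints three confirmed self-image hollowings (the sample into a second copy of itself, then RtDCpl64.exe into itself twice), one unconfirmed pair for PID 2044, and the two cmd.exe children that received extra writes without a context change.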
Processes

Each entry gives the image path, the command line where it differs from the image path, the signature tags, and the PID. Indentation shows the parent/child relationship.

C:\Users\Admin\AppData\Local\Temp\5e703b826e5eee3224c5dbb302cf6614305081b15f306b15c7859d3b01d711d2.exe  PID 1920
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Roaming\Blasthost.exe  PID 772
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
        C:\Users\Admin\AppData\Roaming\Imgburn\Host.exe  PID 276
        - Executes dropped EXE
    C:\Users\Admin\AppData\Local\Temp\5e703b826e5eee3224c5dbb302cf6614305081b15f306b15c7859d3b01d711d2.exe  PID 364  (second copy of the sample; target of PID 1920's SetThreadContext, Warzone payload in memory)
    - Suspicious use of WriteProcessMemory
        C:\Windows\SysWOW64\cmd.exe  PID 2004
        cmdline: "C:\Windows\System32\cmd.exe"
    C:\Windows\SysWOW64\schtasks.exe  PID 1000
    cmdline: "C:\Windows\SysWOW64\schtasks.exe" /create /tn raserver /tr "C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe" /sc minute /mo 1 /F
    - Creates scheduled task(s)

C:\Windows\system32\taskeng.exe  PID 672
cmdline: taskeng.exe {495D5BDC-BC75-4805-9814-CB064BABD8AC} S-1-5-21-3846991908-3261386348-1409841751-1000:VQVVOAJK\Admin:Interactive:[1]
- Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe  PID 968
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
        C:\Users\Admin\AppData\Roaming\Blasthost.exe  PID 996
        - Executes dropped EXE
        C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe  PID 1944  (target of PID 968's SetThreadContext, Warzone payload in memory)
        - Executes dropped EXE
        - Suspicious use of WriteProcessMemory
            C:\Windows\SysWOW64\cmd.exe  PID 1736
            cmdline: "C:\Windows\System32\cmd.exe"
        C:\Windows\SysWOW64\schtasks.exe  PID 316
        cmdline: "C:\Windows\SysWOW64\schtasks.exe" /create /tn raserver /tr "C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe" /sc minute /mo 1 /F
        - Creates scheduled task(s)
    C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe  PID 1728
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
        C:\Users\Admin\AppData\Roaming\Blasthost.exe  PID 688
        - Executes dropped EXE
        C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe  PID 1828  (target of PID 1728's SetThreadContext)
        - Executes dropped EXE
            C:\Windows\SysWOW64\cmd.exe  PID 292
            cmdline: "C:\Windows\System32\cmd.exe"
        C:\Windows\SysWOW64\schtasks.exe  PID 1140
        cmdline: "C:\Windows\SysWOW64\schtasks.exe" /create /tn raserver /tr "C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe" /sc minute /mo 1 /F
        - Creates scheduled task(s)
    C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe  PID 2044
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
        C:\Users\Admin\AppData\Roaming\Blasthost.exe  PID 912
        - Executes dropped EXE
        C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe  PID 1332  (target of PID 2044's SetThreadContext, Warzone payload in memory)
        - Executes dropped EXE
            C:\Windows\SysWOW64\cmd.exe  PID 1052
            cmdline: "C:\Windows\System32\cmd.exe"
        C:\Windows\SysWOW64\schtasks.exe  PID 1704
        cmdline: "C:\Windows\SysWOW64\schtasks.exe" /create /tn raserver /tr "C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe" /sc minute /mo 1 /F
        - Creates scheduled task(s)

Note on the cmd.exe entries: the command line names C:\Windows\System32\cmd.exe but the image that ran is C:\Windows\SysWOW64\cmd.exe. That is WoW64 file-system redirection, which means the launching processes (the sample and RtDCpl64.exe) are 32-bit; the same holds for schtasks.exe, which is invoked from SysWOW64 directly. The whole chain repeats three times under taskeng.exe because the task it registers fires every minute: drop Blasthost.exe, start a second RtDCpl64.exe and hollow it, spawn cmd.exe from the hollowed copy, and re-register the task.
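The schtasks.exe command lines in the tree are the sample's only persistence mechanism, and the same registration shape (a short /sc minute interval, an action under a user-writable directory, /F to overwrite) is what a hunt for this family should key on. The following added Python example (written for this edit; not code from the report, the sandbox, or the malware) parses schtasks /create command lines and returns the reasons a registration looks like malware persistence. The first command line is the one from this report; the second is a constructed benign registration for contrast. VALUE_SWITCHES, USER_WRITABLE and the reason strings are this example's own choices, not sandbox signatures.

```python
"""Parse schtasks.exe /create command lines and flag persistence-style
registrations.  Added example, not part of the sandbox report."""
import re

# schtasks switches that take a value; anything else (/create, /F, ...) is a bare
# flag.  Assumed list, covering the common switches.
VALUE_SWITCHES = {"tn", "tr", "sc", "mo", "st", "sd", "ed", "ru", "rp", "rl",
                  "d", "m", "du", "ri", "xml", "s", "u", "p"}
# Directories an unprivileged user can write to (assumed, lower-cased fragments).
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\users\\public\\", "\\programdata\\")
_TOKEN = re.compile(r'"([^"]*)"|(\S+)')

# Constructed input: the command line from the report plus an assumed benign
# registration for contrast.
CMDLINES = [
    r'"C:\Windows\SysWOW64\schtasks.exe" /create /tn raserver /tr "C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe" /sc minute /mo 1 /F',
    r'"C:\Windows\System32\schtasks.exe" /create /tn "Backup\Nightly" /tr "C:\Program Files\Backup\backup.exe" /sc daily /st 02:00',
]


def tokenize(cmdline):
    """Split a Windows command line, honouring double quotes (enough for schtasks)."""
    return [m.group(1) if m.group(1) is not None else m.group(2)
            for m in _TOKEN.finditer(cmdline)]


def parse_schtasks(cmdline):
    """Return None unless this is a schtasks.exe /create invocation; otherwise a
    dict of lower-cased switch -> value (True for bare flags)."""
    toks = tokenize(cmdline)
    if not toks or not toks[0].lower().endswith("schtasks.exe"):
        return None
    task, i = {}, 1
    while i < len(toks):
        tok = toks[i]
        if tok.startswith("/"):
            key = tok[1:].lower()
            if key in VALUE_SWITCHES and i + 1 < len(toks):
                task[key] = toks[i + 1]
                i += 2
                continue
            task[key] = True
        i += 1
    return task if "create" in task else None


def persistence_flags(task):
    """Reasons this registration looks like malware persistence (empty if none)."""
    reasons = []
    sc = str(task.get("sc", "")).lower()
    try:
        interval = int(task.get("mo", 1))
    except (TypeError, ValueError):
        interval = 1
    if sc == "minute" and interval <= 5:
        reasons.append(f"re-runs every {interval} minute(s)")
    target = str(task.get("tr", "")).lower()
    if any(frag in target for frag in USER_WRITABLE):
        reasons.append("action lives under a user-writable directory")
    if task.get("f"):
        reasons.append("/F silently overwrites an existing task with the same name")
    return reasons


def triage(cmdlines):
    """(task name, action, reasons) for every schtasks /create in the input."""
    out = []
    for cmd in cmdlines:
        task = parse_schtasks(cmd)
        if task is not None:
            out.append((task.get("tn"), task.get("tr"), persistence_flags(task)))
    return out


if __name__ == "__main__":
    for name, action, reasons in triage(CMDLINES):
        print(f"{name!r}: {action}")
        for r in reasons:
            print(f"    - {r}")
```

Against the report's command line the function returns all three reasons (every minute, action under AppData\Roaming, /F); the constructed nightly backup registration returns none. On a live host the same parser can be fed Sysmon process-creation events or the `Actions`/`Triggers` of `Get-ScheduledTask` output, which is where the name raserver and the aepic\RtDCpl64.exe path from this report would be searched for.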