Analysis
max time kernel: 165s
max time network: 173s
platform: windows10-2004_x64
resource: win10v2004-en-20220113
submitted: 17/02/2022, 02:52
Behavioral task: behavioral1
Sample: 5e703b826e5eee3224c5dbb302cf6614305081b15f306b15c7859d3b01d711d2.exe
Resource: win7-en-20211208

Behavioral task: behavioral2
Sample: 5e703b826e5eee3224c5dbb302cf6614305081b15f306b15c7859d3b01d711d2.exe
Resource: win10v2004-en-20220113
General
Target: 5e703b826e5eee3224c5dbb302cf6614305081b15f306b15c7859d3b01d711d2.exe
Size: 1.3MB
MD5: 3e7104680f97799c4b4ce6fed9c37887
SHA1: 6c7b28fdc2abf04aafca9afe7fbbbb0c28a53a1e
SHA256: 5e703b826e5eee3224c5dbb302cf6614305081b15f306b15c7859d3b01d711d2
SHA512: a37e3015d86b9201fa4bc3917114a94d5e7c56ab23999c37b1240b18d62dab8f81e6fddb86d72cad7679e187a1d4a742eec40e608caca59c13a5bde9a3d190c0
Malware Config
Extracted
Family: warzonerat
C2: wealth.warzonedns.com:5202
Signatures

NetWire RAT payload (9 IoCs)
  resource                                       yara_rule
  behavioral2/files/0x000300000000072f-130.dat   netwire
  behavioral2/files/0x000300000000072f-131.dat   netwire
  behavioral2/files/0x000400000001629a-141.dat   netwire
  behavioral2/files/0x000400000001629a-142.dat   netwire
  behavioral2/files/0x00070000000162aa-147.dat   netwire
  behavioral2/files/0x00070000000162aa-148.dat   netwire
  behavioral2/files/0x000300000000072f-149.dat   netwire
  behavioral2/files/0x00070000000162aa-157.dat   netwire
  behavioral2/files/0x000300000000072f-160.dat   netwire

WarzoneRat, AveMaria
  WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.

Warzone RAT Payload (2 IoCs)
  resource                                                                       yara_rule
  behavioral2/memory/4856-133-0x0000000000400000-0x000000000041D000-memory.dmp   warzonerat
  behavioral2/memory/4856-140-0x0000000000400000-0x000000000041D000-memory.dmp   warzonerat

Executes dropped EXE (5 IoCs)
  pid    Process
  764    Blasthost.exe
  1420   Host.exe
  972    RtDCpl64.exe
  1344   Blasthost.exe
  4828   RtDCpl64.exe

Checks computer location settings (2 TTPs, 2 IoCs)
  Looks up country code configured in the registry, likely geofence.
  description         ioc                                                                                                   Process
  Key value queried   \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation   5e703b826e5eee3224c5dbb302cf6614305081b15f306b15c7859d3b01d711d2.exe
  Key value queried   \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation   RtDCpl64.exe

Suspicious use of SetThreadContext (2 IoCs)
  description                           pid    Process                                                                 procid_target
  PID 4800 set thread context of 4856   4800   5e703b826e5eee3224c5dbb302cf6614305081b15f306b15c7859d3b01d711d2.exe   83
  PID 972 set thread context of 4828    972    RtDCpl64.exe                                                            115

autoit_exe (3 IoCs)
  AutoIT scripts compiled to PE executables.
  resource                                       yara_rule
  behavioral2/files/0x00070000000162aa-147.dat   autoit_exe
  behavioral2/files/0x00070000000162aa-148.dat   autoit_exe
  behavioral2/files/0x00070000000162aa-157.dat   autoit_exe

Drops file in Windows directory (8 IoCs)
  description                    ioc                                                          Process
  File opened for modification   C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk       svchost.exe
  File opened for modification   C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log       svchost.exe
  File opened for modification   C:\Windows\SoftwareDistribution\DataStore\DataStore.edb      svchost.exe
  File opened for modification   C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm      svchost.exe
  File opened for modification   C:\Windows\SoftwareDistribution\ReportingEvents.log          svchost.exe
  File opened for modification   C:\Windows\Logs\CBS\CBS.log                                  TiWorker.exe
  File opened for modification   C:\Windows\WinSxS\pending.xml                                TiWorker.exe
  File opened for modification   C:\Windows\WindowsUpdate.log                                 svchost.exe

Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Creates scheduled task(s) (1 TTPs, 2 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  pid    Process
  1476   schtasks.exe
  3568   schtasks.exe

Suspicious use of AdjustPrivilegeToken (64 IoCs)
  description                        pid    Process
  Token: SeShutdownPrivilege         228    svchost.exe
  Token: SeCreatePagefilePrivilege   228    svchost.exe
  Token: SeShutdownPrivilege         228    svchost.exe
  Token: SeCreatePagefilePrivilege   228    svchost.exe
  Token: SeShutdownPrivilege         228    svchost.exe
  Token: SeCreatePagefilePrivilege   228    svchost.exe
  Token: SeSecurityPrivilege         2264   TiWorker.exe
  Token: SeRestorePrivilege          2264   TiWorker.exe
  Token: SeBackupPrivilege           2264   TiWorker.exe
  Token: SeBackupPrivilege           2264   TiWorker.exe
  Token: SeRestorePrivilege          2264   TiWorker.exe
  Token: SeSecurityPrivilege         2264   TiWorker.exe
  Token: SeBackupPrivilege           2264   TiWorker.exe
  Token: SeRestorePrivilege          2264   TiWorker.exe
  Token: SeSecurityPrivilege         2264   TiWorker.exe
  Token: SeBackupPrivilege           2264   TiWorker.exe
  Token: SeRestorePrivilege          2264   TiWorker.exe
  Token: SeSecurityPrivilege         2264   TiWorker.exe
  Token: SeBackupPrivilege           2264   TiWorker.exe
  Token: SeRestorePrivilege          2264   TiWorker.exe
  Token: SeSecurityPrivilege         2264   TiWorker.exe
  Token: SeBackupPrivilege           2264   TiWorker.exe
  Token: SeRestorePrivilege          2264   TiWorker.exe
  Token: SeSecurityPrivilege         2264   TiWorker.exe
  Token: SeBackupPrivilege           2264   TiWorker.exe
  Token: SeRestorePrivilege          2264   TiWorker.exe
  Token: SeSecurityPrivilege         2264   TiWorker.exe
  Token: SeBackupPrivilege           2264   TiWorker.exe
  Token: SeRestorePrivilege          2264   TiWorker.exe
  Token: SeSecurityPrivilege         2264   TiWorker.exe
  Token: SeBackupPrivilege           2264   TiWorker.exe
  Token: SeRestorePrivilege          2264   TiWorker.exe
  Token: SeSecurityPrivilege         2264   TiWorker.exe
  Token: SeBackupPrivilege           2264   TiWorker.exe
  Token: SeRestorePrivilege          2264   TiWorker.exe
  Token: SeSecurityPrivilege         2264   TiWorker.exe
  Token: SeBackupPrivilege           2264   TiWorker.exe
  Token: SeRestorePrivilege          2264   TiWorker.exe
  Token: SeSecurityPrivilege         2264   TiWorker.exe
  Token: SeBackupPrivilege           2264   TiWorker.exe
  Token: SeRestorePrivilege          2264   TiWorker.exe
  Token: SeSecurityPrivilege         2264   TiWorker.exe
  Token: SeBackupPrivilege           2264   TiWorker.exe
  Token: SeRestorePrivilege          2264   TiWorker.exe
  Token: SeSecurityPrivilege         2264   TiWorker.exe
  Token: SeBackupPrivilege           2264   TiWorker.exe
  Token: SeRestorePrivilege          2264   TiWorker.exe
  Token: SeSecurityPrivilege         2264   TiWorker.exe
  Token: SeBackupPrivilege           2264   TiWorker.exe
  Token: SeRestorePrivilege          2264   TiWorker.exe
  Token: SeSecurityPrivilege         2264   TiWorker.exe
  Token: SeBackupPrivilege           2264   TiWorker.exe
  Token: SeRestorePrivilege          2264   TiWorker.exe
  Token: SeSecurityPrivilege         2264   TiWorker.exe
  Token: SeBackupPrivilege           2264   TiWorker.exe
  Token: SeRestorePrivilege          2264   TiWorker.exe
  Token: SeSecurityPrivilege         2264   TiWorker.exe
  Token: SeBackupPrivilege           2264   TiWorker.exe
  Token: SeRestorePrivilege          2264   TiWorker.exe
  Token: SeSecurityPrivilege         2264   TiWorker.exe
  Token: SeBackupPrivilege           2264   TiWorker.exe
  Token: SeRestorePrivilege          2264   TiWorker.exe
  Token: SeSecurityPrivilege         2264   TiWorker.exe
  Token: SeBackupPrivilege           2264   TiWorker.exe

Suspicious use of WriteProcessMemory (35 IoCs)
  description                        pid    Process                                                                 procid_target
  PID 4800 wrote to memory of 764    4800   5e703b826e5eee3224c5dbb302cf6614305081b15f306b15c7859d3b01d711d2.exe   81
  PID 4800 wrote to memory of 764    4800   5e703b826e5eee3224c5dbb302cf6614305081b15f306b15c7859d3b01d711d2.exe   81
  PID 4800 wrote to memory of 764    4800   5e703b826e5eee3224c5dbb302cf6614305081b15f306b15c7859d3b01d711d2.exe   81
  PID 4800 wrote to memory of 4856   4800   5e703b826e5eee3224c5dbb302cf6614305081b15f306b15c7859d3b01d711d2.exe   83
  PID 4800 wrote to memory of 4856   4800   5e703b826e5eee3224c5dbb302cf6614305081b15f306b15c7859d3b01d711d2.exe   83
  PID 4800 wrote to memory of 4856   4800   5e703b826e5eee3224c5dbb302cf6614305081b15f306b15c7859d3b01d711d2.exe   83
  PID 4800 wrote to memory of 4856   4800   5e703b826e5eee3224c5dbb302cf6614305081b15f306b15c7859d3b01d711d2.exe   83
  PID 4800 wrote to memory of 4856   4800   5e703b826e5eee3224c5dbb302cf6614305081b15f306b15c7859d3b01d711d2.exe   83
  PID 764 wrote to memory of 1420    764    Blasthost.exe                                                           84
  PID 764 wrote to memory of 1420    764    Blasthost.exe                                                           84
  PID 764 wrote to memory of 1420    764    Blasthost.exe                                                           84
  PID 4800 wrote to memory of 1476   4800   5e703b826e5eee3224c5dbb302cf6614305081b15f306b15c7859d3b01d711d2.exe   85
  PID 4800 wrote to memory of 1476   4800   5e703b826e5eee3224c5dbb302cf6614305081b15f306b15c7859d3b01d711d2.exe   85
  PID 4800 wrote to memory of 1476   4800   5e703b826e5eee3224c5dbb302cf6614305081b15f306b15c7859d3b01d711d2.exe   85
  PID 4856 wrote to memory of 1924   4856   5e703b826e5eee3224c5dbb302cf6614305081b15f306b15c7859d3b01d711d2.exe   87
  PID 4856 wrote to memory of 1924   4856   5e703b826e5eee3224c5dbb302cf6614305081b15f306b15c7859d3b01d711d2.exe   87
  PID 4856 wrote to memory of 1924   4856   5e703b826e5eee3224c5dbb302cf6614305081b15f306b15c7859d3b01d711d2.exe   87
  PID 4856 wrote to memory of 1924   4856   5e703b826e5eee3224c5dbb302cf6614305081b15f306b15c7859d3b01d711d2.exe   87
  PID 4856 wrote to memory of 1924   4856   5e703b826e5eee3224c5dbb302cf6614305081b15f306b15c7859d3b01d711d2.exe   87
  PID 972 wrote to memory of 1344    972    RtDCpl64.exe                                                            114
  PID 972 wrote to memory of 1344    972    RtDCpl64.exe                                                            114
  PID 972 wrote to memory of 1344    972    RtDCpl64.exe                                                            114
  PID 972 wrote to memory of 4828    972    RtDCpl64.exe                                                            115
  PID 972 wrote to memory of 4828    972    RtDCpl64.exe                                                            115
  PID 972 wrote to memory of 4828    972    RtDCpl64.exe                                                            115
  PID 972 wrote to memory of 4828    972    RtDCpl64.exe                                                            115
  PID 972 wrote to memory of 4828    972    RtDCpl64.exe                                                            115
  PID 4828 wrote to memory of 4904   4828   RtDCpl64.exe                                                            116
  PID 4828 wrote to memory of 4904   4828   RtDCpl64.exe                                                            116
  PID 4828 wrote to memory of 4904   4828   RtDCpl64.exe                                                            116
  PID 972 wrote to memory of 3568    972    RtDCpl64.exe                                                            118
  PID 972 wrote to memory of 3568    972    RtDCpl64.exe                                                            118
  PID 972 wrote to memory of 3568    972    RtDCpl64.exe                                                            118
  PID 4828 wrote to memory of 4904   4828   RtDCpl64.exe                                                            116
  PID 4828 wrote to memory of 4904   4828   RtDCpl64.exe                                                            116
Processes

Image: C:\Users\Admin\AppData\Local\Temp\5e703b826e5eee3224c5dbb302cf6614305081b15f306b15c7859d3b01d711d2.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\5e703b826e5eee3224c5dbb302cf6614305081b15f306b15c7859d3b01d711d2.exe"
PID: 4800
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory

    Image: C:\Users\Admin\AppData\Roaming\Blasthost.exe
    Command line: "C:\Users\Admin\AppData\Roaming\Blasthost.exe"
    PID: 764
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory

        Image: C:\Users\Admin\AppData\Roaming\Imgburn\Host.exe
        Command line: "C:\Users\Admin\AppData\Roaming\Imgburn\Host.exe"
        PID: 1420
        - Executes dropped EXE

    Image: C:\Users\Admin\AppData\Local\Temp\5e703b826e5eee3224c5dbb302cf6614305081b15f306b15c7859d3b01d711d2.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\5e703b826e5eee3224c5dbb302cf6614305081b15f306b15c7859d3b01d711d2.exe"
    PID: 4856
    - Suspicious use of WriteProcessMemory

        Image: C:\Windows\SysWOW64\cmd.exe
        Command line: "C:\Windows\System32\cmd.exe"
        PID: 1924

    Image: C:\Windows\SysWOW64\schtasks.exe
    Command line: "C:\Windows\SysWOW64\schtasks.exe" /create /tn raserver /tr "C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe" /sc minute /mo 1 /F
    PID: 1476
    - Creates scheduled task(s)

Image: C:\Windows\system32\svchost.exe
Command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
PID: 228
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken

Image: C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
Command line: C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
PID: 2264
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken

Image: C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
Command line: C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
PID: 972
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory

    Image: C:\Users\Admin\AppData\Roaming\Blasthost.exe
    Command line: "C:\Users\Admin\AppData\Roaming\Blasthost.exe"
    PID: 1344
    - Executes dropped EXE

    Image: C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
    Command line: "C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe"
    PID: 4828
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory

        Image: C:\Windows\SysWOW64\cmd.exe
        Command line: "C:\Windows\System32\cmd.exe"
        PID: 4904

    Image: C:\Windows\SysWOW64\schtasks.exe
    Command line: "C:\Windows\SysWOW64\schtasks.exe" /create /tn raserver /tr "C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe" /sc minute /mo 1 /F
    PID: 3568
    - Creates scheduled task(s)