Analysis

Max time kernel: 164s
Max time network: 137s
Platform: windows7_x64
Resource: win7-en-20211208
Submitted: 17/02/2022, 02:51

Behavioral tasks
- behavioral1: sample 5e8f02a6b2da3f020e0cb8c13c617a93ecc609367f3d5f15b3fc431d1acd3a3d.exe on resource win7-en-20211208
- behavioral2: sample 5e8f02a6b2da3f020e0cb8c13c617a93ecc609367f3d5f15b3fc431d1acd3a3d.exe on resource win10v2004-en-20220113

Only behavioral1 (Windows 7 x64) results appear in the signature and process sections of this report.
General

Target: 5e8f02a6b2da3f020e0cb8c13c617a93ecc609367f3d5f15b3fc431d1acd3a3d.exe
Size: 1.3MB
MD5: 8bb18b7bb57a542eeb7b1e92b9e333c1
SHA1: 7f594d5e69832bcbed332898b00d0489f6d5486b
SHA256: 5e8f02a6b2da3f020e0cb8c13c617a93ecc609367f3d5f15b3fc431d1acd3a3d
SHA512: d921b03f00036af59a975f1e546920a06bf71feafabb639fe320ea89a02442f5a09ebe37e2be3126174852ef06135c1e758300cca80f6858d78f98af9708d11a
Malware Config

Extracted family: warzonerat
C2: wealth.warzonedns.com:5202

The C2 is a hostname rather than an address, so hunt on DNS resolution of wealth.warzonedns.com as well as on outbound TCP/5202.
Signatures

NetWire RAT payload (25 IoCs)
YARA rule "netwire" matched on dropped files from behavioral1 (file names as the sandbox records them):
- behavioral1/files/0x000800000001225c-{55,56,57,58,59,72,83,84,85,86,87,104,107,108,109,110}.dat (16 matches)
- behavioral1/files/0x0006000000012608-{73,74,75,89}.dat (4 matches)
- behavioral1/files/0x00070000000125a3-{80,81,98,105,120}.dat (5 matches)

WarzoneRat, AveMaria
WarzoneRat (also sold as AveMaria) is a native RAT written in C++ with multiple plugins, sold as malware-as-a-service.
NetWire and Warzone/AveMaria are distinct families. The "netwire" rule fires on the dropped files, while the memory dumps and the extracted configuration point to Warzone; treat the NetWire hit as unconfirmed until the dropped files have been examined by hand.
Warzone RAT Payload (4 IoCs)
YARA rule "warzonerat" matched in memory dumps of the two processes that were targets of SetThreadContext:
- behavioral1/memory/1368-61-0x0000000000080000-0x000000000009D000-memory.dmp
- behavioral1/memory/1368-71-0x0000000000080000-0x000000000009D000-memory.dmp
- behavioral1/memory/1568-113-0x00000000000C0000-0x00000000000DD000-memory.dmp
- behavioral1/memory/1568-122-0x00000000000C0000-0x00000000000DD000-memory.dmp
Both regions are 0x1D000 bytes at a low, non-image address (0x80000 in PID 1368, 0xC0000 in PID 1568), consistent with an unpacked payload written into the suspended child by its parent; that region is the one to carve for the decoded RAT.
Executes dropped EXE (8 IoCs)
- PID 792 Blasthost.exe
- PID 1168 Host.exe
- PID 600 RtDCpl64.exe
- PID 1752 Blasthost.exe
- PID 1384 RtDCpl64.exe
- PID 1104 RtDCpl64.exe
- PID 1640 Blasthost.exe
- PID 1568 RtDCpl64.exe
Loads dropped DLL (13 IoCs)
- PID 1684 5e8f02a6b2da3f020e0cb8c13c617a93ecc609367f3d5f15b3fc431d1acd3a3d.exe (4 loads)
- PID 792 Blasthost.exe (2 loads)
- PID 600 RtDCpl64.exe (4 loads)
- PID 1104 RtDCpl64.exe (3 loads)
Suspicious use of SetThreadContext (3 IoCs)
Source PID -> target PID (source image; sandbox-internal target procid, not a PID):
- 1684 -> 1368 (5e8f02a6b2da3f020e0cb8c13c617a93ecc609367f3d5f15b3fc431d1acd3a3d.exe; 28)
- 600 -> 1384 (RtDCpl64.exe; 39)
- 1104 -> 1568 (RtDCpl64.exe; 46)
In every case the target is a fresh copy of the caller's own image that the caller also wrote into (see WriteProcessMemory below): the create-suspended, overwrite, SetThreadContext, resume sequence of process hollowing.
autoit_exe (5 IoCs)
AutoIT scripts compiled to PE executables.
- behavioral1/files/0x00070000000125a3-{80,81,98,105,120}.dat
These are the same five files that also hit the "netwire" rule above. One file matching both rules usually means an AutoIt-compiled stub carrying an embedded payload; decompile the script rather than trusting either rule on its own.
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). The sandbox describes this as "likely ransomware behaviour", but it is a generic heuristic; nothing else in this report points to ransomware.
Creates scheduled task(s) (1 TTP, 3 IoCs)
schtasks is often used by malware for persistence or to perform post-infection execution.
- PID 1544 schtasks.exe
- PID 396 schtasks.exe
- PID 900 schtasks.exe
All three runs create the same task (see the command lines under Processes): name raserver, action C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe, trigger every minute, /F so an existing task of that name is overwritten without error.
Suspicious use of WriteProcessMemory (64 IoCs)
The original table repeats each source/target pair several times; collapsed here to one line per pair. Source PID -> target PID (source image; sandbox-internal target procid; rows in the original):
- 1684 -> 792 (5e8f02a6b2da3f020e0cb8c13c617a93ecc609367f3d5f15b3fc431d1acd3a3d.exe; 27; 4)
- 1684 -> 1368 (5e8f02a6b2da3f020e0cb8c13c617a93ecc609367f3d5f15b3fc431d1acd3a3d.exe; 28; 6)
- 792 -> 1168 (Blasthost.exe; 29; 4)
- 1684 -> 396 (5e8f02a6b2da3f020e0cb8c13c617a93ecc609367f3d5f15b3fc431d1acd3a3d.exe; 30; 4)
- 1368 -> 976 (5e8f02a6b2da3f020e0cb8c13c617a93ecc609367f3d5f15b3fc431d1acd3a3d.exe; 31; 6)
- 1064 -> 600 (taskeng.exe; 37; 4)
- 600 -> 1752 (RtDCpl64.exe; 38; 4)
- 600 -> 1384 (RtDCpl64.exe; 39; 6)
- 600 -> 900 (RtDCpl64.exe; 41; 4)
- 1384 -> 1712 (RtDCpl64.exe; 40; 6)
- 1064 -> 1104 (taskeng.exe; 44; 4)
- 1104 -> 1640 (RtDCpl64.exe; 45; 4)
- 1104 -> 1568 (RtDCpl64.exe; 46; 6)
- 1104 -> 1544 (RtDCpl64.exe; 47; 2; the table stops at 64 rows, part-way through this pair)
Every parent writes into every child it creates (CreateProcess does this), so a WriteProcessMemory row on its own is not evidence of injection. The pairs worth chasing are the three that also appear under SetThreadContext: 1684 -> 1368, 600 -> 1384 and 1104 -> 1568.
Processes

Process tree for behavioral1. Each entry gives the image path, the command line as recorded, the PID and the signatures that fired on that process; indentation replaces the original depth markers (1, 2, 3, 4).

- C:\Users\Admin\AppData\Local\Temp\5e8f02a6b2da3f020e0cb8c13c617a93ecc609367f3d5f15b3fc431d1acd3a3d.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\5e8f02a6b2da3f020e0cb8c13c617a93ecc609367f3d5f15b3fc431d1acd3a3d.exe"
  PID 1684: Loads dropped DLL; Suspicious use of SetThreadContext; Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Roaming\Blasthost.exe
    command line: "C:\Users\Admin\AppData\Roaming\Blasthost.exe"
    PID 792: Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Roaming\Imgburn\Host.exe
      command line: "C:\Users\Admin\AppData\Roaming\Imgburn\Host.exe"
      PID 1168: Executes dropped EXE
  - C:\Users\Admin\AppData\Local\Temp\5e8f02a6b2da3f020e0cb8c13c617a93ecc609367f3d5f15b3fc431d1acd3a3d.exe (second copy of the sample; target of SetThreadContext from PID 1684)
    command line: "C:\Users\Admin\AppData\Local\Temp\5e8f02a6b2da3f020e0cb8c13c617a93ecc609367f3d5f15b3fc431d1acd3a3d.exe"
    PID 1368: Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\cmd.exe
      command line: "C:\Windows\System32\cmd.exe"
      PID 976
  - C:\Windows\SysWOW64\schtasks.exe
    command line: "C:\Windows\SysWOW64\schtasks.exe" /create /tn raserver /tr "C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe" /sc minute /mo 1 /F
    PID 396: Creates scheduled task(s)

- C:\Windows\system32\taskeng.exe
  command line: taskeng.exe {CD1EDB0E-EE5C-4FB7-AD59-F4CC19E015E0} S-1-5-21-3846991908-3261386348-1409841751-1000:VQVVOAJK\Admin:Interactive:[1]
  PID 1064: Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
    command line: C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
    PID 600: Executes dropped EXE; Loads dropped DLL; Suspicious use of SetThreadContext; Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Roaming\Blasthost.exe
      command line: "C:\Users\Admin\AppData\Roaming\Blasthost.exe"
      PID 1752: Executes dropped EXE
    - C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe (second copy; target of SetThreadContext from PID 600)
      command line: "C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe"
      PID 1384: Executes dropped EXE; Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\cmd.exe
        command line: "C:\Windows\System32\cmd.exe"
        PID 1712
    - C:\Windows\SysWOW64\schtasks.exe
      command line: "C:\Windows\SysWOW64\schtasks.exe" /create /tn raserver /tr "C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe" /sc minute /mo 1 /F
      PID 900: Creates scheduled task(s)
  - C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
    command line: C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
    PID 1104: Executes dropped EXE; Loads dropped DLL; Suspicious use of SetThreadContext; Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Roaming\Blasthost.exe
      command line: "C:\Users\Admin\AppData\Roaming\Blasthost.exe"
      PID 1640: Executes dropped EXE
    - C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe (second copy; target of SetThreadContext from PID 1104)
      command line: "C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe"
      PID 1568: Executes dropped EXE
      - C:\Windows\SysWOW64\cmd.exe
        command line: "C:\Windows\System32\cmd.exe"
        PID 2000
    - C:\Windows\SysWOW64\schtasks.exe
      command line: "C:\Windows\SysWOW64\schtasks.exe" /create /tn raserver /tr "C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe" /sc minute /mo 1 /F
      PID 1544: Creates scheduled task(s)

Reading the tree: the sample drops Blasthost.exe (which in turn starts Imgburn\Host.exe) and aepic\RtDCpl64.exe, hollows a second copy of itself, and registers the raserver task. From then on taskeng.exe launches RtDCpl64.exe every minute, and each launch repeats the same pattern: re-run Blasthost.exe, hollow a copy of RtDCpl64.exe, and re-create the task with /F. The cmd.exe children show an image path under SysWOW64 while the command line names System32, which is WOW64 file-system redirection and tells you the parent is a 32-bit process on this x64 guest. Both persistence names borrow from legitimate binaries (raserver.exe is the Windows Remote Assistance server; RtDCpl64.exe is a Realtek audio control-panel executable), so triage on path and parent, not on file name.
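Two things a hunter would want to pull out of a report like this one automatically: which of the WriteProcessMemory / SetThreadContext pairs actually look like process hollowing (rather than the writes every parent makes into every child), and what the schtasks command line installs. The script below is an added example, not part of the sandbox report or of any sandbox's own code. The event lines, the PID-to-image map and the schtasks command line are copied from the report above; the hollowing rule, the switch table in NO_VALUE and the persistence scoring are this example's own heuristics.

```python
"""Score the injection and persistence evidence in the sandbox report above.

Added example, not the report's or any sandbox's own code.  Event lines,
PID-to-image map and the schtasks command line are copied from the report;
find_hollowing() and persistence_indicators() are this example's own heuristics."""
import ntpath   # basename() that understands backslashes even when run on Linux
import re

SAMPLE = "5e8f02a6b2da3f020e0cb8c13c617a93ecc609367f3d5f15b3fc431d1acd3a3d.exe"
TEMP = r"C:\Users\Admin\AppData\Local\Temp"
ROAMING = r"C:\Users\Admin\AppData\Roaming"

# PID -> image path, from the report's Processes section (only PIDs used below).
PROCESSES = {
    1684: TEMP + "\\" + SAMPLE, 1368: TEMP + "\\" + SAMPLE,
    792: ROAMING + r"\Blasthost.exe", 1168: ROAMING + r"\Imgburn\Host.exe",
    600: ROAMING + r"\aepic\RtDCpl64.exe", 1384: ROAMING + r"\aepic\RtDCpl64.exe",
    1104: ROAMING + r"\aepic\RtDCpl64.exe", 1568: ROAMING + r"\aepic\RtDCpl64.exe",
    1064: r"C:\Windows\system32\taskeng.exe",
}

# Distinct lines from the report's SetThreadContext and WriteProcessMemory tables
# (the report repeats WriteProcessMemory rows; duplicates and some pairs dropped).
EVENTS = f"""
PID 1684 set thread context of 1368 1684 {SAMPLE} 28
PID 600 set thread context of 1384 600 RtDCpl64.exe 39
PID 1104 set thread context of 1568 1104 RtDCpl64.exe 46
PID 1684 wrote to memory of 792 1684 {SAMPLE} 27
PID 1684 wrote to memory of 1368 1684 {SAMPLE} 28
PID 792 wrote to memory of 1168 792 Blasthost.exe 29
PID 1064 wrote to memory of 600 1064 taskeng.exe 37
PID 600 wrote to memory of 1384 600 RtDCpl64.exe 39
PID 1064 wrote to memory of 1104 1064 taskeng.exe 44
PID 1104 wrote to memory of 1568 1104 RtDCpl64.exe 46
"""

SCHTASKS_CMD = (r'"C:\Windows\SysWOW64\schtasks.exe" /create /tn raserver '
                r'/tr "C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe" /sc minute /mo 1 /F')

EVENT_RE = re.compile(r"PID (\d+) (wrote to memory of|set thread context of) (\d+) \d+ \S+ \d+")

def parse_events(text):
    """{(source_pid, target_pid): {'write', 'setctx'}} from the report's event lines."""
    ops = {}
    for src, op, dst in EVENT_RE.findall(text):
        kind = "setctx" if op.startswith("set") else "write"
        ops.setdefault((int(src), int(dst)), set()).add(kind)
    return ops

def find_hollowing(ops, procs):
    """Flag a parent that both writes into a child and resets the child's thread
    context, where the child runs the parent's own image: the create-suspended /
    overwrite / SetThreadContext / resume sequence of process hollowing.
    Writes alone are not a signal; CreateProcess writes into every new child."""
    hits = []
    for (src, dst), kinds in sorted(ops.items()):
        same_image = ntpath.basename(procs[src]).lower() == ntpath.basename(procs[dst]).lower()
        if {"write", "setctx"} <= kinds and same_image:
            hits.append((src, dst, ntpath.basename(procs[dst])))
    return hits

ARG_RE = re.compile(r'"([^"]*)"|(\S+)')          # one quoted or bare command-line token
NO_VALUE = {"/create", "/delete", "/query", "/run", "/end", "/f", "/it", "/z", "/np", "/v"}

def parse_schtasks(cmdline):
    """Map schtasks switches to their values; switches in NO_VALUE map to True.
    NO_VALUE is this example's list of common argument-less switches (assumption)."""
    toks = [quoted or bare for quoted, bare in ARG_RE.findall(cmdline)]
    args, i = {}, 1                              # toks[0] is the schtasks.exe path
    while i < len(toks):
        key = toks[i].lower()
        if key in NO_VALUE or i + 1 == len(toks):
            args[key], i = True, i + 1
        else:
            args[key], i = toks[i + 1], i + 2
    return args

def persistence_indicators(args):
    """This example's own reasons a freshly created task deserves a look."""
    reasons = []
    action = str(args.get("/tr", ""))
    if re.search(r"\\AppData\\(Roaming|Local)\\", action, re.I):
        reasons.append("action binary lives under the user's AppData: " + action)
    every = str(args.get("/mo", "1"))
    if str(args.get("/sc", "")).lower() == "minute" and every.isdigit() and int(every) <= 5:
        reasons.append(f"re-launched every {every} minute(s); killing the process alone does not remove it")
    if args.get("/f"):
        reasons.append("/F overwrites any existing task of that name, so repeat installs raise no error")
    return reasons

def triage():
    """Everything the hunter pulls from this report, in one dict."""
    task = parse_schtasks(SCHTASKS_CMD)
    return {"hollowing": find_hollowing(parse_events(EVENTS), PROCESSES),
            "task": task, "why_suspicious": persistence_indicators(task)}

if __name__ == "__main__":
    for key, value in triage().items():
        print(key, value)
```

Run as-is it reports the three hollowing pairs (600 -> 1384, 1104 -> 1568, 1684 -> 1368) and all three persistence reasons for the raserver task, while a task such as a daily backup under Program Files yields none. The same-image test is deliberately narrow: hollowing into a different, legitimate binary (svchost.exe, RegAsm.exe) would not match it, so on real telemetry pair it with a check on whether the written region later shows up in a memory dump, as the warzonerat matches in PIDs 1368 and 1568 do here.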