Analysis
max time kernel: 170s
max time network: 180s
platform: windows10-2004_x64
resource: win10v2004-en-20220113
submitted: 17/02/2022, 02:51
Behavioral tasks
behavioral1: sample 5e8f02a6b2da3f020e0cb8c13c617a93ecc609367f3d5f15b3fc431d1acd3a3d.exe, resource win7-en-20211208
behavioral2: sample 5e8f02a6b2da3f020e0cb8c13c617a93ecc609367f3d5f15b3fc431d1acd3a3d.exe, resource win10v2004-en-20220113
The signatures and the process tree on this page come from the behavioral2 (win10v2004) run; every resource listed below is prefixed behavioral2/.
General
Target: 5e8f02a6b2da3f020e0cb8c13c617a93ecc609367f3d5f15b3fc431d1acd3a3d.exe
Size: 1.3MB
MD5: 8bb18b7bb57a542eeb7b1e92b9e333c1
SHA1: 7f594d5e69832bcbed332898b00d0489f6d5486b
SHA256: 5e8f02a6b2da3f020e0cb8c13c617a93ecc609367f3d5f15b3fc431d1acd3a3d
SHA512: d921b03f00036af59a975f1e546920a06bf71feafabb639fe320ea89a02442f5a09ebe37e2be3126174852ef06135c1e758300cca80f6858d78f98af9708d11a
Malware Config
Extracted family: warzonerat
C2 (host:port): wealth.warzonedns.com:5202
Signatures

NetWire RAT payload (12 IoCs)
resource                                      yara_rule
behavioral2/files/0x000300000000072d-130.dat  netwire
behavioral2/files/0x000300000000072d-131.dat  netwire
behavioral2/files/0x0003000000000733-133.dat  netwire
behavioral2/files/0x0003000000000733-132.dat  netwire
behavioral2/files/0x001d00000001da68-147.dat  netwire
behavioral2/files/0x001d00000001da68-148.dat  netwire
behavioral2/files/0x000300000000072d-149.dat  netwire
behavioral2/files/0x001d00000001da68-157.dat  netwire
behavioral2/files/0x000300000000072d-160.dat  netwire
behavioral2/files/0x001d00000001da68-161.dat  netwire
behavioral2/files/0x000300000000072d-162.dat  netwire
behavioral2/files/0x001d00000001da68-170.dat  netwire
The netwire file rule fires on three distinct dropped-file resources (0x...072d, 0x...0733, 0x...1da68), while the memory rule and the extracted config identify Warzone. Treat this as a family-attribution conflict to be settled by the config extraction, not as evidence of a second payload, unless a NetWire config is also recovered.
WarzoneRat, AveMaria
WarzoneRat (also tracked as AveMaria) is a native RAT written in C++ with multiple plugins, sold as malware-as-a-service (MaaS).

Warzone RAT payload (4 IoCs)
resource                                                                      yara_rule
behavioral2/memory/1656-135-0x00000000003E0000-0x00000000003FD000-memory.dmp  warzonerat
behavioral2/memory/1656-142-0x00000000003E0000-0x00000000003FD000-memory.dmp  warzonerat
behavioral2/memory/1228-150-0x0000000000400000-0x000000000041D000-memory.dmp  warzonerat
behavioral2/memory/1228-158-0x0000000000400000-0x000000000041D000-memory.dmp  warzonerat
Both matching processes (PIDs 1656 and 1228) are children whose thread context was set by their parent (see "Suspicious use of SetThreadContext" below). No file-level warzonerat rule fires in this run: the unpacked Warzone payload is only visible in the memory of the hollowed copies.
Executes dropped EXE (8 IoCs)
pid   Process
4840  Blasthost.exe
4584  Host.exe
1740  RtDCpl64.exe
1256  Blasthost.exe
1228  RtDCpl64.exe
2364  RtDCpl64.exe
3924  Blasthost.exe
4276  RtDCpl64.exe
Checks computer location settings (2 TTPs, 3 IoCs)
Looks up the country code configured in the registry, likely a geofence. The path below is HKCU\Control Panel\International\Geo\Nation, shown under the sandbox user's SID.
description        ioc                                                                                                  Process
Key value queried  \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation  RtDCpl64.exe
Key value queried  \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation  5e8f02a6b2da3f020e0cb8c13c617a93ecc609367f3d5f15b3fc431d1acd3a3d.exe
Key value queried  \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation  RtDCpl64.exe
Suspicious use of SetThreadContext (3 IoCs)
description                  pid   Process                                                                Process target
set thread context of 1656   4500  5e8f02a6b2da3f020e0cb8c13c617a93ecc609367f3d5f15b3fc431d1acd3a3d.exe  85
set thread context of 1228   1740  RtDCpl64.exe                                                           106
set thread context of 4276   2364  RtDCpl64.exe                                                           114
In all three cases the target is a freshly spawned copy of the caller's own image (see the process tree). Combined with the WriteProcessMemory entries for the same parent/child pairs, this is the RunPE / process-hollowing pattern: the parent starts itself suspended, overwrites the child's memory with the decrypted payload, then redirects its thread.
autoit_exe (5 IoCs)
AutoIT scripts compiled to PE executables.
resource                                      yara_rule
behavioral2/files/0x001d00000001da68-147.dat  autoit_exe
behavioral2/files/0x001d00000001da68-148.dat  autoit_exe
behavioral2/files/0x001d00000001da68-157.dat  autoit_exe
behavioral2/files/0x001d00000001da68-161.dat  autoit_exe
behavioral2/files/0x001d00000001da68-170.dat  autoit_exe
All five hits are on the same dropped-file resource (0x001d00000001da68), which also matched the netwire rule above; the report does not map this resource to a path.
Drops file in Windows directory (8 IoCs)
description                   ioc                                                       Process
File opened for modification  C:\Windows\SoftwareDistribution\DataStore\DataStore.edb   svchost.exe
File opened for modification  C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm   svchost.exe
File opened for modification  C:\Windows\SoftwareDistribution\ReportingEvents.log       svchost.exe
File opened for modification  C:\Windows\Logs\CBS\CBS.log                               TiWorker.exe
File opened for modification  C:\Windows\WinSxS\pending.xml                             TiWorker.exe
File opened for modification  C:\Windows\WindowsUpdate.log                              svchost.exe
File opened for modification  C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk    svchost.exe
File opened for modification  C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log    svchost.exe
All eight writes come from the Windows Update service host (svchost.exe -k netsvcs -p -s wuauserv, PID 3028) and the servicing stack worker (TiWorker.exe, PID 2176), not from the sample or its drops. This is background OS activity captured during the run and should not be counted against the sample.
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). The sandbox's generic description adds "likely ransomware behaviour", but that inference does not fit this run: the extracted config and the memory rules identify a Warzone RAT, so treat this as generic drive enumeration. The report lists no IoC rows for this signature.
Creates scheduled task(s) (1 TTP, 3 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid   Process
4256  schtasks.exe
1168  schtasks.exe
2636  schtasks.exe
All three invocations create the same task, "raserver", which runs C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe every minute and uses /F to overwrite any existing task of that name (full command lines are in the process tree). Each RtDCpl64.exe run re-creates the task, so deleting the task alone does not remove persistence while any copy is still running.
Suspicious use of AdjustPrivilegeToken (64 IoCs)
The 64 entries are collapsed here by token and process; the original listing repeats them in sequence.
description                        pid   Process       entries
Token: SeShutdownPrivilege         3028  svchost.exe   3
Token: SeCreatePagefilePrivilege   3028  svchost.exe   3
Token: SeSecurityPrivilege         2176  TiWorker.exe  remaining entries, cycling through
Token: SeRestorePrivilege          2176  TiWorker.exe  these three privileges
Token: SeBackupPrivilege           2176  TiWorker.exe
Every entry belongs to the Windows Update / servicing processes (PIDs 3028 and 2176), not to the sample or its drops; backup, restore and security privileges on the servicing worker and shutdown privilege on the update service are consistent with normal servicing work. None of the sample's processes appears in this signature.
Suspicious use of WriteProcessMemory (51 IoCs)
Collapsed to one row per parent/child pair; "entries" is the number of write rows the sandbox recorded for that pair, and the target image is taken from the process tree. sample = 5e8f02a6b2da3f020e0cb8c13c617a93ecc609367f3d5f15b3fc431d1acd3a3d.exe.
pid   Process        wrote to memory of  target Process  procid_target  entries
4500  sample         4840                Blasthost.exe   82             3
4840  Blasthost.exe  4584                Host.exe        84             3
4500  sample         1656                sample          85             5
1656  sample         4852                cmd.exe         86             5
4500  sample         1168                schtasks.exe    88             3
1740  RtDCpl64.exe   1256                Blasthost.exe   105            3
1740  RtDCpl64.exe   1228                RtDCpl64.exe    106            5
1228  RtDCpl64.exe   684                 cmd.exe         107            5
1740  RtDCpl64.exe   2636                schtasks.exe    109            3
2364  RtDCpl64.exe   3924                Blasthost.exe   113            3
2364  RtDCpl64.exe   4276                RtDCpl64.exe    114            5
4276  RtDCpl64.exe   1648                cmd.exe         115            5
2364  RtDCpl64.exe   4256                schtasks.exe    116            3
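Detection logic for the pattern in the SetThreadContext and WriteProcessMemory tables above, as an added example that is not part of the sandbox report or of any Warzone tooling. The pid-to-image map, the event lines and the memory-dump rows are constructed from this report; the line parsing and the scoring heuristic (a SetThreadContext on a child the parent also wrote to, with a same-image child flagged as self-hollowing) are this example's own.

```python
"""Flag RunPE / process-hollowing candidates from sandbox process events.

Added example; not code from the sandbox report or from any Warzone tooling.
PROCESS_IMAGES, EVENTS and MEMORY_MATCHES are constructed from the report;
the parsing and the heuristic are this example's own.
"""
import re
from collections import Counter, defaultdict

SAMPLE = "5e8f02a6b2da3f020e0cb8c13c617a93ecc609367f3d5f15b3fc431d1acd3a3d.exe"

# Constructed from the report's process tree: pid -> image name.
PROCESS_IMAGES = {
    4500: SAMPLE, 4840: "Blasthost.exe", 4584: "Host.exe", 1656: SAMPLE,
    4852: "cmd.exe", 1168: "schtasks.exe",
    1740: "RtDCpl64.exe", 1256: "Blasthost.exe", 1228: "RtDCpl64.exe",
    684: "cmd.exe", 2636: "schtasks.exe",
    2364: "RtDCpl64.exe", 3924: "Blasthost.exe", 4276: "RtDCpl64.exe",
    1648: "cmd.exe", 4256: "schtasks.exe",
}

# Constructed subset of the report's event rows, in the sandbox's own wording:
# "PID <src> <action> <dst> <src> <src image> <procid_target>".
EVENTS = "\n".join(
    [f"PID 4500 set thread context of 1656 4500 {SAMPLE} 85",
     "PID 1740 set thread context of 1228 1740 RtDCpl64.exe 106",
     "PID 2364 set thread context of 4276 2364 RtDCpl64.exe 114"]
    + [f"PID 4500 wrote to memory of 4840 4500 {SAMPLE} 82"] * 3
    + [f"PID 4500 wrote to memory of 1656 4500 {SAMPLE} 85"] * 5
    + ["PID 1740 wrote to memory of 1256 1740 RtDCpl64.exe 105"] * 3
    + ["PID 1740 wrote to memory of 1228 1740 RtDCpl64.exe 106"] * 5
    + ["PID 2364 wrote to memory of 4276 2364 RtDCpl64.exe 114"] * 5
)

# Constructed from the "Warzone RAT payload" table: memory-dump YARA hits.
MEMORY_MATCHES = """\
behavioral2/memory/1656-135-0x00000000003E0000-0x00000000003FD000-memory.dmp warzonerat
behavioral2/memory/1228-150-0x0000000000400000-0x000000000041D000-memory.dmp warzonerat
"""

SET_RE = re.compile(r"^PID (\d+) set thread context of (\d+) \d+ \S+ \d+$")
WRITE_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) \d+ \S+ \d+$")
DUMP_RE = re.compile(r"memory/(\d+)-\d+-0x[0-9A-Fa-f]+-0x[0-9A-Fa-f]+-memory\.dmp (\S+)")


def parse_events(text):
    """Split sandbox event lines into SetThreadContext pairs and per-pair write counts."""
    context_sets, write_counts = [], Counter()
    for line in text.splitlines():
        if (m := SET_RE.match(line)):
            context_sets.append((int(m[1]), int(m[2])))
        elif (m := WRITE_RE.match(line)):
            write_counts[(int(m[1]), int(m[2]))] += 1
    return context_sets, write_counts


def payloads_by_pid(text):
    """Map pid -> sorted YARA rule names that hit one of its memory dumps."""
    hits = defaultdict(set)
    for m in DUMP_RE.finditer(text):
        hits[int(m[1])].add(m[2])
    return {pid: sorted(rules) for pid, rules in hits.items()}


def hollowing_candidates(events, images, memory_matches=""):
    """One finding per parent that set a child's thread context after writing to it.

    A child running the parent's own image is the self-RunPE variant seen in
    this report; a different image would be hollowing into another binary.
    """
    context_sets, write_counts = parse_events(events)
    payloads = payloads_by_pid(memory_matches)
    findings = []
    for parent, child in context_sets:
        writes = write_counts[(parent, child)]
        if writes == 0:
            continue  # context change without prior writes: not hollowing by this heuristic
        same_image = images.get(parent) == images.get(child)
        findings.append({
            "parent": parent,
            "child": child,
            "image": images.get(child, "?"),
            "writes": writes,
            "technique": "self-hollowing" if same_image else "hollowing into other image",
            "payload": payloads.get(child, []),  # what YARA saw in the child's memory
        })
    return findings


if __name__ == "__main__":
    for finding in hollowing_candidates(EVENTS, PROCESS_IMAGES, MEMORY_MATCHES):
        print(finding)
```

Run against the constructed rows it reports three self-hollowing pairs (4500 to 1656, 1740 to 1228, 2364 to 4276); only the first two carry a warzonerat memory hit, because the report has no dump rows for PID 4276, which is the kind of gap worth checking before calling a hollowed process clean.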
Processes

The depth number is the process's level in the tree. Paths under C:\Windows\SysWOW64 paired with a command line naming System32 show that the sample and its drops are 32-bit processes subject to WoW64 file-system redirection. The two RtDCpl64.exe entries at depth 1 have no parent in the tree, which is consistent with the "raserver" scheduled task (every minute) starting them.

1  C:\Users\Admin\AppData\Local\Temp\5e8f02a6b2da3f020e0cb8c13c617a93ecc609367f3d5f15b3fc431d1acd3a3d.exe
   command line: "C:\Users\Admin\AppData\Local\Temp\5e8f02a6b2da3f020e0cb8c13c617a93ecc609367f3d5f15b3fc431d1acd3a3d.exe"
   PID: 4500
   - Checks computer location settings
   - Suspicious use of SetThreadContext
   - Suspicious use of WriteProcessMemory
   2  C:\Users\Admin\AppData\Roaming\Blasthost.exe
      command line: "C:\Users\Admin\AppData\Roaming\Blasthost.exe"
      PID: 4840
      - Executes dropped EXE
      - Suspicious use of WriteProcessMemory
      3  C:\Users\Admin\AppData\Roaming\Imgburn\Host.exe
         command line: "C:\Users\Admin\AppData\Roaming\Imgburn\Host.exe"
         PID: 4584
         - Executes dropped EXE
   2  C:\Users\Admin\AppData\Local\Temp\5e8f02a6b2da3f020e0cb8c13c617a93ecc609367f3d5f15b3fc431d1acd3a3d.exe
      command line: "C:\Users\Admin\AppData\Local\Temp\5e8f02a6b2da3f020e0cb8c13c617a93ecc609367f3d5f15b3fc431d1acd3a3d.exe"
      PID: 1656 (hollowed copy of the parent; Warzone memory rule matches here)
      - Suspicious use of WriteProcessMemory
      3  C:\Windows\SysWOW64\cmd.exe
         command line: "C:\Windows\System32\cmd.exe"
         PID: 4852
   2  C:\Windows\SysWOW64\schtasks.exe
      command line: "C:\Windows\SysWOW64\schtasks.exe" /create /tn raserver /tr "C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe" /sc minute /mo 1 /F
      PID: 1168
      - Creates scheduled task(s)

1  C:\Windows\system32\svchost.exe
   command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
   PID: 3028 (Windows Update service host; background OS activity)
   - Drops file in Windows directory
   - Suspicious use of AdjustPrivilegeToken

1  C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
   command line: C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
   PID: 2176 (servicing stack worker; background OS activity)
   - Drops file in Windows directory
   - Suspicious use of AdjustPrivilegeToken

1  C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
   command line: C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
   PID: 1740
   - Executes dropped EXE
   - Checks computer location settings
   - Suspicious use of SetThreadContext
   - Suspicious use of WriteProcessMemory
   2  C:\Users\Admin\AppData\Roaming\Blasthost.exe
      command line: "C:\Users\Admin\AppData\Roaming\Blasthost.exe"
      PID: 1256
      - Executes dropped EXE
   2  C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
      command line: "C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe"
      PID: 1228 (hollowed copy of the parent; Warzone memory rule matches here)
      - Executes dropped EXE
      - Suspicious use of WriteProcessMemory
      3  C:\Windows\SysWOW64\cmd.exe
         command line: "C:\Windows\System32\cmd.exe"
         PID: 684
   2  C:\Windows\SysWOW64\schtasks.exe
      command line: "C:\Windows\SysWOW64\schtasks.exe" /create /tn raserver /tr "C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe" /sc minute /mo 1 /F
      PID: 2636
      - Creates scheduled task(s)

1  C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
   command line: C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
   PID: 2364
   - Executes dropped EXE
   - Checks computer location settings
   - Suspicious use of SetThreadContext
   - Suspicious use of WriteProcessMemory
   2  C:\Users\Admin\AppData\Roaming\Blasthost.exe
      command line: "C:\Users\Admin\AppData\Roaming\Blasthost.exe"
      PID: 3924
      - Executes dropped EXE
   2  C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
      command line: "C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe"
      PID: 4276 (hollowed copy of the parent; no memory dump listed for it)
      - Executes dropped EXE
      - Suspicious use of WriteProcessMemory
      3  C:\Windows\SysWOW64\cmd.exe
         command line: "C:\Windows\System32\cmd.exe"
         PID: 1648
   2  C:\Windows\SysWOW64\schtasks.exe
      command line: "C:\Windows\SysWOW64\schtasks.exe" /create /tn raserver /tr "C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe" /sc minute /mo 1 /F
      PID: 4256
      - Creates scheduled task(s)
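A triage routine for the schtasks.exe persistence command line that appears three times in the process tree, as an added example that is not part of the sandbox report or of Warzone. The first input is copied from the report; the benign contrast line, the list of user-writable directories, and the "every 5 minutes or faster is beacon-like" threshold are this example's own assumptions. The task name "raserver" also belongs to the Windows Remote Assistance server binary (raserver.exe), which is why a name-only check is not enough and the action path and cadence carry the decision.

```python
"""Triage schtasks.exe /create command lines for persistence indicators.

Added example; not code from the sandbox report or from Warzone.
REPORT_CMDLINE is copied from the report's process tree; BENIGN_CMDLINE,
USER_WRITABLE and FAST_POLL_MINUTES are this example's assumptions.
"""

# Constructed inputs.
REPORT_CMDLINE = (r'"C:\Windows\SysWOW64\schtasks.exe" /create /tn raserver '
                  r'/tr "C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe" '
                  r'/sc minute /mo 1 /F')
BENIGN_CMDLINE = (r'"C:\Windows\System32\schtasks.exe" /create /tn "Nightly Backup" '
                  r'/tr "C:\Program Files\BackupTool\backup.exe --full" /sc daily /st 02:00')

# Assumption: directories a standard user can write to. A task whose action
# lives there runs attacker-controlled code with no admin involvement.
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\programdata\\", "\\users\\public\\")
FAST_POLL_MINUTES = 5  # assumption: /sc minute with /mo <= 5 is beacon-like


def split_cmdline(cmdline):
    """Split a Windows command line on whitespace, honouring double quotes."""
    tokens, cur, in_quotes = [], [], False
    for ch in cmdline:
        if ch == '"':
            in_quotes = not in_quotes
        elif ch.isspace() and not in_quotes:
            if cur:
                tokens.append("".join(cur))
                cur = []
        else:
            cur.append(ch)
    if cur:
        tokens.append("".join(cur))
    return tokens


def parse_flags(tokens):
    """Return {flag: value or True} for schtasks-style '/flag [value]' arguments."""
    flags, i = {}, 0
    while i < len(tokens):
        tok = tokens[i]
        if tok.startswith("/"):
            name = tok[1:].lower()
            if i + 1 < len(tokens) and not tokens[i + 1].startswith("/"):
                flags[name] = tokens[i + 1]  # flag takes the next token as its value
                i += 2
                continue
            flags[name] = True  # bare switch such as /create or /F
        i += 1
    return flags


def triage_schtasks(cmdline):
    """Return a finding dict for a schtasks /create command line, else None."""
    tokens = split_cmdline(cmdline)
    if not tokens or not tokens[0].lower().endswith("schtasks.exe"):
        return None
    flags = parse_flags(tokens[1:])
    if "create" not in flags:
        return None
    action = str(flags.get("tr", ""))
    schedule = str(flags.get("sc", "")).lower()
    modifier = str(flags.get("mo", "1"))  # schtasks treats a missing /mo as 1
    interval_min = int(modifier) if schedule == "minute" and modifier.isdigit() else None

    reasons = []
    if any(marker in action.lower() for marker in USER_WRITABLE):
        reasons.append("action runs from a user-writable path")
    if interval_min is not None and interval_min <= FAST_POLL_MINUTES:
        reasons.append(f"re-runs every {interval_min} minute(s)")
    if "f" in flags:
        reasons.append("/F silently overwrites an existing task of the same name")
    return {
        "task": flags.get("tn"),
        "action": action,
        "schedule": schedule,
        "interval_minutes": interval_min,
        "reasons": reasons,
        "suspicious": bool(reasons),
    }


if __name__ == "__main__":
    for line in (REPORT_CMDLINE, BENIGN_CMDLINE):
        print(triage_schtasks(line))
```

The report's line trips all three checks (AppData\Roaming action, one-minute cadence, /F), while the benign contrast line trips none; on a real host the same parser can be pointed at Sysmon event 1 or 4688 command lines, and the /tr path is the value to feed into file collection and hash lookup.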