Analysis
max time kernel: 159s
max time network: 133s
platform: windows7_x64
resource: win7-en-20211208
submitted: 17/02/2022, 02:52

Behavioral task behavioral1
Sample: 5e8c34feb399e1facf73f75050720926386b43252d83ec144cc7e985225bfb03.exe
Resource: win7-en-20211208

Behavioral task behavioral2
Sample: 5e8c34feb399e1facf73f75050720926386b43252d83ec144cc7e985225bfb03.exe
Resource: win10v2004-en-20220113

Every signature, YARA match and process listed below comes from behavioral1 (the Windows 7 x64 run); no behavioral2 results are included on this page.
General
Target: 5e8c34feb399e1facf73f75050720926386b43252d83ec144cc7e985225bfb03.exe
Size: 1.3MB
MD5: ebc756bf22ed5a01cab31cc6b8da2edd
SHA1: 5872dd1fa4bae824ed5561a2aafa2014f336ccad
SHA256: 5e8c34feb399e1facf73f75050720926386b43252d83ec144cc7e985225bfb03
SHA512: ebcc6180edbff2968e000d45a7f53fb215f326789919e731d3087e5a8924a2aa0c464bbb113cbfa00196d6f19f45ff88132b2faee7bdacfc448af5d3b037711d
Malware Config
Extracted family: warzonerat
C2: wealth.warzonedns.com:5202
Signatures

NetWire RAT payload 25 IoCs
resource   yara_rule
behavioral1/files/0x00070000000130ff-{55,56,57,58,59,61,83,84,85,86,87,104,107,108,109,110}.dat   netwire   (16 matches)
behavioral1/files/0x0006000000013306-{62,63,64,89}.dat   netwire   (4 matches)
behavioral1/files/0x000600000001330a-{80,81,98,105,120}.dat   netwire   (5 matches)
Two family rules fire on this run: netwire on these dropped files, warzonerat on process memory (below) and in the extracted configuration. The extracted C2 configuration is the stronger family evidence, so check which strings the netwire rule actually matched in these files before tagging the sample as NetWire as well.
WarzoneRat, AveMaria
WarzoneRat (also tracked as AveMaria) is a native RAT written in C++, sold as malware-as-a-service with a set of optional plugins.
Warzone RAT Payload 4 IoCs
resource   yara_rule
behavioral1/memory/1380-67-0x00000000000C0000-0x00000000000DD000-memory.dmp    warzonerat
behavioral1/memory/1380-75-0x00000000000C0000-0x00000000000DD000-memory.dmp    warzonerat
behavioral1/memory/1348-91-0x0000000000080000-0x000000000009D000-memory.dmp    warzonerat
behavioral1/memory/1348-100-0x0000000000080000-0x000000000009D000-memory.dmp   warzonerat
The matches sit in PIDs 1380 and 1348, the processes that received SetThreadContext from 952 and 1620 (see below), and no dropped file matched the warzonerat rule. The Warzone payload therefore exists only unpacked in the memory of a hollowed copy of its host, which is where to dump it from (a 0x1D000-byte region in both cases).
Executes dropped EXE 8 IoCs
pid    Process
516    Blasthost.exe
776    Host.exe
1620   RtDCpl64.exe
1496   Blasthost.exe
1348   RtDCpl64.exe
1360   RtDCpl64.exe
1640   Blasthost.exe
1072   RtDCpl64.exe
Loads dropped DLL 13 IoCs
pid    Process                                                                loads
952    5e8c34feb399e1facf73f75050720926386b43252d83ec144cc7e985225bfb03.exe   4
516    Blasthost.exe                                                          2
1620   RtDCpl64.exe                                                           4
1360   RtDCpl64.exe                                                           3
Suspicious use of SetThreadContext 3 IoCs
description                            pid    Process                                                                procid_target
PID 952 set thread context of 1380     952    5e8c34feb399e1facf73f75050720926386b43252d83ec144cc7e985225bfb03.exe   29
PID 1620 set thread context of 1348    1620   RtDCpl64.exe                                                           37
PID 1360 set thread context of 1072    1360   RtDCpl64.exe                                                           46
In all three cases the target is a fresh instance of the caller's own image (the process tree shows 1380 as a second copy of the sample under 952, and 1348 and 1072 as RtDCpl64.exe under 1620 and 1360), and each target also received a run of WriteProcessMemory calls from the same parent. That is the process-hollowing sequence: start a copy of yourself suspended, overwrite its memory with the payload, point the primary thread at the new entry with SetThreadContext, resume.
autoit_exe 5 IoCs
AutoIT scripts compiled to PE executables.
resource   yara_rule
behavioral1/files/0x000600000001330a-{80,81,98,105,120}.dat   autoit_exe
These are the same five file resources that also matched the netwire rule above, so one of the dropped executables is an AutoIt-compiled binary rather than a native payload.
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). The "likely ransomware behaviour" wording that normally accompanies this signature is its generic description: nothing in this run shows file encryption, and drive enumeration is equally routine for a RAT's file-management features.
Creates scheduled task(s) 1 TTPs 3 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid    Process
532    schtasks.exe
836    schtasks.exe
868    schtasks.exe
All three invocations are the same command (see the process tree): a task named raserver that runs C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe every minute (/sc minute /mo 1), with /F to overwrite an existing task silently. It is created once by the original sample (836) and again by each copy the task itself launches (868, 532), so every run re-asserts persistence.
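To make the persistence mechanism above checkable on other reports, here is an added example (this editor's code, not Triage's and not the malware's) that splits a schtasks.exe /create command line into its switches and lists the reasons the task looks like persistence. The command line is the one recorded for PID 836 in the process tree; the five-minute period threshold and the list of user-writable path components are this example's own assumptions.

```python
"""Parse a schtasks.exe /create command line and explain why it looks like
persistence.  Added example for this report; not Triage's or the malware's
own code.  Thresholds and path patterns are this example's assumptions."""
import re

# Copied from the Processes tree above (PID 836; PIDs 868 and 532 are identical).
SAMPLE_CMDLINE = (
    r'"C:\Windows\SysWOW64\schtasks.exe" /create /tn raserver '
    r'/tr "C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe" '
    r'/sc minute /mo 1 /F'
)

# Switches that take no value (schtasks accepts them in any case).
VALUELESS = {"create", "delete", "query", "f", "z", "np", "it", "v1"}

# Locations a standard user can write to; a task whose action lives here is
# the usual shape of user-level persistence.  (Assumed list, extend as needed.)
USER_WRITABLE = re.compile(r"\\(AppData|ProgramData|Users\\Public|Temp)\\", re.I)

SECONDS = {"minute": 60, "hourly": 3600, "daily": 86400}


def parse_schtasks(cmdline):
    """Split a schtasks command line into the executable and a switch dict.

    Quoted arguments are kept whole; switch names are lower-cased so /F and
    /f collapse to the same key.  Value switches map to their string value,
    valueless ones to True."""
    tokens = [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmdline)]
    exe, args = tokens[0], tokens[1:]
    flags = {}
    i = 0
    while i < len(args):
        tok = args[i]
        if not tok.startswith("/"):
            i += 1
            continue
        key = tok[1:].lower()
        has_value = (key not in VALUELESS and i + 1 < len(args)
                     and not args[i + 1].startswith("/"))
        flags[key] = args[i + 1] if has_value else True
        i += 2 if has_value else 1
    return {"exe": exe, "flags": flags}


def interval_seconds(flags):
    """Period implied by /sc and /mo, or None for non-periodic schedules."""
    unit = SECONDS.get(str(flags.get("sc", "")).lower())
    return None if unit is None else unit * int(flags.get("mo", 1))


def assess(cmdline):
    """Return the list of persistence indicators found in a /create command."""
    flags = parse_schtasks(cmdline)["flags"]
    if "create" not in flags:
        return []          # /query, /delete, ... do not establish persistence
    reasons = []
    target = str(flags.get("tr", ""))
    if USER_WRITABLE.search(target):
        reasons.append(f"task '{flags.get('tn')}' runs a binary from a user-writable path: {target}")
    period = interval_seconds(flags)
    if period is not None and period <= 300:
        reasons.append(f"re-runs every {period}s, so the task doubles as a watchdog")
    if flags.get("f") is True:
        reasons.append("/F overwrites an existing task of the same name without prompting")
    return reasons


if __name__ == "__main__":
    for reason in assess(SAMPLE_CMDLINE):
        print("-", reason)
```

The one-minute trigger matters for clean-up order: killing RtDCpl64.exe alone buys at most a minute. Delete the task first (`schtasks /delete /tn raserver /F`), then terminate the process tree, then remove %APPDATA%\aepic and the other dropped files.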
Suspicious use of WriteProcessMemory 64 IoCs
Grouped by parent/child pair (the report lists one row per call; the column "procid_target" is the child's internal process id):
source pid   Process                                                                target pid   procid_target   writes
952          5e8c34feb399e1facf73f75050720926386b43252d83ec144cc7e985225bfb03.exe   516          27              4
516          Blasthost.exe                                                          776          28              4
952          5e8c34feb399e1facf73f75050720926386b43252d83ec144cc7e985225bfb03.exe   1380         29              6
952          5e8c34feb399e1facf73f75050720926386b43252d83ec144cc7e985225bfb03.exe   836          30              4
1380         5e8c34feb399e1facf73f75050720926386b43252d83ec144cc7e985225bfb03.exe   1840         31              6
1624         taskeng.exe                                                            1620         35              4
1620         RtDCpl64.exe                                                           1496         36              4
1620         RtDCpl64.exe                                                           1348         37              6
1620         RtDCpl64.exe                                                           868          39              4
1348         RtDCpl64.exe                                                           1060         40              6
1624         taskeng.exe                                                            1360         44              4
1360         RtDCpl64.exe                                                           1640         45              4
1360         RtDCpl64.exe                                                           1072         46              6
1072         RtDCpl64.exe                                                           1580         47              2
The list stops at 64 rows, so the last pair (1072 to 1580) shows only the writes recorded before the cut. Four writes per pair is the baseline CreateProcess bookkeeping seen even for the schtasks.exe and taskeng.exe children; the three SetThreadContext targets (1380, 1348, 1072) and the cmd.exe children of 1380 and 1348 are the pairs with six.
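The SetThreadContext and WriteProcessMemory rows above can be correlated mechanically. What follows is an added example, not code from the report or from the sample's author: it parses rows in the report's own `PID <a> wrote to memory of <b> …` / `PID <a> set thread context of <b> …` format, counts writes per parent/child pair, and flags the pairs that also had a thread context set, marking those where parent and child share an image name as self-hollowing. The rows are a constructed subset copied from this report, and the pid-to-image map is filled in by hand from the process tree (an assumption; a real pipeline would take it from the process list).

```python
"""Reconstruct process-injection chains from Triage 'wrote to memory' /
'set thread context' signature rows.

Added example for this report; not Triage's own code.  The row format is
the one shown in the Signatures section; the sample rows below are a
constructed subset of that section (same PIDs and images)."""
import re
from collections import Counter

# Constructed from the report's WriteProcessMemory / SetThreadContext rows.
SAMPLE_ROWS = """\
PID 952 wrote to memory of 516 952 5e8c34feb399e1facf73f75050720926386b43252d83ec144cc7e985225bfb03.exe 27
PID 952 wrote to memory of 1380 952 5e8c34feb399e1facf73f75050720926386b43252d83ec144cc7e985225bfb03.exe 29
PID 952 wrote to memory of 1380 952 5e8c34feb399e1facf73f75050720926386b43252d83ec144cc7e985225bfb03.exe 29
PID 952 set thread context of 1380 952 5e8c34feb399e1facf73f75050720926386b43252d83ec144cc7e985225bfb03.exe 29
PID 1624 wrote to memory of 1620 1624 taskeng.exe 35
PID 1620 wrote to memory of 1348 1620 RtDCpl64.exe 37
PID 1620 wrote to memory of 1348 1620 RtDCpl64.exe 37
PID 1620 set thread context of 1348 1620 RtDCpl64.exe 37
PID 1620 wrote to memory of 868 1620 RtDCpl64.exe 39
"""

# pid -> image name, filled by hand from the Processes tree in the report
# (assumption: a pipeline would build this from the process list).
PROCESS_IMAGES = {
    952: "5e8c34feb399e1facf73f75050720926386b43252d83ec144cc7e985225bfb03.exe",
    516: "Blasthost.exe",
    1380: "5e8c34feb399e1facf73f75050720926386b43252d83ec144cc7e985225bfb03.exe",
    1624: "taskeng.exe",
    1620: "RtDCpl64.exe",
    1348: "RtDCpl64.exe",
    868: "schtasks.exe",
}

# "PID <src> <op> <dst> <src> <image> <procid_target>"; the source pid is
# repeated in the row, so a backreference keeps malformed rows out.
ROW_RE = re.compile(
    r"^PID (?P<src>\d+) (?P<op>wrote to memory of|set thread context of) "
    r"(?P<dst>\d+) (?P=src) (?P<image>\S+) (?P<procid>\d+)$"
)


def parse_rows(text):
    """Yield (src_pid, op, dst_pid, src_image) for each well-formed row."""
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            yield int(m["src"]), m["op"], int(m["dst"]), m["image"]


def find_hollowing_candidates(text, images):
    """Return {dst_pid: info} for children that received both memory writes
    and a SetThreadContext from the same parent.

    That pairing is the process-hollowing sequence: create suspended, write
    the payload, redirect the primary thread, resume.  'self' is True when
    the parent injected into a fresh copy of its own image."""
    writes = Counter()
    ctx = set()
    src_image = {}
    for src, op, dst, image in parse_rows(text):
        src_image[src] = image
        if op.startswith("wrote"):
            writes[(src, dst)] += 1
        else:
            ctx.add((src, dst))
    result = {}
    for src, dst in sorted(ctx):
        if writes[(src, dst)] == 0:
            continue  # context changed but nothing written: not hollowing
        parent, child = src_image[src], images.get(dst, "?")
        result[dst] = {
            "parent_pid": src,
            "parent_image": parent,
            "child_image": child,
            "writes": writes[(src, dst)],
            "self": parent == child,
        }
    return result


if __name__ == "__main__":
    for dst, info in find_hollowing_candidates(SAMPLE_ROWS, PROCESS_IMAGES).items():
        kind = "self-hollowing" if info["self"] else "injection"
        print(f"{info['parent_pid']} ({info['parent_image']}) -> {dst} "
              f"({info['child_image']}): {info['writes']} writes, {kind}")
```

The pids flagged here (1380, 1348) are exactly the ones carrying the warzonerat memory matches, which is the check worth automating: when a family rule fires only in memory, confirm the matching process is a hollowing target before trusting the dump as the real payload.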
Processes

1  C:\Users\Admin\AppData\Local\Temp\5e8c34feb399e1facf73f75050720926386b43252d83ec144cc7e985225bfb03.exe   PID 952
   cmdline: "C:\Users\Admin\AppData\Local\Temp\5e8c34feb399e1facf73f75050720926386b43252d83ec144cc7e985225bfb03.exe"
   - Loads dropped DLL
   - Suspicious use of SetThreadContext
   - Suspicious use of WriteProcessMemory

   2  C:\Users\Admin\AppData\Roaming\Blasthost.exe   PID 516
      cmdline: "C:\Users\Admin\AppData\Roaming\Blasthost.exe"
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious use of WriteProcessMemory

      3  C:\Users\Admin\AppData\Roaming\Imgburn\Host.exe   PID 776
         cmdline: "C:\Users\Admin\AppData\Roaming\Imgburn\Host.exe"
         - Executes dropped EXE

   2  C:\Users\Admin\AppData\Local\Temp\5e8c34feb399e1facf73f75050720926386b43252d83ec144cc7e985225bfb03.exe   PID 1380
      cmdline: "C:\Users\Admin\AppData\Local\Temp\5e8c34feb399e1facf73f75050720926386b43252d83ec144cc7e985225bfb03.exe"
      - Suspicious use of WriteProcessMemory

      3  C:\Windows\SysWOW64\cmd.exe   PID 1840
         cmdline: "C:\Windows\System32\cmd.exe"

   2  C:\Windows\SysWOW64\schtasks.exe   PID 836
      cmdline: "C:\Windows\SysWOW64\schtasks.exe" /create /tn raserver /tr "C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe" /sc minute /mo 1 /F
      - Creates scheduled task(s)

1  C:\Windows\system32\taskeng.exe   PID 1624
   cmdline: taskeng.exe {D16B766F-E815-4229-8758-09A2B370A7D9} S-1-5-21-3846991908-3261386348-1409841751-1000:VQVVOAJK\Admin:Interactive:[1]
   - Suspicious use of WriteProcessMemory

   2  C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe   PID 1620
      cmdline: C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious use of SetThreadContext
      - Suspicious use of WriteProcessMemory

      3  C:\Users\Admin\AppData\Roaming\Blasthost.exe   PID 1496
         cmdline: "C:\Users\Admin\AppData\Roaming\Blasthost.exe"
         - Executes dropped EXE

      3  C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe   PID 1348
         cmdline: "C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe"
         - Executes dropped EXE
         - Suspicious use of WriteProcessMemory

         4  C:\Windows\SysWOW64\cmd.exe   PID 1060
            cmdline: "C:\Windows\System32\cmd.exe"

      3  C:\Windows\SysWOW64\schtasks.exe   PID 868
         cmdline: "C:\Windows\SysWOW64\schtasks.exe" /create /tn raserver /tr "C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe" /sc minute /mo 1 /F
         - Creates scheduled task(s)

   2  C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe   PID 1360
      cmdline: C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious use of SetThreadContext
      - Suspicious use of WriteProcessMemory

      3  C:\Users\Admin\AppData\Roaming\Blasthost.exe   PID 1640
         cmdline: "C:\Users\Admin\AppData\Roaming\Blasthost.exe"
         - Executes dropped EXE

      3  C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe   PID 1072
         cmdline: "C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe"
         - Executes dropped EXE
         - Suspicious use of WriteProcessMemory

         4  C:\Windows\SysWOW64\cmd.exe   PID 1580
            cmdline: "C:\Windows\System32\cmd.exe"

      3  C:\Windows\SysWOW64\schtasks.exe   PID 532
         cmdline: "C:\Windows\SysWOW64\schtasks.exe" /create /tn raserver /tr "C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe" /sc minute /mo 1 /F
         - Creates scheduled task(s)

Reading the tree: the numbers are process depth. %APPDATA%\aepic\RtDCpl64.exe, the binary the scheduled task points at, behaves exactly like the original sample on each launch: it drops and runs Blasthost.exe, hollows a second copy of itself (1348 under 1620, 1072 under 1360) and re-creates the raserver task. taskeng.exe starting it twice inside the 159-second run is the one-minute trigger firing, and the task runs as the sandbox user (VQVVOAJK\Admin, Interactive), so no elevation is involved. The hollowed copies (1380, 1348, 1072) are the processes that held the Warzone payload in memory, and each spawns a cmd.exe with no arguments recorded. That cmd.exe image is C:\Windows\SysWOW64\cmd.exe although the command line says System32: this is WoW64 file-system redirection, which tells you the sample and everything it spawns are 32-bit processes on this x64 VM. For hunting, the path is the indicator rather than the file names: Blasthost.exe, Imgburn\Host.exe and RtDCpl64.exe are chosen to look like vendor utilities, but none of them belongs under %APPDATA%.