Analysis
  max time kernel:  165s
  max time network: 171s
  platform:         windows10-2004_x64
  resource:         win10v2004-en-20220113
  submitted:        17/02/2022, 02:52

Behavioral task behavioral1
  Sample:   5e8c34feb399e1facf73f75050720926386b43252d83ec144cc7e985225bfb03.exe
  Resource: win7-en-20211208

Behavioral task behavioral2
  Sample:   5e8c34feb399e1facf73f75050720926386b43252d83ec144cc7e985225bfb03.exe
  Resource: win10v2004-en-20220113

General
  Target: 5e8c34feb399e1facf73f75050720926386b43252d83ec144cc7e985225bfb03.exe
  Size:   1.3MB
  MD5:    ebc756bf22ed5a01cab31cc6b8da2edd
  SHA1:   5872dd1fa4bae824ed5561a2aafa2014f336ccad
  SHA256: 5e8c34feb399e1facf73f75050720926386b43252d83ec144cc7e985225bfb03
  SHA512: ebcc6180edbff2968e000d45a7f53fb215f326789919e731d3087e5a8924a2aa0c464bbb113cbfa00196d6f19f45ff88132b2faee7bdacfc448af5d3b037711d

Malware Config
  Extracted: warzonerat
  C2:        wealth.warzonedns.com:5202
Signatures

NetWire RAT payload (12 IoCs)
  resource                                      yara_rule
  behavioral2/files/0x000500000001e7c5-130.dat  netwire
  behavioral2/files/0x000500000001e7c5-131.dat  netwire
  behavioral2/files/0x000400000001e7cc-132.dat  netwire
  behavioral2/files/0x000400000001e7cc-135.dat  netwire
  behavioral2/files/0x000400000001e7d4-147.dat  netwire
  behavioral2/files/0x000400000001e7d4-148.dat  netwire
  behavioral2/files/0x000500000001e7c5-149.dat  netwire
  behavioral2/files/0x000400000001e7d4-157.dat  netwire
  behavioral2/files/0x000500000001e7c5-161.dat  netwire
  behavioral2/files/0x000400000001e7d4-162.dat  netwire
  behavioral2/files/0x000500000001e7c5-163.dat  netwire
  behavioral2/files/0x000400000001e7d4-171.dat  netwire

WarzoneRat, AveMaria
  WarzoneRat is a native RAT developed in C++ with multiple plugins, sold as a MaaS.

Warzone RAT payload (2 IoCs)
  resource                                                                       yara_rule
  behavioral2/memory/4952-134-0x0000000000400000-0x000000000041D000-memory.dmp  warzonerat
  behavioral2/memory/4952-142-0x0000000000400000-0x000000000041D000-memory.dmp  warzonerat

Executes dropped EXE (8 IoCs)
  pid   Process
  4052  Blasthost.exe
  5036  Host.exe
  3732  RtDCpl64.exe
  4996  Blasthost.exe
  392   RtDCpl64.exe
  1276  RtDCpl64.exe
  4900  Blasthost.exe
  4596  RtDCpl64.exe

Checks computer location settings (2 TTPs, 3 IoCs)
  Looks up the country code configured in the registry, likely a geofence.
  description        ioc                                                                                                   Process
  Key value queried  \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation  5e8c34feb399e1facf73f75050720926386b43252d83ec144cc7e985225bfb03.exe
  Key value queried  \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation  RtDCpl64.exe
  Key value queried  \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation  RtDCpl64.exe

Suspicious use of SetThreadContext (3 IoCs)
  description                          pid   Process                                                                 procid_target
  PID 1688 set thread context of 4952  1688  5e8c34feb399e1facf73f75050720926386b43252d83ec144cc7e985225bfb03.exe  84
  PID 3732 set thread context of 392   3732  RtDCpl64.exe                                                            106
  PID 1276 set thread context of 4596  1276  RtDCpl64.exe                                                            119

autoit_exe (5 IoCs)
  AutoIT scripts compiled to PE executables.
  resource                                      yara_rule
  behavioral2/files/0x000400000001e7d4-147.dat  autoit_exe
  behavioral2/files/0x000400000001e7d4-148.dat  autoit_exe
  behavioral2/files/0x000400000001e7d4-157.dat  autoit_exe
  behavioral2/files/0x000400000001e7d4-162.dat  autoit_exe
  behavioral2/files/0x000400000001e7d4-171.dat  autoit_exe

Drops file in Windows directory (8 IoCs)
  description                   ioc                                                      Process
  File opened for modification  C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm  svchost.exe
  File opened for modification  C:\Windows\SoftwareDistribution\ReportingEvents.log      svchost.exe
  File opened for modification  C:\Windows\Logs\CBS\CBS.log                              TiWorker.exe
  File opened for modification  C:\Windows\WinSxS\pending.xml                            TiWorker.exe
  File opened for modification  C:\Windows\WindowsUpdate.log                             svchost.exe
  File opened for modification  C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk   svchost.exe
  File opened for modification  C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log   svchost.exe
  File opened for modification  C:\Windows\SoftwareDistribution\DataStore\DataStore.edb  svchost.exe

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Creates scheduled task(s) (1 TTP, 3 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  pid   Process
  1292  schtasks.exe
  4356  schtasks.exe
  3624  schtasks.exe

Suspicious use of AdjustPrivilegeToken (64 IoCs)

Suspicious use of WriteProcessMemory (51 IoCs)

Processes

C:\Users\Admin\AppData\Local\Temp\5e8c34feb399e1facf73f75050720926386b43252d83ec144cc7e985225bfb03.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\5e8c34feb399e1facf73f75050720926386b43252d83ec144cc7e985225bfb03.exe"
  PID: 1688
  - Checks computer location settings
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Roaming\Blasthost.exe
      command line: "C:\Users\Admin\AppData\Roaming\Blasthost.exe"
      PID: 4052
      - Executes dropped EXE
      - Suspicious use of WriteProcessMemory

        C:\Users\Admin\AppData\Roaming\Imgburn\Host.exe
          command line: "C:\Users\Admin\AppData\Roaming\Imgburn\Host.exe"
          PID: 5036
          - Executes dropped EXE

    C:\Users\Admin\AppData\Local\Temp\5e8c34feb399e1facf73f75050720926386b43252d83ec144cc7e985225bfb03.exe
      command line: "C:\Users\Admin\AppData\Local\Temp\5e8c34feb399e1facf73f75050720926386b43252d83ec144cc7e985225bfb03.exe"
      PID: 4952
      - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\cmd.exe
          command line: "C:\Windows\System32\cmd.exe"
          PID: 808

    C:\Windows\SysWOW64\schtasks.exe
      command line: "C:\Windows\SysWOW64\schtasks.exe" /create /tn raserver /tr "C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe" /sc minute /mo 1 /F
      PID: 1292
      - Creates scheduled task(s)

C:\Windows\system32\svchost.exe
  command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
  PID: 2664
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken

C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
  command line: C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
  PID: 3732
  - Executes dropped EXE
  - Checks computer location settings
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Roaming\Blasthost.exe
      command line: "C:\Users\Admin\AppData\Roaming\Blasthost.exe"
      PID: 4996
      - Executes dropped EXE

    C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
      command line: "C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe"
      PID: 392
      - Executes dropped EXE
      - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\cmd.exe
          command line: "C:\Windows\System32\cmd.exe"
          PID: 3964

    C:\Windows\SysWOW64\schtasks.exe
      command line: "C:\Windows\SysWOW64\schtasks.exe" /create /tn raserver /tr "C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe" /sc minute /mo 1 /F
      PID: 4356
      - Creates scheduled task(s)

C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
  command line: C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
  PID: 2660
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken

C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
  command line: C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
  PID: 1276
  - Executes dropped EXE
  - Checks computer location settings
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Roaming\Blasthost.exe
      command line: "C:\Users\Admin\AppData\Roaming\Blasthost.exe"
      PID: 4900
      - Executes dropped EXE

    C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
      command line: "C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe"
      PID: 4596
      - Executes dropped EXE
      - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\cmd.exe
          command line: "C:\Windows\System32\cmd.exe"
          PID: 1976

    C:\Windows\SysWOW64\schtasks.exe
      command line: "C:\Windows\SysWOW64\schtasks.exe" /create /tn raserver /tr "C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe" /sc minute /mo 1 /F
      PID: 3624
      - Creates scheduled task(s)