Analysis
max time kernel: 166s
max time network: 140s
platform: windows7_x64
resource: win7-en-20211208
submitted: 17/02/2022, 02:52
Behavioral task: behavioral1
Sample: 5e7607e8a2f6cfec67a3b1b96ad2999ed226e4144bd7daafdbee175b7e66952c.exe
Resource: win7-en-20211208

Behavioral task: behavioral2
Sample: 5e7607e8a2f6cfec67a3b1b96ad2999ed226e4144bd7daafdbee175b7e66952c.exe
Resource: win10v2004-en-20220112
General
Target: 5e7607e8a2f6cfec67a3b1b96ad2999ed226e4144bd7daafdbee175b7e66952c.exe
Size: 1.3MB
MD5: 58551eb23536b135ab4c454925202f99
SHA1: 221534f28a99b4d3848423ee8e52e4ba8e7beaca
SHA256: 5e7607e8a2f6cfec67a3b1b96ad2999ed226e4144bd7daafdbee175b7e66952c
SHA512: 7ad5ee454f4bf59c0925ceef12267f0e722c3807ea9a2ec96370f5ebb4a2382bef46dac00f86ccb7ace917388878770eae8c6520fd961dd804b734da03ac6002
Malware Config
Extracted config (warzonerat): wealth.warzonedns.com:5202
Signatures

NetWire RAT payload (25 IoCs)
resource                                       yara_rule
behavioral1/files/0x000800000001221b-56.dat    netwire
behavioral1/files/0x000800000001221b-57.dat    netwire
behavioral1/files/0x000800000001221b-58.dat    netwire
behavioral1/files/0x000800000001221b-59.dat    netwire
behavioral1/files/0x000800000001221b-60.dat    netwire
behavioral1/files/0x000800000001221b-73.dat    netwire
behavioral1/files/0x0007000000012284-76.dat    netwire
behavioral1/files/0x0007000000012284-75.dat    netwire
behavioral1/files/0x0007000000012284-74.dat    netwire
behavioral1/files/0x000800000001223f-81.dat    netwire
behavioral1/files/0x000800000001223f-82.dat    netwire
behavioral1/files/0x000800000001221b-84.dat    netwire
behavioral1/files/0x000800000001221b-87.dat    netwire
behavioral1/files/0x000800000001221b-85.dat    netwire
behavioral1/files/0x000800000001221b-86.dat    netwire
behavioral1/files/0x000800000001221b-88.dat    netwire
behavioral1/files/0x0007000000012284-90.dat    netwire
behavioral1/files/0x000800000001223f-99.dat    netwire
behavioral1/files/0x000800000001221b-105.dat   netwire
behavioral1/files/0x000800000001223f-106.dat   netwire
behavioral1/files/0x000800000001221b-108.dat   netwire
behavioral1/files/0x000800000001221b-109.dat   netwire
behavioral1/files/0x000800000001221b-110.dat   netwire
behavioral1/files/0x000800000001221b-111.dat   netwire
behavioral1/files/0x000800000001223f-121.dat   netwire
WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.

Warzone RAT payload (4 IoCs)
resource                                                                          yara_rule
behavioral1/memory/1036-62-0x00000000000C0000-0x00000000000DD000-memory.dmp       warzonerat
behavioral1/memory/1036-72-0x00000000000C0000-0x00000000000DD000-memory.dmp       warzonerat
behavioral1/memory/1356-92-0x0000000000080000-0x000000000009D000-memory.dmp       warzonerat
behavioral1/memory/1356-101-0x0000000000080000-0x000000000009D000-memory.dmp      warzonerat
Executes dropped EXE (8 IoCs)
pid    Process
472    Blasthost.exe
1972   Host.exe
1696   RtDCpl64.exe
1496   Blasthost.exe
1356   RtDCpl64.exe
1628   RtDCpl64.exe
1904   Blasthost.exe
1532   RtDCpl64.exe
Loads dropped DLL (13 IoCs)
pid    Process
1612   5e7607e8a2f6cfec67a3b1b96ad2999ed226e4144bd7daafdbee175b7e66952c.exe
1612   5e7607e8a2f6cfec67a3b1b96ad2999ed226e4144bd7daafdbee175b7e66952c.exe
1612   5e7607e8a2f6cfec67a3b1b96ad2999ed226e4144bd7daafdbee175b7e66952c.exe
1612   5e7607e8a2f6cfec67a3b1b96ad2999ed226e4144bd7daafdbee175b7e66952c.exe
472    Blasthost.exe
472    Blasthost.exe
1696   RtDCpl64.exe
1696   RtDCpl64.exe
1696   RtDCpl64.exe
1696   RtDCpl64.exe
1628   RtDCpl64.exe
1628   RtDCpl64.exe
1628   RtDCpl64.exe
Suspicious use of SetThreadContext (3 IoCs)
description                            pid    Process                                                                 procid_target
PID 1612 set thread context of 1036    1612   5e7607e8a2f6cfec67a3b1b96ad2999ed226e4144bd7daafdbee175b7e66952c.exe   28
PID 1696 set thread context of 1356    1696   RtDCpl64.exe                                                            39
PID 1628 set thread context of 1532    1628   RtDCpl64.exe                                                            46
autoit_exe (5 IoCs)
AutoIT scripts compiled to PE executables.
resource                                       yara_rule
behavioral1/files/0x000800000001223f-81.dat    autoit_exe
behavioral1/files/0x000800000001223f-82.dat    autoit_exe
behavioral1/files/0x000800000001223f-99.dat    autoit_exe
behavioral1/files/0x000800000001223f-106.dat   autoit_exe
behavioral1/files/0x000800000001223f-121.dat   autoit_exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Creates scheduled task(s) (1 TTPs, 3 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid    Process
1748   schtasks.exe
1440   schtasks.exe
976    schtasks.exe
Suspicious use of WriteProcessMemory (64 IoCs)
Processes

C:\Users\Admin\AppData\Local\Temp\5e7607e8a2f6cfec67a3b1b96ad2999ed226e4144bd7daafdbee175b7e66952c.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\5e7607e8a2f6cfec67a3b1b96ad2999ed226e4144bd7daafdbee175b7e66952c.exe"
  PID: 1612
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Roaming\Blasthost.exe
      Command line: "C:\Users\Admin\AppData\Roaming\Blasthost.exe"
      PID: 472
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious use of WriteProcessMemory

        C:\Users\Admin\AppData\Roaming\Imgburn\Host.exe
          Command line: "C:\Users\Admin\AppData\Roaming\Imgburn\Host.exe"
          PID: 1972
          - Executes dropped EXE

    C:\Users\Admin\AppData\Local\Temp\5e7607e8a2f6cfec67a3b1b96ad2999ed226e4144bd7daafdbee175b7e66952c.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\5e7607e8a2f6cfec67a3b1b96ad2999ed226e4144bd7daafdbee175b7e66952c.exe"
      PID: 1036
      - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\cmd.exe
          Command line: "C:\Windows\System32\cmd.exe"
          PID: 1736

    C:\Windows\SysWOW64\schtasks.exe
      Command line: "C:\Windows\SysWOW64\schtasks.exe" /create /tn raserver /tr "C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe" /sc minute /mo 1 /F
      PID: 976
      - Creates scheduled task(s)

C:\Windows\system32\taskeng.exe
  Command line: taskeng.exe {093652A9-95A2-40A9-832D-0E5BB63EF02A} S-1-5-21-2329389628-4064185017-3901522362-1000:QSKGHMYQ\Admin:Interactive:[1]
  PID: 928
  - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
      Command line: C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
      PID: 1696
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious use of SetThreadContext
      - Suspicious use of WriteProcessMemory

        C:\Users\Admin\AppData\Roaming\Blasthost.exe
          Command line: "C:\Users\Admin\AppData\Roaming\Blasthost.exe"
          PID: 1496
          - Executes dropped EXE

        C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
          Command line: "C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe"
          PID: 1356
          - Executes dropped EXE
          - Suspicious use of WriteProcessMemory

            C:\Windows\SysWOW64\cmd.exe
              Command line: "C:\Windows\System32\cmd.exe"
              PID: 1740

        C:\Windows\SysWOW64\schtasks.exe
          Command line: "C:\Windows\SysWOW64\schtasks.exe" /create /tn raserver /tr "C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe" /sc minute /mo 1 /F
          PID: 1748
          - Creates scheduled task(s)

    C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
      Command line: C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
      PID: 1628
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious use of SetThreadContext
      - Suspicious use of WriteProcessMemory

        C:\Users\Admin\AppData\Roaming\Blasthost.exe
          Command line: "C:\Users\Admin\AppData\Roaming\Blasthost.exe"
          PID: 1904
          - Executes dropped EXE

        C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
          Command line: "C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe"
          PID: 1532
          - Executes dropped EXE

            C:\Windows\SysWOW64\cmd.exe
              Command line: "C:\Windows\System32\cmd.exe"
              PID: 1872

        C:\Windows\SysWOW64\schtasks.exe
          Command line: "C:\Windows\SysWOW64\schtasks.exe" /create /tn raserver /tr "C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe" /sc minute /mo 1 /F
          PID: 1440
          - Creates scheduled task(s)