Analysis
  max time kernel:  162s
  max time network: 134s
  platform:         windows7_x64
  resource:         win7-en-20211208
  submitted:        17/02/2022, 02:53
Behavioral task: behavioral1
  Sample:   5e666dd322071cb3a929e02610809e8a19b040bdc4487a72cc4d6adf03c452d4.exe
  Resource: win7-en-20211208

Behavioral task: behavioral2
  Sample:   5e666dd322071cb3a929e02610809e8a19b040bdc4487a72cc4d6adf03c452d4.exe
  Resource: win10v2004-en-20220113
General
  Target: 5e666dd322071cb3a929e02610809e8a19b040bdc4487a72cc4d6adf03c452d4.exe
  Size:   1.3MB
  MD5:    f7c87ba8f8cdc3d7559743f79c77d48d
  SHA1:   748e9c38aa1165ddd27f260cb8d9640dbd1107dc
  SHA256: 5e666dd322071cb3a929e02610809e8a19b040bdc4487a72cc4d6adf03c452d4
  SHA512: d655800e9f6f6af10e7bfbaa53f3b25b864e4a700cf56d61a8ef804c991a0c90477907688e8ba79b1622d04b14c80925ca077ff62f064b33028db2654f934ca1
Malware Config
  Extracted
    Family: warzonerat
    C2:     wealth.warzonedns.com:5202
Signatures

NetWire RAT payload (25 IoCs)
WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.

Warzone RAT Payload (2 IoCs)
  resource                                                                      yara_rule
  behavioral1/memory/1372-63-0x0000000000080000-0x000000000009D000-memory.dmp   warzonerat
  behavioral1/memory/1372-75-0x0000000000080000-0x000000000009D000-memory.dmp   warzonerat
Executes dropped EXE (8 IoCs)
  pid    Process
  268    Blasthost.exe
  576    Host.exe
  1720   RtDCpl64.exe
  1880   Blasthost.exe
  1664   RtDCpl64.exe
  760    RtDCpl64.exe
  924    Blasthost.exe
  1192   RtDCpl64.exe
Loads dropped DLL (13 IoCs)
  pid    Process
  1632   5e666dd322071cb3a929e02610809e8a19b040bdc4487a72cc4d6adf03c452d4.exe
  1632   5e666dd322071cb3a929e02610809e8a19b040bdc4487a72cc4d6adf03c452d4.exe
  1632   5e666dd322071cb3a929e02610809e8a19b040bdc4487a72cc4d6adf03c452d4.exe
  1632   5e666dd322071cb3a929e02610809e8a19b040bdc4487a72cc4d6adf03c452d4.exe
  268    Blasthost.exe
  268    Blasthost.exe
  1720   RtDCpl64.exe
  1720   RtDCpl64.exe
  1720   RtDCpl64.exe
  1720   RtDCpl64.exe
  760    RtDCpl64.exe
  760    RtDCpl64.exe
  760    RtDCpl64.exe
Suspicious use of SetThreadContext (3 IoCs)
  description                           pid    Process                                                                 procid_target
  PID 1632 set thread context of 1372   1632   5e666dd322071cb3a929e02610809e8a19b040bdc4487a72cc4d6adf03c452d4.exe   28
  PID 1720 set thread context of 1664   1720   RtDCpl64.exe                                                            39
  PID 760 set thread context of 1192    760    RtDCpl64.exe                                                            46
autoit_exe (5 IoCs)
AutoIT scripts compiled to PE executables.
  resource                                      yara_rule
  behavioral1/files/0x000600000001393d-80.dat   autoit_exe
  behavioral1/files/0x000600000001393d-81.dat   autoit_exe
  behavioral1/files/0x000600000001393d-98.dat   autoit_exe
  behavioral1/files/0x000600000001393d-105.dat  autoit_exe
  behavioral1/files/0x000600000001393d-120.dat  autoit_exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Creates scheduled task(s) (1 TTPs, 3 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
  pid    Process
  432    schtasks.exe
  884    schtasks.exe
  432    schtasks.exe
Suspicious use of WriteProcessMemory (64 IoCs)
Processes

[1] C:\Users\Admin\AppData\Local\Temp\5e666dd322071cb3a929e02610809e8a19b040bdc4487a72cc4d6adf03c452d4.exe
    cmd: "C:\Users\Admin\AppData\Local\Temp\5e666dd322071cb3a929e02610809e8a19b040bdc4487a72cc4d6adf03c452d4.exe"
    PID: 1632
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory

  [2] C:\Users\Admin\AppData\Roaming\Blasthost.exe
      cmd: "C:\Users\Admin\AppData\Roaming\Blasthost.exe"
      PID: 268
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious use of WriteProcessMemory

    [3] C:\Users\Admin\AppData\Roaming\Imgburn\Host.exe
        cmd: "C:\Users\Admin\AppData\Roaming\Imgburn\Host.exe"
        PID: 576
        - Executes dropped EXE

  [2] C:\Users\Admin\AppData\Local\Temp\5e666dd322071cb3a929e02610809e8a19b040bdc4487a72cc4d6adf03c452d4.exe
      cmd: "C:\Users\Admin\AppData\Local\Temp\5e666dd322071cb3a929e02610809e8a19b040bdc4487a72cc4d6adf03c452d4.exe"
      PID: 1372
      - Suspicious use of WriteProcessMemory

    [3] C:\Windows\SysWOW64\cmd.exe
        cmd: "C:\Windows\System32\cmd.exe"
        PID: 1788

  [2] C:\Windows\SysWOW64\schtasks.exe
      cmd: "C:\Windows\SysWOW64\schtasks.exe" /create /tn raserver /tr "C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe" /sc minute /mo 1 /F
      PID: 432
      - Creates scheduled task(s)

[1] C:\Windows\system32\taskeng.exe
    cmd: taskeng.exe {6A59F289-880F-41C4-B3D8-B2A11DA64BB2} S-1-5-21-3846991908-3261386348-1409841751-1000:VQVVOAJK\Admin:Interactive:[1]
    PID: 1064
    - Suspicious use of WriteProcessMemory

  [2] C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
      cmd: C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
      PID: 1720
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious use of SetThreadContext
      - Suspicious use of WriteProcessMemory

    [3] C:\Users\Admin\AppData\Roaming\Blasthost.exe
        cmd: "C:\Users\Admin\AppData\Roaming\Blasthost.exe"
        PID: 1880
        - Executes dropped EXE

    [3] C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
        cmd: "C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe"
        PID: 1664
        - Executes dropped EXE
        - Suspicious use of WriteProcessMemory

      [4] C:\Windows\SysWOW64\cmd.exe
          cmd: "C:\Windows\System32\cmd.exe"
          PID: 1448

    [3] C:\Windows\SysWOW64\schtasks.exe
        cmd: "C:\Windows\SysWOW64\schtasks.exe" /create /tn raserver /tr "C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe" /sc minute /mo 1 /F
        PID: 884
        - Creates scheduled task(s)

  [2] C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
      cmd: C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
      PID: 760
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious use of SetThreadContext
      - Suspicious use of WriteProcessMemory

    [3] C:\Users\Admin\AppData\Roaming\Blasthost.exe
        cmd: "C:\Users\Admin\AppData\Roaming\Blasthost.exe"
        PID: 924
        - Executes dropped EXE

    [3] C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
        cmd: "C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe"
        PID: 1192
        - Executes dropped EXE
        - Suspicious use of WriteProcessMemory

      [4] C:\Windows\SysWOW64\cmd.exe
          cmd: "C:\Windows\System32\cmd.exe"
          PID: 1488

    [3] C:\Windows\SysWOW64\schtasks.exe
        cmd: "C:\Windows\SysWOW64\schtasks.exe" /create /tn raserver /tr "C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe" /sc minute /mo 1 /F
        PID: 432
        - Creates scheduled task(s)