Analysis

max time kernel: 168s
max time network: 178s
platform: windows10-2004_x64
resource: win10v2004-en-20220113
submitted: 17/02/2022, 02:53

Behavioral task: behavioral1
Sample: 5e666dd322071cb3a929e02610809e8a19b040bdc4487a72cc4d6adf03c452d4.exe
Resource: win7-en-20211208

Behavioral task: behavioral2
Sample: 5e666dd322071cb3a929e02610809e8a19b040bdc4487a72cc4d6adf03c452d4.exe
Resource: win10v2004-en-20220113

General

Target: 5e666dd322071cb3a929e02610809e8a19b040bdc4487a72cc4d6adf03c452d4.exe
Size: 1.3MB
MD5: f7c87ba8f8cdc3d7559743f79c77d48d
SHA1: 748e9c38aa1165ddd27f260cb8d9640dbd1107dc
SHA256: 5e666dd322071cb3a929e02610809e8a19b040bdc4487a72cc4d6adf03c452d4
SHA512: d655800e9f6f6af10e7bfbaa53f3b25b864e4a700cf56d61a8ef804c991a0c90477907688e8ba79b1622d04b14c80925ca077ff62f064b33028db2654f934ca1

Malware Config

Extracted: warzonerat
wealth.warzonedns.com:5202
Signatures

NetWire RAT payload (12 IoCs)
resource | yara_rule
behavioral2/files/0x000900000001e79a-130.dat | netwire
behavioral2/files/0x000900000001e79a-131.dat | netwire
behavioral2/files/0x000600000001e7a7-141.dat | netwire
behavioral2/files/0x000600000001e7a7-142.dat | netwire
behavioral2/files/0x000500000001e7b7-147.dat | netwire
behavioral2/files/0x000500000001e7b7-148.dat | netwire
behavioral2/files/0x000900000001e79a-149.dat | netwire
behavioral2/files/0x000500000001e7b7-157.dat | netwire
behavioral2/files/0x000900000001e79a-161.dat | netwire
behavioral2/files/0x000500000001e7b7-162.dat | netwire
behavioral2/files/0x000900000001e79a-163.dat | netwire
behavioral2/files/0x000500000001e7b7-171.dat | netwire

WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.

Warzone RAT Payload (4 IoCs)
resource | yara_rule
behavioral2/memory/3752-132-0x00000000014A0000-0x00000000014BD000-memory.dmp | warzonerat
behavioral2/memory/3752-139-0x00000000014A0000-0x00000000014BD000-memory.dmp | warzonerat
behavioral2/memory/1988-150-0x0000000000400000-0x000000000041D000-memory.dmp | warzonerat
behavioral2/memory/1988-158-0x0000000000400000-0x000000000041D000-memory.dmp | warzonerat

Executes dropped EXE (8 IoCs)
pid | Process
2688 | Blasthost.exe
880 | Host.exe
1064 | RtDCpl64.exe
3252 | Blasthost.exe
1988 | RtDCpl64.exe
4252 | RtDCpl64.exe
4540 | Blasthost.exe
2776 | RtDCpl64.exe

Checks computer location settings (2 TTPs, 3 IoCs)
Looks up the country code configured in the registry, likely a geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation | 5e666dd322071cb3a929e02610809e8a19b040bdc4487a72cc4d6adf03c452d4.exe
Key value queried | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation | RtDCpl64.exe
Key value queried | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation | RtDCpl64.exe

Suspicious use of SetThreadContext (3 IoCs)
description | pid | Process | procid_target
PID 1928 set thread context of 3752 | 1928 | 5e666dd322071cb3a929e02610809e8a19b040bdc4487a72cc4d6adf03c452d4.exe | 84
PID 1064 set thread context of 1988 | 1064 | RtDCpl64.exe | 108
PID 4252 set thread context of 2776 | 4252 | RtDCpl64.exe | 119

autoit_exe (5 IoCs)
AutoIT scripts compiled to PE executables.
resource | yara_rule
behavioral2/files/0x000500000001e7b7-147.dat | autoit_exe
behavioral2/files/0x000500000001e7b7-148.dat | autoit_exe
behavioral2/files/0x000500000001e7b7-157.dat | autoit_exe
behavioral2/files/0x000500000001e7b7-162.dat | autoit_exe
behavioral2/files/0x000500000001e7b7-171.dat | autoit_exe

Drops file in Windows directory (8 IoCs)
description | ioc | Process
File opened for modification | C:\Windows\SoftwareDistribution\DataStore\DataStore.edb | svchost.exe
File opened for modification | C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm | svchost.exe
File opened for modification | C:\Windows\SoftwareDistribution\ReportingEvents.log | svchost.exe
File opened for modification | C:\Windows\Logs\CBS\CBS.log | TiWorker.exe
File opened for modification | C:\Windows\WinSxS\pending.xml | TiWorker.exe
File opened for modification | C:\Windows\WindowsUpdate.log | svchost.exe
File opened for modification | C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk | svchost.exe
File opened for modification | C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log | svchost.exe

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Creates scheduled task(s) (1 TTPs, 3 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid | Process
4736 | schtasks.exe
4036 | schtasks.exe
644 | schtasks.exe
Suspicious use of AdjustPrivilegeToken (64 IoCs)

Suspicious use of WriteProcessMemory (51 IoCs)
Processes

C:\Users\Admin\AppData\Local\Temp\5e666dd322071cb3a929e02610809e8a19b040bdc4487a72cc4d6adf03c452d4.exe
    Command: "C:\Users\Admin\AppData\Local\Temp\5e666dd322071cb3a929e02610809e8a19b040bdc4487a72cc4d6adf03c452d4.exe"
    PID: 1928
    - Checks computer location settings
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Roaming\Blasthost.exe
        Command: "C:\Users\Admin\AppData\Roaming\Blasthost.exe"
        PID: 2688
        - Executes dropped EXE
        - Suspicious use of WriteProcessMemory

        C:\Users\Admin\AppData\Roaming\Imgburn\Host.exe
            Command: "C:\Users\Admin\AppData\Roaming\Imgburn\Host.exe"
            PID: 880
            - Executes dropped EXE

    C:\Users\Admin\AppData\Local\Temp\5e666dd322071cb3a929e02610809e8a19b040bdc4487a72cc4d6adf03c452d4.exe
        Command: "C:\Users\Admin\AppData\Local\Temp\5e666dd322071cb3a929e02610809e8a19b040bdc4487a72cc4d6adf03c452d4.exe"
        PID: 3752
        - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\cmd.exe
            Command: "C:\Windows\System32\cmd.exe"
            PID: 2080

    C:\Windows\SysWOW64\schtasks.exe
        Command: "C:\Windows\SysWOW64\schtasks.exe" /create /tn raserver /tr "C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe" /sc minute /mo 1 /F
        PID: 4736
        - Creates scheduled task(s)

C:\Windows\system32\svchost.exe
    Command: C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
    PID: 5008
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken

C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
    Command: C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
    PID: 2588
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken

C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
    Command: C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
    PID: 1064
    - Executes dropped EXE
    - Checks computer location settings
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Roaming\Blasthost.exe
        Command: "C:\Users\Admin\AppData\Roaming\Blasthost.exe"
        PID: 3252
        - Executes dropped EXE

    C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
        Command: "C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe"
        PID: 1988
        - Executes dropped EXE
        - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\cmd.exe
            Command: "C:\Windows\System32\cmd.exe"
            PID: 2696

    C:\Windows\SysWOW64\schtasks.exe
        Command: "C:\Windows\SysWOW64\schtasks.exe" /create /tn raserver /tr "C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe" /sc minute /mo 1 /F
        PID: 4036
        - Creates scheduled task(s)

C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
    Command: C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
    PID: 4252
    - Executes dropped EXE
    - Checks computer location settings
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Roaming\Blasthost.exe
        Command: "C:\Users\Admin\AppData\Roaming\Blasthost.exe"
        PID: 4540
        - Executes dropped EXE

    C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
        Command: "C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe"
        PID: 2776
        - Executes dropped EXE
        - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\cmd.exe
            Command: "C:\Windows\System32\cmd.exe"
            PID: 1828

    C:\Windows\SysWOW64\schtasks.exe
        Command: "C:\Windows\SysWOW64\schtasks.exe" /create /tn raserver /tr "C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe" /sc minute /mo 1 /F
        PID: 644
        - Creates scheduled task(s)