Analysis
max time kernel: 162s
max time network: 181s
platform: windows10-2004_x64
resource: win10v2004-en-20220113
submitted: 17/02/2022, 02:53
Behavioral task: behavioral1
Sample: 5e4ccc58ee9876684c3f3349014f41e4d30324d9d13ee6b5dc158dea6d40c46b.exe
Resource: win7-en-20211208

Behavioral task: behavioral2
Sample: 5e4ccc58ee9876684c3f3349014f41e4d30324d9d13ee6b5dc158dea6d40c46b.exe
Resource: win10v2004-en-20220113
General
Target: 5e4ccc58ee9876684c3f3349014f41e4d30324d9d13ee6b5dc158dea6d40c46b.exe
Size: 1.3MB
MD5: 3dfa70d7db07260fb0b5fe1433b77cf9
SHA1: 1a6998908756f424cc3e81cdf50fb71b46071078
SHA256: 5e4ccc58ee9876684c3f3349014f41e4d30324d9d13ee6b5dc158dea6d40c46b
SHA512: 6f29d7d7a068c05c4dfb7138503f055e16ca7b964a119be7e191fc02b9451967cd861913be0c0c7a88a0f8aa0af4fadb16731ab8b4706e63548395e8374ad8cf
Malware Config
Extracted
Family: warzonerat
C2: wealth.warzonedns.com:5202
Signatures

NetWire RAT payload (12 IoCs)
resource  yara_rule
behavioral2/files/0x000600000001e7d9-131.dat  netwire
behavioral2/files/0x000600000001e7d9-130.dat  netwire
behavioral2/files/0x000300000001e7df-132.dat  netwire
behavioral2/files/0x000300000001e7df-133.dat  netwire
behavioral2/files/0x000400000001e7e4-147.dat  netwire
behavioral2/files/0x000400000001e7e4-148.dat  netwire
behavioral2/files/0x000600000001e7d9-149.dat  netwire
behavioral2/files/0x000400000001e7e4-157.dat  netwire
behavioral2/files/0x000600000001e7d9-160.dat  netwire
behavioral2/files/0x000400000001e7e4-161.dat  netwire
behavioral2/files/0x000600000001e7d9-162.dat  netwire
behavioral2/files/0x000400000001e7e4-170.dat  netwire
WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
Warzone RAT Payload (4 IoCs)
resource  yara_rule
behavioral2/memory/756-135-0x0000000000400000-0x000000000041D000-memory.dmp  warzonerat
behavioral2/memory/756-142-0x0000000000400000-0x000000000041D000-memory.dmp  warzonerat
behavioral2/memory/3504-150-0x0000000000150000-0x000000000016D000-memory.dmp  warzonerat
behavioral2/memory/3504-158-0x0000000000150000-0x000000000016D000-memory.dmp  warzonerat
Executes dropped EXE (8 IoCs)
pid  Process
1772  Blasthost.exe
2392  Host.exe
3664  RtDCpl64.exe
3628  Blasthost.exe
3504  RtDCpl64.exe
3484  RtDCpl64.exe
1520  Blasthost.exe
1220  RtDCpl64.exe
Checks computer location settings (2 TTPs, 3 IoCs)
Looks up country code configured in the registry, likely geofence.
description  ioc  Process
Key value queried  \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation  RtDCpl64.exe
Key value queried  \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation  RtDCpl64.exe
Key value queried  \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation  5e4ccc58ee9876684c3f3349014f41e4d30324d9d13ee6b5dc158dea6d40c46b.exe
Suspicious use of SetThreadContext (3 IoCs)
description  pid  Process  procid_target
PID 820 set thread context of 756  820  5e4ccc58ee9876684c3f3349014f41e4d30324d9d13ee6b5dc158dea6d40c46b.exe  84
PID 3664 set thread context of 3504  3664  RtDCpl64.exe  105
PID 3484 set thread context of 1220  3484  RtDCpl64.exe  116
autoit_exe (5 IoCs)
AutoIT scripts compiled to PE executables.
resource  yara_rule
behavioral2/files/0x000400000001e7e4-147.dat  autoit_exe
behavioral2/files/0x000400000001e7e4-148.dat  autoit_exe
behavioral2/files/0x000400000001e7e4-157.dat  autoit_exe
behavioral2/files/0x000400000001e7e4-161.dat  autoit_exe
behavioral2/files/0x000400000001e7e4-170.dat  autoit_exe
Drops file in Windows directory (8 IoCs)
description  ioc  Process
File opened for modification  C:\Windows\WinSxS\pending.xml  TiWorker.exe
File opened for modification  C:\Windows\WindowsUpdate.log  svchost.exe
File opened for modification  C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk  svchost.exe
File opened for modification  C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log  svchost.exe
File opened for modification  C:\Windows\SoftwareDistribution\DataStore\DataStore.edb  svchost.exe
File opened for modification  C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm  svchost.exe
File opened for modification  C:\Windows\SoftwareDistribution\ReportingEvents.log  svchost.exe
File opened for modification  C:\Windows\Logs\CBS\CBS.log  TiWorker.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Creates scheduled task(s) (1 TTPs, 3 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid  Process
4072  schtasks.exe
1840  schtasks.exe
2424  schtasks.exe
Suspicious use of AdjustPrivilegeToken (64 IoCs)
description  pid  Process
Token: SeShutdownPrivilege  3120  svchost.exe
Token: SeCreatePagefilePrivilege  3120  svchost.exe
Token: SeShutdownPrivilege  3120  svchost.exe
Token: SeCreatePagefilePrivilege  3120  svchost.exe
Token: SeShutdownPrivilege  3120  svchost.exe
Token: SeCreatePagefilePrivilege  3120  svchost.exe
Token: SeSecurityPrivilege  2804  TiWorker.exe
Token: SeRestorePrivilege  2804  TiWorker.exe
Token: SeBackupPrivilege  2804  TiWorker.exe
Token: SeBackupPrivilege  2804  TiWorker.exe
Token: SeRestorePrivilege  2804  TiWorker.exe
Token: SeSecurityPrivilege  2804  TiWorker.exe
Token: SeBackupPrivilege  2804  TiWorker.exe
Token: SeRestorePrivilege  2804  TiWorker.exe
Token: SeSecurityPrivilege  2804  TiWorker.exe
Token: SeBackupPrivilege  2804  TiWorker.exe
Token: SeRestorePrivilege  2804  TiWorker.exe
Token: SeSecurityPrivilege  2804  TiWorker.exe
Token: SeBackupPrivilege  2804  TiWorker.exe
Token: SeRestorePrivilege  2804  TiWorker.exe
Token: SeSecurityPrivilege  2804  TiWorker.exe
Token: SeBackupPrivilege  2804  TiWorker.exe
Token: SeRestorePrivilege  2804  TiWorker.exe
Token: SeSecurityPrivilege  2804  TiWorker.exe
Token: SeBackupPrivilege  2804  TiWorker.exe
Token: SeRestorePrivilege  2804  TiWorker.exe
Token: SeSecurityPrivilege  2804  TiWorker.exe
Token: SeBackupPrivilege  2804  TiWorker.exe
Token: SeRestorePrivilege  2804  TiWorker.exe
Token: SeSecurityPrivilege  2804  TiWorker.exe
Token: SeBackupPrivilege  2804  TiWorker.exe
Token: SeRestorePrivilege  2804  TiWorker.exe
Token: SeSecurityPrivilege  2804  TiWorker.exe
Token: SeBackupPrivilege  2804  TiWorker.exe
Token: SeRestorePrivilege  2804  TiWorker.exe
Token: SeSecurityPrivilege  2804  TiWorker.exe
Token: SeBackupPrivilege  2804  TiWorker.exe
Token: SeRestorePrivilege  2804  TiWorker.exe
Token: SeSecurityPrivilege  2804  TiWorker.exe
Token: SeBackupPrivilege  2804  TiWorker.exe
Token: SeRestorePrivilege  2804  TiWorker.exe
Token: SeSecurityPrivilege  2804  TiWorker.exe
Token: SeBackupPrivilege  2804  TiWorker.exe
Token: SeRestorePrivilege  2804  TiWorker.exe
Token: SeSecurityPrivilege  2804  TiWorker.exe
Token: SeBackupPrivilege  2804  TiWorker.exe
Token: SeRestorePrivilege  2804  TiWorker.exe
Token: SeSecurityPrivilege  2804  TiWorker.exe
Token: SeBackupPrivilege  2804  TiWorker.exe
Token: SeRestorePrivilege  2804  TiWorker.exe
Token: SeSecurityPrivilege  2804  TiWorker.exe
Token: SeBackupPrivilege  2804  TiWorker.exe
Token: SeRestorePrivilege  2804  TiWorker.exe
Token: SeSecurityPrivilege  2804  TiWorker.exe
Token: SeBackupPrivilege  2804  TiWorker.exe
Token: SeRestorePrivilege  2804  TiWorker.exe
Token: SeSecurityPrivilege  2804  TiWorker.exe
Token: SeBackupPrivilege  2804  TiWorker.exe
Token: SeRestorePrivilege  2804  TiWorker.exe
Token: SeSecurityPrivilege  2804  TiWorker.exe
Token: SeBackupPrivilege  2804  TiWorker.exe
Token: SeRestorePrivilege  2804  TiWorker.exe
Token: SeSecurityPrivilege  2804  TiWorker.exe
Token: SeBackupPrivilege  2804  TiWorker.exe
Suspicious use of WriteProcessMemory (51 IoCs)
description  pid  Process  procid_target
PID 820 wrote to memory of 1772  820  5e4ccc58ee9876684c3f3349014f41e4d30324d9d13ee6b5dc158dea6d40c46b.exe  81
PID 820 wrote to memory of 1772  820  5e4ccc58ee9876684c3f3349014f41e4d30324d9d13ee6b5dc158dea6d40c46b.exe  81
PID 820 wrote to memory of 1772  820  5e4ccc58ee9876684c3f3349014f41e4d30324d9d13ee6b5dc158dea6d40c46b.exe  81
PID 1772 wrote to memory of 2392  1772  Blasthost.exe  83
PID 1772 wrote to memory of 2392  1772  Blasthost.exe  83
PID 1772 wrote to memory of 2392  1772  Blasthost.exe  83
PID 820 wrote to memory of 756  820  5e4ccc58ee9876684c3f3349014f41e4d30324d9d13ee6b5dc158dea6d40c46b.exe  84
PID 820 wrote to memory of 756  820  5e4ccc58ee9876684c3f3349014f41e4d30324d9d13ee6b5dc158dea6d40c46b.exe  84
PID 820 wrote to memory of 756  820  5e4ccc58ee9876684c3f3349014f41e4d30324d9d13ee6b5dc158dea6d40c46b.exe  84
PID 820 wrote to memory of 756  820  5e4ccc58ee9876684c3f3349014f41e4d30324d9d13ee6b5dc158dea6d40c46b.exe  84
PID 820 wrote to memory of 756  820  5e4ccc58ee9876684c3f3349014f41e4d30324d9d13ee6b5dc158dea6d40c46b.exe  84
PID 756 wrote to memory of 2128  756  5e4ccc58ee9876684c3f3349014f41e4d30324d9d13ee6b5dc158dea6d40c46b.exe  85
PID 756 wrote to memory of 2128  756  5e4ccc58ee9876684c3f3349014f41e4d30324d9d13ee6b5dc158dea6d40c46b.exe  85
PID 756 wrote to memory of 2128  756  5e4ccc58ee9876684c3f3349014f41e4d30324d9d13ee6b5dc158dea6d40c46b.exe  85
PID 820 wrote to memory of 4072  820  5e4ccc58ee9876684c3f3349014f41e4d30324d9d13ee6b5dc158dea6d40c46b.exe  87
PID 820 wrote to memory of 4072  820  5e4ccc58ee9876684c3f3349014f41e4d30324d9d13ee6b5dc158dea6d40c46b.exe  87
PID 820 wrote to memory of 4072  820  5e4ccc58ee9876684c3f3349014f41e4d30324d9d13ee6b5dc158dea6d40c46b.exe  87
PID 756 wrote to memory of 2128  756  5e4ccc58ee9876684c3f3349014f41e4d30324d9d13ee6b5dc158dea6d40c46b.exe  85
PID 756 wrote to memory of 2128  756  5e4ccc58ee9876684c3f3349014f41e4d30324d9d13ee6b5dc158dea6d40c46b.exe  85
PID 3664 wrote to memory of 3628  3664  RtDCpl64.exe  104
PID 3664 wrote to memory of 3628  3664  RtDCpl64.exe  104
PID 3664 wrote to memory of 3628  3664  RtDCpl64.exe  104
PID 3664 wrote to memory of 3504  3664  RtDCpl64.exe  105
PID 3664 wrote to memory of 3504  3664  RtDCpl64.exe  105
PID 3664 wrote to memory of 3504  3664  RtDCpl64.exe  105
PID 3664 wrote to memory of 3504  3664  RtDCpl64.exe  105
PID 3664 wrote to memory of 3504  3664  RtDCpl64.exe  105
PID 3504 wrote to memory of 744  3504  RtDCpl64.exe  106
PID 3504 wrote to memory of 744  3504  RtDCpl64.exe  106
PID 3504 wrote to memory of 744  3504  RtDCpl64.exe  106
PID 3664 wrote to memory of 1840  3664  RtDCpl64.exe  108
PID 3664 wrote to memory of 1840  3664  RtDCpl64.exe  108
PID 3664 wrote to memory of 1840  3664  RtDCpl64.exe  108
PID 3504 wrote to memory of 744  3504  RtDCpl64.exe  106
PID 3504 wrote to memory of 744  3504  RtDCpl64.exe  106
PID 3484 wrote to memory of 1520  3484  RtDCpl64.exe  115
PID 3484 wrote to memory of 1520  3484  RtDCpl64.exe  115
PID 3484 wrote to memory of 1520  3484  RtDCpl64.exe  115
PID 3484 wrote to memory of 1220  3484  RtDCpl64.exe  116
PID 3484 wrote to memory of 1220  3484  RtDCpl64.exe  116
PID 3484 wrote to memory of 1220  3484  RtDCpl64.exe  116
PID 3484 wrote to memory of 1220  3484  RtDCpl64.exe  116
PID 3484 wrote to memory of 1220  3484  RtDCpl64.exe  116
PID 1220 wrote to memory of 2396  1220  RtDCpl64.exe  117
PID 1220 wrote to memory of 2396  1220  RtDCpl64.exe  117
PID 1220 wrote to memory of 2396  1220  RtDCpl64.exe  117
PID 3484 wrote to memory of 2424  3484  RtDCpl64.exe  119
PID 3484 wrote to memory of 2424  3484  RtDCpl64.exe  119
PID 3484 wrote to memory of 2424  3484  RtDCpl64.exe  119
PID 1220 wrote to memory of 2396  1220  RtDCpl64.exe  117
PID 1220 wrote to memory of 2396  1220  RtDCpl64.exe  117
Processes

C:\Users\Admin\AppData\Local\Temp\5e4ccc58ee9876684c3f3349014f41e4d30324d9d13ee6b5dc158dea6d40c46b.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\5e4ccc58ee9876684c3f3349014f41e4d30324d9d13ee6b5dc158dea6d40c46b.exe"
  PID: 820
  - Checks computer location settings
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Roaming\Blasthost.exe
      Command line: "C:\Users\Admin\AppData\Roaming\Blasthost.exe"
      PID: 1772
      - Executes dropped EXE
      - Suspicious use of WriteProcessMemory

        C:\Users\Admin\AppData\Roaming\Imgburn\Host.exe
          Command line: "C:\Users\Admin\AppData\Roaming\Imgburn\Host.exe"
          PID: 2392
          - Executes dropped EXE

    C:\Users\Admin\AppData\Local\Temp\5e4ccc58ee9876684c3f3349014f41e4d30324d9d13ee6b5dc158dea6d40c46b.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\5e4ccc58ee9876684c3f3349014f41e4d30324d9d13ee6b5dc158dea6d40c46b.exe"
      PID: 756
      - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\cmd.exe
          Command line: "C:\Windows\System32\cmd.exe"
          PID: 2128

    C:\Windows\SysWOW64\schtasks.exe
      Command line: "C:\Windows\SysWOW64\schtasks.exe" /create /tn raserver /tr "C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe" /sc minute /mo 1 /F
      PID: 4072
      - Creates scheduled task(s)

C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
  PID: 3120
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken

C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
  Command line: C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
  PID: 3664
  - Executes dropped EXE
  - Checks computer location settings
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Roaming\Blasthost.exe
      Command line: "C:\Users\Admin\AppData\Roaming\Blasthost.exe"
      PID: 3628
      - Executes dropped EXE

    C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
      Command line: "C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe"
      PID: 3504
      - Executes dropped EXE
      - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\cmd.exe
          Command line: "C:\Windows\System32\cmd.exe"
          PID: 744

    C:\Windows\SysWOW64\schtasks.exe
      Command line: "C:\Windows\SysWOW64\schtasks.exe" /create /tn raserver /tr "C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe" /sc minute /mo 1 /F
      PID: 1840
      - Creates scheduled task(s)

C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
  Command line: C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
  PID: 2804
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken

C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
  Command line: C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
  PID: 3484
  - Executes dropped EXE
  - Checks computer location settings
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Roaming\Blasthost.exe
      Command line: "C:\Users\Admin\AppData\Roaming\Blasthost.exe"
      PID: 1520
      - Executes dropped EXE

    C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
      Command line: "C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe"
      PID: 1220
      - Executes dropped EXE
      - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\cmd.exe
          Command line: "C:\Windows\System32\cmd.exe"
          PID: 2396

    C:\Windows\SysWOW64\schtasks.exe
      Command line: "C:\Windows\SysWOW64\schtasks.exe" /create /tn raserver /tr "C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe" /sc minute /mo 1 /F
      PID: 2424
      - Creates scheduled task(s)