Analysis
max time kernel: 172s
max time network: 177s
platform: windows10-2004_x64
resource: win10v2004-en-20220113
submitted: 17/02/2022, 02:56
Behavioral task behavioral1
  Sample: 5dedf7302c9993def502be42f07e86cb1579509e0f82e15dc9690475a56243cc.exe
  Resource: win7-en-20211208
Behavioral task behavioral2
  Sample: 5dedf7302c9993def502be42f07e86cb1579509e0f82e15dc9690475a56243cc.exe
  Resource: win10v2004-en-20220113
General
Target: 5dedf7302c9993def502be42f07e86cb1579509e0f82e15dc9690475a56243cc.exe
Size: 1.3MB
MD5: fd99fbb0810ceec3e2de0e6fa434b943
SHA1: e776d2ac977bd2524f5198e7e55fa035030a4ca1
SHA256: 5dedf7302c9993def502be42f07e86cb1579509e0f82e15dc9690475a56243cc
SHA512: 0bec31326d32404af2126db5142fb860145c1bd6d9993b98992000f6abe1a4ebab7bbf837f1e60725dcc259fef1e0ac42d9c7b0199dcf8f952f051a5a29ab394
Malware Config
Extracted: warzonerat
C2: wealth.warzonedns.com:5202
Signatures
-
NetWire RAT payload 15 IoCs
resource                                        yara_rule
behavioral2/files/0x000700000001e77f-133.dat    netwire
behavioral2/files/0x000700000001e77f-134.dat    netwire
behavioral2/files/0x000400000001e789-135.dat    netwire
behavioral2/files/0x000400000001e789-136.dat    netwire
behavioral2/files/0x000400000001e78b-147.dat    netwire
behavioral2/files/0x000400000001e78b-148.dat    netwire
behavioral2/files/0x000700000001e77f-149.dat    netwire
behavioral2/files/0x000400000001e78b-157.dat    netwire
behavioral2/files/0x000700000001e77f-162.dat    netwire
behavioral2/files/0x000400000001e78b-164.dat    netwire
behavioral2/files/0x000700000001e77f-165.dat    netwire
behavioral2/files/0x000400000001e78b-173.dat    netwire
behavioral2/files/0x000400000001e78b-176.dat    netwire
behavioral2/files/0x000700000001e77f-177.dat    netwire
behavioral2/files/0x000400000001e78b-185.dat    netwire
These hits are on three distinct dropped files (…e77f, …e789, …e78b); the …e78b file also matches autoit_exe below, while the extracted config and the in-memory payload are both classified as Warzone. Treat the on-disk netwire rule match as a lead to verify, not as the family attribution for this run.
-
WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
-
Warzone RAT Payload 4 IoCs
resource                                                                         yara_rule
behavioral2/memory/1948-138-0x0000000000890000-0x00000000008AD000-memory.dmp     warzonerat
behavioral2/memory/1948-145-0x0000000000890000-0x00000000008AD000-memory.dmp     warzonerat
behavioral2/memory/3584-150-0x0000000000400000-0x000000000041D000-memory.dmp     warzonerat
behavioral2/memory/3584-158-0x0000000000400000-0x000000000041D000-memory.dmp     warzonerat
PIDs 1948 and 3584 are the targets of the SetThreadContext calls recorded below: the unpacked Warzone payload lives in the hollowed child processes, not in the dropper that was submitted.
-
Executes dropped EXE 11 IoCs
pid     Process
1028    Blasthost.exe
3608    Host.exe
388     RtDCpl64.exe
1484    Blasthost.exe
3584    RtDCpl64.exe
1852    RtDCpl64.exe
3664    Blasthost.exe
1836    RtDCpl64.exe
1204    RtDCpl64.exe
3508    Blasthost.exe
3900    RtDCpl64.exe
-
Checks computer location settings 2 TTPs 4 IoCs
Looks up country code configured in the registry, likely geofence.
description: Key value queried
ioc: \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation
Process (one query each): 5dedf7302c9993def502be42f07e86cb1579509e0f82e15dc9690475a56243cc.exe, RtDCpl64.exe, RtDCpl64.exe, RtDCpl64.exe
-
Suspicious use of SetThreadContext 4 IoCs
pid     Process                                                                    description                     procid_target
2240    5dedf7302c9993def502be42f07e86cb1579509e0f82e15dc9690475a56243cc.exe       set thread context of 1948      87
388     RtDCpl64.exe                                                               set thread context of 3584      98
1852    RtDCpl64.exe                                                               set thread context of 1836      114
1204    RtDCpl64.exe                                                               set thread context of 3900      126
In every case the target is a freshly created child with the same image path as the caller (see the process tree below), and the same parent/child pair also appears in the WriteProcessMemory list. Writing into a child copy of one's own image and then redirecting its thread is the process-hollowing pattern; the Warzone memory matches above come from two of these four targets.
-
autoit_exe 7 IoCs
AutoIT scripts compiled to PE executables.
resource                                        yara_rule
behavioral2/files/0x000400000001e78b-147.dat    autoit_exe
behavioral2/files/0x000400000001e78b-148.dat    autoit_exe
behavioral2/files/0x000400000001e78b-157.dat    autoit_exe
behavioral2/files/0x000400000001e78b-164.dat    autoit_exe
behavioral2/files/0x000400000001e78b-173.dat    autoit_exe
behavioral2/files/0x000400000001e78b-176.dat    autoit_exe
behavioral2/files/0x000400000001e78b-185.dat    autoit_exe
-
Drops file in Windows directory 8 IoCs
description                    ioc                                                        Process
File opened for modification   C:\Windows\SoftwareDistribution\DataStore\DataStore.edb    svchost.exe
File opened for modification   C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm    svchost.exe
File opened for modification   C:\Windows\SoftwareDistribution\ReportingEvents.log        svchost.exe
File opened for modification   C:\Windows\Logs\CBS\CBS.log                                TiWorker.exe
File opened for modification   C:\Windows\WinSxS\pending.xml                              TiWorker.exe
File opened for modification   C:\Windows\WindowsUpdate.log                               svchost.exe
File opened for modification   C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk     svchost.exe
File opened for modification   C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log     svchost.exe
Every entry is written by svchost.exe hosting wuauserv or by TiWorker.exe, the servicing-stack worker; both run with no parent in the sample's process tree below. None of these writes comes from the sample or the binaries it dropped, so this signature is sandbox background activity, not sample behaviour.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
No IoC is recorded for this signature in this run, so it carries no process attribution.
-
Creates scheduled task(s) 1 TTPs 4 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid     Process
3420    schtasks.exe
3108    schtasks.exe
3900    schtasks.exe
1728    schtasks.exe
All four invocations carry the same command line (shown in the process tree below): /create /tn raserver /tr "C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe" /sc minute /mo 1 /F. The dropped RtDCpl64.exe is therefore re-launched every minute from a user-writable directory, and /F re-creates the task silently on every run of the implant. Note that PID 3900 is recycled later in the run by an RtDCpl64.exe instance, so the pid alone does not identify this schtasks.exe process.
-
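The check a responder would want from this section is a rule over process-creation telemetry that flags schtasks.exe invocations of this shape: a /create whose action lives under a user-writable path and whose schedule fires every few minutes. The Python below is an added example written for this page, not Triage output or Warzone code. The parser, the benign command lines and the user-writable directory list are constructed; the first sample line is the exact command line recorded for PIDs 3420, 3108, 3900 and 1728.

```python
"""Flag `schtasks /create` command lines that install high-frequency tasks
pointing at user-writable paths (added example; not part of the report)."""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Directories a standard user can write to. A task action that lives here
# was put there by something running as the user, not by an installer.
USER_WRITABLE = (
    "\\appdata\\roaming\\", "\\appdata\\local\\", "\\users\\public\\",
    "\\programdata\\", "\\windows\\temp\\",
)
_TOKEN = re.compile(r'"[^"]*"|\S+')          # keep quoted paths as one token
_VALUE_OPTS = {"/tn", "/tr", "/sc", "/mo", "/st", "/ru", "/rp", "/rl", "/xml"}


@dataclass
class TaskFinding:
    name: str
    action: str
    schedule: str
    interval_minutes: Optional[int]      # None for event-driven schedules
    force: bool                          # /F overwrites an existing task
    reasons: List[str] = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        return bool(self.reasons)


def parse_schtasks(cmdline: str) -> Optional[TaskFinding]:
    """Return a TaskFinding for a `schtasks /create` line, None otherwise."""
    tokens = [t.strip('"') for t in _TOKEN.findall(cmdline)]
    if not tokens:
        return None
    exe = tokens[0].lower()
    if not (exe.endswith("schtasks.exe") or exe == "schtasks"):
        return None
    opts, flags, i = {}, set(), 1
    while i < len(tokens):
        tok = tokens[i].lower()
        if tok in _VALUE_OPTS and i + 1 < len(tokens):
            opts[tok] = tokens[i + 1]
            i += 2
        else:
            if tok.startswith("/"):
                flags.add(tok)
            i += 1
    if "/create" not in flags:
        return None

    schedule = opts.get("/sc", "once").lower()
    modifier = int(opts["/mo"]) if opts.get("/mo", "").isdigit() else 1
    interval = {"minute": modifier, "hourly": 60 * modifier,
                "daily": 1440 * modifier}.get(schedule)
    action = opts.get("/tr", "")
    finding = TaskFinding(opts.get("/tn", ""), action, schedule, interval,
                          "/f" in flags)
    if any(d in action.lower() for d in USER_WRITABLE):
        finding.reasons.append("task action runs from a user-writable directory")
    if interval is not None and interval <= 5:
        finding.reasons.append(f"task re-executes every {interval} minute(s)")
    return finding


def scan(cmdlines) -> List[TaskFinding]:
    """Apply parse_schtasks to each command line and keep the suspicious ones."""
    return [f for f in map(parse_schtasks, cmdlines) if f and f.suspicious]


# Constructed process-creation command lines. The first is the line recorded
# in this report; the other two are benign examples made up for contrast.
SAMPLE_CMDLINES = [
    r'"C:\Windows\SysWOW64\schtasks.exe" /create /tn raserver /tr '
    r'"C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe" /sc minute /mo 1 /F',
    r'schtasks.exe /create /tn "Acme Backup" /tr "C:\Program Files\Acme\backup.exe" /sc daily /st 02:00',
    r'schtasks.exe /query /tn raserver',
]

if __name__ == "__main__":
    for f in scan(SAMPLE_CMDLINES):
        print(f"{f.name}: {f.action} [{f.schedule}] -> " + "; ".join(f.reasons))
```

Run against the three constructed lines, only the raserver task is reported, with both reasons attached; the daily task under Program Files parses cleanly but raises nothing, and the /query line is ignored because it creates no task. The /F flag is recorded separately rather than scored, since legitimate installers also use it.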
Suspicious use of AdjustPrivilegeToken 64 IoCs
pid     Process         Token (description)
2188    svchost.exe     SeShutdownPrivilege and SeCreatePagefilePrivilege, alternating (6 entries)
204     TiWorker.exe    SeSecurityPrivilege, SeRestorePrivilege and SeBackupPrivilege, cycling (58 entries)
Both processes are the Windows Update and servicing-stack activity already seen under "Drops file in Windows directory"; the backup/restore/security privileges are what the servicing stack needs to touch WinSxS. None of the sample's own processes adjusts a token privilege in this run.
-
Suspicious use of WriteProcessMemory 64 IoCs
pid     Process                                                                    wrote to memory of       procid_target   entries
2240    5dedf7302c9993def502be42f07e86cb1579509e0f82e15dc9690475a56243cc.exe       1028 (Blasthost.exe)     84              3
1028    Blasthost.exe                                                              3608 (Host.exe)          86              3
2240    5dedf7302c9993def502be42f07e86cb1579509e0f82e15dc9690475a56243cc.exe       1948 (same image)        87              5
2240    5dedf7302c9993def502be42f07e86cb1579509e0f82e15dc9690475a56243cc.exe       3420 (schtasks.exe)      88              3
1948    5dedf7302c9993def502be42f07e86cb1579509e0f82e15dc9690475a56243cc.exe       1240 (cmd.exe)           90              5
388     RtDCpl64.exe                                                               1484 (Blasthost.exe)     97              3
388     RtDCpl64.exe                                                               3584 (RtDCpl64.exe)      98              5
3584    RtDCpl64.exe                                                               2336 (cmd.exe)           99              5
388     RtDCpl64.exe                                                               3108 (schtasks.exe)      101             3
1852    RtDCpl64.exe                                                               3664 (Blasthost.exe)     113             3
1852    RtDCpl64.exe                                                               1836 (RtDCpl64.exe)      114             5
1836    RtDCpl64.exe                                                               3944 (cmd.exe)           115             5
1852    RtDCpl64.exe                                                               3900 (schtasks.exe)      117             3
1204    RtDCpl64.exe                                                               3508 (Blasthost.exe)     125             3
1204    RtDCpl64.exe                                                               3900 (RtDCpl64.exe)      126             5
3900    RtDCpl64.exe                                                               1996 (cmd.exe)           127             3
1204    RtDCpl64.exe                                                               1728 (schtasks.exe)      129             2 (list cut off at 64 entries)
The report logs each parent-to-child write several times; the table collapses identical rows and gives the count. Target image names are taken from the process tree below. The writes into 1948, 3584, 1836 and 3900 are the ones paired with the SetThreadContext calls above; note that procid_target 117 and 126 both carry pid 3900, so the pid was recycled between the schtasks.exe instance and the hollowed RtDCpl64.exe instance.
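Joining the WriteProcessMemory and SetThreadContext records to the process tree is what turns these lists into a hollowing chain, and the recycled pid 3900 shows why that join must not be keyed on pid alone. The Python below is an added example for this page, not Triage's code or the malware's. It transcribes the report's process records into an event list: the seq numbers are the procid_target values where the report gives them, and for the four root processes (2240, 388, 1852, 1204), whose parents the report does not list, they are constructed to sit just before each root's first child, with ppid set to 0.

```python
"""Rebuild injection chains from sandbox process records while coping with
PID reuse (added example; not part of the report)."""
from dataclasses import dataclass
from typing import List, Optional

SAMPLE = "5dedf7302c9993def502be42f07e86cb1579509e0f82e15dc9690475a56243cc.exe"


@dataclass(frozen=True)
class Proc:
    seq: int     # creation order; (pid, seq) is unique even when pids recycle
    pid: int
    ppid: int    # 0 = parent not recorded in the report
    image: str


# Transcribed from the report. seq is the procid_target value where the
# report gives one; for the four root processes it is constructed.
PROCESSES = [
    Proc(83, 2240, 0, SAMPLE),                 # constructed seq
    Proc(84, 1028, 2240, "Blasthost.exe"),
    Proc(86, 3608, 1028, "Host.exe"),
    Proc(87, 1948, 2240, SAMPLE),
    Proc(88, 3420, 2240, "schtasks.exe"),
    Proc(90, 1240, 1948, "cmd.exe"),
    Proc(96, 388, 0, "RtDCpl64.exe"),          # constructed seq
    Proc(97, 1484, 388, "Blasthost.exe"),
    Proc(98, 3584, 388, "RtDCpl64.exe"),
    Proc(99, 2336, 3584, "cmd.exe"),
    Proc(101, 3108, 388, "schtasks.exe"),
    Proc(112, 1852, 0, "RtDCpl64.exe"),        # constructed seq
    Proc(113, 3664, 1852, "Blasthost.exe"),
    Proc(114, 1836, 1852, "RtDCpl64.exe"),
    Proc(115, 3944, 1836, "cmd.exe"),
    Proc(117, 3900, 1852, "schtasks.exe"),     # first holder of pid 3900
    Proc(124, 1204, 0, "RtDCpl64.exe"),        # constructed seq
    Proc(125, 3508, 1204, "Blasthost.exe"),
    Proc(126, 3900, 1204, "RtDCpl64.exe"),     # pid 3900 recycled
    Proc(127, 1996, 3900, "cmd.exe"),
    Proc(129, 1728, 1204, "schtasks.exe"),
]

# (source pid, target pid, target seq) from "Suspicious use of SetThreadContext"
SET_THREAD_CONTEXT = [(2240, 1948, 87), (388, 3584, 98),
                      (1852, 1836, 114), (1204, 3900, 126)]


def resolve(procs: List[Proc], pid: int, at_seq: int) -> Optional[Proc]:
    """The process that held `pid` at ordering point `at_seq`.

    Picks the most recently created holder of the pid that already existed
    at `at_seq`; this is what makes the recycled pid 3900 resolve correctly."""
    holders = [p for p in procs if p.pid == pid and p.seq <= at_seq]
    return max(holders, key=lambda p: p.seq) if holders else None


def naive_lookup(procs: List[Proc], pid: int) -> Optional[Proc]:
    """First record with this pid: the join that mis-attributes recycled pids."""
    return next((p for p in procs if p.pid == pid), None)


@dataclass
class Chain:
    source: Proc
    target: Proc
    same_image: bool          # source wrote into a child copy of its own image
    spawned: List[str]        # what the injected process went on to run

    def describe(self) -> str:
        kind = "self-hollowing" if self.same_image else "cross-process injection"
        return (f"{kind}: {self.source.image} ({self.source.pid}) -> "
                f"{self.target.image} ({self.target.pid}); "
                f"target then spawned {', '.join(self.spawned) or 'nothing'}")


def injection_chains(procs: List[Proc], stc_events) -> List[Chain]:
    """One Chain per SetThreadContext event, attributed with seq-aware lookups."""
    chains = []
    for src_pid, tgt_pid, tgt_seq in stc_events:
        src = resolve(procs, src_pid, tgt_seq)
        tgt = resolve(procs, tgt_pid, tgt_seq)
        if src is None or tgt is None:
            continue
        # children are the records whose parent pid resolved, at their own
        # creation time, to this exact target instance
        spawned = [p.image for p in procs
                   if p.seq > tgt.seq and resolve(procs, p.ppid, p.seq) == tgt]
        same = tgt.ppid == src.pid and tgt.image == src.image
        chains.append(Chain(src, tgt, same, spawned))
    return chains


if __name__ == "__main__":
    for c in injection_chains(PROCESSES, SET_THREAD_CONTEXT):
        print(c.describe())
    print("pid 3900 at seq 118:", resolve(PROCESSES, 3900, 118).image)
    print("pid 3900 at seq 127:", resolve(PROCESSES, 3900, 127).image)
```

All four SetThreadContext events resolve to a self-hollowing chain whose injected child goes on to spawn cmd.exe, which matches the tree below. The naive first-match lookup returns the schtasks.exe instance for pid 3900, so a detection keyed on pid would attribute the fourth hollowing to the wrong process; on a live host the equivalent of seq is the process start time or the ProcessGuid that Sysmon emits.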
Processes
Indentation shows parent/child. Processes at the left margin have no recorded parent: the three RtDCpl64.exe roots carry the unquoted command line that matches the raserver task's /tr value, consistent with the scheduled task firing, while svchost.exe (wuauserv) and TiWorker.exe are Windows Update and servicing activity outside the sample's tree.

C:\Users\Admin\AppData\Local\Temp\5dedf7302c9993def502be42f07e86cb1579509e0f82e15dc9690475a56243cc.exe (PID 2240)
  command line: "C:\Users\Admin\AppData\Local\Temp\5dedf7302c9993def502be42f07e86cb1579509e0f82e15dc9690475a56243cc.exe"
  - Checks computer location settings
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Roaming\Blasthost.exe (PID 1028)
      command line: "C:\Users\Admin\AppData\Roaming\Blasthost.exe"
      - Executes dropped EXE
      - Suspicious use of WriteProcessMemory
        C:\Users\Admin\AppData\Roaming\Imgburn\Host.exe (PID 3608)
          command line: "C:\Users\Admin\AppData\Roaming\Imgburn\Host.exe"
          - Executes dropped EXE
    C:\Users\Admin\AppData\Local\Temp\5dedf7302c9993def502be42f07e86cb1579509e0f82e15dc9690475a56243cc.exe (PID 1948)
      command line: "C:\Users\Admin\AppData\Local\Temp\5dedf7302c9993def502be42f07e86cb1579509e0f82e15dc9690475a56243cc.exe"
      - Suspicious use of WriteProcessMemory
        C:\Windows\SysWOW64\cmd.exe (PID 1240)
          command line: "C:\Windows\System32\cmd.exe"
    C:\Windows\SysWOW64\schtasks.exe (PID 3420)
      command line: "C:\Windows\SysWOW64\schtasks.exe" /create /tn raserver /tr "C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe" /sc minute /mo 1 /F
      - Creates scheduled task(s)

C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe (PID 388)
  command line: C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
  - Executes dropped EXE
  - Checks computer location settings
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Roaming\Blasthost.exe (PID 1484)
      command line: "C:\Users\Admin\AppData\Roaming\Blasthost.exe"
      - Executes dropped EXE
    C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe (PID 3584)
      command line: "C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe"
      - Executes dropped EXE
      - Suspicious use of WriteProcessMemory
        C:\Windows\SysWOW64\cmd.exe (PID 2336)
          command line: "C:\Windows\System32\cmd.exe"
    C:\Windows\SysWOW64\schtasks.exe (PID 3108)
      command line: "C:\Windows\SysWOW64\schtasks.exe" /create /tn raserver /tr "C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe" /sc minute /mo 1 /F
      - Creates scheduled task(s)

C:\Windows\system32\svchost.exe (PID 2188)
  command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken

C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe (PID 204)
  command line: C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken

C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe (PID 1852)
  command line: C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
  - Executes dropped EXE
  - Checks computer location settings
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Roaming\Blasthost.exe (PID 3664)
      command line: "C:\Users\Admin\AppData\Roaming\Blasthost.exe"
      - Executes dropped EXE
    C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe (PID 1836)
      command line: "C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe"
      - Executes dropped EXE
      - Suspicious use of WriteProcessMemory
        C:\Windows\SysWOW64\cmd.exe (PID 3944)
          command line: "C:\Windows\System32\cmd.exe"
    C:\Windows\SysWOW64\schtasks.exe (PID 3900)
      command line: "C:\Windows\SysWOW64\schtasks.exe" /create /tn raserver /tr "C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe" /sc minute /mo 1 /F
      - Creates scheduled task(s)

C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe (PID 1204)
  command line: C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
  - Executes dropped EXE
  - Checks computer location settings
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Roaming\Blasthost.exe (PID 3508)
      command line: "C:\Users\Admin\AppData\Roaming\Blasthost.exe"
      - Executes dropped EXE
    C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe (PID 3900, pid reused after the schtasks.exe instance above exited)
      command line: "C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe"
      - Executes dropped EXE
      - Suspicious use of WriteProcessMemory
        C:\Windows\SysWOW64\cmd.exe (PID 1996)
          command line: "C:\Windows\System32\cmd.exe"
    C:\Windows\SysWOW64\schtasks.exe (PID 1728)
      command line: "C:\Windows\SysWOW64\schtasks.exe" /create /tn raserver /tr "C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe" /sc minute /mo 1 /F
      - Creates scheduled task(s)