Analysis
  max time kernel:  162s
  max time network: 134s
  platform:         windows7_x64
  resource:         win7-en-20211208
  submitted:        17/02/2022, 02:57
Behavioral task behavioral1
  Sample:   5db31ca87867f296048347c9aea368b4fd740adfec9b77a97bcce2a3efa00f3e.exe
  Resource: win7-en-20211208
Behavioral task behavioral2
  Sample:   5db31ca87867f296048347c9aea368b4fd740adfec9b77a97bcce2a3efa00f3e.exe
  Resource: win10v2004-en-20220113
General
  Target: 5db31ca87867f296048347c9aea368b4fd740adfec9b77a97bcce2a3efa00f3e.exe
  Size:   1.3MB
  MD5:    c1fcb5285d620f9d9a56fc16a29a46d4
  SHA1:   6b137003994552ea5c05927f633e731ba8a8e790
  SHA256: 5db31ca87867f296048347c9aea368b4fd740adfec9b77a97bcce2a3efa00f3e
  SHA512: f6ef479550a1b75e9d790e7513a9f8a21862ad776bfe5c5f54dbc0d0d5b3034a94f376b50f95549522c86f3477d4f879e2c7ce662718bffea8cbf9726458ddb8
Malware Config
  Extracted: warzonerat
  C2:        wealth.warzonedns.com:5202
Signatures

NetWire RAT payload (25 IoCs)
  resource                                     yara_rule
  behavioral1/files/0x000700000001262d-55.dat  netwire
  behavioral1/files/0x000700000001262d-56.dat  netwire
  behavioral1/files/0x000700000001262d-57.dat  netwire
  behavioral1/files/0x000700000001262d-58.dat  netwire
  behavioral1/files/0x000700000001262d-59.dat  netwire
  behavioral1/files/0x000700000001262d-61.dat  netwire
  behavioral1/files/0x000700000001266d-62.dat  netwire
  behavioral1/files/0x000700000001266d-63.dat  netwire
  behavioral1/files/0x000700000001266d-64.dat  netwire
  behavioral1/files/0x0006000000013090-79.dat  netwire
  behavioral1/files/0x0006000000013090-80.dat  netwire
  behavioral1/files/0x000700000001262d-82.dat  netwire
  behavioral1/files/0x000700000001262d-85.dat  netwire
  behavioral1/files/0x000700000001262d-83.dat  netwire
  behavioral1/files/0x000700000001262d-84.dat  netwire
  behavioral1/files/0x000700000001262d-86.dat  netwire
  behavioral1/files/0x000700000001266d-88.dat  netwire
  behavioral1/files/0x0006000000013090-97.dat  netwire
  behavioral1/files/0x000700000001262d-104.dat netwire
  behavioral1/files/0x0006000000013090-105.dat netwire
  behavioral1/files/0x000700000001262d-107.dat netwire
  behavioral1/files/0x000700000001262d-109.dat netwire
  behavioral1/files/0x000700000001262d-108.dat netwire
  behavioral1/files/0x000700000001262d-110.dat netwire
  behavioral1/files/0x0006000000013090-120.dat netwire

WarzoneRat, AveMaria
  WarzoneRat is a native RAT developed in C++ with multiple plugins, sold as Malware-as-a-Service (MaaS).

Warzone RAT Payload (6 IoCs)
  resource                                                                    yara_rule
  behavioral1/memory/1928-67-0x00000000000C0000-0x00000000000DD000-memory.dmp  warzonerat
  behavioral1/memory/1928-75-0x00000000000C0000-0x00000000000DD000-memory.dmp  warzonerat
  behavioral1/memory/1232-90-0x0000000000400000-0x000000000041D000-memory.dmp  warzonerat
  behavioral1/memory/1232-99-0x0000000000400000-0x000000000041D000-memory.dmp  warzonerat
  behavioral1/memory/764-113-0x0000000000080000-0x000000000009D000-memory.dmp  warzonerat
  behavioral1/memory/764-122-0x0000000000080000-0x000000000009D000-memory.dmp  warzonerat

Executes dropped EXE (8 IoCs)
  pid   Process
  484   Blasthost.exe
  280   Host.exe
  1716  RtDCpl64.exe
  360   Blasthost.exe
  1232  RtDCpl64.exe
  1848  RtDCpl64.exe
  1776  Blasthost.exe
  764   RtDCpl64.exe

Loads dropped DLL (13 IoCs)
  pid   Process
  832   5db31ca87867f296048347c9aea368b4fd740adfec9b77a97bcce2a3efa00f3e.exe
  832   5db31ca87867f296048347c9aea368b4fd740adfec9b77a97bcce2a3efa00f3e.exe
  832   5db31ca87867f296048347c9aea368b4fd740adfec9b77a97bcce2a3efa00f3e.exe
  832   5db31ca87867f296048347c9aea368b4fd740adfec9b77a97bcce2a3efa00f3e.exe
  484   Blasthost.exe
  484   Blasthost.exe
  1716  RtDCpl64.exe
  1716  RtDCpl64.exe
  1716  RtDCpl64.exe
  1716  RtDCpl64.exe
  1848  RtDCpl64.exe
  1848  RtDCpl64.exe
  1848  RtDCpl64.exe

Suspicious use of SetThreadContext (3 IoCs)
  description                          pid   Process                                                                 procid_target
  PID 832 set thread context of 1928   832   5db31ca87867f296048347c9aea368b4fd740adfec9b77a97bcce2a3efa00f3e.exe   29
  PID 1716 set thread context of 1232  1716  RtDCpl64.exe                                                            39
  PID 1848 set thread context of 764   1848  RtDCpl64.exe                                                            46

autoit_exe (5 IoCs)
  AutoIT scripts compiled to PE executables.
  resource                                     yara_rule
  behavioral1/files/0x0006000000013090-79.dat  autoit_exe
  behavioral1/files/0x0006000000013090-80.dat  autoit_exe
  behavioral1/files/0x0006000000013090-97.dat  autoit_exe
  behavioral1/files/0x0006000000013090-105.dat autoit_exe
  behavioral1/files/0x0006000000013090-120.dat autoit_exe

Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Creates scheduled task(s) (1 TTPs, 3 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  pid   Process
  1104  schtasks.exe
  880   schtasks.exe
  1720  schtasks.exe

Suspicious use of WriteProcessMemory (64 IoCs)
Processes

[1] C:\Users\Admin\AppData\Local\Temp\5db31ca87867f296048347c9aea368b4fd740adfec9b77a97bcce2a3efa00f3e.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\5db31ca87867f296048347c9aea368b4fd740adfec9b77a97bcce2a3efa00f3e.exe"
    PID 832
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory

  [2] C:\Users\Admin\AppData\Roaming\Blasthost.exe
      command line: "C:\Users\Admin\AppData\Roaming\Blasthost.exe"
      PID 484
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious use of WriteProcessMemory

    [3] C:\Users\Admin\AppData\Roaming\Imgburn\Host.exe
        command line: "C:\Users\Admin\AppData\Roaming\Imgburn\Host.exe"
        PID 280
        - Executes dropped EXE

  [2] C:\Users\Admin\AppData\Local\Temp\5db31ca87867f296048347c9aea368b4fd740adfec9b77a97bcce2a3efa00f3e.exe
      command line: "C:\Users\Admin\AppData\Local\Temp\5db31ca87867f296048347c9aea368b4fd740adfec9b77a97bcce2a3efa00f3e.exe"
      PID 1928
      - Suspicious use of WriteProcessMemory

    [3] C:\Windows\SysWOW64\cmd.exe
        command line: "C:\Windows\System32\cmd.exe"
        PID 1780

  [2] C:\Windows\SysWOW64\schtasks.exe
      command line: "C:\Windows\SysWOW64\schtasks.exe" /create /tn raserver /tr "C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe" /sc minute /mo 1 /F
      PID 1104
      - Creates scheduled task(s)

[1] C:\Windows\system32\taskeng.exe
    command line: taskeng.exe {5DB27955-FF82-4D5E-8B2B-7A8AF7297491} S-1-5-21-3846991908-3261386348-1409841751-1000:VQVVOAJK\Admin:Interactive:[1]
    PID 1356
    - Suspicious use of WriteProcessMemory

  [2] C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
      command line: C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
      PID 1716
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious use of SetThreadContext
      - Suspicious use of WriteProcessMemory

    [3] C:\Users\Admin\AppData\Roaming\Blasthost.exe
        command line: "C:\Users\Admin\AppData\Roaming\Blasthost.exe"
        PID 360
        - Executes dropped EXE

    [3] C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
        command line: "C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe"
        PID 1232
        - Executes dropped EXE
        - Suspicious use of WriteProcessMemory

      [4] C:\Windows\SysWOW64\cmd.exe
          command line: "C:\Windows\System32\cmd.exe"
          PID 1808

    [3] C:\Windows\SysWOW64\schtasks.exe
        command line: "C:\Windows\SysWOW64\schtasks.exe" /create /tn raserver /tr "C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe" /sc minute /mo 1 /F
        PID 880
        - Creates scheduled task(s)

  [2] C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
      command line: C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
      PID 1848
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious use of SetThreadContext
      - Suspicious use of WriteProcessMemory

    [3] C:\Users\Admin\AppData\Roaming\Blasthost.exe
        command line: "C:\Users\Admin\AppData\Roaming\Blasthost.exe"
        PID 1776
        - Executes dropped EXE

    [3] C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
        command line: "C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe"
        PID 764
        - Executes dropped EXE

      [4] C:\Windows\SysWOW64\cmd.exe
          command line: "C:\Windows\System32\cmd.exe"
          PID 1732

    [3] C:\Windows\SysWOW64\schtasks.exe
        command line: "C:\Windows\SysWOW64\schtasks.exe" /create /tn raserver /tr "C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe" /sc minute /mo 1 /F
        PID 1720
        - Creates scheduled task(s)