Analysis

Max time kernel: 175s
Max time network: 184s
Platform: windows10-2004_x64
Resource: win10v2004-en-20220113
Submitted: 17/02/2022, 02:57

Behavioral task: behavioral1
Sample: 5db31ca87867f296048347c9aea368b4fd740adfec9b77a97bcce2a3efa00f3e.exe
Resource: win7-en-20211208

Behavioral task: behavioral2
Sample: 5db31ca87867f296048347c9aea368b4fd740adfec9b77a97bcce2a3efa00f3e.exe
Resource: win10v2004-en-20220113

General

Target: 5db31ca87867f296048347c9aea368b4fd740adfec9b77a97bcce2a3efa00f3e.exe
Size: 1.3MB
MD5: c1fcb5285d620f9d9a56fc16a29a46d4
SHA1: 6b137003994552ea5c05927f633e731ba8a8e790
SHA256: 5db31ca87867f296048347c9aea368b4fd740adfec9b77a97bcce2a3efa00f3e
SHA512: f6ef479550a1b75e9d790e7513a9f8a21862ad776bfe5c5f54dbc0d0d5b3034a94f376b50f95549522c86f3477d4f879e2c7ce662718bffea8cbf9726458ddb8
Malware Config

Extracted
Family: warzonerat
C2: wealth.warzonedns.com:5202

Signatures
NetWire RAT payload (12 IoCs)
WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
Warzone RAT payload (4 IoCs)
- behavioral2/memory/4628-132-0x0000000000400000-0x000000000041D000-memory.dmp: yara_rule warzonerat
- behavioral2/memory/4628-139-0x0000000000400000-0x000000000041D000-memory.dmp: yara_rule warzonerat
- behavioral2/memory/5060-163-0x0000000000A90000-0x0000000000AAD000-memory.dmp: yara_rule warzonerat
- behavioral2/memory/5060-171-0x0000000000A90000-0x0000000000AAD000-memory.dmp: yara_rule warzonerat
Executes dropped EXE (8 IoCs)
- PID 1392: Blasthost.exe
- PID 4780: Host.exe
- PID 2804: RtDCpl64.exe
- PID 4244: Blasthost.exe
- PID 3732: RtDCpl64.exe
- PID 3976: RtDCpl64.exe
- PID 4836: Blasthost.exe
- PID 5060: RtDCpl64.exe
Checks computer location settings (2 TTPs, 3 IoCs)
Looks up country code configured in the registry, likely geofence.
- Key value queried: \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation (RtDCpl64.exe)
- Key value queried: \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation (5db31ca87867f296048347c9aea368b4fd740adfec9b77a97bcce2a3efa00f3e.exe)
- Key value queried: \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation (RtDCpl64.exe)
Suspicious use of SetThreadContext (3 IoCs)
- PID 4728 (5db31ca87867f296048347c9aea368b4fd740adfec9b77a97bcce2a3efa00f3e.exe) set thread context of PID 4628 (procid_target 84)
- PID 2804 (RtDCpl64.exe) set thread context of PID 3732 (procid_target 108)
- PID 3976 (RtDCpl64.exe) set thread context of PID 5060 (procid_target 120)
autoit_exe (5 IoCs)
AutoIT scripts compiled to PE executables.
- behavioral2/files/0x00070000000162aa-147.dat: yara_rule autoit_exe
- behavioral2/files/0x00070000000162aa-148.dat: yara_rule autoit_exe
- behavioral2/files/0x00070000000162aa-157.dat: yara_rule autoit_exe
- behavioral2/files/0x00070000000162aa-161.dat: yara_rule autoit_exe
- behavioral2/files/0x00070000000162aa-170.dat: yara_rule autoit_exe
Drops file in Windows directory (8 IoCs)
- File opened for modification: C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk (svchost.exe)
- File opened for modification: C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log (svchost.exe)
- File opened for modification: C:\Windows\SoftwareDistribution\DataStore\DataStore.edb (svchost.exe)
- File opened for modification: C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm (svchost.exe)
- File opened for modification: C:\Windows\SoftwareDistribution\ReportingEvents.log (svchost.exe)
- File opened for modification: C:\Windows\Logs\CBS\CBS.log (TiWorker.exe)
- File opened for modification: C:\Windows\WinSxS\pending.xml (TiWorker.exe)
- File opened for modification: C:\Windows\WindowsUpdate.log (svchost.exe)
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Creates scheduled task(s) (1 TTP, 3 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
- PID 1140: schtasks.exe
- PID 3096: schtasks.exe
- PID 1192: schtasks.exe
Suspicious use of AdjustPrivilegeToken (64 IoCs)
Suspicious use of WriteProcessMemory (51 IoCs)
Processes

- C:\Users\Admin\AppData\Local\Temp\5db31ca87867f296048347c9aea368b4fd740adfec9b77a97bcce2a3efa00f3e.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\5db31ca87867f296048347c9aea368b4fd740adfec9b77a97bcce2a3efa00f3e.exe"
  PID: 4728
  Signatures: Checks computer location settings; Suspicious use of SetThreadContext; Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Roaming\Blasthost.exe
    Command line: "C:\Users\Admin\AppData\Roaming\Blasthost.exe"
    PID: 1392
    Signatures: Executes dropped EXE; Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Roaming\Imgburn\Host.exe
      Command line: "C:\Users\Admin\AppData\Roaming\Imgburn\Host.exe"
      PID: 4780
      Signatures: Executes dropped EXE
  - C:\Users\Admin\AppData\Local\Temp\5db31ca87867f296048347c9aea368b4fd740adfec9b77a97bcce2a3efa00f3e.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\5db31ca87867f296048347c9aea368b4fd740adfec9b77a97bcce2a3efa00f3e.exe"
    PID: 4628
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe"
      PID: 4928
  - C:\Windows\SysWOW64\schtasks.exe
    Command line: "C:\Windows\SysWOW64\schtasks.exe" /create /tn raserver /tr "C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe" /sc minute /mo 1 /F
    PID: 1140
    Signatures: Creates scheduled task(s)

- C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
  PID: 4604
  Signatures: Drops file in Windows directory; Suspicious use of AdjustPrivilegeToken

- C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
  Command line: C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
  PID: 2804
  Signatures: Executes dropped EXE; Checks computer location settings; Suspicious use of SetThreadContext; Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Roaming\Blasthost.exe
    Command line: "C:\Users\Admin\AppData\Roaming\Blasthost.exe"
    PID: 4244
    Signatures: Executes dropped EXE
  - C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
    Command line: "C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe"
    PID: 3732
    Signatures: Executes dropped EXE; Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe"
      PID: 3712
  - C:\Windows\SysWOW64\schtasks.exe
    Command line: "C:\Windows\SysWOW64\schtasks.exe" /create /tn raserver /tr "C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe" /sc minute /mo 1 /F
    PID: 3096
    Signatures: Creates scheduled task(s)

- C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
  Command line: C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
  PID: 4708
  Signatures: Drops file in Windows directory; Suspicious use of AdjustPrivilegeToken

- C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
  Command line: C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
  PID: 3976
  Signatures: Executes dropped EXE; Checks computer location settings; Suspicious use of SetThreadContext; Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Roaming\Blasthost.exe
    Command line: "C:\Users\Admin\AppData\Roaming\Blasthost.exe"
    PID: 4836
    Signatures: Executes dropped EXE
  - C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
    Command line: "C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe"
    PID: 5060
    Signatures: Executes dropped EXE; Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe"
      PID: 2336
  - C:\Windows\SysWOW64\schtasks.exe
    Command line: "C:\Windows\SysWOW64\schtasks.exe" /create /tn raserver /tr "C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe" /sc minute /mo 1 /F
    PID: 1192
    Signatures: Creates scheduled task(s)