Overview

overview

10

Static

static

10

f42c959912...cb.exe

windows7-x64

10

f42c959912...cb.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    148s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220718-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220718-enlocale:en-usos:windows10-2004-x64system
  • submitted
    20-07-2022 10:34

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    f42c9599126a2145a8337859062564cb.exe

  • Size

    1.3MB

  • MD5

    f42c9599126a2145a8337859062564cb

  • SHA1

    0c3d5afe4e3e875292073f5c7780bf015688b7ca

  • SHA256

    7149f99900a42e8b22a22392523faf51cd0fe268c3f7e983463232e7945f7aa5

  • SHA512

    f96c92545a1529d6fbeed5cd60fd3f079acabc8f0201e0a4282acd2ea6201fb7405ac4cc1c6ca021fe1275db70a0069825f3ecfcfb117f9fd2b1c4648b8b1388

Score
10/10
netwirewarzoneratbotnetinfostealerratstealer

Malware Config

Extracted

Family

netwire

C2

Wealthy2019.com.strangled.net:20190

wealthyme.ddns.net:20190
Attributes
  • activex_autorun

    false

  • copy_executable

    true

  • delete_original

    false

  • host_id

    sunshineslisa

  • install_path

    %AppData%\Imgburn\Host.exe

  • keylogger_dir

    %AppData%\Logs\Imgburn\

  • lock_executable

    false

  • offline_keylogger

    true

  • password

    sucess

  • registry_autorun

    false

  • use_mutex

    false

Extracted

Family

warzonerat

C2

wealth.warzonedns.com:5202

Signatures

  • NetWire RAT payload 13 IoCs
    rat
  • Netwire

    Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.

    botnetstealernetwire
  • WarzoneRat, AveMaria

    WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.

    ratinfostealerwarzonerat
  • Warzone RAT payload 4 IoCs
    rat
  • Executes dropped EXE 9 IoCs
  • Checks computer location settings 2 TTPs 3 IoCs

    Looks up country code configured in the registry, likely geofence.

  • AutoIT Executable 6 IoCs

    AutoIT scripts compiled to PE executables.

  • Suspicious use of SetThreadContext 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Creates scheduled task(s) 1 TTPs 3 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious use of WriteProcessMemory 51 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\f42c9599126a2145a8337859062564cb.exe
    "C:\Users\Admin\AppData\Local\Temp\f42c9599126a2145a8337859062564cb.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:3448
    • C:\Users\Admin\AppData\Roaming\Blasthost.exe
      "C:\Users\Admin\AppData\Roaming\Blasthost.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:1936
      • C:\Users\Admin\AppData\Roaming\Imgburn\Host.exe
        "C:\Users\Admin\AppData\Roaming\Imgburn\Host.exe"
        3⤵
        • Executes dropped EXE
        PID:4448
    • C:\Users\Admin\AppData\Local\Temp\f42c9599126a2145a8337859062564cb.exe
      "C:\Users\Admin\AppData\Local\Temp\f42c9599126a2145a8337859062564cb.exe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1472
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe"
        3⤵
          PID:2796
      • C:\Windows\SysWOW64\schtasks.exe
        "C:\Windows\SysWOW64\schtasks.exe" /create /tn raserver /tr "C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe" /sc minute /mo 1 /F
        2⤵
        • Creates scheduled task(s)
        PID:2516
    • C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
      C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
      1⤵
      • Executes dropped EXE
      • Checks computer location settings
      • Suspicious use of SetThreadContext
      • Suspicious use of WriteProcessMemory
      PID:4216
      • C:\Users\Admin\AppData\Roaming\Blasthost.exe
        "C:\Users\Admin\AppData\Roaming\Blasthost.exe"
        2⤵
        • Executes dropped EXE
        PID:5084
      • C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
        "C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe"
        2⤵
        • Executes dropped EXE
        • Suspicious use of WriteProcessMemory
        PID:4688
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\System32\cmd.exe"
          3⤵
            PID:1424
        • C:\Windows\SysWOW64\schtasks.exe
          "C:\Windows\SysWOW64\schtasks.exe" /create /tn raserver /tr "C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe" /sc minute /mo 1 /F
          2⤵
          • Creates scheduled task(s)
          PID:4560
      • C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
        C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
        1⤵
        • Executes dropped EXE
        • Checks computer location settings
        • Suspicious use of SetThreadContext
        • Suspicious use of WriteProcessMemory
        PID:208
        • C:\Users\Admin\AppData\Roaming\Blasthost.exe
          "C:\Users\Admin\AppData\Roaming\Blasthost.exe"
          2⤵
          • Executes dropped EXE
          PID:1320
        • C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
          "C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe"
          2⤵
          • Executes dropped EXE
          • Suspicious use of WriteProcessMemory
          PID:3796
          • C:\Windows\SysWOW64\cmd.exe
            "C:\Windows\System32\cmd.exe"
            3⤵
              PID:4200
          • C:\Windows\SysWOW64\schtasks.exe
            "C:\Windows\SysWOW64\schtasks.exe" /create /tn raserver /tr "C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe" /sc minute /mo 1 /F
            2⤵
            • Creates scheduled task(s)
            PID:4504
        • C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
          C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
          1⤵
          • Executes dropped EXE
          PID:3312

        Network

        MITRE ATT&CK Enterprise v6

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Roaming\Blasthost.exe
          Filesize

          132KB

          MD5

          6087bf6af59b9c531f2c9bb421d5e902

          SHA1

          8bc0f1596c986179b82585c703bacae6d2a00316

          SHA256

          3a8ffff8485c9ed35dae82574ea1a455ea2ead532251cebea19149d78dfd682c

          SHA512

          c8ed34470a874ce21c91cb7843521d66decc32c3f0a9c8d5b55889a7b990dfe5199ade8b6c6ef94b1bced6d3b5f0721e14bcc06320e8efe73ca3fe27fd6b9292

          Download Submit

        • C:\Users\Admin\AppData\Roaming\Blasthost.exe
          Filesize

          132KB

          MD5

          6087bf6af59b9c531f2c9bb421d5e902

          SHA1

          8bc0f1596c986179b82585c703bacae6d2a00316

          SHA256

          3a8ffff8485c9ed35dae82574ea1a455ea2ead532251cebea19149d78dfd682c

          SHA512

          c8ed34470a874ce21c91cb7843521d66decc32c3f0a9c8d5b55889a7b990dfe5199ade8b6c6ef94b1bced6d3b5f0721e14bcc06320e8efe73ca3fe27fd6b9292

          Download Submit

        • C:\Users\Admin\AppData\Roaming\Blasthost.exe
          Filesize

          132KB

          MD5

          6087bf6af59b9c531f2c9bb421d5e902

          SHA1

          8bc0f1596c986179b82585c703bacae6d2a00316

          SHA256

          3a8ffff8485c9ed35dae82574ea1a455ea2ead532251cebea19149d78dfd682c

          SHA512

          c8ed34470a874ce21c91cb7843521d66decc32c3f0a9c8d5b55889a7b990dfe5199ade8b6c6ef94b1bced6d3b5f0721e14bcc06320e8efe73ca3fe27fd6b9292

          Download Submit

        • C:\Users\Admin\AppData\Roaming\Blasthost.exe
          Filesize

          132KB

          MD5

          6087bf6af59b9c531f2c9bb421d5e902

          SHA1

          8bc0f1596c986179b82585c703bacae6d2a00316

          SHA256

          3a8ffff8485c9ed35dae82574ea1a455ea2ead532251cebea19149d78dfd682c

          SHA512

          c8ed34470a874ce21c91cb7843521d66decc32c3f0a9c8d5b55889a7b990dfe5199ade8b6c6ef94b1bced6d3b5f0721e14bcc06320e8efe73ca3fe27fd6b9292

          Download Submit

        • C:\Users\Admin\AppData\Roaming\Blasthost.exe
          Filesize

          132KB

          MD5

          6087bf6af59b9c531f2c9bb421d5e902

          SHA1

          8bc0f1596c986179b82585c703bacae6d2a00316

          SHA256

          3a8ffff8485c9ed35dae82574ea1a455ea2ead532251cebea19149d78dfd682c

          SHA512

          c8ed34470a874ce21c91cb7843521d66decc32c3f0a9c8d5b55889a7b990dfe5199ade8b6c6ef94b1bced6d3b5f0721e14bcc06320e8efe73ca3fe27fd6b9292

          Download Submit

        • C:\Users\Admin\AppData\Roaming\Imgburn\Host.exe
          Filesize

          132KB

          MD5

          6087bf6af59b9c531f2c9bb421d5e902

          SHA1

          8bc0f1596c986179b82585c703bacae6d2a00316

          SHA256

          3a8ffff8485c9ed35dae82574ea1a455ea2ead532251cebea19149d78dfd682c

          SHA512

          c8ed34470a874ce21c91cb7843521d66decc32c3f0a9c8d5b55889a7b990dfe5199ade8b6c6ef94b1bced6d3b5f0721e14bcc06320e8efe73ca3fe27fd6b9292

          Download Submit

        • C:\Users\Admin\AppData\Roaming\Imgburn\Host.exe
          Filesize

          132KB

          MD5

          6087bf6af59b9c531f2c9bb421d5e902

          SHA1

          8bc0f1596c986179b82585c703bacae6d2a00316

          SHA256

          3a8ffff8485c9ed35dae82574ea1a455ea2ead532251cebea19149d78dfd682c

          SHA512

          c8ed34470a874ce21c91cb7843521d66decc32c3f0a9c8d5b55889a7b990dfe5199ade8b6c6ef94b1bced6d3b5f0721e14bcc06320e8efe73ca3fe27fd6b9292

          Download Submit

        • C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
          Filesize

          1.3MB

          MD5

          02811b150cd4176507bf3784e37b0375

          SHA1

          af997cbf63892e52f232c2b8dc4511f0913a60fb

          SHA256

          7caecb21bae3af5099e6e31e9604babcefb8759eac1bb8c6ee73062474f35ae0

          SHA512

          762a7b481960719f9e5e19484f2679e549deb27fbef45092f3c380a0c2c6f11098eb1de8a9a571ccba63c86818ab74a539c9399f517f1e3f911892c874947528

          Download Submit

        • C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
          Filesize

          1.3MB

          MD5

          02811b150cd4176507bf3784e37b0375

          SHA1

          af997cbf63892e52f232c2b8dc4511f0913a60fb

          SHA256

          7caecb21bae3af5099e6e31e9604babcefb8759eac1bb8c6ee73062474f35ae0

          SHA512

          762a7b481960719f9e5e19484f2679e549deb27fbef45092f3c380a0c2c6f11098eb1de8a9a571ccba63c86818ab74a539c9399f517f1e3f911892c874947528

          Download Submit

        • C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
          Filesize

          1.3MB

          MD5

          02811b150cd4176507bf3784e37b0375

          SHA1

          af997cbf63892e52f232c2b8dc4511f0913a60fb

          SHA256

          7caecb21bae3af5099e6e31e9604babcefb8759eac1bb8c6ee73062474f35ae0

          SHA512

          762a7b481960719f9e5e19484f2679e549deb27fbef45092f3c380a0c2c6f11098eb1de8a9a571ccba63c86818ab74a539c9399f517f1e3f911892c874947528

          Download Submit

        • C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
          Filesize

          1.3MB

          MD5

          02811b150cd4176507bf3784e37b0375

          SHA1

          af997cbf63892e52f232c2b8dc4511f0913a60fb

          SHA256

          7caecb21bae3af5099e6e31e9604babcefb8759eac1bb8c6ee73062474f35ae0

          SHA512

          762a7b481960719f9e5e19484f2679e549deb27fbef45092f3c380a0c2c6f11098eb1de8a9a571ccba63c86818ab74a539c9399f517f1e3f911892c874947528

          Download Submit

        • C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
          Filesize

          1.3MB

          MD5

          02811b150cd4176507bf3784e37b0375

          SHA1

          af997cbf63892e52f232c2b8dc4511f0913a60fb

          SHA256

          7caecb21bae3af5099e6e31e9604babcefb8759eac1bb8c6ee73062474f35ae0

          SHA512

          762a7b481960719f9e5e19484f2679e549deb27fbef45092f3c380a0c2c6f11098eb1de8a9a571ccba63c86818ab74a539c9399f517f1e3f911892c874947528

          Download Submit

        • C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
          Filesize

          1.3MB

          MD5

          02811b150cd4176507bf3784e37b0375

          SHA1

          af997cbf63892e52f232c2b8dc4511f0913a60fb

          SHA256

          7caecb21bae3af5099e6e31e9604babcefb8759eac1bb8c6ee73062474f35ae0

          SHA512

          762a7b481960719f9e5e19484f2679e549deb27fbef45092f3c380a0c2c6f11098eb1de8a9a571ccba63c86818ab74a539c9399f517f1e3f911892c874947528

          Download Submit

        • memory/1320-169-0x0000000000000000-mapping.dmp

          Download

        • memory/1424-164-0x0000000000000000-mapping.dmp

          Download

        • memory/1424-166-0x00000000012D0000-0x00000000012D1000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1472-134-0x0000000000400000-0x000000000041D000-memory.dmp

          Filesize

          116KB

          Download

        • memory/1472-142-0x0000000000400000-0x000000000041D000-memory.dmp

          Filesize

          116KB

          Download

        • memory/1472-133-0x0000000000000000-mapping.dmp

          Download

        • memory/1936-130-0x0000000000000000-mapping.dmp

          Download

        • memory/2516-147-0x0000000000000000-mapping.dmp

          Download

        • memory/2796-146-0x0000000000000000-mapping.dmp

          Download

        • memory/2796-148-0x0000000001030000-0x0000000001031000-memory.dmp

          Filesize

          4KB

          Download

        • memory/3796-171-0x0000000000000000-mapping.dmp

          Download

        • memory/3796-172-0x0000000000AB0000-0x0000000000ACD000-memory.dmp

          Filesize

          116KB

          Download

        • memory/3796-181-0x0000000000AB0000-0x0000000000ACD000-memory.dmp

          Filesize

          116KB

          Download

        • memory/4200-182-0x0000000000000000-mapping.dmp

          Download

        • memory/4200-184-0x00000000008B0000-0x00000000008B1000-memory.dmp

          Filesize

          4KB

          Download

        • memory/4448-143-0x0000000000000000-mapping.dmp

          Download

        • memory/4504-183-0x0000000000000000-mapping.dmp

          Download

        • memory/4560-165-0x0000000000000000-mapping.dmp

          Download

        • memory/4688-153-0x0000000000000000-mapping.dmp

          Download

        • memory/5084-151-0x0000000000000000-mapping.dmp

          Download