Overview

overview

10

Static

static

10

win10-standard

windows10-2004-x64

10

Analysis

  • max time kernel
    200s
  • max time network
    202s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    07-10-2022 00:21

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    3a3bcbcc87165f362f27ad83b40bda48b218e809.exe

  • Size

    1.3MB

  • MD5

    3c10caa90ad81be12466eacafd4d9bd5

  • SHA1

    3a3bcbcc87165f362f27ad83b40bda48b218e809

  • SHA256

    0ff14b11b9dd9661f78c9c3546682350770016c7359a977a379a83d6b2dafce6

  • SHA512

    91ebdb7f11d3e4c8127176fe3ea880e6ffe636b25a89d2861124236d956e15190f807aa1830368aeeb39e69fd69f0903881566b1c6c86bf247552777f2758b1f

  • SSDEEP

    24576:Ku6J33O0c+JY5UZ+XC0kGso6Fa720W4njUprvVcC1f2o5RRfgUWYn:8u0c++OCvkGs9Fa+rd1f26RaYn

Score
10/10
netwirewarzoneratbotnetinfostealerratstealer

Malware Config

Extracted

Family

netwire

C2

Wealthy2019.com.strangled.net:20190

wealthyme.ddns.net:20190
Attributes
  • activex_autorun

    false

  • copy_executable

    true

  • delete_original

    false

  • host_id

    sunshineslisa

  • install_path

    %AppData%\Imgburn\Host.exe

  • keylogger_dir

    %AppData%\Logs\Imgburn\

  • lock_executable

    false

  • offline_keylogger

    true

  • password

    sucess

  • registry_autorun

    false

  • use_mutex

    false

Extracted

Family

warzonerat

C2

wealth.warzonedns.com:5202

Signatures

  • NetWire RAT payload 15 IoCs
    rat
  • Netwire

    Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.

    botnetstealernetwire
  • WarzoneRat, AveMaria

    WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.

    ratinfostealerwarzonerat
  • Warzone RAT payload 8 IoCs
    rat
  • Executes dropped EXE 11 IoCs
  • Checks computer location settings 2 TTPs 4 IoCs

    Looks up country code configured in the registry, likely geofence.

  • AutoIT Executable 7 IoCs

    AutoIT scripts compiled to PE executables.

  • Suspicious use of SetThreadContext 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Creates scheduled task(s) 1 TTPs 4 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\3a3bcbcc87165f362f27ad83b40bda48b218e809.exe
    "C:\Users\Admin\AppData\Local\Temp\3a3bcbcc87165f362f27ad83b40bda48b218e809.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:4956
    • C:\Users\Admin\AppData\Roaming\Blasthost.exe
      "C:\Users\Admin\AppData\Roaming\Blasthost.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:3308
      • C:\Users\Admin\AppData\Roaming\Imgburn\Host.exe
        "C:\Users\Admin\AppData\Roaming\Imgburn\Host.exe"
        3⤵
        • Executes dropped EXE
        PID:4112
    • C:\Users\Admin\AppData\Local\Temp\3a3bcbcc87165f362f27ad83b40bda48b218e809.exe
      "C:\Users\Admin\AppData\Local\Temp\3a3bcbcc87165f362f27ad83b40bda48b218e809.exe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3124
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe"
        3⤵
          PID:4008
      • C:\Windows\SysWOW64\schtasks.exe
        "C:\Windows\SysWOW64\schtasks.exe" /create /tn raserver /tr "C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe" /sc minute /mo 1 /F
        2⤵
        • Creates scheduled task(s)
        PID:3144
    • C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
      C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
      1⤵
      • Executes dropped EXE
      • Checks computer location settings
      • Suspicious use of SetThreadContext
      • Suspicious use of WriteProcessMemory
      PID:4076
      • C:\Users\Admin\AppData\Roaming\Blasthost.exe
        "C:\Users\Admin\AppData\Roaming\Blasthost.exe"
        2⤵
        • Executes dropped EXE
        PID:2024
      • C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
        "C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe"
        2⤵
        • Executes dropped EXE
        • Suspicious use of WriteProcessMemory
        PID:4768
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\System32\cmd.exe"
          3⤵
            PID:4888
        • C:\Windows\SysWOW64\schtasks.exe
          "C:\Windows\SysWOW64\schtasks.exe" /create /tn raserver /tr "C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe" /sc minute /mo 1 /F
          2⤵
          • Creates scheduled task(s)
          PID:2348
      • C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
        C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
        1⤵
        • Executes dropped EXE
        • Checks computer location settings
        • Suspicious use of SetThreadContext
        • Suspicious use of WriteProcessMemory
        PID:384
        • C:\Users\Admin\AppData\Roaming\Blasthost.exe
          "C:\Users\Admin\AppData\Roaming\Blasthost.exe"
          2⤵
          • Executes dropped EXE
          PID:3400
        • C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
          "C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe"
          2⤵
          • Executes dropped EXE
          • Suspicious use of WriteProcessMemory
          PID:1680
          • C:\Windows\SysWOW64\cmd.exe
            "C:\Windows\System32\cmd.exe"
            3⤵
              PID:1096
          • C:\Windows\SysWOW64\schtasks.exe
            "C:\Windows\SysWOW64\schtasks.exe" /create /tn raserver /tr "C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe" /sc minute /mo 1 /F
            2⤵
            • Creates scheduled task(s)
            PID:2008
        • C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
          C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
          1⤵
          • Executes dropped EXE
          • Checks computer location settings
          • Suspicious use of SetThreadContext
          • Suspicious use of WriteProcessMemory
          PID:3888
          • C:\Users\Admin\AppData\Roaming\Blasthost.exe
            "C:\Users\Admin\AppData\Roaming\Blasthost.exe"
            2⤵
            • Executes dropped EXE
            PID:548
          • C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
            "C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe"
            2⤵
            • Executes dropped EXE
            • Suspicious use of WriteProcessMemory
            PID:3752
            • C:\Windows\SysWOW64\cmd.exe
              "C:\Windows\System32\cmd.exe"
              3⤵
                PID:3076
            • C:\Windows\SysWOW64\schtasks.exe
              "C:\Windows\SysWOW64\schtasks.exe" /create /tn raserver /tr "C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe" /sc minute /mo 1 /F
              2⤵
              • Creates scheduled task(s)
              PID:3392

          Network

          MITRE ATT&CK Matrix ATT&CK v6

          Initial Access

          Execution

          Scheduled Task

          1
          T1053

          Persistence

          Scheduled Task

          1
          T1053

          Privilege Escalation

          Scheduled Task

          1
          T1053

          Defense Evasion

          Credential Access

          Discovery

          Query Registry

          1
          T1012

          System Information Discovery

          2
          T1082

          Lateral Movement

          Collection

          Exfiltration

          Command and Control

          Impact

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Users\Admin\AppData\Roaming\Blasthost.exe
            Filesize

            132KB

            MD5

            6087bf6af59b9c531f2c9bb421d5e902

            SHA1

            8bc0f1596c986179b82585c703bacae6d2a00316

            SHA256

            3a8ffff8485c9ed35dae82574ea1a455ea2ead532251cebea19149d78dfd682c

            SHA512

            c8ed34470a874ce21c91cb7843521d66decc32c3f0a9c8d5b55889a7b990dfe5199ade8b6c6ef94b1bced6d3b5f0721e14bcc06320e8efe73ca3fe27fd6b9292

            Download Submit
          • C:\Users\Admin\AppData\Roaming\Blasthost.exe
            Filesize

            132KB

            MD5

            6087bf6af59b9c531f2c9bb421d5e902

            SHA1

            8bc0f1596c986179b82585c703bacae6d2a00316

            SHA256

            3a8ffff8485c9ed35dae82574ea1a455ea2ead532251cebea19149d78dfd682c

            SHA512

            c8ed34470a874ce21c91cb7843521d66decc32c3f0a9c8d5b55889a7b990dfe5199ade8b6c6ef94b1bced6d3b5f0721e14bcc06320e8efe73ca3fe27fd6b9292

            Download Submit
          • C:\Users\Admin\AppData\Roaming\Blasthost.exe
            Filesize

            132KB

            MD5

            6087bf6af59b9c531f2c9bb421d5e902

            SHA1

            8bc0f1596c986179b82585c703bacae6d2a00316

            SHA256

            3a8ffff8485c9ed35dae82574ea1a455ea2ead532251cebea19149d78dfd682c

            SHA512

            c8ed34470a874ce21c91cb7843521d66decc32c3f0a9c8d5b55889a7b990dfe5199ade8b6c6ef94b1bced6d3b5f0721e14bcc06320e8efe73ca3fe27fd6b9292

            Download Submit
          • C:\Users\Admin\AppData\Roaming\Blasthost.exe
            Filesize

            132KB

            MD5

            6087bf6af59b9c531f2c9bb421d5e902

            SHA1

            8bc0f1596c986179b82585c703bacae6d2a00316

            SHA256

            3a8ffff8485c9ed35dae82574ea1a455ea2ead532251cebea19149d78dfd682c

            SHA512

            c8ed34470a874ce21c91cb7843521d66decc32c3f0a9c8d5b55889a7b990dfe5199ade8b6c6ef94b1bced6d3b5f0721e14bcc06320e8efe73ca3fe27fd6b9292

            Download Submit
          • C:\Users\Admin\AppData\Roaming\Blasthost.exe
            Filesize

            132KB

            MD5

            6087bf6af59b9c531f2c9bb421d5e902

            SHA1

            8bc0f1596c986179b82585c703bacae6d2a00316

            SHA256

            3a8ffff8485c9ed35dae82574ea1a455ea2ead532251cebea19149d78dfd682c

            SHA512

            c8ed34470a874ce21c91cb7843521d66decc32c3f0a9c8d5b55889a7b990dfe5199ade8b6c6ef94b1bced6d3b5f0721e14bcc06320e8efe73ca3fe27fd6b9292

            Download Submit
          • C:\Users\Admin\AppData\Roaming\Blasthost.exe
            Filesize

            132KB

            MD5

            6087bf6af59b9c531f2c9bb421d5e902

            SHA1

            8bc0f1596c986179b82585c703bacae6d2a00316

            SHA256

            3a8ffff8485c9ed35dae82574ea1a455ea2ead532251cebea19149d78dfd682c

            SHA512

            c8ed34470a874ce21c91cb7843521d66decc32c3f0a9c8d5b55889a7b990dfe5199ade8b6c6ef94b1bced6d3b5f0721e14bcc06320e8efe73ca3fe27fd6b9292

            Download Submit
          • C:\Users\Admin\AppData\Roaming\Imgburn\Host.exe
            Filesize

            132KB

            MD5

            6087bf6af59b9c531f2c9bb421d5e902

            SHA1

            8bc0f1596c986179b82585c703bacae6d2a00316

            SHA256

            3a8ffff8485c9ed35dae82574ea1a455ea2ead532251cebea19149d78dfd682c

            SHA512

            c8ed34470a874ce21c91cb7843521d66decc32c3f0a9c8d5b55889a7b990dfe5199ade8b6c6ef94b1bced6d3b5f0721e14bcc06320e8efe73ca3fe27fd6b9292

            Download Submit
          • C:\Users\Admin\AppData\Roaming\Imgburn\Host.exe
            Filesize

            132KB

            MD5

            6087bf6af59b9c531f2c9bb421d5e902

            SHA1

            8bc0f1596c986179b82585c703bacae6d2a00316

            SHA256

            3a8ffff8485c9ed35dae82574ea1a455ea2ead532251cebea19149d78dfd682c

            SHA512

            c8ed34470a874ce21c91cb7843521d66decc32c3f0a9c8d5b55889a7b990dfe5199ade8b6c6ef94b1bced6d3b5f0721e14bcc06320e8efe73ca3fe27fd6b9292

            Download Submit
          • C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
            Filesize

            1.3MB

            MD5

            b9cd97c144a9cf748f21f5780618e05c

            SHA1

            83e21daf76b4fc5b98a5f02c0b973edd0bbe781e

            SHA256

            86df81ea943cf000cb56e174174a4c48c40214d195d66bd17dc8ee5d95f9f0f6

            SHA512

            79617a874d50481de54cf447c009f4b4c7d979e44e3c4880e7d90cfcb751c7a7cb73550ead0fba38a16a478949d9dd3cf5390cc71cc21d4f7a189f6c8eff241c

            Download Submit
          • C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
            Filesize

            1.3MB

            MD5

            b9cd97c144a9cf748f21f5780618e05c

            SHA1

            83e21daf76b4fc5b98a5f02c0b973edd0bbe781e

            SHA256

            86df81ea943cf000cb56e174174a4c48c40214d195d66bd17dc8ee5d95f9f0f6

            SHA512

            79617a874d50481de54cf447c009f4b4c7d979e44e3c4880e7d90cfcb751c7a7cb73550ead0fba38a16a478949d9dd3cf5390cc71cc21d4f7a189f6c8eff241c

            Download Submit
          • C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
            Filesize

            1.3MB

            MD5

            b9cd97c144a9cf748f21f5780618e05c

            SHA1

            83e21daf76b4fc5b98a5f02c0b973edd0bbe781e

            SHA256

            86df81ea943cf000cb56e174174a4c48c40214d195d66bd17dc8ee5d95f9f0f6

            SHA512

            79617a874d50481de54cf447c009f4b4c7d979e44e3c4880e7d90cfcb751c7a7cb73550ead0fba38a16a478949d9dd3cf5390cc71cc21d4f7a189f6c8eff241c

            Download Submit
          • C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
            Filesize

            1.3MB

            MD5

            b9cd97c144a9cf748f21f5780618e05c

            SHA1

            83e21daf76b4fc5b98a5f02c0b973edd0bbe781e

            SHA256

            86df81ea943cf000cb56e174174a4c48c40214d195d66bd17dc8ee5d95f9f0f6

            SHA512

            79617a874d50481de54cf447c009f4b4c7d979e44e3c4880e7d90cfcb751c7a7cb73550ead0fba38a16a478949d9dd3cf5390cc71cc21d4f7a189f6c8eff241c

            Download Submit
          • C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
            Filesize

            1.3MB

            MD5

            b9cd97c144a9cf748f21f5780618e05c

            SHA1

            83e21daf76b4fc5b98a5f02c0b973edd0bbe781e

            SHA256

            86df81ea943cf000cb56e174174a4c48c40214d195d66bd17dc8ee5d95f9f0f6

            SHA512

            79617a874d50481de54cf447c009f4b4c7d979e44e3c4880e7d90cfcb751c7a7cb73550ead0fba38a16a478949d9dd3cf5390cc71cc21d4f7a189f6c8eff241c

            Download Submit
          • C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
            Filesize

            1.3MB

            MD5

            b9cd97c144a9cf748f21f5780618e05c

            SHA1

            83e21daf76b4fc5b98a5f02c0b973edd0bbe781e

            SHA256

            86df81ea943cf000cb56e174174a4c48c40214d195d66bd17dc8ee5d95f9f0f6

            SHA512

            79617a874d50481de54cf447c009f4b4c7d979e44e3c4880e7d90cfcb751c7a7cb73550ead0fba38a16a478949d9dd3cf5390cc71cc21d4f7a189f6c8eff241c

            Download Submit
          • C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
            Filesize

            1.3MB

            MD5

            b9cd97c144a9cf748f21f5780618e05c

            SHA1

            83e21daf76b4fc5b98a5f02c0b973edd0bbe781e

            SHA256

            86df81ea943cf000cb56e174174a4c48c40214d195d66bd17dc8ee5d95f9f0f6

            SHA512

            79617a874d50481de54cf447c009f4b4c7d979e44e3c4880e7d90cfcb751c7a7cb73550ead0fba38a16a478949d9dd3cf5390cc71cc21d4f7a189f6c8eff241c

            Download Submit
          • memory/548-188-0x0000000000000000-mapping.dmp
            Download
          • memory/1096-184-0x0000000000000000-mapping.dmp
            Download
          • memory/1096-186-0x0000000001680000-0x0000000001681000-memory.dmp
            Filesize

            4KB

            Download
          • memory/1680-173-0x0000000000000000-mapping.dmp
            Download
          • memory/1680-174-0x0000000000C90000-0x0000000000CAD000-memory.dmp
            Filesize

            116KB

            Download
          • memory/1680-183-0x0000000000C90000-0x0000000000CAD000-memory.dmp
            Filesize

            116KB

            Download
          • memory/2008-185-0x0000000000000000-mapping.dmp
            Download
          • memory/2024-153-0x0000000000000000-mapping.dmp
            Download
          • memory/2348-167-0x0000000000000000-mapping.dmp
            Download
          • memory/3076-203-0x0000000000350000-0x0000000000351000-memory.dmp
            Filesize

            4KB

            Download
          • memory/3076-201-0x0000000000000000-mapping.dmp
            Download
          • memory/3124-147-0x0000000000400000-0x000000000041D000-memory.dmp
            Filesize

            116KB

            Download
          • memory/3124-139-0x0000000000400000-0x000000000041D000-memory.dmp
            Filesize

            116KB

            Download
          • memory/3124-138-0x0000000000000000-mapping.dmp
            Download
          • memory/3144-148-0x0000000000000000-mapping.dmp
            Download
          • memory/3308-132-0x0000000000000000-mapping.dmp
            Download
          • memory/3392-202-0x0000000000000000-mapping.dmp
            Download
          • memory/3400-171-0x0000000000000000-mapping.dmp
            Download
          • memory/3752-200-0x0000000001000000-0x000000000101D000-memory.dmp
            Filesize

            116KB

            Download
          • memory/3752-190-0x0000000000000000-mapping.dmp
            Download
          • memory/3752-191-0x0000000001000000-0x000000000101D000-memory.dmp
            Filesize

            116KB

            Download
          • memory/4008-150-0x00000000003E0000-0x00000000003E1000-memory.dmp
            Filesize

            4KB

            Download
          • memory/4008-149-0x0000000000000000-mapping.dmp
            Download
          • memory/4112-135-0x0000000000000000-mapping.dmp
            Download
          • memory/4768-165-0x0000000000C00000-0x0000000000C1D000-memory.dmp
            Filesize

            116KB

            Download
          • memory/4768-156-0x0000000000C00000-0x0000000000C1D000-memory.dmp
            Filesize

            116KB

            Download
          • memory/4768-155-0x0000000000000000-mapping.dmp
            Download
          • memory/4888-168-0x0000000001470000-0x0000000001471000-memory.dmp
            Filesize

            4KB

            Download
          • memory/4888-166-0x0000000000000000-mapping.dmp
            Download