Overview

overview

10

Static

static

10

0cee1af392...9e.exe

windows7-x64

10

0cee1af392...9e.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    147s
  • max time network
    125s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    10-04-2024 18:39

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    0cee1af392a0f85e3378ac6514b0d8be8cead46a4b60c2a9bbb1c7d0cc09ca9e.exe

  • Size

    1.3MB

  • MD5

    2b1337e4e48797deb0b880a8b04c9b88

  • SHA1

    313b8bdc2c597826858f3fd6fbd5a6e1300e7d69

  • SHA256

    0cee1af392a0f85e3378ac6514b0d8be8cead46a4b60c2a9bbb1c7d0cc09ca9e

  • SHA512

    eadb85f13c0c4f950470ec8f1daf932b06f31de7862b72b0cda5649ad6913111532fd1b029fdc7e78e79402ca4673fcc1fd74a1e45c5e7df3342a874d2a46df2

  • SSDEEP

    24576:Ku6J33O0c+JY5UZ+XC0kGso6Fa720W4njUprvVcC1f2o5RRfgUWYK:8u0c++OCvkGs9Fa+rd1f26RaYK

Score
10/10
netwirewarzoneratbotnetinfostealerratstealer

Malware Config

Extracted

Family

netwire

C2

Wealthy2019.com.strangled.net:20190

wealthyme.ddns.net:20190
Attributes
  • activex_autorun

    false

  • copy_executable

    true

  • delete_original

    false

  • host_id

    sunshineslisa

  • install_path

    %AppData%\Imgburn\Host.exe

  • keylogger_dir

    %AppData%\Logs\Imgburn\

  • lock_executable

    false

  • offline_keylogger

    true

  • password

    sucess

  • registry_autorun

    false

  • use_mutex

    false

Extracted

Family

warzonerat

C2

wealth.warzonedns.com:5202

Signatures

  • NetWire RAT payload 6 IoCs
    rat
  • Netwire

    Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.

    botnetstealernetwire
  • WarzoneRat, AveMaria

    WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.

    ratinfostealerwarzonerat
  • Warzone RAT payload 4 IoCs
    rat
  • Executes dropped EXE 8 IoCs
  • Loads dropped DLL 13 IoCs
  • AutoIT Executable 1 IoCs

    AutoIT scripts compiled to PE executables.

  • Suspicious use of SetThreadContext 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 3 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\0cee1af392a0f85e3378ac6514b0d8be8cead46a4b60c2a9bbb1c7d0cc09ca9e.exe
    "C:\Users\Admin\AppData\Local\Temp\0cee1af392a0f85e3378ac6514b0d8be8cead46a4b60c2a9bbb1c7d0cc09ca9e.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:2084
    • C:\Users\Admin\AppData\Roaming\Blasthost.exe
      "C:\Users\Admin\AppData\Roaming\Blasthost.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:1880
      • C:\Users\Admin\AppData\Roaming\Imgburn\Host.exe
        "C:\Users\Admin\AppData\Roaming\Imgburn\Host.exe"
        3⤵
        • Executes dropped EXE
        PID:2532
    • C:\Users\Admin\AppData\Local\Temp\0cee1af392a0f85e3378ac6514b0d8be8cead46a4b60c2a9bbb1c7d0cc09ca9e.exe
      "C:\Users\Admin\AppData\Local\Temp\0cee1af392a0f85e3378ac6514b0d8be8cead46a4b60c2a9bbb1c7d0cc09ca9e.exe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2536
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe"
        3⤵
          PID:2544
      • C:\Windows\SysWOW64\schtasks.exe
        "C:\Windows\SysWOW64\schtasks.exe" /create /tn raserver /tr "C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe" /sc minute /mo 1 /F
        2⤵
        • Creates scheduled task(s)
        PID:2096
    • C:\Windows\system32\taskeng.exe
      taskeng.exe {3F50D15E-7554-4B4A-BDE2-654C46C15E5B} S-1-5-21-3452737119-3959686427-228443150-1000:QGTQZTRE\Admin:Interactive:[1]
      1⤵
      • Suspicious use of WriteProcessMemory
      PID:2128
      • C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
        C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
        2⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious use of SetThreadContext
        • Suspicious use of WriteProcessMemory
        PID:2176
        • C:\Users\Admin\AppData\Roaming\Blasthost.exe
          "C:\Users\Admin\AppData\Roaming\Blasthost.exe"
          3⤵
          • Executes dropped EXE
          PID:1912
        • C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
          "C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe"
          3⤵
          • Executes dropped EXE
          • Suspicious use of WriteProcessMemory
          PID:2040
          • C:\Windows\SysWOW64\cmd.exe
            "C:\Windows\System32\cmd.exe"
            4⤵
              PID:2720
          • C:\Windows\SysWOW64\schtasks.exe
            "C:\Windows\SysWOW64\schtasks.exe" /create /tn raserver /tr "C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe" /sc minute /mo 1 /F
            3⤵
            • Creates scheduled task(s)
            PID:3032
        • C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
          C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
          2⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Suspicious use of SetThreadContext
          • Suspicious use of WriteProcessMemory
          PID:1700
          • C:\Users\Admin\AppData\Roaming\Blasthost.exe
            "C:\Users\Admin\AppData\Roaming\Blasthost.exe"
            3⤵
            • Executes dropped EXE
            PID:1884
          • C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
            "C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe"
            3⤵
            • Executes dropped EXE
            PID:788
            • C:\Windows\SysWOW64\cmd.exe
              "C:\Windows\System32\cmd.exe"
              4⤵
                PID:3036
            • C:\Windows\SysWOW64\schtasks.exe
              "C:\Windows\SysWOW64\schtasks.exe" /create /tn raserver /tr "C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe" /sc minute /mo 1 /F
              3⤵
              • Creates scheduled task(s)
              PID:920

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
          Filesize

          1.3MB

          MD5

          2028fdd9b102234febe0442336a55bbc

          SHA1

          6db5f3bcf88809a7b1cd310c3fb6ad6bb04ddd0b

          SHA256

          0d6d999966e8eca56034af9ad1bc56d43418ee3c9cbc792dbc948865432fc7c8

          SHA512

          d0b1debb74ba4d1f072e2196e4e5ef947a1a9b95f5906a4568fa0ab9ff184c8962a57e0a216cdec25d2159a06c476770f6551aa9cf6b2fc8a78bf4dc7c67f8ff

          Download Submit

        • \Users\Admin\AppData\Roaming\Blasthost.exe
          Filesize

          132KB

          MD5

          6087bf6af59b9c531f2c9bb421d5e902

          SHA1

          8bc0f1596c986179b82585c703bacae6d2a00316

          SHA256

          3a8ffff8485c9ed35dae82574ea1a455ea2ead532251cebea19149d78dfd682c

          SHA512

          c8ed34470a874ce21c91cb7843521d66decc32c3f0a9c8d5b55889a7b990dfe5199ade8b6c6ef94b1bced6d3b5f0721e14bcc06320e8efe73ca3fe27fd6b9292

          Download Submit

        • memory/1880-23-0x0000000000400000-0x000000000042C000-memory.dmp

          Filesize

          176KB

          Download

        • memory/1912-90-0x0000000000400000-0x000000000042C000-memory.dmp

          Filesize

          176KB

          Download

        • memory/2040-81-0x0000000000080000-0x000000000009D000-memory.dmp

          Filesize

          116KB

          Download

        • memory/2040-77-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

          Filesize

          4KB

          Download

        • memory/2040-70-0x0000000000080000-0x000000000009D000-memory.dmp

          Filesize

          116KB

          Download

        • memory/2084-31-0x00000000024D0000-0x00000000024D1000-memory.dmp

          Filesize

          4KB

          Download

        • memory/2532-45-0x0000000000400000-0x000000000042C000-memory.dmp

          Filesize

          176KB

          Download

        • memory/2532-95-0x0000000000400000-0x000000000042C000-memory.dmp

          Filesize

          176KB

          Download

        • memory/2536-38-0x00000000000C0000-0x00000000000DD000-memory.dmp

          Filesize

          116KB

          Download

        • memory/2536-35-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

          Filesize

          4KB

          Download

        • memory/2536-27-0x00000000000C0000-0x00000000000DD000-memory.dmp

          Filesize

          116KB

          Download

        • memory/2536-25-0x00000000000C0000-0x00000000000DD000-memory.dmp

          Filesize

          116KB

          Download

        • memory/2544-42-0x00000000001A0000-0x00000000001A1000-memory.dmp

          Filesize

          4KB

          Download

        • memory/2544-40-0x00000000001A0000-0x00000000001A1000-memory.dmp

          Filesize

          4KB

          Download

        • memory/2720-84-0x0000000000130000-0x0000000000131000-memory.dmp

          Filesize

          4KB

          Download

        • memory/3036-126-0x0000000000120000-0x0000000000121000-memory.dmp

          Filesize

          4KB

          Download