Analysis
max time kernel: 149s
max time network: 121s
platform: windows7_x64
resource: win7-20240215-en
resource tags: arch:x64, arch:x86, image:win7-20240215-en, locale:en-us, os:windows7-x64, system
submitted: 06-05-2024 05:26
Behavioral task: behavioral1
  Sample: fe206cad485629cb3bc8bd13a9cf8edbd4c55812760ef83b7451e266761420bd.exe
  Resource: win7-20240215-en
Behavioral task: behavioral2
  Sample: fe206cad485629cb3bc8bd13a9cf8edbd4c55812760ef83b7451e266761420bd.exe
  Resource: win10v2004-20240419-en
General
Target: fe206cad485629cb3bc8bd13a9cf8edbd4c55812760ef83b7451e266761420bd.exe
Size: 1.3MB
MD5: 80e07d0bbe217136cc6a929af64daf1d
SHA1: dce77d6bb8544e77d44d57c8e3dd8417fc719a45
SHA256: fe206cad485629cb3bc8bd13a9cf8edbd4c55812760ef83b7451e266761420bd
SHA512: c6488925faf0fcb86d06dafcd4fe4157829c007df9082fe34b182da652da78b40e6aa35f5c264b92ea80f13fe06e305efed0f8aae1eda22a49cc16c54d348a18
SSDEEP: 24576:Ku6J33O0c+JY5UZ+XC0kGso6Fa720W4njUprvVcC1f2o5RRfgUWYM:8u0c++OCvkGs9Fa+rd1f26RaYM
Malware Config
Extracted: netwire
  C2: Wealthy2019.com.strangled.net:20190
  C2: wealthyme.ddns.net:20190
  activex_autorun: false
  copy_executable: true
  delete_original: false
  host_id: sunshineslisa
  install_path: %AppData%\Imgburn\Host.exe
  keylogger_dir: %AppData%\Logs\Imgburn\
  lock_executable: false
  offline_keylogger: true
  password: sucess
  registry_autorun: false
  use_mutex: false
Extracted: warzonerat
  C2: wealth.warzonedns.com:5202
Signatures
NetWire RAT payload (5 IoCs)
  yara_rule  resource
  netwire    \Users\Admin\AppData\Roaming\Blasthost.exe
  netwire    behavioral1/memory/320-23-0x0000000000400000-0x000000000042C000-memory.dmp
  netwire    behavioral1/memory/1968-43-0x0000000000400000-0x000000000042C000-memory.dmp
  netwire    C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
  netwire    behavioral1/memory/1996-84-0x0000000000400000-0x000000000042C000-memory.dmp
WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
Warzone RAT payload (4 IoCs)
  yara_rule   resource
  warzonerat  behavioral1/memory/2672-36-0x0000000000400000-0x000000000041D000-memory.dmp
  warzonerat  behavioral1/memory/2672-26-0x0000000000400000-0x000000000041D000-memory.dmp
  warzonerat  behavioral1/memory/1760-68-0x0000000000080000-0x000000000009D000-memory.dmp
  warzonerat  behavioral1/memory/1760-76-0x0000000000080000-0x000000000009D000-memory.dmp
Executes dropped EXE (8 IoCs)
  pid   process
  320   Blasthost.exe
  1968  Host.exe
  3012  RtDCpl64.exe
  1996  Blasthost.exe
  1760  RtDCpl64.exe
  3008  RtDCpl64.exe
  2260  Blasthost.exe
  1632  RtDCpl64.exe
Loads dropped DLL (13 IoCs)
  pid   process                                                                 DLL loads
  2404  fe206cad485629cb3bc8bd13a9cf8edbd4c55812760ef83b7451e266761420bd.exe  4
  320   Blasthost.exe                                                           2
  3012  RtDCpl64.exe                                                            4
  3008  RtDCpl64.exe                                                            3
AutoIT Executable (1 IoCs)
AutoIT scripts compiled to PE executables.
  yara_rule   resource
  autoit_exe  C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
Suspicious use of SetThreadContext (3 IoCs)
SetThreadContext on a child the caller has just created and written to is how RunPE / process-hollowing loaders start an injected payload; every call here targets a fresh instance of the caller's own image.
  pid   process                                                                 target pid  target process
  2404  fe206cad485629cb3bc8bd13a9cf8edbd4c55812760ef83b7451e266761420bd.exe  2672        fe206cad485629cb3bc8bd13a9cf8edbd4c55812760ef83b7451e266761420bd.exe
  3012  RtDCpl64.exe                                                            1760        RtDCpl64.exe
  3008  RtDCpl64.exe                                                            1632        RtDCpl64.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Creates scheduled task(s) (1 TTPs, 3 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
  pid   process
  2584  schtasks.exe
  2652  schtasks.exe
  800   schtasks.exe
Suspicious use of WriteProcessMemory (64 IoCs, one row per source/target pair with the number of write events)
  pid   process                                                                 target pid  target process                                                          writes
  2404  fe206cad485629cb3bc8bd13a9cf8edbd4c55812760ef83b7451e266761420bd.exe  320         Blasthost.exe                                                           4
  320   Blasthost.exe                                                           1968        Host.exe                                                                4
  2404  fe206cad485629cb3bc8bd13a9cf8edbd4c55812760ef83b7451e266761420bd.exe  2672        fe206cad485629cb3bc8bd13a9cf8edbd4c55812760ef83b7451e266761420bd.exe  6
  2672  fe206cad485629cb3bc8bd13a9cf8edbd4c55812760ef83b7451e266761420bd.exe  2600        cmd.exe                                                                 6
  2404  fe206cad485629cb3bc8bd13a9cf8edbd4c55812760ef83b7451e266761420bd.exe  2584        schtasks.exe                                                            4
  2884  taskeng.exe                                                             3012        RtDCpl64.exe                                                            4
  3012  RtDCpl64.exe                                                            1996        Blasthost.exe                                                           4
  3012  RtDCpl64.exe                                                            1760        RtDCpl64.exe                                                            6
  1760  RtDCpl64.exe                                                            2764        cmd.exe                                                                 6
  3012  RtDCpl64.exe                                                            2652        schtasks.exe                                                            4
  2884  taskeng.exe                                                             3008        RtDCpl64.exe                                                            4
  3008  RtDCpl64.exe                                                            2260        Blasthost.exe                                                           4
  3008  RtDCpl64.exe                                                            1632        RtDCpl64.exe                                                            6
  3008  RtDCpl64.exe                                                            800         schtasks.exe                                                            2
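The WriteProcessMemory and SetThreadContext signatures above are only meaningful read together: a parent that writes into a child of its own image and then resets that child's thread context is the RunPE / process-hollowing shape, while a parent that only writes (taskeng.exe launching a task, a dropper starting a second binary) is ordinary process creation. The Python below is an added example, not part of the sandbox report or its tooling. It parses the report's flattened event fragments, which arrive several to a line, joins the two event streams on (source PID, target PID) and returns the pairs that were both written to and had their thread context replaced. The constructed input copies fragments from this report with the hash-named dropper shortened to sample.exe and duplicate writes trimmed.

```python
"""Join WriteProcessMemory and SetThreadContext events from a flattened sandbox report.

Added example (not part of the report). Each fragment has the form
"PID <src> wrote to memory of <dst> <src> <src image> <dst image>" or
"PID <src> set thread context of <dst> <src> <src image> <dst image>".
"""
import re
from collections import Counter

# Constructed input: fragments copied from the report's two signature sections,
# with the hash-named dropper shortened to "sample.exe" and duplicates trimmed.
SAMPLE = (
    "PID 2404 set thread context of 2672 2404 sample.exe sample.exe "
    "PID 3012 set thread context of 1760 3012 RtDCpl64.exe RtDCpl64.exe "
    "PID 3008 set thread context of 1632 3008 RtDCpl64.exe RtDCpl64.exe\n"
    "PID 2404 wrote to memory of 320 2404 sample.exe Blasthost.exe "
    "PID 2404 wrote to memory of 320 2404 sample.exe Blasthost.exe "
    "PID 320 wrote to memory of 1968 320 Blasthost.exe Host.exe "
    "PID 2404 wrote to memory of 2672 2404 sample.exe sample.exe "
    "PID 2404 wrote to memory of 2672 2404 sample.exe sample.exe "
    "PID 2404 wrote to memory of 2672 2404 sample.exe sample.exe "
    "PID 2884 wrote to memory of 3012 2884 taskeng.exe RtDCpl64.exe "
    "PID 3012 wrote to memory of 1760 3012 RtDCpl64.exe RtDCpl64.exe "
    "PID 3008 wrote to memory of 1632 3008 RtDCpl64.exe RtDCpl64.exe "
    "PID 3008 wrote to memory of 800 3008 RtDCpl64.exe schtasks.exe"
)

# The source PID is repeated after the target PID in every fragment; the
# back-reference (?P=src) uses that to anchor where one event ends.
EVENT_RE = re.compile(
    r"PID (?P<src>\d+) (?P<kind>wrote to memory of|set thread context of) "
    r"(?P<dst>\d+) (?P=src) (?P<src_image>\S+) (?P<dst_image>\S+)"
)


def parse_events(text):
    """Return (kind, src_pid, dst_pid, src_image, dst_image) tuples in report order.

    kind is "write" for WriteProcessMemory and "setctx" for SetThreadContext.
    finditer rather than per-line matching copes with several events per line.
    """
    events = []
    for m in EVENT_RE.finditer(text):
        kind = "write" if m["kind"].startswith("wrote") else "setctx"
        events.append((kind, int(m["src"]), int(m["dst"]), m["src_image"], m["dst_image"]))
    return events


def write_counts(text):
    """Number of WriteProcessMemory events per (src_pid, dst_pid) pair."""
    return Counter((s, d) for k, s, d, _, _ in parse_events(text) if k == "write")


def hollowing_candidates(text):
    """(src_pid, dst_pid, same_image) for children that were written to AND had
    their thread context replaced by the same parent. same_image=True is the
    self-hollowing pattern this report shows three times."""
    events = parse_events(text)
    written = {(s, d) for k, s, d, _, _ in events if k == "write"}
    found = {(s, d, si == di) for k, s, d, si, di in events
             if k == "setctx" and (s, d) in written}
    return sorted(found)


if __name__ == "__main__":
    for src, dst, same in hollowing_candidates(SAMPLE):
        print(f"{src} -> {dst}: hollowing candidate{' (same image)' if same else ''}")
```

Pairs that were only written to (taskeng.exe into RtDCpl64.exe, the dropper into Blasthost.exe) are left out on purpose: those writes are what a parent does while creating any child, and flagging them would bury the three real injections.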
Processes
C:\Users\Admin\AppData\Local\Temp\fe206cad485629cb3bc8bd13a9cf8edbd4c55812760ef83b7451e266761420bd.exe  (PID 2404)
  command line: "C:\Users\Admin\AppData\Local\Temp\fe206cad485629cb3bc8bd13a9cf8edbd4c55812760ef83b7451e266761420bd.exe"
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Roaming\Blasthost.exe  (PID 320, parent 2404)
    command line: "C:\Users\Admin\AppData\Roaming\Blasthost.exe"
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Roaming\Imgburn\Host.exe  (PID 1968, parent 320)
      command line: "C:\Users\Admin\AppData\Roaming\Imgburn\Host.exe"
      - Executes dropped EXE
  C:\Users\Admin\AppData\Local\Temp\fe206cad485629cb3bc8bd13a9cf8edbd4c55812760ef83b7451e266761420bd.exe  (PID 2672, parent 2404)
    command line: "C:\Users\Admin\AppData\Local\Temp\fe206cad485629cb3bc8bd13a9cf8edbd4c55812760ef83b7451e266761420bd.exe"
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\cmd.exe  (PID 2600, parent 2672)
      command line: "C:\Windows\System32\cmd.exe"  (the 32-bit caller's System32 path is redirected by WoW64 to the SysWOW64 image)
  C:\Windows\SysWOW64\schtasks.exe  (PID 2584, parent 2404)
    command line: "C:\Windows\SysWOW64\schtasks.exe" /create /tn raserver /tr "C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe" /sc minute /mo 1 /F
    - Creates scheduled task(s)
C:\Windows\system32\taskeng.exe  (PID 2884)
  command line: taskeng.exe {75784E6D-0BC6-4C8E-B3D6-CA4130757840} S-1-5-21-2248906074-2862704502-246302768-1000:GHPZRGFC\Admin:Interactive:[1]
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe  (PID 3012, parent 2884)
    command line: C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Roaming\Blasthost.exe  (PID 1996, parent 3012)
      command line: "C:\Users\Admin\AppData\Roaming\Blasthost.exe"
      - Executes dropped EXE
    C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe  (PID 1760, parent 3012)
      command line: "C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe"
      - Executes dropped EXE
      - Suspicious use of WriteProcessMemory
      C:\Windows\SysWOW64\cmd.exe  (PID 2764, parent 1760)
        command line: "C:\Windows\System32\cmd.exe"
    C:\Windows\SysWOW64\schtasks.exe  (PID 2652, parent 3012)
      command line: "C:\Windows\SysWOW64\schtasks.exe" /create /tn raserver /tr "C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe" /sc minute /mo 1 /F
      - Creates scheduled task(s)
  C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe  (PID 3008, parent 2884)
    command line: C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Roaming\Blasthost.exe  (PID 2260, parent 3008)
      command line: "C:\Users\Admin\AppData\Roaming\Blasthost.exe"
      - Executes dropped EXE
    C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe  (PID 1632, parent 3008)
      command line: "C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe"
      - Executes dropped EXE
      C:\Windows\SysWOW64\cmd.exe  (PID 1380, parent 1632)
        command line: "C:\Windows\System32\cmd.exe"
    C:\Windows\SysWOW64\schtasks.exe  (PID 800, parent 3008)
      command line: "C:\Windows\SysWOW64\schtasks.exe" /create /tn raserver /tr "C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe" /sc minute /mo 1 /F
      - Creates scheduled task(s)
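The task registered three times in the tree above is the whole persistence story: /sc minute /mo 1 makes the Task Scheduler relaunch the AutoIT loader from %AppData% every minute (the two taskeng.exe children, PIDs 3012 and 3008, are exactly that), and /F silently replaces any earlier task named raserver. The Python below is an added example, not part of the report or of any vendor tooling. It tokenises a schtasks.exe command line the way the tool itself does (quoted paths stay whole), collects the switch/value pairs, and returns the reasons a triage analyst would care about. The malicious input is the command line from this report; the benign "Vendor Update Task" line is a hypothetical contrast case constructed for the example.

```python
"""Triage a schtasks.exe command line for persistence indicators.

Added example (not from the report). Scores the properties the task in this
report has: an action under the user's profile, a one-minute trigger and /F.
"""
import re

# Constructed input: the exact command line from the process tree, plus a
# hypothetical benign vendor updater for contrast (not from the report).
MALICIOUS = (r'"C:\Windows\SysWOW64\schtasks.exe" /create /tn raserver '
             r'/tr "C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe" /sc minute /mo 1 /F')
BENIGN = (r'"C:\Windows\System32\schtasks.exe" /create /tn "Vendor Update Task" '
          r'/tr "C:\Program Files\Vendor\update.exe" /sc daily /st 09:00')

TOKEN_RE = re.compile(r'"([^"]*)"|(\S+)')

# Directory markers a standard user can write to without elevation.
USER_WRITABLE = ("\\appdata\\", "%appdata%", "\\users\\public\\",
                 "\\programdata\\", "\\temp\\", "%temp%")


def tokenize(cmdline):
    """Split on whitespace but keep double-quoted paths (with spaces) whole."""
    return [quoted or bare for quoted, bare in TOKEN_RE.findall(cmdline)]


def parse_schtasks(cmdline):
    """Return {"image": ..., "switches": {name: value_or_True}}.

    Switch names are lower-cased; a switch followed by another switch (or by
    nothing) is a flag and stored as True, e.g. /create and /F.
    """
    tokens = tokenize(cmdline)
    switches = {}
    i = 1
    while i < len(tokens):
        tok = tokens[i]
        if tok.startswith("/"):
            name = tok[1:].lower()
            has_value = i + 1 < len(tokens) and not tokens[i + 1].startswith("/")
            switches[name] = tokens[i + 1] if has_value else True
            i += 2 if has_value else 1
        else:
            i += 1
    return {"image": tokens[0] if tokens else "", "switches": switches}


def assess_task(cmdline):
    """Return (parsed, reasons); an empty reasons list means nothing stood out."""
    parsed = parse_schtasks(cmdline)
    sw = parsed["switches"]
    reasons = []
    if "create" not in sw:
        return parsed, reasons  # /query, /delete, /run do not establish persistence
    action = str(sw.get("tr", "")).lower()
    if any(marker in action for marker in USER_WRITABLE):
        reasons.append("action binary lives in a user-writable directory")
    if str(sw.get("sc", "")).lower() == "minute":
        try:
            every = int(str(sw.get("mo", "1")))  # schtasks defaults /mo to 1
        except ValueError:
            every = None
        if every is not None and every <= 5:
            reasons.append(f"runs every {every} minute(s)")
    if "f" in sw:
        reasons.append("/F overwrites any existing task with the same name")
    if str(sw.get("ru", "")).lower() in ("system", "nt authority\\system"):
        reasons.append("task runs as SYSTEM")
    return parsed, reasons


if __name__ == "__main__":
    for cmd in (MALICIOUS, BENIGN):
        parsed, reasons = assess_task(cmd)
        print(parsed["switches"].get("tn"), "->", reasons or ["nothing suspicious"])
```

The same fields (task name, action, trigger) appear in Security event 4698 ("A scheduled task was created") and in the TaskScheduler operational log, so the rules transfer from sandbox output to host telemetry unchanged. For response, note that terminating RtDCpl64.exe without deleting the raserver task just buys a minute before taskeng.exe starts it again.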
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize: 1.3MB
MD5: 6e1540464459a11dfbba24fe4f8a0112
SHA1: 1bc2e6ab6adddeda3386c22f07e3e8bb1ac87af0
SHA256: 32d2ed0d8de652eaa00fabaee224192d717f608ef86f601c9e11c1a3f1f1dd7e
SHA512: 23d515c0b0907429350a2ce0cb1191906082d75076c0669ae1dc2206213504b5c6c19f00b8b3137eee1ce4e9442f7a085f1563f623645b5871c04dd1f9e057bc
-
Filesize: 132KB
MD5: 6087bf6af59b9c531f2c9bb421d5e902
SHA1: 8bc0f1596c986179b82585c703bacae6d2a00316
SHA256: 3a8ffff8485c9ed35dae82574ea1a455ea2ead532251cebea19149d78dfd682c
SHA512: c8ed34470a874ce21c91cb7843521d66decc32c3f0a9c8d5b55889a7b990dfe5199ade8b6c6ef94b1bced6d3b5f0721e14bcc06320e8efe73ca3fe27fd6b9292