Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

10

9a79c6997a...cs.exe

windows7-x64

10

9a79c6997a...cs.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    153s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
  • submitted
    24/06/2024, 18:18

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    9a79c6997a87c9ccfa20fd3d2ea4ac667079206f145cc9d77a519e441dc8ec27_NeikiAnalytics.exe

  • Size

    1.3MB

  • MD5

    bb96aeaa6334013d1c2a8f59753feae0

  • SHA1

    e8224db4c01b7f54f56154a6f93b701017e5e0f2

  • SHA256

    9a79c6997a87c9ccfa20fd3d2ea4ac667079206f145cc9d77a519e441dc8ec27

  • SHA512

    316137125ab09f6c65b26e75e97f9c57d6293533dc02aa22a85b8ee7dc92d7f8f56c18a3e9aabdd60c9aeb3cc5fa89e1051b5dd2e3737a07c56cbbde744eead8

  • SSDEEP

    24576:Ku6J33O0c+JY5UZ+XC0kGso6Fa720W4njUprvVcC1f2o5RRfgUWY/:8u0c++OCvkGs9Fa+rd1f26RaY/

Score
10/10
netwirewarzoneratbotnetinfostealerratstealer

Malware Config

Extracted

Family

netwire

C2

Wealthy2019.com.strangled.net:20190

wealthyme.ddns.net:20190
Attributes
  • activex_autorun

    false

  • copy_executable

    true

  • delete_original

    false

  • host_id

    sunshineslisa

  • install_path

    %AppData%\Imgburn\Host.exe

  • keylogger_dir

    %AppData%\Logs\Imgburn\

  • lock_executable

    false

  • offline_keylogger

    true

  • password

    sucess

  • registry_autorun

    false

  • use_mutex

    false

Extracted

Family

warzonerat

C2

wealth.warzonedns.com:5202

Signatures

  • NetWire RAT payload 9 IoCs
    rat
  • Netwire

    Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.

    botnetstealernetwire
  • WarzoneRat, AveMaria

    WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.

    ratinfostealerwarzonerat
  • Warzone RAT payload 4 IoCs
    rat
  • Checks computer location settings 2 TTPs 3 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 8 IoCs
  • AutoIT Executable 1 IoCs

    AutoIT scripts compiled to PE executables.

  • Suspicious use of SetThreadContext 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Scheduled Task/Job: Scheduled Task 1 TTPs 3 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious use of WriteProcessMemory 51 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\9a79c6997a87c9ccfa20fd3d2ea4ac667079206f145cc9d77a519e441dc8ec27_NeikiAnalytics.exe
    "C:\Users\Admin\AppData\Local\Temp\9a79c6997a87c9ccfa20fd3d2ea4ac667079206f145cc9d77a519e441dc8ec27_NeikiAnalytics.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:4232
    • C:\Users\Admin\AppData\Roaming\Blasthost.exe
      "C:\Users\Admin\AppData\Roaming\Blasthost.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:1128
      • C:\Users\Admin\AppData\Roaming\Imgburn\Host.exe
        "C:\Users\Admin\AppData\Roaming\Imgburn\Host.exe"
        3⤵
        • Executes dropped EXE
        PID:2024
    • C:\Users\Admin\AppData\Local\Temp\9a79c6997a87c9ccfa20fd3d2ea4ac667079206f145cc9d77a519e441dc8ec27_NeikiAnalytics.exe
      "C:\Users\Admin\AppData\Local\Temp\9a79c6997a87c9ccfa20fd3d2ea4ac667079206f145cc9d77a519e441dc8ec27_NeikiAnalytics.exe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3852
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe"
        3⤵
          PID:2200
      • C:\Windows\SysWOW64\schtasks.exe
        "C:\Windows\SysWOW64\schtasks.exe" /create /tn raserver /tr "C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe" /sc minute /mo 1 /F
        2⤵
        • Scheduled Task/Job: Scheduled Task
        PID:2992
    • C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
      C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
      1⤵
      • Checks computer location settings
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • Suspicious use of WriteProcessMemory
      PID:4724
      • C:\Users\Admin\AppData\Roaming\Blasthost.exe
        "C:\Users\Admin\AppData\Roaming\Blasthost.exe"
        2⤵
        • Executes dropped EXE
        PID:5096
      • C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
        "C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe"
        2⤵
        • Executes dropped EXE
        • Suspicious use of WriteProcessMemory
        PID:2800
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\System32\cmd.exe"
          3⤵
            PID:5108
        • C:\Windows\SysWOW64\schtasks.exe
          "C:\Windows\SysWOW64\schtasks.exe" /create /tn raserver /tr "C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe" /sc minute /mo 1 /F
          2⤵
          • Scheduled Task/Job: Scheduled Task
          PID:4804
      • C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
        C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
        1⤵
        • Checks computer location settings
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious use of WriteProcessMemory
        PID:2856
        • C:\Users\Admin\AppData\Roaming\Blasthost.exe
          "C:\Users\Admin\AppData\Roaming\Blasthost.exe"
          2⤵
          • Executes dropped EXE
          PID:1568
        • C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
          "C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe"
          2⤵
          • Executes dropped EXE
          • Suspicious use of WriteProcessMemory
          PID:4980
          • C:\Windows\SysWOW64\cmd.exe
            "C:\Windows\System32\cmd.exe"
            3⤵
              PID:3652
          • C:\Windows\SysWOW64\schtasks.exe
            "C:\Windows\SysWOW64\schtasks.exe" /create /tn raserver /tr "C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe" /sc minute /mo 1 /F
            2⤵
            • Scheduled Task/Job: Scheduled Task
            PID:4568

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Roaming\Blasthost.exe
          Filesize

          132KB

          MD5

          6087bf6af59b9c531f2c9bb421d5e902

          SHA1

          8bc0f1596c986179b82585c703bacae6d2a00316

          SHA256

          3a8ffff8485c9ed35dae82574ea1a455ea2ead532251cebea19149d78dfd682c

          SHA512

          c8ed34470a874ce21c91cb7843521d66decc32c3f0a9c8d5b55889a7b990dfe5199ade8b6c6ef94b1bced6d3b5f0721e14bcc06320e8efe73ca3fe27fd6b9292

          Download Submit

        • C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
          Filesize

          1.3MB

          MD5

          cac7d9199b0a58b6a3c7ab4e44671cf8

          SHA1

          aaf3e85c1a9f43a66eb9ddb5e39bbd5cde7314f0

          SHA256

          b9171e7710f81d7d06274338921058a54930947109e3e4de2170c108b747316c

          SHA512

          35fc577c253b9f4cb06dcc4ceb00c270b3b14f7dd7c505b40b9d5d82f8cfd8cbb8f27b68d5a5dc2722b098f6734d5950d974cfb2cca65ae61c067ed14eb83182

          Download Submit

        • memory/1128-10-0x0000000000400000-0x000000000042C000-memory.dmp

          Filesize

          176KB

          Download

        • memory/1568-79-0x0000000000400000-0x000000000042C000-memory.dmp

          Filesize

          176KB

          Download

        • memory/1568-85-0x0000000000400000-0x000000000042C000-memory.dmp

          Filesize

          176KB

          Download

        • memory/2024-26-0x0000000000400000-0x000000000042C000-memory.dmp

          Filesize

          176KB

          Download

        • memory/2024-27-0x0000000000400000-0x000000000042C000-memory.dmp

          Filesize

          176KB

          Download

        • memory/2200-24-0x0000000001370000-0x0000000001371000-memory.dmp

          Filesize

          4KB

          Download

        • memory/2800-40-0x0000000000400000-0x000000000041D000-memory.dmp

          Filesize

          116KB

          Download

        • memory/2800-48-0x0000000000400000-0x000000000041D000-memory.dmp

          Filesize

          116KB

          Download

        • memory/3652-74-0x00000000007F0000-0x00000000007F1000-memory.dmp

          Filesize

          4KB

          Download

        • memory/3852-22-0x00000000000D0000-0x00000000000ED000-memory.dmp

          Filesize

          116KB

          Download

        • memory/3852-13-0x00000000000D0000-0x00000000000ED000-memory.dmp

          Filesize

          116KB

          Download

        • memory/4232-21-0x0000000003870000-0x0000000003871000-memory.dmp

          Filesize

          4KB

          Download

        • memory/5096-57-0x0000000000400000-0x000000000042C000-memory.dmp

          Filesize

          176KB

          Download

        • memory/5096-53-0x0000000000400000-0x000000000042C000-memory.dmp

          Filesize

          176KB

          Download

        • memory/5108-49-0x0000000000610000-0x0000000000611000-memory.dmp

          Filesize

          4KB

          Download