Malware Analysis Report

2024-10-19 10:25

Sample ID: 240905-1xr2qa1bpk
Target: 382a0f214e63ee29203a0763357ec5a0N.exe
SHA256: a41f096eea3b90002abdae553b8f70d5b50747e437115c08cfa77547349f000c
Tags: rat netwire warzonerat botnet discovery infostealer stealer
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Enterprise Matrix V15
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score: 10/10

SHA256: a41f096eea3b90002abdae553b8f70d5b50747e437115c08cfa77547349f000c

Threat Level: Known bad

The file 382a0f214e63ee29203a0763357ec5a0N.exe was found to be: Known bad.

Malicious Activity Summary

rat netwire warzonerat botnet discovery infostealer stealer

WarzoneRat, AveMaria

NetWire RAT payload

Netwire family

Netwire

Warzone RAT payload

Loads dropped DLL

Executes dropped EXE

Checks computer location settings

AutoIT Executable

Suspicious use of SetThreadContext

System Location Discovery: System Language Discovery

Unsigned PE

Enumerates physical storage devices

Scheduled Task/Job: Scheduled Task

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-09-05 22:02

Signatures

NetWire RAT payload

Tags: rat

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Netwire family

Tags: netwire

AutoIT Executable

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-09-05 22:02
Reported: 2024-09-05 22:04
Platform: win7-20240903-en
Max time kernel: 119s
Max time network: 117s

Command Line

"C:\Users\Admin\AppData\Local\Temp\382a0f214e63ee29203a0763357ec5a0N.exe"

Signatures

NetWire RAT payload

Tags: rat

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Netwire

Tags: botnet stealer netwire

WarzoneRat, AveMaria

Tags: rat infostealer warzonerat

Warzone RAT payload

Tags: rat

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

AutoIT Executable

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Tags: discovery

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\schtasks.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\schtasks.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\schtasks.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\382a0f214e63ee29203a0763357ec5a0N.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\382a0f214e63ee29203a0763357ec5a0N.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Blasthost.exe | N/A

Scheduled Task/Job: Scheduled Task

Tags: persistence execution

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2372 wrote to memory of 1976 | N/A | C:\Users\Admin\AppData\Local\Temp\382a0f214e63ee29203a0763357ec5a0N.exe | C:\Users\Admin\AppData\Roaming\Blasthost.exe
PID 2372 wrote to memory of 1976 | N/A | C:\Users\Admin\AppData\Local\Temp\382a0f214e63ee29203a0763357ec5a0N.exe | C:\Users\Admin\AppData\Roaming\Blasthost.exe
PID 2372 wrote to memory of 1976 | N/A | C:\Users\Admin\AppData\Local\Temp\382a0f214e63ee29203a0763357ec5a0N.exe | C:\Users\Admin\AppData\Roaming\Blasthost.exe
PID 2372 wrote to memory of 1976 | N/A | C:\Users\Admin\AppData\Local\Temp\382a0f214e63ee29203a0763357ec5a0N.exe | C:\Users\Admin\AppData\Roaming\Blasthost.exe
PID 1976 wrote to memory of 1440 | N/A | C:\Users\Admin\AppData\Roaming\Blasthost.exe | C:\Users\Admin\AppData\Roaming\Imgburn\Host.exe
PID 1976 wrote to memory of 1440 | N/A | C:\Users\Admin\AppData\Roaming\Blasthost.exe | C:\Users\Admin\AppData\Roaming\Imgburn\Host.exe
PID 1976 wrote to memory of 1440 | N/A | C:\Users\Admin\AppData\Roaming\Blasthost.exe | C:\Users\Admin\AppData\Roaming\Imgburn\Host.exe
PID 1976 wrote to memory of 1440 | N/A | C:\Users\Admin\AppData\Roaming\Blasthost.exe | C:\Users\Admin\AppData\Roaming\Imgburn\Host.exe
PID 2372 wrote to memory of 2504 | N/A | C:\Users\Admin\AppData\Local\Temp\382a0f214e63ee29203a0763357ec5a0N.exe | C:\Users\Admin\AppData\Local\Temp\382a0f214e63ee29203a0763357ec5a0N.exe
PID 2372 wrote to memory of 2504 | N/A | C:\Users\Admin\AppData\Local\Temp\382a0f214e63ee29203a0763357ec5a0N.exe | C:\Users\Admin\AppData\Local\Temp\382a0f214e63ee29203a0763357ec5a0N.exe
PID 2372 wrote to memory of 2504 | N/A | C:\Users\Admin\AppData\Local\Temp\382a0f214e63ee29203a0763357ec5a0N.exe | C:\Users\Admin\AppData\Local\Temp\382a0f214e63ee29203a0763357ec5a0N.exe
PID 2372 wrote to memory of 2504 | N/A | C:\Users\Admin\AppData\Local\Temp\382a0f214e63ee29203a0763357ec5a0N.exe | C:\Users\Admin\AppData\Local\Temp\382a0f214e63ee29203a0763357ec5a0N.exe
PID 2372 wrote to memory of 2504 | N/A | C:\Users\Admin\AppData\Local\Temp\382a0f214e63ee29203a0763357ec5a0N.exe | C:\Users\Admin\AppData\Local\Temp\382a0f214e63ee29203a0763357ec5a0N.exe
PID 2372 wrote to memory of 2504 | N/A | C:\Users\Admin\AppData\Local\Temp\382a0f214e63ee29203a0763357ec5a0N.exe | C:\Users\Admin\AppData\Local\Temp\382a0f214e63ee29203a0763357ec5a0N.exe
PID 2504 wrote to memory of 2304 | N/A | C:\Users\Admin\AppData\Local\Temp\382a0f214e63ee29203a0763357ec5a0N.exe | C:\Windows\SysWOW64\cmd.exe
PID 2504 wrote to memory of 2304 | N/A | C:\Users\Admin\AppData\Local\Temp\382a0f214e63ee29203a0763357ec5a0N.exe | C:\Windows\SysWOW64\cmd.exe
PID 2504 wrote to memory of 2304 | N/A | C:\Users\Admin\AppData\Local\Temp\382a0f214e63ee29203a0763357ec5a0N.exe | C:\Windows\SysWOW64\cmd.exe
PID 2504 wrote to memory of 2304 | N/A | C:\Users\Admin\AppData\Local\Temp\382a0f214e63ee29203a0763357ec5a0N.exe | C:\Windows\SysWOW64\cmd.exe
PID 2372 wrote to memory of 2676 | N/A | C:\Users\Admin\AppData\Local\Temp\382a0f214e63ee29203a0763357ec5a0N.exe | C:\Windows\SysWOW64\schtasks.exe
PID 2372 wrote to memory of 2676 | N/A | C:\Users\Admin\AppData\Local\Temp\382a0f214e63ee29203a0763357ec5a0N.exe | C:\Windows\SysWOW64\schtasks.exe
PID 2372 wrote to memory of 2676 | N/A | C:\Users\Admin\AppData\Local\Temp\382a0f214e63ee29203a0763357ec5a0N.exe | C:\Windows\SysWOW64\schtasks.exe
PID 2372 wrote to memory of 2676 | N/A | C:\Users\Admin\AppData\Local\Temp\382a0f214e63ee29203a0763357ec5a0N.exe | C:\Windows\SysWOW64\schtasks.exe
PID 2504 wrote to memory of 2304 | N/A | C:\Users\Admin\AppData\Local\Temp\382a0f214e63ee29203a0763357ec5a0N.exe | C:\Windows\SysWOW64\cmd.exe
PID 2504 wrote to memory of 2304 | N/A | C:\Users\Admin\AppData\Local\Temp\382a0f214e63ee29203a0763357ec5a0N.exe | C:\Windows\SysWOW64\cmd.exe
PID 1732 wrote to memory of 2016 | N/A | C:\Windows\system32\taskeng.exe | C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
PID 1732 wrote to memory of 2016 | N/A | C:\Windows\system32\taskeng.exe | C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
PID 1732 wrote to memory of 2016 | N/A | C:\Windows\system32\taskeng.exe | C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
PID 1732 wrote to memory of 2016 | N/A | C:\Windows\system32\taskeng.exe | C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
PID 2016 wrote to memory of 2032 | N/A | C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe | C:\Users\Admin\AppData\Roaming\Blasthost.exe
PID 2016 wrote to memory of 2032 | N/A | C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe | C:\Users\Admin\AppData\Roaming\Blasthost.exe
PID 2016 wrote to memory of 2032 | N/A | C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe | C:\Users\Admin\AppData\Roaming\Blasthost.exe
PID 2016 wrote to memory of 2032 | N/A | C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe | C:\Users\Admin\AppData\Roaming\Blasthost.exe
PID 2016 wrote to memory of 2028 | N/A | C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe | C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
PID 2016 wrote to memory of 2028 | N/A | C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe | C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
PID 2016 wrote to memory of 2028 | N/A | C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe | C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
PID 2016 wrote to memory of 2028 | N/A | C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe | C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
PID 2016 wrote to memory of 2028 | N/A | C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe | C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
PID 2016 wrote to memory of 2028 | N/A | C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe | C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
PID 2016 wrote to memory of 1780 | N/A | C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe | C:\Windows\SysWOW64\schtasks.exe
PID 2016 wrote to memory of 1780 | N/A | C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe | C:\Windows\SysWOW64\schtasks.exe
PID 2016 wrote to memory of 1780 | N/A | C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe | C:\Windows\SysWOW64\schtasks.exe
PID 2016 wrote to memory of 1780 | N/A | C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe | C:\Windows\SysWOW64\schtasks.exe
PID 2028 wrote to memory of 1956 | N/A | C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe | C:\Windows\SysWOW64\cmd.exe
PID 2028 wrote to memory of 1956 | N/A | C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe | C:\Windows\SysWOW64\cmd.exe
PID 2028 wrote to memory of 1956 | N/A | C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe | C:\Windows\SysWOW64\cmd.exe
PID 2028 wrote to memory of 1956 | N/A | C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe | C:\Windows\SysWOW64\cmd.exe
PID 2028 wrote to memory of 1956 | N/A | C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe | C:\Windows\SysWOW64\cmd.exe
PID 2028 wrote to memory of 1956 | N/A | C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe | C:\Windows\SysWOW64\cmd.exe
PID 1732 wrote to memory of 2428 | N/A | C:\Windows\system32\taskeng.exe | C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
PID 1732 wrote to memory of 2428 | N/A | C:\Windows\system32\taskeng.exe | C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
PID 1732 wrote to memory of 2428 | N/A | C:\Windows\system32\taskeng.exe | C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
PID 1732 wrote to memory of 2428 | N/A | C:\Windows\system32\taskeng.exe | C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
PID 2428 wrote to memory of 1704 | N/A | C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe | C:\Users\Admin\AppData\Roaming\Blasthost.exe
PID 2428 wrote to memory of 1704 | N/A | C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe | C:\Users\Admin\AppData\Roaming\Blasthost.exe
PID 2428 wrote to memory of 1704 | N/A | C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe | C:\Users\Admin\AppData\Roaming\Blasthost.exe
PID 2428 wrote to memory of 1704 | N/A | C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe | C:\Users\Admin\AppData\Roaming\Blasthost.exe
PID 2428 wrote to memory of 848 | N/A | C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe | C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
PID 2428 wrote to memory of 848 | N/A | C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe | C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
PID 2428 wrote to memory of 848 | N/A | C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe | C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
PID 2428 wrote to memory of 848 | N/A | C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe | C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
PID 2428 wrote to memory of 848 | N/A | C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe | C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
PID 2428 wrote to memory of 848 | N/A | C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe | C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
PID 2428 wrote to memory of 940 | N/A | C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe | C:\Windows\SysWOW64\schtasks.exe
PID 2428 wrote to memory of 940 | N/A | C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe | C:\Windows\SysWOW64\schtasks.exe

Processes

C:\Users\Admin\AppData\Local\Temp\382a0f214e63ee29203a0763357ec5a0N.exe

"C:\Users\Admin\AppData\Local\Temp\382a0f214e63ee29203a0763357ec5a0N.exe"

C:\Users\Admin\AppData\Roaming\Blasthost.exe

"C:\Users\Admin\AppData\Roaming\Blasthost.exe"

C:\Users\Admin\AppData\Roaming\Imgburn\Host.exe

"C:\Users\Admin\AppData\Roaming\Imgburn\Host.exe"

C:\Users\Admin\AppData\Local\Temp\382a0f214e63ee29203a0763357ec5a0N.exe

"C:\Users\Admin\AppData\Local\Temp\382a0f214e63ee29203a0763357ec5a0N.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\SysWOW64\schtasks.exe" /create /tn raserver /tr "C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe" /sc minute /mo 1 /F

C:\Windows\system32\taskeng.exe

taskeng.exe {581C6684-E530-45BD-BC95-C149A9E4D6E5} S-1-5-21-3290804112-2823094203-3137964600-1000:VORHPBAB\Admin:Interactive:[1]

C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe

C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe

C:\Users\Admin\AppData\Roaming\Blasthost.exe

"C:\Users\Admin\AppData\Roaming\Blasthost.exe"

C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe

"C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\SysWOW64\schtasks.exe" /create /tn raserver /tr "C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe" /sc minute /mo 1 /F

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe"

C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe

C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe

C:\Users\Admin\AppData\Roaming\Blasthost.exe

"C:\Users\Admin\AppData\Roaming\Blasthost.exe"

C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe

"C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\SysWOW64\schtasks.exe" /create /tn raserver /tr "C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe" /sc minute /mo 1 /F

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | Wealthy2019.com.strangled.net | udp
US | 8.8.8.8:53 | wealth.warzonedns.com | udp
US | 8.8.8.8:53 | wealthyme.ddns.net | udp

Files

\Users\Admin\AppData\Roaming\Blasthost.exe

MD5 6087bf6af59b9c531f2c9bb421d5e902
SHA1 8bc0f1596c986179b82585c703bacae6d2a00316
SHA256 3a8ffff8485c9ed35dae82574ea1a455ea2ead532251cebea19149d78dfd682c
SHA512 c8ed34470a874ce21c91cb7843521d66decc32c3f0a9c8d5b55889a7b990dfe5199ade8b6c6ef94b1bced6d3b5f0721e14bcc06320e8efe73ca3fe27fd6b9292

memory/1976-23-0x0000000000400000-0x000000000042C000-memory.dmp

memory/2372-25-0x0000000001040000-0x0000000001041000-memory.dmp

memory/2504-35-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

memory/2504-28-0x0000000000080000-0x000000000009D000-memory.dmp

memory/2504-38-0x0000000000080000-0x000000000009D000-memory.dmp

memory/2504-26-0x0000000000080000-0x000000000009D000-memory.dmp

memory/2304-40-0x0000000000120000-0x0000000000121000-memory.dmp

memory/2304-42-0x0000000000120000-0x0000000000121000-memory.dmp

memory/1440-45-0x0000000000400000-0x000000000042C000-memory.dmp

C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe

MD5 5952e702de9336550dd11594fedcd805
SHA1 feb8bea9fd38c9423f33836547d256d79dd703d8
SHA256 bab03fcae25e6b86c28d26cbe23525b98aa966cb5e00029a74c12901c61af3b8
SHA512 d21ae8a29c3dc5fcdc4effd0a78d6649d6e59b14ed0146a2bc98c1f9b9e84349355637b7e12f44648238124e1cf1ab0ebfbd319aa040ac9be8ebe9627c5461bf

memory/2028-76-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

memory/1956-82-0x0000000000160000-0x0000000000161000-memory.dmp

memory/1440-85-0x0000000000400000-0x000000000042C000-memory.dmp

memory/2032-87-0x0000000000400000-0x000000000042C000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted: 2024-09-05 22:02
Reported: 2024-09-05 22:04
Platform: win10v2004-20240802-en
Max time kernel: 119s
Max time network: 123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\382a0f214e63ee29203a0763357ec5a0N.exe"

Signatures

NetWire RAT payload

Tags: rat

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Netwire

Tags: botnet stealer netwire

WarzoneRat, AveMaria

Tags: rat infostealer warzonerat

Warzone RAT payload

Tags: rat

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\382a0f214e63ee29203a0763357ec5a0N.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe | N/A

AutoIT Executable

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Tags: discovery

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\schtasks.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\schtasks.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\schtasks.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Blasthost.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Imgburn\Host.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\382a0f214e63ee29203a0763357ec5a0N.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\382a0f214e63ee29203a0763357ec5a0N.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe | N/A

Scheduled Task/Job: Scheduled Task

Tags: persistence execution

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 4932 wrote to memory of 5068 | N/A | C:\Users\Admin\AppData\Local\Temp\382a0f214e63ee29203a0763357ec5a0N.exe | C:\Users\Admin\AppData\Roaming\Blasthost.exe
PID 4932 wrote to memory of 5068 | N/A | C:\Users\Admin\AppData\Local\Temp\382a0f214e63ee29203a0763357ec5a0N.exe | C:\Users\Admin\AppData\Roaming\Blasthost.exe
PID 4932 wrote to memory of 5068 | N/A | C:\Users\Admin\AppData\Local\Temp\382a0f214e63ee29203a0763357ec5a0N.exe | C:\Users\Admin\AppData\Roaming\Blasthost.exe
PID 5068 wrote to memory of 4820 | N/A | C:\Users\Admin\AppData\Roaming\Blasthost.exe | C:\Users\Admin\AppData\Roaming\Imgburn\Host.exe
PID 5068 wrote to memory of 4820 | N/A | C:\Users\Admin\AppData\Roaming\Blasthost.exe | C:\Users\Admin\AppData\Roaming\Imgburn\Host.exe
PID 5068 wrote to memory of 4820 | N/A | C:\Users\Admin\AppData\Roaming\Blasthost.exe | C:\Users\Admin\AppData\Roaming\Imgburn\Host.exe
PID 4932 wrote to memory of 3308 | N/A | C:\Users\Admin\AppData\Local\Temp\382a0f214e63ee29203a0763357ec5a0N.exe | C:\Users\Admin\AppData\Local\Temp\382a0f214e63ee29203a0763357ec5a0N.exe
PID 4932 wrote to memory of 3308 | N/A | C:\Users\Admin\AppData\Local\Temp\382a0f214e63ee29203a0763357ec5a0N.exe | C:\Users\Admin\AppData\Local\Temp\382a0f214e63ee29203a0763357ec5a0N.exe
PID 4932 wrote to memory of 3308 | N/A | C:\Users\Admin\AppData\Local\Temp\382a0f214e63ee29203a0763357ec5a0N.exe | C:\Users\Admin\AppData\Local\Temp\382a0f214e63ee29203a0763357ec5a0N.exe
PID 4932 wrote to memory of 3308 | N/A | C:\Users\Admin\AppData\Local\Temp\382a0f214e63ee29203a0763357ec5a0N.exe | C:\Users\Admin\AppData\Local\Temp\382a0f214e63ee29203a0763357ec5a0N.exe
PID 4932 wrote to memory of 3308 | N/A | C:\Users\Admin\AppData\Local\Temp\382a0f214e63ee29203a0763357ec5a0N.exe | C:\Users\Admin\AppData\Local\Temp\382a0f214e63ee29203a0763357ec5a0N.exe
PID 3308 wrote to memory of 4500 | N/A | C:\Users\Admin\AppData\Local\Temp\382a0f214e63ee29203a0763357ec5a0N.exe | C:\Windows\SysWOW64\cmd.exe
PID 3308 wrote to memory of 4500 | N/A | C:\Users\Admin\AppData\Local\Temp\382a0f214e63ee29203a0763357ec5a0N.exe | C:\Windows\SysWOW64\cmd.exe
PID 3308 wrote to memory of 4500 | N/A | C:\Users\Admin\AppData\Local\Temp\382a0f214e63ee29203a0763357ec5a0N.exe | C:\Windows\SysWOW64\cmd.exe
PID 4932 wrote to memory of 2920 | N/A | C:\Users\Admin\AppData\Local\Temp\382a0f214e63ee29203a0763357ec5a0N.exe | C:\Windows\SysWOW64\schtasks.exe
PID 4932 wrote to memory of 2920 | N/A | C:\Users\Admin\AppData\Local\Temp\382a0f214e63ee29203a0763357ec5a0N.exe | C:\Windows\SysWOW64\schtasks.exe
PID 4932 wrote to memory of 2920 | N/A | C:\Users\Admin\AppData\Local\Temp\382a0f214e63ee29203a0763357ec5a0N.exe | C:\Windows\SysWOW64\schtasks.exe
PID 3308 wrote to memory of 4500 | N/A | C:\Users\Admin\AppData\Local\Temp\382a0f214e63ee29203a0763357ec5a0N.exe | C:\Windows\SysWOW64\cmd.exe
PID 3308 wrote to memory of 4500 | N/A | C:\Users\Admin\AppData\Local\Temp\382a0f214e63ee29203a0763357ec5a0N.exe | C:\Windows\SysWOW64\cmd.exe
PID 4552 wrote to memory of 452 | N/A | C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe | C:\Users\Admin\AppData\Roaming\Blasthost.exe
PID 4552 wrote to memory of 452 | N/A | C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe | C:\Users\Admin\AppData\Roaming\Blasthost.exe
PID 4552 wrote to memory of 452 | N/A | C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe | C:\Users\Admin\AppData\Roaming\Blasthost.exe
PID 4552 wrote to memory of 1092 | N/A | C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe | C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
PID 4552 wrote to memory of 1092 | N/A | C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe | C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
PID 4552 wrote to memory of 1092 | N/A | C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe | C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
PID 4552 wrote to memory of 1092 | N/A | C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe | C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
PID 4552 wrote to memory of 1092 | N/A | C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe | C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
PID 1092 wrote to memory of 4840 | N/A | C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe | C:\Windows\SysWOW64\cmd.exe
PID 1092 wrote to memory of 4840 | N/A | C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe | C:\Windows\SysWOW64\cmd.exe
PID 1092 wrote to memory of 4840 | N/A | C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe | C:\Windows\SysWOW64\cmd.exe
PID 4552 wrote to memory of 3116 | N/A | C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe | C:\Windows\SysWOW64\schtasks.exe
PID 4552 wrote to memory of 3116 | N/A | C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe | C:\Windows\SysWOW64\schtasks.exe
PID 4552 wrote to memory of 3116 | N/A | C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe | C:\Windows\SysWOW64\schtasks.exe
PID 1092 wrote to memory of 4840 | N/A | C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe | C:\Windows\SysWOW64\cmd.exe
PID 1092 wrote to memory of 4840 | N/A | C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe | C:\Windows\SysWOW64\cmd.exe
PID 1820 wrote to memory of 1904 | N/A | C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe | C:\Users\Admin\AppData\Roaming\Blasthost.exe
PID 1820 wrote to memory of 1904 | N/A | C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe | C:\Users\Admin\AppData\Roaming\Blasthost.exe
PID 1820 wrote to memory of 1904 | N/A | C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe | C:\Users\Admin\AppData\Roaming\Blasthost.exe
PID 1820 wrote to memory of 3060 | N/A | C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe | C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
PID 1820 wrote to memory of 3060 | N/A | C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe | C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
PID 1820 wrote to memory of 3060 | N/A | C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe | C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
PID 1820 wrote to memory of 3060 | N/A | C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe | C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
PID 1820 wrote to memory of 3060 | N/A | C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe | C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
PID 3060 wrote to memory of 4868 | N/A | C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe | C:\Windows\SysWOW64\cmd.exe
PID 3060 wrote to memory of 4868 | N/A | C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe | C:\Windows\SysWOW64\cmd.exe
PID 3060 wrote to memory of 4868 | N/A | C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe | C:\Windows\SysWOW64\cmd.exe
PID 1820 wrote to memory of 440 | N/A | C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe | C:\Windows\SysWOW64\schtasks.exe
PID 1820 wrote to memory of 440 | N/A | C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe | C:\Windows\SysWOW64\schtasks.exe
PID 1820 wrote to memory of 440 | N/A | C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe | C:\Windows\SysWOW64\schtasks.exe
PID 3060 wrote to memory of 4868 | N/A | C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe | C:\Windows\SysWOW64\cmd.exe
PID 3060 wrote to memory of 4868 | N/A | C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe | C:\Windows\SysWOW64\cmd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\382a0f214e63ee29203a0763357ec5a0N.exe

"C:\Users\Admin\AppData\Local\Temp\382a0f214e63ee29203a0763357ec5a0N.exe"

C:\Users\Admin\AppData\Roaming\Blasthost.exe

"C:\Users\Admin\AppData\Roaming\Blasthost.exe"

C:\Users\Admin\AppData\Roaming\Imgburn\Host.exe

"C:\Users\Admin\AppData\Roaming\Imgburn\Host.exe"

C:\Users\Admin\AppData\Local\Temp\382a0f214e63ee29203a0763357ec5a0N.exe

"C:\Users\Admin\AppData\Local\Temp\382a0f214e63ee29203a0763357ec5a0N.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\SysWOW64\schtasks.exe" /create /tn raserver /tr "C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe" /sc minute /mo 1 /F

C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe

C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe

C:\Users\Admin\AppData\Roaming\Blasthost.exe

"C:\Users\Admin\AppData\Roaming\Blasthost.exe"

C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe

"C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\SysWOW64\schtasks.exe" /create /tn raserver /tr "C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe" /sc minute /mo 1 /F

C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe

C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe

C:\Users\Admin\AppData\Roaming\Blasthost.exe

"C:\Users\Admin\AppData\Roaming\Blasthost.exe"

C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe

"C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\SysWOW64\schtasks.exe" /create /tn raserver /tr "C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe" /sc minute /mo 1 /F

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp
US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp
US | 8.8.8.8:53 | Wealthy2019.com.strangled.net | udp
US | 8.8.8.8:53 | 14.160.190.20.in-addr.arpa | udp
US | 8.8.8.8:53 | wealth.warzonedns.com | udp
US | 8.8.8.8:53 | wealthyme.ddns.net | udp
US | 8.8.8.8:53 | wealth.warzonedns.com | udp
US | 8.8.8.8:53 | Wealthy2019.com.strangled.net | udp
US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp
US | 8.8.8.8:53 | wealth.warzonedns.com | udp
US | 8.8.8.8:53 | wealthyme.ddns.net | udp
US | 8.8.8.8:53 | wealth.warzonedns.com | udp
US | 8.8.8.8:53 | Wealthy2019.com.strangled.net | udp
US | 8.8.8.8:53 | wealth.warzonedns.com | udp
US | 8.8.8.8:53 | wealthyme.ddns.net | udp
US | 8.8.8.8:53 | wealth.warzonedns.com | udp
US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp
US | 8.8.8.8:53 | Wealthy2019.com.strangled.net | udp
US | 8.8.8.8:53 | wealth.warzonedns.com | udp
US | 8.8.8.8:53 | wealthyme.ddns.net | udp
US | 8.8.8.8:53 | wealth.warzonedns.com | udp
US | 8.8.8.8:53 | 217.135.221.88.in-addr.arpa | udp
US | 8.8.8.8:53 | Wealthy2019.com.strangled.net | udp
US | 8.8.8.8:53 | wealth.warzonedns.com | udp
US | 8.8.8.8:53 | wealthyme.ddns.net | udp
US | 8.8.8.8:53 | wealth.warzonedns.com | udp
US | 8.8.8.8:53 | Wealthy2019.com.strangled.net | udp
US | 8.8.8.8:53 | wealth.warzonedns.com | udp
US | 8.8.8.8:53 | wealthyme.ddns.net | udp
US | 8.8.8.8:53 | wealth.warzonedns.com | udp
US | 8.8.8.8:53 | Wealthy2019.com.strangled.net | udp
US | 8.8.8.8:53 | 240.143.123.92.in-addr.arpa | udp
US | 8.8.8.8:53 | wealth.warzonedns.com | udp
US | 8.8.8.8:53 | wealthyme.ddns.net | udp
US | 8.8.8.8:53 | wealth.warzonedns.com | udp
US | 8.8.8.8:53 | Wealthy2019.com.strangled.net | udp
US | 8.8.8.8:53 | wealth.warzonedns.com | udp
US | 8.8.8.8:53 | wealthyme.ddns.net | udp
US | 8.8.8.8:53 | wealth.warzonedns.com | udp
US | 8.8.8.8:53 | Wealthy2019.com.strangled.net | udp
US | 8.8.8.8:53 | wealth.warzonedns.com | udp
US | 8.8.8.8:53 | wealthyme.ddns.net | udp
US | 8.8.8.8:53 | wealth.warzonedns.com | udp
US | 8.8.8.8:53 | Wealthy2019.com.strangled.net | udp
US | 8.8.8.8:53 | 35.56.20.217.in-addr.arpa | udp
US | 8.8.8.8:53 | wealth.warzonedns.com | udp
US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp
US | 8.8.8.8:53 | wealthyme.ddns.net | udp
US | 8.8.8.8:53 | wealth.warzonedns.com | udp
US | 8.8.8.8:53 | Wealthy2019.com.strangled.net | udp
US | 8.8.8.8:53 | wealth.warzonedns.com | udp
US | 8.8.8.8:53 | wealthyme.ddns.net | udp
US | 8.8.8.8:53 | wealth.warzonedns.com | udp
US | 8.8.8.8:53 | Wealthy2019.com.strangled.net | udp
US | 8.8.8.8:53 | wealth.warzonedns.com | udp
US | 8.8.8.8:53 | wealthyme.ddns.net | udp
US | 8.8.8.8:53 | Wealthy2019.com.strangled.net | udp
US | 8.8.8.8:53 | wealth.warzonedns.com | udp

Files

C:\Users\Admin\AppData\Roaming\Blasthost.exe

MD5 6087bf6af59b9c531f2c9bb421d5e902
SHA1 8bc0f1596c986179b82585c703bacae6d2a00316
SHA256 3a8ffff8485c9ed35dae82574ea1a455ea2ead532251cebea19149d78dfd682c
SHA512 c8ed34470a874ce21c91cb7843521d66decc32c3f0a9c8d5b55889a7b990dfe5199ade8b6c6ef94b1bced6d3b5f0721e14bcc06320e8efe73ca3fe27fd6b9292

memory/5068-11-0x0000000000400000-0x000000000042C000-memory.dmp

memory/3308-14-0x0000000000400000-0x000000000041D000-memory.dmp

memory/3308-22-0x0000000000400000-0x000000000041D000-memory.dmp

memory/4932-13-0x0000000000B30000-0x0000000000B31000-memory.dmp

memory/4500-24-0x0000000001CA0000-0x0000000001CA1000-memory.dmp

memory/4820-26-0x0000000000400000-0x000000000042C000-memory.dmp

memory/4820-27-0x0000000000400000-0x000000000042C000-memory.dmp

C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe

MD5 2be270a24ffe3104a30f7b79ad79dc74
SHA1 af8931db57b19b55ec56196b406212cdf9fa7966
SHA256 9a03d699b6f535c44dc634660d533c1d80bba2ddb6f65ff2b50470ca1c900a6f
SHA512 36aa12b4f43a5bb31baaf513aeafe6a090bdcf4d7d2a6200e50b5f79a7e0c890badd56c3ce9cb7d305f5fc4545bd6444b9f1be591d438cf931c6bfc966898ad7

memory/1092-39-0x0000000000B20000-0x0000000000B3D000-memory.dmp

memory/1092-47-0x0000000000B20000-0x0000000000B3D000-memory.dmp

memory/4840-48-0x0000000001350000-0x0000000001351000-memory.dmp

memory/452-52-0x0000000000400000-0x000000000042C000-memory.dmp

memory/4868-74-0x00000000005D0000-0x00000000005D1000-memory.dmp