Malware Analysis Report

2024-10-19 10:24

Sample ID 240905-esd4eatfjd
Target e53ec984ba966299802cce40e90ebb70N.exe
SHA256 f395283bb65ad17e428a419bb44b122d8d9acb64600bad0b6a4e2d6203da789c
Tags
rat netwire warzonerat botnet discovery infostealer stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

f395283bb65ad17e428a419bb44b122d8d9acb64600bad0b6a4e2d6203da789c

Threat Level: Known bad

The file e53ec984ba966299802cce40e90ebb70N.exe was found to be: Known bad.

Malicious Activity Summary

rat netwire warzonerat botnet discovery infostealer stealer

WarzoneRat, AveMaria

Netwire

Netwire family

NetWire RAT payload

Warzone RAT payload

Checks computer location settings

Loads dropped DLL

Executes dropped EXE

Suspicious use of SetThreadContext

AutoIT Executable

System Location Discovery: System Language Discovery

Enumerates physical storage devices

Unsigned PE

Scheduled Task/Job: Scheduled Task

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-09-05 04:11

Signatures

NetWire RAT payload

rat
Description Indicator Process Target
N/A N/A N/A N/A

Netwire family

netwire

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-09-05 04:11

Reported

2024-09-05 04:13

Platform

win7-20240729-en

Max time kernel

119s

Max time network

16s

Command Line

"C:\Users\Admin\AppData\Local\Temp\e53ec984ba966299802cce40e90ebb70N.exe"

Signatures

NetWire RAT payload

rat
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Netwire

botnet stealer netwire

WarzoneRat, AveMaria

rat infostealer warzonerat

Warzone RAT payload

rat
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\e53ec984ba966299802cce40e90ebb70N.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\schtasks.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\schtasks.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\schtasks.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\e53ec984ba966299802cce40e90ebb70N.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\Blasthost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 568 wrote to memory of 2380 N/A C:\Users\Admin\AppData\Local\Temp\e53ec984ba966299802cce40e90ebb70N.exe C:\Users\Admin\AppData\Roaming\Blasthost.exe
PID 568 wrote to memory of 2380 N/A C:\Users\Admin\AppData\Local\Temp\e53ec984ba966299802cce40e90ebb70N.exe C:\Users\Admin\AppData\Roaming\Blasthost.exe
PID 568 wrote to memory of 2380 N/A C:\Users\Admin\AppData\Local\Temp\e53ec984ba966299802cce40e90ebb70N.exe C:\Users\Admin\AppData\Roaming\Blasthost.exe
PID 568 wrote to memory of 2380 N/A C:\Users\Admin\AppData\Local\Temp\e53ec984ba966299802cce40e90ebb70N.exe C:\Users\Admin\AppData\Roaming\Blasthost.exe
PID 2380 wrote to memory of 824 N/A C:\Users\Admin\AppData\Roaming\Blasthost.exe C:\Users\Admin\AppData\Roaming\Imgburn\Host.exe
PID 2380 wrote to memory of 824 N/A C:\Users\Admin\AppData\Roaming\Blasthost.exe C:\Users\Admin\AppData\Roaming\Imgburn\Host.exe
PID 2380 wrote to memory of 824 N/A C:\Users\Admin\AppData\Roaming\Blasthost.exe C:\Users\Admin\AppData\Roaming\Imgburn\Host.exe
PID 2380 wrote to memory of 824 N/A C:\Users\Admin\AppData\Roaming\Blasthost.exe C:\Users\Admin\AppData\Roaming\Imgburn\Host.exe
PID 568 wrote to memory of 2820 N/A C:\Users\Admin\AppData\Local\Temp\e53ec984ba966299802cce40e90ebb70N.exe C:\Users\Admin\AppData\Local\Temp\e53ec984ba966299802cce40e90ebb70N.exe
PID 568 wrote to memory of 2820 N/A C:\Users\Admin\AppData\Local\Temp\e53ec984ba966299802cce40e90ebb70N.exe C:\Users\Admin\AppData\Local\Temp\e53ec984ba966299802cce40e90ebb70N.exe
PID 568 wrote to memory of 2820 N/A C:\Users\Admin\AppData\Local\Temp\e53ec984ba966299802cce40e90ebb70N.exe C:\Users\Admin\AppData\Local\Temp\e53ec984ba966299802cce40e90ebb70N.exe
PID 568 wrote to memory of 2820 N/A C:\Users\Admin\AppData\Local\Temp\e53ec984ba966299802cce40e90ebb70N.exe C:\Users\Admin\AppData\Local\Temp\e53ec984ba966299802cce40e90ebb70N.exe
PID 568 wrote to memory of 2820 N/A C:\Users\Admin\AppData\Local\Temp\e53ec984ba966299802cce40e90ebb70N.exe C:\Users\Admin\AppData\Local\Temp\e53ec984ba966299802cce40e90ebb70N.exe
PID 568 wrote to memory of 2820 N/A C:\Users\Admin\AppData\Local\Temp\e53ec984ba966299802cce40e90ebb70N.exe C:\Users\Admin\AppData\Local\Temp\e53ec984ba966299802cce40e90ebb70N.exe
PID 568 wrote to memory of 2840 N/A C:\Users\Admin\AppData\Local\Temp\e53ec984ba966299802cce40e90ebb70N.exe C:\Windows\SysWOW64\schtasks.exe
PID 568 wrote to memory of 2840 N/A C:\Users\Admin\AppData\Local\Temp\e53ec984ba966299802cce40e90ebb70N.exe C:\Windows\SysWOW64\schtasks.exe
PID 568 wrote to memory of 2840 N/A C:\Users\Admin\AppData\Local\Temp\e53ec984ba966299802cce40e90ebb70N.exe C:\Windows\SysWOW64\schtasks.exe
PID 568 wrote to memory of 2840 N/A C:\Users\Admin\AppData\Local\Temp\e53ec984ba966299802cce40e90ebb70N.exe C:\Windows\SysWOW64\schtasks.exe
PID 2820 wrote to memory of 2996 N/A C:\Users\Admin\AppData\Local\Temp\e53ec984ba966299802cce40e90ebb70N.exe C:\Windows\SysWOW64\cmd.exe
PID 2820 wrote to memory of 2996 N/A C:\Users\Admin\AppData\Local\Temp\e53ec984ba966299802cce40e90ebb70N.exe C:\Windows\SysWOW64\cmd.exe
PID 2820 wrote to memory of 2996 N/A C:\Users\Admin\AppData\Local\Temp\e53ec984ba966299802cce40e90ebb70N.exe C:\Windows\SysWOW64\cmd.exe
PID 2820 wrote to memory of 2996 N/A C:\Users\Admin\AppData\Local\Temp\e53ec984ba966299802cce40e90ebb70N.exe C:\Windows\SysWOW64\cmd.exe
PID 2820 wrote to memory of 2996 N/A C:\Users\Admin\AppData\Local\Temp\e53ec984ba966299802cce40e90ebb70N.exe C:\Windows\SysWOW64\cmd.exe
PID 2820 wrote to memory of 2996 N/A C:\Users\Admin\AppData\Local\Temp\e53ec984ba966299802cce40e90ebb70N.exe C:\Windows\SysWOW64\cmd.exe
PID 2640 wrote to memory of 2068 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
PID 2640 wrote to memory of 2068 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
PID 2640 wrote to memory of 2068 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
PID 2640 wrote to memory of 2068 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
PID 2068 wrote to memory of 2552 N/A C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe C:\Users\Admin\AppData\Roaming\Blasthost.exe
PID 2068 wrote to memory of 2552 N/A C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe C:\Users\Admin\AppData\Roaming\Blasthost.exe
PID 2068 wrote to memory of 2552 N/A C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe C:\Users\Admin\AppData\Roaming\Blasthost.exe
PID 2068 wrote to memory of 2552 N/A C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe C:\Users\Admin\AppData\Roaming\Blasthost.exe
PID 2068 wrote to memory of 1672 N/A C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
PID 2068 wrote to memory of 1672 N/A C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
PID 2068 wrote to memory of 1672 N/A C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
PID 2068 wrote to memory of 1672 N/A C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
PID 2068 wrote to memory of 1672 N/A C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
PID 2068 wrote to memory of 1672 N/A C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
PID 2068 wrote to memory of 2900 N/A C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe C:\Windows\SysWOW64\schtasks.exe
PID 2068 wrote to memory of 2900 N/A C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe C:\Windows\SysWOW64\schtasks.exe
PID 2068 wrote to memory of 2900 N/A C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe C:\Windows\SysWOW64\schtasks.exe
PID 2068 wrote to memory of 2900 N/A C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe C:\Windows\SysWOW64\schtasks.exe
PID 1672 wrote to memory of 2284 N/A C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe C:\Windows\SysWOW64\cmd.exe
PID 1672 wrote to memory of 2284 N/A C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe C:\Windows\SysWOW64\cmd.exe
PID 1672 wrote to memory of 2284 N/A C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe C:\Windows\SysWOW64\cmd.exe
PID 1672 wrote to memory of 2284 N/A C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe C:\Windows\SysWOW64\cmd.exe
PID 1672 wrote to memory of 2284 N/A C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe C:\Windows\SysWOW64\cmd.exe
PID 1672 wrote to memory of 2284 N/A C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe C:\Windows\SysWOW64\cmd.exe
PID 2640 wrote to memory of 2156 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
PID 2640 wrote to memory of 2156 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
PID 2640 wrote to memory of 2156 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
PID 2640 wrote to memory of 2156 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
PID 2156 wrote to memory of 2016 N/A C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe C:\Users\Admin\AppData\Roaming\Blasthost.exe
PID 2156 wrote to memory of 2016 N/A C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe C:\Users\Admin\AppData\Roaming\Blasthost.exe
PID 2156 wrote to memory of 2016 N/A C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe C:\Users\Admin\AppData\Roaming\Blasthost.exe
PID 2156 wrote to memory of 2016 N/A C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe C:\Users\Admin\AppData\Roaming\Blasthost.exe
PID 2156 wrote to memory of 1180 N/A C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
PID 2156 wrote to memory of 1180 N/A C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
PID 2156 wrote to memory of 1180 N/A C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
PID 2156 wrote to memory of 1180 N/A C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
PID 2156 wrote to memory of 1180 N/A C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
PID 2156 wrote to memory of 1180 N/A C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
PID 1180 wrote to memory of 2448 N/A C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe C:\Windows\SysWOW64\cmd.exe
PID 1180 wrote to memory of 2448 N/A C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe C:\Windows\SysWOW64\cmd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\e53ec984ba966299802cce40e90ebb70N.exe

"C:\Users\Admin\AppData\Local\Temp\e53ec984ba966299802cce40e90ebb70N.exe"

C:\Users\Admin\AppData\Roaming\Blasthost.exe

"C:\Users\Admin\AppData\Roaming\Blasthost.exe"

C:\Users\Admin\AppData\Roaming\Imgburn\Host.exe

"C:\Users\Admin\AppData\Roaming\Imgburn\Host.exe"

C:\Users\Admin\AppData\Local\Temp\e53ec984ba966299802cce40e90ebb70N.exe

"C:\Users\Admin\AppData\Local\Temp\e53ec984ba966299802cce40e90ebb70N.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\SysWOW64\schtasks.exe" /create /tn raserver /tr "C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe" /sc minute /mo 1 /F

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe"

C:\Windows\system32\taskeng.exe

taskeng.exe {21CE9B9E-00CE-4345-A6D8-DFC8BFD2F8EC} S-1-5-21-2703099537-420551529-3771253338-1000:XECUDNCD\Admin:Interactive:[1]

C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe

C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe

C:\Users\Admin\AppData\Roaming\Blasthost.exe

"C:\Users\Admin\AppData\Roaming\Blasthost.exe"

C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe

"C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\SysWOW64\schtasks.exe" /create /tn raserver /tr "C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe" /sc minute /mo 1 /F

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe"

C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe

C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe

C:\Users\Admin\AppData\Roaming\Blasthost.exe

"C:\Users\Admin\AppData\Roaming\Blasthost.exe"

C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe

"C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\SysWOW64\schtasks.exe" /create /tn raserver /tr "C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe" /sc minute /mo 1 /F

Network

Country Destination Domain Proto
US 8.8.8.8:53 Wealthy2019.com.strangled.net udp
US 8.8.8.8:53 wealth.warzonedns.com udp
US 8.8.8.8:53 wealthyme.ddns.net udp

Files

memory/568-0-0x0000000000DF0000-0x0000000000F5B000-memory.dmp

\Users\Admin\AppData\Roaming\Blasthost.exe

MD5 6087bf6af59b9c531f2c9bb421d5e902
SHA1 8bc0f1596c986179b82585c703bacae6d2a00316
SHA256 3a8ffff8485c9ed35dae82574ea1a455ea2ead532251cebea19149d78dfd682c
SHA512 c8ed34470a874ce21c91cb7843521d66decc32c3f0a9c8d5b55889a7b990dfe5199ade8b6c6ef94b1bced6d3b5f0721e14bcc06320e8efe73ca3fe27fd6b9292

memory/2380-24-0x0000000000400000-0x000000000042C000-memory.dmp

memory/2820-29-0x0000000000080000-0x000000000009D000-memory.dmp

memory/2820-39-0x0000000000080000-0x000000000009D000-memory.dmp

memory/2820-36-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

memory/2820-27-0x0000000000080000-0x000000000009D000-memory.dmp

memory/568-26-0x00000000006A0000-0x00000000006A1000-memory.dmp

memory/568-41-0x0000000000DF0000-0x0000000000F5B000-memory.dmp

memory/2996-44-0x0000000000270000-0x0000000000271000-memory.dmp

memory/2996-42-0x0000000000270000-0x0000000000271000-memory.dmp

C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe

MD5 6a8917a9dc1013e88d28f5c31e45fd6c
SHA1 fb764d928b5dfab38ab229883127a63b8bac7336
SHA256 2306cf802cfdbc20cf217528969536b4cdf47be4ab3e5482a68465d82c13f6d8
SHA512 44864a68d765efb230181c914e2cf8d7dc9bfe32f7f9debd19b787c3c61dd511f36284ee07bd7218b7d75d449e3f448760c597a8754b7e4bbec05f2ef4796b2e

memory/2068-49-0x0000000000D70000-0x0000000000EDB000-memory.dmp

memory/1672-74-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

memory/1672-69-0x00000000000D0000-0x00000000000ED000-memory.dmp

memory/1672-77-0x00000000000D0000-0x00000000000ED000-memory.dmp

memory/2068-78-0x0000000000D70000-0x0000000000EDB000-memory.dmp

memory/2284-81-0x0000000000120000-0x0000000000121000-memory.dmp

memory/824-84-0x0000000000400000-0x000000000042C000-memory.dmp

memory/2552-86-0x0000000000400000-0x000000000042C000-memory.dmp

memory/824-87-0x0000000000400000-0x000000000042C000-memory.dmp

memory/2156-113-0x0000000000D70000-0x0000000000EDB000-memory.dmp

memory/2448-116-0x00000000000F0000-0x00000000000F1000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-09-05 04:11

Reported

2024-09-05 04:13

Platform

win10v2004-20240802-en

Max time kernel

120s

Max time network

120s

Command Line

"C:\Users\Admin\AppData\Local\Temp\e53ec984ba966299802cce40e90ebb70N.exe"

Signatures

NetWire RAT payload

rat
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Netwire

botnet stealer netwire

WarzoneRat, AveMaria

rat infostealer warzonerat

Warzone RAT payload

rat
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\e53ec984ba966299802cce40e90ebb70N.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe N/A

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\e53ec984ba966299802cce40e90ebb70N.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\schtasks.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\Blasthost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\schtasks.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\schtasks.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\e53ec984ba966299802cce40e90ebb70N.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\Imgburn\Host.exe N/A

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2540 wrote to memory of 2076 N/A C:\Users\Admin\AppData\Local\Temp\e53ec984ba966299802cce40e90ebb70N.exe C:\Users\Admin\AppData\Roaming\Blasthost.exe
PID 2540 wrote to memory of 2076 N/A C:\Users\Admin\AppData\Local\Temp\e53ec984ba966299802cce40e90ebb70N.exe C:\Users\Admin\AppData\Roaming\Blasthost.exe
PID 2540 wrote to memory of 2076 N/A C:\Users\Admin\AppData\Local\Temp\e53ec984ba966299802cce40e90ebb70N.exe C:\Users\Admin\AppData\Roaming\Blasthost.exe
PID 2076 wrote to memory of 4028 N/A C:\Users\Admin\AppData\Roaming\Blasthost.exe C:\Users\Admin\AppData\Roaming\Imgburn\Host.exe
PID 2076 wrote to memory of 4028 N/A C:\Users\Admin\AppData\Roaming\Blasthost.exe C:\Users\Admin\AppData\Roaming\Imgburn\Host.exe
PID 2076 wrote to memory of 4028 N/A C:\Users\Admin\AppData\Roaming\Blasthost.exe C:\Users\Admin\AppData\Roaming\Imgburn\Host.exe
PID 2540 wrote to memory of 2012 N/A C:\Users\Admin\AppData\Local\Temp\e53ec984ba966299802cce40e90ebb70N.exe C:\Users\Admin\AppData\Local\Temp\e53ec984ba966299802cce40e90ebb70N.exe
PID 2540 wrote to memory of 2012 N/A C:\Users\Admin\AppData\Local\Temp\e53ec984ba966299802cce40e90ebb70N.exe C:\Users\Admin\AppData\Local\Temp\e53ec984ba966299802cce40e90ebb70N.exe
PID 2540 wrote to memory of 2012 N/A C:\Users\Admin\AppData\Local\Temp\e53ec984ba966299802cce40e90ebb70N.exe C:\Users\Admin\AppData\Local\Temp\e53ec984ba966299802cce40e90ebb70N.exe
PID 2540 wrote to memory of 2012 N/A C:\Users\Admin\AppData\Local\Temp\e53ec984ba966299802cce40e90ebb70N.exe C:\Users\Admin\AppData\Local\Temp\e53ec984ba966299802cce40e90ebb70N.exe
PID 2540 wrote to memory of 2012 N/A C:\Users\Admin\AppData\Local\Temp\e53ec984ba966299802cce40e90ebb70N.exe C:\Users\Admin\AppData\Local\Temp\e53ec984ba966299802cce40e90ebb70N.exe
PID 2012 wrote to memory of 3420 N/A C:\Users\Admin\AppData\Local\Temp\e53ec984ba966299802cce40e90ebb70N.exe C:\Windows\SysWOW64\cmd.exe
PID 2012 wrote to memory of 3420 N/A C:\Users\Admin\AppData\Local\Temp\e53ec984ba966299802cce40e90ebb70N.exe C:\Windows\SysWOW64\cmd.exe
PID 2012 wrote to memory of 3420 N/A C:\Users\Admin\AppData\Local\Temp\e53ec984ba966299802cce40e90ebb70N.exe C:\Windows\SysWOW64\cmd.exe
PID 2540 wrote to memory of 1216 N/A C:\Users\Admin\AppData\Local\Temp\e53ec984ba966299802cce40e90ebb70N.exe C:\Windows\SysWOW64\schtasks.exe
PID 2540 wrote to memory of 1216 N/A C:\Users\Admin\AppData\Local\Temp\e53ec984ba966299802cce40e90ebb70N.exe C:\Windows\SysWOW64\schtasks.exe
PID 2540 wrote to memory of 1216 N/A C:\Users\Admin\AppData\Local\Temp\e53ec984ba966299802cce40e90ebb70N.exe C:\Windows\SysWOW64\schtasks.exe
PID 2012 wrote to memory of 3420 N/A C:\Users\Admin\AppData\Local\Temp\e53ec984ba966299802cce40e90ebb70N.exe C:\Windows\SysWOW64\cmd.exe
PID 2012 wrote to memory of 3420 N/A C:\Users\Admin\AppData\Local\Temp\e53ec984ba966299802cce40e90ebb70N.exe C:\Windows\SysWOW64\cmd.exe
PID 1348 wrote to memory of 4440 N/A C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe C:\Users\Admin\AppData\Roaming\Blasthost.exe
PID 1348 wrote to memory of 4440 N/A C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe C:\Users\Admin\AppData\Roaming\Blasthost.exe
PID 1348 wrote to memory of 4440 N/A C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe C:\Users\Admin\AppData\Roaming\Blasthost.exe
PID 1348 wrote to memory of 3472 N/A C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
PID 1348 wrote to memory of 3472 N/A C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
PID 1348 wrote to memory of 3472 N/A C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
PID 1348 wrote to memory of 3472 N/A C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
PID 1348 wrote to memory of 3472 N/A C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
PID 3472 wrote to memory of 5016 N/A C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe C:\Windows\SysWOW64\cmd.exe
PID 3472 wrote to memory of 5016 N/A C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe C:\Windows\SysWOW64\cmd.exe
PID 3472 wrote to memory of 5016 N/A C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe C:\Windows\SysWOW64\cmd.exe
PID 1348 wrote to memory of 2652 N/A C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe C:\Windows\SysWOW64\schtasks.exe
PID 1348 wrote to memory of 2652 N/A C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe C:\Windows\SysWOW64\schtasks.exe
PID 1348 wrote to memory of 2652 N/A C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe C:\Windows\SysWOW64\schtasks.exe
PID 3472 wrote to memory of 5016 N/A C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe C:\Windows\SysWOW64\cmd.exe
PID 3472 wrote to memory of 5016 N/A C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe C:\Windows\SysWOW64\cmd.exe
PID 3436 wrote to memory of 4056 N/A C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe C:\Users\Admin\AppData\Roaming\Blasthost.exe
PID 3436 wrote to memory of 4056 N/A C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe C:\Users\Admin\AppData\Roaming\Blasthost.exe
PID 3436 wrote to memory of 4056 N/A C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe C:\Users\Admin\AppData\Roaming\Blasthost.exe
PID 3436 wrote to memory of 4144 N/A C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
PID 3436 wrote to memory of 4144 N/A C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
PID 3436 wrote to memory of 4144 N/A C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
PID 3436 wrote to memory of 4144 N/A C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
PID 3436 wrote to memory of 4144 N/A C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
PID 4144 wrote to memory of 3788 N/A C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe C:\Windows\SysWOW64\cmd.exe
PID 4144 wrote to memory of 3788 N/A C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe C:\Windows\SysWOW64\cmd.exe
PID 4144 wrote to memory of 3788 N/A C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe C:\Windows\SysWOW64\cmd.exe
PID 3436 wrote to memory of 4408 N/A C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe C:\Windows\SysWOW64\schtasks.exe
PID 3436 wrote to memory of 4408 N/A C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe C:\Windows\SysWOW64\schtasks.exe
PID 3436 wrote to memory of 4408 N/A C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe C:\Windows\SysWOW64\schtasks.exe
PID 4144 wrote to memory of 3788 N/A C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe C:\Windows\SysWOW64\cmd.exe
PID 4144 wrote to memory of 3788 N/A C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe C:\Windows\SysWOW64\cmd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\e53ec984ba966299802cce40e90ebb70N.exe

"C:\Users\Admin\AppData\Local\Temp\e53ec984ba966299802cce40e90ebb70N.exe"

C:\Users\Admin\AppData\Roaming\Blasthost.exe

"C:\Users\Admin\AppData\Roaming\Blasthost.exe"

C:\Users\Admin\AppData\Roaming\Imgburn\Host.exe

"C:\Users\Admin\AppData\Roaming\Imgburn\Host.exe"

C:\Users\Admin\AppData\Local\Temp\e53ec984ba966299802cce40e90ebb70N.exe

"C:\Users\Admin\AppData\Local\Temp\e53ec984ba966299802cce40e90ebb70N.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\SysWOW64\schtasks.exe" /create /tn raserver /tr "C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe" /sc minute /mo 1 /F

C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe

C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe

C:\Users\Admin\AppData\Roaming\Blasthost.exe

"C:\Users\Admin\AppData\Roaming\Blasthost.exe"

C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe

"C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\SysWOW64\schtasks.exe" /create /tn raserver /tr "C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe" /sc minute /mo 1 /F

C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe

C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe

C:\Users\Admin\AppData\Roaming\Blasthost.exe

"C:\Users\Admin\AppData\Roaming\Blasthost.exe"

C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe

"C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\SysWOW64\schtasks.exe" /create /tn raserver /tr "C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe" /sc minute /mo 1 /F

Network

Country Destination Domain Proto
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 Wealthy2019.com.strangled.net udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 wealth.warzonedns.com udp
US 8.8.8.8:53 140.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 wealthyme.ddns.net udp
US 8.8.8.8:53 wealth.warzonedns.com udp
US 8.8.8.8:53 Wealthy2019.com.strangled.net udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 wealth.warzonedns.com udp
US 8.8.8.8:53 wealthyme.ddns.net udp
US 8.8.8.8:53 wealth.warzonedns.com udp
US 8.8.8.8:53 Wealthy2019.com.strangled.net udp
US 8.8.8.8:53 wealth.warzonedns.com udp
US 8.8.8.8:53 wealthyme.ddns.net udp
US 8.8.8.8:53 wealth.warzonedns.com udp
US 8.8.8.8:53 Wealthy2019.com.strangled.net udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 wealth.warzonedns.com udp
US 8.8.8.8:53 232.135.221.88.in-addr.arpa udp
US 8.8.8.8:53 wealthyme.ddns.net udp
US 8.8.8.8:53 wealth.warzonedns.com udp
US 8.8.8.8:53 Wealthy2019.com.strangled.net udp
US 8.8.8.8:53 wealth.warzonedns.com udp
US 8.8.8.8:53 wealthyme.ddns.net udp
US 8.8.8.8:53 wealth.warzonedns.com udp
US 8.8.8.8:53 Wealthy2019.com.strangled.net udp
US 8.8.8.8:53 wealth.warzonedns.com udp
US 8.8.8.8:53 wealthyme.ddns.net udp
US 8.8.8.8:53 wealth.warzonedns.com udp
US 8.8.8.8:53 Wealthy2019.com.strangled.net udp
US 8.8.8.8:53 81.144.22.2.in-addr.arpa udp
US 8.8.8.8:53 wealth.warzonedns.com udp
US 8.8.8.8:53 wealthyme.ddns.net udp
US 8.8.8.8:53 wealth.warzonedns.com udp
US 8.8.8.8:53 Wealthy2019.com.strangled.net udp
US 8.8.8.8:53 wealth.warzonedns.com udp
US 8.8.8.8:53 wealthyme.ddns.net udp
US 8.8.8.8:53 wealth.warzonedns.com udp
US 8.8.8.8:53 Wealthy2019.com.strangled.net udp
US 8.8.8.8:53 wealth.warzonedns.com udp
US 8.8.8.8:53 wealthyme.ddns.net udp
US 8.8.8.8:53 wealth.warzonedns.com udp
US 8.8.8.8:53 Wealthy2019.com.strangled.net udp
US 8.8.8.8:53 31.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 wealth.warzonedns.com udp
US 8.8.8.8:53 wealthyme.ddns.net udp
US 8.8.8.8:53 wealth.warzonedns.com udp
US 8.8.8.8:53 Wealthy2019.com.strangled.net udp
US 8.8.8.8:53 wealth.warzonedns.com udp
US 8.8.8.8:53 wealthyme.ddns.net udp
US 8.8.8.8:53 wealth.warzonedns.com udp
US 8.8.8.8:53 Wealthy2019.com.strangled.net udp
US 8.8.8.8:53 wealth.warzonedns.com udp
US 8.8.8.8:53 wealthyme.ddns.net udp
US 8.8.8.8:53 wealth.warzonedns.com udp

Files

memory/2540-0-0x0000000000EF0000-0x000000000105B000-memory.dmp

C:\Users\Admin\AppData\Roaming\Blasthost.exe

MD5 6087bf6af59b9c531f2c9bb421d5e902
SHA1 8bc0f1596c986179b82585c703bacae6d2a00316
SHA256 3a8ffff8485c9ed35dae82574ea1a455ea2ead532251cebea19149d78dfd682c
SHA512 c8ed34470a874ce21c91cb7843521d66decc32c3f0a9c8d5b55889a7b990dfe5199ade8b6c6ef94b1bced6d3b5f0721e14bcc06320e8efe73ca3fe27fd6b9292

memory/2076-12-0x0000000000400000-0x000000000042C000-memory.dmp

memory/2540-14-0x00000000025A0000-0x00000000025A1000-memory.dmp

memory/2012-15-0x0000000000400000-0x000000000041D000-memory.dmp

memory/2012-23-0x0000000000400000-0x000000000041D000-memory.dmp

memory/2540-25-0x0000000000EF0000-0x000000000105B000-memory.dmp

memory/3420-26-0x00000000014D0000-0x00000000014D1000-memory.dmp

C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe

MD5 20edf3fdc9074b690601ea500238265c
SHA1 482ff6abe7b9c513fbca948714dc2528c14d23db
SHA256 977b64280489c108f531ae80cd2056502f254d874136dd825a215d0801690441
SHA512 8621532c8b70c8948ffd809621108938847973492c4958e605394d75a46c711f56779552005770ddcb9c99f69b664b7ab6a616128b60103d6f42e591ee56a10b

memory/1348-29-0x00000000008E0000-0x0000000000A4B000-memory.dmp

memory/1348-47-0x00000000008E0000-0x0000000000A4B000-memory.dmp

memory/5016-48-0x00000000009F0000-0x00000000009F1000-memory.dmp

memory/4028-50-0x0000000000400000-0x000000000042C000-memory.dmp

memory/4440-52-0x0000000000400000-0x000000000042C000-memory.dmp

memory/4028-55-0x0000000000400000-0x000000000042C000-memory.dmp

memory/3436-73-0x00000000008E0000-0x0000000000A4B000-memory.dmp

memory/3788-75-0x00000000013F0000-0x00000000013F1000-memory.dmp

memory/4056-78-0x0000000000400000-0x000000000042C000-memory.dmp