Malware Analysis Report

2024-10-19 10:25

Sample ID 240906-fvsv1sycka
Target 9e4588a9975249ea096046bb852cee50N.exe
SHA256 46a6f9b095a191a16aee3e544b9d32fd417eed9822da3dbea738be1d35210eb9
Tags rat netwire warzonerat botnet discovery infostealer stealer
Score 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score 10/10

SHA256 46a6f9b095a191a16aee3e544b9d32fd417eed9822da3dbea738be1d35210eb9

Threat Level: Known bad

The file 9e4588a9975249ea096046bb852cee50N.exe was found to be: Known bad.

Malicious Activity Summary

rat netwire warzonerat botnet discovery infostealer stealer

WarzoneRat, AveMaria

Netwire

Netwire family

NetWire RAT payload

Warzone RAT payload

Executes dropped EXE

Checks computer location settings

Loads dropped DLL

AutoIT Executable

Suspicious use of SetThreadContext

System Location Discovery: System Language Discovery

Enumerates physical storage devices

Unsigned PE

Scheduled Task/Job: Scheduled Task

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported 2024-09-06 05:11

Signatures

NetWire RAT payload

rat
Description Indicator Process Target
N/A N/A N/A N/A

Netwire family

netwire

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted 2024-09-06 05:11

Reported 2024-09-06 05:14

Platform win7-20240903-en

Max time kernel 119s

Max time network 18s

Command Line

"C:\Users\Admin\AppData\Local\Temp\9e4588a9975249ea096046bb852cee50N.exe"

Signatures

NetWire RAT payload

rat
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Netwire

botnet stealer netwire

WarzoneRat, AveMaria

rat infostealer warzonerat

Warzone RAT payload

rat
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\schtasks.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\Blasthost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\schtasks.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\9e4588a9975249ea096046bb852cee50N.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\schtasks.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\9e4588a9975249ea096046bb852cee50N.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 540 wrote to memory of 2596 N/A C:\Users\Admin\AppData\Local\Temp\9e4588a9975249ea096046bb852cee50N.exe C:\Users\Admin\AppData\Roaming\Blasthost.exe
PID 540 wrote to memory of 2596 N/A C:\Users\Admin\AppData\Local\Temp\9e4588a9975249ea096046bb852cee50N.exe C:\Users\Admin\AppData\Roaming\Blasthost.exe
PID 540 wrote to memory of 2596 N/A C:\Users\Admin\AppData\Local\Temp\9e4588a9975249ea096046bb852cee50N.exe C:\Users\Admin\AppData\Roaming\Blasthost.exe
PID 540 wrote to memory of 2596 N/A C:\Users\Admin\AppData\Local\Temp\9e4588a9975249ea096046bb852cee50N.exe C:\Users\Admin\AppData\Roaming\Blasthost.exe
PID 2596 wrote to memory of 1248 N/A C:\Users\Admin\AppData\Roaming\Blasthost.exe C:\Users\Admin\AppData\Roaming\Imgburn\Host.exe
PID 2596 wrote to memory of 1248 N/A C:\Users\Admin\AppData\Roaming\Blasthost.exe C:\Users\Admin\AppData\Roaming\Imgburn\Host.exe
PID 2596 wrote to memory of 1248 N/A C:\Users\Admin\AppData\Roaming\Blasthost.exe C:\Users\Admin\AppData\Roaming\Imgburn\Host.exe
PID 2596 wrote to memory of 1248 N/A C:\Users\Admin\AppData\Roaming\Blasthost.exe C:\Users\Admin\AppData\Roaming\Imgburn\Host.exe
PID 540 wrote to memory of 3024 N/A C:\Users\Admin\AppData\Local\Temp\9e4588a9975249ea096046bb852cee50N.exe C:\Users\Admin\AppData\Local\Temp\9e4588a9975249ea096046bb852cee50N.exe
PID 540 wrote to memory of 3024 N/A C:\Users\Admin\AppData\Local\Temp\9e4588a9975249ea096046bb852cee50N.exe C:\Users\Admin\AppData\Local\Temp\9e4588a9975249ea096046bb852cee50N.exe
PID 540 wrote to memory of 3024 N/A C:\Users\Admin\AppData\Local\Temp\9e4588a9975249ea096046bb852cee50N.exe C:\Users\Admin\AppData\Local\Temp\9e4588a9975249ea096046bb852cee50N.exe
PID 540 wrote to memory of 3024 N/A C:\Users\Admin\AppData\Local\Temp\9e4588a9975249ea096046bb852cee50N.exe C:\Users\Admin\AppData\Local\Temp\9e4588a9975249ea096046bb852cee50N.exe
PID 540 wrote to memory of 3024 N/A C:\Users\Admin\AppData\Local\Temp\9e4588a9975249ea096046bb852cee50N.exe C:\Users\Admin\AppData\Local\Temp\9e4588a9975249ea096046bb852cee50N.exe
PID 540 wrote to memory of 3024 N/A C:\Users\Admin\AppData\Local\Temp\9e4588a9975249ea096046bb852cee50N.exe C:\Users\Admin\AppData\Local\Temp\9e4588a9975249ea096046bb852cee50N.exe
PID 540 wrote to memory of 2772 N/A C:\Users\Admin\AppData\Local\Temp\9e4588a9975249ea096046bb852cee50N.exe C:\Windows\SysWOW64\schtasks.exe
PID 540 wrote to memory of 2772 N/A C:\Users\Admin\AppData\Local\Temp\9e4588a9975249ea096046bb852cee50N.exe C:\Windows\SysWOW64\schtasks.exe
PID 540 wrote to memory of 2772 N/A C:\Users\Admin\AppData\Local\Temp\9e4588a9975249ea096046bb852cee50N.exe C:\Windows\SysWOW64\schtasks.exe
PID 540 wrote to memory of 2772 N/A C:\Users\Admin\AppData\Local\Temp\9e4588a9975249ea096046bb852cee50N.exe C:\Windows\SysWOW64\schtasks.exe
PID 3024 wrote to memory of 2888 N/A C:\Users\Admin\AppData\Local\Temp\9e4588a9975249ea096046bb852cee50N.exe C:\Windows\SysWOW64\cmd.exe
PID 3024 wrote to memory of 2888 N/A C:\Users\Admin\AppData\Local\Temp\9e4588a9975249ea096046bb852cee50N.exe C:\Windows\SysWOW64\cmd.exe
PID 3024 wrote to memory of 2888 N/A C:\Users\Admin\AppData\Local\Temp\9e4588a9975249ea096046bb852cee50N.exe C:\Windows\SysWOW64\cmd.exe
PID 3024 wrote to memory of 2888 N/A C:\Users\Admin\AppData\Local\Temp\9e4588a9975249ea096046bb852cee50N.exe C:\Windows\SysWOW64\cmd.exe
PID 3024 wrote to memory of 2888 N/A C:\Users\Admin\AppData\Local\Temp\9e4588a9975249ea096046bb852cee50N.exe C:\Windows\SysWOW64\cmd.exe
PID 3024 wrote to memory of 2888 N/A C:\Users\Admin\AppData\Local\Temp\9e4588a9975249ea096046bb852cee50N.exe C:\Windows\SysWOW64\cmd.exe
PID 2416 wrote to memory of 2032 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
PID 2416 wrote to memory of 2032 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
PID 2416 wrote to memory of 2032 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
PID 2416 wrote to memory of 2032 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
PID 2032 wrote to memory of 2580 N/A C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe C:\Users\Admin\AppData\Roaming\Blasthost.exe
PID 2032 wrote to memory of 2580 N/A C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe C:\Users\Admin\AppData\Roaming\Blasthost.exe
PID 2032 wrote to memory of 2580 N/A C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe C:\Users\Admin\AppData\Roaming\Blasthost.exe
PID 2032 wrote to memory of 2580 N/A C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe C:\Users\Admin\AppData\Roaming\Blasthost.exe
PID 2032 wrote to memory of 1816 N/A C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
PID 2032 wrote to memory of 1816 N/A C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
PID 2032 wrote to memory of 1816 N/A C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
PID 2032 wrote to memory of 1816 N/A C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
PID 2032 wrote to memory of 1816 N/A C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
PID 2032 wrote to memory of 1816 N/A C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
PID 1816 wrote to memory of 1724 N/A C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe C:\Windows\SysWOW64\cmd.exe
PID 1816 wrote to memory of 1724 N/A C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe C:\Windows\SysWOW64\cmd.exe
PID 1816 wrote to memory of 1724 N/A C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe C:\Windows\SysWOW64\cmd.exe
PID 1816 wrote to memory of 1724 N/A C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe C:\Windows\SysWOW64\cmd.exe
PID 2032 wrote to memory of 496 N/A C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe C:\Windows\SysWOW64\schtasks.exe
PID 2032 wrote to memory of 496 N/A C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe C:\Windows\SysWOW64\schtasks.exe
PID 2032 wrote to memory of 496 N/A C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe C:\Windows\SysWOW64\schtasks.exe
PID 2032 wrote to memory of 496 N/A C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe C:\Windows\SysWOW64\schtasks.exe
PID 1816 wrote to memory of 1724 N/A C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe C:\Windows\SysWOW64\cmd.exe
PID 1816 wrote to memory of 1724 N/A C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe C:\Windows\SysWOW64\cmd.exe
PID 2416 wrote to memory of 572 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
PID 2416 wrote to memory of 572 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
PID 2416 wrote to memory of 572 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
PID 2416 wrote to memory of 572 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
PID 572 wrote to memory of 2484 N/A C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe C:\Users\Admin\AppData\Roaming\Blasthost.exe
PID 572 wrote to memory of 2484 N/A C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe C:\Users\Admin\AppData\Roaming\Blasthost.exe
PID 572 wrote to memory of 2484 N/A C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe C:\Users\Admin\AppData\Roaming\Blasthost.exe
PID 572 wrote to memory of 2484 N/A C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe C:\Users\Admin\AppData\Roaming\Blasthost.exe
PID 572 wrote to memory of 876 N/A C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
PID 572 wrote to memory of 876 N/A C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
PID 572 wrote to memory of 876 N/A C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
PID 572 wrote to memory of 876 N/A C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
PID 572 wrote to memory of 876 N/A C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
PID 572 wrote to memory of 876 N/A C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
PID 876 wrote to memory of 1804 N/A C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe C:\Windows\SysWOW64\cmd.exe
PID 876 wrote to memory of 1804 N/A C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe C:\Windows\SysWOW64\cmd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\9e4588a9975249ea096046bb852cee50N.exe

"C:\Users\Admin\AppData\Local\Temp\9e4588a9975249ea096046bb852cee50N.exe"

C:\Users\Admin\AppData\Roaming\Blasthost.exe

"C:\Users\Admin\AppData\Roaming\Blasthost.exe"

C:\Users\Admin\AppData\Roaming\Imgburn\Host.exe

"C:\Users\Admin\AppData\Roaming\Imgburn\Host.exe"

C:\Users\Admin\AppData\Local\Temp\9e4588a9975249ea096046bb852cee50N.exe

"C:\Users\Admin\AppData\Local\Temp\9e4588a9975249ea096046bb852cee50N.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\SysWOW64\schtasks.exe" /create /tn raserver /tr "C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe" /sc minute /mo 1 /F

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe"

C:\Windows\system32\taskeng.exe

taskeng.exe {66647590-9B10-45DD-9BBF-CA8BCB60F104} S-1-5-21-1488793075-819845221-1497111674-1000:UPNECVIU\Admin:Interactive:[1]

C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe

C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe

C:\Users\Admin\AppData\Roaming\Blasthost.exe

"C:\Users\Admin\AppData\Roaming\Blasthost.exe"

C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe

"C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\SysWOW64\schtasks.exe" /create /tn raserver /tr "C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe" /sc minute /mo 1 /F

C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe

C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe

C:\Users\Admin\AppData\Roaming\Blasthost.exe

"C:\Users\Admin\AppData\Roaming\Blasthost.exe"

C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe

"C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\SysWOW64\schtasks.exe" /create /tn raserver /tr "C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe" /sc minute /mo 1 /F

Network

Country Destination Domain Proto
US 8.8.8.8:53 Wealthy2019.com.strangled.net udp
US 8.8.8.8:53 wealth.warzonedns.com udp
US 8.8.8.8:53 wealthyme.ddns.net udp

Files

\Users\Admin\AppData\Roaming\Blasthost.exe

MD5 6087bf6af59b9c531f2c9bb421d5e902
SHA1 8bc0f1596c986179b82585c703bacae6d2a00316
SHA256 3a8ffff8485c9ed35dae82574ea1a455ea2ead532251cebea19149d78dfd682c
SHA512 c8ed34470a874ce21c91cb7843521d66decc32c3f0a9c8d5b55889a7b990dfe5199ade8b6c6ef94b1bced6d3b5f0721e14bcc06320e8efe73ca3fe27fd6b9292

memory/2596-23-0x0000000000400000-0x000000000042C000-memory.dmp

memory/3024-26-0x0000000000080000-0x000000000009D000-memory.dmp

memory/540-25-0x0000000002610000-0x0000000002611000-memory.dmp

memory/3024-27-0x0000000000080000-0x000000000009D000-memory.dmp

memory/3024-37-0x0000000000080000-0x000000000009D000-memory.dmp

memory/3024-34-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

memory/2888-39-0x0000000000120000-0x0000000000121000-memory.dmp

memory/2888-41-0x0000000000120000-0x0000000000121000-memory.dmp

memory/1248-44-0x0000000000400000-0x000000000042C000-memory.dmp

memory/1248-45-0x0000000000400000-0x000000000042C000-memory.dmp

C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe

MD5 efface2a444b496ad9c8837bf57e663f
SHA1 de889cf67ae333283dc4265c32b7f21535001791
SHA256 efa05b035bec6ac3bc08af51c573bfe3cad7330c0952f12a112c75ca6fcf84bc
SHA512 bd416341b13df6fb385aabb6430ed3433a17f4a1a6907ebf856991be0d3e01432230c75094ec3d4c9343ac1f336dce911b6fcbd6e405af5e4498b32de202715e

memory/1816-75-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

memory/1724-81-0x0000000000120000-0x0000000000121000-memory.dmp

memory/2580-86-0x0000000000400000-0x000000000042C000-memory.dmp

memory/1804-115-0x00000000000B0000-0x00000000000B1000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted 2024-09-06 05:11

Reported 2024-09-06 05:14

Platform win10v2004-20240802-en

Max time kernel 119s

Max time network 119s

Command Line

"C:\Users\Admin\AppData\Local\Temp\9e4588a9975249ea096046bb852cee50N.exe"

Signatures

NetWire RAT payload

rat
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Netwire

botnet stealer netwire

WarzoneRat, AveMaria

rat infostealer warzonerat

Warzone RAT payload

rat
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\9e4588a9975249ea096046bb852cee50N.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe N/A

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\9e4588a9975249ea096046bb852cee50N.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\schtasks.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\Imgburn\Host.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\schtasks.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\schtasks.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\9e4588a9975249ea096046bb852cee50N.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\Blasthost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe N/A

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3016 wrote to memory of 2992 N/A C:\Users\Admin\AppData\Local\Temp\9e4588a9975249ea096046bb852cee50N.exe C:\Users\Admin\AppData\Roaming\Blasthost.exe
PID 3016 wrote to memory of 2992 N/A C:\Users\Admin\AppData\Local\Temp\9e4588a9975249ea096046bb852cee50N.exe C:\Users\Admin\AppData\Roaming\Blasthost.exe
PID 3016 wrote to memory of 2992 N/A C:\Users\Admin\AppData\Local\Temp\9e4588a9975249ea096046bb852cee50N.exe C:\Users\Admin\AppData\Roaming\Blasthost.exe
PID 2992 wrote to memory of 3380 N/A C:\Users\Admin\AppData\Roaming\Blasthost.exe C:\Users\Admin\AppData\Roaming\Imgburn\Host.exe
PID 2992 wrote to memory of 3380 N/A C:\Users\Admin\AppData\Roaming\Blasthost.exe C:\Users\Admin\AppData\Roaming\Imgburn\Host.exe
PID 2992 wrote to memory of 3380 N/A C:\Users\Admin\AppData\Roaming\Blasthost.exe C:\Users\Admin\AppData\Roaming\Imgburn\Host.exe
PID 3016 wrote to memory of 2696 N/A C:\Users\Admin\AppData\Local\Temp\9e4588a9975249ea096046bb852cee50N.exe C:\Users\Admin\AppData\Local\Temp\9e4588a9975249ea096046bb852cee50N.exe
PID 3016 wrote to memory of 2696 N/A C:\Users\Admin\AppData\Local\Temp\9e4588a9975249ea096046bb852cee50N.exe C:\Users\Admin\AppData\Local\Temp\9e4588a9975249ea096046bb852cee50N.exe
PID 3016 wrote to memory of 2696 N/A C:\Users\Admin\AppData\Local\Temp\9e4588a9975249ea096046bb852cee50N.exe C:\Users\Admin\AppData\Local\Temp\9e4588a9975249ea096046bb852cee50N.exe
PID 3016 wrote to memory of 2696 N/A C:\Users\Admin\AppData\Local\Temp\9e4588a9975249ea096046bb852cee50N.exe C:\Users\Admin\AppData\Local\Temp\9e4588a9975249ea096046bb852cee50N.exe
PID 3016 wrote to memory of 2696 N/A C:\Users\Admin\AppData\Local\Temp\9e4588a9975249ea096046bb852cee50N.exe C:\Users\Admin\AppData\Local\Temp\9e4588a9975249ea096046bb852cee50N.exe
PID 2696 wrote to memory of 920 N/A C:\Users\Admin\AppData\Local\Temp\9e4588a9975249ea096046bb852cee50N.exe C:\Windows\SysWOW64\cmd.exe
PID 2696 wrote to memory of 920 N/A C:\Users\Admin\AppData\Local\Temp\9e4588a9975249ea096046bb852cee50N.exe C:\Windows\SysWOW64\cmd.exe
PID 2696 wrote to memory of 920 N/A C:\Users\Admin\AppData\Local\Temp\9e4588a9975249ea096046bb852cee50N.exe C:\Windows\SysWOW64\cmd.exe
PID 3016 wrote to memory of 824 N/A C:\Users\Admin\AppData\Local\Temp\9e4588a9975249ea096046bb852cee50N.exe C:\Windows\SysWOW64\schtasks.exe
PID 3016 wrote to memory of 824 N/A C:\Users\Admin\AppData\Local\Temp\9e4588a9975249ea096046bb852cee50N.exe C:\Windows\SysWOW64\schtasks.exe
PID 3016 wrote to memory of 824 N/A C:\Users\Admin\AppData\Local\Temp\9e4588a9975249ea096046bb852cee50N.exe C:\Windows\SysWOW64\schtasks.exe
PID 2696 wrote to memory of 920 N/A C:\Users\Admin\AppData\Local\Temp\9e4588a9975249ea096046bb852cee50N.exe C:\Windows\SysWOW64\cmd.exe
PID 2696 wrote to memory of 920 N/A C:\Users\Admin\AppData\Local\Temp\9e4588a9975249ea096046bb852cee50N.exe C:\Windows\SysWOW64\cmd.exe
PID 3044 wrote to memory of 512 N/A C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe C:\Users\Admin\AppData\Roaming\Blasthost.exe
PID 3044 wrote to memory of 512 N/A C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe C:\Users\Admin\AppData\Roaming\Blasthost.exe
PID 3044 wrote to memory of 512 N/A C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe C:\Users\Admin\AppData\Roaming\Blasthost.exe
PID 3044 wrote to memory of 1748 N/A C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
PID 3044 wrote to memory of 1748 N/A C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
PID 3044 wrote to memory of 1748 N/A C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
PID 3044 wrote to memory of 1748 N/A C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
PID 3044 wrote to memory of 1748 N/A C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
PID 1748 wrote to memory of 4336 N/A C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe C:\Windows\SysWOW64\cmd.exe
PID 1748 wrote to memory of 4336 N/A C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe C:\Windows\SysWOW64\cmd.exe
PID 1748 wrote to memory of 4336 N/A C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe C:\Windows\SysWOW64\cmd.exe
PID 3044 wrote to memory of 3576 N/A C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe C:\Windows\SysWOW64\schtasks.exe
PID 3044 wrote to memory of 3576 N/A C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe C:\Windows\SysWOW64\schtasks.exe
PID 3044 wrote to memory of 3576 N/A C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe C:\Windows\SysWOW64\schtasks.exe
PID 1748 wrote to memory of 4336 N/A C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe C:\Windows\SysWOW64\cmd.exe
PID 1748 wrote to memory of 4336 N/A C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe C:\Windows\SysWOW64\cmd.exe
PID 824 wrote to memory of 1640 N/A C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe C:\Users\Admin\AppData\Roaming\Blasthost.exe
PID 824 wrote to memory of 1640 N/A C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe C:\Users\Admin\AppData\Roaming\Blasthost.exe
PID 824 wrote to memory of 1640 N/A C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe C:\Users\Admin\AppData\Roaming\Blasthost.exe
PID 824 wrote to memory of 4632 N/A C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
PID 824 wrote to memory of 4632 N/A C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
PID 824 wrote to memory of 4632 N/A C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
PID 824 wrote to memory of 4632 N/A C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
PID 824 wrote to memory of 4632 N/A C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
PID 4632 wrote to memory of 4892 N/A C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe C:\Windows\SysWOW64\cmd.exe
PID 4632 wrote to memory of 4892 N/A C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe C:\Windows\SysWOW64\cmd.exe
PID 4632 wrote to memory of 4892 N/A C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe C:\Windows\SysWOW64\cmd.exe
PID 824 wrote to memory of 5072 N/A C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe C:\Windows\SysWOW64\schtasks.exe
PID 824 wrote to memory of 5072 N/A C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe C:\Windows\SysWOW64\schtasks.exe
PID 824 wrote to memory of 5072 N/A C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe C:\Windows\SysWOW64\schtasks.exe
PID 4632 wrote to memory of 4892 N/A C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe C:\Windows\SysWOW64\cmd.exe
PID 4632 wrote to memory of 4892 N/A C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe C:\Windows\SysWOW64\cmd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\9e4588a9975249ea096046bb852cee50N.exe

"C:\Users\Admin\AppData\Local\Temp\9e4588a9975249ea096046bb852cee50N.exe"

C:\Users\Admin\AppData\Roaming\Blasthost.exe

"C:\Users\Admin\AppData\Roaming\Blasthost.exe"

C:\Users\Admin\AppData\Roaming\Imgburn\Host.exe

"C:\Users\Admin\AppData\Roaming\Imgburn\Host.exe"

C:\Users\Admin\AppData\Local\Temp\9e4588a9975249ea096046bb852cee50N.exe

"C:\Users\Admin\AppData\Local\Temp\9e4588a9975249ea096046bb852cee50N.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\SysWOW64\schtasks.exe" /create /tn raserver /tr "C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe" /sc minute /mo 1 /F

C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe

C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe

C:\Users\Admin\AppData\Roaming\Blasthost.exe

"C:\Users\Admin\AppData\Roaming\Blasthost.exe"

C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe

"C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\SysWOW64\schtasks.exe" /create /tn raserver /tr "C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe" /sc minute /mo 1 /F

C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe

C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe

C:\Users\Admin\AppData\Roaming\Blasthost.exe

"C:\Users\Admin\AppData\Roaming\Blasthost.exe"

C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe

"C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\SysWOW64\schtasks.exe" /create /tn raserver /tr "C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe" /sc minute /mo 1 /F

Network

Country Destination Domain Proto
US 8.8.8.8:53 Wealthy2019.com.strangled.net udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 wealth.warzonedns.com udp
US 8.8.8.8:53 81.144.22.2.in-addr.arpa udp
US 8.8.8.8:53 73.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 wealthyme.ddns.net udp
US 8.8.8.8:53 wealth.warzonedns.com udp
US 8.8.8.8:53 Wealthy2019.com.strangled.net udp
US 8.8.8.8:53 wealth.warzonedns.com udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 wealthyme.ddns.net udp
US 8.8.8.8:53 wealth.warzonedns.com udp
US 8.8.8.8:53 Wealthy2019.com.strangled.net udp
US 8.8.8.8:53 wealth.warzonedns.com udp
US 8.8.8.8:53 wealthyme.ddns.net udp
US 8.8.8.8:53 wealth.warzonedns.com udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 Wealthy2019.com.strangled.net udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 wealth.warzonedns.com udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 wealthyme.ddns.net udp
US 8.8.8.8:53 wealth.warzonedns.com udp
US 8.8.8.8:53 Wealthy2019.com.strangled.net udp
US 8.8.8.8:53 wealth.warzonedns.com udp
US 8.8.8.8:53 wealthyme.ddns.net udp
US 8.8.8.8:53 wealth.warzonedns.com udp
US 8.8.8.8:53 Wealthy2019.com.strangled.net udp
US 8.8.8.8:53 wealth.warzonedns.com udp
US 8.8.8.8:53 wealthyme.ddns.net udp
US 8.8.8.8:53 wealth.warzonedns.com udp
US 8.8.8.8:53 Wealthy2019.com.strangled.net udp
US 8.8.8.8:53 wealth.warzonedns.com udp
US 8.8.8.8:53 73.144.22.2.in-addr.arpa udp
US 8.8.8.8:53 Wealthy2019.com.strangled.net udp
US 8.8.8.8:53 wealthyme.ddns.net udp
US 8.8.8.8:53 wealth.warzonedns.com udp
US 8.8.8.8:53 Wealthy2019.com.strangled.net udp
US 8.8.8.8:53 wealth.warzonedns.com udp
US 8.8.8.8:53 wealthyme.ddns.net udp
US 8.8.8.8:53 wealth.warzonedns.com udp
US 8.8.8.8:53 Wealthy2019.com.strangled.net udp
US 8.8.8.8:53 wealth.warzonedns.com udp
US 8.8.8.8:53 wealthyme.ddns.net udp
US 8.8.8.8:53 wealth.warzonedns.com udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 Wealthy2019.com.strangled.net udp
US 8.8.8.8:53 wealth.warzonedns.com udp
US 8.8.8.8:53 wealthyme.ddns.net udp
US 8.8.8.8:53 wealth.warzonedns.com udp
US 8.8.8.8:53 Wealthy2019.com.strangled.net udp
US 8.8.8.8:53 wealth.warzonedns.com udp
US 8.8.8.8:53 wealthyme.ddns.net udp
US 8.8.8.8:53 wealth.warzonedns.com udp
US 8.8.8.8:53 Wealthy2019.com.strangled.net udp
US 8.8.8.8:53 wealth.warzonedns.com udp
US 8.8.8.8:53 wealthyme.ddns.net udp
US 8.8.8.8:53 udp

Files

C:\Users\Admin\AppData\Roaming\Blasthost.exe

MD5 6087bf6af59b9c531f2c9bb421d5e902
SHA1 8bc0f1596c986179b82585c703bacae6d2a00316
SHA256 3a8ffff8485c9ed35dae82574ea1a455ea2ead532251cebea19149d78dfd682c
SHA512 c8ed34470a874ce21c91cb7843521d66decc32c3f0a9c8d5b55889a7b990dfe5199ade8b6c6ef94b1bced6d3b5f0721e14bcc06320e8efe73ca3fe27fd6b9292

memory/2992-12-0x0000000000400000-0x000000000042C000-memory.dmp

memory/3016-13-0x0000000001620000-0x0000000001621000-memory.dmp

memory/2696-14-0x0000000000400000-0x000000000041D000-memory.dmp

memory/2696-22-0x0000000000400000-0x000000000041D000-memory.dmp

memory/920-24-0x00000000003F0000-0x00000000003F1000-memory.dmp

memory/3380-26-0x0000000000400000-0x000000000042C000-memory.dmp

C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe

MD5 3d772100ed9bd4532bf85dc6ba112a2c
SHA1 a893f567b7709a419dffe3cb3f10ae68636962bc
SHA256 4a7714e8ed81a544110042cedb83831321d99672d9ace9b01d84093785cbba89
SHA512 3642efedd3f4397c9b1d651952f8d597c3023bc881d85d29aff5725e3fcb8eddfb9789d36ca75cae526eaeea49125a402c2dc7dff2f8d47f6dd99517cc2b04ed

memory/4336-49-0x00000000001F0000-0x00000000001F1000-memory.dmp

memory/512-53-0x0000000000400000-0x000000000042C000-memory.dmp

memory/4632-66-0x00000000002D0000-0x00000000002ED000-memory.dmp

memory/4632-73-0x00000000002D0000-0x00000000002ED000-memory.dmp

memory/4892-75-0x00000000001F0000-0x00000000001F1000-memory.dmp