Malware Analysis Report

2025-04-03 09:54

Sample ID 250202-jsl68svjer
Target d055e81562f5239a24846ad6c5c8f54186fc29e294c82fb91606ce1b3adfd8e4N.exe
SHA256 d055e81562f5239a24846ad6c5c8f54186fc29e294c82fb91606ce1b3adfd8e4
Tags: rat netwire warzonerat botnet discovery infostealer stealer
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
    Enterprise Matrix V15
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Score: 10/10
SHA256: d055e81562f5239a24846ad6c5c8f54186fc29e294c82fb91606ce1b3adfd8e4
Threat Level: Known bad

The file d055e81562f5239a24846ad6c5c8f54186fc29e294c82fb91606ce1b3adfd8e4N.exe was found to be: Known bad.

Malicious Activity Summary

Tags: rat netwire warzonerat botnet discovery infostealer stealer

    NetWire RAT payload
    Netwire
    Netwire family
    WarzoneRat, AveMaria
    Warzonerat family
    Warzone RAT payload
    Loads dropped DLL
    Executes dropped EXE
    Checks computer location settings
    Suspicious use of SetThreadContext
    AutoIT Executable
    Enumerates physical storage devices
    System Location Discovery: System Language Discovery
    Unsigned PE
    Suspicious use of WriteProcessMemory
    Scheduled Task/Job: Scheduled Task

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2025-02-02 07:55

Signatures

NetWire RAT payload (rat)
    Description / Indicator / Process / Target: N/A

Netwire family (netwire)

AutoIT Executable
    Description / Indicator / Process / Target: N/A

Unsigned PE
    Description / Indicator / Process / Target: N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2025-02-02 07:55
Reported: 2025-02-02 07:58
Platform: win7-20240903-en
Max time kernel: 120s
Max time network: 118s

Command Line

"C:\Users\Admin\AppData\Local\Temp\d055e81562f5239a24846ad6c5c8f54186fc29e294c82fb91606ce1b3adfd8e4N.exe"

Signatures

NetWire RAT payload (rat)
    Description / Indicator / Process / Target: N/A (11 rows, all N/A)

Netwire (botnet stealer netwire)

Netwire family (netwire)

WarzoneRat, AveMaria (rat infostealer warzonerat)

Warzonerat family (warzonerat)

Warzone RAT payload (rat)
    Description / Indicator / Process / Target: N/A (4 rows, all N/A)

AutoIT Executable
    Description / Indicator / Process / Target: N/A (6 rows, all N/A)

Enumerates physical storage devices

System Location Discovery: System Language Discovery (discovery)
    Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
    Processes that opened the key (Target: N/A; repeated rows collapsed):
        C:\Windows\SysWOW64\cmd.exe
        C:\Windows\SysWOW64\schtasks.exe
        C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
        C:\Users\Admin\AppData\Local\Temp\d055e81562f5239a24846ad6c5c8f54186fc29e294c82fb91606ce1b3adfd8e4N.exe
        C:\Users\Admin\AppData\Roaming\Blasthost.exe

Scheduled Task/Job: Scheduled Task (persistence execution)
    Process: C:\Windows\SysWOW64\schtasks.exe (3 rows; Description, Indicator and Target: N/A)

Suspicious use of WriteProcessMemory
    Unique source/target pairs (Indicator: N/A; the sandbox logged each pair several times):
        PID 2384 (C:\Users\Admin\AppData\Local\Temp\d055e81562f5239a24846ad6c5c8f54186fc29e294c82fb91606ce1b3adfd8e4N.exe) wrote to memory of PID 1864 (C:\Users\Admin\AppData\Roaming\Blasthost.exe)
        PID 1864 (C:\Users\Admin\AppData\Roaming\Blasthost.exe) wrote to memory of PID 3012 (C:\Users\Admin\AppData\Roaming\Imgburn\Host.exe)
        PID 2384 (C:\Users\Admin\AppData\Local\Temp\d055e81562f5239a24846ad6c5c8f54186fc29e294c82fb91606ce1b3adfd8e4N.exe) wrote to memory of PID 2168 (C:\Users\Admin\AppData\Local\Temp\d055e81562f5239a24846ad6c5c8f54186fc29e294c82fb91606ce1b3adfd8e4N.exe)
        PID 2384 (C:\Users\Admin\AppData\Local\Temp\d055e81562f5239a24846ad6c5c8f54186fc29e294c82fb91606ce1b3adfd8e4N.exe) wrote to memory of PID 2760 (C:\Windows\SysWOW64\schtasks.exe)
        PID 2168 (C:\Users\Admin\AppData\Local\Temp\d055e81562f5239a24846ad6c5c8f54186fc29e294c82fb91606ce1b3adfd8e4N.exe) wrote to memory of PID 2752 (C:\Windows\SysWOW64\cmd.exe)
        PID 380 (C:\Windows\system32\taskeng.exe) wrote to memory of PID 2896 (C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe)
        PID 2896 (C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe) wrote to memory of PID 1612 (C:\Users\Admin\AppData\Roaming\Blasthost.exe)
        PID 2896 (C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe) wrote to memory of PID 1740 (C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe)
        PID 1740 (C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe) wrote to memory of PID 1764 (C:\Windows\SysWOW64\cmd.exe)
        PID 2896 (C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe) wrote to memory of PID 2964 (C:\Windows\SysWOW64\schtasks.exe)
        PID 380 (C:\Windows\system32\taskeng.exe) wrote to memory of PID 1540 (C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe)
        PID 1540 (C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe) wrote to memory of PID 2460 (C:\Users\Admin\AppData\Roaming\Blasthost.exe)
        PID 1540 (C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe) wrote to memory of PID 288 (C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe)
        PID 1540 (C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe) wrote to memory of PID 2116 (C:\Windows\SysWOW64\schtasks.exe)

Processes

Image path, followed by the command line the sandbox recorded for that instance:

C:\Users\Admin\AppData\Local\Temp\d055e81562f5239a24846ad6c5c8f54186fc29e294c82fb91606ce1b3adfd8e4N.exe
    "C:\Users\Admin\AppData\Local\Temp\d055e81562f5239a24846ad6c5c8f54186fc29e294c82fb91606ce1b3adfd8e4N.exe"
C:\Users\Admin\AppData\Roaming\Blasthost.exe
    "C:\Users\Admin\AppData\Roaming\Blasthost.exe"
C:\Users\Admin\AppData\Roaming\Imgburn\Host.exe
    "C:\Users\Admin\AppData\Roaming\Imgburn\Host.exe"
C:\Users\Admin\AppData\Local\Temp\d055e81562f5239a24846ad6c5c8f54186fc29e294c82fb91606ce1b3adfd8e4N.exe
    "C:\Users\Admin\AppData\Local\Temp\d055e81562f5239a24846ad6c5c8f54186fc29e294c82fb91606ce1b3adfd8e4N.exe"
C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\SysWOW64\schtasks.exe" /create /tn raserver /tr "C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe" /sc minute /mo 1 /F
C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe"
C:\Windows\system32\taskeng.exe
    taskeng.exe {77782EF8-D935-48E5-812E-860DCAF1F3CC} S-1-5-21-4177215427-74451935-3209572229-1000:JSMURNPT\Admin:Interactive:[1]
C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
    C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
C:\Users\Admin\AppData\Roaming\Blasthost.exe
    "C:\Users\Admin\AppData\Roaming\Blasthost.exe"
C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
    "C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe"
C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe"
C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\SysWOW64\schtasks.exe" /create /tn raserver /tr "C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe" /sc minute /mo 1 /F
C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
    C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
C:\Users\Admin\AppData\Roaming\Blasthost.exe
    "C:\Users\Admin\AppData\Roaming\Blasthost.exe"
C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
    "C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe"
C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\SysWOW64\schtasks.exe" /create /tn raserver /tr "C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe" /sc minute /mo 1 /F
C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 Wealthy2019.com.strangled.net udp
US 8.8.8.8:53 wealth.warzonedns.com udp
US 8.8.8.8:53 wealthyme.ddns.net udp

Files

Dropped files

\Users\Admin\AppData\Roaming\Blasthost.exe
    MD5    6087bf6af59b9c531f2c9bb421d5e902
    SHA1   8bc0f1596c986179b82585c703bacae6d2a00316
    SHA256 3a8ffff8485c9ed35dae82574ea1a455ea2ead532251cebea19149d78dfd682c
    SHA512 c8ed34470a874ce21c91cb7843521d66decc32c3f0a9c8d5b55889a7b990dfe5199ade8b6c6ef94b1bced6d3b5f0721e14bcc06320e8efe73ca3fe27fd6b9292

C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
    MD5    a25606b7f0cd1ea989ab7a7e25f2d89d
    SHA1   13162afc8dee88d367e242af850340cd6006b4b8
    SHA256 69ebca4ffbe4d0f12d8ae2de31de6290b0b8b74c9a6113286c4d876c5891dda9
    SHA512 c197e996eed86004f600c76fd54a550441e3b52b4be6a8062c5b2ffb78b205ed74f01c0725d6c07273a1f14ee3a48ffd3cea5c959eaf074828a2d841b9bf876d

Memory dumps (PID-sequence-start-end)

memory/2384-0-0x0000000000190000-0x00000000002FB000-memory.dmp
memory/1864-24-0x0000000000400000-0x000000000042C000-memory.dmp
memory/2384-26-0x0000000000480000-0x0000000000481000-memory.dmp
memory/2168-39-0x0000000000080000-0x000000000009D000-memory.dmp
memory/2168-36-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp
memory/2168-29-0x0000000000080000-0x000000000009D000-memory.dmp
memory/2168-27-0x0000000000080000-0x000000000009D000-memory.dmp
memory/2384-41-0x0000000000190000-0x00000000002FB000-memory.dmp
memory/2752-44-0x0000000000160000-0x0000000000161000-memory.dmp
memory/2752-42-0x0000000000160000-0x0000000000161000-memory.dmp
memory/3012-47-0x0000000000400000-0x000000000042C000-memory.dmp
memory/3012-48-0x0000000000400000-0x000000000042C000-memory.dmp
memory/2896-54-0x0000000000260000-0x00000000003CB000-memory.dmp
memory/1740-82-0x0000000000400000-0x000000000041D000-memory.dmp
memory/1740-79-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp
memory/1740-73-0x0000000000400000-0x000000000041D000-memory.dmp
memory/2896-83-0x0000000000260000-0x00000000003CB000-memory.dmp
memory/1764-86-0x0000000000120000-0x0000000000121000-memory.dmp
memory/1612-91-0x0000000000400000-0x000000000042C000-memory.dmp
memory/288-114-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp
memory/1540-118-0x0000000000260000-0x00000000003CB000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted: 2025-02-02 07:55
Reported: 2025-02-02 07:58
Platform: win10v2004-20250129-en
Max time kernel: 120s
Max time network: 119s

Command Line

"C:\Users\Admin\AppData\Local\Temp\d055e81562f5239a24846ad6c5c8f54186fc29e294c82fb91606ce1b3adfd8e4N.exe"

Signatures

NetWire RAT payload (rat)
    Description / Indicator / Process / Target: N/A (9 rows, all N/A)

Netwire (botnet stealer netwire)

Netwire family (netwire)

WarzoneRat, AveMaria (rat infostealer warzonerat)

Warzonerat family (warzonerat)

Warzone RAT payload (rat)
    Description / Indicator / Process / Target: N/A (4 rows, all N/A)

Checks computer location settings
    Key value queried: \REGISTRY\USER\S-1-5-21-1412605595-2147700071-3468511006-1000\Control Panel\International\Geo\Nation
    Processes that queried the value (Target: N/A):
        C:\Users\Admin\AppData\Local\Temp\d055e81562f5239a24846ad6c5c8f54186fc29e294c82fb91606ce1b3adfd8e4N.exe
        C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe

AutoIT Executable
    Description / Indicator / Process / Target: N/A (5 rows, all N/A)

Enumerates physical storage devices

System Location Discovery: System Language Discovery (discovery)
    Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
    Processes that opened the key (Target: N/A; repeated rows collapsed):
        C:\Users\Admin\AppData\Local\Temp\d055e81562f5239a24846ad6c5c8f54186fc29e294c82fb91606ce1b3adfd8e4N.exe
        C:\Windows\SysWOW64\cmd.exe
        C:\Windows\SysWOW64\schtasks.exe
        C:\Users\Admin\AppData\Roaming\Blasthost.exe
        C:\Users\Admin\AppData\Roaming\Imgburn\Host.exe
        C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe

Scheduled Task/Job: Scheduled Task (persistence execution)
    Process: C:\Windows\SysWOW64\schtasks.exe (2 rows; Description, Indicator and Target: N/A)

Suspicious use of WriteProcessMemory
    Unique source/target pairs (Indicator: N/A; the sandbox logged each pair several times):
        PID 1656 (C:\Users\Admin\AppData\Local\Temp\d055e81562f5239a24846ad6c5c8f54186fc29e294c82fb91606ce1b3adfd8e4N.exe) wrote to memory of PID 2300 (C:\Users\Admin\AppData\Roaming\Blasthost.exe)
        PID 2300 (C:\Users\Admin\AppData\Roaming\Blasthost.exe) wrote to memory of PID 1604 (C:\Users\Admin\AppData\Roaming\Imgburn\Host.exe)
        PID 1656 (C:\Users\Admin\AppData\Local\Temp\d055e81562f5239a24846ad6c5c8f54186fc29e294c82fb91606ce1b3adfd8e4N.exe) wrote to memory of PID 1912 (C:\Users\Admin\AppData\Local\Temp\d055e81562f5239a24846ad6c5c8f54186fc29e294c82fb91606ce1b3adfd8e4N.exe)
        PID 1912 (C:\Users\Admin\AppData\Local\Temp\d055e81562f5239a24846ad6c5c8f54186fc29e294c82fb91606ce1b3adfd8e4N.exe) wrote to memory of PID 3100 (C:\Windows\SysWOW64\cmd.exe)
        PID 1656 (C:\Users\Admin\AppData\Local\Temp\d055e81562f5239a24846ad6c5c8f54186fc29e294c82fb91606ce1b3adfd8e4N.exe) wrote to memory of PID 4432 (C:\Windows\SysWOW64\schtasks.exe)
        PID 1668 (C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe) wrote to memory of PID 1396 (C:\Users\Admin\AppData\Roaming\Blasthost.exe)
        PID 1668 (C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe) wrote to memory of PID 2064 (C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe)
        PID 1668 (C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe) wrote to memory of PID 1488 (C:\Windows\SysWOW64\schtasks.exe)
        PID 2064 (C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe) wrote to memory of PID 4852 (C:\Windows\SysWOW64\cmd.exe)

Processes

Image path, followed by the command line the sandbox recorded for that instance:

C:\Users\Admin\AppData\Local\Temp\d055e81562f5239a24846ad6c5c8f54186fc29e294c82fb91606ce1b3adfd8e4N.exe
    "C:\Users\Admin\AppData\Local\Temp\d055e81562f5239a24846ad6c5c8f54186fc29e294c82fb91606ce1b3adfd8e4N.exe"
C:\Users\Admin\AppData\Roaming\Blasthost.exe
    "C:\Users\Admin\AppData\Roaming\Blasthost.exe"
C:\Users\Admin\AppData\Roaming\Imgburn\Host.exe
    "C:\Users\Admin\AppData\Roaming\Imgburn\Host.exe"
C:\Users\Admin\AppData\Local\Temp\d055e81562f5239a24846ad6c5c8f54186fc29e294c82fb91606ce1b3adfd8e4N.exe
    "C:\Users\Admin\AppData\Local\Temp\d055e81562f5239a24846ad6c5c8f54186fc29e294c82fb91606ce1b3adfd8e4N.exe"
C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe"
C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\SysWOW64\schtasks.exe" /create /tn raserver /tr "C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe" /sc minute /mo 1 /F
C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
    C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
C:\Users\Admin\AppData\Roaming\Blasthost.exe
    "C:\Users\Admin\AppData\Roaming\Blasthost.exe"
C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
    "C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe"
C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\SysWOW64\schtasks.exe" /create /tn raserver /tr "C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe" /sc minute /mo 1 /F
C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe"

Network

Unique destinations (repeated rows collapsed; Lookups gives how many times each row was logged):

Country Destination        Domain                          Proto  Lookups
US      8.8.8.8:53         Wealthy2019.com.strangled.net   udp    12
US      8.8.8.8:53         wealth.warzonedns.com           udp    24
US      8.8.8.8:53         wealthyme.ddns.net              udp    12
US      8.8.8.8:53         g.bing.com                      udp    1
US      150.171.28.10:443  g.bing.com                      tcp    1
US      8.8.8.8:53         88.210.23.2.in-addr.arpa        udp    1
US      8.8.8.8:53         8.8.8.8.in-addr.arpa            udp    1
US      8.8.8.8:53         10.28.171.150.in-addr.arpa      udp    1
US      8.8.8.8:53         53.210.109.20.in-addr.arpa      udp    1
US      8.8.8.8:53         15.164.165.52.in-addr.arpa      udp    1
US      8.8.8.8:53         166.190.18.2.in-addr.arpa       udp    1
US      8.8.8.8:53         21.49.80.91.in-addr.arpa        udp    1
US      8.8.8.8:53         11.153.16.2.in-addr.arpa        udp    1
US      8.8.8.8:53         (no domain recorded)            udp    1

Files

Dropped files

C:\Users\Admin\AppData\Roaming\Blasthost.exe
    MD5    6087bf6af59b9c531f2c9bb421d5e902
    SHA1   8bc0f1596c986179b82585c703bacae6d2a00316
    SHA256 3a8ffff8485c9ed35dae82574ea1a455ea2ead532251cebea19149d78dfd682c
    SHA512 c8ed34470a874ce21c91cb7843521d66decc32c3f0a9c8d5b55889a7b990dfe5199ade8b6c6ef94b1bced6d3b5f0721e14bcc06320e8efe73ca3fe27fd6b9292

C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
    MD5    98b9f5f1681d614c16382a8f04a2ac1f
    SHA1   29f1dcc8e97df05abd0d9069a008d29e19732076
    SHA256 5f85512c186bdb942fccf89ee36a95609737c983f22297eeb221940ad335c9f8
    SHA512 b7b33196be0d6a371a176894749b8d312ce67c13434d60f4458b166666c803c2c844e6b7ae680440bd16e1a0093bf8bf45a1c593824687004ef7cb85fc75621e

Memory dumps (PID-sequence-start-end)

memory/1656-0-0x00000000001B0000-0x000000000031B000-memory.dmp
memory/2300-12-0x0000000000400000-0x000000000042C000-memory.dmp
memory/1656-14-0x0000000001CF0000-0x0000000001CF1000-memory.dmp
memory/1912-15-0x0000000000400000-0x000000000041D000-memory.dmp
memory/1912-23-0x0000000000400000-0x000000000041D000-memory.dmp
memory/1656-25-0x00000000001B0000-0x000000000031B000-memory.dmp
memory/3100-26-0x0000000000CE0000-0x0000000000CE1000-memory.dmp
memory/1604-28-0x0000000000400000-0x000000000042C000-memory.dmp
memory/1668-35-0x0000000000570000-0x00000000006DB000-memory.dmp
memory/2064-44-0x00000000004C0000-0x00000000004DD000-memory.dmp
memory/2064-52-0x00000000004C0000-0x00000000004DD000-memory.dmp
memory/1668-53-0x0000000000570000-0x00000000006DB000-memory.dmp
memory/4852-54-0x0000000000EE0000-0x0000000000EE1000-memory.dmp
memory/1396-58-0x0000000000400000-0x000000000042C000-memory.dmp