Analysis
-
max time kernel
149s -
max time network
148s -
platform
windows7_x64 -
resource
win7-20240508-en -
resource tags
arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system -
submitted
16-06-2024 22:21
Behavioral task
behavioral1
Sample
6cdabd6b152d49b047ca6d269b9286b5f49a2fe7c8376e16227d63ef44cd1ccf.exe
Resource
win7-20240508-en
Behavioral task
behavioral2
Sample
6cdabd6b152d49b047ca6d269b9286b5f49a2fe7c8376e16227d63ef44cd1ccf.exe
Resource
win10v2004-20240226-en
General
-
Target
6cdabd6b152d49b047ca6d269b9286b5f49a2fe7c8376e16227d63ef44cd1ccf.exe
-
Size
1.3MB
-
MD5
9a330b075e9f608d64b9959aa80d3024
-
SHA1
e4c1ec6821bab2872c1b6386fbce62d5bc2d6c07
-
SHA256
6cdabd6b152d49b047ca6d269b9286b5f49a2fe7c8376e16227d63ef44cd1ccf
-
SHA512
24b88517407678114bc8b24965172b9e0d8055166ccd80102ca2a47e8a6308b653cdc54349b8bae3f2ab4a1ddbf8620c665eb293eeec5d61e2cdbc34ec9dc03b
-
SSDEEP
24576:Ku6J33O0c+JY5UZ+XC0kGso6Fa720W4njUprvVcC1f2o5RRfgUWY5:8u0c++OCvkGs9Fa+rd1f26RaY5
Malware Config
Extracted
warzonerat
wealth.warzonedns.com:5202
Extracted
netwire
Wealthy2019.com.strangled.net:20190
wealthyme.ddns.net:20190
-
activex_autorun
false
-
copy_executable
true
-
delete_original
false
-
host_id
sunshineslisa
-
install_path
%AppData%\Imgburn\Host.exe
-
keylogger_dir
%AppData%\Logs\Imgburn\
-
lock_executable
false
-
offline_keylogger
true
-
password
sucess
-
registry_autorun
false
-
use_mutex
false
Signatures
-
NetWire RAT payload 7 IoCs
Processes:
resource yara_rule C:\Users\Admin\AppData\Roaming\Blasthost.exe netwire behavioral1/memory/1672-23-0x0000000000400000-0x000000000042C000-memory.dmp netwire behavioral1/memory/2664-45-0x0000000000400000-0x000000000042C000-memory.dmp netwire C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe netwire behavioral1/memory/2664-81-0x0000000000400000-0x000000000042C000-memory.dmp netwire behavioral1/memory/2820-83-0x0000000000400000-0x000000000042C000-memory.dmp netwire behavioral1/memory/2820-85-0x0000000000400000-0x000000000042C000-memory.dmp netwire -
WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
-
Warzone RAT payload 6 IoCs
Processes:
resource yara_rule behavioral1/memory/2744-37-0x0000000000080000-0x000000000009D000-memory.dmp warzonerat behavioral1/memory/2744-27-0x0000000000080000-0x000000000009D000-memory.dmp warzonerat behavioral1/memory/2880-66-0x0000000000220000-0x000000000023D000-memory.dmp warzonerat behavioral1/memory/2880-75-0x0000000000220000-0x000000000023D000-memory.dmp warzonerat behavioral1/memory/1488-100-0x0000000000400000-0x000000000041D000-memory.dmp warzonerat behavioral1/memory/1488-109-0x0000000000400000-0x000000000041D000-memory.dmp warzonerat -
Executes dropped EXE 11 IoCs
Processes:
Blasthost.exeHost.exeRtDCpl64.exeBlasthost.exeRtDCpl64.exeRtDCpl64.exeBlasthost.exeRtDCpl64.exeRtDCpl64.exeBlasthost.exeRtDCpl64.exepid process 1672 Blasthost.exe 2664 Host.exe 1056 RtDCpl64.exe 2820 Blasthost.exe 2880 RtDCpl64.exe 584 RtDCpl64.exe 600 Blasthost.exe 1488 RtDCpl64.exe 1556 RtDCpl64.exe 2252 Blasthost.exe 3064 RtDCpl64.exe -
Loads dropped DLL 16 IoCs
Processes:
6cdabd6b152d49b047ca6d269b9286b5f49a2fe7c8376e16227d63ef44cd1ccf.exeBlasthost.exeRtDCpl64.exeRtDCpl64.exeRtDCpl64.exepid process 1848 6cdabd6b152d49b047ca6d269b9286b5f49a2fe7c8376e16227d63ef44cd1ccf.exe 1848 6cdabd6b152d49b047ca6d269b9286b5f49a2fe7c8376e16227d63ef44cd1ccf.exe 1848 6cdabd6b152d49b047ca6d269b9286b5f49a2fe7c8376e16227d63ef44cd1ccf.exe 1848 6cdabd6b152d49b047ca6d269b9286b5f49a2fe7c8376e16227d63ef44cd1ccf.exe 1672 Blasthost.exe 1672 Blasthost.exe 1056 RtDCpl64.exe 1056 RtDCpl64.exe 1056 RtDCpl64.exe 1056 RtDCpl64.exe 584 RtDCpl64.exe 584 RtDCpl64.exe 584 RtDCpl64.exe 1556 RtDCpl64.exe 1556 RtDCpl64.exe 1556 RtDCpl64.exe -
AutoIT Executable 1 IoCs
AutoIT scripts compiled to PE executables.
Processes:
resource yara_rule C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe autoit_exe -
Suspicious use of SetThreadContext 4 IoCs
Processes:
6cdabd6b152d49b047ca6d269b9286b5f49a2fe7c8376e16227d63ef44cd1ccf.exeRtDCpl64.exeRtDCpl64.exeRtDCpl64.exedescription pid process target process PID 1848 set thread context of 2744 1848 6cdabd6b152d49b047ca6d269b9286b5f49a2fe7c8376e16227d63ef44cd1ccf.exe 6cdabd6b152d49b047ca6d269b9286b5f49a2fe7c8376e16227d63ef44cd1ccf.exe PID 1056 set thread context of 2880 1056 RtDCpl64.exe RtDCpl64.exe PID 584 set thread context of 1488 584 RtDCpl64.exe RtDCpl64.exe PID 1556 set thread context of 3064 1556 RtDCpl64.exe RtDCpl64.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Creates scheduled task(s) 1 TTPs 4 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes:
schtasks.exeschtasks.exeschtasks.exeschtasks.exepid process 2700 schtasks.exe 1844 schtasks.exe 1996 schtasks.exe 2628 schtasks.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
6cdabd6b152d49b047ca6d269b9286b5f49a2fe7c8376e16227d63ef44cd1ccf.exeBlasthost.exe6cdabd6b152d49b047ca6d269b9286b5f49a2fe7c8376e16227d63ef44cd1ccf.exetaskeng.exeRtDCpl64.exeRtDCpl64.exeRtDCpl64.exedescription pid process target process PID 1848 wrote to memory of 1672 1848 6cdabd6b152d49b047ca6d269b9286b5f49a2fe7c8376e16227d63ef44cd1ccf.exe Blasthost.exe PID 1848 wrote to memory of 1672 1848 6cdabd6b152d49b047ca6d269b9286b5f49a2fe7c8376e16227d63ef44cd1ccf.exe Blasthost.exe PID 1848 wrote to memory of 1672 1848 6cdabd6b152d49b047ca6d269b9286b5f49a2fe7c8376e16227d63ef44cd1ccf.exe Blasthost.exe PID 1848 wrote to memory of 1672 1848 6cdabd6b152d49b047ca6d269b9286b5f49a2fe7c8376e16227d63ef44cd1ccf.exe Blasthost.exe PID 1672 wrote to memory of 2664 1672 Blasthost.exe Host.exe PID 1672 wrote to memory of 2664 1672 Blasthost.exe Host.exe PID 1672 wrote to memory of 2664 1672 Blasthost.exe Host.exe PID 1672 wrote to memory of 2664 1672 Blasthost.exe Host.exe PID 1848 wrote to memory of 2744 1848 6cdabd6b152d49b047ca6d269b9286b5f49a2fe7c8376e16227d63ef44cd1ccf.exe 6cdabd6b152d49b047ca6d269b9286b5f49a2fe7c8376e16227d63ef44cd1ccf.exe PID 1848 wrote to memory of 2744 1848 6cdabd6b152d49b047ca6d269b9286b5f49a2fe7c8376e16227d63ef44cd1ccf.exe 6cdabd6b152d49b047ca6d269b9286b5f49a2fe7c8376e16227d63ef44cd1ccf.exe PID 1848 wrote to memory of 2744 1848 6cdabd6b152d49b047ca6d269b9286b5f49a2fe7c8376e16227d63ef44cd1ccf.exe 6cdabd6b152d49b047ca6d269b9286b5f49a2fe7c8376e16227d63ef44cd1ccf.exe PID 1848 wrote to memory of 2744 1848 6cdabd6b152d49b047ca6d269b9286b5f49a2fe7c8376e16227d63ef44cd1ccf.exe 6cdabd6b152d49b047ca6d269b9286b5f49a2fe7c8376e16227d63ef44cd1ccf.exe PID 1848 wrote to memory of 2744 1848 6cdabd6b152d49b047ca6d269b9286b5f49a2fe7c8376e16227d63ef44cd1ccf.exe 6cdabd6b152d49b047ca6d269b9286b5f49a2fe7c8376e16227d63ef44cd1ccf.exe PID 1848 wrote to memory of 2744 1848 6cdabd6b152d49b047ca6d269b9286b5f49a2fe7c8376e16227d63ef44cd1ccf.exe 6cdabd6b152d49b047ca6d269b9286b5f49a2fe7c8376e16227d63ef44cd1ccf.exe PID 1848 wrote to memory of 2700 1848 6cdabd6b152d49b047ca6d269b9286b5f49a2fe7c8376e16227d63ef44cd1ccf.exe schtasks.exe PID 1848 wrote to memory of 2700 1848 6cdabd6b152d49b047ca6d269b9286b5f49a2fe7c8376e16227d63ef44cd1ccf.exe schtasks.exe PID 1848 wrote to memory of 2700 1848 6cdabd6b152d49b047ca6d269b9286b5f49a2fe7c8376e16227d63ef44cd1ccf.exe schtasks.exe PID 1848 wrote to memory of 2700 1848 6cdabd6b152d49b047ca6d269b9286b5f49a2fe7c8376e16227d63ef44cd1ccf.exe schtasks.exe PID 2744 wrote to memory of 2908 2744 6cdabd6b152d49b047ca6d269b9286b5f49a2fe7c8376e16227d63ef44cd1ccf.exe cmd.exe PID 2744 wrote to memory of 2908 2744 6cdabd6b152d49b047ca6d269b9286b5f49a2fe7c8376e16227d63ef44cd1ccf.exe cmd.exe PID 2744 wrote to memory of 2908 2744 6cdabd6b152d49b047ca6d269b9286b5f49a2fe7c8376e16227d63ef44cd1ccf.exe cmd.exe PID 2744 wrote to memory of 2908 2744 6cdabd6b152d49b047ca6d269b9286b5f49a2fe7c8376e16227d63ef44cd1ccf.exe cmd.exe PID 2744 wrote to memory of 2908 2744 6cdabd6b152d49b047ca6d269b9286b5f49a2fe7c8376e16227d63ef44cd1ccf.exe cmd.exe PID 2744 wrote to memory of 2908 2744 6cdabd6b152d49b047ca6d269b9286b5f49a2fe7c8376e16227d63ef44cd1ccf.exe cmd.exe PID 1808 wrote to memory of 1056 1808 taskeng.exe RtDCpl64.exe PID 1808 wrote to memory of 1056 1808 taskeng.exe RtDCpl64.exe PID 1808 wrote to memory of 1056 1808 taskeng.exe RtDCpl64.exe PID 1808 wrote to memory of 1056 1808 taskeng.exe RtDCpl64.exe PID 1056 wrote to memory of 2820 1056 RtDCpl64.exe Blasthost.exe PID 1056 wrote to memory of 2820 1056 RtDCpl64.exe Blasthost.exe PID 1056 wrote to memory of 2820 1056 RtDCpl64.exe Blasthost.exe PID 1056 wrote to memory of 2820 1056 RtDCpl64.exe Blasthost.exe PID 1056 wrote to memory of 2880 1056 RtDCpl64.exe RtDCpl64.exe PID 1056 wrote to memory of 2880 1056 RtDCpl64.exe RtDCpl64.exe PID 1056 wrote to memory of 2880 1056 RtDCpl64.exe RtDCpl64.exe PID 1056 wrote to memory of 2880 1056 RtDCpl64.exe RtDCpl64.exe PID 1056 wrote to memory of 2880 1056 RtDCpl64.exe RtDCpl64.exe PID 1056 wrote to memory of 2880 1056 RtDCpl64.exe RtDCpl64.exe PID 2880 wrote to memory of 2220 2880 RtDCpl64.exe cmd.exe PID 2880 wrote to memory of 2220 2880 RtDCpl64.exe cmd.exe PID 2880 wrote to memory of 2220 2880 RtDCpl64.exe cmd.exe PID 2880 wrote to memory of 2220 2880 RtDCpl64.exe cmd.exe PID 1056 wrote to memory of 1844 1056 RtDCpl64.exe schtasks.exe PID 1056 wrote to memory of 1844 1056 RtDCpl64.exe schtasks.exe PID 1056 wrote to memory of 1844 1056 RtDCpl64.exe schtasks.exe PID 1056 wrote to memory of 1844 1056 RtDCpl64.exe schtasks.exe PID 2880 wrote to memory of 2220 2880 RtDCpl64.exe cmd.exe PID 2880 wrote to memory of 2220 2880 RtDCpl64.exe cmd.exe PID 1808 wrote to memory of 584 1808 taskeng.exe RtDCpl64.exe PID 1808 wrote to memory of 584 1808 taskeng.exe RtDCpl64.exe PID 1808 wrote to memory of 584 1808 taskeng.exe RtDCpl64.exe PID 1808 wrote to memory of 584 1808 taskeng.exe RtDCpl64.exe PID 584 wrote to memory of 600 584 RtDCpl64.exe Blasthost.exe PID 584 wrote to memory of 600 584 RtDCpl64.exe Blasthost.exe PID 584 wrote to memory of 600 584 RtDCpl64.exe Blasthost.exe PID 584 wrote to memory of 600 584 RtDCpl64.exe Blasthost.exe PID 584 wrote to memory of 1488 584 RtDCpl64.exe RtDCpl64.exe PID 584 wrote to memory of 1488 584 RtDCpl64.exe RtDCpl64.exe PID 584 wrote to memory of 1488 584 RtDCpl64.exe RtDCpl64.exe PID 584 wrote to memory of 1488 584 RtDCpl64.exe RtDCpl64.exe PID 584 wrote to memory of 1488 584 RtDCpl64.exe RtDCpl64.exe PID 584 wrote to memory of 1488 584 RtDCpl64.exe RtDCpl64.exe PID 584 wrote to memory of 1996 584 RtDCpl64.exe schtasks.exe PID 584 wrote to memory of 1996 584 RtDCpl64.exe schtasks.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\6cdabd6b152d49b047ca6d269b9286b5f49a2fe7c8376e16227d63ef44cd1ccf.exe"C:\Users\Admin\AppData\Local\Temp\6cdabd6b152d49b047ca6d269b9286b5f49a2fe7c8376e16227d63ef44cd1ccf.exe"1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\Blasthost.exe"C:\Users\Admin\AppData\Roaming\Blasthost.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\Imgburn\Host.exe"C:\Users\Admin\AppData\Roaming\Imgburn\Host.exe"3⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\6cdabd6b152d49b047ca6d269b9286b5f49a2fe7c8376e16227d63ef44cd1ccf.exe"C:\Users\Admin\AppData\Local\Temp\6cdabd6b152d49b047ca6d269b9286b5f49a2fe7c8376e16227d63ef44cd1ccf.exe"2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe"3⤵
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\SysWOW64\schtasks.exe" /create /tn raserver /tr "C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe" /sc minute /mo 1 /F2⤵
- Creates scheduled task(s)
-
C:\Windows\system32\taskeng.exetaskeng.exe {48BD222F-EFBB-4A50-94F5-8CF4695BCF24} S-1-5-21-2737914667-933161113-3798636211-1000:PUMARTNR\Admin:Interactive:[1]1⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exeC:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\Blasthost.exe"C:\Users\Admin\AppData\Roaming\Blasthost.exe"3⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe"C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe"3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe"4⤵
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\SysWOW64\schtasks.exe" /create /tn raserver /tr "C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe" /sc minute /mo 1 /F3⤵
- Creates scheduled task(s)
-
C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exeC:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\Blasthost.exe"C:\Users\Admin\AppData\Roaming\Blasthost.exe"3⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe"C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe"3⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe"4⤵
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\SysWOW64\schtasks.exe" /create /tn raserver /tr "C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe" /sc minute /mo 1 /F3⤵
- Creates scheduled task(s)
-
C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exeC:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Roaming\Blasthost.exe"C:\Users\Admin\AppData\Roaming\Blasthost.exe"3⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe"C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe"3⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe"4⤵
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\SysWOW64\schtasks.exe" /create /tn raserver /tr "C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe" /sc minute /mo 1 /F3⤵
- Creates scheduled task(s)
Network
MITRE ATT&CK Matrix ATT&CK v13
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Roaming\Blasthost.exeFilesize
132KB
MD56087bf6af59b9c531f2c9bb421d5e902
SHA18bc0f1596c986179b82585c703bacae6d2a00316
SHA2563a8ffff8485c9ed35dae82574ea1a455ea2ead532251cebea19149d78dfd682c
SHA512c8ed34470a874ce21c91cb7843521d66decc32c3f0a9c8d5b55889a7b990dfe5199ade8b6c6ef94b1bced6d3b5f0721e14bcc06320e8efe73ca3fe27fd6b9292
-
C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exeFilesize
1.3MB
MD5be4b0fb22ef7c59bafae729b32291816
SHA1a6e0387a896be85fde7e0b7b84bb7fe7e22ca3a7
SHA25676c7305440c7cad37f9b197a0b7b2e06d4fe996f9ad08d0ff90f1b34762da78a
SHA5129ba03fa55d790d7615648ccdf5e1c428099c12f9e45e97962fa3bf0cafa0514c56eb6f972f43f44a1ebb8b368704e2675b1d530d2cc214510c1f87f99a8c3ec4
-
memory/1488-109-0x0000000000400000-0x000000000041D000-memory.dmpFilesize
116KB
-
memory/1488-106-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmpFilesize
4KB
-
memory/1488-100-0x0000000000400000-0x000000000041D000-memory.dmpFilesize
116KB
-
memory/1672-23-0x0000000000400000-0x000000000042C000-memory.dmpFilesize
176KB
-
memory/1848-38-0x0000000001120000-0x0000000001121000-memory.dmpFilesize
4KB
-
memory/2028-112-0x0000000000220000-0x0000000000221000-memory.dmpFilesize
4KB
-
memory/2220-78-0x00000000000C0000-0x00000000000C1000-memory.dmpFilesize
4KB
-
memory/2664-81-0x0000000000400000-0x000000000042C000-memory.dmpFilesize
176KB
-
memory/2664-45-0x0000000000400000-0x000000000042C000-memory.dmpFilesize
176KB
-
memory/2744-27-0x0000000000080000-0x000000000009D000-memory.dmpFilesize
116KB
-
memory/2744-25-0x0000000000080000-0x000000000009D000-memory.dmpFilesize
116KB
-
memory/2744-34-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmpFilesize
4KB
-
memory/2744-37-0x0000000000080000-0x000000000009D000-memory.dmpFilesize
116KB
-
memory/2820-83-0x0000000000400000-0x000000000042C000-memory.dmpFilesize
176KB
-
memory/2820-85-0x0000000000400000-0x000000000042C000-memory.dmpFilesize
176KB
-
memory/2880-72-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmpFilesize
4KB
-
memory/2880-66-0x0000000000220000-0x000000000023D000-memory.dmpFilesize
116KB
-
memory/2880-75-0x0000000000220000-0x000000000023D000-memory.dmpFilesize
116KB
-
memory/2908-42-0x0000000000120000-0x0000000000121000-memory.dmpFilesize
4KB
-
memory/2908-40-0x0000000000120000-0x0000000000121000-memory.dmpFilesize
4KB