Analysis
- max time kernel: 192s
- max time network: 199s
- platform: windows7_x64
- resource: win7-20220414-en
- submitted: 15-06-2022 11:06
Static task: static1
Behavioral task: behavioral1
- Sample: AWB_20220614.js
- Resource: win7-20220414-en
Behavioral task: behavioral2
- Sample: AWB_20220614.js
- Resource: win10v2004-20220414-en
General
- Target: AWB_20220614.js
- Size: 491KB
- MD5: 6610d7103150befc1c105bc1761f8400
- SHA1: 6cc6d390e077a43752b3aa329bd4c1c1ae6e6325
- SHA256: c17a47ba600580e0d2229b4c8e12e6063a2c20792fcf0ff256fb85040a6d0799
- SHA512: ebd3906b2a1bfda395133326877a1cf1d0a4a1f7483de751d96e621f266e3b50aaadc6a8a6d51c7cec7c7e019e2299500d29b18e2d4f7e875317c79f275187e2
Malware Config
Signatures
- WarzoneRat, AveMaria
  WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
- Warzone RAT Payload (2 IoCs)
  Processes:
  resource                                        yara_rule
  C:\Users\Admin\AppData\Local\Tempwinlogon.exe   warzonerat
  C:\Users\Admin\AppData\Local\Tempwinlogon.exe   warzonerat
- Blocklisted process makes network request (11 IoCs)
  Processes: wscript.exe
  flow  pid   process
  5     1060  wscript.exe
  6     1060  wscript.exe
  7     1060  wscript.exe
  10    1060  wscript.exe
  11    1060  wscript.exe
  12    1060  wscript.exe
  14    1060  wscript.exe
  15    1060  wscript.exe
  16    1060  wscript.exe
  18    1060  wscript.exe
  19    1060  wscript.exe
- Executes dropped EXE (1 IoCs)
  Processes: Tempwinlogon.exe
  pid   process
  1804  Tempwinlogon.exe
- Drops startup file (2 IoCs)
  Processes: wscript.exe
  description                    ioc                                                                                          process
  File created                   C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pSsVMrdaGj.js   wscript.exe
  File opened for modification   C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pSsVMrdaGj.js   wscript.exe
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes: wscript.exe
  description       ioc                                                                                                                                                                                   process
  Key created       \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Windows\CurrentVersion\Run                                                                          wscript.exe
  Set value (str)   \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Windows\CurrentVersion\Run\YVBPFHTJIQ = "\"C:\\Users\\Admin\\AppData\\Roaming\\pSsVMrdaGj.js\""   wscript.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious use of WriteProcessMemory (10 IoCs)
  Processes: wscript.exe, wscript.exe
  description                        pid   process       target process
  PID 844 wrote to memory of 1060    844   wscript.exe   wscript.exe
  PID 844 wrote to memory of 1060    844   wscript.exe   wscript.exe
  PID 844 wrote to memory of 1060    844   wscript.exe   wscript.exe
  PID 844 wrote to memory of 948     844   wscript.exe   wscript.exe
  PID 844 wrote to memory of 948     844   wscript.exe   wscript.exe
  PID 844 wrote to memory of 948     844   wscript.exe   wscript.exe
  PID 948 wrote to memory of 1804    948   wscript.exe   Tempwinlogon.exe
  PID 948 wrote to memory of 1804    948   wscript.exe   Tempwinlogon.exe
  PID 948 wrote to memory of 1804    948   wscript.exe   Tempwinlogon.exe
  PID 948 wrote to memory of 1804    948   wscript.exe   Tempwinlogon.exe
Processes
- C:\Windows\system32\wscript.exe
  Command line: wscript.exe C:\Users\Admin\AppData\Local\Temp\AWB_20220614.js
  PID: 844
  - Suspicious use of WriteProcessMemory
  - C:\Windows\System32\wscript.exe
    Command line: "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\pSsVMrdaGj.js"
    PID: 1060
    - Blocklisted process makes network request
    - Drops startup file
    - Adds Run key to start application
  - C:\Windows\System32\wscript.exe
    Command line: "C:\Windows\System32\wscript.exe" "C:\Users\Admin\AppData\Local\Temp\coco.vbs"
    PID: 948
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Tempwinlogon.exe
      Command line: "C:\Users\Admin\AppData\Local\Tempwinlogon.exe"
      PID: 1804
      - Executes dropped EXE
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\coco.vbs
  Filesize: 262KB
  MD5: c88b4225d112a00ca24064e0ef0eab73
  SHA1: 3e3fdaee20e6ab757e013f0ebfd4f2a0dbb267db
  SHA256: 0a35cdc2af8e2f4b971dc4482d9c3bca3c0de4295406dccd7c6743895769a504
  SHA512: 937617ac5ddd7d8bd971645c81b5667be178d5bb9700152072a9184dddff952327b36e329b1c257da1dc38f1e7c781ea501a14d8a5f0fe2b41a19656732a09ba
- C:\Users\Admin\AppData\Local\Tempwinlogon.exe
  Filesize: 131KB
  MD5: d094904acee9a06b8cc82def7ae31dbd
  SHA1: 855bc1ffd23a61fbbe9775de464c43bc532d2e69
  SHA256: 195657d28badaba67b1a0e0a9b32da62179454f2fad141f490c2b6808d326229
  SHA512: a4b91d26f5db1e5859874f5f1c3f6f39c7cd5535b8a16b321072fb7f539af79cc1b31799ee679401e16fd8b9c0598c5890d389af609e19bf1fc04d624e06220e
- C:\Users\Admin\AppData\Roaming\pSsVMrdaGj.js
  Filesize: 10KB
  MD5: 36f35fb182d85f31f763a6fc1f7212f2
  SHA1: 515eb9846af5e43e1e51ce0f98e999d72923d3f5
  SHA256: d0b9ea5f0d9e701886c94631e5027b62499e0a879ec308e7e4a6804be3a33ccd
  SHA512: 79d945ebd19a08c6ec8e864565f919e518689d4ea95391eb05bdd1c8207b0fbb6ca2758ce9d130cff849d6beb6cf2347d265b27f6cc4786d4e69952f9029f518
- memory/844-54-0x000007FEFC4E1000-0x000007FEFC4E3000-memory.dmp
  Filesize: 8KB
- memory/948-56-0x0000000000000000-mapping.dmp
- memory/1060-55-0x0000000000000000-mapping.dmp
- memory/1804-61-0x0000000000000000-mapping.dmp
- memory/1804-63-0x0000000076461000-0x0000000076463000-memory.dmp
  Filesize: 8KB