Analysis
- max time kernel: 204s
- max time network: 209s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 15-06-2022 11:06
Static task: static1
Behavioral task: behavioral1
  Sample: AWB_20220614.js
  Resource: win7-20220414-en
Behavioral task: behavioral2
  Sample: AWB_20220614.js
  Resource: win10v2004-20220414-en
General
- Target: AWB_20220614.js
- Size: 491KB
- MD5: 6610d7103150befc1c105bc1761f8400
- SHA1: 6cc6d390e077a43752b3aa329bd4c1c1ae6e6325
- SHA256: c17a47ba600580e0d2229b4c8e12e6063a2c20792fcf0ff256fb85040a6d0799
- SHA512: ebd3906b2a1bfda395133326877a1cf1d0a4a1f7483de751d96e621f266e3b50aaadc6a8a6d51c7cec7c7e019e2299500d29b18e2d4f7e875317c79f275187e2
Malware Config
Signatures
- WarzoneRat, AveMaria
  WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
- Warzone RAT Payload (2 IoCs)
  Processes:
    resource                                        yara_rule
    C:\Users\Admin\AppData\Local\Tempwinlogon.exe   warzonerat
    C:\Users\Admin\AppData\Local\Tempwinlogon.exe   warzonerat
- Blocklisted process makes network request (12 IoCs)
  Processes: wscript.exe
    flow  pid   process
    26    4440  wscript.exe
    33    4440  wscript.exe
    39    4440  wscript.exe
    41    4440  wscript.exe
    45    4440  wscript.exe
    49    4440  wscript.exe
    63    4440  wscript.exe
    78    4440  wscript.exe
    79    4440  wscript.exe
    84    4440  wscript.exe
    85    4440  wscript.exe
    88    4440  wscript.exe
- Executes dropped EXE (1 IoC)
  Processes: Tempwinlogon.exe
    pid   process
    4528  Tempwinlogon.exe
- Checks computer location settings (2 TTPs, 2 IoCs)
  Looks up country code configured in the registry, likely geofence.
  Processes: wscript.exe, wscript.exe
    - Key value queried: \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation (wscript.exe)
    - Key value queried: \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation (wscript.exe)
- Drops startup file (2 IoCs)
  Processes: wscript.exe
    - File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pSsVMrdaGj.js (wscript.exe)
    - File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pSsVMrdaGj.js (wscript.exe)
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes: wscript.exe
    - Key created: \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Windows\CurrentVersion\Run (wscript.exe)
    - Set value (str): \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\YVBPFHTJIQ = "\"C:\\Users\\Admin\\AppData\\Roaming\\pSsVMrdaGj.js\"" (wscript.exe)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious use of WriteProcessMemory (7 IoCs)
  Processes: wscript.exe, wscript.exe
    description                        pid   process      target process
    PID 3472 wrote to memory of 4440   3472  wscript.exe  wscript.exe
    PID 3472 wrote to memory of 4440   3472  wscript.exe  wscript.exe
    PID 3472 wrote to memory of 4612   3472  wscript.exe  wscript.exe
    PID 3472 wrote to memory of 4612   3472  wscript.exe  wscript.exe
    PID 4612 wrote to memory of 4528   4612  wscript.exe  Tempwinlogon.exe
    PID 4612 wrote to memory of 4528   4612  wscript.exe  Tempwinlogon.exe
    PID 4612 wrote to memory of 4528   4612  wscript.exe  Tempwinlogon.exe
Processes
- [1] C:\Windows\system32\wscript.exe
      Command line: wscript.exe C:\Users\Admin\AppData\Local\Temp\AWB_20220614.js
      - Checks computer location settings
      - Suspicious use of WriteProcessMemory
  - [2] C:\Windows\System32\wscript.exe
        Command line: "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\pSsVMrdaGj.js"
        - Blocklisted process makes network request
        - Drops startup file
        - Adds Run key to start application
  - [2] C:\Windows\System32\wscript.exe
        Command line: "C:\Windows\System32\wscript.exe" "C:\Users\Admin\AppData\Local\Temp\coco.vbs"
        - Checks computer location settings
        - Suspicious use of WriteProcessMemory
    - [3] C:\Users\Admin\AppData\Local\Tempwinlogon.exe
          Command line: "C:\Users\Admin\AppData\Local\Tempwinlogon.exe"
          - Executes dropped EXE
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\coco.vbs
  Filesize: 262KB
  MD5: c88b4225d112a00ca24064e0ef0eab73
  SHA1: 3e3fdaee20e6ab757e013f0ebfd4f2a0dbb267db
  SHA256: 0a35cdc2af8e2f4b971dc4482d9c3bca3c0de4295406dccd7c6743895769a504
  SHA512: 937617ac5ddd7d8bd971645c81b5667be178d5bb9700152072a9184dddff952327b36e329b1c257da1dc38f1e7c781ea501a14d8a5f0fe2b41a19656732a09ba
- C:\Users\Admin\AppData\Local\Tempwinlogon.exe
  Filesize: 131KB
  MD5: d094904acee9a06b8cc82def7ae31dbd
  SHA1: 855bc1ffd23a61fbbe9775de464c43bc532d2e69
  SHA256: 195657d28badaba67b1a0e0a9b32da62179454f2fad141f490c2b6808d326229
  SHA512: a4b91d26f5db1e5859874f5f1c3f6f39c7cd5535b8a16b321072fb7f539af79cc1b31799ee679401e16fd8b9c0598c5890d389af609e19bf1fc04d624e06220e
- C:\Users\Admin\AppData\Roaming\pSsVMrdaGj.js
  Filesize: 10KB
  MD5: 36f35fb182d85f31f763a6fc1f7212f2
  SHA1: 515eb9846af5e43e1e51ce0f98e999d72923d3f5
  SHA256: d0b9ea5f0d9e701886c94631e5027b62499e0a879ec308e7e4a6804be3a33ccd
  SHA512: 79d945ebd19a08c6ec8e864565f919e518689d4ea95391eb05bdd1c8207b0fbb6ca2758ce9d130cff849d6beb6cf2347d265b27f6cc4786d4e69952f9029f518
- memory/4440-130-0x0000000000000000-mapping.dmp
- memory/4528-134-0x0000000000000000-mapping.dmp
- memory/4612-131-0x0000000000000000-mapping.dmp