Analysis
- max time kernel: 63s
- max time network: 127s
- platform: windows7_x64
- resource: win7-20220414-en
- submitted: 15-06-2022 15:51
Static task: static1
Behavioral task: behavioral1
- Sample: AWB06152022.js
- Resource: win7-20220414-en
Behavioral task: behavioral2
- Sample: AWB06152022.js
- Resource: win10-20220414-en
General
- Target: AWB06152022.js
- Size: 491KB
- MD5: 9132b6feb40cf5d30ee938e72a505826
- SHA1: 30cc4aa2aa1b2e2698beb6b8b6a878523913dd2c
- SHA256: 98cc9c29783c707d3981c59c3cb48474cd4c99a58db0b13fb3dc96ade0e50fba
- SHA512: 7d7862ec8a3446be4769e6ccb0ca209f3ab01a7b0581f57182b3373e2f43374339c3887c624181d7820fc105c9fd5c48e7c000c45c93e077cca095312affce09
Malware Config
- Extracted: vjw0rm
- http://franmhort.duia.ro:8152
Signatures
- WarzoneRat, AveMaria
  WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
- Warzone RAT Payload (2 IoCs)
  Processes (resource | yara_rule):
  C:\Users\Admin\AppData\Local\Tempwinlogon.exe | warzonerat
  C:\Users\Admin\AppData\Local\Tempwinlogon.exe | warzonerat
- Blocklisted process makes network request (3 IoCs)
  Processes (flow | pid | process):
  4 | 2004 | wscript.exe
  5 | 2004 | wscript.exe
  7 | 2004 | wscript.exe
- Executes dropped EXE (1 IoC)
  Processes (pid | process):
  1728 | Tempwinlogon.exe
- Drops startup file (2 IoCs)
  Processes (description | ioc | process):
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HDeixdadNw.js | wscript.exe
  File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HDeixdadNw.js | wscript.exe
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes (description | ioc | process):
  Key created | \REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Windows\CurrentVersion\Run | wscript.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Windows\CurrentVersion\Run\YVBPFHTJIQ = "\"C:\\Users\\Admin\\AppData\\Roaming\\HDeixdadNw.js\"" | wscript.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious use of WriteProcessMemory (10 IoCs)
  Processes (description | pid | process | target process):
  PID 2008 wrote to memory of 2004 | 2008 | wscript.exe | wscript.exe (3 entries)
  PID 2008 wrote to memory of 1988 | 2008 | wscript.exe | wscript.exe (3 entries)
  PID 1988 wrote to memory of 1728 | 1988 | wscript.exe | Tempwinlogon.exe (4 entries)
Processes
- C:\Windows\system32\wscript.exe
  Command line: wscript.exe C:\Users\Admin\AppData\Local\Temp\AWB06152022.js
  - Suspicious use of WriteProcessMemory
  - C:\Windows\System32\wscript.exe (child)
    Command line: "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\HDeixdadNw.js"
    - Blocklisted process makes network request
    - Drops startup file
    - Adds Run key to start application
  - C:\Windows\System32\wscript.exe (child)
    Command line: "C:\Windows\System32\wscript.exe" "C:\Users\Admin\AppData\Local\Temp\coco.vbs"
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Tempwinlogon.exe (child)
      Command line: "C:\Users\Admin\AppData\Local\Tempwinlogon.exe"
      - Executes dropped EXE
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\coco.vbs
  Filesize: 262KB
  MD5: c88b4225d112a00ca24064e0ef0eab73
  SHA1: 3e3fdaee20e6ab757e013f0ebfd4f2a0dbb267db
  SHA256: 0a35cdc2af8e2f4b971dc4482d9c3bca3c0de4295406dccd7c6743895769a504
  SHA512: 937617ac5ddd7d8bd971645c81b5667be178d5bb9700152072a9184dddff952327b36e329b1c257da1dc38f1e7c781ea501a14d8a5f0fe2b41a19656732a09ba
- C:\Users\Admin\AppData\Local\Tempwinlogon.exe
  Filesize: 131KB
  MD5: d094904acee9a06b8cc82def7ae31dbd
  SHA1: 855bc1ffd23a61fbbe9775de464c43bc532d2e69
  SHA256: 195657d28badaba67b1a0e0a9b32da62179454f2fad141f490c2b6808d326229
  SHA512: a4b91d26f5db1e5859874f5f1c3f6f39c7cd5535b8a16b321072fb7f539af79cc1b31799ee679401e16fd8b9c0598c5890d389af609e19bf1fc04d624e06220e
- C:\Users\Admin\AppData\Roaming\HDeixdadNw.js
  Filesize: 10KB
  MD5: a48f536f703ee0912c56793251cd2cce
  SHA1: de0bce31d9b9b143d81942eeff44aa7e0318b1e8
  SHA256: 173da53c8d93e620556f5557083c0b714802c3d3cad6aeb24ae09118a1b06f36
  SHA512: bdbf60dd94eb29052756065eea2aea2132c7af712f1f7854bb549ecf0998632950e2dc6c35dfb4bf25f2b7857111f29567a71a917d033ad62e8535f36d8f5d6b
- memory/1728-61-0x0000000000000000-mapping.dmp
- memory/1728-63-0x0000000076391000-0x0000000076393000-memory.dmp
  Filesize: 8KB
- memory/1988-56-0x0000000000000000-mapping.dmp
- memory/2004-55-0x0000000000000000-mapping.dmp
- memory/2008-54-0x000007FEFC061000-0x000007FEFC063000-memory.dmp
  Filesize: 8KB