Analysis
- max time kernel: 144s
- max time network: 155s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 15-06-2022 18:26
Static task: static1
Behavioral task: behavioral1
  Sample: 0123987INMWN2987.js
  Resource: win7-20220414-en
Behavioral task: behavioral2
  Sample: 0123987INMWN2987.js
  Resource: win10v2004-20220414-en
General
- Target: 0123987INMWN2987.js
- Size: 297KB
- MD5: ee4b83dc3501b10be35a258a19b6251f
- SHA1: 8a8036bdfbf85a9c08a713a4e94c6afdda02d4a4
- SHA256: 8eaa342d5aa2b44bbe85fb030b6e3f08701be8e2e0a973fe749ac2e2f64907a8
- SHA512: 54dd330f4e0dcc779a8fd4f1950270fdab281e50be170af1fb56c5b98f7d561caa18d5cdf485ccbe196aa771f2784287c12dc2891d7fa1aed3055a330cdccf49
Malware Config
Extracted
- Family: warzonerat
- C2: blessed147.ddns.net:8472
Signatures
- WarzoneRat, AveMaria
  WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
- Blocklisted process makes network request (16 IoCs)
  Processes: wscript.exe
  flow  pid   process
  6     4672  wscript.exe
  16    4672  wscript.exe
  23    4672  wscript.exe
  32    4672  wscript.exe
  35    4672  wscript.exe
  39    4672  wscript.exe
  42    4672  wscript.exe
  44    4672  wscript.exe
  47    4672  wscript.exe
  48    4672  wscript.exe
  50    4672  wscript.exe
  51    4672  wscript.exe
  52    4672  wscript.exe
  53    4672  wscript.exe
  54    4672  wscript.exe
  57    4672  wscript.exe
- Executes dropped EXE (2 IoCs)
  Processes: test.exe, images.exe
  pid   process
  4932  test.exe
  4980  images.exe
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  Processes: wscript.exe
  description        ioc                                                                                                   process
  Key value queried  \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation  wscript.exe
- Drops startup file (2 IoCs)
  Processes: wscript.exe
  description                   ioc                                                                                        process
  File created                  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\PbOVhPXRrj.js  wscript.exe
  File opened for modification  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\PbOVhPXRrj.js  wscript.exe
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes: wscript.exe
  description      ioc                                                                                                               process
  Key created      \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Windows\CurrentVersion\Run          wscript.exe
  Set value (str)  \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\YVBPFHTJIQ = "\"C:\\Users\\Admin\\AppData\\Roaming\\PbOVhPXRrj.js\""  wscript.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious use of WriteProcessMemory (8 IoCs)
  Processes: wscript.exe, test.exe
  description                     pid   process      target process
  PID 4028 wrote to memory of 4672  4028  wscript.exe  wscript.exe
  PID 4028 wrote to memory of 4672  4028  wscript.exe  wscript.exe
  PID 4028 wrote to memory of 4932  4028  wscript.exe  test.exe
  PID 4028 wrote to memory of 4932  4028  wscript.exe  test.exe
  PID 4028 wrote to memory of 4932  4028  wscript.exe  test.exe
  PID 4932 wrote to memory of 4980  4932  test.exe     images.exe
  PID 4932 wrote to memory of 4980  4932  test.exe     images.exe
  PID 4932 wrote to memory of 4980  4932  test.exe     images.exe
Processes
- C:\Windows\system32\wscript.exe
  Command line: wscript.exe C:\Users\Admin\AppData\Local\Temp\0123987INMWN2987.js
  PID: 4028
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  - C:\Windows\System32\wscript.exe
    Command line: "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\PbOVhPXRrj.js"
    PID: 4672
    - Blocklisted process makes network request
    - Drops startup file
    - Adds Run key to start application
  - C:\Users\Admin\AppData\Local\Temp\test.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\test.exe"
    PID: 4932
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    - C:\ProgramData\images.exe
      Command line: "C:\ProgramData\images.exe"
      PID: 4980
      - Executes dropped EXE
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\ProgramData\images.exe
  Filesize: 152KB
  MD5: a1f762b0387032ffb2354bb07e5fb203
  SHA1: e12a2e66d5fef8bb2fd42e5292e2d358dec5a433
  SHA256: fa8af34ea6b6c882ee06d009fc2d6655c2c54e65ce45622f529a55b6b1ce62dd
  SHA512: f19e6a7b5e08cb319626d310667e2782ec30d4dc4677a3d581c04c637bcc0a8b330eff37f11e6c613bbc835205bb4bb168ee76f83aa13f0114928b2670cf0a08
- C:\Users\Admin\AppData\Local\Temp\test.exe
  Filesize: 152KB
  MD5: a1f762b0387032ffb2354bb07e5fb203
  SHA1: e12a2e66d5fef8bb2fd42e5292e2d358dec5a433
  SHA256: fa8af34ea6b6c882ee06d009fc2d6655c2c54e65ce45622f529a55b6b1ce62dd
  SHA512: f19e6a7b5e08cb319626d310667e2782ec30d4dc4677a3d581c04c637bcc0a8b330eff37f11e6c613bbc835205bb4bb168ee76f83aa13f0114928b2670cf0a08
- C:\Users\Admin\AppData\Roaming\PbOVhPXRrj.js
  Filesize: 10KB
  MD5: c822db80563ebedaa46103197f39fd8d
  SHA1: a893027e0c0eff56b264180ecf4479aa603f012e
  SHA256: b9a6487159fc63bb98c02afdb35737e88e07ec53d1ab3395604fe853288174d1
  SHA512: 0daa19feb16d2549dd7cd84f337ad045b12b790adf5a427a9dd57dde45d2c8b25ff7530fe832ae2e0565476371300407b95b497359aebe7e4e8686530637ccba
- memory/4672-130-0x0000000000000000-mapping.dmp
- memory/4932-132-0x0000000000000000-mapping.dmp
- memory/4980-135-0x0000000000000000-mapping.dmp