Analysis

max time kernel:  146s
max time network: 154s
platform:         windows10-2004_x64
resource:         win10v2004-20220414-en
submitted:        15-06-2022 18:26

Static task: static1

Behavioral task: behavioral1
  Sample:   AWB06152022.js
  Resource: win7-20220414-en

Behavioral task: behavioral2
  Sample:   AWB06152022.js
  Resource: win10v2004-20220414-en
General

Target: AWB06152022.js
Size:   491KB
MD5:    9132b6feb40cf5d30ee938e72a505826
SHA1:   30cc4aa2aa1b2e2698beb6b8b6a878523913dd2c
SHA256: 98cc9c29783c707d3981c59c3cb48474cd4c99a58db0b13fb3dc96ade0e50fba
SHA512: 7d7862ec8a3446be4769e6ccb0ca209f3ab01a7b0581f57182b3373e2f43374339c3887c624181d7820fc105c9fd5c48e7c000c45c93e077cca095312affce09
Malware Config
Signatures

WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.

Warzone RAT Payload 2 IoCs
Processes:
  resource                                        yara_rule
  C:\Users\Admin\AppData\Local\Tempwinlogon.exe   warzonerat
  C:\Users\Admin\AppData\Local\Tempwinlogon.exe   warzonerat

Blocklisted process makes network request 16 IoCs
Processes:
  flow  pid   process
  5     2000  wscript.exe
  15    2000  wscript.exe
  26    2000  wscript.exe
  35    2000  wscript.exe
  38    2000  wscript.exe
  43    2000  wscript.exe
  47    2000  wscript.exe
  51    2000  wscript.exe
  53    2000  wscript.exe
  56    2000  wscript.exe
  60    2000  wscript.exe
  62    2000  wscript.exe
  64    2000  wscript.exe
  66    2000  wscript.exe
  68    2000  wscript.exe
  70    2000  wscript.exe

Executes dropped EXE 1 IoCs
Processes:
  pid   process
  4504  Tempwinlogon.exe

Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
  description        ioc                                                                                                   process
  Key value queried  \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation  wscript.exe
  Key value queried  \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation  wscript.exe

Drops startup file 2 IoCs
Processes:
  description                   ioc                                                                                    process
  File created                  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HDeixdadNw.js  wscript.exe
  File opened for modification  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HDeixdadNw.js  wscript.exe

Adds Run key to start application 2 TTPs 2 IoCs
Processes:
  description      ioc                                                                                                                                                    process
  Key created      \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Windows\CurrentVersion\Run                                               wscript.exe
  Set value (str)  \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\YVBPFHTJIQ = "\"C:\\Users\\Admin\\AppData\\Roaming\\HDeixdadNw.js\""  wscript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Suspicious use of WriteProcessMemory 7 IoCs
Processes:
  description                        pid   process      target process
  PID 4260 wrote to memory of 2000   4260  wscript.exe  wscript.exe
  PID 4260 wrote to memory of 2000   4260  wscript.exe  wscript.exe
  PID 4260 wrote to memory of 4932   4260  wscript.exe  wscript.exe
  PID 4260 wrote to memory of 4932   4260  wscript.exe  wscript.exe
  PID 4932 wrote to memory of 4504   4932  wscript.exe  Tempwinlogon.exe
  PID 4932 wrote to memory of 4504   4932  wscript.exe  Tempwinlogon.exe
  PID 4932 wrote to memory of 4504   4932  wscript.exe  Tempwinlogon.exe
Processes

C:\Windows\system32\wscript.exe (PID 4260)
  Command line: wscript.exe C:\Users\Admin\AppData\Local\Temp\AWB06152022.js
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory

  C:\Windows\System32\wscript.exe (PID 2000, child of 4260)
    Command line: "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\HDeixdadNw.js"
    - Blocklisted process makes network request
    - Drops startup file
    - Adds Run key to start application

  C:\Windows\System32\wscript.exe (PID 4932, child of 4260)
    Command line: "C:\Windows\System32\wscript.exe" "C:\Users\Admin\AppData\Local\Temp\coco.vbs"
    - Checks computer location settings
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Tempwinlogon.exe (PID 4504, child of 4932)
      Command line: "C:\Users\Admin\AppData\Local\Tempwinlogon.exe"
      - Executes dropped EXE
Network
MITRE ATT&CK Enterprise v6
Downloads

C:\Users\Admin\AppData\Local\Temp\coco.vbs
  Filesize: 262KB
  MD5:      c88b4225d112a00ca24064e0ef0eab73
  SHA1:     3e3fdaee20e6ab757e013f0ebfd4f2a0dbb267db
  SHA256:   0a35cdc2af8e2f4b971dc4482d9c3bca3c0de4295406dccd7c6743895769a504
  SHA512:   937617ac5ddd7d8bd971645c81b5667be178d5bb9700152072a9184dddff952327b36e329b1c257da1dc38f1e7c781ea501a14d8a5f0fe2b41a19656732a09ba

C:\Users\Admin\AppData\Local\Tempwinlogon.exe
  Filesize: 131KB
  MD5:      d094904acee9a06b8cc82def7ae31dbd
  SHA1:     855bc1ffd23a61fbbe9775de464c43bc532d2e69
  SHA256:   195657d28badaba67b1a0e0a9b32da62179454f2fad141f490c2b6808d326229
  SHA512:   a4b91d26f5db1e5859874f5f1c3f6f39c7cd5535b8a16b321072fb7f539af79cc1b31799ee679401e16fd8b9c0598c5890d389af609e19bf1fc04d624e06220e

C:\Users\Admin\AppData\Local\Tempwinlogon.exe
  Filesize: 131KB
  MD5:      d094904acee9a06b8cc82def7ae31dbd
  SHA1:     855bc1ffd23a61fbbe9775de464c43bc532d2e69
  SHA256:   195657d28badaba67b1a0e0a9b32da62179454f2fad141f490c2b6808d326229
  SHA512:   a4b91d26f5db1e5859874f5f1c3f6f39c7cd5535b8a16b321072fb7f539af79cc1b31799ee679401e16fd8b9c0598c5890d389af609e19bf1fc04d624e06220e

C:\Users\Admin\AppData\Roaming\HDeixdadNw.js
  Filesize: 10KB
  MD5:      a48f536f703ee0912c56793251cd2cce
  SHA1:     de0bce31d9b9b143d81942eeff44aa7e0318b1e8
  SHA256:   173da53c8d93e620556f5557083c0b714802c3d3cad6aeb24ae09118a1b06f36
  SHA512:   bdbf60dd94eb29052756065eea2aea2132c7af712f1f7854bb549ecf0998632950e2dc6c35dfb4bf25f2b7857111f29567a71a917d033ad62e8535f36d8f5d6b

memory/2000-130-0x0000000000000000-mapping.dmp

memory/4504-134-0x0000000000000000-mapping.dmp

memory/4932-131-0x0000000000000000-mapping.dmp