Analysis
- max time kernel: 146s
- max time network: 183s
- platform: windows7_x64
- resource: win7-20220414-en
- submitted: 16-06-2022 05:46
Static task: static1
Behavioral task: behavioral1
  Sample: New Order.js
  Resource: win7-20220414-en
Behavioral task: behavioral2
  Sample: New Order.js
  Resource: win10v2004-20220414-en
General
- Target: New Order.js
- Size: 531KB
- MD5: e7c12e5be1dad9a6fa3c0d201f8cce0c
- SHA1: 66e700ec7a5ef9daab0caef89d5feed95cc9ba06
- SHA256: 650a05ec364c57a741c304434972b520db752b659675321246c5e76a0f1a2411
- SHA512: 2acbbbfcbbb09b92f67559070882a7b157875b3fda72ff45bf6951b10a8ff1607943528035fef32bee419f818244d1db7f959ccec44145a86b18231ee7a3eac7
Malware Config
Signatures
- WarzoneRat, AveMaria
  WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
- Warzone RAT Payload (2 IoCs)
  Processes:
  resource                                        yara_rule
  C:\Users\Admin\AppData\Local\Tempwinlogon.exe   warzonerat
  C:\Users\Admin\AppData\Local\Tempwinlogon.exe   warzonerat
- Blocklisted process makes network request (8 IoCs)
  Processes: wscript.exe
  flow   pid    process
  5      2016   wscript.exe
  9      2016   wscript.exe
  10     2016   wscript.exe
  15     2016   wscript.exe
  17     2016   wscript.exe
  19     2016   wscript.exe
  22     2016   wscript.exe
  25     2016   wscript.exe
- Executes dropped EXE (1 IoCs)
  Processes: Tempwinlogon.exe
  pid    process
  1580   Tempwinlogon.exe
- Drops startup file (2 IoCs)
  Processes: wscript.exe
  description                   ioc                                                                                          process
  File created                  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ZezqiNHkoV.js   wscript.exe
  File opened for modification  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ZezqiNHkoV.js   wscript.exe
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes: wscript.exe
  description       ioc                                                                                                                                    process
  Key created       \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Windows\CurrentVersion\Run                           wscript.exe
  Set value (str)   \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Windows\CurrentVersion\Run\YVBPFHTJIQ = "\"C:\\Users\\Admin\\AppData\\Roaming\\ZezqiNHkoV.js\""   wscript.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious use of WriteProcessMemory (10 IoCs)
  Processes: wscript.exe, wscript.exe
  description                        pid    process       target process
  PID 2020 wrote to memory of 2016   2020   wscript.exe   wscript.exe
  PID 2020 wrote to memory of 2016   2020   wscript.exe   wscript.exe
  PID 2020 wrote to memory of 2016   2020   wscript.exe   wscript.exe
  PID 2020 wrote to memory of 2044   2020   wscript.exe   wscript.exe
  PID 2020 wrote to memory of 2044   2020   wscript.exe   wscript.exe
  PID 2020 wrote to memory of 2044   2020   wscript.exe   wscript.exe
  PID 2044 wrote to memory of 1580   2044   wscript.exe   Tempwinlogon.exe
  PID 2044 wrote to memory of 1580   2044   wscript.exe   Tempwinlogon.exe
  PID 2044 wrote to memory of 1580   2044   wscript.exe   Tempwinlogon.exe
  PID 2044 wrote to memory of 1580   2044   wscript.exe   Tempwinlogon.exe
Processes
- C:\Windows\system32\wscript.exe (depth 1)
  Command line: wscript.exe "C:\Users\Admin\AppData\Local\Temp\New Order.js"
  PID: 2020
  - Suspicious use of WriteProcessMemory
  - C:\Windows\System32\wscript.exe (depth 2)
    Command line: "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\ZezqiNHkoV.js"
    PID: 2016
    - Blocklisted process makes network request
    - Drops startup file
    - Adds Run key to start application
  - C:\Windows\System32\wscript.exe (depth 2)
    Command line: "C:\Windows\System32\wscript.exe" "C:\Users\Admin\AppData\Local\Temp\coco.vbs"
    PID: 2044
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Tempwinlogon.exe (depth 3)
      Command line: "C:\Users\Admin\AppData\Local\Tempwinlogon.exe"
      PID: 1580
      - Executes dropped EXE
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\coco.vbs
  Filesize: 262KB
  MD5: 7ed171f03775557ab9dae2b0913a6141
  SHA1: 44a21f8522f5ce3cc7559e34cd7bf08314407baa
  SHA256: a32fbd632126405e9a0d3a307216dcf2f5828058b843322c2bad050d46c5cf51
  SHA512: 27bd180d0b204f46e86692d63401f87874db6b9c41ef419083c7ffe475b43d8d1e3f6f4d77f5717995d8100a65b78e38d5a678c82feaaecb725a9501cc7e74bc
- C:\Users\Admin\AppData\Local\Tempwinlogon.exe
  Filesize: 131KB
  MD5: c1d889597ddaeded0537670d00a4ab9f
  SHA1: d657abfa2084d8b5ae03765cc88133a5980ac204
  SHA256: fe8a49318d4bf9b8eb541b38219865b9338c31f89ed9b3e28adf338fa6b639dc
  SHA512: a94b7f4b7ee52c72df031f584f5945a87b04893fe1a4f1741d52312adab3d64169e931184211cea4456cc8b02999c1d394aeabd87ac6987537a6267511362762
- C:\Users\Admin\AppData\Roaming\ZezqiNHkoV.js
  Filesize: 24KB
  MD5: f93528065e94fbb67b95cc8924ae924c
  SHA1: 6daf76f2f60b1ec1e2e21b0845a17878ffabe1dd
  SHA256: 1ac504a0baca468bbca78692aae52089bbd25053676f6915f76ec84a73c9f6ab
  SHA512: 730ec25aa21016d3af7cb3a03e235a7a50bf4a1c54f26d4c683bc14273afa5038684327fa84ce98973bee7ae669cf1f0a1b62e562887834c28bbb402b43b408a
- memory/1580-61-0x0000000000000000-mapping.dmp
- memory/1580-63-0x0000000076451000-0x0000000076453000-memory.dmp
  Filesize: 8KB
- memory/2016-55-0x0000000000000000-mapping.dmp
- memory/2020-54-0x000007FEFBDC1000-0x000007FEFBDC3000-memory.dmp
  Filesize: 8KB
- memory/2044-57-0x0000000000000000-mapping.dmp