Analysis
- Max time kernel: 148s
- Max time network: 156s
- Platform: windows10-2004_x64
- Resource: win10v2004-20220414-en
- Submitted: 16-06-2022 05:49
Static task: static1
Behavioral task: behavioral1
- Sample: New Order.js
- Resource: win7-20220414-en
Behavioral task: behavioral2
- Sample: New Order.js
- Resource: win10v2004-20220414-en
General
- Target: New Order.js
- Size: 531KB
- MD5: e7c12e5be1dad9a6fa3c0d201f8cce0c
- SHA1: 66e700ec7a5ef9daab0caef89d5feed95cc9ba06
- SHA256: 650a05ec364c57a741c304434972b520db752b659675321246c5e76a0f1a2411
- SHA512: 2acbbbfcbbb09b92f67559070882a7b157875b3fda72ff45bf6951b10a8ff1607943528035fef32bee419f818244d1db7f959ccec44145a86b18231ee7a3eac7
Malware Config
Signatures

WarzoneRat, AveMaria
WarzoneRat (also tracked as AveMaria) is a native RAT written in C++ with multiple plugins, sold as malware-as-a-service (MaaS).

Warzone RAT Payload (2 IoCs)
YARA rule hits on the dropped binary:
  resource                                        yara_rule
  C:\Users\Admin\AppData\Local\Tempwinlogon.exe   warzonerat
  C:\Users\Admin\AppData\Local\Tempwinlogon.exe   warzonerat

Blocklisted process makes network request (15 IoCs)
Every flagged flow comes from PID 952, the wscript.exe instance running the persistence script ZezqiNHkoV.js:
  flow  pid  process
  7     952  wscript.exe
  9     952  wscript.exe
  30    952  wscript.exe
  32    952  wscript.exe
  42    952  wscript.exe
  45    952  wscript.exe
  47    952  wscript.exe
  51    952  wscript.exe
  54    952  wscript.exe
  58    952  wscript.exe
  60    952  wscript.exe
  62    952  wscript.exe
  65    952  wscript.exe
  67    952  wscript.exe
  69    952  wscript.exe

Executes dropped EXE (1 IoC)
  pid   process
  1512  Tempwinlogon.exe

Checks computer location settings (2 TTPs, 2 IoCs)
Looks up the country code configured in the registry, likely a geofence check.
  description        ioc                                                                                                  process
  Key value queried  \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Control Panel\International\Geo\Nation  wscript.exe
  Key value queried  \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Control Panel\International\Geo\Nation  wscript.exe

Drops startup file (2 IoCs)
  description                   ioc                                                                                         process
  File created                  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ZezqiNHkoV.js  wscript.exe
  File opened for modification  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ZezqiNHkoV.js  wscript.exe

Adds Run key to start application (2 TTPs, 2 IoCs)
  description      ioc                                                                                                                                                              process
  Set value (str)  \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\YVBPFHTJIQ = "\"C:\\Users\\Admin\\AppData\\Roaming\\ZezqiNHkoV.js\""  wscript.exe
  Key created      \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Software\Microsoft\Windows\CurrentVersion\Run                                                        wscript.exe
The Run value data is the quoted path of the Roaming copy of ZezqiNHkoV.js. Together with the Startup-folder copy above, the same script is registered under two user-level autostart mechanisms, both of which hand the .js file to its default handler, wscript.exe, at logon.

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). The signature's generic description reads "likely ransomware behaviour"; nothing else in this report points to encryption activity and the payload is classified as a RAT, so read this as drive enumeration, not as evidence of ransomware.

Suspicious use of WriteProcessMemory (7 IoCs)
  description                       pid   process      target process
  PID 2036 wrote to memory of 952   2036  wscript.exe  wscript.exe
  PID 2036 wrote to memory of 952   2036  wscript.exe  wscript.exe
  PID 2036 wrote to memory of 4872  2036  wscript.exe  wscript.exe
  PID 2036 wrote to memory of 4872  2036  wscript.exe  wscript.exe
  PID 4872 wrote to memory of 1512  4872  wscript.exe  Tempwinlogon.exe
  PID 4872 wrote to memory of 1512  4872  wscript.exe  Tempwinlogon.exe
  PID 4872 wrote to memory of 1512  4872  wscript.exe  Tempwinlogon.exe
Every write is from a parent into a child it has just created and matches the process tree exactly (2036 -> 952, 2036 -> 4872, 4872 -> 1512). Process creation itself writes the startup parameters into the new process, so this signature corroborates the spawn chain; the report shows no write into a process the writer did not create.
Processes

New Order.js (PID 2036) spawns two further script hosts: one runs the persistence copy ZezqiNHkoV.js in batch mode (PID 952, the process behind all 15 network requests), the other runs coco.vbs (PID 4872), which in turn launches the WarzoneRat payload Tempwinlogon.exe (PID 1512). Note the payload path: the file sits directly under AppData\Local with the name Tempwinlogon.exe, not inside the Temp directory.

C:\Windows\system32\wscript.exe  (PID 2036)
  Command line: wscript.exe "C:\Users\Admin\AppData\Local\Temp\New Order.js"
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory

  C:\Windows\System32\wscript.exe  (PID 952)
    Command line: "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\ZezqiNHkoV.js"
    (//B is Windows Script Host batch mode: script errors and prompts are suppressed, so nothing is shown to the user)
    - Blocklisted process makes network request
    - Drops startup file
    - Adds Run key to start application

  C:\Windows\System32\wscript.exe  (PID 4872)
    Command line: "C:\Windows\System32\wscript.exe" "C:\Users\Admin\AppData\Local\Temp\coco.vbs"
    - Checks computer location settings
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Tempwinlogon.exe  (PID 1512)
      Command line: "C:\Users\Admin\AppData\Local\Tempwinlogon.exe"
      - Executes dropped EXE
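Added example, not part of the sandbox report: a Python hunting pass that turns the chain above into detection rules and runs them over constructed Sysmon-style event records. The records are built from this report's process tree, Run key, Startup-folder and hash IoCs; the explorer.exe parent of PID 2036 and the Sysmon field names (ParentImage, Image, CommandLine, TargetObject, Details, TargetFilename) are assumptions, since the report shows no parent for the first process. The rules flag a script host launching an EXE out of the user profile, wscript.exe running a script from under AppData, a Run value that launches a script, a script dropped into the Startup folder, and any recorded SHA256 matching the report's files. A benign OneDrive Run value under AppData is included to show that the Run-key rule keys on the script extension, not on location alone.

```python
import ntpath
import re

# SHA256 values copied from this report's General and Downloads sections.
KNOWN_BAD_SHA256 = {
    "650a05ec364c57a741c304434972b520db752b659675321246c5e76a0f1a2411": "New Order.js (initial loader)",
    "a32fbd632126405e9a0d3a307216dcf2f5828058b843322c2bad050d46c5cf51": "coco.vbs (second stage)",
    "1ac504a0baca468bbca78692aae52089bbd25053676f6915f76ec84a73c9f6ab": "ZezqiNHkoV.js (persistence copy)",
    "fe8a49318d4bf9b8eb541b38219865b9338c31f89ed9b3e28adf338fa6b639dc": "Tempwinlogon.exe (WarzoneRat payload)",
}

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
SCRIPT_EXT = {".js", ".jse", ".vbs", ".vbe", ".wsf"}
USER_PROFILE = re.compile(r"\\users\\[^\\]+\\appdata\\", re.IGNORECASE)
STARTUP_DIR = re.compile(r"\\start menu\\programs\\startup\\", re.IGNORECASE)
RUN_KEY = re.compile(r"\\software\\microsoft\\windows\\currentversion\\run\\", re.IGNORECASE)


def _base(path):
    return ntpath.basename(path).lower()


def _ext(path):
    return ntpath.splitext(path)[1].lower()


def _argv(cmdline):
    """Split a Windows command line into tokens, honouring double-quoted paths."""
    return [q or u for q, u in re.findall(r'"([^"]*)"|(\S+)', cmdline)]


def check_process_create(ev):
    """Sysmon Event ID 1 style record (ParentImage, Image, CommandLine)."""
    hits = []
    parent, image = _base(ev["ParentImage"]), _base(ev["Image"])
    # wscript.exe -> Tempwinlogon.exe: a script host launching an EXE out of the user profile
    if parent in SCRIPT_HOSTS and _ext(ev["Image"]) == ".exe" and USER_PROFILE.search(ev["Image"]):
        hits.append(("script_host_spawns_exe", f"{parent} -> {ev['Image']}"))
    # wscript.exe handed a .js/.vbs that lives under AppData (Temp, Roaming, ...)
    if image in SCRIPT_HOSTS:
        for tok in _argv(ev["CommandLine"]):
            if _ext(tok) in SCRIPT_EXT and USER_PROFILE.search(tok):
                hits.append(("script_from_user_profile", tok))
    return hits


def check_registry_set(ev):
    """Sysmon Event ID 13 style record: a Run value whose data launches a script."""
    tokens = _argv(ev["Details"])
    if not RUN_KEY.search(ev["TargetObject"]) or not tokens:
        return []
    direct = _ext(tokens[0]) in SCRIPT_EXT                    # "C:\...\x.js"
    via_host = _base(tokens[0]) in SCRIPT_HOSTS and any(     # wscript.exe "C:\...\x.js"
        _ext(t) in SCRIPT_EXT for t in tokens[1:])
    if direct or via_host:
        return [("run_key_script_persistence", f"{ev['TargetObject']} = {ev['Details']}")]
    return []


def check_file_create(ev):
    """Sysmon Event ID 11 style record: a script written into the Startup folder."""
    path = ev["TargetFilename"]
    if STARTUP_DIR.search(path) and _ext(path) in SCRIPT_EXT:
        return [("startup_folder_script", path)]
    return []


def check_hash(ev):
    """Any record that carries a SHA256 is matched against the report's file hashes."""
    label = KNOWN_BAD_SHA256.get(ev.get("SHA256", "").lower())
    return [("known_bad_hash", label)] if label else []


HANDLERS = {1: check_process_create, 11: check_file_create, 13: check_registry_set}


def hunt(events):
    """Return (rule, detail) findings for an iterable of event dicts."""
    findings = []
    for ev in events:
        findings.extend(HANDLERS.get(ev["EventID"], lambda e: [])(ev))
        findings.extend(check_hash(ev))
    return findings


# Constructed events mirroring the report's process tree and persistence IoCs; the
# explorer.exe parent of PID 2036 is an assumption (the report does not show it).
CHAIN_EVENTS = [
    {"EventID": 1, "ParentImage": r"C:\Windows\explorer.exe", "Image": r"C:\Windows\System32\wscript.exe",
     "CommandLine": r'wscript.exe "C:\Users\Admin\AppData\Local\Temp\New Order.js"'},
    {"EventID": 1, "ParentImage": r"C:\Windows\System32\wscript.exe", "Image": r"C:\Windows\System32\wscript.exe",
     "CommandLine": r'"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\ZezqiNHkoV.js"'},
    {"EventID": 13, "TargetObject": r"HKU\S-1-5-21-1081944012-3634099177-1681222835-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\YVBPFHTJIQ",
     "Details": r'"C:\Users\Admin\AppData\Roaming\ZezqiNHkoV.js"'},
    {"EventID": 11, "TargetFilename": r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ZezqiNHkoV.js"},
    {"EventID": 1, "ParentImage": r"C:\Windows\System32\wscript.exe", "Image": r"C:\Windows\System32\wscript.exe",
     "CommandLine": r'"C:\Windows\System32\wscript.exe" "C:\Users\Admin\AppData\Local\Temp\coco.vbs"'},
    {"EventID": 1, "ParentImage": r"C:\Windows\System32\wscript.exe", "Image": r"C:\Users\Admin\AppData\Local\Tempwinlogon.exe",
     "CommandLine": r'"C:\Users\Admin\AppData\Local\Tempwinlogon.exe"',
     "SHA256": "fe8a49318d4bf9b8eb541b38219865b9338c31f89ed9b3e28adf338fa6b639dc"},
]

# Constructed benign activity the rules must leave alone: a legitimate Run value under AppData.
BENIGN_EVENTS = [
    {"EventID": 13, "TargetObject": r"HKU\S-1-5-21-1081944012-3634099177-1681222835-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "Details": r'"C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'},
]

if __name__ == "__main__":
    for rule, detail in hunt(CHAIN_EVENTS):
        print(f"{rule:28} {detail}")
```

Run as a script it prints seven findings for the chain (three scripts run from under AppData, the Run value, the Startup-folder drop, the script-host-to-EXE spawn and the hash match on Tempwinlogon.exe) and nothing for the OneDrive value. To apply it to real telemetry, replace the constructed lists with records parsed from the Sysmon channel; the field names are the ones Sysmon uses for Event IDs 1, 11 and 13.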
Network
MITRE ATT&CK Enterprise v6
Downloads

- C:\Users\Admin\AppData\Local\Temp\coco.vbs
  Filesize: 262KB
  MD5: 7ed171f03775557ab9dae2b0913a6141
  SHA1: 44a21f8522f5ce3cc7559e34cd7bf08314407baa
  SHA256: a32fbd632126405e9a0d3a307216dcf2f5828058b843322c2bad050d46c5cf51
  SHA512: 27bd180d0b204f46e86692d63401f87874db6b9c41ef419083c7ffe475b43d8d1e3f6f4d77f5717995d8100a65b78e38d5a678c82feaaecb725a9501cc7e74bc

- C:\Users\Admin\AppData\Local\Tempwinlogon.exe
  Filesize: 131KB
  MD5: c1d889597ddaeded0537670d00a4ab9f
  SHA1: d657abfa2084d8b5ae03765cc88133a5980ac204
  SHA256: fe8a49318d4bf9b8eb541b38219865b9338c31f89ed9b3e28adf338fa6b639dc
  SHA512: a94b7f4b7ee52c72df031f584f5945a87b04893fe1a4f1741d52312adab3d64169e931184211cea4456cc8b02999c1d394aeabd87ac6987537a6267511362762

- C:\Users\Admin\AppData\Roaming\ZezqiNHkoV.js
  Filesize: 24KB
  MD5: f93528065e94fbb67b95cc8924ae924c
  SHA1: 6daf76f2f60b1ec1e2e21b0845a17878ffabe1dd
  SHA256: 1ac504a0baca468bbca78692aae52089bbd25053676f6915f76ec84a73c9f6ab
  SHA512: 730ec25aa21016d3af7cb3a03e235a7a50bf4a1c54f26d4c683bc14273afa5038684327fa84ce98973bee7ae669cf1f0a1b62e562887834c28bbb402b43b408a

Memory dumps:
- memory/952-130-0x0000000000000000-mapping.dmp
- memory/1512-134-0x0000000000000000-mapping.dmp
- memory/4872-131-0x0000000000000000-mapping.dmp