Analysis

Max time kernel:  177s
Max time network: 178s
Platform:         windows7_x64
Resource:         win7-20220414-en
Submitted:        23-06-2022 05:56

Static task: static1

Behavioral task: behavioral1
  Sample:   Details.pdf.js
  Resource: win7-20220414-en

Behavioral task: behavioral2
  Sample:   Details.pdf.js
  Resource: win10v2004-20220414-en
General

Target: Details.pdf.js
Size:   562KB
MD5:    cb59237d6204d65a220eac88ad0af4e5
SHA1:   64304835929c67739b2aba280dcd0f9761925440
SHA256: 880764b02a05b427918594f017fa9c1fa3e9e8255506d542c302eb93380b0be8
SHA512: ccd966e2c4e9715d0e46fe4e3c9f331c591757ffe184deaec93797271a77c12d86ad5e00d1b90fc4aa829a38016e3b38344bc711556c8026a0397f9d66bcea9a
Malware Config

Signatures

WarzoneRat, AveMaria
  WarzoneRat is a native RAT developed in C++ with multiple plugins, sold as malware-as-a-service (MaaS).

Warzone RAT Payload (6 IoCs)
  resource                                      yara_rule
  C:\Users\Admin\AppData\Roaming\Anew.exe       warzonerat
  C:\Users\Admin\AppData\Roaming\Anew.exe       warzonerat
  \Users\Admin\Documents\images.exe             warzonerat
  \Users\Admin\Documents\images.exe             warzonerat
  C:\Users\Admin\Documents\images.exe           warzonerat
  C:\Users\Admin\Documents\images.exe           warzonerat

Blocklisted process makes network request (15 IoCs)
  Process: wscript.exe (PID 1048)
  Flows:   4, 6, 7, 9, 10, 11, 13, 14, 15, 17, 18, 21, 24, 27, 29

Executes dropped EXE (2 IoCs)
  pid   process
  2008  Anew.exe
  576   images.exe

Drops startup file (2 IoCs)
  description                   ioc                                                                                        process
  File created                  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\duRKcJnxZP.js  wscript.exe
  File opened for modification  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\duRKcJnxZP.js  wscript.exe

Loads dropped DLL (2 IoCs)
  pid   process
  2008  Anew.exe
  2008  Anew.exe

Adds Run key to start application (2 TTPs, 3 IoCs)
  Key created      \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Windows\CurrentVersion\Run
                   (process: wscript.exe)
  Set value (str)  \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Windows\CurrentVersion\Run\YVBPFHTJIQ = "\"C:\\Users\\Admin\\AppData\\Roaming\\duRKcJnxZP.js\""
                   (process: wscript.exe)
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Images.exe = "C:\\Users\\Admin\\Documents\\images.exe"
                   (process: Anew.exe)

Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Suspicious behavior: EnumeratesProcesses (2 IoCs)
  pid   process
  1244  powershell.exe
  1328  powershell.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description              pid   process
  Token: SeDebugPrivilege  1244  powershell.exe
  Token: SeDebugPrivilege  1328  powershell.exe

Suspicious use of WriteProcessMemory (25 IoCs)
  source pid  source process  target pid  target process  count
  756         wscript.exe     1048        wscript.exe     3
  756         wscript.exe     2008        Anew.exe        4
  2008        Anew.exe        1244        powershell.exe  4
  2008        Anew.exe        576         images.exe      4
  576         images.exe      1328        powershell.exe  4
  576         images.exe      1760        cmd.exe         6
Processes

(depth 1) C:\Windows\system32\wscript.exe
  Command line: wscript.exe C:\Users\Admin\AppData\Local\Temp\Details.pdf.js
  - Suspicious use of WriteProcessMemory

  (depth 2) C:\Windows\System32\wscript.exe
    Command line: "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\duRKcJnxZP.js"
    - Blocklisted process makes network request
    - Drops startup file
    - Adds Run key to start application

  (depth 2) C:\Users\Admin\AppData\Roaming\Anew.exe
    Command line: "C:\Users\Admin\AppData\Roaming\Anew.exe"
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory

    (depth 3) C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      Command line: powershell Add-MpPreference -ExclusionPath C:\
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

    (depth 3) C:\Users\Admin\Documents\images.exe
      Command line: "C:\Users\Admin\Documents\images.exe"
      - Executes dropped EXE
      - Suspicious use of WriteProcessMemory

      (depth 4) C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        Command line: powershell Add-MpPreference -ExclusionPath C:\
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken

      (depth 4) C:\Windows\SysWOW64\cmd.exe
        Command line: "C:\Windows\System32\cmd.exe"
Downloads

C:\Users\Admin\AppData\Roaming\Anew.exe
  Filesize: 131KB
  MD5:      db85d99c2bd8a7d6b1a6e4fdda9dedc7
  SHA1:     02561516bf81162120b3d1a741e232cf6962173b
  SHA256:   898f47d683968d318db92b19c683452a39e1ccdfd9a0e07a516e6354220d67b1
  SHA512:   ee957f8c344f2efd1d64551ea366bb357cbeb91e5f9c1a154f297e861cd8cefae892813b7c222d04fbd7c9b5ce357b1e3bff54663465c2b5fefad0ecf04c46bf

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
  Filesize: 7KB
  MD5:      9a99cead739ada0570fb9ab6cad29003
  SHA1:     704bf42fe9f036b40877f8195636207e72eb642d
  SHA256:   3fa4d2aae3c983f26e8b105a8da27543b900cfd3f0d5d6dd4886756f8c9b8c27
  SHA512:   c95c0127a838ab1b5862124f94844d4a308305c587b6f201d1491f3bdad15ed94cdfb7b59d7a5b7e631a3963fcfd8047c982b565b80e1a78c53b5263ccb0c53f

C:\Users\Admin\AppData\Roaming\duRKcJnxZP.js
  Filesize: 117KB
  MD5:      2ceda72d46215115db2fd420d1b2b572
  SHA1:     aa5df32f61fef685e1ba28715c68a60f54b27de7
  SHA256:   1a01f5780fe39194f89c220a0e899f028478c9312977d176b3c9e2db544b6e96
  SHA512:   924e847d376e2c33dfe7e14ab7120a63264396c2cd293a7c20b4df864fb3a170c7fe7abc42bfecce89cb1ce0c42709a91ec0cf76ddf8707088a6c1278544f055

C:\Users\Admin\Documents\images.exe (also listed as \Users\Admin\Documents\images.exe; same size and hashes as Anew.exe above)
  Filesize: 131KB
  MD5:      db85d99c2bd8a7d6b1a6e4fdda9dedc7
  SHA1:     02561516bf81162120b3d1a741e232cf6962173b
  SHA256:   898f47d683968d318db92b19c683452a39e1ccdfd9a0e07a516e6354220d67b1
  SHA512:   ee957f8c344f2efd1d64551ea366bb357cbeb91e5f9c1a154f297e861cd8cefae892813b7c222d04fbd7c9b5ce357b1e3bff54663465c2b5fefad0ecf04c46bf