warzonerat | e3c938b4f4fe140677bb420c68b052b4473cfc1135b223871ade67706a3d16b3

Analysis

max time kernel
150s
max time network
153s
platform
windows7_x64
resource
win7-20230712-en
resource tags

arch:x64arch:x86image:win7-20230712-enlocale:en-usos:windows7-x64system
submitted
10-08-2023 12:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

PurchaseOrder.XLS.js
Size

7KB
MD5

1cc985fc54d86c85a9fedc783ece93bf
SHA1

25ec6c257f51023f42094cf74e748514369190cc
SHA256

e3c938b4f4fe140677bb420c68b052b4473cfc1135b223871ade67706a3d16b3
SHA512

7818e205750495df0c13687d0a2ee47306113478aa858af31dfbb3e2a30eebaf58c808d9810ca231708c70fd0089cc05f90595c3125bf4a1b87deb5510e70779
SSDEEP

192:rrCbeo9//0bGiExYWySgU3Ub+k0OAaBvRMYRfuYbcZwulYp2h:m

Score

10^/10

warzonerat wshrat infostealer persistence rat spyware stealer trojan

Malware Config

Extracted

Family

warzonerat

chongmei33.publicvm.com:49746

Extracted

Family

wshrat

http://chongmei33.publicvm.com:7045

Signatures

WSHRAT
WSHRAT is a variant of Houdini worm and has vbs and js variants.
trojan wshrat
WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
rat infostealer warzonerat

Warzone RAT payload 7 IoCs

rat

resource	yara_rule
behavioral1/files/0x0008000000018fcb-70.dat	warzonerat
behavioral1/files/0x0008000000018fcb-72.dat	warzonerat
behavioral1/files/0x0008000000018fcb-73.dat	warzonerat
behavioral1/files/0x0005000000018fdf-75.dat	warzonerat
behavioral1/files/0x0005000000018fdf-77.dat	warzonerat
behavioral1/files/0x0005000000018fdf-81.dat	warzonerat
behavioral1/files/0x0005000000018fdf-88.dat	warzonerat

Blocklisted process makes network request 27 IoCs

flow	pid	Process
5	2364	wscript.exe
8	2224	WScript.exe
10	2224	WScript.exe
12	2224	WScript.exe
13	2224	WScript.exe
15	2224	WScript.exe
16	2224	WScript.exe
17	2224	WScript.exe
23	2224	WScript.exe
24	2224	WScript.exe
25	2224	WScript.exe
27	2224	WScript.exe
30	2224	WScript.exe
33	2224	WScript.exe
34	2224	WScript.exe
37	2224	WScript.exe
40	2224	WScript.exe
42	2224	WScript.exe
45	2224	WScript.exe
48	2224	WScript.exe
50	2224	WScript.exe
52	2224	WScript.exe
55	2224	WScript.exe
58	2224	WScript.exe
61	2224	WScript.exe
63	2224	WScript.exe
65	2224	WScript.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SGTICY.vbs	WScript.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SGTICY.vbs	WScript.exe

Executes dropped EXE 2 IoCs

pid	Process
1712	Tempwinlogon.exe
2176	images.exe

Loads dropped DLL 2 IoCs

pid	Process
1712	Tempwinlogon.exe
1712	Tempwinlogon.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-722410544-1258951091-1992882075-1000\Software\Microsoft\Windows\CurrentVersion\Run\SGTICY = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Local\\Temp\\SGTICY.vbs\""	WScript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SGTICY = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Local\\Temp\\SGTICY.vbs\""	WScript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Images = "C:\\ProgramData\\images.exe"	Tempwinlogon.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
7	ip-api.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2176	images.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 2364 wrote to memory of 2224	2364	wscript.exe	29
PID 2364 wrote to memory of 2224	2364	wscript.exe	29
PID 2364 wrote to memory of 2224	2364	wscript.exe	29
PID 2224 wrote to memory of 2372	2224	WScript.exe	32
PID 2224 wrote to memory of 2372	2224	WScript.exe	32
PID 2224 wrote to memory of 2372	2224	WScript.exe	32
PID 2372 wrote to memory of 1712	2372	WScript.exe	34
PID 2372 wrote to memory of 1712	2372	WScript.exe	34
PID 2372 wrote to memory of 1712	2372	WScript.exe	34
PID 2372 wrote to memory of 1712	2372	WScript.exe	34
PID 1712 wrote to memory of 2176	1712	Tempwinlogon.exe	35
PID 1712 wrote to memory of 2176	1712	Tempwinlogon.exe	35
PID 1712 wrote to memory of 2176	1712	Tempwinlogon.exe	35
PID 1712 wrote to memory of 2176	1712	Tempwinlogon.exe	35
PID 2176 wrote to memory of 2976	2176	images.exe	36
PID 2176 wrote to memory of 2976	2176	images.exe	36
PID 2176 wrote to memory of 2976	2176	images.exe	36
PID 2176 wrote to memory of 2976	2176	images.exe	36
PID 2176 wrote to memory of 2976	2176	images.exe	36
PID 2176 wrote to memory of 2976	2176	images.exe	36

C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\PurchaseOrder.XLS.js
1⤵
- Blocklisted process makes network request
- Suspicious use of WriteProcessMemory
PID:2364
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\SGTICY.vbs"
  2⤵
  - Blocklisted process makes network request
  - Drops startup file
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:2224
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\aug.vbs"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2372
  - - C:\Users\Admin\AppData\Local\Tempwinlogon.exe
      "C:\Users\Admin\AppData\Local\Tempwinlogon.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:1712
    - - C:\ProgramData\images.exe
        
        "C:\ProgramData\images.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2176
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe"
        6⤵
        
        PID:2976

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\images.exe

Filesize
98KB

MD5
20390c8434f741d1abee9c8d48248bdb

SHA1
10577df5ed0ecba6a3da8552d112bd5e00e793d2

SHA256
ab87db3a4dc092240719fe8d9f0192b15dbeaa25ee21ef6607ef5e2cb6f775e3

SHA512
e1cd502740eb8bc267c7ca61c1781225f598b17948b0c6f99d8495efb27181a34075b7b5a89b775e1b9ac7cccfb5f2cc32fb61dbdf8cda9ac795349745bdd98b

Download Submit
C:\ProgramData\images.exe

Filesize
98KB

MD5
20390c8434f741d1abee9c8d48248bdb

SHA1
10577df5ed0ecba6a3da8552d112bd5e00e793d2

SHA256
ab87db3a4dc092240719fe8d9f0192b15dbeaa25ee21ef6607ef5e2cb6f775e3

SHA512
e1cd502740eb8bc267c7ca61c1781225f598b17948b0c6f99d8495efb27181a34075b7b5a89b775e1b9ac7cccfb5f2cc32fb61dbdf8cda9ac795349745bdd98b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\12APMO2Y\json[1].json

Filesize
323B

MD5
149c2823b7eadbfb0a82388a2ab9494f

SHA1
415fe979ce5fd0064d2557a48745a3ed1a3fbf9c

SHA256
06fa5d4e7fbfb1efdc19baa034601a894b21cf729785732853ced4bb40aca869

SHA512
f8fb6b7c93c4ab37f6e250ba8ac5c82f6e17fe52156cab81d34e91107d1da716b744bfe02ee0306497a3876d5352af789a1e66dab10e11e22065bac3050475fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\SGTICY.vbs

Filesize
1.9MB

MD5
72fab82acb233fa5b2d7aeb5cecf14bb

SHA1
dd7e2daa860b045e8b683407ab653c75df13256a

SHA256
35dd9286ed2d79a748a02cd32a9418e39a1b91d237f9ee67d2f305fc4b659f0b

SHA512
534c935688b227edaa3b77ba95b3de95ae1cf34a8614e906986c8448c54a64a5c4811d3d5ff79ea232160722173370e0dc3ae3b157ed12d789848034a6479ed4

Download Submit
C:\Users\Admin\AppData\Local\Temp\aug.vbs

Filesize
196KB

MD5
2725abf432ceeca35be3ac737c3f0847

SHA1
608ac3ed1248b3c35deec3ee55070d52b2c9d1a0

SHA256
6eaa55f7bd4117835ac0116d85b20fdcc35e1c461379dbac106d2c2c51d60516

SHA512
a014a6c2a10f9efe9ca85f4da5505fb2eb6071342b7f4dce0b48446d4462ba26fc1e44a1ba9833d6ab623d2d75c0643c488e46d1995fb20bfd0ed8d8f517b0e2

Download Submit
C:\Users\Admin\AppData\Local\Tempwinlogon.exe

Filesize
98KB

MD5
20390c8434f741d1abee9c8d48248bdb

SHA1
10577df5ed0ecba6a3da8552d112bd5e00e793d2

SHA256
ab87db3a4dc092240719fe8d9f0192b15dbeaa25ee21ef6607ef5e2cb6f775e3

SHA512
e1cd502740eb8bc267c7ca61c1781225f598b17948b0c6f99d8495efb27181a34075b7b5a89b775e1b9ac7cccfb5f2cc32fb61dbdf8cda9ac795349745bdd98b

Download Submit
C:\Users\Admin\AppData\Local\Tempwinlogon.exe

Filesize
98KB

MD5
20390c8434f741d1abee9c8d48248bdb

SHA1
10577df5ed0ecba6a3da8552d112bd5e00e793d2

SHA256
ab87db3a4dc092240719fe8d9f0192b15dbeaa25ee21ef6607ef5e2cb6f775e3

SHA512
e1cd502740eb8bc267c7ca61c1781225f598b17948b0c6f99d8495efb27181a34075b7b5a89b775e1b9ac7cccfb5f2cc32fb61dbdf8cda9ac795349745bdd98b

Download Submit
C:\Users\Admin\AppData\Local\Tempwinlogon.exe

Filesize
98KB

MD5
20390c8434f741d1abee9c8d48248bdb

SHA1
10577df5ed0ecba6a3da8552d112bd5e00e793d2

SHA256
ab87db3a4dc092240719fe8d9f0192b15dbeaa25ee21ef6607ef5e2cb6f775e3

SHA512
e1cd502740eb8bc267c7ca61c1781225f598b17948b0c6f99d8495efb27181a34075b7b5a89b775e1b9ac7cccfb5f2cc32fb61dbdf8cda9ac795349745bdd98b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SGTICY.vbs

Filesize
1.9MB

MD5
72fab82acb233fa5b2d7aeb5cecf14bb

SHA1
dd7e2daa860b045e8b683407ab653c75df13256a

SHA256
35dd9286ed2d79a748a02cd32a9418e39a1b91d237f9ee67d2f305fc4b659f0b

SHA512
534c935688b227edaa3b77ba95b3de95ae1cf34a8614e906986c8448c54a64a5c4811d3d5ff79ea232160722173370e0dc3ae3b157ed12d789848034a6479ed4

Download Submit
\ProgramData\images.exe

Filesize
98KB

MD5
20390c8434f741d1abee9c8d48248bdb

SHA1
10577df5ed0ecba6a3da8552d112bd5e00e793d2

SHA256
ab87db3a4dc092240719fe8d9f0192b15dbeaa25ee21ef6607ef5e2cb6f775e3

SHA512
e1cd502740eb8bc267c7ca61c1781225f598b17948b0c6f99d8495efb27181a34075b7b5a89b775e1b9ac7cccfb5f2cc32fb61dbdf8cda9ac795349745bdd98b

Download Submit
\ProgramData\images.exe

Filesize
98KB

MD5
20390c8434f741d1abee9c8d48248bdb

SHA1
10577df5ed0ecba6a3da8552d112bd5e00e793d2

SHA256
ab87db3a4dc092240719fe8d9f0192b15dbeaa25ee21ef6607ef5e2cb6f775e3

SHA512
e1cd502740eb8bc267c7ca61c1781225f598b17948b0c6f99d8495efb27181a34075b7b5a89b775e1b9ac7cccfb5f2cc32fb61dbdf8cda9ac795349745bdd98b

Download Submit
memory/2176-102-0x00000000035D0000-0x0000000003654000-memory.dmp

Filesize
528KB

Download
memory/2176-107-0x00000000035D0000-0x0000000003654000-memory.dmp

Filesize
528KB

Download
memory/2976-84-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download
memory/2976-82-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads