Analysis
max time kernel: 151s
max time network: 153s
platform: windows10-2004_x64
resource: win10v2004-20230703-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230703-en, locale:en-us, os:windows10-2004-x64, system
submitted: 10-08-2023 13:25
Static task: static1
Behavioral task: behavioral1
  Sample: wis2war.vbs
  Resource: win7-20230712-en
Behavioral task: behavioral2
  Sample: wis2war.vbs
  Resource: win10v2004-20230703-en
General
Target: wis2war.vbs
Size: 1.9MB
MD5: 72fab82acb233fa5b2d7aeb5cecf14bb
SHA1: dd7e2daa860b045e8b683407ab653c75df13256a
SHA256: 35dd9286ed2d79a748a02cd32a9418e39a1b91d237f9ee67d2f305fc4b659f0b
SHA512: 534c935688b227edaa3b77ba95b3de95ae1cf34a8614e906986c8448c54a64a5c4811d3d5ff79ea232160722173370e0dc3ae3b157ed12d789848034a6479ed4
SSDEEP: 6144:MhFLSUbTzDvAaRZMF2nkKA3T7oB32XsPhY0/QSE2lGNpUoB+mZIS7/942c:ctxrPgwivYeSV4pR7/M
Malware Config
Extracted (warzonerat): chongmei33.publicvm.com:49746
Extracted (wshrat): http://chongmei33.publicvm.com:7045
Signatures
-
WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
-
Warzone RAT payload 5 IoCs
Processes:
resource                                       yara_rule
C:\Users\Admin\AppData\Local\Tempwinlogon.exe  warzonerat
C:\Users\Admin\AppData\Local\Tempwinlogon.exe  warzonerat
C:\Users\Admin\AppData\Local\Tempwinlogon.exe  warzonerat
C:\ProgramData\images.exe                      warzonerat
C:\ProgramData\images.exe                      warzonerat
-
Blocklisted process makes network request 26 IoCs
Processes:
process      pid   flows
WScript.exe  3836  8, 10, 24, 30, 31, 41, 42, 43, 44, 48, 52, 53, 54, 59, 60, 62, 64, 65, 66, 67, 69, 70, 71, 72, 74, 75
-
Drops startup file 2 IoCs
Processes:
description                   ioc                                                                                       process
File created                  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\wis2war.vbs  WScript.exe
File opened for modification  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\wis2war.vbs  WScript.exe
-
Executes dropped EXE 2 IoCs
Processes:
pid   process
3572  Tempwinlogon.exe
2152  images.exe
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 3 IoCs
Processes:
description      ioc                                                                                                                                                                          process
Set value (str)  \REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wis2war = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Local\\Temp\\wis2war.vbs\""  WScript.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wis2war = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Local\\Temp\\wis2war.vbs\""                          WScript.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Images = "C:\\ProgramData\\images.exe"                                                              Tempwinlogon.exe
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow  ioc
7     ip-api.com
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Modifies registry class 1 IoCs
Processes:
description  ioc                                                                                process
Key created  \REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000_Classes\Local Settings  WScript.exe
-
Suspicious use of SetWindowsHookEx 1 IoCs
Processes:
pid   process
2152  images.exe
-
Suspicious use of WriteProcessMemory 13 IoCs
Processes:
description                       pid   process           target process
PID 3836 wrote to memory of 936   3836  WScript.exe       WScript.exe
PID 3836 wrote to memory of 936   3836  WScript.exe       WScript.exe
PID 936 wrote to memory of 3572   936   WScript.exe       Tempwinlogon.exe
PID 936 wrote to memory of 3572   936   WScript.exe       Tempwinlogon.exe
PID 936 wrote to memory of 3572   936   WScript.exe       Tempwinlogon.exe
PID 3572 wrote to memory of 2152  3572  Tempwinlogon.exe  images.exe
PID 3572 wrote to memory of 2152  3572  Tempwinlogon.exe  images.exe
PID 3572 wrote to memory of 2152  3572  Tempwinlogon.exe  images.exe
PID 2152 wrote to memory of 1652  2152  images.exe        cmd.exe
PID 2152 wrote to memory of 1652  2152  images.exe        cmd.exe
PID 2152 wrote to memory of 1652  2152  images.exe        cmd.exe
PID 2152 wrote to memory of 1652  2152  images.exe        cmd.exe
PID 2152 wrote to memory of 1652  2152  images.exe        cmd.exe
Processes
C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\wis2war.vbs"
  PID: 3836
  - Blocklisted process makes network request
  - Drops startup file
  - Adds Run key to start application
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\aug.vbs"
    PID: 936
    - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Tempwinlogon.exe
      "C:\Users\Admin\AppData\Local\Tempwinlogon.exe"
      PID: 3572
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious use of WriteProcessMemory
      C:\ProgramData\images.exe
        "C:\ProgramData\images.exe"
        PID: 2152
        - Executes dropped EXE
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory
        C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\System32\cmd.exe"
          PID: 1652
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize: 98KB
MD5: 20390c8434f741d1abee9c8d48248bdb
SHA1: 10577df5ed0ecba6a3da8552d112bd5e00e793d2
SHA256: ab87db3a4dc092240719fe8d9f0192b15dbeaa25ee21ef6607ef5e2cb6f775e3
SHA512: e1cd502740eb8bc267c7ca61c1781225f598b17948b0c6f99d8495efb27181a34075b7b5a89b775e1b9ac7cccfb5f2cc32fb61dbdf8cda9ac795349745bdd98b
-
Filesize: 98KB
MD5: 20390c8434f741d1abee9c8d48248bdb
SHA1: 10577df5ed0ecba6a3da8552d112bd5e00e793d2
SHA256: ab87db3a4dc092240719fe8d9f0192b15dbeaa25ee21ef6607ef5e2cb6f775e3
SHA512: e1cd502740eb8bc267c7ca61c1781225f598b17948b0c6f99d8495efb27181a34075b7b5a89b775e1b9ac7cccfb5f2cc32fb61dbdf8cda9ac795349745bdd98b
-
Filesize: 323B
MD5: 0c17abb0ed055fecf0c48bb6e46eb4eb
SHA1: a692730c8ec7353c31b94a888f359edb54aaa4c8
SHA256: f41e99f954e33e7b0e39930ec8620bf29801efc44275c1ee6b5cfa5e1be202c0
SHA512: 645a9f2f94461d8a187261b736949df398ece5cfbf1af8653d18d3487ec1269d9f565534c1e249c12f31b3b1a41a8512953b1e991b001fc1360059e3fd494ec3
-
Filesize: 196KB
MD5: 2725abf432ceeca35be3ac737c3f0847
SHA1: 608ac3ed1248b3c35deec3ee55070d52b2c9d1a0
SHA256: 6eaa55f7bd4117835ac0116d85b20fdcc35e1c461379dbac106d2c2c51d60516
SHA512: a014a6c2a10f9efe9ca85f4da5505fb2eb6071342b7f4dce0b48446d4462ba26fc1e44a1ba9833d6ab623d2d75c0643c488e46d1995fb20bfd0ed8d8f517b0e2
-
Filesize: 98KB
MD5: 20390c8434f741d1abee9c8d48248bdb
SHA1: 10577df5ed0ecba6a3da8552d112bd5e00e793d2
SHA256: ab87db3a4dc092240719fe8d9f0192b15dbeaa25ee21ef6607ef5e2cb6f775e3
SHA512: e1cd502740eb8bc267c7ca61c1781225f598b17948b0c6f99d8495efb27181a34075b7b5a89b775e1b9ac7cccfb5f2cc32fb61dbdf8cda9ac795349745bdd98b
-
Filesize: 98KB
MD5: 20390c8434f741d1abee9c8d48248bdb
SHA1: 10577df5ed0ecba6a3da8552d112bd5e00e793d2
SHA256: ab87db3a4dc092240719fe8d9f0192b15dbeaa25ee21ef6607ef5e2cb6f775e3
SHA512: e1cd502740eb8bc267c7ca61c1781225f598b17948b0c6f99d8495efb27181a34075b7b5a89b775e1b9ac7cccfb5f2cc32fb61dbdf8cda9ac795349745bdd98b
-
Filesize: 98KB
MD5: 20390c8434f741d1abee9c8d48248bdb
SHA1: 10577df5ed0ecba6a3da8552d112bd5e00e793d2
SHA256: ab87db3a4dc092240719fe8d9f0192b15dbeaa25ee21ef6607ef5e2cb6f775e3
SHA512: e1cd502740eb8bc267c7ca61c1781225f598b17948b0c6f99d8495efb27181a34075b7b5a89b775e1b9ac7cccfb5f2cc32fb61dbdf8cda9ac795349745bdd98b
-
Filesize: 1.9MB
MD5: 72fab82acb233fa5b2d7aeb5cecf14bb
SHA1: dd7e2daa860b045e8b683407ab653c75df13256a
SHA256: 35dd9286ed2d79a748a02cd32a9418e39a1b91d237f9ee67d2f305fc4b659f0b
SHA512: 534c935688b227edaa3b77ba95b3de95ae1cf34a8614e906986c8448c54a64a5c4811d3d5ff79ea232160722173370e0dc3ae3b157ed12d789848034a6479ed4