warzonerat | 5502c7306e749b3a59e5c8b35d7e3b21e397ac0a98092519a19e1c1de2ce1de3

Analysis

max time kernel
150s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
15-08-2023 12:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ORDER-230814AF.vbs
Size

9KB
MD5

a1c23f6dbe187a6168eda9a75d5050f8
SHA1

3969f916dee7b2d658feb1850023257e6986dac0
SHA256

5502c7306e749b3a59e5c8b35d7e3b21e397ac0a98092519a19e1c1de2ce1de3
SHA512

36df97c39faa3eb70f75b5858d81fc9c263926402342f488efb2fe6c51d76f60a283c1d2e736088d365c9c9edb7c93ea36579920fc1c37680d4f6623a7e9bb62
SSDEEP

48:NjhD1INdjhDlzDaNdjhD5nqNhIINu1G0NVaUsyOUsfhqzDaNu1G0NVaUsuazD8ug:R

Score

10^/10

warzonerat wshrat infostealer persistence rat spyware stealer trojan

Malware Config

Extracted

Family

warzonerat

chongmei33.publicvm.com:49746

Extracted

Family

wshrat

http://chongmei33.publicvm.com:7045

Signatures

WSHRAT
WSHRAT is a variant of Houdini worm and has vbs and js variants.
trojan wshrat
WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
rat infostealer warzonerat

Warzone RAT payload 5 IoCs

rat

resource	yara_rule
behavioral2/files/0x000300000001e64c-157.dat	warzonerat
behavioral2/files/0x000300000001e64c-159.dat	warzonerat
behavioral2/files/0x000300000001e64c-160.dat	warzonerat
behavioral2/files/0x000200000001e6ed-163.dat	warzonerat
behavioral2/files/0x000200000001e6ed-164.dat	warzonerat

Blocklisted process makes network request 29 IoCs

flow	pid	Process
2	1404	WScript.exe
7	1404	WScript.exe
9	1404	WScript.exe
15	1404	WScript.exe
27	4500	WScript.exe
30	4500	WScript.exe
35	4500	WScript.exe
39	4500	WScript.exe
53	4500	WScript.exe
54	4500	WScript.exe
55	4500	WScript.exe
56	4500	WScript.exe
58	4500	WScript.exe
59	4500	WScript.exe
63	4500	WScript.exe
65	4500	WScript.exe
66	4500	WScript.exe
70	4500	WScript.exe
71	4500	WScript.exe
73	4500	WScript.exe
74	4500	WScript.exe
75	4500	WScript.exe
76	4500	WScript.exe
78	4500	WScript.exe
79	4500	WScript.exe
80	4500	WScript.exe
85	4500	WScript.exe
87	4500	WScript.exe
88	4500	WScript.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\QENVVO.vbs	WScript.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\QENVVO.vbs	WScript.exe

Executes dropped EXE 2 IoCs

pid	Process
468	Tempwinlogon.exe
4960	images.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\QENVVO = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Local\\Temp\\QENVVO.vbs\""	WScript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\QENVVO = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Local\\Temp\\QENVVO.vbs\""	WScript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Images = "C:\\ProgramData\\images.exe"	Tempwinlogon.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
26	ip-api.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000_Classes\Local Settings	WScript.exe
Key created	\REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000_Classes\Local Settings	WScript.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4960	images.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 1404 wrote to memory of 4500	1404	WScript.exe	81
PID 1404 wrote to memory of 4500	1404	WScript.exe	81
PID 4500 wrote to memory of 3556	4500	WScript.exe	85
PID 4500 wrote to memory of 3556	4500	WScript.exe	85
PID 3556 wrote to memory of 468	3556	WScript.exe	88
PID 3556 wrote to memory of 468	3556	WScript.exe	88
PID 3556 wrote to memory of 468	3556	WScript.exe	88
PID 468 wrote to memory of 4960	468	Tempwinlogon.exe	90
PID 468 wrote to memory of 4960	468	Tempwinlogon.exe	90
PID 468 wrote to memory of 4960	468	Tempwinlogon.exe	90
PID 4960 wrote to memory of 2476	4960	images.exe	91
PID 4960 wrote to memory of 2476	4960	images.exe	91
PID 4960 wrote to memory of 2476	4960	images.exe	91
PID 4960 wrote to memory of 2476	4960	images.exe	91
PID 4960 wrote to memory of 2476	4960	images.exe	91

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ORDER-230814AF.vbs"
1⤵
- Blocklisted process makes network request
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1404
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\QENVVO.vbs"
  2⤵
  - Blocklisted process makes network request
  - Drops startup file
  - Adds Run key to start application
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4500
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\aug.vbs"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3556
  - - C:\Users\Admin\AppData\Local\Tempwinlogon.exe
      "C:\Users\Admin\AppData\Local\Tempwinlogon.exe"
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:468
    - - C:\ProgramData\images.exe
        
        "C:\ProgramData\images.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:4960
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe"
        6⤵
        
        PID:2476

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\images.exe

Filesize
98KB

MD5
20390c8434f741d1abee9c8d48248bdb

SHA1
10577df5ed0ecba6a3da8552d112bd5e00e793d2

SHA256
ab87db3a4dc092240719fe8d9f0192b15dbeaa25ee21ef6607ef5e2cb6f775e3

SHA512
e1cd502740eb8bc267c7ca61c1781225f598b17948b0c6f99d8495efb27181a34075b7b5a89b775e1b9ac7cccfb5f2cc32fb61dbdf8cda9ac795349745bdd98b

Download Submit
C:\ProgramData\images.exe

Filesize
98KB

MD5
20390c8434f741d1abee9c8d48248bdb

SHA1
10577df5ed0ecba6a3da8552d112bd5e00e793d2

SHA256
ab87db3a4dc092240719fe8d9f0192b15dbeaa25ee21ef6607ef5e2cb6f775e3

SHA512
e1cd502740eb8bc267c7ca61c1781225f598b17948b0c6f99d8495efb27181a34075b7b5a89b775e1b9ac7cccfb5f2cc32fb61dbdf8cda9ac795349745bdd98b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\6V1Y4KVO\json[1].json

Filesize
323B

MD5
0c17abb0ed055fecf0c48bb6e46eb4eb

SHA1
a692730c8ec7353c31b94a888f359edb54aaa4c8

SHA256
f41e99f954e33e7b0e39930ec8620bf29801efc44275c1ee6b5cfa5e1be202c0

SHA512
645a9f2f94461d8a187261b736949df398ece5cfbf1af8653d18d3487ec1269d9f565534c1e249c12f31b3b1a41a8512953b1e991b001fc1360059e3fd494ec3

Download Submit
C:\Users\Admin\AppData\Local\Temp\QENVVO.vbs

Filesize
2.2MB

MD5
c863717ead17c4488aa7f85b33ba8b20

SHA1
a1ecbd6e0ee64022e0e2ec358f9d33fec435e164

SHA256
355f53e53d0a8280ca4bc2e38bad3d6be7a00a3789355f09cbb822464fd8929e

SHA512
348d071ac5f156ccf25bbce538583ebcafa8b337d3ae6e5fd1a2d54ec71e99764ef4e8d9639463d9521910d29946abef371fe8c863dbbe3ac70aa035f3c2907e

Download Submit
C:\Users\Admin\AppData\Local\Temp\aug.vbs

Filesize
196KB

MD5
2725abf432ceeca35be3ac737c3f0847

SHA1
608ac3ed1248b3c35deec3ee55070d52b2c9d1a0

SHA256
6eaa55f7bd4117835ac0116d85b20fdcc35e1c461379dbac106d2c2c51d60516

SHA512
a014a6c2a10f9efe9ca85f4da5505fb2eb6071342b7f4dce0b48446d4462ba26fc1e44a1ba9833d6ab623d2d75c0643c488e46d1995fb20bfd0ed8d8f517b0e2

Download Submit
C:\Users\Admin\AppData\Local\Tempwinlogon.exe

Filesize
98KB

MD5
20390c8434f741d1abee9c8d48248bdb

SHA1
10577df5ed0ecba6a3da8552d112bd5e00e793d2

SHA256
ab87db3a4dc092240719fe8d9f0192b15dbeaa25ee21ef6607ef5e2cb6f775e3

SHA512
e1cd502740eb8bc267c7ca61c1781225f598b17948b0c6f99d8495efb27181a34075b7b5a89b775e1b9ac7cccfb5f2cc32fb61dbdf8cda9ac795349745bdd98b

Download Submit
C:\Users\Admin\AppData\Local\Tempwinlogon.exe

Filesize
98KB

MD5
20390c8434f741d1abee9c8d48248bdb

SHA1
10577df5ed0ecba6a3da8552d112bd5e00e793d2

SHA256
ab87db3a4dc092240719fe8d9f0192b15dbeaa25ee21ef6607ef5e2cb6f775e3

SHA512
e1cd502740eb8bc267c7ca61c1781225f598b17948b0c6f99d8495efb27181a34075b7b5a89b775e1b9ac7cccfb5f2cc32fb61dbdf8cda9ac795349745bdd98b

Download Submit
C:\Users\Admin\AppData\Local\Tempwinlogon.exe

Filesize
98KB

MD5
20390c8434f741d1abee9c8d48248bdb

SHA1
10577df5ed0ecba6a3da8552d112bd5e00e793d2

SHA256
ab87db3a4dc092240719fe8d9f0192b15dbeaa25ee21ef6607ef5e2cb6f775e3

SHA512
e1cd502740eb8bc267c7ca61c1781225f598b17948b0c6f99d8495efb27181a34075b7b5a89b775e1b9ac7cccfb5f2cc32fb61dbdf8cda9ac795349745bdd98b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\QENVVO.vbs

Filesize
2.2MB

MD5
c863717ead17c4488aa7f85b33ba8b20

SHA1
a1ecbd6e0ee64022e0e2ec358f9d33fec435e164

SHA256
355f53e53d0a8280ca4bc2e38bad3d6be7a00a3789355f09cbb822464fd8929e

SHA512
348d071ac5f156ccf25bbce538583ebcafa8b337d3ae6e5fd1a2d54ec71e99764ef4e8d9639463d9521910d29946abef371fe8c863dbbe3ac70aa035f3c2907e

Download Submit
memory/2476-165-0x00000000005E0000-0x00000000005E1000-memory.dmp

Filesize
4KB

Download
memory/4960-172-0x0000000003760000-0x00000000037E4000-memory.dmp

Filesize
528KB

Download
memory/4960-179-0x0000000003760000-0x00000000037E4000-memory.dmp

Filesize
528KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads