Analysis
- max time kernel: 148s
- max time network: 159s
- platform: windows10-2004_x64
- resource: win10v2004-20230703-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20230703-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 17-08-2023 18:14
Static task: static1
Behavioral task: behavioral1
- Sample: ORDER-238175F.pdf.js
- Resource: win7-20230712-en
Behavioral task: behavioral2
- Sample: ORDER-238175F.pdf.js
- Resource: win10v2004-20230703-en
General
- Target: ORDER-238175F.pdf.js
- Size: 7KB
- MD5: 71223537f79596646a8938dd2346b649
- SHA1: e0746a857f5aa62fff78070bd3b97db2ddfe559a
- SHA256: 7a57c3bcbdfc2482505bcf4c20885c1288635f780667a5cf4c7f0804251dd719
- SHA512: a6850d1eed527874e8b93aa29fa76df11faa7147392db4bb8acf255f4cef028ebfddec329c8f8d0c2e3010f0f0b05b650558108583ae28a0913a849c6dff33ab
- SSDEEP: 192:RrhdeJCAgeSP5NvpaQKz6epeZeyqOeLDe2t5De2OeLDeTeaeIC:dvpBiRjj
Malware Config
- Extracted (warzonerat): chongmei33.publicvm.com:49746
- Extracted (wshrat): http://chongmei33.publicvm.com:7045
Signatures

WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.

Warzone RAT payload (5 IoCs)
Processes (resource -> yara_rule):
- C:\Users\Admin\AppData\Local\Tempwinlogon.exe -> warzonerat (3 matches)
- C:\ProgramData\images.exe -> warzonerat (2 matches)
Blocklisted process makes network request (29 IoCs)
Processes (flow -> pid, process):
- flows 6, 8, 14 -> 4564 wscript.exe
- flows 25, 27, 36, 40, 42, 53, 55, 56, 58, 60, 62, 66, 69, 71, 74, 77, 78, 79, 80, 82, 84, 85, 87, 89, 95, 97 -> 4948 WScript.exe
Drops startup file (2 IoCs)
Processes (description, ioc, process):
- File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TGDEJN.vbs (WScript.exe)
- File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TGDEJN.vbs (WScript.exe)
Executes dropped EXE (2 IoCs)
Processes (pid, process):
- 4976 Tempwinlogon.exe
- 1620 images.exe
Adds Run key to start application (2 TTPs, 3 IoCs)
Processes (description, ioc, process):
- Set value (str): \REGISTRY\USER\S-1-5-21-4176143399-3250363947-192774652-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\TGDEJN = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Local\\Temp\\TGDEJN.vbs\"" (WScript.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\TGDEJN = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Local\\Temp\\TGDEJN.vbs\"" (WScript.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Images = "C:\\ProgramData\\images.exe" (Tempwinlogon.exe)
Looks up external IP address via web service (1 IoC)
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes (flow, ioc):
- flow 24: ip-api.com
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
Modifies registry class (2 IoCs)
Processes (description, ioc, process):
- Key created: \REGISTRY\USER\S-1-5-21-4176143399-3250363947-192774652-1000_Classes\Local Settings (wscript.exe)
- Key created: \REGISTRY\USER\S-1-5-21-4176143399-3250363947-192774652-1000_Classes\Local Settings (WScript.exe)
Suspicious use of WriteProcessMemory (15 IoCs)
Processes (source pid, process -> target pid, process; number of writes):
- 4564 wscript.exe -> 4948 WScript.exe (2)
- 4948 WScript.exe -> 4740 WScript.exe (2)
- 4740 WScript.exe -> 4976 Tempwinlogon.exe (3)
- 4976 Tempwinlogon.exe -> 1620 images.exe (3)
- 1620 images.exe -> 3044 cmd.exe (5)
Processes
1. C:\Windows\system32\wscript.exe (PID 4564)
   Command line: wscript.exe C:\Users\Admin\AppData\Local\Temp\ORDER-238175F.pdf.js
   - Blocklisted process makes network request
   - Modifies registry class
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\System32\WScript.exe (PID 4948)
      Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\TGDEJN.vbs"
      - Blocklisted process makes network request
      - Drops startup file
      - Adds Run key to start application
      - Modifies registry class
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\System32\WScript.exe (PID 4740)
         Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\aug.vbs"
         - Suspicious use of WriteProcessMemory
         4. C:\Users\Admin\AppData\Local\Tempwinlogon.exe (PID 4976)
            Command line: "C:\Users\Admin\AppData\Local\Tempwinlogon.exe"
            - Executes dropped EXE
            - Adds Run key to start application
            - Suspicious use of WriteProcessMemory
            5. C:\ProgramData\images.exe (PID 1620)
               Command line: "C:\ProgramData\images.exe"
               - Executes dropped EXE
               - Suspicious use of WriteProcessMemory
               6. C:\Windows\SysWOW64\cmd.exe (PID 3044)
                  Command line: "C:\Windows\System32\cmd.exe"

Two details of the tree are worth noting when writing detections. The dropped payload is not in the Temp folder: its image path is C:\Users\Admin\AppData\Local\Tempwinlogon.exe, i.e. a file named Tempwinlogon.exe directly under AppData\Local. And the final cmd.exe has the SysWOW64 image path although its command line names System32\cmd.exe: images.exe is a 32-bit process (it writes its Run key under WOW6432Node), so the System32 path it passes is subject to WOW64 file system redirection.
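The persistence and process-chain behaviour above (silent wscript.exe //B Run value, .vbs in the Startup folder, script host launching an executable from a user-writable path, DNS for the extracted host, known file hashes) is easy to turn into host detections. The following is an added example written for this page, not code from the sandbox or from the report: it encodes the report's IoCs as rules and runs them over a handful of constructed, Sysmon-style event records. The event field names (event, image, parent_image, target, details, host, sha256) are an assumed schema chosen for the example and must be mapped to your own telemetry.

```python
"""Detection rules for the behaviour chain in this report.

Added example, not code from the sandbox or the report.  Event field names
are an assumed schema (event, image, parent_image, target, details, host,
sha256); the sample records below are constructed, modelled on the report.
"""
import re

# Network and hash indicators copied from the report.
C2_HOST = "chongmei33.publicvm.com"
KNOWN_SHA256 = {
    "7a57c3bcbdfc2482505bcf4c20885c1288635f780667a5cf4c7f0804251dd719",  # ORDER-238175F.pdf.js
    "ab87db3a4dc092240719fe8d9f0192b15dbeaa25ee21ef6607ef5e2cb6f775e3",  # 98KB download
    "06fa5d4e7fbfb1efdc19baa034601a894b21cf729785732853ced4bb40aca869",  # 323B download
    "2379541bc38b9a61637cee49eb60d902b1af5e27bfa4f7885218308d1024cab4",  # 2.0MB download
    "6eaa55f7bd4117835ac0116d85b20fdcc35e1c461379dbac106d2c2c51d60516",  # 196KB download
}

# Behavioural patterns generalised from the report's IoCs (case-insensitive).
RUN_KEY = re.compile(
    r"\\Software\\(WOW6432Node\\)?Microsoft\\Windows\\CurrentVersion\\Run\\", re.I)
# Run value that launches a .vbs silently, as the TGDEJN value does.
WSCRIPT_SILENT_VBS = re.compile(r'^"?wscript\.exe"?\s+//B\s+.*\.vbs', re.I)
# Script dropped into the per-user Startup folder.
STARTUP_FOLDER = re.compile(
    r"\\Start Menu\\Programs\\Startup\\[^\\]+\.(vbs|js|jse|wsf)$", re.I)
# Executable under a user-writable root.  The report's Tempwinlogon.exe sits
# directly in AppData\Local, so keying on the Temp folder alone would miss it.
USER_WRITABLE_EXE = re.compile(
    r'^"?C:\\(Users\\[^\\]+\\AppData\\|ProgramData\\)[^"]*\.exe', re.I)
SCRIPT_HOST = re.compile(r"\\(wscript|cscript)\.exe$", re.I)


def check_event(ev: dict) -> list[str]:
    """Return the names of every rule that fires on one event record."""
    hits = []
    if ev.get("sha256", "").lower() in KNOWN_SHA256:
        hits.append("known_hash")
    kind = ev.get("event")
    if kind == "registry_set" and RUN_KEY.search(ev["target"]):
        if WSCRIPT_SILENT_VBS.search(ev["details"]):
            hits.append("run_key_wscript_silent_vbs")
        elif USER_WRITABLE_EXE.search(ev["details"]):
            hits.append("run_key_user_writable_exe")
    elif kind == "file_create" and STARTUP_FOLDER.search(ev["target"]):
        hits.append("startup_folder_script")
    elif kind == "process_create":
        if SCRIPT_HOST.search(ev["parent_image"]) and USER_WRITABLE_EXE.search(ev["image"]):
            hits.append("script_host_spawns_dropped_exe")
    elif kind in ("dns_query", "network_connect"):
        if ev.get("host", "").lower() == C2_HOST:
            hits.append("c2_host")
    return hits


def scan(events: list[dict]) -> list[tuple[int, str]]:
    """Run every rule over an event stream; return (event index, rule) pairs."""
    return [(i, rule) for i, ev in enumerate(events) for rule in check_event(ev)]


# Constructed sample telemetry modelled on the report's process tree and
# registry/file IoCs (not captured data); the last record is a benign control.
SAMPLE_EVENTS = [
    {"event": "process_create", "image": r"C:\Windows\System32\WScript.exe",
     "parent_image": r"C:\Windows\system32\wscript.exe",
     "cmdline": r'"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\TGDEJN.vbs"'},
    {"event": "registry_set",
     "target": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\TGDEJN",
     "details": r'wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\TGDEJN.vbs"'},
    {"event": "file_create",
     "target": r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TGDEJN.vbs"},
    {"event": "file_create",
     "target": r"C:\Users\Admin\AppData\Local\Temp\ORDER-238175F.pdf.js",
     "sha256": "7a57c3bcbdfc2482505bcf4c20885c1288635f780667a5cf4c7f0804251dd719"},
    {"event": "process_create", "image": r"C:\Users\Admin\AppData\Local\Tempwinlogon.exe",
     "parent_image": r"C:\Windows\System32\WScript.exe"},
    {"event": "registry_set",
     "target": r"HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Images",
     "details": r"C:\ProgramData\images.exe"},
    {"event": "dns_query", "host": "chongmei33.publicvm.com"},
    {"event": "registry_set",  # benign control: vendor updater in Program Files
     "target": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VendorUpdater",
     "details": r'"C:\Program Files\Vendor\updater.exe" /quiet'},
]

if __name__ == "__main__":
    for index, rule in scan(SAMPLE_EVENTS):
        print(f"event {index}: {rule}")
```

The two rules that match this sample most specifically are the silent wscript.exe //B Run value and the Startup-folder .vbs; together with a script host spawning an executable out of AppData or ProgramData they describe the chain in the tree above. The run_key_user_writable_exe rule on its own is noisy, because legitimate per-user installers also register executables under AppData, so pair it with an allow-list or with one of the other rules before alerting.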
Network
MITRE ATT&CK Enterprise v15
Downloads
Each distinct file is listed once below with the number of times it appears in the report.

- Filesize: 98KB (listed 5 times)
  MD5: 20390c8434f741d1abee9c8d48248bdb
  SHA1: 10577df5ed0ecba6a3da8552d112bd5e00e793d2
  SHA256: ab87db3a4dc092240719fe8d9f0192b15dbeaa25ee21ef6607ef5e2cb6f775e3
  SHA512: e1cd502740eb8bc267c7ca61c1781225f598b17948b0c6f99d8495efb27181a34075b7b5a89b775e1b9ac7cccfb5f2cc32fb61dbdf8cda9ac795349745bdd98b
- Filesize: 323B (listed once)
  MD5: 149c2823b7eadbfb0a82388a2ab9494f
  SHA1: 415fe979ce5fd0064d2557a48745a3ed1a3fbf9c
  SHA256: 06fa5d4e7fbfb1efdc19baa034601a894b21cf729785732853ced4bb40aca869
  SHA512: f8fb6b7c93c4ab37f6e250ba8ac5c82f6e17fe52156cab81d34e91107d1da716b744bfe02ee0306497a3876d5352af789a1e66dab10e11e22065bac3050475fe
- Filesize: 2.0MB (listed 2 times)
  MD5: 57ce47f3c71f44a6e1270ba954ab3a9a
  SHA1: c01261f70f0b2ef9e39b9e2a5bf75743760967d4
  SHA256: 2379541bc38b9a61637cee49eb60d902b1af5e27bfa4f7885218308d1024cab4
  SHA512: 85a0b87a248ab50e678b49e622eb1311e2df2fae4a99dea318edde735bcff17e5724dbc71341c70aa62766e1f5f1e8f139ff583f84bf7d3ff5f6bd85002fa264
- Filesize: 196KB (listed once)
  MD5: 2725abf432ceeca35be3ac737c3f0847
  SHA1: 608ac3ed1248b3c35deec3ee55070d52b2c9d1a0
  SHA256: 6eaa55f7bd4117835ac0116d85b20fdcc35e1c461379dbac106d2c2c51d60516
  SHA512: a014a6c2a10f9efe9ca85f4da5505fb2eb6071342b7f4dce0b48446d4462ba26fc1e44a1ba9833d6ab623d2d75c0643c488e46d1995fb20bfd0ed8d8f517b0e2