Malware Analysis Report

2024-10-19 09:24

Sample ID: 230817-wvbvhabg78
Target:    ORDER-238175F.pdf.js
SHA256:    7a57c3bcbdfc2482505bcf4c20885c1288635f780667a5cf4c7f0804251dd719
Tags:      warzonerat wshrat infostealer persistence rat trojan
Score:     10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Enterprise Matrix V15
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score: 10/10

SHA256: 7a57c3bcbdfc2482505bcf4c20885c1288635f780667a5cf4c7f0804251dd719

Threat Level: Known bad

The file ORDER-238175F.pdf.js was found to be: Known bad.

Malicious Activity Summary

warzonerat wshrat infostealer persistence rat trojan

WSHRAT

WarzoneRat, AveMaria

Warzone RAT payload

Blocklisted process makes network request

Executes dropped EXE

Drops startup file

Adds Run key to start application

Looks up external IP address via web service

Enumerates physical storage devices

Modifies registry class

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2023-08-17 18:14

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted:        2023-08-17 18:14
Reported:         2023-08-17 18:16
Platform:         win7-20230712-en
Max time kernel:  119s
Max time network: 123s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\ORDER-238175F.pdf.js

Signatures

Blocklisted process makes network request

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\wscript.exe | N/A
N/A | N/A | C:\Windows\system32\wscript.exe | N/A
N/A | N/A | C:\Windows\system32\wscript.exe | N/A
N/A | N/A | C:\Windows\system32\wscript.exe | N/A

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\ORDER-238175F.pdf.js

Network

Country Destination Domain Proto
US 8.8.8.8:53 grapemundo.com udp
IN 103.50.163.157:443 grapemundo.com tcp
IN 103.50.163.157:443 grapemundo.com tcp
IN 103.50.163.157:443 grapemundo.com tcp
IN 103.50.163.157:443 grapemundo.com tcp

Files

N/A

Analysis: behavioral2

Detonation Overview

Submitted:        2023-08-17 18:14
Reported:         2023-08-17 18:17
Platform:         win10v2004-20230703-en
Max time kernel:  148s
Max time network: 159s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\ORDER-238175F.pdf.js

Signatures

WSHRAT
  tags: trojan wshrat

WarzoneRat, AveMaria
  tags: rat infostealer warzonerat

Warzone RAT payload
  tags: rat

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Drops startup file

Description | Indicator | Process | Target
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TGDEJN.vbs | C:\Windows\System32\WScript.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TGDEJN.vbs | C:\Windows\System32\WScript.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Tempwinlogon.exe | N/A
N/A | N/A | C:\ProgramData\images.exe | N/A

Adds Run key to start application

  tags: persistence

Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-4176143399-3250363947-192774652-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\TGDEJN = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Local\\Temp\\TGDEJN.vbs\"" | C:\Windows\System32\WScript.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\TGDEJN = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Local\\Temp\\TGDEJN.vbs\"" | C:\Windows\System32\WScript.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Images = "C:\\ProgramData\\images.exe" | C:\Users\Admin\AppData\Local\Tempwinlogon.exe | N/A

Looks up external IP address via web service

Description | Indicator | Process | Target
N/A | ip-api.com | N/A | N/A

Enumerates physical storage devices

Modifies registry class

Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-21-4176143399-3250363947-192774652-1000_Classes\Local Settings | C:\Windows\system32\wscript.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-4176143399-3250363947-192774652-1000_Classes\Local Settings | C:\Windows\System32\WScript.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 4564 wrote to memory of 4948 | N/A | C:\Windows\system32\wscript.exe | C:\Windows\System32\WScript.exe
PID 4564 wrote to memory of 4948 | N/A | C:\Windows\system32\wscript.exe | C:\Windows\System32\WScript.exe
PID 4948 wrote to memory of 4740 | N/A | C:\Windows\System32\WScript.exe | C:\Windows\System32\WScript.exe
PID 4948 wrote to memory of 4740 | N/A | C:\Windows\System32\WScript.exe | C:\Windows\System32\WScript.exe
PID 4740 wrote to memory of 4976 | N/A | C:\Windows\System32\WScript.exe | C:\Users\Admin\AppData\Local\Tempwinlogon.exe
PID 4740 wrote to memory of 4976 | N/A | C:\Windows\System32\WScript.exe | C:\Users\Admin\AppData\Local\Tempwinlogon.exe
PID 4740 wrote to memory of 4976 | N/A | C:\Windows\System32\WScript.exe | C:\Users\Admin\AppData\Local\Tempwinlogon.exe
PID 4976 wrote to memory of 1620 | N/A | C:\Users\Admin\AppData\Local\Tempwinlogon.exe | C:\ProgramData\images.exe
PID 4976 wrote to memory of 1620 | N/A | C:\Users\Admin\AppData\Local\Tempwinlogon.exe | C:\ProgramData\images.exe
PID 4976 wrote to memory of 1620 | N/A | C:\Users\Admin\AppData\Local\Tempwinlogon.exe | C:\ProgramData\images.exe
PID 1620 wrote to memory of 3044 | N/A | C:\ProgramData\images.exe | C:\Windows\SysWOW64\cmd.exe
PID 1620 wrote to memory of 3044 | N/A | C:\ProgramData\images.exe | C:\Windows\SysWOW64\cmd.exe
PID 1620 wrote to memory of 3044 | N/A | C:\ProgramData\images.exe | C:\Windows\SysWOW64\cmd.exe
PID 1620 wrote to memory of 3044 | N/A | C:\ProgramData\images.exe | C:\Windows\SysWOW64\cmd.exe
PID 1620 wrote to memory of 3044 | N/A | C:\ProgramData\images.exe | C:\Windows\SysWOW64\cmd.exe

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\ORDER-238175F.pdf.js

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\TGDEJN.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\aug.vbs"

C:\Users\Admin\AppData\Local\Tempwinlogon.exe

"C:\Users\Admin\AppData\Local\Tempwinlogon.exe"

C:\ProgramData\images.exe

"C:\ProgramData\images.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 grapemundo.com udp
IN 103.50.163.157:443 grapemundo.com tcp
US 8.8.8.8:53 157.163.50.103.in-addr.arpa udp
US 8.8.8.8:53 8.3.197.209.in-addr.arpa udp
US 8.8.8.8:53 208.194.73.20.in-addr.arpa udp
US 8.8.8.8:53 142.33.222.23.in-addr.arpa udp
US 8.8.8.8:53 170.25.221.88.in-addr.arpa udp
US 8.8.8.8:53 69.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 chongmei33.publicvm.com udp
SG 103.47.144.122:7045 chongmei33.publicvm.com tcp
US 8.8.8.8:53 1.112.95.208.in-addr.arpa udp
US 8.8.8.8:53 122.144.47.103.in-addr.arpa udp
SG 103.47.144.122:49746 chongmei33.publicvm.com tcp
US 8.8.8.8:53 59.128.231.4.in-addr.arpa udp
SG 103.47.144.122:7045 chongmei33.publicvm.com tcp
US 8.8.8.8:53 2.136.104.51.in-addr.arpa udp
SG 103.47.144.122:7045 chongmei33.publicvm.com tcp
SG 103.47.144.122:49746 chongmei33.publicvm.com tcp
SG 103.47.144.122:7045 chongmei33.publicvm.com tcp
SG 103.47.144.122:49746 chongmei33.publicvm.com tcp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
SG 103.47.144.122:7045 chongmei33.publicvm.com tcp
SG 103.47.144.122:49746 chongmei33.publicvm.com tcp
SG 103.47.144.122:7045 chongmei33.publicvm.com tcp
SG 103.47.144.122:7045 chongmei33.publicvm.com tcp
SG 103.47.144.122:49746 chongmei33.publicvm.com tcp
SG 103.47.144.122:7045 chongmei33.publicvm.com tcp
SG 103.47.144.122:49746 chongmei33.publicvm.com tcp
SG 103.47.144.122:7045 chongmei33.publicvm.com tcp
SG 103.47.144.122:49746 chongmei33.publicvm.com tcp
SG 103.47.144.122:7045 chongmei33.publicvm.com tcp
SG 103.47.144.122:7045 chongmei33.publicvm.com tcp
US 8.8.8.8:53 chongmei33.publicvm.com udp
SG 103.47.144.122:49746 chongmei33.publicvm.com tcp
SG 103.47.144.122:7045 chongmei33.publicvm.com tcp
SG 103.47.144.122:49746 chongmei33.publicvm.com tcp
SG 103.47.144.122:7045 chongmei33.publicvm.com tcp
SG 103.47.144.122:7045 chongmei33.publicvm.com tcp
US 8.8.8.8:53 73.254.224.20.in-addr.arpa udp
SG 103.47.144.122:49746 chongmei33.publicvm.com tcp
SG 103.47.144.122:7045 chongmei33.publicvm.com tcp
SG 103.47.144.122:7045 chongmei33.publicvm.com tcp
SG 103.47.144.122:7045 chongmei33.publicvm.com tcp
SG 103.47.144.122:7045 chongmei33.publicvm.com tcp
SG 103.47.144.122:49746 chongmei33.publicvm.com tcp
SG 103.47.144.122:7045 chongmei33.publicvm.com tcp
SG 103.47.144.122:49746 chongmei33.publicvm.com tcp
SG 103.47.144.122:7045 chongmei33.publicvm.com tcp
SG 103.47.144.122:7045 chongmei33.publicvm.com tcp
SG 103.47.144.122:49746 chongmei33.publicvm.com tcp
SG 103.47.144.122:7045 chongmei33.publicvm.com tcp
SG 103.47.144.122:49746 chongmei33.publicvm.com tcp
SG 103.47.144.122:7045 chongmei33.publicvm.com tcp
US 8.8.8.8:53 27.73.42.20.in-addr.arpa udp
SG 103.47.144.122:7045 chongmei33.publicvm.com tcp
SG 103.47.144.122:49746 chongmei33.publicvm.com tcp
SG 103.47.144.122:7045 chongmei33.publicvm.com tcp

Files

C:\Users\Admin\AppData\Local\Temp\TGDEJN.vbs

MD5 57ce47f3c71f44a6e1270ba954ab3a9a
SHA1 c01261f70f0b2ef9e39b9e2a5bf75743760967d4
SHA256 2379541bc38b9a61637cee49eb60d902b1af5e27bfa4f7885218308d1024cab4
SHA512 85a0b87a248ab50e678b49e622eb1311e2df2fae4a99dea318edde735bcff17e5724dbc71341c70aa62766e1f5f1e8f139ff583f84bf7d3ff5f6bd85002fa264

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TGDEJN.vbs

MD5 57ce47f3c71f44a6e1270ba954ab3a9a
SHA1 c01261f70f0b2ef9e39b9e2a5bf75743760967d4
SHA256 2379541bc38b9a61637cee49eb60d902b1af5e27bfa4f7885218308d1024cab4
SHA512 85a0b87a248ab50e678b49e622eb1311e2df2fae4a99dea318edde735bcff17e5724dbc71341c70aa62766e1f5f1e8f139ff583f84bf7d3ff5f6bd85002fa264

C:\Users\Admin\AppData\Local\Temp\aug.vbs

MD5 2725abf432ceeca35be3ac737c3f0847
SHA1 608ac3ed1248b3c35deec3ee55070d52b2c9d1a0
SHA256 6eaa55f7bd4117835ac0116d85b20fdcc35e1c461379dbac106d2c2c51d60516
SHA512 a014a6c2a10f9efe9ca85f4da5505fb2eb6071342b7f4dce0b48446d4462ba26fc1e44a1ba9833d6ab623d2d75c0643c488e46d1995fb20bfd0ed8d8f517b0e2

C:\Users\Admin\AppData\Local\Tempwinlogon.exe

MD5 20390c8434f741d1abee9c8d48248bdb
SHA1 10577df5ed0ecba6a3da8552d112bd5e00e793d2
SHA256 ab87db3a4dc092240719fe8d9f0192b15dbeaa25ee21ef6607ef5e2cb6f775e3
SHA512 e1cd502740eb8bc267c7ca61c1781225f598b17948b0c6f99d8495efb27181a34075b7b5a89b775e1b9ac7cccfb5f2cc32fb61dbdf8cda9ac795349745bdd98b

C:\Users\Admin\AppData\Local\Tempwinlogon.exe

MD5 20390c8434f741d1abee9c8d48248bdb
SHA1 10577df5ed0ecba6a3da8552d112bd5e00e793d2
SHA256 ab87db3a4dc092240719fe8d9f0192b15dbeaa25ee21ef6607ef5e2cb6f775e3
SHA512 e1cd502740eb8bc267c7ca61c1781225f598b17948b0c6f99d8495efb27181a34075b7b5a89b775e1b9ac7cccfb5f2cc32fb61dbdf8cda9ac795349745bdd98b

C:\Users\Admin\AppData\Local\Tempwinlogon.exe

MD5 20390c8434f741d1abee9c8d48248bdb
SHA1 10577df5ed0ecba6a3da8552d112bd5e00e793d2
SHA256 ab87db3a4dc092240719fe8d9f0192b15dbeaa25ee21ef6607ef5e2cb6f775e3
SHA512 e1cd502740eb8bc267c7ca61c1781225f598b17948b0c6f99d8495efb27181a34075b7b5a89b775e1b9ac7cccfb5f2cc32fb61dbdf8cda9ac795349745bdd98b

C:\ProgramData\images.exe

MD5 20390c8434f741d1abee9c8d48248bdb
SHA1 10577df5ed0ecba6a3da8552d112bd5e00e793d2
SHA256 ab87db3a4dc092240719fe8d9f0192b15dbeaa25ee21ef6607ef5e2cb6f775e3
SHA512 e1cd502740eb8bc267c7ca61c1781225f598b17948b0c6f99d8495efb27181a34075b7b5a89b775e1b9ac7cccfb5f2cc32fb61dbdf8cda9ac795349745bdd98b

C:\ProgramData\images.exe

MD5 20390c8434f741d1abee9c8d48248bdb
SHA1 10577df5ed0ecba6a3da8552d112bd5e00e793d2
SHA256 ab87db3a4dc092240719fe8d9f0192b15dbeaa25ee21ef6607ef5e2cb6f775e3
SHA512 e1cd502740eb8bc267c7ca61c1781225f598b17948b0c6f99d8495efb27181a34075b7b5a89b775e1b9ac7cccfb5f2cc32fb61dbdf8cda9ac795349745bdd98b

memory/3044-163-0x0000000000D60000-0x0000000000D61000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\GVVED0TI\json[1].json

MD5 149c2823b7eadbfb0a82388a2ab9494f
SHA1 415fe979ce5fd0064d2557a48745a3ed1a3fbf9c
SHA256 06fa5d4e7fbfb1efdc19baa034601a894b21cf729785732853ced4bb40aca869
SHA512 f8fb6b7c93c4ab37f6e250ba8ac5c82f6e17fe52156cab81d34e91107d1da716b744bfe02ee0306497a3876d5352af789a1e66dab10e11e22065bac3050475fe