Overview

overview

10

Static

static

Pallet Mou...622.js

windows7_x64

10

Pallet Mou...622.js

windows10-2004_x64

10

Analysis

  • max time kernel
    150s
  • max time network
    152s
  • platform
    windows7_x64
  • resource
    win7-20220414-en
  • submitted
    23-06-2022 05:58

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Pallet Mould MMS Request Order-220622.js

  • Size

    323KB

  • MD5

    73a4f7e471f47640742447c9613248cb

  • SHA1

    bd554c8f425a9f688ab08917deac4a01d8812047

  • SHA256

    64e720c53e8c90e2fb1bf2480637cd245fbf71b2e1ce3f419bb062352d21a767

  • SHA512

    d48146902099a0c941bc52685dd4f4d0fab32b2d0d2ec8186616d01b19ee440b1880ba51cac02c5603c6163eea08798407e6949decbcfeb9781da3caf773cf4f

Score
10/10
redlinevjw0rmfirstfilediscoveryinfostealerpersistencespywarestealersuricatatrojanworm

Malware Config

Extracted

Family

redline

Botnet

firstfile

C2

103.153.79.195:24688

Signatures

  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine Payload 3 IoCs
  • Vjw0rm

    Vjw0rm is a remote access trojan written in JavaScript.

    trojanwormvjw0rm
  • suricata: ET MALWARE EXE Download Request To Wordpress Folder Likely Malicious

    suricata: ET MALWARE EXE Download Request To Wordpress Folder Likely Malicious

    suricata
  • suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile

    suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile

    suricata
  • Blocklisted process makes network request 20 IoCs
  • Downloads MZ/PE file
  • Executes dropped EXE 1 IoCs
  • Drops startup file 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 7 IoCs

Processes

  • C:\Windows\system32\wscript.exe
    wscript.exe "C:\Users\Admin\AppData\Local\Temp\Pallet Mould MMS Request Order-220622.js"
    1⤵
    • Blocklisted process makes network request
    • Suspicious use of WriteProcessMemory
    PID:1672
    • C:\Windows\System32\wscript.exe
      "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\cTCbdmxVaY.js"
      2⤵
      • Blocklisted process makes network request
      • Drops startup file
      • Adds Run key to start application
      PID:1540
    • C:\Users\Admin\AppData\Local\Temp\ot.exe
      "C:\Users\Admin\AppData\Local\Temp\ot.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1160

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\ot.exe
    Filesize

    95KB

    MD5

    c50bf647703bcc0dff7ac82bec360565

    SHA1

    50ed555e1b6db733c1536931958c33e77c5817d6

    SHA256

    1699f740bdcdb3778ca69d53dc9c5fa58edfe1a610cbaa935c40ac73f0c0bad2

    SHA512

    81a3442c45b6b4d450cdb6fe03c406f99018b8f9faf378f9f1f35f8893d91bf7f1d5dcbae464b82e83ce529634c6ad6ceefa1369ce337c57c8aca737937f31c0

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\ot.exe
    Filesize

    95KB

    MD5

    c50bf647703bcc0dff7ac82bec360565

    SHA1

    50ed555e1b6db733c1536931958c33e77c5817d6

    SHA256

    1699f740bdcdb3778ca69d53dc9c5fa58edfe1a610cbaa935c40ac73f0c0bad2

    SHA512

    81a3442c45b6b4d450cdb6fe03c406f99018b8f9faf378f9f1f35f8893d91bf7f1d5dcbae464b82e83ce529634c6ad6ceefa1369ce337c57c8aca737937f31c0

    Download Submit
  • C:\Users\Admin\AppData\Roaming\cTCbdmxVaY.js
    Filesize

    117KB

    MD5

    6f9a6d27e187b06e52400a4706bb8534

    SHA1

    287e663903d52b0cfb261826cf4c16948149aae7

    SHA256

    d7504dcb980027e4c2d23b2fe2594294e2ad424ed9c33b58496d39bde5c05d44

    SHA512

    c69ed1e4e59bc4ca19b52551cb5533921e952005fda3c8b824584c8274175dc1a1bc573cd71d373e2c496e14c0aa01ebbde222fa1aeb787bd9e82c7278ffbfb4

    Download Submit
  • memory/1160-58-0x0000000000000000-mapping.dmp
    Download
  • memory/1160-61-0x00000000000A0000-0x00000000000BE000-memory.dmp
    Filesize

    120KB

    Download
  • memory/1160-62-0x00000000753B1000-0x00000000753B3000-memory.dmp
    Filesize

    8KB

    Download
  • memory/1540-55-0x0000000000000000-mapping.dmp
    Download
  • memory/1672-54-0x000007FEFBAA1000-0x000007FEFBAA3000-memory.dmp
    Filesize

    8KB

    Download