Analysis
-
max time kernel
150s -
max time network
153s -
platform
windows7_x64 -
resource
win7-20220414-en -
submitted
24-06-2022 08:34
Static task
static1
Behavioral task
behavioral1
Sample
RFQ#248.js
Resource
win7-20220414-en
General
-
Target
RFQ#248.js
-
Size
17KB
-
MD5
4239843daed582c191b581c62ad736da
-
SHA1
175e30808638fe5a79a80fb5ac96d8f3dad0888f
-
SHA256
abea4af360549efab1f16bc0d7a243a4e4597c61ee549e98a147c6f2c9db42d0
-
SHA512
8491910ff5aacfb454bdc1b95f8f1cd0a9156179ebb5409101b0ce8a4edc32cd8ed908651b6764dfde16753fb6e4a8b55c9f7243122a32e2a1b14bb7eb0932a2
Malware Config
Extracted
redline
moneyguy
45.137.22.113:59036
Signatures
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine Payload 3 IoCs
Processes:
resource yara_rule C:\Users\Admin\AppData\Local\Temp\pr.exe family_redline C:\Users\Admin\AppData\Local\Temp\pr.exe family_redline behavioral1/memory/520-61-0x0000000000C30000-0x0000000000C4E000-memory.dmp family_redline -
suricata: ET MALWARE EXE Download Request To Wordpress Folder Likely Malicious
suricata: ET MALWARE EXE Download Request To Wordpress Folder Likely Malicious
-
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
-
Blocklisted process makes network request 9 IoCs
Processes:
wscript.exewscript.exeflow pid process 5 1684 wscript.exe 8 904 wscript.exe 10 1684 wscript.exe 11 1684 wscript.exe 12 1684 wscript.exe 17 904 wscript.exe 22 904 wscript.exe 26 904 wscript.exe 29 904 wscript.exe -
Downloads MZ/PE file
-
Executes dropped EXE 1 IoCs
Processes:
pr.exepid process 520 pr.exe -
Drops startup file 2 IoCs
Processes:
wscript.exedescription ioc process File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MQaBnASytN.js wscript.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MQaBnASytN.js wscript.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 2 IoCs
Processes:
wscript.exedescription ioc process Key created \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Windows\CurrentVersion\Run wscript.exe Set value (str) \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Windows\CurrentVersion\Run\YVBPFHTJIQ = "\"C:\\Users\\Admin\\AppData\\Roaming\\MQaBnASytN.js\"" wscript.exe -
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes:
pr.exepid process 520 pr.exe 520 pr.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
pr.exedescription pid process Token: SeDebugPrivilege 520 pr.exe -
Suspicious use of WriteProcessMemory 7 IoCs
Processes:
wscript.exedescription pid process target process PID 1684 wrote to memory of 904 1684 wscript.exe wscript.exe PID 1684 wrote to memory of 904 1684 wscript.exe wscript.exe PID 1684 wrote to memory of 904 1684 wscript.exe wscript.exe PID 1684 wrote to memory of 520 1684 wscript.exe pr.exe PID 1684 wrote to memory of 520 1684 wscript.exe pr.exe PID 1684 wrote to memory of 520 1684 wscript.exe pr.exe PID 1684 wrote to memory of 520 1684 wscript.exe pr.exe
Processes
-
C:\Windows\system32\wscript.exewscript.exe C:\Users\Admin\AppData\Local\Temp\RFQ#248.js1⤵
- Blocklisted process makes network request
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\wscript.exe"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\MQaBnASytN.js"2⤵
- Blocklisted process makes network request
- Drops startup file
- Adds Run key to start application
-
C:\Users\Admin\AppData\Local\Temp\pr.exe"C:\Users\Admin\AppData\Local\Temp\pr.exe"2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\pr.exeFilesize
95KB
MD50ee0b6acb97539cab3193db9e342eb47
SHA19b68ffabab2cfa01911f7a85d367349ae9954b7e
SHA256165767c87876253a9f95bc650faba1540477f448e2701a2d8710e2d7867bf899
SHA512c0d595db02d2683d116934e05bd6097ac960de528d9abcdee890d07c8950b21748922d820619fbb0ce5c39bed49c550e529fd71d4feebd1018e3754b166c00ff
-
C:\Users\Admin\AppData\Local\Temp\pr.exeFilesize
95KB
MD50ee0b6acb97539cab3193db9e342eb47
SHA19b68ffabab2cfa01911f7a85d367349ae9954b7e
SHA256165767c87876253a9f95bc650faba1540477f448e2701a2d8710e2d7867bf899
SHA512c0d595db02d2683d116934e05bd6097ac960de528d9abcdee890d07c8950b21748922d820619fbb0ce5c39bed49c550e529fd71d4feebd1018e3754b166c00ff
-
C:\Users\Admin\AppData\Roaming\MQaBnASytN.jsFilesize
7KB
MD5bc1f5653b82ecd30d7a49224dfcbb392
SHA1b42b89a411527521e126e8837cc2f1dad015d78f
SHA256fbfc81f2c862e9953e61426e6c90055dd15563df151839ff7d67e1f00178ff70
SHA512d2d0299811854eeb1db0baf795f4112df9098f244f75335cc0001d229d8abef953bbfb1b0d9b4e2ca7025abdac608d872b37cfbc9d039a653a39a9bd1c2834dd
-
memory/520-58-0x0000000000000000-mapping.dmp
-
memory/520-61-0x0000000000C30000-0x0000000000C4E000-memory.dmpFilesize
120KB
-
memory/520-62-0x0000000076431000-0x0000000076433000-memory.dmpFilesize
8KB
-
memory/904-55-0x0000000000000000-mapping.dmp
-
memory/1684-54-0x000007FEFBCC1000-0x000007FEFBCC3000-memory.dmpFilesize
8KB