Analysis
-
max time kernel
150s -
max time network
152s -
platform
windows10-2004_x64 -
resource
win10v2004-20220414-en -
submitted
24-06-2022 08:34
Static task
static1
Behavioral task
behavioral1
Sample
RFQ#248.js
Resource
win7-20220414-en
General
-
Target
RFQ#248.js
-
Size
17KB
-
MD5
4239843daed582c191b581c62ad736da
-
SHA1
175e30808638fe5a79a80fb5ac96d8f3dad0888f
-
SHA256
abea4af360549efab1f16bc0d7a243a4e4597c61ee549e98a147c6f2c9db42d0
-
SHA512
8491910ff5aacfb454bdc1b95f8f1cd0a9156179ebb5409101b0ce8a4edc32cd8ed908651b6764dfde16753fb6e4a8b55c9f7243122a32e2a1b14bb7eb0932a2
Malware Config
Extracted
redline
moneyguy
45.137.22.113:59036
Signatures
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine Payload 3 IoCs
Processes:
resource yara_rule C:\Users\Admin\AppData\Local\Temp\pr.exe family_redline C:\Users\Admin\AppData\Local\Temp\pr.exe family_redline behavioral2/memory/4556-135-0x0000000000A20000-0x0000000000A3E000-memory.dmp family_redline -
suricata: ET MALWARE EXE Download Request To Wordpress Folder Likely Malicious
suricata: ET MALWARE EXE Download Request To Wordpress Folder Likely Malicious
-
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
-
Blocklisted process makes network request 10 IoCs
Processes:
wscript.exewscript.exeflow pid process 4 3124 wscript.exe 6 3124 wscript.exe 8 3124 wscript.exe 10 3660 wscript.exe 12 3124 wscript.exe 29 3660 wscript.exe 57 3660 wscript.exe 96 3660 wscript.exe 172 3660 wscript.exe 190 3660 wscript.exe -
Downloads MZ/PE file
-
Executes dropped EXE 1 IoCs
Processes:
pr.exepid process 4556 pr.exe -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
wscript.exedescription ioc process Key value queried \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation wscript.exe -
Drops startup file 2 IoCs
Processes:
wscript.exedescription ioc process File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MQaBnASytN.js wscript.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MQaBnASytN.js wscript.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 2 IoCs
Processes:
wscript.exedescription ioc process Key created \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Windows\CurrentVersion\Run wscript.exe Set value (str) \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\YVBPFHTJIQ = "\"C:\\Users\\Admin\\AppData\\Roaming\\MQaBnASytN.js\"" wscript.exe -
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes:
pr.exepid process 4556 pr.exe 4556 pr.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
pr.exedescription pid process Token: SeDebugPrivilege 4556 pr.exe -
Suspicious use of WriteProcessMemory 5 IoCs
Processes:
wscript.exedescription pid process target process PID 3124 wrote to memory of 3660 3124 wscript.exe wscript.exe PID 3124 wrote to memory of 3660 3124 wscript.exe wscript.exe PID 3124 wrote to memory of 4556 3124 wscript.exe pr.exe PID 3124 wrote to memory of 4556 3124 wscript.exe pr.exe PID 3124 wrote to memory of 4556 3124 wscript.exe pr.exe
Processes
-
C:\Windows\system32\wscript.exewscript.exe C:\Users\Admin\AppData\Local\Temp\RFQ#248.js1⤵
- Blocklisted process makes network request
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3124 -
C:\Windows\System32\wscript.exe"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\MQaBnASytN.js"2⤵
- Blocklisted process makes network request
- Drops startup file
- Adds Run key to start application
PID:3660 -
C:\Users\Admin\AppData\Local\Temp\pr.exe"C:\Users\Admin\AppData\Local\Temp\pr.exe"2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4556
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\pr.exeFilesize
95KB
MD50ee0b6acb97539cab3193db9e342eb47
SHA19b68ffabab2cfa01911f7a85d367349ae9954b7e
SHA256165767c87876253a9f95bc650faba1540477f448e2701a2d8710e2d7867bf899
SHA512c0d595db02d2683d116934e05bd6097ac960de528d9abcdee890d07c8950b21748922d820619fbb0ce5c39bed49c550e529fd71d4feebd1018e3754b166c00ff
-
C:\Users\Admin\AppData\Local\Temp\pr.exeFilesize
95KB
MD50ee0b6acb97539cab3193db9e342eb47
SHA19b68ffabab2cfa01911f7a85d367349ae9954b7e
SHA256165767c87876253a9f95bc650faba1540477f448e2701a2d8710e2d7867bf899
SHA512c0d595db02d2683d116934e05bd6097ac960de528d9abcdee890d07c8950b21748922d820619fbb0ce5c39bed49c550e529fd71d4feebd1018e3754b166c00ff
-
C:\Users\Admin\AppData\Roaming\MQaBnASytN.jsFilesize
7KB
MD5bc1f5653b82ecd30d7a49224dfcbb392
SHA1b42b89a411527521e126e8837cc2f1dad015d78f
SHA256fbfc81f2c862e9953e61426e6c90055dd15563df151839ff7d67e1f00178ff70
SHA512d2d0299811854eeb1db0baf795f4112df9098f244f75335cc0001d229d8abef953bbfb1b0d9b4e2ca7025abdac608d872b37cfbc9d039a653a39a9bd1c2834dd
-
memory/3660-130-0x0000000000000000-mapping.dmp
-
memory/4556-138-0x0000000005400000-0x000000000543C000-memory.dmpFilesize
240KB
-
memory/4556-135-0x0000000000A20000-0x0000000000A3E000-memory.dmpFilesize
120KB
-
memory/4556-136-0x0000000005B30000-0x0000000006148000-memory.dmpFilesize
6.1MB
-
memory/4556-137-0x00000000053A0000-0x00000000053B2000-memory.dmpFilesize
72KB
-
memory/4556-132-0x0000000000000000-mapping.dmp
-
memory/4556-139-0x00000000056B0000-0x00000000057BA000-memory.dmpFilesize
1.0MB
-
memory/4556-140-0x00000000069A0000-0x0000000006B62000-memory.dmpFilesize
1.8MB
-
memory/4556-141-0x00000000070A0000-0x00000000075CC000-memory.dmpFilesize
5.2MB
-
memory/4556-142-0x0000000006920000-0x0000000006986000-memory.dmpFilesize
408KB
-
memory/4556-143-0x0000000007B80000-0x0000000008124000-memory.dmpFilesize
5.6MB
-
memory/4556-144-0x0000000006EA0000-0x0000000006F32000-memory.dmpFilesize
584KB
-
memory/4556-145-0x0000000006FC0000-0x0000000007036000-memory.dmpFilesize
472KB
-
memory/4556-146-0x0000000007060000-0x000000000707E000-memory.dmpFilesize
120KB