Analysis
max time kernel: 135s
max time network: 142s
platform: windows7_x64
resource: win7-20220414-en
submitted: 24-06-2022 08:40

Static task: static1
Behavioral task: behavioral1
Sample: QUOTE .js
Resource: win7-20220414-en
General
Target: QUOTE .js
Size: 17KB
MD5: d6b787f507ee09398e2011a56d184699
SHA1: d34ad5be20b28078dff0e74a6deadb8198b79503
SHA256: ee23aac95e9bf15da275f635fe526a244290b84b92217fc99706dca802693f72
SHA512: fc74b69ee7f1de5b7bb386885e37836d7ea783f47ad1cb1515f2a5c56aa4320c48882cd7fffe522aee22e454a8ec7646d655738d9d2b94c2cc47487a8c617c35
Malware Config
Extracted
redline
bigcash
45.137.22.137:37747
Signatures
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine Payload 3 IoCs
Processes:
resource                                                                   yara_rule
C:\Users\Admin\AppData\Local\Temp\em.exe                                   family_redline
C:\Users\Admin\AppData\Local\Temp\em.exe                                   family_redline
behavioral1/memory/1812-61-0x0000000000F60000-0x0000000000F7E000-memory.dmp  family_redline
-
suricata: ET MALWARE EXE Download Request To Wordpress Folder Likely Malicious
-
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
-
Blocklisted process makes network request 6 IoCs
Processes:
flow  pid   process
5     1968  wscript.exe
8     1036  wscript.exe
14    1036  wscript.exe
18    1036  wscript.exe
21    1036  wscript.exe
24    1036  wscript.exe
-
Downloads MZ/PE file
-
Executes dropped EXE 1 IoCs
Processes:
pid   process
1812  em.exe
-
Drops startup file 2 IoCs
Processes:
description                   ioc                                                                                          process
File created                  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\weVXcANTow.js  wscript.exe
File opened for modification  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\weVXcANTow.js  wscript.exe
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 2 IoCs
Processes:
description      ioc                                                                                                                                                                    process
Key created      \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Windows\CurrentVersion\Run                                                             wscript.exe
Set value (str)  \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Windows\CurrentVersion\Run\YVBPFHTJIQ = "\"C:\\Users\\Admin\\AppData\\Roaming\\weVXcANTow.js\""  wscript.exe
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes:
pid   process
1812  em.exe
1812  em.exe
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
description              pid   process
Token: SeDebugPrivilege  1812  em.exe
-
Suspicious use of WriteProcessMemory 7 IoCs
Processes:
description                         pid   process      target process
PID 1968 wrote to memory of 1036    1968  wscript.exe  wscript.exe
PID 1968 wrote to memory of 1036    1968  wscript.exe  wscript.exe
PID 1968 wrote to memory of 1036    1968  wscript.exe  wscript.exe
PID 1968 wrote to memory of 1812    1968  wscript.exe  em.exe
PID 1968 wrote to memory of 1812    1968  wscript.exe  em.exe
PID 1968 wrote to memory of 1812    1968  wscript.exe  em.exe
PID 1968 wrote to memory of 1812    1968  wscript.exe  em.exe
Processes
-
C:\Windows\system32\wscript.exe (depth 1)
Command line: wscript.exe "C:\Users\Admin\AppData\Local\Temp\QUOTE .js"
- Blocklisted process makes network request
- Suspicious use of WriteProcessMemory
PID: 1968
-
  C:\Windows\System32\wscript.exe (depth 2)
  Command line: "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\weVXcANTow.js"
  - Blocklisted process makes network request
  - Drops startup file
  - Adds Run key to start application
  PID: 1036
-
  C:\Users\Admin\AppData\Local\Temp\em.exe (depth 2)
  Command line: "C:\Users\Admin\AppData\Local\Temp\em.exe"
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 1812
Network
MITRE ATT&CK Enterprise v6
Downloads
-
C:\Users\Admin\AppData\Local\Temp\em.exe
Filesize: 95KB
MD5: 8a428a10e4b3a287b2da89c990faec37
SHA1: e431372ada47439b2389ccb6cb9a22813aafd3a0
SHA256: 1994587aad261a1b99d6b9f4c317a5def389344142609065cf1a7ddf668686f4
SHA512: 24b89a2df88f97f83586852b053ad9c8c1e879ff4d2605b74f2ddcd978f706fc501c0967fcf0841f45890bf1fbec46cab56a41fbe3d5541ed662295965b0a98d
-
C:\Users\Admin\AppData\Roaming\weVXcANTow.js
Filesize: 7KB
MD5: f89eb26fbbf0c45cd8435cbed357bd70
SHA1: b3169b13684f25e8a2a54121e28abbfd78d6a811
SHA256: 3ea50a531f40f6b3953930b14aefb043da2de693cce57194a9a6e6787c7b26d3
SHA512: 378b2f3d7783507447993ab0616d351c5a7e2c4ffdb4cde7889fdcac25f8bf74fb14cd0782c9a92a81d177c8e9460ad600e633669ce2085bf950ccf33f577784
-
memory/1036-55-0x0000000000000000-mapping.dmp
-
memory/1812-58-0x0000000000000000-mapping.dmp
-
memory/1812-61-0x0000000000F60000-0x0000000000F7E000-memory.dmp
Filesize: 120KB
-
memory/1812-62-0x0000000075EF1000-0x0000000075EF3000-memory.dmp
Filesize: 8KB
-
memory/1968-54-0x000007FEFBD01000-0x000007FEFBD03000-memory.dmp
Filesize: 8KB