Analysis

max time kernel: 152s
max time network: 162s
platform: windows10-2004_x64
resource: win10v2004-20220414-en
submitted: 24-06-2022 08:40

Static task: static1
Behavioral task: behavioral1
Sample: QUOTE .js
Resource: win7-20220414-en
General

Target: QUOTE .js
Size: 17KB
MD5: d6b787f507ee09398e2011a56d184699
SHA1: d34ad5be20b28078dff0e74a6deadb8198b79503
SHA256: ee23aac95e9bf15da275f635fe526a244290b84b92217fc99706dca802693f72
SHA512: fc74b69ee7f1de5b7bb386885e37836d7ea783f47ad1cb1515f2a5c56aa4320c48882cd7fffe522aee22e454a8ec7646d655738d9d2b94c2cc47487a8c617c35
Malware Config

Extracted
Family: redline
Botnet: bigcash
C2: 45.137.22.137:37747
Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

RedLine Payload (3 IoCs)
resource | yara_rule
C:\Users\Admin\AppData\Local\Temp\em.exe | family_redline
C:\Users\Admin\AppData\Local\Temp\em.exe | family_redline
behavioral2/memory/4376-135-0x0000000000600000-0x000000000061E000-memory.dmp | family_redline

suricata: ET MALWARE EXE Download Request To Wordpress Folder Likely Malicious

suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
Blocklisted process makes network request (7 IoCs)
flow | pid | process
6 | 2156 | wscript.exe
8 | 920 | wscript.exe
30 | 920 | wscript.exe
38 | 920 | wscript.exe
42 | 920 | wscript.exe
43 | 920 | wscript.exe
44 | 920 | wscript.exe
Downloads MZ/PE file

Executes dropped EXE (1 IoC)
pid | process
4376 | em.exe
Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely a geofence check.
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation | wscript.exe
Drops startup file (2 IoCs)
description | ioc | process
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\weVXcANTow.js | wscript.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\weVXcANTow.js | wscript.exe
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials, cookies and autofill data.

Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)
Adds Run key to start application (2 TTPs, 2 IoCs)
description | ioc | process
Set value (str) | \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\YVBPFHTJIQ = "\"C:\\Users\\Admin\\AppData\\Roaming\\weVXcANTow.js\"" | wscript.exe
Key created | \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Windows\CurrentVersion\Run | wscript.exe
Checks installed software on the system (1 TTP)
Looks up Uninstall key entries in the registry to enumerate software on the system.

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). The sandbox's generic description for this signature calls it likely ransomware behaviour; for a sample otherwise classified as a RedLine infostealer, drive enumeration is more consistent with host profiling and file collection, and no file-encryption activity is reported anywhere else in this analysis.
Suspicious behavior: EnumeratesProcesses (2 IoCs)
pid | process
4376 | em.exe
4376 | em.exe

Suspicious use of AdjustPrivilegeToken (1 IoC)
description | pid | process
Token: SeDebugPrivilege | 4376 | em.exe

Suspicious use of WriteProcessMemory (5 IoCs)
description | pid | process | target process
PID 2156 wrote to memory of 920 | 2156 | wscript.exe | wscript.exe
PID 2156 wrote to memory of 920 | 2156 | wscript.exe | wscript.exe
PID 2156 wrote to memory of 4376 | 2156 | wscript.exe | em.exe
PID 2156 wrote to memory of 4376 | 2156 | wscript.exe | em.exe
PID 2156 wrote to memory of 4376 | 2156 | wscript.exe | em.exe
Processes

- C:\Windows\system32\wscript.exe
  Command line: wscript.exe "C:\Users\Admin\AppData\Local\Temp\QUOTE .js"
  PID: 2156
  - Blocklisted process makes network request
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory

  - C:\Windows\System32\wscript.exe
    Command line: "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\weVXcANTow.js"
    PID: 920
    - Blocklisted process makes network request
    - Drops startup file
    - Adds Run key to start application

  - C:\Users\Admin\AppData\Local\Temp\em.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\em.exe"
    PID: 4376
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
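The process tree above, together with the Run key and Startup-folder entries in the Signatures section, describes a chain that is easy to express as detection logic: a script host (wscript.exe) running a .js from Temp or Roaming, a second wscript.exe launched with //B, a dropped .exe started from Temp, a Run value pointing at a script under AppData, and a script written to the Startup folder. The following is an added example, not part of the sandbox report and not code from the sandbox vendor, that replays those behaviours against constructed Sysmon-style events. The event field names (EventID, Image, CommandLine, ParentImage, TargetObject, Details, TargetFilename) follow Sysmon's; the sample events are constructed by hand from the values in this report, the ParentImage of the first wscript.exe (explorer.exe) is an assumption, and the two benign events are invented controls.

```python
"""Flag the JS-loader / dropper chain from Sysmon-style events (added example)."""
import re
from typing import Callable, Dict, List, Tuple

# Sysmon event IDs used by this example.
EID_PROCESS_CREATE = 1
EID_FILE_CREATE = 11
EID_REG_VALUE_SET = 13

SCRIPT_HOST = re.compile(r"\\(wscript|cscript)\.exe$", re.I)
USER_WRITABLE = re.compile(r"\\AppData\\(Local\\Temp|Roaming)\\", re.I)
SCRIPT_EXT = re.compile(r"\.(js|jse|vbs|vbe|wsf)\b", re.I)
BATCH_FLAG = re.compile(r"(^|\s)//B(\s|$)", re.I)  # WSH batch mode: no error dialogs
RUN_KEY = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\", re.I)
STARTUP_DIR = re.compile(r"\\Start Menu\\Programs\\Startup\\", re.I)

Event = Dict[str, object]
Finding = Tuple[int, str]  # (index of the offending event, reason)


def _process_reasons(ev: Event) -> List[str]:
    image = str(ev.get("Image", ""))
    cmd = str(ev.get("CommandLine", ""))
    parent = str(ev.get("ParentImage", ""))
    reasons: List[str] = []
    if SCRIPT_HOST.search(image) and SCRIPT_EXT.search(cmd) and USER_WRITABLE.search(cmd):
        reasons.append("script host running a script from a user-writable directory")
        if BATCH_FLAG.search(cmd):
            reasons.append("script host invoked with //B (batch mode hides script errors and prompts)")
    if SCRIPT_HOST.search(parent) and image.lower().endswith(".exe") and USER_WRITABLE.search(image):
        reasons.append("script host launched an executable from Temp/Roaming")
    return reasons


def _registry_reasons(ev: Event) -> List[str]:
    target = str(ev.get("TargetObject", ""))
    details = str(ev.get("Details", ""))
    if RUN_KEY.search(target) and SCRIPT_EXT.search(details) and USER_WRITABLE.search(details):
        return ["Run key points at a script under AppData (persistence)"]
    return []


def _file_reasons(ev: Event) -> List[str]:
    path = str(ev.get("TargetFilename", ""))
    if STARTUP_DIR.search(path) and SCRIPT_EXT.search(path):
        return ["script written to the Startup folder (persistence)"]
    return []


HANDLERS: Dict[int, Callable[[Event], List[str]]] = {
    EID_PROCESS_CREATE: _process_reasons,
    EID_REG_VALUE_SET: _registry_reasons,
    EID_FILE_CREATE: _file_reasons,
}


def scan(events: List[Event]) -> List[Finding]:
    """Return (event index, reason) for every rule an event trips."""
    findings: List[Finding] = []
    for i, ev in enumerate(events):
        handler = HANDLERS.get(int(ev.get("EventID", 0)), lambda _e: [])
        findings.extend((i, reason) for reason in handler(ev))
    return findings


# Constructed sample events, built by hand from the values in the report above.
SID = r"S-1-5-21-3751123196-3323558407-1869646069-1000"
SAMPLE_EVENTS: List[Event] = [
    {"EventID": 1, "ProcessId": 2156, "Image": r"C:\Windows\system32\wscript.exe",
     "CommandLine": r'wscript.exe "C:\Users\Admin\AppData\Local\Temp\QUOTE .js"',
     "ParentImage": r"C:\Windows\explorer.exe"},  # parent is an assumption
    {"EventID": 1, "ProcessId": 920, "Image": r"C:\Windows\System32\wscript.exe",
     "CommandLine": r'"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\weVXcANTow.js"',
     "ParentImage": r"C:\Windows\system32\wscript.exe"},
    {"EventID": 1, "ProcessId": 4376, "Image": r"C:\Users\Admin\AppData\Local\Temp\em.exe",
     "CommandLine": r'"C:\Users\Admin\AppData\Local\Temp\em.exe"',
     "ParentImage": r"C:\Windows\system32\wscript.exe"},
    {"EventID": 13, "TargetObject": r"HKU\%s\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\YVBPFHTJIQ" % SID,
     "Details": r'"C:\Users\Admin\AppData\Roaming\weVXcANTow.js"'},
    {"EventID": 11,
     "TargetFilename": r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\weVXcANTow.js"},
    # Benign controls (invented): must produce no findings.
    {"EventID": 1, "ProcessId": 5000, "Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": r"notepad.exe C:\Users\Admin\Documents\notes.txt",
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"EventID": 13, "TargetObject": r"HKU\%s\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive" % SID,
     "Details": r'"C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'},
]


if __name__ == "__main__":
    for idx, why in scan(SAMPLE_EVENTS):
        print(f"event[{idx}] EID {SAMPLE_EVENTS[idx]['EventID']}: {why}")
```

The rules are deliberately narrow (script host plus user-writable path, Run value or Startup drop of a script file) so that a stock OneDrive Run value or a notepad launch does not fire; the //B flag is reported separately because on its own it is a weak signal and only adds weight when the script already comes from Temp or Roaming.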
Network
MITRE ATT&CK Enterprise v6
Downloads

C:\Users\Admin\AppData\Local\Temp\em.exe
Filesize: 95KB
MD5: 8a428a10e4b3a287b2da89c990faec37
SHA1: e431372ada47439b2389ccb6cb9a22813aafd3a0
SHA256: 1994587aad261a1b99d6b9f4c317a5def389344142609065cf1a7ddf668686f4
SHA512: 24b89a2df88f97f83586852b053ad9c8c1e879ff4d2605b74f2ddcd978f706fc501c0967fcf0841f45890bf1fbec46cab56a41fbe3d5541ed662295965b0a98d

C:\Users\Admin\AppData\Roaming\weVXcANTow.js
Filesize: 7KB
MD5: f89eb26fbbf0c45cd8435cbed357bd70
SHA1: b3169b13684f25e8a2a54121e28abbfd78d6a811
SHA256: 3ea50a531f40f6b3953930b14aefb043da2de693cce57194a9a6e6787c7b26d3
SHA512: 378b2f3d7783507447993ab0616d351c5a7e2c4ffdb4cde7889fdcac25f8bf74fb14cd0782c9a92a81d177c8e9460ad600e633669ce2085bf950ccf33f577784

memory/920-130-0x0000000000000000-mapping.dmp

memory/4376-132-0x0000000000000000-mapping.dmp

memory/4376-135-0x0000000000600000-0x000000000061E000-memory.dmp
Filesize: 120KB

memory/4376-136-0x0000000005760000-0x0000000005D78000-memory.dmp
Filesize: 6.1MB

memory/4376-137-0x0000000004F90000-0x0000000004FA2000-memory.dmp
Filesize: 72KB

memory/4376-138-0x0000000004FF0000-0x000000000502C000-memory.dmp
Filesize: 240KB

memory/4376-139-0x0000000005290000-0x000000000539A000-memory.dmp
Filesize: 1.0MB

memory/4376-140-0x0000000006570000-0x0000000006732000-memory.dmp
Filesize: 1.8MB

memory/4376-141-0x0000000006C70000-0x000000000719C000-memory.dmp
Filesize: 5.2MB

memory/4376-142-0x0000000006500000-0x0000000006566000-memory.dmp
Filesize: 408KB

memory/4376-143-0x0000000007750000-0x0000000007CF4000-memory.dmp
Filesize: 5.6MB

memory/4376-144-0x0000000006A70000-0x0000000006AE6000-memory.dmp
Filesize: 472KB

memory/4376-145-0x0000000006B90000-0x0000000006C22000-memory.dmp
Filesize: 584KB

memory/4376-146-0x00000000073A0000-0x00000000073BE000-memory.dmp
Filesize: 120KB