Analysis
-
max time kernel
149s -
max time network
153s -
platform
windows7_x64 -
resource
win7-20220414-en -
submitted
27-06-2022 08:15
Static task
static1
Behavioral task
behavioral1
Sample
PO-Order 4500324718.js
Resource
win7-20220414-en
General
-
Target
PO-Order 4500324718.js
-
Size
13KB
-
MD5
71c88f653261f87d9cd0a4063e6fc71c
-
SHA1
87df9ea6783c73a020ded64c0078803fb8cdeaec
-
SHA256
4359703f5e67ae4318436b3c536079925851fcec08178fec87a478a56bffa3a9
-
SHA512
7a1803a75d5bff4956ba332a2e5e2dbdf8aa798ab1839bd7d860f8cc65b048260e402e401d14618a66241c292c53fa39e70093d87ffcd2e33f32a85a4617fc88
Malware Config
Extracted
redline
firstfile
103.153.79.195:24688
Signatures
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine Payload 3 IoCs
Processes:
resource yara_rule C:\Users\Admin\AppData\Local\Temp\ot.exe family_redline C:\Users\Admin\AppData\Local\Temp\ot.exe family_redline behavioral1/memory/1548-61-0x0000000001350000-0x000000000136E000-memory.dmp family_redline -
suricata: ET MALWARE EXE Download Request To Wordpress Folder Likely Malicious
suricata: ET MALWARE EXE Download Request To Wordpress Folder Likely Malicious
-
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
-
Blocklisted process makes network request 19 IoCs
Processes:
wscript.exewscript.exeflow pid process 5 388 wscript.exe 8 2004 wscript.exe 10 388 wscript.exe 11 388 wscript.exe 12 388 wscript.exe 13 2004 wscript.exe 16 2004 wscript.exe 21 2004 wscript.exe 24 2004 wscript.exe 26 2004 wscript.exe 30 2004 wscript.exe 32 2004 wscript.exe 34 2004 wscript.exe 37 2004 wscript.exe 39 2004 wscript.exe 40 2004 wscript.exe 44 2004 wscript.exe 46 2004 wscript.exe 48 2004 wscript.exe -
Downloads MZ/PE file
-
Executes dropped EXE 1 IoCs
Processes:
ot.exepid process 1548 ot.exe -
Drops startup file 2 IoCs
Processes:
wscript.exedescription ioc process File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\hsfqTzBPFv.js wscript.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\hsfqTzBPFv.js wscript.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 2 IoCs
Processes:
wscript.exedescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Windows\CurrentVersion\Run\YVBPFHTJIQ = "\"C:\\Users\\Admin\\AppData\\Roaming\\hsfqTzBPFv.js\"" wscript.exe Key created \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Windows\CurrentVersion\Run wscript.exe -
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes:
ot.exepid process 1548 ot.exe 1548 ot.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
ot.exedescription pid process Token: SeDebugPrivilege 1548 ot.exe -
Suspicious use of WriteProcessMemory 7 IoCs
Processes:
wscript.exedescription pid process target process PID 388 wrote to memory of 2004 388 wscript.exe wscript.exe PID 388 wrote to memory of 2004 388 wscript.exe wscript.exe PID 388 wrote to memory of 2004 388 wscript.exe wscript.exe PID 388 wrote to memory of 1548 388 wscript.exe ot.exe PID 388 wrote to memory of 1548 388 wscript.exe ot.exe PID 388 wrote to memory of 1548 388 wscript.exe ot.exe PID 388 wrote to memory of 1548 388 wscript.exe ot.exe
Processes
-
C:\Windows\system32\wscript.exewscript.exe "C:\Users\Admin\AppData\Local\Temp\PO-Order 4500324718.js"1⤵
- Blocklisted process makes network request
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\wscript.exe"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\hsfqTzBPFv.js"2⤵
- Blocklisted process makes network request
- Drops startup file
- Adds Run key to start application
-
C:\Users\Admin\AppData\Local\Temp\ot.exe"C:\Users\Admin\AppData\Local\Temp\ot.exe"2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\ot.exeFilesize
95KB
MD5c50bf647703bcc0dff7ac82bec360565
SHA150ed555e1b6db733c1536931958c33e77c5817d6
SHA2561699f740bdcdb3778ca69d53dc9c5fa58edfe1a610cbaa935c40ac73f0c0bad2
SHA51281a3442c45b6b4d450cdb6fe03c406f99018b8f9faf378f9f1f35f8893d91bf7f1d5dcbae464b82e83ce529634c6ad6ceefa1369ce337c57c8aca737937f31c0
-
C:\Users\Admin\AppData\Local\Temp\ot.exeFilesize
95KB
MD5c50bf647703bcc0dff7ac82bec360565
SHA150ed555e1b6db733c1536931958c33e77c5817d6
SHA2561699f740bdcdb3778ca69d53dc9c5fa58edfe1a610cbaa935c40ac73f0c0bad2
SHA51281a3442c45b6b4d450cdb6fe03c406f99018b8f9faf378f9f1f35f8893d91bf7f1d5dcbae464b82e83ce529634c6ad6ceefa1369ce337c57c8aca737937f31c0
-
C:\Users\Admin\AppData\Roaming\hsfqTzBPFv.jsFilesize
5KB
MD508f691eac60225d5b5b66baad24dc6fb
SHA1d8c92dd209b3a79c9186fdc972bf76184d1753f5
SHA2561e2a6e0848c3d3b2f49b1926c608af3f6202b79f9a71bf27032226256519559d
SHA5123482fdae14f6bd3c89854465102735904aae8348584e63af807983a2ccd54c3cc17becf03a1bffa22803b449e44c729158cd7a400833cc47789e7dd69f7cfeee
-
memory/388-54-0x000007FEFC451000-0x000007FEFC453000-memory.dmpFilesize
8KB
-
memory/1548-58-0x0000000000000000-mapping.dmp
-
memory/1548-61-0x0000000001350000-0x000000000136E000-memory.dmpFilesize
120KB
-
memory/1548-62-0x0000000076C81000-0x0000000076C83000-memory.dmpFilesize
8KB
-
memory/2004-55-0x0000000000000000-mapping.dmp