Overview

overview

10

Static

static

PO-Order 4...718.js

windows7_x64

10

PO-Order 4...718.js

windows10-2004_x64

10

Analysis

  • max time kernel
    149s
  • max time network
    153s
  • platform
    windows7_x64
  • resource
    win7-20220414-en
  • submitted
    27-06-2022 08:15

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    PO-Order 4500324718.js

  • Size

    13KB

  • MD5

    71c88f653261f87d9cd0a4063e6fc71c

  • SHA1

    87df9ea6783c73a020ded64c0078803fb8cdeaec

  • SHA256

    4359703f5e67ae4318436b3c536079925851fcec08178fec87a478a56bffa3a9

  • SHA512

    7a1803a75d5bff4956ba332a2e5e2dbdf8aa798ab1839bd7d860f8cc65b048260e402e401d14618a66241c292c53fa39e70093d87ffcd2e33f32a85a4617fc88

Score
10/10
redlinevjw0rmfirstfilediscoveryinfostealerpersistencespywarestealersuricatatrojanworm

Malware Config

Extracted

Family

redline

Botnet

firstfile

C2

103.153.79.195:24688

Signatures

  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine Payload 3 IoCs
  • Vjw0rm

    Vjw0rm is a remote access trojan written in JavaScript.

    trojanwormvjw0rm
  • suricata: ET MALWARE EXE Download Request To Wordpress Folder Likely Malicious

    suricata: ET MALWARE EXE Download Request To Wordpress Folder Likely Malicious

    suricata
  • suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile

    suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile

    suricata
  • Blocklisted process makes network request 19 IoCs
  • Downloads MZ/PE file
  • Executes dropped EXE 1 IoCs
  • Drops startup file 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 7 IoCs

Processes

  • C:\Windows\system32\wscript.exe
    wscript.exe "C:\Users\Admin\AppData\Local\Temp\PO-Order 4500324718.js"
    1⤵
    • Blocklisted process makes network request
    • Suspicious use of WriteProcessMemory
    PID:388
    • C:\Windows\System32\wscript.exe
      "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\hsfqTzBPFv.js"
      2⤵
      • Blocklisted process makes network request
      • Drops startup file
      • Adds Run key to start application
      PID:2004
    • C:\Users\Admin\AppData\Local\Temp\ot.exe
      "C:\Users\Admin\AppData\Local\Temp\ot.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1548

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1
T1060

Privilege Escalation

Defense Evasion

Modify Registry

1
T1112

Credential Access

Credentials in Files

2
T1081

Discovery

Query Registry

1
T1012

System Information Discovery

1
T1082

Lateral Movement

Collection

Data from Local System

2
T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\ot.exe
    Filesize

    95KB

    MD5

    c50bf647703bcc0dff7ac82bec360565

    SHA1

    50ed555e1b6db733c1536931958c33e77c5817d6

    SHA256

    1699f740bdcdb3778ca69d53dc9c5fa58edfe1a610cbaa935c40ac73f0c0bad2

    SHA512

    81a3442c45b6b4d450cdb6fe03c406f99018b8f9faf378f9f1f35f8893d91bf7f1d5dcbae464b82e83ce529634c6ad6ceefa1369ce337c57c8aca737937f31c0

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\ot.exe
    Filesize

    95KB

    MD5

    c50bf647703bcc0dff7ac82bec360565

    SHA1

    50ed555e1b6db733c1536931958c33e77c5817d6

    SHA256

    1699f740bdcdb3778ca69d53dc9c5fa58edfe1a610cbaa935c40ac73f0c0bad2

    SHA512

    81a3442c45b6b4d450cdb6fe03c406f99018b8f9faf378f9f1f35f8893d91bf7f1d5dcbae464b82e83ce529634c6ad6ceefa1369ce337c57c8aca737937f31c0

    Download Submit
  • C:\Users\Admin\AppData\Roaming\hsfqTzBPFv.js
    Filesize

    5KB

    MD5

    08f691eac60225d5b5b66baad24dc6fb

    SHA1

    d8c92dd209b3a79c9186fdc972bf76184d1753f5

    SHA256

    1e2a6e0848c3d3b2f49b1926c608af3f6202b79f9a71bf27032226256519559d

    SHA512

    3482fdae14f6bd3c89854465102735904aae8348584e63af807983a2ccd54c3cc17becf03a1bffa22803b449e44c729158cd7a400833cc47789e7dd69f7cfeee

    Download Submit
  • memory/388-54-0x000007FEFC451000-0x000007FEFC453000-memory.dmp
    Filesize

    8KB

    Download
  • memory/1548-58-0x0000000000000000-mapping.dmp
    Download
  • memory/1548-61-0x0000000001350000-0x000000000136E000-memory.dmp
    Filesize

    120KB

    Download
  • memory/1548-62-0x0000000076C81000-0x0000000076C83000-memory.dmp
    Filesize

    8KB

    Download
  • memory/2004-55-0x0000000000000000-mapping.dmp
    Download