Overview

overview

10

Static

static

Pre Order July.js

windows7_x64

10

Pre Order July.js

windows10-2004_x64

10

Analysis

  • max time kernel
    141s
  • max time network
    147s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220414-en
  • submitted
    28-06-2022 02:58

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Pre Order July.js

  • Size

    215KB

  • MD5

    2e159cf4f5924625a4eaa85394878bf3

  • SHA1

    9d5f3c428d9681fe05804b24bc38b6131c3bef19

  • SHA256

    4f21d283e1fec9f76d4855d6dc903a18f356ee0f71334f8dc5780047a9f1ad86

  • SHA512

    7fad1197e2c0f216e75986ba7044c1f02ebb01c8b2175ace3156a5d88f065b8c49da1ba3c2310200bd1bf9bb51b76a6a1f01cc4de8a73dc87dddd0443b7ba072

Score
10/10
redlinevjw0rmmr ttdiscoveryinfostealerpersistencespywarestealertrojanworm

Malware Config

Extracted

Family

redline

Botnet

Mr TT

C2

45.138.16.233:1985

Signatures

  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine Payload 3 IoCs
  • Vjw0rm

    Vjw0rm is a remote access trojan written in JavaScript.

    trojanwormvjw0rm
  • Blocklisted process makes network request 16 IoCs
  • Executes dropped EXE 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 5 IoCs

Processes

  • C:\Windows\system32\wscript.exe
    wscript.exe "C:\Users\Admin\AppData\Local\Temp\Pre Order July.js"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:2348
    • C:\Windows\System32\wscript.exe
      "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\JnljuzseMt.js"
      2⤵
      • Blocklisted process makes network request
      • Drops startup file
      • Adds Run key to start application
      PID:2932
    • C:\Users\Admin\AppData\Local\Temp\build.exe
      "C:\Users\Admin\AppData\Local\Temp\build.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:384

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1
T1060

Privilege Escalation

Defense Evasion

Modify Registry

1
T1112

Credential Access

Credentials in Files

2
T1081

Discovery

Query Registry

2
T1012

System Information Discovery

2
T1082

Lateral Movement

Collection

Data from Local System

2
T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\build.exe
    Filesize

    95KB

    MD5

    c30ab843caae4b12e9aa920c4255d643

    SHA1

    b40641463c19ff90e81ac3429fd75f2c07551bd6

    SHA256

    f98805db5cd7a1efd80f8d7ff63da61892e738a659840a490e0fb41a05b364f7

    SHA512

    74ac72cde2e955d4579928c1570c8369e6c6be5a93294c8df9fb86868a615ef5bcc8b52dfa958ba11d185c175e404b100ee46bd89c184d5a610cce9a5f16c75d

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\build.exe
    Filesize

    95KB

    MD5

    c30ab843caae4b12e9aa920c4255d643

    SHA1

    b40641463c19ff90e81ac3429fd75f2c07551bd6

    SHA256

    f98805db5cd7a1efd80f8d7ff63da61892e738a659840a490e0fb41a05b364f7

    SHA512

    74ac72cde2e955d4579928c1570c8369e6c6be5a93294c8df9fb86868a615ef5bcc8b52dfa958ba11d185c175e404b100ee46bd89c184d5a610cce9a5f16c75d

    Download Submit
  • C:\Users\Admin\AppData\Roaming\JnljuzseMt.js
    Filesize

    17KB

    MD5

    9d7e8289bbdbe8e180ea8f34b27272df

    SHA1

    a8b81ca2f4f2d0d3860e1f89bb5b26b205f5c296

    SHA256

    8a7822ef6de75f7369f813589d517863961930d61b284a5b0825186e4e2a7f8b

    SHA512

    f30392ee5ee2b24bb0edc334e745c06d31b892b44aa8a1533ebb1364e92652f0a9b207bc7231b2c790416bf00017269f9056f52b3ac1c5955ffd3aca681541e2

    Download Submit
  • memory/384-138-0x00000000053C0000-0x00000000053FC000-memory.dmp
    Filesize

    240KB

    Download
  • memory/384-140-0x0000000006970000-0x0000000006B32000-memory.dmp
    Filesize

    1.8MB

    Download
  • memory/384-135-0x0000000000B20000-0x0000000000B3E000-memory.dmp
    Filesize

    120KB

    Download
  • memory/384-136-0x0000000005B00000-0x0000000006118000-memory.dmp
    Filesize

    6.1MB

    Download
  • memory/384-137-0x0000000005360000-0x0000000005372000-memory.dmp
    Filesize

    72KB

    Download
  • memory/384-146-0x0000000006F60000-0x0000000006F7E000-memory.dmp
    Filesize

    120KB

    Download
  • memory/384-139-0x0000000005670000-0x000000000577A000-memory.dmp
    Filesize

    1.0MB

    Download
  • memory/384-132-0x0000000000000000-mapping.dmp
    Download
  • memory/384-141-0x0000000007070000-0x000000000759C000-memory.dmp
    Filesize

    5.2MB

    Download
  • memory/384-142-0x0000000007B50000-0x00000000080F4000-memory.dmp
    Filesize

    5.6MB

    Download
  • memory/384-143-0x0000000006B40000-0x0000000006BA6000-memory.dmp
    Filesize

    408KB

    Download
  • memory/384-144-0x0000000006E30000-0x0000000006EA6000-memory.dmp
    Filesize

    472KB

    Download
  • memory/384-145-0x0000000006FA0000-0x0000000007032000-memory.dmp
    Filesize

    584KB

    Download
  • memory/2932-130-0x0000000000000000-mapping.dmp
    Download