Analysis
- max time kernel: 141s
- max time network: 147s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 28-06-2022 02:58
Static task: static1
Behavioral task: behavioral1
- Sample: Pre Order July.js
- Resource: win7-20220414-en
Behavioral task: behavioral2
- Sample: Pre Order July.js
- Resource: win10v2004-20220414-en
General
- Target: Pre Order July.js
- Size: 215KB
- MD5: 2e159cf4f5924625a4eaa85394878bf3
- SHA1: 9d5f3c428d9681fe05804b24bc38b6131c3bef19
- SHA256: 4f21d283e1fec9f76d4855d6dc903a18f356ee0f71334f8dc5780047a9f1ad86
- SHA512: 7fad1197e2c0f216e75986ba7044c1f02ebb01c8b2175ace3156a5d88f065b8c49da1ba3c2310200bd1bf9bb51b76a6a1f01cc4de8a73dc87dddd0443b7ba072
Malware Config
Extracted
- Family: redline
- Botnet: Mr TT
- C2: 45.138.16.233:1985
Signatures
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
- RedLine Payload (3 IoCs)
  Processes:
  - C:\Users\Admin\AppData\Local\Temp\build.exe: yara_rule family_redline
  - C:\Users\Admin\AppData\Local\Temp\build.exe: yara_rule family_redline
  - behavioral2/memory/384-135-0x0000000000B20000-0x0000000000B3E000-memory.dmp: yara_rule family_redline
- Blocklisted process makes network request (16 IoCs)
  Processes:
  - wscript.exe (PID 2932): flows 5, 15, 22, 23, 31, 37, 40, 43, 44, 45, 48, 49, 50, 51, 52, 53
- Executes dropped EXE (1 IoC)
  Processes:
  - build.exe (PID 384)
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up the country code configured in the registry, likely a geofence.
  Processes:
  - wscript.exe: Key value queried \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation
- Drops startup file (2 IoCs)
  Processes:
  - wscript.exe: File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\JnljuzseMt.js
  - wscript.exe: File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\JnljuzseMt.js
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials.
- Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes:
  - wscript.exe: Key created \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Windows\CurrentVersion\Run
  - wscript.exe: Set value (str) \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\YVBPFHTJIQ = "\"C:\\Users\\Admin\\AppData\\Roaming\\JnljuzseMt.js\""
- Checks installed software on the system (1 TTP)
  Looks up Uninstall key entries in the registry to enumerate software on the system.
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes:
  - build.exe (PID 384)
  - build.exe (PID 384)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes:
  - build.exe (PID 384): Token: SeDebugPrivilege
- Suspicious use of WriteProcessMemory (5 IoCs)
  Processes:
  - PID 2348 (wscript.exe) wrote to memory of PID 2932 (wscript.exe)
  - PID 2348 (wscript.exe) wrote to memory of PID 2932 (wscript.exe)
  - PID 2348 (wscript.exe) wrote to memory of PID 384 (build.exe)
  - PID 2348 (wscript.exe) wrote to memory of PID 384 (build.exe)
  - PID 2348 (wscript.exe) wrote to memory of PID 384 (build.exe)
Processes
- C:\Windows\system32\wscript.exe
  Command line: wscript.exe "C:\Users\Admin\AppData\Local\Temp\Pre Order July.js"
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  Children:
  - C:\Windows\System32\wscript.exe
    Command line: "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\JnljuzseMt.js"
    - Blocklisted process makes network request
    - Drops startup file
    - Adds Run key to start application
  - C:\Users\Admin\AppData\Local\Temp\build.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\build.exe"
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\build.exe
  Filesize: 95KB
  MD5: c30ab843caae4b12e9aa920c4255d643
  SHA1: b40641463c19ff90e81ac3429fd75f2c07551bd6
  SHA256: f98805db5cd7a1efd80f8d7ff63da61892e738a659840a490e0fb41a05b364f7
  SHA512: 74ac72cde2e955d4579928c1570c8369e6c6be5a93294c8df9fb86868a615ef5bcc8b52dfa958ba11d185c175e404b100ee46bd89c184d5a610cce9a5f16c75d
- C:\Users\Admin\AppData\Roaming\JnljuzseMt.js
  Filesize: 17KB
  MD5: 9d7e8289bbdbe8e180ea8f34b27272df
  SHA1: a8b81ca2f4f2d0d3860e1f89bb5b26b205f5c296
  SHA256: 8a7822ef6de75f7369f813589d517863961930d61b284a5b0825186e4e2a7f8b
  SHA512: f30392ee5ee2b24bb0edc334e745c06d31b892b44aa8a1533ebb1364e92652f0a9b207bc7231b2c790416bf00017269f9056f52b3ac1c5955ffd3aca681541e2
- memory/384-138-0x00000000053C0000-0x00000000053FC000-memory.dmp (Filesize: 240KB)
- memory/384-140-0x0000000006970000-0x0000000006B32000-memory.dmp (Filesize: 1.8MB)
- memory/384-135-0x0000000000B20000-0x0000000000B3E000-memory.dmp (Filesize: 120KB)
- memory/384-136-0x0000000005B00000-0x0000000006118000-memory.dmp (Filesize: 6.1MB)
- memory/384-137-0x0000000005360000-0x0000000005372000-memory.dmp (Filesize: 72KB)
- memory/384-146-0x0000000006F60000-0x0000000006F7E000-memory.dmp (Filesize: 120KB)
- memory/384-139-0x0000000005670000-0x000000000577A000-memory.dmp (Filesize: 1.0MB)
- memory/384-132-0x0000000000000000-mapping.dmp
- memory/384-141-0x0000000007070000-0x000000000759C000-memory.dmp (Filesize: 5.2MB)
- memory/384-142-0x0000000007B50000-0x00000000080F4000-memory.dmp (Filesize: 5.6MB)
- memory/384-143-0x0000000006B40000-0x0000000006BA6000-memory.dmp (Filesize: 408KB)
- memory/384-144-0x0000000006E30000-0x0000000006EA6000-memory.dmp (Filesize: 472KB)
- memory/384-145-0x0000000006FA0000-0x0000000007032000-memory.dmp (Filesize: 584KB)
- memory/2932-130-0x0000000000000000-mapping.dmp