Overview

overview

10

Static

static

Pre Order July.js

windows7_x64

10

Pre Order July.js

windows10-2004_x64

10

Analysis

  • max time kernel
    145s
  • max time network
    151s
  • platform
    windows7_x64
  • resource
    win7-20220414-en
  • submitted
    28-06-2022 02:58

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Pre Order July.js

  • Size

    215KB

  • MD5

    2e159cf4f5924625a4eaa85394878bf3

  • SHA1

    9d5f3c428d9681fe05804b24bc38b6131c3bef19

  • SHA256

    4f21d283e1fec9f76d4855d6dc903a18f356ee0f71334f8dc5780047a9f1ad86

  • SHA512

    7fad1197e2c0f216e75986ba7044c1f02ebb01c8b2175ace3156a5d88f065b8c49da1ba3c2310200bd1bf9bb51b76a6a1f01cc4de8a73dc87dddd0443b7ba072

Score
10/10
redlinevjw0rmmr ttdiscoveryinfostealerpersistencespywarestealertrojanworm

Malware Config

Extracted

Family

redline

Botnet

Mr TT

C2

45.138.16.233:1985

Signatures

  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine Payload 3 IoCs
  • Vjw0rm

    Vjw0rm is a remote access trojan written in JavaScript.

    trojanwormvjw0rm
  • Blocklisted process makes network request 16 IoCs
  • Executes dropped EXE 1 IoCs
  • Drops startup file 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 7 IoCs

Processes

  • C:\Windows\system32\wscript.exe
    wscript.exe "C:\Users\Admin\AppData\Local\Temp\Pre Order July.js"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1172
    • C:\Windows\System32\wscript.exe
      "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\JnljuzseMt.js"
      2⤵
      • Blocklisted process makes network request
      • Drops startup file
      • Adds Run key to start application
      PID:1428
    • C:\Users\Admin\AppData\Local\Temp\build.exe
      "C:\Users\Admin\AppData\Local\Temp\build.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1272

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\build.exe
    Filesize

    95KB

    MD5

    c30ab843caae4b12e9aa920c4255d643

    SHA1

    b40641463c19ff90e81ac3429fd75f2c07551bd6

    SHA256

    f98805db5cd7a1efd80f8d7ff63da61892e738a659840a490e0fb41a05b364f7

    SHA512

    74ac72cde2e955d4579928c1570c8369e6c6be5a93294c8df9fb86868a615ef5bcc8b52dfa958ba11d185c175e404b100ee46bd89c184d5a610cce9a5f16c75d

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\build.exe
    Filesize

    95KB

    MD5

    c30ab843caae4b12e9aa920c4255d643

    SHA1

    b40641463c19ff90e81ac3429fd75f2c07551bd6

    SHA256

    f98805db5cd7a1efd80f8d7ff63da61892e738a659840a490e0fb41a05b364f7

    SHA512

    74ac72cde2e955d4579928c1570c8369e6c6be5a93294c8df9fb86868a615ef5bcc8b52dfa958ba11d185c175e404b100ee46bd89c184d5a610cce9a5f16c75d

    Download Submit

  • C:\Users\Admin\AppData\Roaming\JnljuzseMt.js
    Filesize

    17KB

    MD5

    9d7e8289bbdbe8e180ea8f34b27272df

    SHA1

    a8b81ca2f4f2d0d3860e1f89bb5b26b205f5c296

    SHA256

    8a7822ef6de75f7369f813589d517863961930d61b284a5b0825186e4e2a7f8b

    SHA512

    f30392ee5ee2b24bb0edc334e745c06d31b892b44aa8a1533ebb1364e92652f0a9b207bc7231b2c790416bf00017269f9056f52b3ac1c5955ffd3aca681541e2

    Download Submit

  • memory/1172-54-0x000007FEFBBD1000-0x000007FEFBBD3000-memory.dmp

    Filesize

    8KB

    Download

  • memory/1272-57-0x0000000000000000-mapping.dmp

    Download

  • memory/1272-61-0x0000000000170000-0x000000000018E000-memory.dmp

    Filesize

    120KB

    Download

  • memory/1272-62-0x0000000076191000-0x0000000076193000-memory.dmp

    Filesize

    8KB

    Download

  • memory/1428-55-0x0000000000000000-mapping.dmp

    Download