Overview

overview

10

Static

static

Orders.js

windows7_x64

10

Orders.js

windows10-2004_x64

10

Analysis

  • max time kernel
    146s
  • max time network
    150s
  • platform
    windows7_x64
  • resource
    win7-20220414-en
  • submitted
    28-06-2022 09:38

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Orders.js

  • Size

    209KB

  • MD5

    d12479eec5fc8f1d57bf795c33feb329

  • SHA1

    23094b0e5146f82ca8493f7d7ff968640f68e9a5

  • SHA256

    d77abab32e4eeb866008a6cdafc09de31f1e73f7fbe2627fed75b4e90b22257d

  • SHA512

    f00eb36f2188a08f5bc577225135348964dfd6d9f6868aee34a8b512e55be89db0d0f2e7f5ce975ee26c1f85a571ecbcc407a2d29e4284fda713d4680014dbbd

Score
10/10
redlinevjw0rmmr ttdiscoveryinfostealerpersistencespywarestealertrojanworm

Malware Config

Extracted

Family

redline

Botnet

Mr TT

C2

45.138.16.233:1985

Signatures

  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine Payload 3 IoCs
  • Vjw0rm

    Vjw0rm is a remote access trojan written in JavaScript.

    trojanwormvjw0rm
  • Blocklisted process makes network request 16 IoCs
  • Executes dropped EXE 1 IoCs
  • Drops startup file 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 7 IoCs

Processes

  • C:\Windows\system32\wscript.exe
    wscript.exe C:\Users\Admin\AppData\Local\Temp\Orders.js
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1960
    • C:\Windows\System32\wscript.exe
      "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\JgXryuwtNy.js"
      2⤵
      • Blocklisted process makes network request
      • Drops startup file
      • Adds Run key to start application
      PID:1772
    • C:\Users\Admin\AppData\Local\Temp\build.exe
      "C:\Users\Admin\AppData\Local\Temp\build.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:828

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1
T1060

Privilege Escalation

Defense Evasion

Modify Registry

1
T1112

Credential Access

Credentials in Files

2
T1081

Discovery

Query Registry

1
T1012

System Information Discovery

1
T1082

Lateral Movement

Collection

Data from Local System

2
T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\build.exe
    Filesize

    95KB

    MD5

    c30ab843caae4b12e9aa920c4255d643

    SHA1

    b40641463c19ff90e81ac3429fd75f2c07551bd6

    SHA256

    f98805db5cd7a1efd80f8d7ff63da61892e738a659840a490e0fb41a05b364f7

    SHA512

    74ac72cde2e955d4579928c1570c8369e6c6be5a93294c8df9fb86868a615ef5bcc8b52dfa958ba11d185c175e404b100ee46bd89c184d5a610cce9a5f16c75d

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\build.exe
    Filesize

    95KB

    MD5

    c30ab843caae4b12e9aa920c4255d643

    SHA1

    b40641463c19ff90e81ac3429fd75f2c07551bd6

    SHA256

    f98805db5cd7a1efd80f8d7ff63da61892e738a659840a490e0fb41a05b364f7

    SHA512

    74ac72cde2e955d4579928c1570c8369e6c6be5a93294c8df9fb86868a615ef5bcc8b52dfa958ba11d185c175e404b100ee46bd89c184d5a610cce9a5f16c75d

    Download Submit
  • C:\Users\Admin\AppData\Roaming\JgXryuwtNy.js
    Filesize

    15KB

    MD5

    d0cf8b0fa0bafc3a016a0fc39fb3bb1f

    SHA1

    77b341d0c31e968873d54412ce3b3a1d1d8ef8ff

    SHA256

    2c794c15de3c8db90ba429a15ae2c1e30549733990fad4405f2b8571d00b60ea

    SHA512

    c22d0867112b98d3f930936e91553bb2eb4ab597704d3976b3b1fd7f6d08b5a46a9801fffdf3bf576061eafec2851e7caeabd0b882b33dea8079c573b4f198db

    Download Submit
  • memory/828-57-0x0000000000000000-mapping.dmp
    Download
  • memory/828-61-0x00000000009D0000-0x00000000009EE000-memory.dmp
    Filesize

    120KB

    Download
  • memory/828-62-0x0000000075F21000-0x0000000075F23000-memory.dmp
    Filesize

    8KB

    Download
  • memory/1772-55-0x0000000000000000-mapping.dmp
    Download
  • memory/1960-54-0x000007FEFC221000-0x000007FEFC223000-memory.dmp
    Filesize

    8KB

    Download