Analysis
- max time kernel: 146s
- max time network: 150s
- platform: windows7_x64
- resource: win7-20220414-en
- submitted: 28-06-2022 09:38
- Static task: static1
- Behavioral task: behavioral1 (Sample: Orders.js, Resource: win7-20220414-en)
- Behavioral task: behavioral2 (Sample: Orders.js, Resource: win10v2004-20220414-en)
General
- Target: Orders.js
- Size: 209KB
- MD5: d12479eec5fc8f1d57bf795c33feb329
- SHA1: 23094b0e5146f82ca8493f7d7ff968640f68e9a5
- SHA256: d77abab32e4eeb866008a6cdafc09de31f1e73f7fbe2627fed75b4e90b22257d
- SHA512: f00eb36f2188a08f5bc577225135348964dfd6d9f6868aee34a8b512e55be89db0d0f2e7f5ce975ee26c1f85a571ecbcc407a2d29e4284fda713d4680014dbbd
Malware Config
Extracted
- Family: redline
- Botnet: Mr TT
- C2: 45.138.16.233:1985
Signatures
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
- RedLine Payload (3 IoCs)
  resource | yara_rule
  C:\Users\Admin\AppData\Local\Temp\build.exe | family_redline
  C:\Users\Admin\AppData\Local\Temp\build.exe | family_redline
  behavioral1/memory/828-61-0x00000000009D0000-0x00000000009EE000-memory.dmp | family_redline
- Blocklisted process makes network request (16 IoCs)
  flow | pid | process
  5 | 1772 | wscript.exe
  8 | 1772 | wscript.exe
  9 | 1772 | wscript.exe
  11 | 1772 | wscript.exe
  13 | 1772 | wscript.exe
  14 | 1772 | wscript.exe
  16 | 1772 | wscript.exe
  17 | 1772 | wscript.exe
  18 | 1772 | wscript.exe
  20 | 1772 | wscript.exe
  21 | 1772 | wscript.exe
  22 | 1772 | wscript.exe
  24 | 1772 | wscript.exe
  25 | 1772 | wscript.exe
  26 | 1772 | wscript.exe
  28 | 1772 | wscript.exe
- Executes dropped EXE (1 IoC)
  pid | process
  828 | build.exe
- Drops startup file (2 IoCs)
  description | ioc | process
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\JgXryuwtNy.js | wscript.exe
  File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\JgXryuwtNy.js | wscript.exe
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials, cookies and similar profile data.
- Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)
- Adds Run key to start application (2 TTPs, 2 IoCs)
  description | ioc | process
  Key created | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Windows\CurrentVersion\Run | wscript.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Windows\CurrentVersion\Run\YVBPFHTJIQ = "\"C:\\Users\\Admin\\AppData\\Roaming\\JgXryuwtNy.js\"" | wscript.exe
- Checks installed software on the system (1 TTP)
  Looks up Uninstall key entries in the registry to enumerate software on the system.
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  pid | process
  828 | build.exe
  828 | build.exe
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  description | pid | process
  Token: SeDebugPrivilege | 828 | build.exe
- Suspicious use of WriteProcessMemory (7 IoCs)
  description | pid | process | target process
  PID 1960 wrote to memory of 1772 | 1960 | wscript.exe | wscript.exe
  PID 1960 wrote to memory of 1772 | 1960 | wscript.exe | wscript.exe
  PID 1960 wrote to memory of 1772 | 1960 | wscript.exe | wscript.exe
  PID 1960 wrote to memory of 828 | 1960 | wscript.exe | build.exe
  PID 1960 wrote to memory of 828 | 1960 | wscript.exe | build.exe
  PID 1960 wrote to memory of 828 | 1960 | wscript.exe | build.exe
  PID 1960 wrote to memory of 828 | 1960 | wscript.exe | build.exe
Processes
- C:\Windows\system32\wscript.exe
  Command line: wscript.exe C:\Users\Admin\AppData\Local\Temp\Orders.js
  - Suspicious use of WriteProcessMemory
  - C:\Windows\System32\wscript.exe (child)
    Command line: "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\JgXryuwtNy.js"
    - Blocklisted process makes network request
    - Drops startup file
    - Adds Run key to start application
  - C:\Users\Admin\AppData\Local\Temp\build.exe (child)
    Command line: "C:\Users\Admin\AppData\Local\Temp\build.exe"
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\build.exe
  Filesize: 95KB
  MD5: c30ab843caae4b12e9aa920c4255d643
  SHA1: b40641463c19ff90e81ac3429fd75f2c07551bd6
  SHA256: f98805db5cd7a1efd80f8d7ff63da61892e738a659840a490e0fb41a05b364f7
  SHA512: 74ac72cde2e955d4579928c1570c8369e6c6be5a93294c8df9fb86868a615ef5bcc8b52dfa958ba11d185c175e404b100ee46bd89c184d5a610cce9a5f16c75d
- C:\Users\Admin\AppData\Roaming\JgXryuwtNy.js
  Filesize: 15KB
  MD5: d0cf8b0fa0bafc3a016a0fc39fb3bb1f
  SHA1: 77b341d0c31e968873d54412ce3b3a1d1d8ef8ff
  SHA256: 2c794c15de3c8db90ba429a15ae2c1e30549733990fad4405f2b8571d00b60ea
  SHA512: c22d0867112b98d3f930936e91553bb2eb4ab597704d3976b3b1fd7f6d08b5a46a9801fffdf3bf576061eafec2851e7caeabd0b882b33dea8079c573b4f198db
- memory/828-57-0x0000000000000000-mapping.dmp
- memory/828-61-0x00000000009D0000-0x00000000009EE000-memory.dmp
  Filesize: 120KB
- memory/828-62-0x0000000075F21000-0x0000000075F23000-memory.dmp
  Filesize: 8KB
- memory/1772-55-0x0000000000000000-mapping.dmp
- memory/1960-54-0x000007FEFC221000-0x000007FEFC223000-memory.dmp
  Filesize: 8KB