redline | 3ecba862df8a7e0e278375c4491219dd2022882c8c44870019b497ed45db415a

Analysis

max time kernel
73s
max time network
138s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
20/10/2022, 15:44

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

Enquiry.js
Size

4KB
MD5

b7c067e5f15d2264ab945d07589462db
SHA1

9f25636a346d6cbea1b53270e63ac042d0006034
SHA256

3ecba862df8a7e0e278375c4491219dd2022882c8c44870019b497ed45db415a
SHA512

4e2884cf13d1cef7223ef957b338f984b1ea8a2f88cb194d9c32b5d6bc47c4f7b7903ccad13d4aa10ac1fecb8581b01f3a2c10fd9b5e680b9cf5a0e360209aae
SSDEEP

96:IfIr3U6zGVyy5VMiR/cCVomAGmHJxPRICWG7zEz5Lyi0jAKQL4i0jAPq/8HScP:IfIrE6zGVyaM6/cCV6Xu67zEz6fAqEH3

Score

10^/10

redline docc infostealer

Malware Config

Extracted

Family

redline

Botnet

docc

191.101.130.28:45622

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 1 IoCs

resource	yara_rule
behavioral2/memory/1916-138-0x0000000000400000-0x000000000041E000-memory.dmp	family_redline

Blocklisted process makes network request 4 IoCs

flow	pid	Process
5	4936	wscript.exe
6	4936	wscript.exe
8	4936	wscript.exe
10	4936	wscript.exe

Downloads MZ/PE file

Executes dropped EXE 1 IoCs

pid	Process
2132	HGTYHUOPKMNHB.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	wscript.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2132 set thread context of 1916	2132	HGTYHUOPKMNHB.exe	87

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2132	HGTYHUOPKMNHB.exe
2132	HGTYHUOPKMNHB.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2132	HGTYHUOPKMNHB.exe
Token: SeDebugPrivilege	1916	Caspol.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 4936 wrote to memory of 2132	4936	wscript.exe	84
PID 4936 wrote to memory of 2132	4936	wscript.exe	84
PID 4936 wrote to memory of 2132	4936	wscript.exe	84
PID 2132 wrote to memory of 2220	2132	HGTYHUOPKMNHB.exe	86
PID 2132 wrote to memory of 2220	2132	HGTYHUOPKMNHB.exe	86
PID 2132 wrote to memory of 2220	2132	HGTYHUOPKMNHB.exe	86
PID 2132 wrote to memory of 1916	2132	HGTYHUOPKMNHB.exe	87
PID 2132 wrote to memory of 1916	2132	HGTYHUOPKMNHB.exe	87
PID 2132 wrote to memory of 1916	2132	HGTYHUOPKMNHB.exe	87
PID 2132 wrote to memory of 1916	2132	HGTYHUOPKMNHB.exe	87
PID 2132 wrote to memory of 1916	2132	HGTYHUOPKMNHB.exe	87
PID 2132 wrote to memory of 1916	2132	HGTYHUOPKMNHB.exe	87
PID 2132 wrote to memory of 1916	2132	HGTYHUOPKMNHB.exe	87
PID 2132 wrote to memory of 1916	2132	HGTYHUOPKMNHB.exe	87

C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\Enquiry.js
1⤵
- Blocklisted process makes network request
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4936
- C:\Users\Admin\AppData\Local\Temp\HGTYHUOPKMNHB.exe
  "C:\Users\Admin\AppData\Local\Temp\HGTYHUOPKMNHB.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2132
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe"
    3⤵
    PID:2220
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1916

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\HGTYHUOPKMNHB.exe

Filesize
49KB

MD5
0df61633eb3931ebe83f3c67f4ff843c

SHA1
22ef104755afd6a5d9d2ffd36429cf5566195f84

SHA256
bb997cbc8329ac47a1fb390fdda3c2c552446cdaf48193cd3a7eaa37df3f8a31

SHA512
74cc3ff55ed74a7430bf14c20b06fbf7e7b4c1d899eb1397b66e7f37e8369e831ffeff101acfba9f06ed34039ea8460c1b5e02be6d9a92554d7515eb9de0d8ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\HGTYHUOPKMNHB.exe

Filesize
49KB

MD5
0df61633eb3931ebe83f3c67f4ff843c

SHA1
22ef104755afd6a5d9d2ffd36429cf5566195f84

SHA256
bb997cbc8329ac47a1fb390fdda3c2c552446cdaf48193cd3a7eaa37df3f8a31

SHA512
74cc3ff55ed74a7430bf14c20b06fbf7e7b4c1d899eb1397b66e7f37e8369e831ffeff101acfba9f06ed34039ea8460c1b5e02be6d9a92554d7515eb9de0d8ff

Download Submit
memory/1916-141-0x0000000004EB0000-0x0000000004EEC000-memory.dmp

Filesize
240KB

Download
memory/1916-138-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1916-139-0x0000000005540000-0x0000000005B58000-memory.dmp

Filesize
6.1MB

Download
memory/1916-140-0x0000000004E50000-0x0000000004E62000-memory.dmp

Filesize
72KB

Download
memory/1916-142-0x0000000005080000-0x000000000518A000-memory.dmp

Filesize
1.0MB

Download
memory/1916-143-0x00000000061A0000-0x0000000006362000-memory.dmp

Filesize
1.8MB

Download
memory/1916-144-0x00000000068A0000-0x0000000006DCC000-memory.dmp

Filesize
5.2MB

Download
memory/2132-135-0x0000000000F60000-0x0000000000F70000-memory.dmp

Filesize
64KB

Download