Analysis
-
max time kernel
170s -
max time network
185s -
platform
windows7_x64 -
resource
win7-20220812-en -
resource tags
arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system -
submitted
24/08/2022, 07:18
Static task
static1
Behavioral task
behavioral1
Sample
QvLXNFAtqb_Tadexax2223.js
Resource
win7-20220812-en
General
-
Target
QvLXNFAtqb_Tadexax2223.js
-
Size
23KB
-
MD5
ee1763127209217a0fce04f2aed9e0f1
-
SHA1
6357452db989571b53d921f9a8cfc82a3650441d
-
SHA256
4e758da9d292aa5126efb6ad52e26742985680e554f5491544a9fea1af837799
-
SHA512
5ac1cbe8b411563c84ec87ba3e97c184fb19dd84cc18b60950330864b1328ae8d4ceb616ba6e90c16a47cde4302ea8da48ca9ace94fbe9faffe41f0970b6ba99
-
SSDEEP
384:jpLqUVwuBf5oocGTQ1MNKsijegDvgjmyljNetiPg8ClyhCCy1NEM+9v8dHVgI/la:dLqQvBf5oPGTyMEsije4vgj5ciPgXyhL
Malware Config
Signatures
-
Blocklisted process makes network request 16 IoCs
flow  pid   Process
4     1208  wscript.exe
5     1208  wscript.exe
6     1208  wscript.exe
7     1208  wscript.exe
8     1208  wscript.exe
9     1208  wscript.exe
11    1208  wscript.exe
12    1208  wscript.exe
13    1208  wscript.exe
14    1208  wscript.exe
15    1208  wscript.exe
16    1208  wscript.exe
18    1208  wscript.exe
19    1208  wscript.exe
20    1208  wscript.exe
21    1208  wscript.exe
-
Drops startup file 2 IoCs
description                   ioc                                                                                                      Process
File created                  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\QvLXNFAtqb_Tadexax2223.js    wscript.exe
File opened for modification  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\QvLXNFAtqb_Tadexax2223.js    wscript.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious use of WriteProcessMemory 3 IoCs
description                       pid   Process      procid_target
PID 1208 wrote to memory of 624   1208  wscript.exe  28
PID 1208 wrote to memory of 624   1208  wscript.exe  28
PID 1208 wrote to memory of 624   1208  wscript.exe  28
Processes
-
C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\QvLXNFAtqb_Tadexax2223.js
- Blocklisted process makes network request
- Drops startup file
- Suspicious use of WriteProcessMemory
PID:1208 -
  C:\Windows\System32\wscript.exe
  "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\BoINCSmfdi.js"
  PID:624
-
Network
MITRE ATT&CK Enterprise v6
Downloads
-
Filesize
6KB
MD5
8199ee5c636954199baf737a99ce0e47
SHA1
7a533e8dbacb75bd255650d4e24033c1d252e556
SHA256
e8467cdda44971d238500b8776ddbd6d19454894574f135fb64349c7f863332b
SHA512
22cb45d943917cf11fa6101f13ffebd869e92b8b31a8eb29bb3e16fab36fbcf919cd2dd6a6b525800887a68091f244d1e055218b09e14ac7e16c10948df903ed