Analysis
max time kernel: 150s
max time network: 149s
platform: windows10-2004_x64
resource: win10v2004-20220812-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
submitted: 24/08/2022, 07:18
Static task: static1
Behavioral task: behavioral1
  Sample: QvLXNFAtqb_Tadexax2223.js
  Resource: win7-20220812-en
General
Target: QvLXNFAtqb_Tadexax2223.js
Size: 23KB
MD5: ee1763127209217a0fce04f2aed9e0f1
SHA1: 6357452db989571b53d921f9a8cfc82a3650441d
SHA256: 4e758da9d292aa5126efb6ad52e26742985680e554f5491544a9fea1af837799
SHA512: 5ac1cbe8b411563c84ec87ba3e97c184fb19dd84cc18b60950330864b1328ae8d4ceb616ba6e90c16a47cde4302ea8da48ca9ace94fbe9faffe41f0970b6ba99
SSDEEP: 384:jpLqUVwuBf5oocGTQ1MNKsijegDvgjmyljNetiPg8ClyhCCy1NEM+9v8dHVgI/la:dLqQvBf5oPGTyMEsije4vgj5ciPgXyhL
Malware Config
Signatures

Blocklisted process makes network request (9 IoCs)
flow | pid  | Process
9    | 2412 | wscript.exe
21   | 2412 | wscript.exe
25   | 2412 | wscript.exe
28   | 2412 | wscript.exe
36   | 2412 | wscript.exe
39   | 2412 | wscript.exe
50   | 2412 | wscript.exe
55   | 2412 | wscript.exe
62   | 2412 | wscript.exe

Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely a geofence.
description       | ioc                                                                                                 | Process
Key value queried | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation | wscript.exe

Drops startup file (2 IoCs)
description                  | ioc                                                                                                    | Process
File created                 | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\QvLXNFAtqb_Tadexax2223.js | wscript.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\QvLXNFAtqb_Tadexax2223.js | wscript.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Suspicious use of WriteProcessMemory (2 IoCs)
description                      | pid  | Process     | procid_target
PID 2412 wrote to memory of 1288 | 2412 | wscript.exe | 83
PID 2412 wrote to memory of 1288 | 2412 | wscript.exe | 83
Processes

1. C:\Windows\system32\wscript.exe (PID 2412)
   Command line: wscript.exe C:\Users\Admin\AppData\Local\Temp\QvLXNFAtqb_Tadexax2223.js
   - Blocklisted process makes network request
   - Checks computer location settings
   - Drops startup file
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\System32\wscript.exe (PID 1288, child of 2412)
      Command line: "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\BoINCSmfdi.js"
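The process tree above is the part of this report that translates most directly into host-based detection: a script host running a .js file out of a user profile, copying itself into the per-user Startup folder, and spawning a second wscript.exe with //B (batch mode, which suppresses the error dialogs and prompts a user might otherwise notice). The following Python is an added example, not part of the sandbox report or of the sample, that runs those three checks over constructed Sysmon-style records (Event ID 1 process creation, Event ID 11 file creation). The two wscript.exe command lines and the Startup-folder path are copied from this report; the ParentImage for PID 2412 and the two benign control events are assumptions made up for the example. The Geo\Nation registry read is deliberately not covered: Sysmon records registry key and value writes (Event IDs 12 to 14), not reads, so that IoC comes from the sandbox's API tracing rather than from endpoint logs.

```python
"""Hunting checks for the wscript.exe behaviour seen in this report.

Added example: the events below are constructed Sysmon-style records
(Event ID 1 = process creation, Event ID 11 = file creation). The two
wscript.exe command lines and the Startup-folder path are taken from the
report; ParentImage for PID 2412 and the two benign control events are
assumptions made up for the example.
"""
import re
from typing import Iterable

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
SCRIPT_EXTS = (".js", ".jse", ".vbs", ".vbe", ".wsf", ".wsh", ".hta")
# A script sitting anywhere under a user profile's AppData tree.
USER_WRITABLE = re.compile(r"\\Users\\[^\\]+\\AppData\\", re.IGNORECASE)
# Per-user Startup folder, where the sample copied itself for persistence.
STARTUP_DIR = re.compile(r"\\Start Menu\\Programs\\Startup\\", re.IGNORECASE)
# wscript //B = batch mode: no error dialogs, no prompts, nothing for the user to notice.
BATCH_FLAG = re.compile(r"(?:^|\s)//B(?=\s|$)", re.IGNORECASE)


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def _args(cmdline: str) -> list[str]:
    """Split a Windows command line on whitespace, keeping quoted paths intact,
    and drop the leading host image token."""
    tokens = re.findall(r'"[^"]*"|\S+', cmdline)
    return [t.strip('"') for t in tokens[1:]]


def check_process(ev: dict) -> list[str]:
    """Return one reason string per suspicious trait of a process-creation event."""
    hits: list[str] = []
    if _basename(ev.get("Image", "")) not in SCRIPT_HOSTS:
        return hits
    cmd = ev.get("CommandLine", "")
    scripts = [a for a in _args(cmd) if a.lower().endswith(SCRIPT_EXTS)]
    if any(USER_WRITABLE.search(s) for s in scripts):
        hits.append("script host executing a script from a user-writable AppData path")
    if BATCH_FLAG.search(cmd):
        hits.append("batch mode (//B) hides script errors and prompts")
    if _basename(ev.get("ParentImage", "")) in SCRIPT_HOSTS:
        hits.append("script host spawned by another script host")
    return hits


def check_file(ev: dict) -> list[str]:
    """Flag script files written into a Startup folder (persistence)."""
    target = ev.get("TargetFilename", "")
    if STARTUP_DIR.search(target) and target.lower().endswith(SCRIPT_EXTS):
        return [f"{_basename(ev.get('Image', ''))} dropped a script into the Startup folder"]
    return []


def triage(events: Iterable[dict]) -> list[tuple[int, list[str]]]:
    """Run the checks over a stream of events; return (ProcessId, reasons) per event that hits."""
    findings: list[tuple[int, list[str]]] = []
    for ev in events:
        if ev["EventID"] == 1:
            reasons = check_process(ev)
        elif ev["EventID"] == 11:
            reasons = check_file(ev)
        else:
            reasons = []
        if reasons:
            findings.append((ev["ProcessId"], reasons))
    return findings


# Constructed events. Command lines and the Startup path come from the report;
# ParentImage/ParentProcessId for 2412 and both benign events are invented.
SAMPLE_EVENTS = [
    {"EventID": 1, "ProcessId": 2412, "Image": r"C:\Windows\system32\wscript.exe",
     "CommandLine": r"wscript.exe C:\Users\Admin\AppData\Local\Temp\QvLXNFAtqb_Tadexax2223.js",
     "ParentImage": r"C:\Windows\explorer.exe", "ParentProcessId": 3000},
    {"EventID": 11, "ProcessId": 2412, "Image": r"C:\Windows\system32\wscript.exe",
     "TargetFilename": r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\QvLXNFAtqb_Tadexax2223.js"},
    {"EventID": 1, "ProcessId": 1288, "Image": r"C:\Windows\System32\wscript.exe",
     "CommandLine": r'"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\BoINCSmfdi.js"',
     "ParentImage": r"C:\Windows\system32\wscript.exe", "ParentProcessId": 2412},
    # Benign control: a domain logon script from a protected path, started by userinit.
    {"EventID": 1, "ProcessId": 4100, "Image": r"C:\Windows\System32\wscript.exe",
     "CommandLine": r'wscript.exe "C:\Windows\System32\GroupPolicy\User\Scripts\Logon\map.vbs"',
     "ParentImage": r"C:\Windows\System32\userinit.exe", "ParentProcessId": 900},
    # Benign control: a shortcut (not a script) placed in Startup by explorer.
    {"EventID": 11, "ProcessId": 3000, "Image": r"C:\Windows\explorer.exe",
     "TargetFilename": r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OneNote.lnk"},
]

if __name__ == "__main__":
    for pid, reasons in triage(SAMPLE_EVENTS):
        for reason in reasons:
            print(f"PID {pid}: {reason}")
```

Run against the constructed stream, PID 2412 is flagged once for the AppData script and once for the Startup drop, PID 1288 is flagged on all three process checks, and the two benign controls produce nothing. The parent-child check is the one worth tuning least: wscript.exe spawning wscript.exe has almost no legitimate use on a workstation, whereas the AppData check will need allow-listing for some installers and per-user deployment tools.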
Network
MITRE ATT&CK Enterprise v6
Downloads

Filesize: 6KB
MD5: 8199ee5c636954199baf737a99ce0e47
SHA1: 7a533e8dbacb75bd255650d4e24033c1d252e556
SHA256: e8467cdda44971d238500b8776ddbd6d19454894574f135fb64349c7f863332b
SHA512: 22cb45d943917cf11fa6101f13ffebd869e92b8b31a8eb29bb3e16fab36fbcf919cd2dd6a6b525800887a68091f244d1e055218b09e14ac7e16c10948df903ed