Analysis
max time kernel: 144s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20220812-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
submitted: 25/08/2022, 10:59

Static task: static1
Behavioral task: behavioral1
  Sample: SZGefsAYXZ_Tadexax2223.js
  Resource: win7-20220812-en
General
Target: SZGefsAYXZ_Tadexax2223.js
Size: 56KB
MD5: b73ba6eb7f6b4fc2d4711871d55f4d30
SHA1: ac710b5a76921d81c1cbe5b5b8815c36536719d4
SHA256: 136916061bfeb5df05b83ba428bcd2005dccbce2035b2b28a029274bf95a25b4
SHA512: 98034cb31973fcff1c45cab52b993c32cb486134e62e18437074249b4b0bbdd0f47ca3b39bd01ed5370b546c72ce447632107d1afbaccf16c9392c3d3712ec0f
SSDEEP: 1536:5YJm4ERgktGIefDKehwa8q4kDrxch7WpgIf/P4yT/P6hYpP34PzsqH+F8n1x6:KJm4FhKk82HPcU
Malware Config
Extracted
vjw0rm
http://185.157.162.75:2223
Signatures

Blocklisted process makes network request (2 IoCs)
  flow  pid   Process
  10    3756  wscript.exe
  33    3756  wscript.exe

Checks computer location settings (2 TTPs, 1 IoCs)
Looks up country code configured in the registry, likely geofence.
  description        ioc                                                                                                   Process
  Key value queried  \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation  wscript.exe

Drops startup file (2 IoCs)
  description                   ioc                                                                                              Process
  File created                  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SZGefsAYXZ_Tadexax2223.js  wscript.exe
  File opened for modification  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SZGefsAYXZ_Tadexax2223.js  wscript.exe

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Suspicious use of WriteProcessMemory (2 IoCs)
  description                         pid   Process      procid_target
  PID 3756 wrote to memory of 1904    3756  wscript.exe  83
  PID 3756 wrote to memory of 1904    3756  wscript.exe  83
Processes

1. C:\Windows\system32\wscript.exe
   Command line: wscript.exe C:\Users\Admin\AppData\Local\Temp\SZGefsAYXZ_Tadexax2223.js
   PID: 3756
   - Blocklisted process makes network request
   - Checks computer location settings
   - Drops startup file
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\System32\wscript.exe (child of PID 3756)
      Command line: "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\DrKzuLzfJN.js"
      PID: 1904
Network
MITRE ATT&CK Enterprise v6
Downloads
Filesize: 18KB
MD5: 6603a31cf804b8bfc789e62685a39291
SHA1: 0d3918e67b92a5ced1a9ec8bc30d3103c53b1201
SHA256: a2d293790800a34a0b959815f28bc8cc8e1dea3729699936a710aed4fd8d0193
SHA512: 77c5ff393d6e1485e3e41b4535f4fc58078f45f585f0b9ad515e0efa5b1796337ca40fe946aff5dd9c71cabd2442c69a828e237a039d10908192933f01f0854f