Analysis

Max time kernel: 135s
Max time network: 151s
Platform: windows10-2004_x64
Resource: win10v2004-20230220-en
Resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
Submitted: 30/05/2023, 15:38
Static task: static1

Behavioral task: behavioral1
  Sample: AgreementCancellation 167193 May 30.js
  Resource: win7-20230220-en
  3 signatures, 150 seconds

Behavioral task: behavioral2
  Sample: AgreementCancellation 167193 May 30.js
  Resource: win10v2004-20230220-en
  3 signatures, 150 seconds
General

Target: AgreementCancellation 167193 May 30.js
Size: 20KB
MD5: 7a4e72ec640e4347cdfa399d73f037ad
SHA1: 2fb3aa0cf9e6d2e5715e2f15ae718fd0d6d89dd1
SHA256: 98606c7b9e2a89831243196ef122a706f458305e9fe8eb7ba3b20b64c81432b0
SHA512: 6aa413c73674a52b4aa4851d3f8063a7815eca6d20cc24f4d84ae3adf13dc0de08c81bb413d39e62c289099f5a9c220ec4e50829abd5c32bfcfbd3c7f4a2d5e0
SSDEEP: 384:iYQHX4qY25wrr6CBv0PTDuCCqYZfXEkZks6LTw/QfVWbjPGeMm9cy872RGmz:XQH55wiCBeCqcfXpQfVWlrc1aRGmz
Score: 8/10
Malware Config

Signatures
Blocklisted process makes network request (6 IoCs)

flow  pid   Process
6     1736  msiexec.exe
10    1736  msiexec.exe
23    1736  msiexec.exe
30    1736  msiexec.exe
33    1736  msiexec.exe
35    1736  msiexec.exe
Suspicious use of AdjustPrivilegeToken (64 IoCs)

description                            pid   Process
Token: SeShutdownPrivilege             1952  wscript.exe
Token: SeIncreaseQuotaPrivilege        1952  wscript.exe
Token: SeSecurityPrivilege             1736  msiexec.exe
Token: SeCreateTokenPrivilege          1952  wscript.exe
Token: SeAssignPrimaryTokenPrivilege   1952  wscript.exe
Token: SeLockMemoryPrivilege           1952  wscript.exe
Token: SeIncreaseQuotaPrivilege        1952  wscript.exe
Token: SeMachineAccountPrivilege       1952  wscript.exe
Token: SeTcbPrivilege                  1952  wscript.exe
Token: SeSecurityPrivilege             1952  wscript.exe
Token: SeTakeOwnershipPrivilege        1952  wscript.exe
Token: SeLoadDriverPrivilege           1952  wscript.exe
Token: SeSystemProfilePrivilege        1952  wscript.exe
Token: SeSystemtimePrivilege           1952  wscript.exe
Token: SeProfSingleProcessPrivilege    1952  wscript.exe
Token: SeIncBasePriorityPrivilege      1952  wscript.exe
Token: SeCreatePagefilePrivilege       1952  wscript.exe
Token: SeCreatePermanentPrivilege      1952  wscript.exe
Token: SeBackupPrivilege               1952  wscript.exe
Token: SeRestorePrivilege              1952  wscript.exe
Token: SeShutdownPrivilege             1952  wscript.exe
Token: SeDebugPrivilege                1952  wscript.exe
Token: SeAuditPrivilege                1952  wscript.exe
Token: SeSystemEnvironmentPrivilege    1952  wscript.exe
Token: SeChangeNotifyPrivilege         1952  wscript.exe
Token: SeRemoteShutdownPrivilege       1952  wscript.exe
Token: SeUndockPrivilege               1952  wscript.exe
Token: SeSyncAgentPrivilege            1952  wscript.exe
Token: SeEnableDelegationPrivilege     1952  wscript.exe
Token: SeManageVolumePrivilege         1952  wscript.exe
Token: SeImpersonatePrivilege          1952  wscript.exe
Token: SeCreateGlobalPrivilege         1952  wscript.exe
Token: SeShutdownPrivilege             1952  wscript.exe
Token: SeIncreaseQuotaPrivilege        1952  wscript.exe
Token: SeCreateTokenPrivilege          1952  wscript.exe
Token: SeAssignPrimaryTokenPrivilege   1952  wscript.exe
Token: SeLockMemoryPrivilege           1952  wscript.exe
Token: SeIncreaseQuotaPrivilege        1952  wscript.exe
Token: SeMachineAccountPrivilege       1952  wscript.exe
Token: SeTcbPrivilege                  1952  wscript.exe
Token: SeSecurityPrivilege             1952  wscript.exe
Token: SeTakeOwnershipPrivilege        1952  wscript.exe
Token: SeLoadDriverPrivilege           1952  wscript.exe
Token: SeSystemProfilePrivilege        1952  wscript.exe
Token: SeSystemtimePrivilege           1952  wscript.exe
Token: SeProfSingleProcessPrivilege    1952  wscript.exe
Token: SeIncBasePriorityPrivilege      1952  wscript.exe
Token: SeCreatePagefilePrivilege       1952  wscript.exe
Token: SeCreatePermanentPrivilege      1952  wscript.exe
Token: SeBackupPrivilege               1952  wscript.exe
Token: SeRestorePrivilege              1952  wscript.exe
Token: SeShutdownPrivilege             1952  wscript.exe
Token: SeDebugPrivilege                1952  wscript.exe
Token: SeAuditPrivilege                1952  wscript.exe
Token: SeSystemEnvironmentPrivilege    1952  wscript.exe
Token: SeChangeNotifyPrivilege         1952  wscript.exe
Token: SeRemoteShutdownPrivilege       1952  wscript.exe
Token: SeUndockPrivilege               1952  wscript.exe
Token: SeSyncAgentPrivilege            1952  wscript.exe
Token: SeEnableDelegationPrivilege     1952  wscript.exe
Token: SeManageVolumePrivilege         1952  wscript.exe
Token: SeImpersonatePrivilege          1952  wscript.exe
Token: SeCreateGlobalPrivilege         1952  wscript.exe
Token: SeShutdownPrivilege             1952  wscript.exe
Suspicious use of FindShellTrayWindow (12 IoCs)

pid   Process
1952  wscript.exe
1952  wscript.exe
1952  wscript.exe
1952  wscript.exe
1952  wscript.exe
1952  wscript.exe
1952  wscript.exe
1952  wscript.exe
1952  wscript.exe
1952  wscript.exe
1952  wscript.exe
1952  wscript.exe
Processes

C:\Windows\system32\wscript.exe
  Command line: wscript.exe "C:\Users\Admin\AppData\Local\Temp\AgreementCancellation 167193 May 30.js"
  PID: 1952
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow

C:\Windows\system32\msiexec.exe
  Command line: C:\Windows\system32\msiexec.exe /V
  PID: 1736
  - Blocklisted process makes network request
  - Suspicious use of AdjustPrivilegeToken