de7be39a81bebae20f84ad33ca89e7b0bfecc883e84cb0f694ecdf74d355f836 | Triage

Analysis

max time kernel
135s
max time network
145s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
01/06/2023, 01:55

Sharing

Report Analysis Logs

General

Target

doc_F163_May_30.js
Size

4KB
MD5

9263e619fa7ffde72beae1c3c43e9f2f
SHA1

0aea217fcf6e4a1ecb61873f465139dd32021a96
SHA256

f0331b375966d894ecf1c487e1fcf3580376eccf6efad51046ed56ef40a74f1d
SHA512

a08502b8eff9f87044b20042fb7090c83e68db4a2323712cd3acb5b61ecf7ab186627d3781c80d9d9a234aef1aee2073da3a0a6b1e0a1847f7044e59e10da24f
SSDEEP

96:2BHsHDb0tCVdCEOlw6Dwiln8RMCsrFwVH6sdaI+:wMjb3mplZdaRMM9+

Score

10^/10

Malware Config

Signatures

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2956	948	conhost.exe	49

Blocklisted process makes network request 1 IoCs

flow	pid	Process
1	3944	wscript.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2956 wrote to memory of 3796	2956	conhost.exe	84
PID 2956 wrote to memory of 3796	2956	conhost.exe	84
PID 3796 wrote to memory of 568	3796	conhost.exe	85
PID 3796 wrote to memory of 568	3796	conhost.exe	85
PID 568 wrote to memory of 3832	568	conhost.exe	86
PID 568 wrote to memory of 3832	568	conhost.exe	86

C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\doc_F163_May_30.js
1⤵
- Blocklisted process makes network request
PID:3944

C:\Windows\system32\conhost.exe
conhost.exe conhost.exe conhost.exe rundll32.exe C:\Users\Public\pull.dat,next
1⤵
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory
PID:2956
- C:\Windows\system32\conhost.exe
  conhost.exe conhost.exe rundll32.exe C:\Users\Public\pull.dat,next
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3796
- - C:\Windows\system32\conhost.exe
    conhost.exe rundll32.exe C:\Users\Public\pull.dat,next
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:568
  - - C:\Windows\system32\rundll32.exe
      rundll32.exe C:\Users\Public\pull.dat,next
      4⤵
      PID:3832

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads