16a597b4fb6dd4d55f5c544c3ab6c06aab4711ddeabf71146754a268f9ea48f8 | Triage

Analysis

max time kernel
90s
max time network
93s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
01/06/2023, 15:27

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

document_D874_Jun_1.js
Size

5KB
MD5

f23b307aa9c2f4e7b12390248b892667
SHA1

97d4f53a0b91e049f7b59785777aa7ab679a52fe
SHA256

69f3aa2db0d3fb0c8bcc2c1a0ff90e4cfb62558eed7cef195c2d5ba0ed18aa8e
SHA512

fc61588a4e8898367f2aef7cbdc91dfce2b0913263687956bf0699906aad75ac6f790f692ae4fae442b4c48941294d24293d18aec8add5947664c9fff6e50f3f
SSDEEP

96:OleiTFtf7yLH4JfO4Jy0ealsvW1vHduGFmS8J+x:JevCYZZHjf2+x

Score

10^/10

Malware Config

Signatures

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3380	3284	conhost.exe	65

Blocklisted process makes network request 3 IoCs

flow	pid	Process
11	4116	wscript.exe
12	4116	wscript.exe
13	4116	wscript.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 3380 wrote to memory of 4712	3380	conhost.exe	90
PID 3380 wrote to memory of 4712	3380	conhost.exe	90
PID 4712 wrote to memory of 2156	4712	conhost.exe	91
PID 4712 wrote to memory of 2156	4712	conhost.exe	91
PID 2156 wrote to memory of 3956	2156	conhost.exe	92
PID 2156 wrote to memory of 3956	2156	conhost.exe	92

C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\document_D874_Jun_1.js
1⤵
- Blocklisted process makes network request
PID:4116

C:\Windows\system32\conhost.exe
conhost.exe conhost.exe conhost.exe rundll32.exe C:\Users\Public\cropped.dat,next
1⤵
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory
PID:3380
- C:\Windows\system32\conhost.exe
  conhost.exe conhost.exe rundll32.exe C:\Users\Public\cropped.dat,next
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4712
- - C:\Windows\system32\conhost.exe
    conhost.exe rundll32.exe C:\Users\Public\cropped.dat,next
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2156
  - - C:\Windows\system32\rundll32.exe
      rundll32.exe C:\Users\Public\cropped.dat,next
      4⤵
      PID:3956

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads