07acc12e69740e8d0f4b2cd48d231ee331a7d418239ad2e53e65a3a429dab79f | Triage

Analysis

max time kernel
100s
max time network
137s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
02/06/2023, 11:57

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

05038899.js
Size

5KB
MD5

18ba5f25f3233abbaf015d90814edbd6
SHA1

514470e780b63ffec5649a0d0db23c7a23f60bba
SHA256

07acc12e69740e8d0f4b2cd48d231ee331a7d418239ad2e53e65a3a429dab79f
SHA512

9864eb698a4614a93707eb554d9e2b64bb7ad9b7c359737221144f2c6ca420ed04d36f4b0039f779fa74a6121f4fce5ec5a0742b612bd0311ea36837ccb9be26
SSDEEP

96:xKhq+BmdEpt1emnYnCC/RU0sT5dFm0567HGmon:xKI+B0EpjBHu2n

Score

10^/10

Malware Config

Signatures

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3932	1160	conhost.exe	53

Blocklisted process makes network request 1 IoCs

flow	pid	Process
5	2132	wscript.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 3932 wrote to memory of 2724	3932	conhost.exe	89
PID 3932 wrote to memory of 2724	3932	conhost.exe	89
PID 2724 wrote to memory of 1976	2724	conhost.exe	90
PID 2724 wrote to memory of 1976	2724	conhost.exe	90
PID 1976 wrote to memory of 4788	1976	conhost.exe	91
PID 1976 wrote to memory of 4788	1976	conhost.exe	91

C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\05038899.js
1⤵
- Blocklisted process makes network request
PID:2132

C:\Windows\system32\conhost.exe
conhost.exe conhost.exe conhost.exe rundll32.exe C:\Users\Public\distantly.dat,next
1⤵
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory
PID:3932
- C:\Windows\system32\conhost.exe
  conhost.exe conhost.exe rundll32.exe C:\Users\Public\distantly.dat,next
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2724
- - C:\Windows\system32\conhost.exe
    conhost.exe rundll32.exe C:\Users\Public\distantly.dat,next
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1976
  - - C:\Windows\system32\rundll32.exe
      rundll32.exe C:\Users\Public\distantly.dat,next
      4⤵
      PID:4788

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads