e0e130031ddaebb509d8d90a35250a521e074a1d2be5b7d6ff5aad66422a3898

Resubmissions

02/06/2023, 13:35 UTC

230602-qvz97sbf23 10

02/06/2023, 13:33 UTC

230602-qtmygsbe97 10

Analysis

max time kernel
81s
max time network
93s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
02/06/2023, 13:33 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

document_A614_Jun_2.js
Size

4KB
MD5

230443f8af047c8b4597903328500b43
SHA1

ce7861a9fca90884c3e34ef99507a59fd636153f
SHA256

c6aab235f1835b6a4ac64c0293f9814c0bac0f5b99e5ae345ad1c1dee5e5c408
SHA512

ca3dec226aedd3fff58daefdc35fa49fd8639cdb9e5f9b8d097799b3a1e5d12230ef85b3d32e249e0066ee0a2345ed6a7019a7bffa8123fd8e0008a9d8d2273d
SSDEEP

96:tt6seA96t3/y/H/CgWn2JUeSVKFmopZ4z2V9:tt6TA96t3/y/H/CB2IVkWz+

Score

10^/10

Malware Config

Signatures

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3860	2484	conhost.exe	21

Blocklisted process makes network request 1 IoCs

flow	pid	Process
7	2432	wscript.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 3860 wrote to memory of 4032	3860	conhost.exe	91
PID 3860 wrote to memory of 4032	3860	conhost.exe	91
PID 4032 wrote to memory of 468	4032	conhost.exe	92
PID 4032 wrote to memory of 468	4032	conhost.exe	92
PID 468 wrote to memory of 2648	468	conhost.exe	93
PID 468 wrote to memory of 2648	468	conhost.exe	93

C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\document_A614_Jun_2.js
1⤵
- Blocklisted process makes network request
PID:2432

C:\Windows\system32\conhost.exe
conhost.exe conhost.exe conhost.exe rundll32.exe C:\Users\Public\quiescence.dat,next
1⤵
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory
PID:3860
- C:\Windows\system32\conhost.exe
  conhost.exe conhost.exe rundll32.exe C:\Users\Public\quiescence.dat,next
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4032
- - C:\Windows\system32\conhost.exe
    conhost.exe rundll32.exe C:\Users\Public\quiescence.dat,next
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:468
  - - C:\Windows\system32\rundll32.exe
      rundll32.exe C:\Users\Public\quiescence.dat,next
      4⤵
      PID:2648

Network

DNS

176.122.125.40.in-addr.arpa

Remote address:

8.8.8.8:53

Request

176.122.125.40.in-addr.arpa

IN PTR

Response
DNS

97.97.242.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

97.97.242.52.in-addr.arpa

IN PTR

Response
GET

http://151.236.28.95/aTBf/E106

wscript.exe

Remote address:

151.236.28.95:80

Request

GET /aTBf/E106 HTTP/1.1
Accept: */*
Accept-Language: en-us
UA-CPU: AMD64
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
Host: 151.236.28.95
Connection: Keep-Alive

Response

HTTP/1.1 200 OK

Date: Fri, 02 Jun 2023 13:33:41 GMT
Server: Apache/2.4.52 (Ubuntu)
Content-Length: 0
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
DNS

95.28.236.151.in-addr.arpa

Remote address:

8.8.8.8:53

Request

95.28.236.151.in-addr.arpa

IN PTR

Response

95.28.236.151.in-addr.arpa

IN PTR

�
DNS

133.211.185.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

133.211.185.52.in-addr.arpa

IN PTR

Response
DNS

18.31.95.13.in-addr.arpa

Remote address:

8.8.8.8:53

Request

18.31.95.13.in-addr.arpa

IN PTR

Response
DNS

2.36.159.162.in-addr.arpa

Remote address:

8.8.8.8:53

Request

2.36.159.162.in-addr.arpa

IN PTR

Response
DNS

103.169.127.40.in-addr.arpa

Remote address:

8.8.8.8:53

Request

103.169.127.40.in-addr.arpa

IN PTR

Response
DNS

103.169.127.40.in-addr.arpa

Remote address:

8.8.8.8:53

Request

103.169.127.40.in-addr.arpa

IN PTR

Response
DNS

86.23.85.13.in-addr.arpa

Remote address:

8.8.8.8:53

Request

86.23.85.13.in-addr.arpa

IN PTR

Response
DNS

1.208.79.178.in-addr.arpa

Remote address:

8.8.8.8:53

Request

1.208.79.178.in-addr.arpa

IN PTR

Response

1.208.79.178.in-addr.arpa

IN PTR

https-178-79-208-1amsllnwnet
DNS

64.13.109.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

64.13.109.52.in-addr.arpa

IN PTR

Response
DNS

assets.msn.com

Remote address:

8.8.8.8:53

Request

assets.msn.com

IN A

Response

assets.msn.com

IN CNAME

assets.msn.com.edgekey.net

assets.msn.com.edgekey.net

IN CNAME

e28578.d.akamaiedge.net

e28578.d.akamaiedge.net

IN A

23.73.0.187

e28578.d.akamaiedge.net

IN A

23.73.0.135

e28578.d.akamaiedge.net

IN A

23.73.0.144

e28578.d.akamaiedge.net

IN A

23.73.0.149

e28578.d.akamaiedge.net

IN A

23.73.0.161

e28578.d.akamaiedge.net

IN A

23.73.0.171
GET

https://assets.msn.com/serviceak/v1/news/Feed/Windows?apikey=qrUeHGGYvVowZJuHA3XaH0uUvg1ZJ0GUZnXk3mxxPF&activityId=0691743d-9860-4180-b0e1-7a4475a2fb86&ocid=windows-windowsShell-feeds&user=m-d4eafa4aa86940188882725c6e2ef215&Treatment=T6&MaximumDimensions=660x640&experience=Taskbar&AppVersion=1&osLocale=en-US&caller=bgtask

Remote address:

23.73.0.187:443

Request

GET /serviceak/v1/news/Feed/Windows?apikey=qrUeHGGYvVowZJuHA3XaH0uUvg1ZJ0GUZnXk3mxxPF&activityId=0691743d-9860-4180-b0e1-7a4475a2fb86&ocid=windows-windowsShell-feeds&user=m-d4eafa4aa86940188882725c6e2ef215&Treatment=T6&MaximumDimensions=660x640&experience=Taskbar&AppVersion=1&osLocale=en-US&caller=bgtask HTTP/2.0
host: assets.msn.com
x-search-account: None
accept-encoding: gzip, deflate
x-device-machineid: {46CAA714-52CC-4AB9-A019-1AE3E3C36027}
x-userageclass: Unknown
x-bm-market: US
x-bm-dateformat: M/d/yyyy
x-device-ossku: 48
x-bm-dtz: 0
x-deviceid: 0100B2E609000CC3
x-bm-windowsflights: FX:117B9872,FX:119E26AD,FX:11D898D7,FX:11DB147C,FX:11DE505A,FX:11E11E97,FX:11E3E2BA,FX:11E50151,FX:11E9EE98,FX:11F1992A,FX:11F4161E,FX:11F41B68,FX:11FB0F2F,FX:1201B330,FX:1202B7FC,FX:120BB68E,FX:121A20E1,FX:121BF15F,FX:121E5EC8,FX:122D8E86,FX:123031A3,FX:1231B88B,FX:123371B1,FX:1233C945,FX:123D7C31,FX:1240013C,FX:1246E4A3,FX:1248306D,FX:124B38D0,FX:1250080B,FX:125A7FDA,FX:1264FA75,FX:126DBC22,FX:127159BE,FX:12769734,FX:127C935B,FX:127DC03A,FX:127FC878,FX:1283FFE8,FX:12840617,FX:128979F9,FX:129135BB
sitename: www.msn.com
x-bm-theme: 000000;0078d7
muid: D4EAFA4AA86940188882725C6E2EF215
x-agent-deviceid: 0100B2E609000CC3
x-bm-onlinesearchdisabled: true
x-bm-cbt: 1685712892
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Cortana 1.14.2.19041; 10.0.0.0.19041.1288) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
x-device-isoptin: false
accept-language: en-US, en
x-device-touch: false
x-device-clientsession: EC17BA4A6070474F93AC9230391220EA
cookie: MUID=D4EAFA4AA86940188882725C6E2EF215

Response

HTTP/2.0 200

content-type: application/json; charset=utf-8
server: Kestrel
access-control-allow-credentials: true
access-control-allow-headers: TicketType,RequestContinuationKey,AuthToken,Content-Type,x-client-activityid,ms-cv,signedInCookieName,muid,appid,User-Location,user-location,userauthtoken,usertickettype,sitename,s2sauthtoken,thumbprint,Authorization,Ent-Authorization,UserIdToken,DDD-TMPL,DDD-ActivityId,DDD-FeatureSet,DDD-Session-ID,Date,date,ads-referer,ads-referer,taboola-sessionId,taboola-sessionid,Akamai-Request-ID,Akamai-Server-IP,X-MSEdge-Ref,DDD-DebugId,s-xbox-token,OneWebServiceLatency,X-FD-Features,DDD-UserType,traceparent
access-control-allow-methods: PUT,PATCH,POST,GET,OPTIONS,DELETE
access-control-allow-origin: *.msn.com
access-control-expose-headers: TicketType,RequestContinuationKey,AuthToken,Content-Type,x-client-activityid,ms-cv,signedInCookieName,muid,appid,User-Location,user-location,userauthtoken,usertickettype,sitename,s2sauthtoken,thumbprint,Authorization,Ent-Authorization,UserIdToken,DDD-TMPL,DDD-ActivityId,DDD-FeatureSet,DDD-Session-ID,Date,date,ads-referer,ads-referer,taboola-sessionId,taboola-sessionid,Akamai-Request-ID,Akamai-Server-IP,X-MSEdge-Ref,DDD-DebugId,s-xbox-token,OneWebServiceLatency,X-FD-Features,DDD-UserType,traceparent
content-encoding: gzip
ddd-authenticatedwithjwtflow: False
ddd-usertype: AnonymousMuid
ddd-tmpl: winbadge:1;coldStartUpsell:1;lowT:0;daucoldcap:1;tbn:0;TeaserTemp_cold:1;coldStart:1;lowC:0;partialResponse:1
ddd-feednewsitemcount: 0
x-wpo-activityid: F6CFAB71-7301-4E81-A0BF-6A32FA10F572|2023-06-02T13:34:54.3449131Z|fabric:/wpo|WEU|WPO_149
ddd-activityid: f6cfab71-7301-4e81-a0bf-6a32fa10f572
ddd-strategyexecutionlatency: 00:00:00.2291378
ddd-debugid: f6cfab71-7301-4e81-a0bf-6a32fa10f572|2023-06-02T13:34:54.3525806Z|fabric:/winfeed|WEU|WinFeed_514
onewebservicelatency: 231
x-msedge-responseinfo: 231
x-ceto-ref: 6479effe2a6b48bfa89e89bd92622a08|2023-06-02T13:34:54.112Z
expires: Fri, 02 Jun 2023 13:34:54 GMT
date: Fri, 02 Jun 2023 13:34:54 GMT
content-length: 19634
akamai-request-bc: [a=23.72.255.59,b=1397156755,c=g,n=NL__HAARLEM,o=20940],[a=20.23.114.34,c=o]
server-timing: clientrtt; dur=2, clienttt; dur=, origin; dur=237 , cdntime; dur=-237
akamai-cache-status: Miss from child
akamai-server-ip: 23.72.255.59
akamai-request-id: 5346eb93
x-as-suppresssetcookie: 1
cache-control: private, max-age=0
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://deff.nelreports.net/api/report?cat=msn"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":0.1}
timing-allow-origin: *
vary: Origin
DNS

95.221.229.192.in-addr.arpa

Remote address:

8.8.8.8:53

Request

95.221.229.192.in-addr.arpa

IN PTR

Response
DNS

187.0.73.23.in-addr.arpa

Remote address:

8.8.8.8:53

Request

187.0.73.23.in-addr.arpa

IN PTR

Response

187.0.73.23.in-addr.arpa

IN PTR

a23-73-0-187deploystaticakamaitechnologiescom

52.242.97.97:443

tls

1.6kB
9
151.236.28.95:80

http://151.236.28.95/aTBf/E106

http

wscript.exe

602 B
375 B
6
4

HTTP Request

GET http://151.236.28.95/aTBf/E106

HTTP Response

200
40.125.122.176:443

260 B
5
20.189.173.14:443

322 B
7
8.247.211.254:80

322 B
7
23.73.0.187:443

https://assets.msn.com/serviceak/v1/news/Feed/Windows?apikey=qrUeHGGYvVowZJuHA3XaH0uUvg1ZJ0GUZnXk3mxxPF&activityId=0691743d-9860-4180-b0e1-7a4475a2fb86&ocid=windows-windowsShell-feeds&user=m-d4eafa4aa86940188882725c6e2ef215&Treatment=T6&MaximumDimensions=660x640&experience=Taskbar&AppVersion=1&osLocale=en-US&caller=bgtask

tls, http2

3.3kB
29.5kB
35
34

HTTP Request

GET https://assets.msn.com/serviceak/v1/news/Feed/Windows?apikey=qrUeHGGYvVowZJuHA3XaH0uUvg1ZJ0GUZnXk3mxxPF&activityId=0691743d-9860-4180-b0e1-7a4475a2fb86&ocid=windows-windowsShell-feeds&user=m-d4eafa4aa86940188882725c6e2ef215&Treatment=T6&MaximumDimensions=660x640&experience=Taskbar&AppVersion=1&osLocale=en-US&caller=bgtask

HTTP Response

200
8.247.211.254:80

276 B
6
173.223.113.164:443

276 B
6

8.8.8.8:53

176.122.125.40.in-addr.arpa

dns

73 B
159 B
1
1

DNS Request

176.122.125.40.in-addr.arpa
8.8.8.8:53

97.97.242.52.in-addr.arpa

dns

71 B
145 B
1
1

DNS Request

97.97.242.52.in-addr.arpa
8.8.8.8:53

95.28.236.151.in-addr.arpa

dns

72 B
86 B
1
1

DNS Request

95.28.236.151.in-addr.arpa
8.8.8.8:53

133.211.185.52.in-addr.arpa

dns

73 B
147 B
1
1

DNS Request

133.211.185.52.in-addr.arpa
8.8.8.8:53

18.31.95.13.in-addr.arpa

dns

70 B
144 B
1
1

DNS Request

18.31.95.13.in-addr.arpa
8.8.8.8:53

2.36.159.162.in-addr.arpa

dns

71 B
133 B
1
1

DNS Request

2.36.159.162.in-addr.arpa
8.8.8.8:53

103.169.127.40.in-addr.arpa

dns

73 B
147 B
1
1

DNS Request

103.169.127.40.in-addr.arpa
8.8.8.8:53

103.169.127.40.in-addr.arpa

dns

73 B
147 B
1
1

DNS Request

103.169.127.40.in-addr.arpa
8.8.8.8:53

86.23.85.13.in-addr.arpa

dns

70 B
144 B
1
1

DNS Request

86.23.85.13.in-addr.arpa
8.8.8.8:53

1.208.79.178.in-addr.arpa

dns

71 B
116 B
1
1

DNS Request

1.208.79.178.in-addr.arpa
8.8.8.8:53

64.13.109.52.in-addr.arpa

dns

71 B
145 B
1
1

DNS Request

64.13.109.52.in-addr.arpa
8.8.8.8:53

assets.msn.com

dns

60 B
230 B
1
1

DNS Request

assets.msn.com

DNS Response

23.73.0.187

23.73.0.135

23.73.0.144

23.73.0.149

23.73.0.161

23.73.0.171
8.8.8.8:53

95.221.229.192.in-addr.arpa

dns

73 B
144 B
1
1

DNS Request

95.221.229.192.in-addr.arpa
8.8.8.8:53

187.0.73.23.in-addr.arpa

dns

70 B
133 B
1
1

DNS Request

187.0.73.23.in-addr.arpa

Resubmissions

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

HTTP Request

HTTP Response

HTTP Request

HTTP Response

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Response

DNS Request

DNS Request

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

We care about your privacy.