Some hunting opportunities for:
https://www.virustotal.com/gui/file/13846a9778f224ae692edddcc90746d0e619f872733c2c880188c36797b2c4e7

@k3dg3 and pointed out by @gossithedog #ZippyReads

PDF LNK file uses certutil -decode and .hta. Fetches .zip file payload and connects to C2.

michaelpagerecruitment-ukoffers(d)com
r3(d)o(d)lencr(d)org

#threatintel

For anyone using SentinelOne, here are a few easy ways to find this.

The initial execution of the LNK file: IndicatorName = "SuspiciousCmdFromLnk"

IndicatorName = "SuspiciousCmdFromLnk" AND SrcProcCmdLine Contains Anycase "certutil"

Documented here on my GitHub:

https://github.com/acquiredsecurity/Sentinel-One-STAR-Rules-Threat-Hunts/blob/main/HUNT/Malware:%20ZippyReads

Cmdline Telemetry

"C:\Windows\System32\cmd.exe" /c if exist C:\Users\<user>\AppData\Local\Temp\temp1_job_offer.zip\job_descr_10_22.pdf.lnk (certutil.exe -decode C:\Users\<user>\AppData\Local\Temp\temp1_job_offer.zip\job_descr_10_22.pdf.lnk C:\Users\<user>\AppData\Local\Temp\.hta&start C:\Users\<user>\AppData\Local\Temp\.hta)else (certutil -decode job_descr_10_22.pdf.lnk C:\Users\<user>\AppData\Local\Temp\.hta&start C:\Users\<user>\AppData\Local\Temp\.hta)

@acquiredsec @k3dg3 @gossithedog r3.o.lencr.org is a legitimate Let's Encrypt endpoint.

https://letsencrypt.org/docs/lencr.org/

What’s lencr.org? lencr.org is a domain name owned by Let’s Encrypt. We use it to host data that is referenced inside the certificates we issue. Why is my computer fetching this data? Is it malicious? No, the data on lencr.org is never malicious. When a device connects to lencr.org, it’s because client software on that device (like a web browser or an app) connected to another site, saw a Let’s Encrypt certificate, and is trying to verify that it’s valid.