globeimposter | 7230ed28d9881355ee196933dbc1f280059f14e8efd45d4b555f444bb083e95a

Analysis

max time kernel
142s
max time network
144s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
23/02/2025, 19:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e6fae4d52ed5450e44b6c16ce80abf4e63cdc25d3e4fc4f55c220cc1b740c2f5.exe
Size

55KB
MD5

821883525833df75c30d68584716f6fd
SHA1

59f8739daa99175ae2a20e38048b1a5d3c5f039a
SHA256

e6fae4d52ed5450e44b6c16ce80abf4e63cdc25d3e4fc4f55c220cc1b740c2f5
SHA512

d457be30bc2231490e5d430c4eb545a9ef6c1f7bb3c393f28107faab4219d309c190592080aca9ef649a15ef78ddebf0d4f092b4988501b0177e18eb19386ef0
SSDEEP

768:wGvvuye1kVtGBk6P/v7nWlHznbkVwrEKD9yDwxVSHrowNI2tG6o/t84B5WpCD+9q:JreytM3alnawrRIwxVSHMweio3dD63o

Score

10^/10

globeimposter defense_evasion discovery persistence ransomware spyware stealer

Malware Config

Extracted

Path

C:\Users\Public\Videos\Open Me!.hta

Ransom Note

<!DOCTYPE HTML PUBLIC '-//W3C//DTD HTML 4.01//EN' 'http://www.w3.org/TR/html4/strict.dtd'> <html> <head> <meta charset='windows-1251'> <title>Mister Merlen Encrypted your File;(</title> <HTA:APPLICATION ICON='msiexec.exe' SINGLEINSTANCE='yes' SysMenu="no"> <script language='JScript'> window.moveTo(50, 50); window.resizeTo(screen.width - 100, screen.height - 100); </script> <style type='text/css'> body { font: 15px Tahoma, sans-serif; margin: 10px; line-height: 25px; background: #EDEDED; } img { display:inline-block; } .bold { font-weight: bold; } .mark { background: #D0D0E8; padding: 2px 5px; } .header { text-align: center; font-size: 30px; line-height: 50px; font-weight: bold; margin-bottom:20px; } .info { background: #D0D0E8; border-left: 10px solid #00008B; } .alert { background: #FFE4E4; border-left: 10px solid #FF0000; } .private { border: 1px dashed #000; background: #FFFFEF; } .note { height: auto; padding-bottom: 1px; margin: 15px 0; } .note .title { font-weight: bold; text-indent: 10px; height: 30px; line-height: 30px; padding-top: 10px; } .note .mark { background: #A2A2B5; } .note ul { margin-top: 0; } .note pre { margin-left: 15px; line-height: 13px; font-size: 13px; } .footer { position:fixed; bottom:0; right:0; text-align: right; } </style> </head> <body> <div class='header'> <img src='data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAEAAAABACAQAAAAAYLlVAAAABGdBTUEAALGPC/xhBQAAACBjSFJNAAB6JQAAgIMAAPn/AACA6QAAdTAAAOpgAAA6mAAAF2+SX8VGAAAAAmJLR0QA/4ePzL8AAAAJcEhZcwAACxMAAAsTAQCanBgAAAAHdElNRQfjAwwMJwSFwIn8AAADNklEQVRo3u2ZTUhUURTHfzozmprmZ1pYEmkfJNEmiwwkSEyFECIQpEUboYhqFYHQXlcti9rUKldWBEUiuQpbtDDNzD5G8qM0HRXLRtO5LdJx3puPd++8+xyIztm88zgf/3veufeee18SdimDI1RxnL0U4gbAzxhDdPGCfpZs+49JWTTyFB8iAq8wTju1pDgXvopOliIGX+d57rHPieBuLvLNIvgaD1KvP/x1FiTDCwQTNOkFcJVfCuEFgq+c0he+minF8AJBH2WRnCUph8/nIZVhb2d5w1smEbjYSTn7SQ/TucsFlnWkPxBW6Xc4RkbIoHKooSNshsxRbT98Eb0mtyM04oqgmR6hUNvtrwrnWDa4nOVMVF0XLfw2aPuosBfezQPTmNpiVtFmnpj0W+wBKMFrcPeJ3RYWNfwwWHSSZgdAHX6Du5uWFpl0myqm1KiQrASgnNQQaZFOS4t5nhvkAnbZAbDHIE0wIGHzmsUQKdXkQwlACtsN8ijfJay8zBjkovgBbCLPlAG/hNUcswa5IH4Ayasdzxr5pBbWRRYMstGHYg04QAkH4FbQFSwTCKbdI7mzWVipbMceKtiCCFqO0OeY1caRbAaKOcgOCpQ+WWTyM8EwvfjkTfJoYZDFONqwaPyTHs7LbktlPNMYep2XuE22dfhsHjkS/i+3Wn/SK2EdoE72UeuyGH8rxbbLLjqlkRlb4TAzDo5fIJiOvRTnR+ju9VJuwveC/wASDsD+2h5KUyyQTVZiALzjFt3MsY16mtmqx2mt9BbUw4EQuzpGpVcCLQB8nDBZXmJFDoCeInzFS9ObxwzLmeoBMGA4/QBM4t1IAOHXDi7Zqwg9ACrCWotS8xnQWQCHOGsafzOFOhzLT8NxmoI3RZncULjG1ARA8DHYupxUucbUtxd4ghnw4JI30wdARHneMABx0j8FYD3xCkdefQByKFl9KsOjy6nKNBR0cZRCTjOk1JhrBCCY5r3pZtSS9bZkueSqmljVgPoPDa0Algk4HD8QG8AXph0G8Dk2AC89DgPosFKodvR83G/dtiRzTevtUChP0SCTpBQuM+bI6Bvk51gl96X/FFvzCh9oW0v+H2zO2tYtz/EgAAAAJXRFWHRkYXRlOmNyZWF0ZQAyMDE5LTAzLTEyVDEyOjM5OjA0KzAwOjAwG6lIYwAAACV0RVh0ZGF0ZTptb2RpZnkAMjAxOS0wMy0xMlQxMjozOTowNCswMDowMGr08N8AAAAASUVORK5CYII='> <h2><span style="text-decoration: underline; color: #000000;"><strong><em>All your files have been encrypted!<img src="https://yoursmiles.org/bsmile/fun/b0222.gif" alt="[email protected]" /></em></strong></span></h2> </div> <div class="bold">All your files have been encrypted due to a security problem with your PC.</div> <div class="bold">If you want to restore them, write us to the e-mails: <span style="color: #800000;"><a style="color: #800000;" href="mailto:[email protected]">[email protected]</a></span> and <span style="color: #ff0000;"><a style="color: #ff0000;" href="mailto:[email protected]">[email protected]</a></span> and <span style="color: #0000ff;"><a style="color: #0000ff;" href="mailto:@[email protected]">[email protected] </a></span> <span style="text-decoration: underline;"> </div>(for the fastest possible response, write to all 3 mails at once!)</span></div> <h4 class="bold"><span style="text-decoration: underline;"><em><strong>Write this ID in the title of your message:</strong></em></span></h4> <p><span style="text-decoration: underline; color: #0000ff;"><em><strong> 71 E6 32 0B 99 5B 26 95 10 29 1F 50 BE C9 2C CF A1 8D F0 0D 47 0A A3 B4 A1 3A 05 0D 93 A0 79 85 A5 FB 8A DF A2 68 AC 8B 3B BD 31 DA AF FB 40 50 67 B7 A7 77 78 BC F4 AC 93 12 D4 17 7B 5A 4E 60 DA EB 33 96 DF 8C 61 5A 8D 98 49 10 BB F3 36 67 3F 53 58 63 4A 5E 3B C4 2C D1 23 23 57 71 9C AE 59 8A BE 83 C5 5B 73 D6 D7 34 23 1A BA 60 84 1C 3C 08 75 FB 70 77 7E E7 4B 52 46 15 65 DC 18 FA 14 BE 64 49 19 A8 F3 6A F3 71 88 9B 3F 36 D5 BD CC F0 AF 58 64 2B CF 2F F2 57 92 40 37 58 E6 04 7C 0D BD B6 5F AE A8 C1 D0 F6 A1 98 65 61 D2 81 B3 6D EE 95 61 F0 E1 78 46 24 6F 56 10 68 87 94 49 5D CB FC 11 04 49 0C C7 D8 18 1F 4F CE 20 BD 66 BC CD 36 C4 8C 93 F8 5F 90 9D 39 9C 2D D7 FF CA 07 FC 81 5B A8 40 CA 29 2D 11 4D DA B3 F0 77 65 11 34 B9 5D 8F 44 F4 B8 0F 04 C8 8F 2F A2 F5 </strong></em></span></p> <div> You have to pay for decryption in Bitcoins. The price depends on how fast you write to us. After payment we will send you the tool that will decrypt all your files. </div> <div class='note info'> <div class='title'>Free decryption as guarantee</div> <ul>Before paying you can send us up to 3 files for free decryption. The total size of files must be less than 5Mb (non archived), and files should not contain valuable information. (databases,backups, large excel sheets, etc.) </ul> </div> <div class='note info'> <div class='title'>How to obtain Bitcoins</div> <ul> The easiest way to buy bitcoins is LocalBitcoins site. You have to register, click 'Buy bitcoins', and select the seller by payment method and price. <br><a href='https://localbitcoins.com/buy_bitcoins'>https://localbitcoins.com/buy_bitcoins</a> <br> Also you can find other places to buy Bitcoins and beginners guide here: <br><a href='http://www.coindesk.com/information/how-can-i-buy-bitcoins/'>http://www.coindesk.com/information/how-can-i-buy-bitcoins/</a> </ul> </div> <div class='note alert'> <div class='title'>Attention!</div> <ul> <li>Do not rename encrypted files.</li> <li>Do not try to decrypt your data using third party software, it may cause permanent data loss.</li> <li>Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.</li> </div> </body> </html> ��

Emails

alt="[email protected]"

href="mailto:[email protected]">[email protected]</a></span> and <span

href="mailto:@[email protected]">[email protected]

URLs

http://www.w3.org/TR/html4/strict.dtd'>

Signatures

GlobeImposter
GlobeImposter is a ransomware first seen in 2017.
ransomware globeimposter
Globeimposter family
globeimposter
Renames multiple (8658) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Blocklisted process makes network request 5 IoCs

flow	pid	Process
5	2088	mshta.exe
7	2088	mshta.exe
9	2088	mshta.exe
21	2508	mshta.exe
23	2508	mshta.exe

Deletes itself 1 IoCs

pid	Process
1292	cmd.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\BrowserUpdateCheck = "C:\\Users\\Admin\\AppData\\Local\\e6fae4d52ed5450e44b6c16ce80abf4e63cdc25d3e4fc4f55c220cc1b740c2f5.exe"	e6fae4d52ed5450e44b6c16ce80abf4e63cdc25d3e4fc4f55c220cc1b740c2f5.exe

Drops desktop.ini file(s) 38 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Contacts\desktop.ini	e6fae4d52ed5450e44b6c16ce80abf4e63cdc25d3e4fc4f55c220cc1b740c2f5.exe
File opened for modification	C:\Program Files (x86)\desktop.ini	e6fae4d52ed5450e44b6c16ce80abf4e63cdc25d3e4fc4f55c220cc1b740c2f5.exe
File opened for modification	C:\Users\Public\Videos\desktop.ini	e6fae4d52ed5450e44b6c16ce80abf4e63cdc25d3e4fc4f55c220cc1b740c2f5.exe
File opened for modification	C:\Users\Public\Videos\Sample Videos\desktop.ini	e6fae4d52ed5450e44b6c16ce80abf4e63cdc25d3e4fc4f55c220cc1b740c2f5.exe
File opened for modification	C:\Users\Admin\Links\desktop.ini	e6fae4d52ed5450e44b6c16ce80abf4e63cdc25d3e4fc4f55c220cc1b740c2f5.exe
File opened for modification	C:\Program Files\desktop.ini	e6fae4d52ed5450e44b6c16ce80abf4e63cdc25d3e4fc4f55c220cc1b740c2f5.exe
File opened for modification	C:\Program Files\Microsoft Games\SpiderSolitaire\desktop.ini	e6fae4d52ed5450e44b6c16ce80abf4e63cdc25d3e4fc4f55c220cc1b740c2f5.exe
File opened for modification	C:\Program Files\Microsoft Games\Hearts\desktop.ini	e6fae4d52ed5450e44b6c16ce80abf4e63cdc25d3e4fc4f55c220cc1b740c2f5.exe
File opened for modification	C:\Users\Public\Libraries\desktop.ini	e6fae4d52ed5450e44b6c16ce80abf4e63cdc25d3e4fc4f55c220cc1b740c2f5.exe
File opened for modification	C:\Program Files\Microsoft Games\Chess\desktop.ini	e6fae4d52ed5450e44b6c16ce80abf4e63cdc25d3e4fc4f55c220cc1b740c2f5.exe
File opened for modification	C:\Users\Public\Pictures\Sample Pictures\desktop.ini	e6fae4d52ed5450e44b6c16ce80abf4e63cdc25d3e4fc4f55c220cc1b740c2f5.exe
File opened for modification	C:\Users\Admin\Pictures\desktop.ini	e6fae4d52ed5450e44b6c16ce80abf4e63cdc25d3e4fc4f55c220cc1b740c2f5.exe
File opened for modification	C:\Users\Admin\Documents\desktop.ini	e6fae4d52ed5450e44b6c16ce80abf4e63cdc25d3e4fc4f55c220cc1b740c2f5.exe
File opened for modification	C:\Program Files\Microsoft Games\Mahjong\desktop.ini	e6fae4d52ed5450e44b6c16ce80abf4e63cdc25d3e4fc4f55c220cc1b740c2f5.exe
File opened for modification	C:\Users\Public\desktop.ini	e6fae4d52ed5450e44b6c16ce80abf4e63cdc25d3e4fc4f55c220cc1b740c2f5.exe
File opened for modification	C:\Users\Public\Recorded TV\desktop.ini	e6fae4d52ed5450e44b6c16ce80abf4e63cdc25d3e4fc4f55c220cc1b740c2f5.exe
File opened for modification	C:\Users\Public\Pictures\desktop.ini	e6fae4d52ed5450e44b6c16ce80abf4e63cdc25d3e4fc4f55c220cc1b740c2f5.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\DataServices\DESKTOP.INI	e6fae4d52ed5450e44b6c16ce80abf4e63cdc25d3e4fc4f55c220cc1b740c2f5.exe
File opened for modification	C:\Program Files\Microsoft Games\FreeCell\desktop.ini	e6fae4d52ed5450e44b6c16ce80abf4e63cdc25d3e4fc4f55c220cc1b740c2f5.exe
File opened for modification	C:\Users\Admin\Favorites\Links for United States\desktop.ini	e6fae4d52ed5450e44b6c16ce80abf4e63cdc25d3e4fc4f55c220cc1b740c2f5.exe
File opened for modification	C:\Users\Public\Documents\desktop.ini	e6fae4d52ed5450e44b6c16ce80abf4e63cdc25d3e4fc4f55c220cc1b740c2f5.exe
File opened for modification	C:\Users\Public\Desktop\desktop.ini	e6fae4d52ed5450e44b6c16ce80abf4e63cdc25d3e4fc4f55c220cc1b740c2f5.exe
File opened for modification	C:\Users\Admin\Searches\desktop.ini	e6fae4d52ed5450e44b6c16ce80abf4e63cdc25d3e4fc4f55c220cc1b740c2f5.exe
File opened for modification	C:\Users\Admin\Saved Games\desktop.ini	e6fae4d52ed5450e44b6c16ce80abf4e63cdc25d3e4fc4f55c220cc1b740c2f5.exe
File opened for modification	C:\Users\Admin\Music\desktop.ini	e6fae4d52ed5450e44b6c16ce80abf4e63cdc25d3e4fc4f55c220cc1b740c2f5.exe
File opened for modification	C:\Program Files\Microsoft Games\Solitaire\desktop.ini	e6fae4d52ed5450e44b6c16ce80abf4e63cdc25d3e4fc4f55c220cc1b740c2f5.exe
File opened for modification	C:\$Recycle.Bin\S-1-5-21-1488793075-819845221-1497111674-1000\desktop.ini	e6fae4d52ed5450e44b6c16ce80abf4e63cdc25d3e4fc4f55c220cc1b740c2f5.exe
File opened for modification	F:\$RECYCLE.BIN\S-1-5-21-1488793075-819845221-1497111674-1000\desktop.ini	e6fae4d52ed5450e44b6c16ce80abf4e63cdc25d3e4fc4f55c220cc1b740c2f5.exe
File opened for modification	C:\Users\Public\Recorded TV\Sample Media\desktop.ini	e6fae4d52ed5450e44b6c16ce80abf4e63cdc25d3e4fc4f55c220cc1b740c2f5.exe
File opened for modification	C:\Users\Admin\Favorites\Links\desktop.ini	e6fae4d52ed5450e44b6c16ce80abf4e63cdc25d3e4fc4f55c220cc1b740c2f5.exe
File opened for modification	C:\Users\Admin\Downloads\desktop.ini	e6fae4d52ed5450e44b6c16ce80abf4e63cdc25d3e4fc4f55c220cc1b740c2f5.exe
File opened for modification	C:\Users\Admin\Desktop\desktop.ini	e6fae4d52ed5450e44b6c16ce80abf4e63cdc25d3e4fc4f55c220cc1b740c2f5.exe
File opened for modification	C:\Program Files\Microsoft Games\Purble Place\desktop.ini	e6fae4d52ed5450e44b6c16ce80abf4e63cdc25d3e4fc4f55c220cc1b740c2f5.exe
File opened for modification	C:\Users\Public\Music\Sample Music\desktop.ini	e6fae4d52ed5450e44b6c16ce80abf4e63cdc25d3e4fc4f55c220cc1b740c2f5.exe
File opened for modification	C:\Users\Public\Music\desktop.ini	e6fae4d52ed5450e44b6c16ce80abf4e63cdc25d3e4fc4f55c220cc1b740c2f5.exe
File opened for modification	C:\Users\Public\Downloads\desktop.ini	e6fae4d52ed5450e44b6c16ce80abf4e63cdc25d3e4fc4f55c220cc1b740c2f5.exe
File opened for modification	C:\Users\Admin\Videos\desktop.ini	e6fae4d52ed5450e44b6c16ce80abf4e63cdc25d3e4fc4f55c220cc1b740c2f5.exe
File opened for modification	C:\Users\Admin\Favorites\desktop.ini	e6fae4d52ed5450e44b6c16ce80abf4e63cdc25d3e4fc4f55c220cc1b740c2f5.exe

Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
defense_evasion

File Deletion
T1070.004

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Etc\GMT+1	e6fae4d52ed5450e44b6c16ce80abf4e63cdc25d3e4fc4f55c220cc1b740c2f5.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Indiana\Vevay	e6fae4d52ed5450e44b6c16ce80abf4e63cdc25d3e4fc4f55c220cc1b740c2f5.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\WINWORD_K_COL.HXK	e6fae4d52ed5450e44b6c16ce80abf4e63cdc25d3e4fc4f55c220cc1b740c2f5.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\icucnv36.dll	e6fae4d52ed5450e44b6c16ce80abf4e63cdc25d3e4fc4f55c220cc1b740c2f5.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-modules-editor-mimelookup.xml	e6fae4d52ed5450e44b6c16ce80abf4e63cdc25d3e4fc4f55c220cc1b740c2f5.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\MSTORE.EXE	e6fae4d52ed5450e44b6c16ce80abf4e63cdc25d3e4fc4f55c220cc1b740c2f5.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\BL00008_.WMF	e6fae4d52ed5450e44b6c16ce80abf4e63cdc25d3e4fc4f55c220cc1b740c2f5.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0199483.WMF	e6fae4d52ed5450e44b6c16ce80abf4e63cdc25d3e4fc4f55c220cc1b740c2f5.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\video_filter\libinvert_plugin.dll	e6fae4d52ed5450e44b6c16ce80abf4e63cdc25d3e4fc4f55c220cc1b740c2f5.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\demux\libplaylist_plugin.dll	e6fae4d52ed5450e44b6c16ce80abf4e63cdc25d3e4fc4f55c220cc1b740c2f5.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\gifs\help.gif	e6fae4d52ed5450e44b6c16ce80abf4e63cdc25d3e4fc4f55c220cc1b740c2f5.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Etc\GMT-6	e6fae4d52ed5450e44b6c16ce80abf4e63cdc25d3e4fc4f55c220cc1b740c2f5.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Indiana\Indianapolis	e6fae4d52ed5450e44b6c16ce80abf4e63cdc25d3e4fc4f55c220cc1b740c2f5.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\lua\liblua_plugin.dll	e6fae4d52ed5450e44b6c16ce80abf4e63cdc25d3e4fc4f55c220cc1b740c2f5.exe
File created	C:\Program Files\Microsoft Games\SpiderSolitaire\en-US\Open Me!.hta	e6fae4d52ed5450e44b6c16ce80abf4e63cdc25d3e4fc4f55c220cc1b740c2f5.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Pacific\Efate	e6fae4d52ed5450e44b6c16ce80abf4e63cdc25d3e4fc4f55c220cc1b740c2f5.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Antarctica\DumontDUrville	e6fae4d52ed5450e44b6c16ce80abf4e63cdc25d3e4fc4f55c220cc1b740c2f5.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Indiana\Petersburg	e6fae4d52ed5450e44b6c16ce80abf4e63cdc25d3e4fc4f55c220cc1b740c2f5.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\Pets_image-frame-backglow.png	e6fae4d52ed5450e44b6c16ce80abf4e63cdc25d3e4fc4f55c220cc1b740c2f5.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\notes-static.png	e6fae4d52ed5450e44b6c16ce80abf4e63cdc25d3e4fc4f55c220cc1b740c2f5.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Slate\Open Me!.hta	e6fae4d52ed5450e44b6c16ce80abf4e63cdc25d3e4fc4f55c220cc1b740c2f5.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA00808_.WMF	e6fae4d52ed5450e44b6c16ce80abf4e63cdc25d3e4fc4f55c220cc1b740c2f5.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\rt.jar	e6fae4d52ed5450e44b6c16ce80abf4e63cdc25d3e4fc4f55c220cc1b740c2f5.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Etc\GMT-8	e6fae4d52ed5450e44b6c16ce80abf4e63cdc25d3e4fc4f55c220cc1b740c2f5.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\Pets_btn-previous-over-select.png	e6fae4d52ed5450e44b6c16ce80abf4e63cdc25d3e4fc4f55c220cc1b740c2f5.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Technic.thmx	e6fae4d52ed5450e44b6c16ce80abf4e63cdc25d3e4fc4f55c220cc1b740c2f5.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\FD02088_.WMF	e6fae4d52ed5450e44b6c16ce80abf4e63cdc25d3e4fc4f55c220cc1b740c2f5.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0105496.WMF	e6fae4d52ed5450e44b6c16ce80abf4e63cdc25d3e4fc4f55c220cc1b740c2f5.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Esl\AiodLite.dll	e6fae4d52ed5450e44b6c16ce80abf4e63cdc25d3e4fc4f55c220cc1b740c2f5.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_Earthy.gif	e6fae4d52ed5450e44b6c16ce80abf4e63cdc25d3e4fc4f55c220cc1b740c2f5.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD15060_.GIF	e6fae4d52ed5450e44b6c16ce80abf4e63cdc25d3e4fc4f55c220cc1b740c2f5.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SCHOL_02.MID	e6fae4d52ed5450e44b6c16ce80abf4e63cdc25d3e4fc4f55c220cc1b740c2f5.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Push\push_title.png	e6fae4d52ed5450e44b6c16ce80abf4e63cdc25d3e4fc4f55c220cc1b740c2f5.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\BS01637_.WMF	e6fae4d52ed5450e44b6c16ce80abf4e63cdc25d3e4fc4f55c220cc1b740c2f5.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\WB01843_.GIF	e6fae4d52ed5450e44b6c16ce80abf4e63cdc25d3e4fc4f55c220cc1b740c2f5.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD14531_.GIF	e6fae4d52ed5450e44b6c16ce80abf4e63cdc25d3e4fc4f55c220cc1b740c2f5.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Adobe\zdingbat.txt	e6fae4d52ed5450e44b6c16ce80abf4e63cdc25d3e4fc4f55c220cc1b740c2f5.exe
File opened for modification	C:\Program Files\Windows Journal\jnwppr.dll	e6fae4d52ed5450e44b6c16ce80abf4e63cdc25d3e4fc4f55c220cc1b740c2f5.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\video_filter\libextract_plugin.dll	e6fae4d52ed5450e44b6c16ce80abf4e63cdc25d3e4fc4f55c220cc1b740c2f5.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\requests\status.xml	e6fae4d52ed5450e44b6c16ce80abf4e63cdc25d3e4fc4f55c220cc1b740c2f5.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-openide-dialogs.xml	e6fae4d52ed5450e44b6c16ce80abf4e63cdc25d3e4fc4f55c220cc1b740c2f5.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-openide-util-enumerations_zh_CN.jar	e6fae4d52ed5450e44b6c16ce80abf4e63cdc25d3e4fc4f55c220cc1b740c2f5.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Chita	e6fae4d52ed5450e44b6c16ce80abf4e63cdc25d3e4fc4f55c220cc1b740c2f5.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBBA\MSPUB3B.BDR	e6fae4d52ed5450e44b6c16ce80abf4e63cdc25d3e4fc4f55c220cc1b740c2f5.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\OUTLWVW.DLL	e6fae4d52ed5450e44b6c16ce80abf4e63cdc25d3e4fc4f55c220cc1b740c2f5.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\LINES\BD14996_.GIF	e6fae4d52ed5450e44b6c16ce80abf4e63cdc25d3e4fc4f55c220cc1b740c2f5.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD14582_.GIF	e6fae4d52ed5450e44b6c16ce80abf4e63cdc25d3e4fc4f55c220cc1b740c2f5.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\HM00172_.WMF	e6fae4d52ed5450e44b6c16ce80abf4e63cdc25d3e4fc4f55c220cc1b740c2f5.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO00834_.WMF	e6fae4d52ed5450e44b6c16ce80abf4e63cdc25d3e4fc4f55c220cc1b740c2f5.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Templates\1033\BlackTieNewsletter.dotx	e6fae4d52ed5450e44b6c16ce80abf4e63cdc25d3e4fc4f55c220cc1b740c2f5.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PAGESIZE\PGMN044.XML	e6fae4d52ed5450e44b6c16ce80abf4e63cdc25d3e4fc4f55c220cc1b740c2f5.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Americana\TAB_OFF.GIF	e6fae4d52ed5450e44b6c16ce80abf4e63cdc25d3e4fc4f55c220cc1b740c2f5.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0152556.WMF	e6fae4d52ed5450e44b6c16ce80abf4e63cdc25d3e4fc4f55c220cc1b740c2f5.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0153091.WMF	e6fae4d52ed5450e44b6c16ce80abf4e63cdc25d3e4fc4f55c220cc1b740c2f5.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\wa\LC_MESSAGES\vlc.mo	e6fae4d52ed5450e44b6c16ce80abf4e63cdc25d3e4fc4f55c220cc1b740c2f5.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-core-output2.xml	e6fae4d52ed5450e44b6c16ce80abf4e63cdc25d3e4fc4f55c220cc1b740c2f5.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\SportsMainToNotesBackground_PAL.wmv	e6fae4d52ed5450e44b6c16ce80abf4e63cdc25d3e4fc4f55c220cc1b740c2f5.exe
File opened for modification	C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\CSharp\1033\AppConfigInternal.zip	e6fae4d52ed5450e44b6c16ce80abf4e63cdc25d3e4fc4f55c220cc1b740c2f5.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\CONTACTINFOBB.POC	e6fae4d52ed5450e44b6c16ce80abf4e63cdc25d3e4fc4f55c220cc1b740c2f5.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\SpringGreen\Open Me!.hta	e6fae4d52ed5450e44b6c16ce80abf4e63cdc25d3e4fc4f55c220cc1b740c2f5.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\WINWORD.HXS	e6fae4d52ed5450e44b6c16ce80abf4e63cdc25d3e4fc4f55c220cc1b740c2f5.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD21299_.GIF	e6fae4d52ed5450e44b6c16ce80abf4e63cdc25d3e4fc4f55c220cc1b740c2f5.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BULLETS.DLL	e6fae4d52ed5450e44b6c16ce80abf4e63cdc25d3e4fc4f55c220cc1b740c2f5.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\images\ui-icons_222222_256x240.png	e6fae4d52ed5450e44b6c16ce80abf4e63cdc25d3e4fc4f55c220cc1b740c2f5.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mshta.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mshta.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e6fae4d52ed5450e44b6c16ce80abf4e63cdc25d3e4fc4f55c220cc1b740c2f5.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main	mshta.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main	mshta.exe

Modifies system certificate store 2 TTPs 2 IoCs

defense_evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	mshta.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	mshta.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
2088	mshta.exe
2088	mshta.exe
2088	mshta.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2408 wrote to memory of 1292	2408	e6fae4d52ed5450e44b6c16ce80abf4e63cdc25d3e4fc4f55c220cc1b740c2f5.exe	32
PID 2408 wrote to memory of 1292	2408	e6fae4d52ed5450e44b6c16ce80abf4e63cdc25d3e4fc4f55c220cc1b740c2f5.exe	32
PID 2408 wrote to memory of 1292	2408	e6fae4d52ed5450e44b6c16ce80abf4e63cdc25d3e4fc4f55c220cc1b740c2f5.exe	32
PID 2408 wrote to memory of 1292	2408	e6fae4d52ed5450e44b6c16ce80abf4e63cdc25d3e4fc4f55c220cc1b740c2f5.exe	32

C:\Users\Admin\AppData\Local\Temp\e6fae4d52ed5450e44b6c16ce80abf4e63cdc25d3e4fc4f55c220cc1b740c2f5.exe
"C:\Users\Admin\AppData\Local\Temp\e6fae4d52ed5450e44b6c16ce80abf4e63cdc25d3e4fc4f55c220cc1b740c2f5.exe"
1⤵
- Adds Run key to start application
- Drops desktop.ini file(s)
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2408
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\e6fae4d52ed5450e44b6c16ce80abf4e63cdc25d3e4fc4f55c220cc1b740c2f5.exe > nul
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:1292

C:\Windows\SysWOW64\mshta.exe
"C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\Desktop\Open Me!.hta"
1⤵
- Blocklisted process makes network request
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Modifies system certificate store
- Suspicious use of SetWindowsHookEx
PID:2088

C:\Windows\SysWOW64\mshta.exe
"C:\Windows\SysWOW64\mshta.exe" "C:\Users\Public\Desktop\Open Me!.hta"
1⤵
- Blocklisted process makes network request
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
PID:2508

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-1488793075-819845221-1497111674-1000\desktop.ini

Filesize
1KB

MD5
2ab0c8bd13817ae8da3aa4adca99edae

SHA1
07da8b2a4b981a681365a5e06046f75b91f257ff

SHA256
a730b78dd42424126245b20fc8fc385175b2676d5e6eb09d575fdadbddf1e384

SHA512
806fb8a680d5119c3dcf641b33f8b3cbacc1828905a253a803c701d0b70c737699db9d7007a8eb6dcc4baeda8860da89f073b47df5319a9b56b5559e36751f71

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751

Filesize
734B

MD5
e192462f281446b5d1500d474fbacc4b

SHA1
5ed0044ac937193b78f9878ad7bac5c9ff7534ff

SHA256
f1ba9f1b63c447682ebf9de956d0da2a027b1b779abef9522d347d3479139a60

SHA512
cc69a761a4e8e1d4bf6585aa8e3e5a7dfed610f540a6d43a288ebb35b16e669874ed5d2b06756ee4f30854f6465c84ee423502fc5b67ee9e7758a2dab41b31d3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\D29372B2F1735091800869FEA508392B

Filesize
504B

MD5
81accd6be07a4599f2d4517388d729e0

SHA1
8165b005c83ab5e54e5af0888cf54321660aa3b3

SHA256
c9b29fd864940d235b1302e9e0e2f8fa6e0654906fca58837b0d9154ece65bcc

SHA512
0bb34d5667917ca6080521518ab92f3205a8d939ffec417af2f4528abca99aab5dfe3eb723b18753ebab9c01c3d8f83786d29a53f197b0014bc766705530911e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751

Filesize
192B

MD5
c29320366f445f48c6ec8a6444ca17db

SHA1
448b57948441bbe27a699193e8354a5e502d15c7

SHA256
7df1b9c20ca894369a119bade5e2386347f75861ca66decedfe2813676eb1fb3

SHA512
924c29a881ed1cf2b7785fbdfa9b5e33f89412b9c81e64007e32128fc1499aaf1311548540f00f57d00910203d57fd17c1cb630a64ee410be75355cfcf593565

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\D29372B2F1735091800869FEA508392B

Filesize
554B

MD5
edebd4f900afab52ba470fba332365ac

SHA1
5428cf3b6a0da5847dac938f7353c8bdf39f5750

SHA256
6bf299833d1f3e1482be2f1536f3f8e4bddbc372044daa5bc3649eec39adca34

SHA512
4bfa1eda9afd504f6d222f8b69bd3a5c2c92105ecefbc5b72ad0d6fb9d431003816734aac119e5d16752c8810b88ecb90ddd9c1af4592f0b289a0e12f317681d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\633SXO0D\b0222[1].gif

Filesize
50KB

MD5
926d92c5744db1500c15fcdc8f9d47a3

SHA1
272ac3afbd17a804a91bca1cf0bb0bb03e9161d0

SHA256
25b6d9418d32d9289178b413da675ceee1ebaa9ec2b77febac61de066ea86bff

SHA512
3098fe75ddd74d6d2c37c81620fbb17d41e8f9e079b12fe4edfe71aaa8ad114658ac1f603039ba56b145dd906998ab322a6cf18a06f133b7c02a2d7b4094247d

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabE4E3.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Public\Videos\Open Me!.hta

Filesize
6KB

MD5
ec688e212b8ba1c6fee993c8eb6f0522

SHA1
b1d72bdef53d2b98ec45f25827bdab655d15c09f

SHA256
fd55b30debf129eacc9ebd64aa65ca185aa8d9362911080f550a04feeb2b6694

SHA512
0ccddddb18a6acf8cefe03891603c10de208f8316cec66c123872c8fd2d75d2ba55db787a1460df2e06a0a4982d324b268c050f1cc57cdaf1783bb1443441494

Download Submit
memory/2408-0-0x0000000000400000-0x000000000040EA00-memory.dmp

Filesize
58KB

Download
memory/2408-1436-0x0000000000400000-0x000000000040EA00-memory.dmp

Filesize
58KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads