23af46401e27c0eaabcbc62e1a7593b9f51851a50c6e9e543836f26d1f61f00e

General

Target

narcissist.ink Fivem.rar
Size

1.2MB
MD5

fa09d06c81a4c19430d7fbd0b4a6dda6
SHA1

5de4b7732fc9cad8eb520f54914bc6a19d52bf4a
SHA256

23af46401e27c0eaabcbc62e1a7593b9f51851a50c6e9e543836f26d1f61f00e
SHA512

e6a0aeab007ebdf7af68996629ec6e6d5fe87da4b37e0ce29299346dcab579439ee91e367f4cb0e013126d6aec41fe1b91c8536c1a04a139627a55884670d79f
SSDEEP

24576:Y3uQhgZu+7l1w1Ee5RyjZnOajT/3AZuiWh7NTRWoBNyNZz0TF01GNqU:YVgZ17fCnyO07wZuiMTtmzKQq

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000_Classes\Local Settings	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000_Classes\Local Settings	rundll32.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2496	vlc.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2496	vlc.exe

Suspicious use of FindShellTrayWindow 8 IoCs

pid	Process
2496	vlc.exe
2496	vlc.exe
2496	vlc.exe
2496	vlc.exe
2496	vlc.exe
2496	vlc.exe
2496	vlc.exe
2496	vlc.exe

Suspicious use of SendNotifyMessage 7 IoCs

pid	Process
2496	vlc.exe
2496	vlc.exe
2496	vlc.exe
2496	vlc.exe
2496	vlc.exe
2496	vlc.exe
2496	vlc.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2496	vlc.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 1644 wrote to memory of 2668	1644	cmd.exe	29
PID 1644 wrote to memory of 2668	1644	cmd.exe	29
PID 1644 wrote to memory of 2668	1644	cmd.exe	29
PID 2668 wrote to memory of 2560	2668	rundll32.exe	30
PID 2668 wrote to memory of 2560	2668	rundll32.exe	30
PID 2668 wrote to memory of 2560	2668	rundll32.exe	30
PID 2560 wrote to memory of 2496	2560	rundll32.exe	32
PID 2560 wrote to memory of 2496	2560	rundll32.exe	32
PID 2560 wrote to memory of 2496	2560	rundll32.exe	32

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\narcissist.ink Fivem.rar"
1⤵
- Suspicious use of WriteProcessMemory
PID:1644
- C:\Windows\system32\rundll32.exe
  "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\narcissist.ink Fivem.rar
  2⤵
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2668
- - C:\Windows\system32\rundll32.exe
    "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\narcissist.ink Fivem.rar
    3⤵
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2560
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\AppData\Local\Temp\narcissist.ink Fivem.rar"
      4⤵
      Suspicious behavior: AddClipboardFormatListener
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      Suspicious use of SetWindowsHookEx
      PID:2496

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2496-30-0x000007FEFB420000-0x000007FEFB454000-memory.dmp

Filesize
208KB

Download
memory/2496-29-0x000000013F9F0000-0x000000013FAE8000-memory.dmp

Filesize
992KB

Download
memory/2496-32-0x000007FEFB400000-0x000007FEFB418000-memory.dmp

Filesize
96KB

Download
memory/2496-33-0x000007FEFB3E0000-0x000007FEFB3F7000-memory.dmp

Filesize
92KB

Download
memory/2496-34-0x000007FEFB3C0000-0x000007FEFB3D1000-memory.dmp

Filesize
68KB

Download
memory/2496-35-0x000007FEFB3A0000-0x000007FEFB3B7000-memory.dmp

Filesize
92KB

Download
memory/2496-36-0x000007FEF86A0000-0x000007FEF86B1000-memory.dmp

Filesize
68KB

Download
memory/2496-37-0x000007FEF8680000-0x000007FEF869D000-memory.dmp

Filesize
116KB

Download
memory/2496-38-0x000007FEF8660000-0x000007FEF8671000-memory.dmp

Filesize
68KB

Download
memory/2496-31-0x000007FEF65D0000-0x000007FEF6886000-memory.dmp

Filesize
2.7MB

Download
memory/2496-41-0x000007FEF78B0000-0x000007FEF78F1000-memory.dmp

Filesize
260KB

Download
memory/2496-43-0x000007FEF7860000-0x000007FEF7878000-memory.dmp

Filesize
96KB

Download
memory/2496-45-0x000007FEF6CF0000-0x000007FEF6D01000-memory.dmp

Filesize
68KB

Download
memory/2496-40-0x000007FEF5090000-0x000007FEF529B000-memory.dmp

Filesize
2.0MB

Download
memory/2496-42-0x000007FEF7880000-0x000007FEF78A1000-memory.dmp

Filesize
132KB

Download
memory/2496-44-0x000007FEF7840000-0x000007FEF7851000-memory.dmp

Filesize
68KB

Download
memory/2496-46-0x000007FEF6CD0000-0x000007FEF6CE1000-memory.dmp

Filesize
68KB

Download
memory/2496-49-0x000007FEF6C70000-0x000007FEF6C88000-memory.dmp

Filesize
96KB

Download
memory/2496-57-0x000007FEF6C00000-0x000007FEF6C18000-memory.dmp

Filesize
96KB

Download
memory/2496-60-0x000007FEF4E70000-0x000007FEF4E82000-memory.dmp

Filesize
72KB

Download
memory/2496-59-0x000007FEF4E90000-0x000007FEF4EA1000-memory.dmp

Filesize
68KB

Download
memory/2496-58-0x000007FEF4EB0000-0x000007FEF4ED3000-memory.dmp

Filesize
140KB

Download
memory/2496-56-0x000007FEF4EE0000-0x000007FEF4F04000-memory.dmp

Filesize
144KB

Download
memory/2496-55-0x000007FEF4F10000-0x000007FEF4F38000-memory.dmp

Filesize
160KB

Download
memory/2496-54-0x000007FEF4F40000-0x000007FEF4F97000-memory.dmp

Filesize
348KB

Download
memory/2496-53-0x000007FEF6C20000-0x000007FEF6C31000-memory.dmp

Filesize
68KB

Download
memory/2496-52-0x000007FEF4FA0000-0x000007FEF501C000-memory.dmp

Filesize
496KB

Download
memory/2496-51-0x000007FEF5020000-0x000007FEF5087000-memory.dmp

Filesize
412KB

Download
memory/2496-50-0x000007FEF6C40000-0x000007FEF6C70000-memory.dmp

Filesize
192KB

Download
memory/2496-48-0x000007FEF6C90000-0x000007FEF6CA1000-memory.dmp

Filesize
68KB

Download
memory/2496-47-0x000007FEF6CB0000-0x000007FEF6CCB000-memory.dmp

Filesize
108KB

Download
memory/2496-39-0x000007FEF52A0000-0x000007FEF6350000-memory.dmp

Filesize
16.7MB

Download

Analysis

Sharing