Overview

overview

7

Static

static

Swift Ref ...12.exe

windows7_x64

7

Swift Ref ...12.exe

windows10_x64

7

Analysis

  • max time kernel
    126s
  • max time network
    149s
  • platform
    windows10_x64
  • resource
    win10v200430
  • submitted
    09/07/2020, 06:32

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    Swift Ref MIDLGD12.exe

  • Size

    736KB

  • MD5

    c28235bbc53bae06c5feabaabb972b67

  • SHA1

    954956e83f086c591af8f2f7514aa35a7e0cf7d4

  • SHA256

    976629ac91461654a2eef821bc19b42d547cf584c571cb214a90f7b8e7098341

  • SHA512

    c4ea0fe6ef78f67a30ad9ef62b51f176d8723cdd4b120c456473837f8f71f31a078c4cdfa34acdbcf1b63d3cbf9c7fd594d0534b1349e6c8c91b3ab4f76a80a6

Score
7/10
spyware

Malware Config

Signatures

  • Suspicious use of WriteProcessMemory 8 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spyware
  • Reads user/profile data of local email clients 2 TTPs

    Email clients store some user data on disk where infostealers will often target it.

    spyware

Processes

  • C:\Users\Admin\AppData\Local\Temp\Swift Ref MIDLGD12.exe
    "C:\Users\Admin\AppData\Local\Temp\Swift Ref MIDLGD12.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    • Suspicious use of SetThreadContext
    PID:1612
    • C:\Users\Admin\AppData\Local\Temp\Swift Ref MIDLGD12.exe
      "{path}"
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious behavior: EnumeratesProcesses
      PID:2760

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/2760-0-0x0000000000400000-0x0000000000450000-memory.dmp

    Filesize

    320KB

    Download