Analysis
- max time kernel: 146s
- max time network: 68s
- platform: windows10_x64
- resource: win10v200430
- submitted: 10-07-2020 06:38
Static task: static1
Behavioral task: behavioral1
  Sample: Swift.exe
  Resource: win7 (windows7_x64)
  0 signatures, 0 seconds
Behavioral task: behavioral2
  Sample: Swift.exe
  Resource: win10v200430 (windows10_x64)
  0 signatures, 0 seconds
General
- Target: Swift.exe
- Size: 385KB
- MD5: 5a4e899e1f72d8036da67d3840d24a89
- SHA1: 138d2f78425306696c78f22d4ee83323f6af7a10
- SHA256: 3080bf75b34e9b440154d8f35f7e8c5bd111995869118a093f81b56583f7c03b
- SHA512: 9bd07135e613239c980418e703e4655a6239119dea0373188b0e6847dfe0e034726e1c3274aabe1cda5d855857dd9da08e8614b379fd4de0ab0728c16a270d45
Score: 7/10
Malware Config
Signatures
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes:
    description              pid   process
    Token: SeDebugPrivilege  1056  RegSvcs.exe
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes:
    pid   process
    1056  RegSvcs.exe
    1056  RegSvcs.exe
- Reads user/profile data of local email clients (2 TTPs)
  Email clients store some user data on disk, where infostealers often target it.
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials.
- Suspicious use of WriteProcessMemory (8 IoCs)
  Processes:
    description                        pid   process    target process
    PID 3008 wrote to memory of 1056   3008  Swift.exe  RegSvcs.exe   (8 identical entries)
- Suspicious use of SetThreadContext (1 IoC)
  Processes:
    description                           pid   process    target process
    PID 3008 set thread context of 1056   3008  Swift.exe  RegSvcs.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\Swift.exe "C:\Users\Admin\AppData\Local\Temp\Swift.exe" (PID 3008)
  - Suspicious use of WriteProcessMemory
  - Suspicious use of SetThreadContext
  - C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe" (PID 1056)
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious behavior: EnumeratesProcesses
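The WriteProcessMemory and SetThreadContext signatures above describe one pair: Swift.exe (PID 3008) repeatedly writes into a freshly spawned, argument-less copy of the .NET framework binary RegSvcs.exe (PID 1056) and then replaces its thread context, after which the credential-access, SeDebugPrivilege and process-enumeration behaviour is attributed to RegSvcs.exe, not to the original sample. That conjunction is the classic process hollowing (RunPE) pattern. The following Python is an added example by the editor, not code from the sandbox or the report, showing how to turn sandbox-style event lines into a hollowing verdict: flag a source/target PID pair only when it has both a memory write and a thread-context change, since writes alone are common in legitimate software (debuggers, browsers managing child processes). The sample event text is constructed (four lines copied from the report's IoC tables, two negatives invented for contrast), and the list of commonly abused .NET hosts is the editor's own assumption from public threat reporting, not something the report states.

```python
import re
from dataclasses import dataclass

# Constructed sample input, formatted like the sandbox's IoC rows:
#   PID <src> <action> <dst> <src> <src image> <target image>
# Lines 1-4 are copied from the report above (the report lists 8 identical
# writes; 3 are enough here). Lines 5-6 are constructed negatives: a write
# with no context change, and a context change with no prior write.
SAMPLE_EVENTS = """
PID 3008 wrote to memory of 1056 3008 Swift.exe RegSvcs.exe
PID 3008 wrote to memory of 1056 3008 Swift.exe RegSvcs.exe
PID 3008 wrote to memory of 1056 3008 Swift.exe RegSvcs.exe
PID 3008 set thread context of 1056 3008 Swift.exe RegSvcs.exe
PID 4100 wrote to memory of 4216 4100 explorer.exe notepad.exe
PID 5000 set thread context of 5020 5000 debugger.exe target.exe
"""

EVENT_RE = re.compile(
    r"PID (?P<src>\d+) (?P<action>wrote to memory of|set thread context of) "
    r"(?P<dst>\d+) (?P<src2>\d+) (?P<src_img>\S+) (?P<dst_img>\S+)$"
)

# Assumption (editor's, from public reporting): .NET framework utilities that
# loaders frequently spawn suspended and hollow out. Not from the report.
COMMON_HOLLOWING_HOSTS = {
    "regsvcs.exe", "regasm.exe", "msbuild.exe", "installutil.exe",
    "applaunch.exe", "vbc.exe", "csc.exe",
}


@dataclass
class Pair:
    """Cross-process activity from one source PID into one target PID."""
    src_pid: int
    src_image: str
    dst_pid: int
    dst_image: str
    writes: int = 0          # WriteProcessMemory events observed
    context_sets: int = 0    # SetThreadContext events observed


def parse_events(text):
    """Group raw event lines by (source PID, target PID) and count each action."""
    pairs = {}
    for raw in text.strip().splitlines():
        m = EVENT_RE.match(raw.strip())
        if not m:
            continue  # not a cross-process memory/thread event; ignore
        src, dst = int(m["src"]), int(m["dst"])
        pair = pairs.setdefault((src, dst), Pair(src, m["src_img"], dst, m["dst_img"]))
        if m["action"].startswith("wrote"):
            pair.writes += 1
        else:
            pair.context_sets += 1
    return pairs


def find_hollowing(pairs):
    """A pair is a hollowing candidate only when it has BOTH a write and a
    thread-context change; either alone is routine for debuggers and browsers."""
    hits = [p for p in pairs.values() if p.writes and p.context_sets]
    return sorted(hits, key=lambda p: (p.src_pid, p.dst_pid))


def severity(pair):
    """Raise severity when the hollowed target is a known loader host."""
    return "high" if pair.dst_image.lower() in COMMON_HOLLOWING_HOSTS else "medium"


if __name__ == "__main__":
    for p in find_hollowing(parse_events(SAMPLE_EVENTS)):
        print(f"[{severity(p)}] {p.src_image} ({p.src_pid}) hollowed "
              f"{p.dst_image} ({p.dst_pid}): {p.writes} writes, "
              f"{p.context_sets} thread-context change(s)")
```

Run against the constructed input, only the Swift.exe to RegSvcs.exe pair is reported, at high severity because RegSvcs.exe is on the host list; the two negatives are silently dropped. In a real pipeline the same rule maps onto Sysmon (event 8 CreateRemoteThread / event 10 ProcessAccess with write and set-context rights) or EDR telemetry, and the follow-on behaviour seen here (SeDebugPrivilege, process enumeration, mail and browser profile reads from a .NET utility that was launched with no arguments) is what to pivot to once a hit fires.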