Analysis
-
max time kernel
148s -
max time network
151s -
platform
windows10_x64 -
resource
win10v200430 -
submitted
13-07-2020 07:03
Static task
static1
Behavioral task
behavioral1
Sample
Swift Copy.exe
Resource
win7
General
-
Target
Swift Copy.exe
-
Size
344KB
-
MD5
ad1c42862f698ded13eee3062d95cb1a
-
SHA1
33c0ff43434380b87fcfab0ba3ac6cde854271af
-
SHA256
b87ec3d4ae4232b0e9a0e6f42f32717242f8eabaed85c2d380737a3fa17bbf4e
-
SHA512
1fa083a7071afc9963103976d7aa4d872b4a980e3570a443aa3af34e90fce44d8151e3e0fa38fdca3159b41779846a1bb566240ef2af828d87a50d894e69205d
Malware Config
Extracted
Family nanocore
Version 1.2.2.0
C2 185.165.153.26:1985
Mutex 2276abda-5081-40bb-9a10-f4ca8116bc08
-
activate_away_mode
true
-
backup_connection_host
127.0.0.1
-
backup_dns_server
8.8.4.4
-
buffer_size
65535
-
build_time
2020-03-19T23:28:11.122410736Z
-
bypass_user_account_control
false
-
bypass_user_account_control_data
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
-
clear_access_control
true
-
clear_zone_identifier
true
-
connect_delay
4000
-
connection_port
1985
-
default_group
Xmen
-
enable_debug_mode
true
-
gc_threshold
10485760
-
keep_alive_timeout
30000
-
keyboard_logging
false
-
lan_timeout
2500
-
max_packet_size
10485760
-
mutex
2276abda-5081-40bb-9a10-f4ca8116bc08
-
mutex_timeout
5000
-
prevent_system_sleep
false
-
primary_connection_host
185.165.153.26
-
primary_dns_server
8.8.8.8
-
request_elevation
true
-
restart_delay
5000
-
run_delay
0
-
run_on_startup
false
-
set_critical_process
false
-
timeout_interval
5000
-
use_custom_dns_server
false
-
version
1.2.2.0
-
wan_timeout
8000
Signatures
Checks whether UAC is enabled 1 IoCs
Processes: RegSvcs.exe
  description         ioc                                                                               Process
  Key value queried   \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA   RegSvcs.exe
Suspicious use of WriteProcessMemory 17 IoCs
Processes: Swift Copy.exe, RegSvcs.exe
  description                         pid    Process          procid_target   calls
  PID 664 wrote to memory of 3724     664    Swift Copy.exe   73              3
  PID 664 wrote to memory of 3356     664    Swift Copy.exe   75              8
  PID 3356 wrote to memory of 4008    3356   RegSvcs.exe      76              3
  PID 3356 wrote to memory of 3180    3356   RegSvcs.exe      78              3
Suspicious use of AdjustPrivilegeToken 3 IoCs
Processes: Swift Copy.exe, RegSvcs.exe
  description               pid    Process          calls
  Token: SeDebugPrivilege   664    Swift Copy.exe   1
  Token: SeDebugPrivilege   3356   RegSvcs.exe      2
Suspicious behavior: EnumeratesProcesses 4 IoCs
Processes: Swift Copy.exe, RegSvcs.exe
  pid    Process          calls
  664    Swift Copy.exe   1
  3356   RegSvcs.exe      3
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes: RegSvcs.exe
  pid    Process
  3356   RegSvcs.exe
Adds Run entry to start application 2 TTPs 1 IoCs
Processes: RegSvcs.exe
  description       ioc                                                                                                                                      Process
  Set value (str)   \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SCSI Manager = "C:\\Program Files (x86)\\SCSI Manager\\scsimgr.exe"   RegSvcs.exe
Suspicious use of SetThreadContext 1 IoCs
Processes: Swift Copy.exe
  description                          pid   Process          procid_target
  PID 664 set thread context of 3356   664   Swift Copy.exe   75
Creates scheduled task(s) 1 TTPs 3 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes: schtasks.exe, schtasks.exe, schtasks.exe
  pid    Process
  3724   schtasks.exe
  4008   schtasks.exe
  3180   schtasks.exe
Drops file in Program Files directory 2 IoCs
Processes: RegSvcs.exe
  description                   ioc                                                  Process
  File created                  C:\Program Files (x86)\SCSI Manager\scsimgr.exe      RegSvcs.exe
  File opened for modification  C:\Program Files (x86)\SCSI Manager\scsimgr.exe      RegSvcs.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\Swift Copy.exe
  "C:\Users\Admin\AppData\Local\Temp\Swift Copy.exe"
  PID: 664
  - Suspicious use of WriteProcessMemory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetThreadContext
  - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\LJVQZxzOcR" /XML "C:\Users\Admin\AppData\Local\Temp\tmp8E1D.tmp"
    PID: 3724
    - Creates scheduled task(s)
  - C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
    "{path}"
    PID: 3356
    - Checks whether UAC is enabled
    - Suspicious use of WriteProcessMemory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Adds Run entry to start application
    - Drops file in Program Files directory
    - C:\Windows\SysWOW64\schtasks.exe
      "schtasks.exe" /create /f /tn "SCSI Manager" /xml "C:\Users\Admin\AppData\Local\Temp\tmp9531.tmp"
      PID: 4008
      - Creates scheduled task(s)
    - C:\Windows\SysWOW64\schtasks.exe
      "schtasks.exe" /create /f /tn "SCSI Manager Task" /xml "C:\Users\Admin\AppData\Local\Temp\tmp9590.tmp"
      PID: 3180
      - Creates scheduled task(s)
- C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe
  C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe
  PID: 1504
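The chain above (a dropped loader that writes into and sets the thread context of a freshly spawned RegSvcs.exe, which then registers scheduled tasks from XML files in %TEMP% and a Run key pointing at a copy under Program Files (x86)) is the pattern a detection engineer would want to catch regardless of the task names or file hashes. The following is an added example, ours and not part of the sandbox report or its tooling: detection logic run over a handful of constructed host events modelled on the process tree and signature tables. The event schema (event, pid, ppid, image, cmdline, target_pid, key, value), the hypothetical parent PID 1000, the list of .NET utility hosts and the rule names are all our own assumptions; the sandbox itself does not expose events in this form.

```python
"""Flag the loader chain seen in this report from a stream of host events.

Added example, not part of the sandbox report. The event schema is our own
simplification; map it onto Sysmon (event IDs 1, 10, 13) or EDR telemetry.
"""
import re

# .NET framework utilities commonly used as hollowing hosts (assumption: this list is ours).
DOTNET_HOSTS = {"regsvcs.exe", "regasm.exe", "installutil.exe", "msbuild.exe"}
CREATE_FLAG = re.compile(r"/create\b", re.IGNORECASE)
XML_FROM_TEMP = re.compile(r'/xml\s+"?[^"]*\\AppData\\Local\\Temp\\', re.IGNORECASE)
RUN_KEY = re.compile(r"\\CurrentVersion\\Run\\", re.IGNORECASE)


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def detect(events):
    """Return (rule, pid) findings; pid is the process the rule fired on."""
    findings = []
    created = {e["pid"]: e for e in events if e["event"] == "process_create"}
    wrote, set_ctx = set(), set()
    for e in events:
        kind = e["event"]
        if kind == "write_process_memory":
            wrote.add((e["pid"], e["target_pid"]))
        elif kind == "set_thread_context":
            set_ctx.add((e["pid"], e["target_pid"]))
        elif kind == "process_create":
            image = basename(e["image"])
            # schtasks /create ... /xml <file under %TEMP%>: task definition staged by the malware.
            if image == "schtasks.exe" and CREATE_FLAG.search(e["cmdline"]) and XML_FROM_TEMP.search(e["cmdline"]):
                findings.append(("schtasks_xml_from_temp", e["pid"]))
            # A .NET host started with the literal "{path}" placeholder instead of an assembly path.
            if image in DOTNET_HOSTS and e["cmdline"].strip().strip('"') == "{path}":
                findings.append(("dotnet_host_placeholder_cmdline", e["pid"]))
        elif kind == "registry_set" and RUN_KEY.search(e["key"]):
            findings.append(("run_key_persistence", e["pid"]))
    # Hollowing: the parent both wrote into the child and replaced its thread context.
    # Plain process creation also writes into the child, so WriteProcessMemory alone is not enough.
    for actor, target in wrote & set_ctx:
        child = created.get(target)
        if child and child["ppid"] == actor and basename(child["image"]) in DOTNET_HOSTS:
            findings.append(("hollowed_dotnet_host", target))
    return findings


# Constructed sample events modelled on this report's process tree and signature tables.
T = r"C:\Users\Admin\AppData\Local\Temp"
SAMPLE_EVENTS = [
    {"event": "process_create", "pid": 664, "ppid": 1000, "image": T + r"\Swift Copy.exe",
     "cmdline": '"' + T + r'\Swift Copy.exe"'},
    {"event": "process_create", "pid": 3724, "ppid": 664, "image": r"C:\Windows\SysWOW64\schtasks.exe",
     "cmdline": r'"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\LJVQZxzOcR" /XML "' + T + r'\tmp8E1D.tmp"'},
    {"event": "write_process_memory", "pid": 664, "target_pid": 3724},  # ordinary process creation
    {"event": "process_create", "pid": 3356, "ppid": 664,
     "image": r"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe", "cmdline": '"{path}"'},
    {"event": "write_process_memory", "pid": 664, "target_pid": 3356},
    {"event": "set_thread_context", "pid": 664, "target_pid": 3356},
    {"event": "process_create", "pid": 4008, "ppid": 3356, "image": r"C:\Windows\SysWOW64\schtasks.exe",
     "cmdline": r'"schtasks.exe" /create /f /tn "SCSI Manager" /xml "' + T + r'\tmp9531.tmp"'},
    {"event": "process_create", "pid": 3180, "ppid": 3356, "image": r"C:\Windows\SysWOW64\schtasks.exe",
     "cmdline": r'"schtasks.exe" /create /f /tn "SCSI Manager Task" /xml "' + T + r'\tmp9590.tmp"'},
    {"event": "registry_set", "pid": 3356,
     "key": r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SCSI Manager",
     "value": r"C:\Program Files (x86)\SCSI Manager\scsimgr.exe"},
    {"event": "process_create", "pid": 1504, "ppid": 1000,
     "image": r"C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe",
     "cmdline": r"C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe"},
]

if __name__ == "__main__":
    for rule, pid in detect(SAMPLE_EVENTS):
        print(f"{rule:32} pid={pid}")
```

Run on the sample, the hollowing rule fires only for PID 3356: the loader also wrote into schtasks.exe (PID 3724), but that write is the normal side effect of creating a process and no SetThreadContext follows it, which is why the rule requires both calls from the same parent on the same child. The schtasks rule catches all three task registrations without caring about the task names, since what is constant across samples is the XML definition living in %TEMP%.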