Overview

overview

10

Static

static

Swift copy.exe

windows7_x64

10

Swift copy.exe

windows10_x64

10

Analysis

  • max time kernel
    15s
  • max time network
    17s
  • platform
    windows7_x64
  • resource
    win7v20201028
  • submitted
    09-11-2020 20:22

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Swift copy.exe

  • Size

    556KB

  • MD5

    349ae61feada50c4b8ff926d5585b39c

  • SHA1

    64992674caf8b0e0c7f36f5bdcbd15429f28be8c

  • SHA256

    3b7f5600ea7bfb0af990233fb399996066af428042afc0bdc1ed468acfee750f

  • SHA512

    a1a584255c610b048d53b33ded8017f23e7335a6533ec40dedfd52debfc6451941d52cc8c1b06a8690bac4daf02ae8b66ad638ea71d846253ab8669a207d0ad6

Score
10/10
coreentityrezer0

Malware Config

Signatures

  • CoreEntity .NET Packer 1 IoCs

    A .NET packer called CoreEntity where it has embedded the payload as a BitMap object which is later decrypted.

    coreentity
  • rezer0 1 IoCs

    Detects ReZer0, a packer with multiple versions used in various campaigns.

    rezer0
  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: EnumeratesProcesses 10 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 24 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Swift copy.exe
    "C:\Users\Admin\AppData\Local\Temp\Swift copy.exe"
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1876
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\DIcNwDBagZ" /XML "C:\Users\Admin\AppData\Local\Temp\tmpAD21.tmp"
      2⤵
      • Creates scheduled task(s)
      PID:1504
    • C:\Users\Admin\AppData\Local\Temp\Swift copy.exe
      "{path}"
      2⤵
        PID:1540
      • C:\Users\Admin\AppData\Local\Temp\Swift copy.exe
        "{path}"
        2⤵
          PID:1708
        • C:\Users\Admin\AppData\Local\Temp\Swift copy.exe
          "{path}"
          2⤵
            PID:1544
          • C:\Users\Admin\AppData\Local\Temp\Swift copy.exe
            "{path}"
            2⤵
              PID:1648
            • C:\Users\Admin\AppData\Local\Temp\Swift copy.exe
              "{path}"
              2⤵
                PID:1768

            Network

            MITRE ATT&CK Matrix ATT&CK v6

            Initial Access

            Execution

            Scheduled Task

            1
            T1053

            Persistence

            Scheduled Task

            1
            T1053

            Privilege Escalation

            Scheduled Task

            1
            T1053

            Defense Evasion

            Credential Access

            Discovery

            Lateral Movement

            Collection

            Exfiltration

            Command and Control

            Impact

            Replay Monitor

            Loading Replay Monitor...

            Downloads

            • C:\Users\Admin\AppData\Local\Temp\tmpAD21.tmp
              MD5

              0a2593ededfafe3c4c2957b17ac050e6

              SHA1

              e2f12b8101302d0c40f68b24430efe92d212f01c

              SHA256

              da3ec718fea2ac84902962585291e128cffa5b8f8e3982e8fdad6cb86c4d7c43

              SHA512

              858cee6e8fdf58693e6ad5715adc1cab7c16082e22449c3ac356acc648c35101ebcbb879bda397621c092e98a27e15c5e64a3bc61a8eab2371c36d440840a32d

              Download Submit
            • memory/1504-13-0x0000000000000000-mapping.dmp
              Download
            • memory/1876-0-0x00000000749E0000-0x00000000750CE000-memory.dmp
              Filesize

              6.9MB

              Download
            • memory/1876-1-0x0000000000380000-0x0000000000381000-memory.dmp
              Filesize

              4KB

              Download
            • memory/1876-3-0x0000000001D90000-0x0000000001DAF000-memory.dmp
              Filesize

              124KB

              Download
            • memory/1876-9-0x0000000000530000-0x0000000000571000-memory.dmp
              Filesize

              260KB

              Download
            • memory/1876-11-0x0000000000550000-0x0000000000552000-memory.dmp
              Filesize

              8KB

              Download
            • memory/1876-12-0x0000000000570000-0x000000000058A000-memory.dmp
              Filesize

              104KB

              Download