3b7f5600ea7bfb0af990233fb399996066af428042afc0bdc1ed468acfee750f

General

Target

Swift copy.exe
Size

556KB
MD5

349ae61feada50c4b8ff926d5585b39c
SHA1

64992674caf8b0e0c7f36f5bdcbd15429f28be8c
SHA256

3b7f5600ea7bfb0af990233fb399996066af428042afc0bdc1ed468acfee750f
SHA512

a1a584255c610b048d53b33ded8017f23e7335a6533ec40dedfd52debfc6451941d52cc8c1b06a8690bac4daf02ae8b66ad638ea71d846253ab8669a207d0ad6

Score

10^/10

coreentity rezer0

Malware Config

Extracted

Credentials

Protocol: smtp
Host:
mail.roofmartlk.com
Port:
587
Username:
admin@roofmartlk.com
Password:
ad@rm123

Signatures

CoreEntity .NET Packer 1 IoCs

A .NET packer called CoreEntity where it has embedded the payload as a BitMap object which is later decrypted.

coreentity

Processes:

resource	yara_rule
behavioral2/memory/3304-9-0x00000000057D0000-0x00000000057D2000-memory.dmp	coreentity

rezer0 1 IoCs

Detects ReZer0, a packer with multiple versions used in various campaigns.

rezer0

Processes:

resource	yara_rule
behavioral2/memory/3304-10-0x0000000005CD0000-0x0000000005CEA000-memory.dmp	rezer0

Executes dropped EXE 1 IoCs

Processes:

bfsvc.exe

pid process

952 bfsvc.exe
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

18 icanhazip.com
Suspicious use of SetThreadContext 1 IoCs

Processes:

Swift copy.exe

description pid process target process

PID 3304 set thread context of 1940 3304 Swift copy.exe Swift copy.exe
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

200 schtasks.exe
Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

Swift copy.exe

pid process

3304 Swift copy.exe
3304 Swift copy.exe
3304 Swift copy.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

Swift copy.exeSwift copy.exebfsvc.exe

description pid process

Token: SeDebugPrivilege 3304 Swift copy.exe
Token: SeDebugPrivilege 1940 Swift copy.exe
Token: SeDebugPrivilege 952 bfsvc.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

Swift copy.exe

pid process

1940 Swift copy.exe

pid	process
952	bfsvc.exe

flow	ioc
18	icanhazip.com

description	pid	process	target process
PID 3304 set thread context of 1940	3304	Swift copy.exe	Swift copy.exe

pid	process
200	schtasks.exe

pid	process
3304	Swift copy.exe
3304	Swift copy.exe
3304	Swift copy.exe

description	pid	process
Token: SeDebugPrivilege	3304	Swift copy.exe
Token: SeDebugPrivilege	1940	Swift copy.exe
Token: SeDebugPrivilege	952	bfsvc.exe

pid	process
1940	Swift copy.exe

Suspicious use of WriteProcessMemory 20 IoCs

Processes:

Swift copy.exeSwift copy.execmd.exe

description	pid	process	target process
PID 3304 wrote to memory of 200	3304	Swift copy.exe	schtasks.exe
PID 3304 wrote to memory of 200	3304	Swift copy.exe	schtasks.exe
PID 3304 wrote to memory of 200	3304	Swift copy.exe	schtasks.exe
PID 3304 wrote to memory of 2152	3304	Swift copy.exe	Swift copy.exe
PID 3304 wrote to memory of 2152	3304	Swift copy.exe	Swift copy.exe
PID 3304 wrote to memory of 2152	3304	Swift copy.exe	Swift copy.exe
PID 3304 wrote to memory of 1940	3304	Swift copy.exe	Swift copy.exe
PID 3304 wrote to memory of 1940	3304	Swift copy.exe	Swift copy.exe
PID 3304 wrote to memory of 1940	3304	Swift copy.exe	Swift copy.exe
PID 3304 wrote to memory of 1940	3304	Swift copy.exe	Swift copy.exe
PID 3304 wrote to memory of 1940	3304	Swift copy.exe	Swift copy.exe
PID 3304 wrote to memory of 1940	3304	Swift copy.exe	Swift copy.exe
PID 3304 wrote to memory of 1940	3304	Swift copy.exe	Swift copy.exe
PID 3304 wrote to memory of 1940	3304	Swift copy.exe	Swift copy.exe
PID 1940 wrote to memory of 1300	1940	Swift copy.exe	cmd.exe
PID 1940 wrote to memory of 1300	1940	Swift copy.exe	cmd.exe
PID 1940 wrote to memory of 1300	1940	Swift copy.exe	cmd.exe
PID 1300 wrote to memory of 952	1300	cmd.exe	bfsvc.exe
PID 1300 wrote to memory of 952	1300	cmd.exe	bfsvc.exe
PID 1300 wrote to memory of 952	1300	cmd.exe	bfsvc.exe

C:\Users\Admin\AppData\Local\Temp\Swift copy.exe
"C:\Users\Admin\AppData\Local\Temp\Swift copy.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3304

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\DIcNwDBagZ" /XML "C:\Users\Admin\AppData\Local\Temp\tmpBFFA.tmp"
2⤵
- Creates scheduled task(s)
PID:200

C:\Users\Admin\AppData\Local\Temp\Swift copy.exe
"{path}"
2⤵
PID:2152

C:\Users\Admin\AppData\Local\Temp\Swift copy.exe
"{path}"
2⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1940

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" cmd /c bfsvc.exe "true" "true" "true" "true"
3⤵
- Suspicious use of WriteProcessMemory
PID:1300

C:\Users\Admin\AppData\Local\Temp\bfsvc.exe
bfsvc.exe "true" "true" "true" "true"
4⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:952

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\bfsvc.exe
MD5
7bfcf811a47c0ca77ee2c95333f0476e

SHA1
f3580c33ae27018d627ea12ffc41fb925367524f

SHA256
f740df4d3a6c0b378116b48c1ed18a36e82938cf7dcaaba58f0ba8101f3e3531

SHA512
4386eb26bad23945ac7fe71a226a8f6a5a261f7e704e2389b360ad6f0864460137fbf95bc51abb3e90beb8328d4e854d7b5b0f04383a5460cc6dea5f28529c3b

Download Submit
C:\Users\Admin\AppData\Local\Temp\bfsvc.exe
MD5
7bfcf811a47c0ca77ee2c95333f0476e

SHA1
f3580c33ae27018d627ea12ffc41fb925367524f

SHA256
f740df4d3a6c0b378116b48c1ed18a36e82938cf7dcaaba58f0ba8101f3e3531

SHA512
4386eb26bad23945ac7fe71a226a8f6a5a261f7e704e2389b360ad6f0864460137fbf95bc51abb3e90beb8328d4e854d7b5b0f04383a5460cc6dea5f28529c3b

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpBFFA.tmp
MD5
712713d8bed46af9b0423c6b4d247d9d

SHA1
febb125afb988cf60457eea4c781931e41da6ec4

SHA256
20635fcffc22200208bc0dab35bb3eedb7c3410666f57466f0de403d2f5cc68e

SHA512
22d4e0b137c90fe6e707933e9131cd94642a7c961af52eab47ce1f7a7095fdbb920e819d9e2f9dc886b34851e2920595a6bab346141cc76f7163f39266f2dcf5

Download Submit
memory/200-12-0x0000000000000000-mapping.dmp

Download
memory/952-26-0x0000000000E40000-0x0000000000E41000-memory.dmp

Filesize
4KB

Download
memory/952-25-0x0000000073300000-0x00000000739EE000-memory.dmp

Filesize
6.9MB

Download
memory/952-22-0x0000000000000000-mapping.dmp

Download
memory/1300-21-0x0000000000000000-mapping.dmp

Download
memory/1940-20-0x00000000055B0000-0x00000000055B1000-memory.dmp

Filesize
4KB

Download
memory/1940-14-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/1940-15-0x0000000000413BCE-mapping.dmp

Download
memory/1940-16-0x0000000073300000-0x00000000739EE000-memory.dmp

Filesize
6.9MB

Download
memory/3304-10-0x0000000005CD0000-0x0000000005CEA000-memory.dmp

Filesize
104KB

Download
memory/3304-9-0x00000000057D0000-0x00000000057D2000-memory.dmp

Filesize
8KB

Download
memory/3304-11-0x0000000005DB0000-0x0000000005DB1000-memory.dmp

Filesize
4KB

Download
memory/3304-0-0x0000000073300000-0x00000000739EE000-memory.dmp

Filesize
6.9MB

Download
memory/3304-8-0x00000000057E0000-0x00000000057E1000-memory.dmp

Filesize
4KB

Download
memory/3304-7-0x000000000A180000-0x000000000A181000-memory.dmp

Filesize
4KB

Download
memory/3304-4-0x0000000005710000-0x0000000005711000-memory.dmp

Filesize
4KB

Download
memory/3304-3-0x0000000001970000-0x000000000198F000-memory.dmp

Filesize
124KB

Download
memory/3304-1-0x0000000000DE0000-0x0000000000DE1000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads