Analysis
- max time kernel: 122s
- max time network: 124s
- platform: windows10_x64
- resource: win10v20201028
- submitted: 09-11-2020 20:22

Tasks
- Static task: static1
- Behavioral task: behavioral1
  Sample: Swift copy.exe
  Resource: win7v20201028
- Behavioral task: behavioral2
  Sample: Swift copy.exe
  Resource: win10v20201028
General
- Target: Swift copy.exe
- Size: 556KB
- MD5: 349ae61feada50c4b8ff926d5585b39c
- SHA1: 64992674caf8b0e0c7f36f5bdcbd15429f28be8c
- SHA256: 3b7f5600ea7bfb0af990233fb399996066af428042afc0bdc1ed468acfee750f
- SHA512: a1a584255c610b048d53b33ded8017f23e7335a6533ec40dedfd52debfc6451941d52cc8c1b06a8690bac4daf02ae8b66ad638ea71d846253ab8669a207d0ad6
Malware Config
Extracted
- Protocol: smtp
- Host: mail.roofmartlk.com
- Port: 587
- Username: admin@roofmartlk.com
- Password: ad@rm123
Signatures

CoreEntity .NET Packer (1 IoCs)
A .NET packer called CoreEntity that embeds the payload as a Bitmap object which is later decrypted.
Processes:
- resource: behavioral2/memory/3304-9-0x00000000057D0000-0x00000000057D2000-memory.dmp; yara_rule: coreentity
- resource: behavioral2/memory/3304-10-0x0000000005CD0000-0x0000000005CEA000-memory.dmp; yara_rule: rezer0
Executes dropped EXE (1 IoCs)
Processes:
- pid 952, process bfsvc.exe
Looks up external IP address via web service (1 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
- flow 18, ioc icanhazip.com
Suspicious use of SetThreadContext (1 IoCs)
Processes:
- PID 3304 (Swift copy.exe) set thread context of PID 1940 (Swift copy.exe)
Creates scheduled task(s) (1 TTPs, 1 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
Suspicious behavior: EnumeratesProcesses (3 IoCs)
Processes:
- pid 3304, process Swift copy.exe (3 entries)
Suspicious use of AdjustPrivilegeToken (3 IoCs)
Processes:
- Token: SeDebugPrivilege, pid 3304, process Swift copy.exe
- Token: SeDebugPrivilege, pid 1940, process Swift copy.exe
- Token: SeDebugPrivilege, pid 952, process bfsvc.exe
Suspicious use of SetWindowsHookEx (1 IoCs)
Processes:
- pid 1940, process Swift copy.exe
Suspicious use of WriteProcessMemory (20 IoCs)
Processes (source PID and process -> target PID and process; repeated rows in the report are collapsed with their count):
- PID 3304 Swift copy.exe wrote to memory of PID 200 schtasks.exe (3 entries)
- PID 3304 Swift copy.exe wrote to memory of PID 2152 Swift copy.exe (3 entries)
- PID 3304 Swift copy.exe wrote to memory of PID 1940 Swift copy.exe (8 entries)
- PID 1940 Swift copy.exe wrote to memory of PID 1300 cmd.exe (3 entries)
- PID 1300 cmd.exe wrote to memory of PID 952 bfsvc.exe (3 entries)
Processes (process tree; indentation shows parent/child relationship)

C:\Users\Admin\AppData\Local\Temp\Swift copy.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\Swift copy.exe"
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\schtasks.exe
    command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\DIcNwDBagZ" /XML "C:\Users\Admin\AppData\Local\Temp\tmpBFFA.tmp"
    - Creates scheduled task(s)

  C:\Users\Admin\AppData\Local\Temp\Swift copy.exe
    command line: "{path}"

  C:\Users\Admin\AppData\Local\Temp\Swift copy.exe
    command line: "{path}"
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\cmd.exe
      command line: "C:\Windows\System32\cmd.exe" cmd /c bfsvc.exe "true" "true" "true" "true"
      - Suspicious use of WriteProcessMemory

      C:\Users\Admin\AppData\Local\Temp\bfsvc.exe
        command line: bfsvc.exe "true" "true" "true" "true"
        - Executes dropped EXE
        - Suspicious use of AdjustPrivilegeToken
Downloads
- C:\Users\Admin\AppData\Local\Temp\bfsvc.exe
  MD5: 7bfcf811a47c0ca77ee2c95333f0476e
  SHA1: f3580c33ae27018d627ea12ffc41fb925367524f
  SHA256: f740df4d3a6c0b378116b48c1ed18a36e82938cf7dcaaba58f0ba8101f3e3531
  SHA512: 4386eb26bad23945ac7fe71a226a8f6a5a261f7e704e2389b360ad6f0864460137fbf95bc51abb3e90beb8328d4e854d7b5b0f04383a5460cc6dea5f28529c3b
- C:\Users\Admin\AppData\Local\Temp\tmpBFFA.tmp
  MD5: 712713d8bed46af9b0423c6b4d247d9d
  SHA1: febb125afb988cf60457eea4c781931e41da6ec4
  SHA256: 20635fcffc22200208bc0dab35bb3eedb7c3410666f57466f0de403d2f5cc68e
  SHA512: 22d4e0b137c90fe6e707933e9131cd94642a7c961af52eab47ce1f7a7095fdbb920e819d9e2f9dc886b34851e2920595a6bab346141cc76f7163f39266f2dcf5