Analysis
- max time kernel: 149s
- max time network: 12s
- platform: windows7_x64
- resource: win7v20201028
- submitted: 04-12-2020 09:17

Static task: static1
Behavioral task: behavioral1
- Sample: SWIFTY COPY.exe
- Resource: win7v20201028
General
- Target: SWIFTY COPY.exe
- Size: 745KB
- MD5: b848cc9c799857387b279d773e4250df
- SHA1: 13c7f4df965698c1a8b10ced41ddec295f8634bb
- SHA256: b6247c787ec362f884203a581049a638a59a9db8dc6bac8cb88869a45704dfc9
- SHA512: 48bfc3059a52bbe2668497b68747717e97f493aac40cd7900da337c72ed2ccb7e096b6e776bfcd8c79b3f1a7049d4bf4a3cdf5475c4395412766cefc105ee7bb
Malware Config
Extracted
formbook
http://www.alsagranit.info/rhk/
luuthingoctrinam247.online
upcas.info
cmoswipefiles.com
rene-jew.com
kiddoslunchboxes.com
52wanlol.com
konstela.com
dajiangzhibo11.com
huibaoyuanhty.com
boudot.one
myinfinitycollectionagency.com
letsgetsunny.com
gruppolarta.com
factoka.com
artistspal.com
gewnrecaalouine.com
etiquetadorada.com
brememshop.com
kangyiyan.com
testcitestdpp03.com
kredit-goals.com
ujinent.net
copycatchgold.com
primospicaduras.com
qualitydiscountauto1.com
globalindustrysource.com
kergrandmaman.com
hirerevert.com
appislim.com
card-hotel-family-enjoylife.com
struckmelikeachord.com
sensesfits.store
bygabrielletiara.com
nopmirefinance.com
dfscapholdingsllc.com
cincysanitizing.com
luxuryresortranch.com
otter.coffee
yourfac.club
kemalyaz.com
longhu152.com
globale.solutions
thedetroitmasquerade.com
dynastyroyal.com
qnbpjnp.icu
cora-musica.com
testcokes.com
k-eco.net
jamjshcnsg45.com
forsythcourtseniorliving.com
smallfrytacos.com
delta8cbd.today
nfmprotecton.com
mtrlx.com
gouvrefund.com
moneybook4nurses.com
loanadminisraion.com
canadafaucetoutlet.com
pdgulu.com
lyoml.com
goimang-4gviettel.site
saimeisteel.com
replace-study.com
macomo.online
Signatures

Formbook Payload (3 IoCs)
YARA rule "formbook" matched the following dumped resources:
  behavioral1/memory/1120-9-0x0000000000400000-0x000000000042E000-memory.dmp
  behavioral1/memory/1120-10-0x000000000041EB80-mapping.dmp
  behavioral1/memory/636-11-0x0000000000000000-mapping.dmp

Deletes itself (1 IoC)
Processes:
  pid   process
  812   cmd.exe

Suspicious use of SetThreadContext (3 IoCs)
Processes:
  pid   process          target pid  target process   description
  1640  SWIFTY COPY.exe  1120        SWIFTY COPY.exe  PID 1640 set thread context of 1120
  1120  SWIFTY COPY.exe  1272        Explorer.EXE     PID 1120 set thread context of 1272
  636   raserver.exe     1272        Explorer.EXE     PID 636 set thread context of 1272

Creates scheduled task(s) (1 TTP, 1 IoC)
Schtasks is often used by malware for persistence or to perform post-infection execution.

Suspicious behavior: EnumeratesProcesses (23 IoCs)
Processes:
  pid   process          occurrences
  1640  SWIFTY COPY.exe  1
  1120  SWIFTY COPY.exe  2
  636   raserver.exe     20

Suspicious behavior: MapViewOfSection (5 IoCs)
Processes:
  pid   process          occurrences
  1120  SWIFTY COPY.exe  3
  636   raserver.exe     2

Suspicious use of AdjustPrivilegeToken (3 IoCs)
Processes:
  pid   process          description
  1640  SWIFTY COPY.exe  Token: SeDebugPrivilege
  1120  SWIFTY COPY.exe  Token: SeDebugPrivilege
  636   raserver.exe     Token: SeDebugPrivilege

Suspicious use of FindShellTrayWindow (4 IoCs)
Processes:
  pid   process       occurrences
  1272  Explorer.EXE  4

Suspicious use of SendNotifyMessage (4 IoCs)
Processes:
  pid   process       occurrences
  1272  Explorer.EXE  4

Suspicious use of WriteProcessMemory (19 IoCs)
Processes:
  pid   process          target pid  target process   occurrences
  1640  SWIFTY COPY.exe  1092        schtasks.exe     4
  1640  SWIFTY COPY.exe  1120        SWIFTY COPY.exe  7
  1272  Explorer.EXE     636         raserver.exe     4
  636   raserver.exe     812         cmd.exe          4
Processes (tree depth as reported; PIDs cross-referenced from the signature tables above)

1. C:\Windows\Explorer.EXE (PID 1272)
   command line: C:\Windows\Explorer.EXE
   - Suspicious use of FindShellTrayWindow
   - Suspicious use of SendNotifyMessage
   - Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\AppData\Local\Temp\SWIFTY COPY.exe (PID 1640)
      command line: "C:\Users\Admin\AppData\Local\Temp\SWIFTY COPY.exe"
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory

      3. C:\Windows\SysWOW64\schtasks.exe (PID 1092)
         command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\KpYsLCogRWR" /XML "C:\Users\Admin\AppData\Local\Temp\tmpD604.tmp"
         - Creates scheduled task(s)
         Note: the command line names System32 but the executed image is under SysWOW64, so the caller is a 32-bit process subject to WOW64 file-system redirection. The task definition tmpD604.tmp is the dropped file listed under Downloads.

      3. C:\Users\Admin\AppData\Local\Temp\SWIFTY COPY.exe (PID 1120)
         command line: "{path}"
         - Suspicious use of SetThreadContext
         - Suspicious behavior: EnumeratesProcesses
         - Suspicious behavior: MapViewOfSection
         - Suspicious use of AdjustPrivilegeToken

   2. C:\Windows\SysWOW64\raserver.exe (PID 636)
      command line: "C:\Windows\SysWOW64\raserver.exe"
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory

      3. C:\Windows\SysWOW64\cmd.exe (PID 812)
         command line: /c del "C:\Users\Admin\AppData\Local\Temp\SWIFTY COPY.exe"
         - Deletes itself
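The process tree and the SetThreadContext / WriteProcessMemory tables together describe the full execution chain: the dropper re-launches its own image and rewrites the child's thread context, the child does the same to Explorer.EXE, Explorer spawns raserver.exe, which is again used to set Explorer's thread context and finally deletes the original sample through cmd.exe, while a scheduled task is registered from an XML file in Temp. The following is an added example, not code from the sandbox or from this report: it turns those signals into detection logic run over a constructed process table. The PIDs, image paths and command lines are the ones the report shows; the tuple layout (`PROCESSES`, `SET_THREAD_CONTEXT`), the regexes and the classification heuristics are this example's own assumptions, not the sandbox's signature definitions.

```python
"""Detection pass over a sandbox-style process table (added example).

PROCESSES and SET_THREAD_CONTEXT are CONSTRUCTED from the report's process
tree and signature tables; the layout and the heuristics are this example's
own, not the sandbox's signature engine.
"""
import re
from typing import Dict, List, Tuple

# pid -> (parent pid, image path, command line). Explorer.EXE's parent is not
# shown in the report, so 0 is used as a placeholder.
PROCESSES: Dict[int, Tuple[int, str, str]] = {
    1272: (0, r"C:\Windows\Explorer.EXE", r"C:\Windows\Explorer.EXE"),
    1640: (1272, r"C:\Users\Admin\AppData\Local\Temp\SWIFTY COPY.exe",
           r'"C:\Users\Admin\AppData\Local\Temp\SWIFTY COPY.exe"'),
    1092: (1640, r"C:\Windows\SysWOW64\schtasks.exe",
           r'"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\KpYsLCogRWR" '
           r'/XML "C:\Users\Admin\AppData\Local\Temp\tmpD604.tmp"'),
    1120: (1640, r"C:\Users\Admin\AppData\Local\Temp\SWIFTY COPY.exe", "{path}"),
    636: (1272, r"C:\Windows\SysWOW64\raserver.exe", r'"C:\Windows\SysWOW64\raserver.exe"'),
    812: (636, r"C:\Windows\SysWOW64\cmd.exe",
          r'/c del "C:\Users\Admin\AppData\Local\Temp\SWIFTY COPY.exe"'),
}

# (source pid, target pid) for each "set thread context" event in the report.
SET_THREAD_CONTEXT: List[Tuple[int, int]] = [(1640, 1120), (1120, 1272), (636, 1272)]

USER_WRITABLE = re.compile(r"^[a-z]:\\users\\", re.I)   # heuristic: user-profile paths
SHELL_IMAGES = {"explorer.exe"}                          # high-value injection targets


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def injection_findings(procs: Dict[int, Tuple[int, str, str]],
                       events: List[Tuple[int, int]]) -> List[str]:
    """Classify each SetThreadContext event by the source and target images."""
    out = []
    for src, dst in events:
        src_img, dst_img = procs[src][1], procs[dst][1]
        if src_img.lower() == dst_img.lower():
            # A process re-launches its own image and rewrites the child's
            # thread context: the self-injection (hollowing) pattern.
            out.append(f"{src}->{dst}: self-injection into a new copy of {basename(src_img)}")
        elif basename(dst_img) in SHELL_IMAGES:
            origin = "user-writable path" if USER_WRITABLE.match(src_img) else "system binary"
            out.append(f"{src}->{dst}: {basename(src_img)} ({origin}) "
                       f"set thread context in {basename(dst_img)}")
    return out


def persistence_findings(procs: Dict[int, Tuple[int, str, str]]) -> List[str]:
    """schtasks /Create whose task definition (/XML) lives in a user Temp directory."""
    out = []
    for pid, (_, img, cmd) in procs.items():
        if basename(img) != "schtasks.exe" or "/create" not in cmd.lower():
            continue
        xml = re.search(r'/XML\s+"?([^"]+)"?', cmd, re.I)
        name = re.search(r'/TN\s+"?([^"]+)"?', cmd, re.I)
        if xml and re.search(r"\\AppData\\Local\\Temp\\", xml.group(1), re.I):
            task = name.group(1) if name else "?"
            out.append(f"{pid}: task {task} created from Temp XML {xml.group(1)}")
    return out


def self_delete_findings(procs: Dict[int, Tuple[int, str, str]]) -> List[str]:
    """cmd.exe /c del whose argument is the image of a process in the table."""
    images = {img.lower() for _, img, _ in procs.values()}
    out = []
    for pid, (ppid, img, cmd) in procs.items():
        if basename(img) != "cmd.exe":
            continue
        m = re.search(r'/c\s+del\s+"?([^"]+)"?', cmd, re.I)
        if m and m.group(1).lower() in images:
            out.append(f"{pid}: cmd.exe (spawned by PID {ppid}) deletes the sample image {m.group(1)}")
    return out


def wow64_findings(procs: Dict[int, Tuple[int, str, str]]) -> List[str]:
    """Command line names System32 but the image ran from SysWOW64: 32-bit caller."""
    out = []
    for pid, (_, img, cmd) in procs.items():
        if "\\syswow64\\" in img.lower() and "\\system32\\" in cmd.lower():
            out.append(f"{pid}: 32-bit caller, System32 path redirected to {basename(img)} under SysWOW64")
    return out


def run(procs: Dict[int, Tuple[int, str, str]],
        events: List[Tuple[int, int]]) -> Dict[str, List[str]]:
    """All findings keyed by category."""
    return {
        "injection": injection_findings(procs, events),
        "persistence": persistence_findings(procs),
        "self_delete": self_delete_findings(procs),
        "wow64": wow64_findings(procs),
    }


if __name__ == "__main__":
    for category, findings in run(PROCESSES, SET_THREAD_CONTEXT).items():
        for line in findings:
            print(f"[{category}] {line}")
```

The image-equality check is what separates the first SetThreadContext event from the other two: 1640 and 1120 share the same on-disk image, whereas the later events target Explorer.EXE from a user-profile path and then from a Windows binary. The WOW64 check is a side signal worth keeping because it tells you which bitness of hooking or scanning tooling applies to the chain.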
Downloads

C:\Users\Admin\AppData\Local\Temp\tmpD604.tmp
  MD5:    eeacd9381e06a75083209210358324bd
  SHA1:   9c679e931e69b6818abd91885b3f9b6c7f88f8d1
  SHA256: 5046fe22c137db9b3e6e2f1f407b024373df0cc510e14886f62fc092bdbfff7c
  SHA512: 786e0a7511efbac69777cfa53fab668bb9280b51cc6ca29691f46ab92ea3074d924f18b5b935c104bd557721cce79f8b1675559d63a932938c1b6d30b845c9ab

Memory dumps (named pid-sequence-start[-end]; file size for region dumps):
  memory/636-11-0x0000000000000000-mapping.dmp
  memory/636-12-0x0000000000E90000-0x0000000000EAC000-memory.dmp    112KB
  memory/636-14-0x0000000002F90000-0x0000000003051000-memory.dmp    772KB
  memory/812-13-0x0000000000000000-mapping.dmp
  memory/1092-7-0x0000000000000000-mapping.dmp
  memory/1120-9-0x0000000000400000-0x000000000042E000-memory.dmp    184KB
  memory/1120-10-0x000000000041EB80-mapping.dmp
  memory/1640-2-0x00000000745C0000-0x0000000074CAE000-memory.dmp    6.9MB
  memory/1640-3-0x00000000010B0000-0x00000000010B1000-memory.dmp    4KB
  memory/1640-5-0x0000000000420000-0x000000000042E000-memory.dmp    56KB
  memory/1640-6-0x00000000006E0000-0x0000000000740000-memory.dmp    384KB