Overview

overview

10

Static

static

SWIFTY COPY.exe

windows7_x64

10

SWIFTY COPY.exe

windows10_x64

10

Analysis

  • max time kernel
    150s
  • max time network
    148s
  • platform
    windows10_x64
  • resource
    win10v20201028
  • submitted
    04-12-2020 09:17

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    SWIFTY COPY.exe

  • Size

    745KB

  • MD5

    b848cc9c799857387b279d773e4250df

  • SHA1

    13c7f4df965698c1a8b10ced41ddec295f8634bb

  • SHA256

    b6247c787ec362f884203a581049a638a59a9db8dc6bac8cb88869a45704dfc9

  • SHA512

    48bfc3059a52bbe2668497b68747717e97f493aac40cd7900da337c72ed2ccb7e096b6e776bfcd8c79b3f1a7049d4bf4a3cdf5475c4395412766cefc105ee7bb

Score
10/10
formbookratspywarestealertrojan

Malware Config

Extracted

Family

formbook

C2

http://www.alsagranit.info/rhk/

Decoy

luuthingoctrinam247.online

upcas.info

cmoswipefiles.com

rene-jew.com

kiddoslunchboxes.com

52wanlol.com

konstela.com

dajiangzhibo11.com

huibaoyuanhty.com

boudot.one

myinfinitycollectionagency.com

letsgetsunny.com

gruppolarta.com

factoka.com

artistspal.com

gewnrecaalouine.com

etiquetadorada.com

brememshop.com

kangyiyan.com

testcitestdpp03.com

Signatures

  • Formbook

    Formbook is a data stealing malware which is capable of stealing data.

    trojanspywarestealerformbook
  • Formbook Payload 3 IoCs
    rat
  • Suspicious use of SetThreadContext 4 IoCs
  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Enumerates system info in registry 2 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 43 IoCs
  • Suspicious behavior: MapViewOfSection 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 7 IoCs
  • Suspicious use of UnmapMainImage 1 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of UnmapMainImage
    • Suspicious use of WriteProcessMemory
    PID:3048
    • C:\Users\Admin\AppData\Local\Temp\SWIFTY COPY.exe
      "C:\Users\Admin\AppData\Local\Temp\SWIFTY COPY.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:816
      • C:\Windows\SysWOW64\schtasks.exe
        "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\KpYsLCogRWR" /XML "C:\Users\Admin\AppData\Local\Temp\tmpDCC.tmp"
        3⤵
        • Creates scheduled task(s)
        PID:3024
      • C:\Users\Admin\AppData\Local\Temp\SWIFTY COPY.exe
        "{path}"
        3⤵
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of AdjustPrivilegeToken
        PID:676
    • C:\Windows\SysWOW64\chkdsk.exe
      "C:\Windows\SysWOW64\chkdsk.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Enumerates system info in registry
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:4060
      • C:\Windows\SysWOW64\cmd.exe
        /c del "C:\Users\Admin\AppData\Local\Temp\SWIFTY COPY.exe"
        3⤵
          PID:1336

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Initial Access

    Execution

    Scheduled Task

    1
    T1053

    Persistence

    Scheduled Task

    1
    T1053

    Privilege Escalation

    Scheduled Task

    1
    T1053

    Defense Evasion

    Credential Access

    Discovery

    Query Registry

    1
    T1012

    System Information Discovery

    1
    T1082

    Lateral Movement

    Collection

    Exfiltration

    Command and Control

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\tmpDCC.tmp
      MD5

      299e1e0f25240c565997fd5b6c8e2742

      SHA1

      d52490bc08d38ad39c5afdb2c024c382b190c025

      SHA256

      8a7e454c7ef0ca47158bfd38a5796cf22cfc6650e9364d8d1616d342e408d144

      SHA512

      3dcecd2838804f1f7d6d4476851c9422006b71abbe964d5c9b357f1adc464b1ca64dc0d69b6f0f7317bed8688d13ceb38c1ede2f502e589ac658a9ebe6257b9b

      Download Submit
    • memory/676-13-0x0000000000400000-0x000000000042E000-memory.dmp
      Filesize

      184KB

      Download
    • memory/676-14-0x000000000041EB80-mapping.dmp
      Download
    • memory/816-3-0x0000000000380000-0x0000000000381000-memory.dmp
      Filesize

      4KB

      Download
    • memory/816-5-0x0000000005460000-0x0000000005461000-memory.dmp
      Filesize

      4KB

      Download
    • memory/816-6-0x0000000004DF0000-0x0000000004DFE000-memory.dmp
      Filesize

      56KB

      Download
    • memory/816-7-0x0000000005990000-0x0000000005991000-memory.dmp
      Filesize

      4KB

      Download
    • memory/816-8-0x0000000004F30000-0x0000000004F31000-memory.dmp
      Filesize

      4KB

      Download
    • memory/816-9-0x0000000006110000-0x0000000006170000-memory.dmp
      Filesize

      384KB

      Download
    • memory/816-10-0x0000000006210000-0x0000000006211000-memory.dmp
      Filesize

      4KB

      Download
    • memory/816-2-0x0000000074070000-0x000000007475E000-memory.dmp
      Filesize

      6.9MB

      Download
    • memory/1336-18-0x0000000000000000-mapping.dmp
      Download
    • memory/3024-11-0x0000000000000000-mapping.dmp
      Download
    • memory/3048-20-0x0000000005AA0000-0x0000000005BC9000-memory.dmp
      Filesize

      1.2MB

      Download
    • memory/4060-16-0x0000000000C70000-0x0000000000C7A000-memory.dmp
      Filesize

      40KB

      Download
    • memory/4060-17-0x0000000000C70000-0x0000000000C7A000-memory.dmp
      Filesize

      40KB

      Download
    • memory/4060-15-0x0000000000000000-mapping.dmp
      Download
    • memory/4060-19-0x00000000066A0000-0x00000000067C1000-memory.dmp
      Filesize

      1.1MB

      Download