Analysis

max time kernel: 150s
max time network: 148s
platform: windows10_x64
resource: win10v20201028
submitted: 04-12-2020 09:17

Static task: static1
Behavioral task: behavioral1
Sample: SWIFTY COPY.exe
Resource: win7v20201028

General

Target: SWIFTY COPY.exe
Size: 745KB
MD5: b848cc9c799857387b279d773e4250df
SHA1: 13c7f4df965698c1a8b10ced41ddec295f8634bb
SHA256: b6247c787ec362f884203a581049a638a59a9db8dc6bac8cb88869a45704dfc9
SHA512: 48bfc3059a52bbe2668497b68747717e97f493aac40cd7900da337c72ed2ccb7e096b6e776bfcd8c79b3f1a7049d4bf4a3cdf5475c4395412766cefc105ee7bb
Malware Config
Extracted
formbook
http://www.alsagranit.info/rhk/
Signatures

Formbook Payload (3 IoCs)
resource | yara_rule
behavioral2/memory/676-13-0x0000000000400000-0x000000000042E000-memory.dmp | formbook
behavioral2/memory/676-14-0x000000000041EB80-mapping.dmp | formbook
behavioral2/memory/4060-15-0x0000000000000000-mapping.dmp | formbook

Suspicious use of SetThreadContext (4 IoCs)
description | pid | process | target process
PID 816 set thread context of 676 | 816 | SWIFTY COPY.exe | SWIFTY COPY.exe
PID 676 set thread context of 3048 | 676 | SWIFTY COPY.exe | Explorer.EXE
PID 676 set thread context of 3048 | 676 | SWIFTY COPY.exe | Explorer.EXE
PID 4060 set thread context of 3048 | 4060 | chkdsk.exe | Explorer.EXE

Creates scheduled task(s) (1 TTPs, 1 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.

Enumerates system info in registry (2 TTPs, 1 IoCs)
description | ioc | process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier | chkdsk.exe

Suspicious behavior: EnumeratesProcesses (43 IoCs)
pid | process | events
816 | SWIFTY COPY.exe | 1
676 | SWIFTY COPY.exe | 6
4060 | chkdsk.exe | 36

Suspicious behavior: MapViewOfSection (6 IoCs)
pid | process | events
676 | SWIFTY COPY.exe | 4
4060 | chkdsk.exe | 2

Suspicious use of AdjustPrivilegeToken (7 IoCs)
description | pid | process
Token: SeDebugPrivilege | 816 | SWIFTY COPY.exe
Token: SeDebugPrivilege | 676 | SWIFTY COPY.exe
Token: SeShutdownPrivilege | 3048 | Explorer.EXE
Token: SeCreatePagefilePrivilege | 3048 | Explorer.EXE
Token: SeShutdownPrivilege | 3048 | Explorer.EXE
Token: SeCreatePagefilePrivilege | 3048 | Explorer.EXE
Token: SeDebugPrivilege | 4060 | chkdsk.exe

Suspicious use of UnmapMainImage (1 IoCs)
pid | process
3048 | Explorer.EXE

Suspicious use of WriteProcessMemory (15 IoCs)
description | pid | process | target process | events
PID 816 wrote to memory of 3024 | 816 | SWIFTY COPY.exe | schtasks.exe | 3
PID 816 wrote to memory of 676 | 816 | SWIFTY COPY.exe | SWIFTY COPY.exe | 6
PID 3048 wrote to memory of 4060 | 3048 | Explorer.EXE | chkdsk.exe | 3
PID 4060 wrote to memory of 1336 | 4060 | chkdsk.exe | cmd.exe | 3
Processes

C:\Windows\Explorer.EXE
  command line: C:\Windows\Explorer.EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\SWIFTY COPY.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\SWIFTY COPY.exe"
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\schtasks.exe
      command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\KpYsLCogRWR" /XML "C:\Users\Admin\AppData\Local\Temp\tmpDCC.tmp"
      - Creates scheduled task(s)

    C:\Users\Admin\AppData\Local\Temp\SWIFTY COPY.exe
      command line: "{path}"
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken

  C:\Windows\SysWOW64\chkdsk.exe
    command line: "C:\Windows\SysWOW64\chkdsk.exe"
    - Suspicious use of SetThreadContext
    - Enumerates system info in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\cmd.exe
      command line: /c del "C:\Users\Admin\AppData\Local\Temp\SWIFTY COPY.exe"
Downloads

C:\Users\Admin\AppData\Local\Temp\tmpDCC.tmp
MD5: 299e1e0f25240c565997fd5b6c8e2742
SHA1: d52490bc08d38ad39c5afdb2c024c382b190c025
SHA256: 8a7e454c7ef0ca47158bfd38a5796cf22cfc6650e9364d8d1616d342e408d144
SHA512: 3dcecd2838804f1f7d6d4476851c9422006b71abbe964d5c9b357f1adc464b1ca64dc0d69b6f0f7317bed8688d13ceb38c1ede2f502e589ac658a9ebe6257b9b

memory/676-13-0x0000000000400000-0x000000000042E000-memory.dmp (Filesize 184KB)
memory/676-14-0x000000000041EB80-mapping.dmp
memory/816-3-0x0000000000380000-0x0000000000381000-memory.dmp (Filesize 4KB)
memory/816-5-0x0000000005460000-0x0000000005461000-memory.dmp (Filesize 4KB)
memory/816-6-0x0000000004DF0000-0x0000000004DFE000-memory.dmp (Filesize 56KB)
memory/816-7-0x0000000005990000-0x0000000005991000-memory.dmp (Filesize 4KB)
memory/816-8-0x0000000004F30000-0x0000000004F31000-memory.dmp (Filesize 4KB)
memory/816-9-0x0000000006110000-0x0000000006170000-memory.dmp (Filesize 384KB)
memory/816-10-0x0000000006210000-0x0000000006211000-memory.dmp (Filesize 4KB)
memory/816-2-0x0000000074070000-0x000000007475E000-memory.dmp (Filesize 6.9MB)
memory/1336-18-0x0000000000000000-mapping.dmp
memory/3024-11-0x0000000000000000-mapping.dmp
memory/3048-20-0x0000000005AA0000-0x0000000005BC9000-memory.dmp (Filesize 1.2MB)
memory/4060-16-0x0000000000C70000-0x0000000000C7A000-memory.dmp (Filesize 40KB)
memory/4060-17-0x0000000000C70000-0x0000000000C7A000-memory.dmp (Filesize 40KB)
memory/4060-15-0x0000000000000000-mapping.dmp
memory/4060-19-0x00000000066A0000-0x00000000067C1000-memory.dmp (Filesize 1.1MB)