Analysis
- max time kernel: 94s
- max time network: 110s
- platform: windows10_x64
- resource: win10v20201028
- submitted: 11-01-2021 08:14
- Static task: static1
- Behavioral task: behavioral1 (Sample: SWIFT_COPY00993Payment_advic4555pdf.exe, Resource: win7v20201028)
- Behavioral task: behavioral2 (Sample: SWIFT_COPY00993Payment_advic4555pdf.exe, Resource: win10v20201028)
General
- Target: SWIFT_COPY00993Payment_advic4555pdf.exe
- Size: 2.9MB
- MD5: 344811104b9deac44b95852d3dbf89ec
- SHA1: 9ab4420fc25c66fca63aa43f17fcb956def07433
- SHA256: 18da6bd51f14bd9ffca136121586de47bad598fb4652f9a48044290377fcec61
- SHA512: ae28492c462447ff2856682080d8b68a9cb8394900431a37c58bcd959df90037c237220269db0bbdef03b5111327c8ec5ff57b683552e1886d05e034679a900e
Malware Config
Signatures
- Executes dropped EXE (2 IoCs)
  Processes: alspeed.exe
  - pid 3036, process alspeed.exe
  - pid 1336, process alspeed.exe
  Resources:
  - resource behavioral2/memory/1336-26-0x0000000000B00000-0x0000000000ED7000-memory.dmp, yara_rule upx
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes: reg.exe
  - Set value (str): \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Windows\CurrentVersion\Run\alspeed = "C:\\Users\\Admin\\AppData\\Roaming\\alspeed.exe" (process reg.exe)
  - Key created: \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Windows\CurrentVersion\Run (process reg.exe)
- Suspicious use of SetThreadContext (1 IoC)
  Processes: alspeed.exe
  - PID 3036 set thread context of 1336: pid 3036, process alspeed.exe, target process alspeed.exe
- Program crash (1 IoC)
  Processes: WerFault.exe
  - pid 2372 (process WerFault.exe), pid_target 1336 (target process alspeed.exe)
- Suspicious behavior: EnumeratesProcesses (30 IoCs)
  Processes: SWIFT_COPY00993Payment_advic4555pdf.exe, alspeed.exe, WerFault.exe
  - pid 3636, process SWIFT_COPY00993Payment_advic4555pdf.exe (15 entries)
  - pid 3036, process alspeed.exe (2 entries)
  - pid 2372, process WerFault.exe (13 entries)
- Suspicious use of AdjustPrivilegeToken (5 IoCs)
  Processes: SWIFT_COPY00993Payment_advic4555pdf.exe, alspeed.exe, WerFault.exe
  - Token: SeDebugPrivilege: pid 3636, process SWIFT_COPY00993Payment_advic4555pdf.exe
  - Token: SeDebugPrivilege: pid 3036, process alspeed.exe
  - Token: SeRestorePrivilege: pid 2372, process WerFault.exe
  - Token: SeBackupPrivilege: pid 2372, process WerFault.exe
  - Token: SeDebugPrivilege: pid 2372, process WerFault.exe
- Suspicious use of WriteProcessMemory (16 IoCs)
  Processes: SWIFT_COPY00993Payment_advic4555pdf.exe, cmd.exe, alspeed.exe
  - PID 3636 wrote to memory of 1980: process SWIFT_COPY00993Payment_advic4555pdf.exe, target process cmd.exe (3 entries)
  - PID 1980 wrote to memory of 2156: process cmd.exe, target process reg.exe (3 entries)
  - PID 3636 wrote to memory of 3036: process SWIFT_COPY00993Payment_advic4555pdf.exe, target process alspeed.exe (3 entries)
  - PID 3036 wrote to memory of 1336: process alspeed.exe, target process alspeed.exe (7 entries)
Processes
- C:\Users\Admin\AppData\Local\Temp\SWIFT_COPY00993Payment_advic4555pdf.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\SWIFT_COPY00993Payment_advic4555pdf.exe"
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "alspeed" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\alspeed.exe"
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\reg.exe
      Command line: REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "alspeed" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\alspeed.exe"
      - Adds Run key to start application
  - C:\Users\Admin\AppData\Roaming\alspeed.exe
    Command line: "C:\Users\Admin\AppData\Roaming\alspeed.exe"
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Roaming\alspeed.exe
      Command line: "C:\Users\Admin\AppData\Roaming\alspeed.exe"
      - Executes dropped EXE
      - C:\Windows\SysWOW64\WerFault.exe
        Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1336 -s 196
        - Program crash
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Roaming\alspeed.exe
  MD5: 344811104b9deac44b95852d3dbf89ec
  SHA1: 9ab4420fc25c66fca63aa43f17fcb956def07433
  SHA256: 18da6bd51f14bd9ffca136121586de47bad598fb4652f9a48044290377fcec61
  SHA512: ae28492c462447ff2856682080d8b68a9cb8394900431a37c58bcd959df90037c237220269db0bbdef03b5111327c8ec5ff57b683552e1886d05e034679a900e
- memory/1336-30-0x00000000007D5230-mapping.dmp
- memory/1336-26-0x0000000000B00000-0x0000000000ED7000-memory.dmp (Filesize: 3.8MB)
- memory/1336-24-0x00000000007D5230-mapping.dmp
- memory/1980-9-0x0000000000000000-mapping.dmp
- memory/2156-10-0x0000000000000000-mapping.dmp
- memory/2372-27-0x0000000004FF0000-0x0000000004FF1000-memory.dmp (Filesize: 4KB)
- memory/3036-21-0x0000000004D40000-0x0000000004D4B000-memory.dmp (Filesize: 44KB)
- memory/3036-11-0x0000000000000000-mapping.dmp
- memory/3036-14-0x0000000073BA0000-0x000000007428E000-memory.dmp (Filesize: 6.9MB)
- memory/3036-22-0x0000000004D50000-0x0000000004D51000-memory.dmp (Filesize: 4KB)
- memory/3636-2-0x0000000073BA0000-0x000000007428E000-memory.dmp (Filesize: 6.9MB)
- memory/3636-8-0x0000000007560000-0x0000000007561000-memory.dmp (Filesize: 4KB)
- memory/3636-7-0x0000000002640000-0x0000000002641000-memory.dmp (Filesize: 4KB)
- memory/3636-6-0x0000000004B00000-0x0000000004B1E000-memory.dmp (Filesize: 120KB)
- memory/3636-5-0x0000000004BA0000-0x0000000004BA1000-memory.dmp (Filesize: 4KB)
- memory/3636-3-0x00000000000A0000-0x00000000000A1000-memory.dmp (Filesize: 4KB)