18da6bd51f14bd9ffca136121586de47bad598fb4652f9a48044290377fcec61

General

Target

SWIFT_COPY00993Payment_advic4555pdf.exe
Size

2.9MB
MD5

344811104b9deac44b95852d3dbf89ec
SHA1

9ab4420fc25c66fca63aa43f17fcb956def07433
SHA256

18da6bd51f14bd9ffca136121586de47bad598fb4652f9a48044290377fcec61
SHA512

ae28492c462447ff2856682080d8b68a9cb8394900431a37c58bcd959df90037c237220269db0bbdef03b5111327c8ec5ff57b683552e1886d05e034679a900e

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
3036	alspeed.exe
1336	alspeed.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/1336-26-0x0000000000B00000-0x0000000000ED7000-memory.dmp	upx

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Windows\CurrentVersion\Run\alspeed = "C:\\Users\\Admin\\AppData\\Roaming\\alspeed.exe"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3036 set thread context of 1336	3036	alspeed.exe	82

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2372	1336	WerFault.exe	82

Suspicious behavior: EnumeratesProcesses 30 IoCs

pid	Process
3636	SWIFT_COPY00993Payment_advic4555pdf.exe
3636	SWIFT_COPY00993Payment_advic4555pdf.exe
3636	SWIFT_COPY00993Payment_advic4555pdf.exe
3636	SWIFT_COPY00993Payment_advic4555pdf.exe
3636	SWIFT_COPY00993Payment_advic4555pdf.exe
3636	SWIFT_COPY00993Payment_advic4555pdf.exe
3636	SWIFT_COPY00993Payment_advic4555pdf.exe
3636	SWIFT_COPY00993Payment_advic4555pdf.exe
3636	SWIFT_COPY00993Payment_advic4555pdf.exe
3636	SWIFT_COPY00993Payment_advic4555pdf.exe
3636	SWIFT_COPY00993Payment_advic4555pdf.exe
3636	SWIFT_COPY00993Payment_advic4555pdf.exe
3636	SWIFT_COPY00993Payment_advic4555pdf.exe
3636	SWIFT_COPY00993Payment_advic4555pdf.exe
3636	SWIFT_COPY00993Payment_advic4555pdf.exe
3036	alspeed.exe
3036	alspeed.exe
2372	WerFault.exe
2372	WerFault.exe
2372	WerFault.exe
2372	WerFault.exe
2372	WerFault.exe
2372	WerFault.exe
2372	WerFault.exe
2372	WerFault.exe
2372	WerFault.exe
2372	WerFault.exe
2372	WerFault.exe
2372	WerFault.exe
2372	WerFault.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	3636	SWIFT_COPY00993Payment_advic4555pdf.exe
Token: SeDebugPrivilege	3036	alspeed.exe
Token: SeRestorePrivilege	2372	WerFault.exe
Token: SeBackupPrivilege	2372	WerFault.exe
Token: SeDebugPrivilege	2372	WerFault.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 3636 wrote to memory of 1980	3636	SWIFT_COPY00993Payment_advic4555pdf.exe	78
PID 3636 wrote to memory of 1980	3636	SWIFT_COPY00993Payment_advic4555pdf.exe	78
PID 3636 wrote to memory of 1980	3636	SWIFT_COPY00993Payment_advic4555pdf.exe	78
PID 1980 wrote to memory of 2156	1980	cmd.exe	80
PID 1980 wrote to memory of 2156	1980	cmd.exe	80
PID 1980 wrote to memory of 2156	1980	cmd.exe	80
PID 3636 wrote to memory of 3036	3636	SWIFT_COPY00993Payment_advic4555pdf.exe	81
PID 3636 wrote to memory of 3036	3636	SWIFT_COPY00993Payment_advic4555pdf.exe	81
PID 3636 wrote to memory of 3036	3636	SWIFT_COPY00993Payment_advic4555pdf.exe	81
PID 3036 wrote to memory of 1336	3036	alspeed.exe	82
PID 3036 wrote to memory of 1336	3036	alspeed.exe	82
PID 3036 wrote to memory of 1336	3036	alspeed.exe	82
PID 3036 wrote to memory of 1336	3036	alspeed.exe	82
PID 3036 wrote to memory of 1336	3036	alspeed.exe	82
PID 3036 wrote to memory of 1336	3036	alspeed.exe	82
PID 3036 wrote to memory of 1336	3036	alspeed.exe	82

C:\Users\Admin\AppData\Local\Temp\SWIFT_COPY00993Payment_advic4555pdf.exe
"C:\Users\Admin\AppData\Local\Temp\SWIFT_COPY00993Payment_advic4555pdf.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3636
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "alspeed" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\alspeed.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1980
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "alspeed" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\alspeed.exe"
    3⤵
    - Adds Run key to start application
    PID:2156
- C:\Users\Admin\AppData\Roaming\alspeed.exe
  "C:\Users\Admin\AppData\Roaming\alspeed.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3036
- - C:\Users\Admin\AppData\Roaming\alspeed.exe
    "C:\Users\Admin\AppData\Roaming\alspeed.exe"
    3⤵
    - Executes dropped EXE
    PID:1336
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1336 -s 196
      4⤵
      Program crash
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2372

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1336-26-0x0000000000B00000-0x0000000000ED7000-memory.dmp

Filesize
3.8MB

Download
memory/2372-27-0x0000000004FF0000-0x0000000004FF1000-memory.dmp

Filesize
4KB

Download
memory/3036-21-0x0000000004D40000-0x0000000004D4B000-memory.dmp

Filesize
44KB

Download
memory/3036-14-0x0000000073BA0000-0x000000007428E000-memory.dmp

Filesize
6.9MB

Download
memory/3036-22-0x0000000004D50000-0x0000000004D51000-memory.dmp

Filesize
4KB

Download
memory/3636-2-0x0000000073BA0000-0x000000007428E000-memory.dmp

Filesize
6.9MB

Download
memory/3636-8-0x0000000007560000-0x0000000007561000-memory.dmp

Filesize
4KB

Download
memory/3636-7-0x0000000002640000-0x0000000002641000-memory.dmp

Filesize
4KB

Download
memory/3636-6-0x0000000004B00000-0x0000000004B1E000-memory.dmp

Filesize
120KB

Download
memory/3636-5-0x0000000004BA0000-0x0000000004BA1000-memory.dmp

Filesize
4KB

Download
memory/3636-3-0x00000000000A0000-0x00000000000A1000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing