18da6bd51f14bd9ffca136121586de47bad598fb4652f9a48044290377fcec61

General

Target

SWIFT_COPY00993Payment_advic4555pdf.exe
Size

2.9MB
MD5

344811104b9deac44b95852d3dbf89ec
SHA1

9ab4420fc25c66fca63aa43f17fcb956def07433
SHA256

18da6bd51f14bd9ffca136121586de47bad598fb4652f9a48044290377fcec61
SHA512

ae28492c462447ff2856682080d8b68a9cb8394900431a37c58bcd959df90037c237220269db0bbdef03b5111327c8ec5ff57b683552e1886d05e034679a900e

Score

8^/10

persistence upx

Malware Config

Signatures

Executes dropped EXE 2 IoCs

Processes:

alspeed.exealspeed.exe

pid process

3036 alspeed.exe
1336 alspeed.exe

pid	process
3036	alspeed.exe
1336	alspeed.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/1336-26-0x0000000000B00000-0x0000000000ED7000-memory.dmp	upx

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

reg.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Windows\CurrentVersion\Run\alspeed = "C:\\Users\\Admin\\AppData\\Roaming\\alspeed.exe"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

alspeed.exe

description pid process target process

PID 3036 set thread context of 1336 3036 alspeed.exe alspeed.exe
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

2372 1336 WerFault.exe alspeed.exe

description	pid	process	target process
PID 3036 set thread context of 1336	3036	alspeed.exe	alspeed.exe

pid	pid_target	process	target process
2372	1336	WerFault.exe	alspeed.exe

Suspicious behavior: EnumeratesProcesses 30 IoCs

Processes:

SWIFT_COPY00993Payment_advic4555pdf.exealspeed.exeWerFault.exe

pid	process
3636	SWIFT_COPY00993Payment_advic4555pdf.exe
3636	SWIFT_COPY00993Payment_advic4555pdf.exe
3636	SWIFT_COPY00993Payment_advic4555pdf.exe
3636	SWIFT_COPY00993Payment_advic4555pdf.exe
3636	SWIFT_COPY00993Payment_advic4555pdf.exe
3636	SWIFT_COPY00993Payment_advic4555pdf.exe
3636	SWIFT_COPY00993Payment_advic4555pdf.exe
3636	SWIFT_COPY00993Payment_advic4555pdf.exe
3636	SWIFT_COPY00993Payment_advic4555pdf.exe
3636	SWIFT_COPY00993Payment_advic4555pdf.exe
3636	SWIFT_COPY00993Payment_advic4555pdf.exe
3636	SWIFT_COPY00993Payment_advic4555pdf.exe
3636	SWIFT_COPY00993Payment_advic4555pdf.exe
3636	SWIFT_COPY00993Payment_advic4555pdf.exe
3636	SWIFT_COPY00993Payment_advic4555pdf.exe
3036	alspeed.exe
3036	alspeed.exe
2372	WerFault.exe
2372	WerFault.exe
2372	WerFault.exe
2372	WerFault.exe
2372	WerFault.exe
2372	WerFault.exe
2372	WerFault.exe
2372	WerFault.exe
2372	WerFault.exe
2372	WerFault.exe
2372	WerFault.exe
2372	WerFault.exe
2372	WerFault.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

Processes:

SWIFT_COPY00993Payment_advic4555pdf.exealspeed.exeWerFault.exe

description	pid	process
Token: SeDebugPrivilege	3636	SWIFT_COPY00993Payment_advic4555pdf.exe
Token: SeDebugPrivilege	3036	alspeed.exe
Token: SeRestorePrivilege	2372	WerFault.exe
Token: SeBackupPrivilege	2372	WerFault.exe
Token: SeDebugPrivilege	2372	WerFault.exe

Suspicious use of WriteProcessMemory 16 IoCs

Processes:

SWIFT_COPY00993Payment_advic4555pdf.execmd.exealspeed.exe

description	pid	process	target process
PID 3636 wrote to memory of 1980	3636	SWIFT_COPY00993Payment_advic4555pdf.exe	cmd.exe
PID 3636 wrote to memory of 1980	3636	SWIFT_COPY00993Payment_advic4555pdf.exe	cmd.exe
PID 3636 wrote to memory of 1980	3636	SWIFT_COPY00993Payment_advic4555pdf.exe	cmd.exe
PID 1980 wrote to memory of 2156	1980	cmd.exe	reg.exe
PID 1980 wrote to memory of 2156	1980	cmd.exe	reg.exe
PID 1980 wrote to memory of 2156	1980	cmd.exe	reg.exe
PID 3636 wrote to memory of 3036	3636	SWIFT_COPY00993Payment_advic4555pdf.exe	alspeed.exe
PID 3636 wrote to memory of 3036	3636	SWIFT_COPY00993Payment_advic4555pdf.exe	alspeed.exe
PID 3636 wrote to memory of 3036	3636	SWIFT_COPY00993Payment_advic4555pdf.exe	alspeed.exe
PID 3036 wrote to memory of 1336	3036	alspeed.exe	alspeed.exe
PID 3036 wrote to memory of 1336	3036	alspeed.exe	alspeed.exe
PID 3036 wrote to memory of 1336	3036	alspeed.exe	alspeed.exe
PID 3036 wrote to memory of 1336	3036	alspeed.exe	alspeed.exe
PID 3036 wrote to memory of 1336	3036	alspeed.exe	alspeed.exe
PID 3036 wrote to memory of 1336	3036	alspeed.exe	alspeed.exe
PID 3036 wrote to memory of 1336	3036	alspeed.exe	alspeed.exe

C:\Users\Admin\AppData\Local\Temp\SWIFT_COPY00993Payment_advic4555pdf.exe
"C:\Users\Admin\AppData\Local\Temp\SWIFT_COPY00993Payment_advic4555pdf.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3636
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "alspeed" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\alspeed.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1980
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "alspeed" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\alspeed.exe"
    3⤵
    - Adds Run key to start application
    PID:2156
- C:\Users\Admin\AppData\Roaming\alspeed.exe
  "C:\Users\Admin\AppData\Roaming\alspeed.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3036
- - C:\Users\Admin\AppData\Roaming\alspeed.exe
    "C:\Users\Admin\AppData\Roaming\alspeed.exe"
    3⤵
    - Executes dropped EXE
    PID:1336
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1336 -s 196
      4⤵
      Program crash
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2372

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\alspeed.exe

MD5
344811104b9deac44b95852d3dbf89ec

SHA1
9ab4420fc25c66fca63aa43f17fcb956def07433

SHA256
18da6bd51f14bd9ffca136121586de47bad598fb4652f9a48044290377fcec61

SHA512
ae28492c462447ff2856682080d8b68a9cb8394900431a37c58bcd959df90037c237220269db0bbdef03b5111327c8ec5ff57b683552e1886d05e034679a900e

Download Submit
C:\Users\Admin\AppData\Roaming\alspeed.exe

MD5
344811104b9deac44b95852d3dbf89ec

SHA1
9ab4420fc25c66fca63aa43f17fcb956def07433

SHA256
18da6bd51f14bd9ffca136121586de47bad598fb4652f9a48044290377fcec61

SHA512
ae28492c462447ff2856682080d8b68a9cb8394900431a37c58bcd959df90037c237220269db0bbdef03b5111327c8ec5ff57b683552e1886d05e034679a900e

Download Submit
C:\Users\Admin\AppData\Roaming\alspeed.exe

MD5
344811104b9deac44b95852d3dbf89ec

SHA1
9ab4420fc25c66fca63aa43f17fcb956def07433

SHA256
18da6bd51f14bd9ffca136121586de47bad598fb4652f9a48044290377fcec61

SHA512
ae28492c462447ff2856682080d8b68a9cb8394900431a37c58bcd959df90037c237220269db0bbdef03b5111327c8ec5ff57b683552e1886d05e034679a900e

Download Submit
memory/1336-30-0x00000000007D5230-mapping.dmp

Download
memory/1336-26-0x0000000000B00000-0x0000000000ED7000-memory.dmp

Filesize
3.8MB

Download
memory/1336-24-0x00000000007D5230-mapping.dmp

Download
memory/1980-9-0x0000000000000000-mapping.dmp

Download
memory/2156-10-0x0000000000000000-mapping.dmp

Download
memory/2372-27-0x0000000004FF0000-0x0000000004FF1000-memory.dmp

Filesize
4KB

Download
memory/3036-21-0x0000000004D40000-0x0000000004D4B000-memory.dmp

Filesize
44KB

Download
memory/3036-11-0x0000000000000000-mapping.dmp

Download
memory/3036-14-0x0000000073BA0000-0x000000007428E000-memory.dmp

Filesize
6.9MB

Download
memory/3036-22-0x0000000004D50000-0x0000000004D51000-memory.dmp

Filesize
4KB

Download
memory/3636-2-0x0000000073BA0000-0x000000007428E000-memory.dmp

Filesize
6.9MB

Download
memory/3636-8-0x0000000007560000-0x0000000007561000-memory.dmp

Filesize
4KB

Download
memory/3636-7-0x0000000002640000-0x0000000002641000-memory.dmp

Filesize
4KB

Download
memory/3636-6-0x0000000004B00000-0x0000000004B1E000-memory.dmp

Filesize
120KB

Download
memory/3636-5-0x0000000004BA0000-0x0000000004BA1000-memory.dmp

Filesize
4KB

Download
memory/3636-3-0x00000000000A0000-0x00000000000A1000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads