Analysis

Max time kernel: 151s
Max time network: 141s
Platform: windows10_x64
Resource: win10v20201028
Submitted: 26-02-2021 06:53

Static task: static1
Behavioral task: behavioral1
Sample: Swift File_pdf.exe
Resource: win7v20201028
General

Target: Swift File_pdf.exe
Size: 212KB
MD5: 5db240ab92ef9f9e14f96816cce4f656
SHA1: 2f9b2f695654dafe3e7383bf5afa71c6277a4917
SHA256: 5be04026087a580dcf1dd996c523a3fea40d5d86f9b7f8596562dec1f7f906c7
SHA512: 30970072756574169b05a1e7161fd8c2e36bea6496051a867c649ed0945c4f0d34ca8ba884f5a1a460737b639ee7f5e58ac53763b7924baa3cdc213d0afdca16
Malware Config
Extracted
formbook
http://www.layoutsbox.com/g832/
Signatures

Xloader Payload (2 IoCs)
Processes:
  resource                                                                    yara_rule
  behavioral2/memory/3772-6-0x0000000000400000-0x0000000000428000-memory.dmp  xloader
  behavioral2/memory/3176-13-0x00000000029C0000-0x00000000029E8000-memory.dmp  xloader

Blocklisted process makes network request (2 IoCs)
Processes:
  flow  pid   process
  32    3176  cmd.exe
  37    3176  cmd.exe

Loads dropped DLL (2 IoCs)
Processes:
  pid  process
  540  Swift File_pdf.exe
  540  Swift File_pdf.exe

Suspicious use of SetThreadContext (3 IoCs)
Processes:
  description                              pid   process             target process
  PID 540 set thread context of 3772       540   Swift File_pdf.exe  Swift File_pdf.exe
  PID 3772 set thread context of 3016      3772  Swift File_pdf.exe  Explorer.EXE
  PID 3176 set thread context of 3016      3176  cmd.exe             Explorer.EXE

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Suspicious behavior: EnumeratesProcesses (64 IoCs)
Processes:
  pid   process             hits
  540   Swift File_pdf.exe  8
  3772  Swift File_pdf.exe  4
  3176  cmd.exe             52

Suspicious behavior: MapViewOfSection (6 IoCs)
Processes:
  pid   process             hits
  540   Swift File_pdf.exe  1
  3772  Swift File_pdf.exe  3
  3176  cmd.exe             2

Suspicious use of AdjustPrivilegeToken (2 IoCs)
Processes:
  description              pid   process
  Token: SeDebugPrivilege  3772  Swift File_pdf.exe
  Token: SeDebugPrivilege  3176  cmd.exe

Suspicious use of FindShellTrayWindow (2 IoCs)
Processes:
  pid   process       hits
  3016  Explorer.EXE  2

Suspicious use of SendNotifyMessage (2 IoCs)
Processes:
  pid   process       hits
  3016  Explorer.EXE  2

Suspicious use of UnmapMainImage (1 IoCs)
Processes:
  pid   process       hits
  3016  Explorer.EXE  1

Suspicious use of WriteProcessMemory (10 IoCs)
Processes:
  description                      pid   process             target process      hits
  PID 540 wrote to memory of 3772  540   Swift File_pdf.exe  Swift File_pdf.exe  4
  PID 3016 wrote to memory of 3176 3016  Explorer.EXE        cmd.exe             3
  PID 3176 wrote to memory of 3056 3176  cmd.exe             cmd.exe             3
Processes

C:\Windows\Explorer.EXE
  Command line: C:\Windows\Explorer.EXE
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\Swift File_pdf.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\Swift File_pdf.exe"
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\Swift File_pdf.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\Swift File_pdf.exe"
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken

  C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\SysWOW64\cmd.exe"
    - Blocklisted process makes network request
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\cmd.exe
      Command line: /c del "C:\Users\Admin\AppData\Local\Temp\Swift File_pdf.exe"
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

\Users\Admin\AppData\Local\Temp\fd9av2kfb8l.dll
  MD5: 1642792df35582d772a54f1e62329724
  SHA1: 2b3087fb3fec32e81ecf1642c05793b63ec9e3d4
  SHA256: 51204afe24360091ddbcc513a98296b4da60e84034bcf3cccdc1d05afd9afac3
  SHA512: 58e33e141b4a187968257a06d7a5a86be2e9f019f2ad9cd919fa8641cd1a9c7d45726c24ba16476ca64f728b3256d5a95e7771d5e0e66444d08521516874032f

\Users\Admin\AppData\Local\Temp\nsm71DB.tmp\System.dll
  MD5: fccff8cb7a1067e23fd2e2b63971a8e1
  SHA1: 30e2a9e137c1223a78a0f7b0bf96a1c361976d91
  SHA256: 6fcea34c8666b06368379c6c402b5321202c11b00889401c743fb96c516c679e
  SHA512: f4335e84e6f8d70e462a22f1c93d2998673a7616c868177cac3e8784a3be1d7d0bb96f2583fa0ed82f4f2b6b8f5d9b33521c279a42e055d80a94b4f3f1791e0c

memory/3016-9-0x0000000005270000-0x00000000053D3000-memory.dmp
  Filesize: 1.4MB

memory/3016-17-0x00000000053E0000-0x0000000005481000-memory.dmp
  Filesize: 644KB

memory/3056-14-0x0000000000000000-mapping.dmp

memory/3176-12-0x0000000003620000-0x0000000003940000-memory.dmp
  Filesize: 3.1MB

memory/3176-10-0x0000000000000000-mapping.dmp

memory/3176-11-0x0000000000860000-0x00000000008B9000-memory.dmp
  Filesize: 356KB

memory/3176-13-0x00000000029C0000-0x00000000029E8000-memory.dmp
  Filesize: 160KB

memory/3176-16-0x00000000033E0000-0x000000000346F000-memory.dmp
  Filesize: 572KB

memory/3772-8-0x00000000009B0000-0x00000000009C0000-memory.dmp
  Filesize: 64KB

memory/3772-6-0x0000000000400000-0x0000000000428000-memory.dmp
  Filesize: 160KB

memory/3772-7-0x0000000000BD0000-0x0000000000EF0000-memory.dmp
  Filesize: 3.1MB

memory/3772-4-0x000000000041CFC0-mapping.dmp