Analysis
- max time kernel: 147s
- max time network: 149s
- platform: windows7_x64
- resource: win7v20210410
- submitted: 19-04-2021 14:46
Static task: static1

Behavioral task: behavioral1
- Sample: PaymentSwift copy.exe
- Resource: win7v20210410
- Platform: windows7_x64
- 0 signatures
- 0 seconds

Behavioral task: behavioral2
- Sample: PaymentSwift copy.exe
- Resource: win10v20210408
- Platform: windows10_x64
- 0 signatures
- 0 seconds
General
- Target: PaymentSwift copy.exe
- Size: 3.4MB
- MD5: 83dd88ad8154ed07ee4bd902eb84eb2c
- SHA1: d6c01ef92834da8a376b555eb9f6da469d3515fc
- SHA256: b16c4aa0a8ec4b2fc3c6f5323a3bb35f9c4d26c97aeaff4aa874507ffb3339e3
- SHA512: 4064cce0cdc088b0e9611182e9a4e7d02fc01531498743458024ed40de78af6e9b827a14284627b9c33111e8bf5347e6378426b27a1c989fd8c90f294bdb1af9
- Score: 10/10
Malware Config
Signatures

- BitRAT Payload (3 IoCs)
  resource | yara_rule
  behavioral1/memory/2004-66-0x0000000000689FA7-mapping.dmp | family_bitrat
  behavioral1/memory/2004-65-0x0000000000400000-0x00000000007CE000-memory.dmp | family_bitrat
  behavioral1/memory/2004-68-0x0000000000400000-0x00000000007CE000-memory.dmp | family_bitrat

- Adds Run key to start application (2 TTPs, 1 IoCs)
  Process: PaymentSwift copy.exe
  description | ioc | process
  Set value (str) | \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\okspeedwellxx = "\"C:\\Users\\Admin\\AppData\\Local\\okspeedwellxx.exe\"" | PaymentSwift copy.exe

- Suspicious use of NtSetInformationThreadHideFromDebugger (5 IoCs)
  Process: PaymentSwift copy.exe
  pid | process
  2004 | PaymentSwift copy.exe (5 identical entries)

- Suspicious use of SetThreadContext (1 IoCs)
  Process: PaymentSwift copy.exe
  description | pid | process | target process
  PID 2020 set thread context of 2004 | 2020 | PaymentSwift copy.exe | PaymentSwift copy.exe

- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Process: PaymentSwift copy.exe
  pid | process
  2020 | PaymentSwift copy.exe (2 identical entries)

- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Processes: PaymentSwift copy.exe, PaymentSwift copy.exe
  description | pid | process
  Token: SeDebugPrivilege | 2020 | PaymentSwift copy.exe
  Token: SeDebugPrivilege | 2004 | PaymentSwift copy.exe
  Token: SeShutdownPrivilege | 2004 | PaymentSwift copy.exe

- Suspicious use of SetWindowsHookEx (2 IoCs)
  Process: PaymentSwift copy.exe
  pid | process
  2004 | PaymentSwift copy.exe (2 identical entries)

- Suspicious use of WriteProcessMemory (12 IoCs)
  Process: PaymentSwift copy.exe
  description | pid | process | target process
  PID 2020 wrote to memory of 2004 | 2020 | PaymentSwift copy.exe | PaymentSwift copy.exe (12 identical entries)
Processes

- C:\Users\Admin\AppData\Local\Temp\PaymentSwift copy.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\PaymentSwift copy.exe"
  PID: 2020
  - Adds Run key to start application
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  - (child of PID 2020) C:\Users\Admin\AppData\Local\Temp\PaymentSwift copy.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\PaymentSwift copy.exe"
    PID: 2004
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v6
Downloads
- memory/2004-66-0x0000000000689FA7-mapping.dmp
- memory/2004-65-0x0000000000400000-0x00000000007CE000-memory.dmp (Filesize: 3.8MB)
- memory/2004-67-0x0000000076281000-0x0000000076283000-memory.dmp (Filesize: 8KB)
- memory/2004-68-0x0000000000400000-0x00000000007CE000-memory.dmp (Filesize: 3.8MB)
- memory/2020-60-0x0000000000DB0000-0x0000000000DB1000-memory.dmp (Filesize: 4KB)
- memory/2020-62-0x00000000003B0000-0x00000000003B2000-memory.dmp (Filesize: 8KB)
- memory/2020-63-0x0000000004BA0000-0x0000000004BA1000-memory.dmp (Filesize: 4KB)
- memory/2020-64-0x0000000000410000-0x000000000044C000-memory.dmp (Filesize: 240KB)