Analysis
- max time kernel: 148s
- max time network: 149s
- platform: windows10_x64
- resource: win10v20210408
- submitted: 19-04-2021 14:46
Static task: static1
Behavioral task: behavioral1
- Sample: PaymentSwift copy.exe
- Resource: win7v20210410 (windows7_x64)
- 0 signatures, 0 seconds
Behavioral task: behavioral2
- Sample: PaymentSwift copy.exe
- Resource: win10v20210408 (windows10_x64)
- 0 signatures, 0 seconds
General
- Target: PaymentSwift copy.exe
- Size: 3.4MB
- MD5: 83dd88ad8154ed07ee4bd902eb84eb2c
- SHA1: d6c01ef92834da8a376b555eb9f6da469d3515fc
- SHA256: b16c4aa0a8ec4b2fc3c6f5323a3bb35f9c4d26c97aeaff4aa874507ffb3339e3
- SHA512: 4064cce0cdc088b0e9611182e9a4e7d02fc01531498743458024ed40de78af6e9b827a14284627b9c33111e8bf5347e6378426b27a1c989fd8c90f294bdb1af9
- Score: 10/10
Malware Config
Signatures
- BitRAT Payload (3 IoCs)
  resource | yara_rule
  behavioral2/memory/2364-119-0x0000000000400000-0x00000000007CE000-memory.dmp | family_bitrat
  behavioral2/memory/2364-120-0x0000000000689FA7-mapping.dmp | family_bitrat
  behavioral2/memory/2364-121-0x0000000000400000-0x00000000007CE000-memory.dmp | family_bitrat
- Adds Run key to start application (2 TTPs, 1 IoC)
  description | ioc | process
  Set value (str) | \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\okspeedwellxx = "\"C:\\Users\\Admin\\AppData\\Local\\okspeedwellxx.exe\"" | PaymentSwift copy.exe
- Suspicious use of NtSetInformationThreadHideFromDebugger (5 IoCs)
  pid | process
  2364 | PaymentSwift copy.exe (5 identical entries)
- Suspicious use of SetThreadContext (1 IoC)
  description | pid | process | target process
  PID 624 set thread context of 2364 | 624 | PaymentSwift copy.exe | PaymentSwift copy.exe
- Suspicious behavior: EnumeratesProcesses (14 IoCs)
  pid | process
  624 | PaymentSwift copy.exe (14 identical entries)
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description | pid | process
  Token: SeDebugPrivilege | 624 | PaymentSwift copy.exe
  Token: SeShutdownPrivilege | 2364 | PaymentSwift copy.exe
- Suspicious use of SetWindowsHookEx (2 IoCs)
  pid | process
  2364 | PaymentSwift copy.exe (2 identical entries)
- Suspicious use of WriteProcessMemory (20 IoCs)
  description | pid | process | target process
  PID 624 wrote to memory of 2164 | 624 | PaymentSwift copy.exe | PaymentSwift copy.exe (3 entries)
  PID 624 wrote to memory of 1376 | 624 | PaymentSwift copy.exe | PaymentSwift copy.exe (3 entries)
  PID 624 wrote to memory of 3032 | 624 | PaymentSwift copy.exe | PaymentSwift copy.exe (3 entries)
  PID 624 wrote to memory of 2364 | 624 | PaymentSwift copy.exe | PaymentSwift copy.exe (11 entries)
Processes
- C:\Users\Admin\AppData\Local\Temp\PaymentSwift copy.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\PaymentSwift copy.exe"
  PID: 624
  - Adds Run key to start application
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - Child: C:\Users\Admin\AppData\Local\Temp\PaymentSwift copy.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\PaymentSwift copy.exe"
    PID: 2164
  - Child: C:\Users\Admin\AppData\Local\Temp\PaymentSwift copy.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\PaymentSwift copy.exe"
    PID: 1376
  - Child: C:\Users\Admin\AppData\Local\Temp\PaymentSwift copy.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\PaymentSwift copy.exe"
    PID: 3032
  - Child: C:\Users\Admin\AppData\Local\Temp\PaymentSwift copy.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\PaymentSwift copy.exe"
    PID: 2364
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v6
Downloads
- memory/624-114-0x0000000000920000-0x0000000000921000-memory.dmp (Filesize: 4KB)
- memory/624-116-0x00000000017A0000-0x00000000017A2000-memory.dmp (Filesize: 8KB)
- memory/624-117-0x00000000056F0000-0x00000000056F1000-memory.dmp (Filesize: 4KB)
- memory/624-118-0x0000000005610000-0x000000000564C000-memory.dmp (Filesize: 240KB)
- memory/2364-119-0x0000000000400000-0x00000000007CE000-memory.dmp (Filesize: 3.8MB)
- memory/2364-120-0x0000000000689FA7-mapping.dmp
- memory/2364-121-0x0000000000400000-0x00000000007CE000-memory.dmp (Filesize: 3.8MB)