Analysis
Max time kernel: 150s
Max time network: 146s
Platform: windows10_x64
Resource: win10v20210410
Submitted: 04-05-2021 06:47
Static task: static1
Behavioral task: behavioral1
Sample: SWIFT 00395_IMG.exe
Resource: win7v20210408
General
Target: SWIFT 00395_IMG.exe
Size: 13.4MB
MD5: f19e6012ff248b9b380bb420080258ce
SHA1: 317ee43a8116aae39f3de3279620ecff4ac05b2c
SHA256: 069a900aaa6ab5e4b9279cf5bd47e7123c37787f87ac58d6e64383685371ba52
SHA512: ad555d5a6bbd753825fba4a4665b4774d88f4011f3c7c6a2c0084fd40e59d66d2880b4a390cc8a172e51b67f8198d0fa481a981c916025f1642ace15c5ab1cdf
Malware Config
Extracted
Family: xloader
Version: 2.3
C2: http://www.seroungift.com/bbqo/
Signatures

Xloader Payload (1 IoC)
Processes:
  resource: behavioral2/memory/2680-127-0x0000000002D70000-0x0000000002D98000-memory.dmp, yara_rule: xloader

Loads dropped DLL (1 IoC)
Processes:
  PID 3176 SWIFT 00395_IMG.exe

Suspicious use of SetThreadContext (4 IoCs)
Processes (pid / process -> target process):
  PID 3176 (SWIFT 00395_IMG.exe) set thread context of PID 356 (svchost.exe)
  PID 356 (svchost.exe) set thread context of PID 2716 (Explorer.EXE)
  PID 356 (svchost.exe) set thread context of PID 2716 (Explorer.EXE)
  PID 2680 (wscript.exe) set thread context of PID 2716 (Explorer.EXE)

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Suspicious behavior: EnumeratesProcesses (60 IoCs)
Processes:
  PID 356 svchost.exe (6 entries)
  PID 2680 wscript.exe (54 entries)

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
Processes:
  PID 2716 Explorer.EXE

Suspicious behavior: MapViewOfSection (8 IoCs)
Processes:
  PID 3176 SWIFT 00395_IMG.exe (2 entries)
  PID 356 svchost.exe (4 entries)
  PID 2680 wscript.exe (2 entries)

Suspicious use of AdjustPrivilegeToken (6 IoCs)
Processes (token / pid / process):
  Token: SeDebugPrivilege, PID 356 svchost.exe
  Token: SeShutdownPrivilege, PID 2716 Explorer.EXE
  Token: SeCreatePagefilePrivilege, PID 2716 Explorer.EXE
  Token: SeShutdownPrivilege, PID 2716 Explorer.EXE
  Token: SeCreatePagefilePrivilege, PID 2716 Explorer.EXE
  Token: SeDebugPrivilege, PID 2680 wscript.exe

Suspicious use of UnmapMainImage (1 IoC)
Processes:
  PID 2716 Explorer.EXE

Suspicious use of WriteProcessMemory (10 IoCs)
Processes (pid / process -> target process):
  PID 3176 (SWIFT 00395_IMG.exe) wrote to memory of PID 356 (svchost.exe)  (4 entries)
  PID 356 (svchost.exe) wrote to memory of PID 2680 (wscript.exe)  (3 entries)
  PID 2680 (wscript.exe) wrote to memory of PID 4092 (cmd.exe)  (3 entries)
Processes

C:\Windows\Explorer.EXE  (depth 1, PID 2716)
  Command line: C:\Windows\Explorer.EXE
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of UnmapMainImage

  C:\Users\Admin\AppData\Local\Temp\SWIFT 00395_IMG.exe  (depth 2, PID 3176)
    Command line: "C:\Users\Admin\AppData\Local\Temp\SWIFT 00395_IMG.exe"
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\svchost.exe  (depth 3, PID 356)
      Command line: "C:\Users\Admin\AppData\Local\Temp\SWIFT 00395_IMG.exe"
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory

      C:\Windows\SysWOW64\wscript.exe  (depth 4, PID 2680)
        Command line: "C:\Windows\SysWOW64\wscript.exe"
        - Suspicious use of SetThreadContext
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: MapViewOfSection
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\cmd.exe  (depth 5, PID 4092)
          Command line: /c del "C:\Windows\SysWOW64\svchost.exe"
Network
MITRE ATT&CK Enterprise v6
Downloads

\Users\Admin\AppData\Local\Temp\nsiE02.tmp\3bypcf8qb.dll
  MD5: 71d2d0b499c40f82a6cdd1ecdc4df303
  SHA1: ae42e7a68b3affc5f56238fc46fb2faaad75b890
  SHA256: 0c3c61ba24bb070c77191b1134e337148ea90e9814083ffb84edf58ee497a2ef
  SHA512: c64e28ca27d98e99e1132f59aa2bc8141cd49ab6ece0b9bf0539eca059eef962923a4890355482f1d22aa5902ff4ceff0da6dc3737a10a9050dda582cdbff67e

memory/356-122-0x0000000002700000-0x000000000284A000-memory.dmp
  Filesize: 1.3MB

memory/356-116-0x000000000024D040-mapping.dmp

memory/356-119-0x0000000002E20000-0x0000000003140000-memory.dmp
  Filesize: 3.1MB

memory/356-120-0x0000000002700000-0x000000000284A000-memory.dmp
  Filesize: 1.3MB

memory/2680-126-0x00000000003D0000-0x00000000003F7000-memory.dmp
  Filesize: 156KB

memory/2680-124-0x0000000000000000-mapping.dmp

memory/2680-127-0x0000000002D70000-0x0000000002D98000-memory.dmp
  Filesize: 160KB

memory/2680-128-0x0000000004A70000-0x0000000004D90000-memory.dmp
  Filesize: 3.1MB

memory/2680-129-0x00000000047D0000-0x000000000485F000-memory.dmp
  Filesize: 572KB

memory/2716-123-0x0000000005FE0000-0x000000000612D000-memory.dmp
  Filesize: 1.3MB

memory/2716-121-0x0000000002CA0000-0x0000000002D70000-memory.dmp
  Filesize: 832KB

memory/2716-130-0x0000000002A70000-0x0000000002B41000-memory.dmp
  Filesize: 836KB

memory/3176-115-0x0000000002230000-0x0000000002253000-memory.dmp
  Filesize: 140KB

memory/4092-125-0x0000000000000000-mapping.dmp