Analysis
max time kernel: 147s
max time network: 145s
platform: windows7_x64
resource: win7v20210408
submitted: 04-05-2021 07:01
Static task: static1
Behavioral task: behavioral1
Sample: SWIFT 00395_IMG.exe
Resource: win7v20210408
General
Target: SWIFT 00395_IMG.exe
Size: 13.4MB
MD5: f19e6012ff248b9b380bb420080258ce
SHA1: 317ee43a8116aae39f3de3279620ecff4ac05b2c
SHA256: 069a900aaa6ab5e4b9279cf5bd47e7123c37787f87ac58d6e64383685371ba52
SHA512: ad555d5a6bbd753825fba4a4665b4774d88f4011f3c7c6a2c0084fd40e59d66d2880b4a390cc8a172e51b67f8198d0fa481a981c916025f1642ace15c5ab1cdf
Malware Config
Extracted
Family: xloader
Version: 2.3
C2: http://www.seroungift.com/bbqo/
Signatures

Xloader Payload (2 IoCs)
Processes:
resource                                                                      yara_rule
behavioral1/memory/2028-64-0x0000000000400000-0x0000000000428000-memory.dmp   xloader
behavioral1/memory/2004-71-0x0000000000090000-0x00000000000B8000-memory.dmp   xloader
Loads dropped DLL (1 IoC)
Processes:
pid   process
1684  SWIFT 00395_IMG.exe
Suspicious use of SetThreadContext (3 IoCs)
Processes:
description                          pid   process              target process
PID 1684 set thread context of 2028  1684  SWIFT 00395_IMG.exe  svchost.exe
PID 2028 set thread context of 1228  2028  svchost.exe          Explorer.EXE
PID 2004 set thread context of 1228  2004  svchost.exe          Explorer.EXE
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Suspicious behavior: EnumeratesProcesses (30 IoCs)
Processes:
pid   process
2028  svchost.exe  (2 entries)
2004  svchost.exe  (28 entries)
Suspicious behavior: GetForegroundWindowSpam (1 IoC)
Processes:
pid   process
1228  Explorer.EXE
Suspicious behavior: MapViewOfSection (6 IoCs)
Processes:
pid   process
1684  SWIFT 00395_IMG.exe
2028  svchost.exe  (3 entries)
2004  svchost.exe  (2 entries)
Suspicious use of AdjustPrivilegeToken (2 IoCs)
Processes:
description               pid   process
Token: SeDebugPrivilege   2028  svchost.exe
Token: SeDebugPrivilege   2004  svchost.exe
Suspicious use of FindShellTrayWindow (4 IoCs)
Processes:
pid   process
1228  Explorer.EXE  (4 entries)
Suspicious use of SendNotifyMessage (4 IoCs)
Processes:
pid   process
1228  Explorer.EXE  (4 entries)
Suspicious use of WriteProcessMemory (13 IoCs)
Processes:
description                      pid   process              target process
PID 1684 wrote to memory of 2028  1684  SWIFT 00395_IMG.exe  svchost.exe   (5 entries)
PID 1228 wrote to memory of 2004  1228  Explorer.EXE         svchost.exe   (4 entries)
PID 2004 wrote to memory of 848   2004  svchost.exe          cmd.exe       (4 entries)
Processes

C:\Windows\Explorer.EXE (level 1)
  Command line: C:\Windows\Explorer.EXE
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID: 1228

  C:\Users\Admin\AppData\Local\Temp\SWIFT 00395_IMG.exe (level 2)
    Command line: "C:\Users\Admin\AppData\Local\Temp\SWIFT 00395_IMG.exe"
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory
    PID: 1684

    C:\Windows\SysWOW64\svchost.exe (level 3)
      Command line: "C:\Users\Admin\AppData\Local\Temp\SWIFT 00395_IMG.exe"
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken
      PID: 2028

  C:\Windows\SysWOW64\svchost.exe (level 2)
    Command line: "C:\Windows\SysWOW64\svchost.exe"
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID: 2004

    C:\Windows\SysWOW64\cmd.exe (level 3)
      Command line: /c del "C:\Windows\SysWOW64\svchost.exe"
      PID: 848
Network
MITRE ATT&CK Enterprise v6
Downloads

\Users\Admin\AppData\Local\Temp\nss7A02.tmp\3bypcf8qb.dll
  MD5: 71d2d0b499c40f82a6cdd1ecdc4df303
  SHA1: ae42e7a68b3affc5f56238fc46fb2faaad75b890
  SHA256: 0c3c61ba24bb070c77191b1134e337148ea90e9814083ffb84edf58ee497a2ef
  SHA512: c64e28ca27d98e99e1132f59aa2bc8141cd49ab6ece0b9bf0539eca059eef962923a4890355482f1d22aa5902ff4ceff0da6dc3737a10a9050dda582cdbff67e

memory/848-69-0x0000000000000000-mapping.dmp
memory/1228-67-0x0000000004220000-0x000000000430B000-memory.dmp  Filesize: 940KB
memory/1228-74-0x00000000067D0000-0x0000000006958000-memory.dmp  Filesize: 1.5MB
memory/1684-60-0x0000000075B31000-0x0000000075B33000-memory.dmp  Filesize: 8KB
memory/1684-62-0x0000000000340000-0x0000000000342000-memory.dmp  Filesize: 8KB
memory/2004-68-0x0000000000000000-mapping.dmp
memory/2004-70-0x0000000000080000-0x0000000000088000-memory.dmp  Filesize: 32KB
memory/2004-71-0x0000000000090000-0x00000000000B8000-memory.dmp  Filesize: 160KB
memory/2004-72-0x0000000000920000-0x0000000000C23000-memory.dmp  Filesize: 3.0MB
memory/2004-73-0x00000000004B0000-0x000000000053F000-memory.dmp  Filesize: 572KB
memory/2028-63-0x000000000041D040-mapping.dmp
memory/2028-65-0x0000000000AA0000-0x0000000000DA3000-memory.dmp  Filesize: 3.0MB
memory/2028-66-0x0000000000100000-0x0000000000110000-memory.dmp  Filesize: 64KB
memory/2028-64-0x0000000000400000-0x0000000000428000-memory.dmp  Filesize: 160KB