Analysis
- max time kernel: 150s
- max time network: 149s
- platform: windows10_x64
- resource: win10v20210410
- submitted: 04-05-2021 07:01

Static task: static1
Behavioral task: behavioral1
Sample: SWIFT 00395_IMG.exe
Resource: win7v20210408
General
- Target: SWIFT 00395_IMG.exe
- Size: 13.4MB
- MD5: f19e6012ff248b9b380bb420080258ce
- SHA1: 317ee43a8116aae39f3de3279620ecff4ac05b2c
- SHA256: 069a900aaa6ab5e4b9279cf5bd47e7123c37787f87ac58d6e64383685371ba52
- SHA512: ad555d5a6bbd753825fba4a4665b4774d88f4011f3c7c6a2c0084fd40e59d66d2880b4a390cc8a172e51b67f8198d0fa481a981c916025f1642ace15c5ab1cdf
Malware Config
Extracted
xloader
2.3
http://www.seroungift.com/bbqo/
theinfluenstar.com
1800quilts.com
sonsuz-muzik.com
manilowsmodems.com
amwajcare.com
eam.email
cscosmos.com
tierraovens.com
goimtv.com
checks4d.com
beijig.com
szzyhjj.com
huanchunjx.com
catqq.one
vendasuascartas.com
cannatends.com
cytotecobatpenggugur.com
centralvalleypartners4youth.com
entreforma.com
azhathai.com
crickescore.com
thebestcoffeeshops.com
melacane.com
sunrisemoving.net
hauck-aufhauser.com
katiacontrerash.com
lavi3dscans.com
senmec23.com
photographerleadmachine.com
snowtreeendeavor.com
autosbencar.com
epoform.com
kissdstudio.com
bestdamnseamoss.com
ksdfp-zvhn.xyz
cabletvlasvegas.com
xiangyuwenhua.com
angiesgourmet.com
centerplans.com
xyl.finance
vivilhavemorgenmadnu.com
jaynefgulbin.com
californiahiker.com
hausofzou.com
velocischooner.com
boxj66.com
theboundless.life
backroadinc.com
diemapp.com
whatismychinesename.com
sebags.com
stick.plus
crwebtech.com
famefabulous.com
pubgsetpharaoh.com
northernbackflow.com
goportjitney.com
warzonetracker.net
homesteaddigestemail.com
carboncuriosity.com
sunnahaid.com
makeoverfurn.com
captisimaginem.com
puzed.net
Signatures
-
Xloader Payload (2 IoCs)
Processes:
  resource                                                                        yara_rule
  behavioral2/memory/2700-119-0x0000000000400000-0x0000000000428000-memory.dmp   xloader
  behavioral2/memory/204-126-0x0000000002F20000-0x0000000002F48000-memory.dmp    xloader
-
Loads dropped DLL (1 IoCs)
Processes:
  pid   process
  2752  SWIFT 00395_IMG.exe
-
Suspicious use of SetThreadContext (3 IoCs)
Processes:
  description                           pid   process              target process
  PID 2752 set thread context of 2700   2752  SWIFT 00395_IMG.exe  svchost.exe
  PID 2700 set thread context of 3040   2700  svchost.exe          Explorer.EXE
  PID 204 set thread context of 3040    204   explorer.exe         Explorer.EXE
-
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious behavior: EnumeratesProcesses (62 IoCs)
Processes (repeated rows collapsed; 62 entries in total):
  pid   process       entries
  2700  svchost.exe   4
  204   explorer.exe  58
-
Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
Processes:
  pid   process
  3040  Explorer.EXE
-
Suspicious behavior: MapViewOfSection (6 IoCs)
Processes (repeated rows collapsed; 6 entries in total):
  pid   process              entries
  2752  SWIFT 00395_IMG.exe  1
  2700  svchost.exe          3
  204   explorer.exe         2
-
Suspicious use of AdjustPrivilegeToken (2 IoCs)
Processes:
  description               pid   process
  Token: SeDebugPrivilege   2700  svchost.exe
  Token: SeDebugPrivilege   204   explorer.exe
-
Suspicious use of UnmapMainImage (1 IoCs)
Processes:
  pid   process
  3040  Explorer.EXE
-
Suspicious use of WriteProcessMemory (10 IoCs)
Processes (repeated rows collapsed; 10 entries in total):
  description                        pid   process              target process  entries
  PID 2752 wrote to memory of 2700   2752  SWIFT 00395_IMG.exe  svchost.exe     4
  PID 3040 wrote to memory of 204    3040  Explorer.EXE         explorer.exe    3
  PID 204 wrote to memory of 680     204   explorer.exe         cmd.exe         3
Processes (indented by depth in the process tree)
- C:\Windows\Explorer.EXE
  Command line: C:\Windows\Explorer.EXE
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\SWIFT 00395_IMG.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\SWIFT 00395_IMG.exe"
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\svchost.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\SWIFT 00395_IMG.exe"
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\explorer.exe
    Command line: "C:\Windows\SysWOW64\explorer.exe"
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\cmd.exe
      Command line: /c del "C:\Windows\SysWOW64\svchost.exe"
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- \Users\Admin\AppData\Local\Temp\nsh26C9.tmp\3bypcf8qb.dll
  MD5: 71d2d0b499c40f82a6cdd1ecdc4df303
  SHA1: ae42e7a68b3affc5f56238fc46fb2faaad75b890
  SHA256: 0c3c61ba24bb070c77191b1134e337148ea90e9814083ffb84edf58ee497a2ef
  SHA512: c64e28ca27d98e99e1132f59aa2bc8141cd49ab6ece0b9bf0539eca059eef962923a4890355482f1d22aa5902ff4ceff0da6dc3737a10a9050dda582cdbff67e
- memory/204-123-0x0000000000000000-mapping.dmp
- memory/204-128-0x0000000004790000-0x000000000481F000-memory.dmp
  Filesize: 572KB
- memory/204-127-0x00000000048A0000-0x0000000004BC0000-memory.dmp
  Filesize: 3.1MB
- memory/204-125-0x00000000009E0000-0x0000000000E1F000-memory.dmp
  Filesize: 4.2MB
- memory/204-126-0x0000000002F20000-0x0000000002F48000-memory.dmp
  Filesize: 160KB
- memory/680-124-0x0000000000000000-mapping.dmp
- memory/2700-119-0x0000000000400000-0x0000000000428000-memory.dmp
  Filesize: 160KB
- memory/2700-121-0x0000000002DF0000-0x0000000002E00000-memory.dmp
  Filesize: 64KB
- memory/2700-120-0x0000000003820000-0x0000000003B40000-memory.dmp
  Filesize: 3.1MB
- memory/2700-116-0x000000000041D040-mapping.dmp
- memory/2752-115-0x0000000002170000-0x0000000002172000-memory.dmp
  Filesize: 8KB
- memory/3040-122-0x00000000057D0000-0x00000000058B3000-memory.dmp
  Filesize: 908KB
- memory/3040-129-0x00000000058C0000-0x0000000005A1B000-memory.dmp
  Filesize: 1.4MB