Analysis
- max time kernel: 597s
- max time network: 582s
- platform: windows7_x64
- resource: win7-en-20210920
- submitted: 27-09-2021 03:06
Static task: static1
Behavioral task: behavioral1
- Sample: swift_copy_MT103_pdf.exe
- Resource: win7-en-20210920
General
- Target: swift_copy_MT103_pdf.exe
- Size: 501KB
- MD5: 1c620763897a2166e17aab168bcf0d09
- SHA1: 5d3d29ab6ec3f5e4d80f188d15a97002347ea6de
- SHA256: 98cd8d900722c5903311d5c8e6a64333fa8bcda553cef3c872ba54a74c6ee47e
- SHA512: a631295724d1896dba791db58d2d370bf1330ab57f328253294025f5695da05b7c3ec94192e48421a0c7d19899d9e3bed5aa96f61564d6183fb6857e4bf61077
Malware Config
Extracted
Family: xloader
Version: 2.3
Campaign: conv
C2: http://www.7stepsmeal.com/conv/
Decoy domains:
hydrusgraphene.com
eastwindshomes.com
f1-holding.com
tomrings.com
nickysclosetnest.com
eckare88.com
southboundsupplies.com
asilar.net
ludiali.com
sarahasmussen.com
terreetmerphotography.com
tesserlink.com
xayxcq.com
jobforage.com
76leads.com
onyamarx.com
sandrinafloral.com
a5y7tvmr4.xyz
greatdanesuk.com
superbartendergigs.store
boca-azul.com
bullishsoftware.com
sarahsvirtualofficeteam.com
marketplacestuff.com
simphonya.com
jndzqp.com
testpcrcovid.com
iebcde.com
lfcaihua.com
calvalleysales.com
dunlapandmagee.com
carteddy.com
thelodgepotenza.com
ghoomakadh.com
electrifyitall.com
differentfm.com
ossengeconsulting.com
unisoftwaremarket.com
anhtens.com
anshangbao.com
aerie.sucks
iiotech.xyz
dawnbreakers-guild.com
operatechno.com
palacedepleasure.com
ronaldcraig.com
bangtou123.com
buildtocure.net
portaldoctortv.com
netblocks.exposed
vaiga.pro
serenitypieces.com
redefineyourwork.com
8961599.com
2meducate.com
metalandtubeimpex.com
reviewpayee.com
shopsmallbus.com
shinelogisticsllc.com
silverspiralshop.com
een.xyz
yixinliu.com
recyclewahine.com
gilltales.com
Signatures
- suricata: ET MALWARE FormBook CnC Checkin (GET)
- suricata: ET MALWARE FormBook CnC Checkin (GET)
- Xloader Payload (3 IoCs)
  Resource: YARA rule
  behavioral1/memory/732-60-0x0000000000400000-0x0000000000428000-memory.dmp: xloader
  behavioral1/memory/732-61-0x000000000041CFA0-mapping.dmp: xloader
  behavioral1/memory/800-67-0x0000000000080000-0x00000000000A8000-memory.dmp: xloader
- Deletes itself (1 IoC)
  Process: 1632 cmd.exe
- Suspicious use of SetThreadContext (3 IoCs)
  PID 1756 swift_copy_MT103_pdf.exe set thread context of 732 swift_copy_MT103_pdf.exe
  PID 732 swift_copy_MT103_pdf.exe set thread context of 1204 Explorer.EXE
  PID 800 help.exe set thread context of 1204 Explorer.EXE
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  Processes: 732 swift_copy_MT103_pdf.exe (2 hits), 800 help.exe (62 hits)
- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  Process: 1204 Explorer.EXE
- Suspicious behavior: MapViewOfSection (5 IoCs)
  Processes: 732 swift_copy_MT103_pdf.exe (3 hits), 800 help.exe (2 hits)
- Suspicious use of AdjustPrivilegeToken (4 IoCs)
  Token SeDebugPrivilege: 732 swift_copy_MT103_pdf.exe
  Token SeDebugPrivilege: 800 help.exe
  Token SeShutdownPrivilege: 1204 Explorer.EXE (2 hits)
- Suspicious use of FindShellTrayWindow (2 IoCs)
  Process: 1204 Explorer.EXE (2 hits)
- Suspicious use of SendNotifyMessage (2 IoCs)
  Process: 1204 Explorer.EXE (2 hits)
- Suspicious use of WriteProcessMemory (15 IoCs)
  PID 1756 swift_copy_MT103_pdf.exe wrote to memory of 732 swift_copy_MT103_pdf.exe (7 hits)
  PID 1204 Explorer.EXE wrote to memory of 800 help.exe (4 hits)
  PID 800 help.exe wrote to memory of 1632 cmd.exe (4 hits)
Processes
- C:\Windows\Explorer.EXE (depth 1)
  Command line: C:\Windows\Explorer.EXE
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\swift_copy_MT103_pdf.exe (depth 2)
    Command line: "C:\Users\Admin\AppData\Local\Temp\swift_copy_MT103_pdf.exe"
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\swift_copy_MT103_pdf.exe (depth 3)
      Command line: "C:\Users\Admin\AppData\Local\Temp\swift_copy_MT103_pdf.exe"
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\help.exe (depth 2)
    Command line: "C:\Windows\SysWOW64\help.exe"
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\cmd.exe (depth 3)
      Command line: /c del "C:\Users\Admin\AppData\Local\Temp\swift_copy_MT103_pdf.exe"
      - Deletes itself
Downloads
- memory/732-60-0x0000000000400000-0x0000000000428000-memory.dmp (Filesize: 160KB)
- memory/732-63-0x0000000000120000-0x0000000000130000-memory.dmp (Filesize: 64KB)
- memory/732-62-0x0000000000990000-0x0000000000C93000-memory.dmp (Filesize: 3.0MB)
- memory/732-61-0x000000000041CFA0-mapping.dmp
- memory/800-67-0x0000000000080000-0x00000000000A8000-memory.dmp (Filesize: 160KB)
- memory/800-65-0x0000000000000000-mapping.dmp
- memory/800-66-0x0000000000D20000-0x0000000000D26000-memory.dmp (Filesize: 24KB)
- memory/800-69-0x0000000000720000-0x0000000000A23000-memory.dmp (Filesize: 3.0MB)
- memory/800-70-0x00000000004E0000-0x000000000056F000-memory.dmp (Filesize: 572KB)
- memory/1204-64-0x0000000003F00000-0x0000000003FF6000-memory.dmp (Filesize: 984KB)
- memory/1204-71-0x0000000006180000-0x00000000062AF000-memory.dmp (Filesize: 1.2MB)
- memory/1632-68-0x0000000000000000-mapping.dmp
- memory/1756-59-0x0000000000D30000-0x0000000000D5E000-memory.dmp (Filesize: 184KB)
- memory/1756-58-0x00000000050E0000-0x0000000005145000-memory.dmp (Filesize: 404KB)
- memory/1756-57-0x00000000005C0000-0x00000000005C7000-memory.dmp (Filesize: 28KB)
- memory/1756-56-0x0000000004900000-0x0000000004901000-memory.dmp (Filesize: 4KB)
- memory/1756-54-0x0000000000D70000-0x0000000000D71000-memory.dmp (Filesize: 4KB)