Analysis

- Max time kernel: 300s
- Max time network: 302s
- Platform: windows10_x64
- Resource: win10-en-20211014
- Submitted: 21-10-2021 00:26

Tasks
- Static task: static1
- Behavioral task: behavioral1 (Sample: Swift copy.exe, Resource: win7-en-20210920)

The signature, process and memory-dump listings below come from the behavioral2 run (windows10_x64, win10-en-20211014), as the behavioral2/memory/... paths in the YARA hits show; the win7 task is listed in the header but its results are not on this page.
General

- Target: Swift copy.exe
- Size: 375KB
- MD5: 480c3e5e116382f76da67e92b0c06b5d
- SHA1: 77e95fea7b8afcce773e8c3592e199c71dd03172
- SHA256: 2c78fa1d90fe76c14f0a642af43c560875054e342bbb144aa9ff8f0fdbb0670f
- SHA512: 5798198704ff3b3db9d7f4037db9c4b6315faa77c2f330e70fc68c081ff9c96e7753d6ab871e4024b8d630649bbd682816fd96d4c6766164839be6b4431d985c
Malware Config

Extracted
- Family: xloader
- Version: 2.5
- Campaign: snec
- C2: http://www.go2payme.com/snec/
- Decoy domains (64 hosts carried in the config next to the real C2; the family contacts them alongside go2payme.com so that the true server does not stand out in traffic):
sacramentoscoop.com
auroraeqp.com
ontactfactory.com
abenakigroup.com
xander-tech.com
cocaineislegal.com
carbondouze.com
louisvilleestatelawyer.com
sundaytejero.quest
arti-faqs.com
thisandthat.store
biodyne-el-salvador.com
18504seheritageoakslane.com
mfialias.xyz
whitestoneclo.com
6288117.com
oficiosuy.com
autogift.xyz
wallbabyshell.com
chaletlabaie.com
yy88kk.com
thepositiveenergycompany.com
personalexpressofertachegou.com
theoldplayground.com
aireapartmentsmsp.com
layfflj.com
xn--hss-s83bwm.com
tutoeasy.com
maintrove.com
changereferral.com
peanutl.com
portolaenterprise.com
vanscn.net
2wawaw16.me
gosatya.com
velocityphase.com
aprenda-sg-sst.com
dickinsonoutfitters.com
toptelecast-toreadtoday.info
argana.store
tagachiweb.com
bokepindoviral.com
nu865ci.com
thestogiestore.com
managexxxxx.com
japanskirt.com
leilaniheritage.com
m7chi.net
afjewelryaz.com
aset.guide
hx-banjin.com
foqenoa.store
kolkataescort.xyz
worldcrgenius.biz
stockandberry.com
ash-tag.com
orchestrated.design
point4sales.com
sattaking-delhiborder06.xyz
clear-rails.com
dentalpnid.com
ezekielgroup.com
17804maritimepoint101.com
qldrfb.com
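The extracted config is the most useful artefact on this page for a network defender: one real C2 URL and a list of decoy hosts that the implant also talks to. The following is an added example, not part of the sandbox report or of any vendor tooling: it turns the config block above into indicators and classifies constructed proxy log lines with them. Config values are copied from the page (only the first five of the 64 decoys are embedded); the log lines are made up. One assumption comes from documented FormBook/XLoader behaviour rather than from this page: the implant beacons to its decoy hosts on the same campaign path ("/snec/") as the real C2, so that path on a decoy host is implant traffic even though the host itself is a legitimate site, while ordinary browsing to a decoy host is not.

```python
"""Network indicators from the extracted XLoader config, applied to proxy logs.

Added example, not part of the sandbox report. Config values are copied from
the report; SAMPLE_LOG is constructed. Assumed family behaviour (documented
for FormBook/XLoader, not shown on the page): decoy hosts are beaconed on the
same campaign path as the real C2.
"""
import re
from urllib.parse import urlsplit

CONFIG = {
    "family": "xloader",
    "version": "2.5",
    "campaign": "snec",
    "c2": "http://www.go2payme.com/snec/",
    "decoys": [  # first five of the 64 decoy hosts in the report
        "sacramentoscoop.com",
        "auroraeqp.com",
        "ontactfactory.com",
        "abenakigroup.com",
        "xander-tech.com",
    ],
}


def normalise_host(host):
    """Lower-case, drop a trailing dot and a leading 'www.' so config hosts
    and logged hosts compare equal."""
    host = (host or "").lower().rstrip(".")
    return host[4:] if host.startswith("www.") else host


def build_indicators(cfg):
    c2 = urlsplit(cfg["c2"])
    return {
        "c2_host": normalise_host(c2.hostname),
        "campaign_path": c2.path,  # "/snec/"
        "decoy_hosts": {normalise_host(d) for d in cfg["decoys"]},
    }


# Constructed log format: "<timestamp> <client_ip> <method> <url> <status>"
LOG_RE = re.compile(r"^(\S+) (\S+) (GET|POST) (\S+) (\d{3})$")


def classify(line, ind):
    """Return (severity, reason, client, host) or None for a benign line."""
    m = LOG_RE.match(line)
    if not m:
        return None
    _ts, client, _method, url, _status = m.groups()
    u = urlsplit(url)
    host = normalise_host(u.hostname)
    on_campaign_path = u.path.startswith(ind["campaign_path"])
    if host == ind["c2_host"]:
        if on_campaign_path:
            return ("high", "xloader C2 check-in", client, host)
        return ("medium", "contact with xloader C2 host", client, host)
    if host in ind["decoy_hosts"] and on_campaign_path:
        return ("high", "xloader beacon to decoy host on campaign path", client, host)
    return None  # unrelated traffic, or ordinary browsing to a decoy host


def scan(lines, cfg=CONFIG):
    ind = build_indicators(cfg)
    return [hit for hit in (classify(line, ind) for line in lines) if hit]


# Constructed sample traffic: one infected client (10.0.0.12) and one clean one.
SAMPLE_LOG = [
    "2021-10-21T00:27:01Z 10.0.0.12 GET http://www.go2payme.com/snec/?kx=AbC 200",
    "2021-10-21T00:27:02Z 10.0.0.12 GET http://www.sacramentoscoop.com/snec/?kx=AbC 404",
    "2021-10-21T00:27:03Z 10.0.0.12 GET http://www.auroraeqp.com/index.html 200",
    "2021-10-21T00:27:04Z 10.0.0.13 GET http://example.com/ 200",
    "2021-10-21T00:27:05Z 10.0.0.12 POST http://www.go2payme.com/snec/ 200",
    "2021-10-21T00:27:06Z 10.0.0.12 GET http://go2payme.com/ 200",
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```

Running `scan(SAMPLE_LOG)` flags the GET and POST check-ins to go2payme.com and the GET to sacramentoscoop.com under /snec/, rates the bare request to go2payme.com as medium, and leaves the plain page fetch from auroraeqp.com alone: blocking the decoy hosts outright would break legitimate sites, so the path is what separates implant traffic from browsing.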
Signatures

- suricata: ET MALWARE FormBook CnC Checkin (GET)
- suricata: ET MALWARE FormBook CnC Checkin (POST) M2

XLoader is the renamed successor of FormBook and the Emerging Threats rules keep the older name; both the GET and the POST check-in patterns fired during the run.
Xloader Payload (3 IoCs)
Resource | YARA rule
behavioral2/memory/1920-124-0x0000000000400000-0x0000000000429000-memory.dmp | xloader
behavioral2/memory/1920-125-0x000000000041D460-mapping.dmp | xloader
behavioral2/memory/588-132-0x0000000002C00000-0x0000000002C29000-memory.dmp | xloader
The rule hits on the image of the hollowed child copy of Swift copy.exe (PID 1920, at the default image base 0x400000) and on a region of the same size (0x29000 bytes, 164KB) at a non-image address inside mstsc.exe (PID 588): the same payload, copied into a second host process.

Executes dropped EXE (1 IoC)
PID | Process
1328 | bbxczlt.exe

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Adds Run key to start application (2 TTPs, 2 IoCs)
Description | IoC | Process
Key created | \Registry\Machine\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run | mstsc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\TVVHHBMXCN = "C:\\Program Files (x86)\\U_brtedw8\\bbxczlt.exe" | mstsc.exe
The value is written from the 32-bit mstsc.exe (SysWOW64), hence the WOW6432Node redirection; this is the machine-wide HKLM Run key, not the per-user one, so the sample ran with rights to write HKLM and the dropped copy starts for every user at logon.

Suspicious use of SetThreadContext (3 IoCs)
Source PID | Source process | Target PID | Target process
3284 | Swift copy.exe | 1920 | Swift copy.exe
1920 | Swift copy.exe | 2800 | Explorer.EXE
588 | mstsc.exe | 2800 | Explorer.EXE

Drops file in Program Files directory (4 IoCs)
Description | IoC | Process
File opened for modification | C:\Program Files (x86)\U_brtedw8 | Explorer.EXE
File created | C:\Program Files (x86)\U_brtedw8\bbxczlt.exe | Explorer.EXE
File opened for modification | C:\Program Files (x86)\U_brtedw8\bbxczlt.exe | Explorer.EXE
File opened for modification | C:\Program Files (x86)\U_brtedw8\bbxczlt.exe | mstsc.exe

Modifies Internet Explorer settings (1 IoC; heading taken from the process tree, where the extraction lost it)
Description | IoC | Process
Key created | \Registry\User\S-1-5-21-941723256-3451054534-3089625102-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2 | mstsc.exe
IntelliForms\Storage2 is where Internet Explorer keeps autocomplete credentials, so this belongs with the browser-data signature above and with the cmd.exe copy of the Chrome "Login Data" database in the process tree: the same credential-harvesting step, one store per browser.
Suspicious behavior: EnumeratesProcesses (64 IoCs)
PID | Process | Occurrences
1920 | Swift copy.exe | 4
588 | mstsc.exe | 60

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
PID | Process
2800 | Explorer.EXE

Suspicious behavior: MapViewOfSection (7 IoCs)
PID | Process | Occurrences
1920 | Swift copy.exe | 3
588 | mstsc.exe | 4

Suspicious use of AdjustPrivilegeToken (4 IoCs)
Privilege | PID | Process
SeDebugPrivilege | 1920 | Swift copy.exe
SeDebugPrivilege | 588 | mstsc.exe
SeShutdownPrivilege | 2800 | Explorer.EXE
SeCreatePagefilePrivilege | 2800 | Explorer.EXE

Suspicious use of WriteProcessMemory (21 IoCs)
Source PID | Source process | Target PID | Target process | Occurrences
3284 | Swift copy.exe | 1920 | Swift copy.exe | 6
2800 | Explorer.EXE | 588 | mstsc.exe | 3
588 | mstsc.exe | 2864 | cmd.exe | 3
588 | mstsc.exe | 2780 | cmd.exe | 3
588 | mstsc.exe | 1340 | Firefox.exe | 3
2800 | Explorer.EXE | 1328 | bbxczlt.exe | 3
Processes
PIDs are taken from the signature tables above. The two cmd.exe instances are PIDs 2864 and 2780; the tables do not say which of them ran which command.

C:\Windows\Explorer.EXE  (PID 2800)
  Command line: C:\Windows\Explorer.EXE
  - Drops file in Program Files directory
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\Swift copy.exe  (PID 3284)
    Command line: "C:\Users\Admin\AppData\Local\Temp\Swift copy.exe"
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\Swift copy.exe  (PID 1920)
      Command line: "C:\Users\Admin\AppData\Local\Temp\Swift copy.exe"
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken

  C:\Windows\SysWOW64\mstsc.exe  (PID 588)
    Command line: "C:\Windows\SysWOW64\mstsc.exe"
    - Adds Run key to start application
    - Suspicious use of SetThreadContext
    - Drops file in Program Files directory
    - Modifies Internet Explorer settings
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\cmd.exe
      Command line: /c del "C:\Users\Admin\AppData\Local\Temp\Swift copy.exe"

    C:\Windows\SysWOW64\cmd.exe
      Command line: /c copy "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Login Data" "C:\Users\Admin\AppData\Local\Temp\DB1" /V

    C:\Program Files\Mozilla Firefox\Firefox.exe  (PID 1340)
      Command line: "C:\Program Files\Mozilla Firefox\Firefox.exe"

  C:\Program Files (x86)\U_brtedw8\bbxczlt.exe  (PID 1328)
    Command line: "C:\Program Files (x86)\U_brtedw8\bbxczlt.exe"
    - Executes dropped EXE

Read together with the SetThreadContext and WriteProcessMemory tables, the tree is the usual XLoader chain: the dropper (3284) starts a suspended copy of itself and hollows it (1920); that copy injects into Explorer.EXE (2800); the injected code in Explorer launches the 32-bit mstsc.exe (588) and writes the payload into it; mstsc.exe does the work that attributes to it above (copies Chrome's Login Data to %TEMP%\DB1 via cmd.exe, touches the IE IntelliForms store, starts Firefox and writes into its memory, deletes the original Swift copy.exe via cmd.exe, and sets the HKLM Run key), while Explorer writes the persistence copy bbxczlt.exe under Program Files (x86) and starts it (1328). That is why mstsc.exe and bbxczlt.exe appear as children of Explorer rather than of the sample: the parent-child relation was broken on purpose at the injection step.
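The chain above is what a host-side rule set has to catch after the process tree has been broken by injection. The block below is an added example, not part of the sandbox report: four small rules over constructed Sysmon-like events (process creation with pid, ppid, image and command line; one registry value-set event) that mirror the report. PIDs, paths, command lines and the Run-key value are copied from the page; which of the two cmd.exe PIDs (2864, 2780) ran which command, the field names, and the small allow-lists are this example's assumptions.

```python
"""Host-side rules for the XLoader behaviour chain in the process tree.
Added example, not from the sandbox report; events are constructed from it."""
import re
from collections import namedtuple

ProcEvent = namedtuple("ProcEvent", "pid ppid image cmdline")
RegEvent = namedtuple("RegEvent", "pid image key value data")

TMP = "C:\\Users\\Admin\\AppData\\Local\\Temp\\"
SAMPLE = TMP + "Swift copy.exe"
# Constructed from the report. Assumption: 2864 ran the del, 2780 the copy.
PROC_EVENTS = [
    ProcEvent(2800, 0, "C:\\Windows\\Explorer.EXE", "C:\\Windows\\Explorer.EXE"),
    ProcEvent(3284, 2800, SAMPLE, f'"{SAMPLE}"'),
    ProcEvent(1920, 3284, SAMPLE, f'"{SAMPLE}"'),
    ProcEvent(588, 2800, "C:\\Windows\\SysWOW64\\mstsc.exe", '"C:\\Windows\\SysWOW64\\mstsc.exe"'),
    ProcEvent(2864, 588, "C:\\Windows\\SysWOW64\\cmd.exe", f'/c del "{SAMPLE}"'),
    ProcEvent(2780, 588, "C:\\Windows\\SysWOW64\\cmd.exe",
              '/c copy "C:\\Users\\Admin\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login Data" '
              f'"{TMP}DB1" /V'),
    ProcEvent(1340, 588, "C:\\Program Files\\Mozilla Firefox\\Firefox.exe",
              '"C:\\Program Files\\Mozilla Firefox\\Firefox.exe"'),
    ProcEvent(1328, 2800, "C:\\Program Files (x86)\\U_brtedw8\\bbxczlt.exe",
              '"C:\\Program Files (x86)\\U_brtedw8\\bbxczlt.exe"'),
]
REG_EVENTS = [
    RegEvent(588, "C:\\Windows\\SysWOW64\\mstsc.exe",
             "HKLM\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Run",
             "TVVHHBMXCN", "C:\\Program Files (x86)\\U_brtedw8\\bbxczlt.exe"),
]

BROWSER_STORES = ("login data", "web data", "cookies", "logins.json", "key4.db")
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
SHELLS = {"cmd.exe", "powershell.exe"}  # may legitimately spawn cmd.exe (assumed allow-list)
RUN_KEY_WRITERS = {"explorer.exe", "msiexec.exe", "reg.exe", "regedit.exe"}  # assumed allow-list


def _name(image):
    return image.rsplit("\\", 1)[-1].lower()


def _cmd_verb(cmdline):
    """First token after 'cmd /c', lower-cased, or None."""
    m = re.search(r"/c\s+(\w+)", cmdline, re.I)
    return m.group(1).lower() if m else None


def detect_credential_copy(events):
    """cmd.exe copying a browser credential store somewhere else."""
    return [e.pid for e in events
            if _name(e.image) == "cmd.exe"
            and _cmd_verb(e.cmdline) in ("copy", "xcopy", "move")
            and any(s in e.cmdline.lower() for s in BROWSER_STORES)]


def detect_self_delete(events):
    """cmd /c del of an executable that already ran in this session: the
    dropper removing its own file after handing off to injected code. Matching
    on any earlier image, not only ancestors, is what survives the broken tree."""
    images = {e.image.lower() for e in events}
    hits = []
    for e in events:
        if _name(e.image) != "cmd.exe" or _cmd_verb(e.cmdline) != "del":
            continue
        m = re.search(r'\bdel\b\s+"?([^"]+?\.exe)"?', e.cmdline, re.I)
        if m and m.group(1).lower() in images:
            hits.append((e.pid, m.group(1)))
    return hits


def detect_lolbin_shell_child(events):
    """A Windows system binary started by Explorer that spawns cmd.exe.
    mstsc.exe has no reason to run a shell; here it hosts the injected stage."""
    by_pid = {e.pid: e for e in events}
    hits = []
    for e in events:
        if _name(e.image) != "cmd.exe":
            continue
        parent = by_pid.get(e.ppid)
        if not parent or not parent.image.lower().startswith(SYSTEM_DIRS):
            continue
        if _name(parent.image) in SHELLS:
            continue
        grandparent = by_pid.get(parent.ppid)
        if grandparent and _name(grandparent.image) == "explorer.exe":
            hits.append((parent.pid, _name(parent.image), e.pid))
    return hits


def detect_run_key_by_unexpected_writer(reg_events):
    """Run-key value set by something other than an installer or registry tool."""
    return [(r.value, r.data, _name(r.image)) for r in reg_events
            if r.key.lower().endswith("\\microsoft\\windows\\currentversion\\run")
            and _name(r.image) not in RUN_KEY_WRITERS]


def run_all(proc_events, reg_events):
    return {
        "credential_copy": detect_credential_copy(proc_events),
        "self_delete": detect_self_delete(proc_events),
        "lolbin_shell_child": detect_lolbin_shell_child(proc_events),
        "run_key": detect_run_key_by_unexpected_writer(reg_events),
    }
```

`run_all(PROC_EVENTS, REG_EVENTS)` fires all four rules on the constructed events: the Login Data copy, the deletion of Swift copy.exe by a cmd.exe that is not its descendant, mstsc.exe (a SysWOW64 binary under Explorer) spawning two shells, and the Run value written by mstsc.exe rather than an installer. The self-delete rule deliberately matches against every image seen in the session, because after the Explorer injection the deleting cmd.exe is no longer in the dropper's process lineage.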
MITRE ATT&CK Matrix ATT&CK v6
Downloads

- C:\Program Files (x86)\U_brtedw8\bbxczlt.exe
  MD5: 480c3e5e116382f76da67e92b0c06b5d
  SHA1: 77e95fea7b8afcce773e8c3592e199c71dd03172
  SHA256: 2c78fa1d90fe76c14f0a642af43c560875054e342bbb144aa9ff8f0fdbb0670f
  SHA512: 5798198704ff3b3db9d7f4037db9c4b6315faa77c2f330e70fc68c081ff9c96e7753d6ab871e4024b8d630649bbd682816fd96d4c6766164839be6b4431d985c
  All four hashes match the submitted Swift copy.exe: the persistence file is a byte-for-byte copy of the original sample, which the cmd /c del step then removed from %TEMP%. (The report listed this entry twice; the duplicate is dropped here.)

- C:\Users\Admin\AppData\Local\Temp\DB1
  MD5: b608d407fc15adea97c26936bc6f03f6
  SHA1: 953e7420801c76393902c0d6bb56148947e41571
  SHA256: b281ce54125d4250a80f48fcc02a8eea53f2c35c3b726e2512c3d493da0013bf
  SHA512: cc96ddf4bf90d6aaa9d86803cb2aa30cd8e9b295aee1bd5544b88aeab63dc60bb1d4641e846c9771bab51aabbfbcd984c6d3ee83b96f5b65d09c0841d464b9e4
  This is the copy of Chrome's "Login Data" SQLite database made by the cmd /c copy step in the process tree (the sandbox's Chrome profile, so the hash identifies that profile's file rather than anything reusable as an indicator).
Memory dumps (name: size; mapping.dmp entries carry no range)

- memory/588-134-0x0000000004C60000-0x0000000004F80000-memory.dmp: 3.1MB
- memory/588-132-0x0000000002C00000-0x0000000002C29000-memory.dmp: 164KB
- memory/588-135-0x00000000049B0000-0x0000000004A40000-memory.dmp: 576KB
- memory/588-130-0x0000000000000000-mapping.dmp
- memory/588-131-0x0000000000870000-0x0000000000B6C000-memory.dmp: 3.0MB
- memory/1328-147-0x0000000004DF0000-0x0000000004DF1000-memory.dmp: 4KB
- memory/1328-139-0x0000000000000000-mapping.dmp
- memory/1920-125-0x000000000041D460-mapping.dmp
- memory/1920-127-0x0000000001060000-0x0000000001380000-memory.dmp: 3.1MB
- memory/1920-128-0x0000000001030000-0x0000000001041000-memory.dmp: 68KB
- memory/1920-124-0x0000000000400000-0x0000000000429000-memory.dmp: 164KB
- memory/2780-137-0x0000000000000000-mapping.dmp
- memory/2800-129-0x0000000005260000-0x00000000053A6000-memory.dmp: 1.3MB
- memory/2800-136-0x0000000002900000-0x0000000002995000-memory.dmp: 596KB
- memory/2864-133-0x0000000000000000-mapping.dmp
- memory/3284-115-0x0000000000050000-0x0000000000051000-memory.dmp: 4KB
- memory/3284-123-0x00000000084D0000-0x000000000851B000-memory.dmp: 300KB
- memory/3284-122-0x0000000008330000-0x0000000008331000-memory.dmp: 4KB
- memory/3284-121-0x0000000007FF0000-0x0000000007FF7000-memory.dmp: 28KB
- memory/3284-120-0x00000000048F0000-0x00000000048F1000-memory.dmp: 4KB
- memory/3284-119-0x0000000004870000-0x0000000004D6E000-memory.dmp: 5.0MB
- memory/3284-118-0x0000000004910000-0x0000000004911000-memory.dmp: 4KB
- memory/3284-117-0x0000000004D70000-0x0000000004D71000-memory.dmp: 4KB
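The dump names encode PID and address range, which is enough to spot the injected payload without opening a single dump: the 164KB region at the default image base in PID 1920 (the hollowed child) reappears as a 164KB region at 0x2C00000 in PID 588 (mstsc.exe), exactly the two memory dumps the xloader YARA rule matched, and the two 3.1MB regions in the same pair of processes are the same working set. The block below is an added example, not part of the sandbox report: it parses the names listed above (copied from the page) and reports sizes that recur across processes, with page-sized noise filtered out.

```python
"""Correlate sandbox memory-dump names to find a region duplicated across
processes. Added example, not from the report; the names are copied from its
Downloads section. PID 1920 = hollowed Swift copy.exe, PID 588 = mstsc.exe."""
import re
from collections import defaultdict

DUMPS = [
    "memory/588-134-0x0000000004C60000-0x0000000004F80000-memory.dmp",
    "memory/588-132-0x0000000002C00000-0x0000000002C29000-memory.dmp",
    "memory/588-135-0x00000000049B0000-0x0000000004A40000-memory.dmp",
    "memory/588-130-0x0000000000000000-mapping.dmp",
    "memory/588-131-0x0000000000870000-0x0000000000B6C000-memory.dmp",
    "memory/1328-147-0x0000000004DF0000-0x0000000004DF1000-memory.dmp",
    "memory/1920-125-0x000000000041D460-mapping.dmp",
    "memory/1920-127-0x0000000001060000-0x0000000001380000-memory.dmp",
    "memory/1920-128-0x0000000001030000-0x0000000001041000-memory.dmp",
    "memory/1920-124-0x0000000000400000-0x0000000000429000-memory.dmp",
    "memory/2800-129-0x0000000005260000-0x00000000053A6000-memory.dmp",
    "memory/2800-136-0x0000000002900000-0x0000000002995000-memory.dmp",
    "memory/3284-115-0x0000000000050000-0x0000000000051000-memory.dmp",
    "memory/3284-123-0x00000000084D0000-0x000000000851B000-memory.dmp",
    "memory/3284-122-0x0000000008330000-0x0000000008331000-memory.dmp",
    "memory/3284-121-0x0000000007FF0000-0x0000000007FF7000-memory.dmp",
    "memory/3284-120-0x00000000048F0000-0x00000000048F1000-memory.dmp",
    "memory/3284-119-0x0000000004870000-0x0000000004D6E000-memory.dmp",
    "memory/3284-118-0x0000000004910000-0x0000000004911000-memory.dmp",
    "memory/3284-117-0x0000000004D70000-0x0000000004D71000-memory.dmp",
]

DUMP_RE = re.compile(r"memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp")
DEFAULT_IMAGE_BASE = 0x400000  # default base of a 32-bit PE that was not relocated


def parse_dump(name):
    """Return {pid, index, start, end} for a ranged dump name, else None."""
    m = DUMP_RE.fullmatch(name)
    if not m:
        return None
    pid, idx, start, end = m.groups()
    return {"pid": int(pid), "index": int(idx), "start": int(start, 16), "end": int(end, 16)}


def human_size(n):
    """Reproduce the report's size column: whole KB below 1 MiB, one decimal above."""
    return f"{n / 1048576:.1f}MB" if n >= 1048576 else f"{n // 1024}KB"


def find_duplicated_regions(names, min_size=0x10000):
    """Group ranged dumps by exact size and report sizes seen in more than one
    PID. A region at the default image base in one process plus the same size
    at an arbitrary address in another is the usual shape of a copied-in
    payload; page-sized regions are skipped because they collide by chance."""
    by_size = defaultdict(list)
    for r in filter(None, map(parse_dump, names)):
        size = r["end"] - r["start"]
        if size >= min_size:
            by_size[size].append(r)
    findings = []
    for size, regions in by_size.items():
        if len({r["pid"] for r in regions}) < 2:
            continue
        at_image_base = any(r["start"] == DEFAULT_IMAGE_BASE for r in regions)
        findings.append({
            "size": size,
            "human": human_size(size),
            "kind": "image copied into another process" if at_image_base
                    else "same-size regions in several processes",
            "regions": [(r["pid"], hex(r["start"])) for r in regions],
        })
    return findings
```

On the page's dump list this yields two findings: 0x29000 bytes (164KB) at 0x400000 in 1920 and at 0x2c00000 in 588, flagged as an image copied into another process, and 0x320000 bytes (3.1MB) present in both 1920 and 588 as same-size regions. Dropping `min_size` to 0 adds the 4KB collisions between PIDs 3284 and 1328, which is why the default filter exists.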