Analysis
- max time kernel: 150s
- max time network: 151s
- platform: windows10_x64
- resource: win10-en-20211014
- submitted: 25-11-2021 16:29

Static task: static1
Behavioral task: behavioral1
Sample: TT_SWIFT_Export Order_noref S10SMG00318021.exe
Resource: win7-en-20211104
General
- Target: TT_SWIFT_Export Order_noref S10SMG00318021.exe
- Size: 653KB
- MD5: fff91c58119d3cd7f68457e8565f7116
- SHA1: 4201eb7214bd3658889739e4856412b8063e0405
- SHA256: f8c0d385ece89cd926b2c74680c036f9927414955e7ff4ed12b576470b8c1745
- SHA512: c05cf9e0ed2aad4c08b394d97fc1257d273aa8dd51a45487ba51ff5973ab7b2227aba7ea1e1e8e9daf7416aaea418b06edfa29ff93665f6d3cc5b1a392dbed92
Malware Config
Extracted
xloader
2.5
46uq
http://www.liberia-infos.net/46uq/
beardeddentguy.com
envirobombs.com
mintbox.pro
xiangpusun.com
pyjama-france.com
mendocinocountylive.com
innovativepropsolutions.com
hpsaddlerock.com
qrmaindonesia.com
liphelp.com
archaeaenergy.info
18446744073709551615.com
littlecreekacresri.com
elderlycareacademy.com
drshivanieyecare.com
ashibumi.com
stevenalexandergolf.com
adoratv.net
visitnewrichmond.com
fxbvanpool.com
aarondecker.online
environmentalkivul.com
cardsncrepes.com
hopdongdientu-viettel.com
thebroughtguarantee.com
howtofindahotniche.com
1678600.win
pityana.com
akconsultoria.com
markazkreasindo.com
ronniecapitol.com
tailsontour.com
abros88.com
laboratoriodentaltj.com
fuckingmom86.xyz
5pz59.com
centralmadu.com
ispecwar.com
otetransportanddispatching.com
cartaovirtual.net
hsadmin.xyz
xn--12c2bed4dxay5cxdh1s.online
oki-net.com
scenekidfancams.com
preciousmugs.com
754711.com
helpigservices.com
blueharepress.com
xmshzs.com
lovelycharlestonhomes.com
wamhsh.com
burlesquercize.com
oppoexch.com
ditjai.tech
the-hausd-group.com
loosebland.website
syntheticloot.net
gzfusco.com
www-by.com
farraztravel.com
beheld3d.art
douyababy.space
elcuerpohumano.xyz
3soap.com
Signatures
-
Xloader Payload 3 IoCs
Processes:
resource | yara_rule
behavioral2/memory/1428-139-0x0000000000400000-0x0000000000429000-memory.dmp | xloader
behavioral2/memory/1428-140-0x000000000041D4B0-mapping.dmp | xloader
behavioral2/memory/696-373-0x0000000002A30000-0x0000000002A59000-memory.dmp | xloader
-
Suspicious use of SetThreadContext 4 IoCs
Processes: TT_SWIFT_Export Order_noref S10SMG00318021.exe, TT_SWIFT_Export Order_noref S10SMG00318021.exe, cscript.exe
description | pid | process | target process
PID 3820 set thread context of 1428 | 3820 | TT_SWIFT_Export Order_noref S10SMG00318021.exe | TT_SWIFT_Export Order_noref S10SMG00318021.exe
PID 1428 set thread context of 2672 | 1428 | TT_SWIFT_Export Order_noref S10SMG00318021.exe | Explorer.EXE
PID 1428 set thread context of 2672 | 1428 | TT_SWIFT_Export Order_noref S10SMG00318021.exe | Explorer.EXE
PID 696 set thread context of 2672 | 696 | cscript.exe | Explorer.EXE
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 49 IoCs
Processes: TT_SWIFT_Export Order_noref S10SMG00318021.exe, powershell.exe, powershell.exe, TT_SWIFT_Export Order_noref S10SMG00318021.exe, cscript.exe
pid | process
3820 | TT_SWIFT_Export Order_noref S10SMG00318021.exe (7 entries)
4504 | powershell.exe
656 | powershell.exe
1428 | TT_SWIFT_Export Order_noref S10SMG00318021.exe (4 entries)
4504 | powershell.exe
656 | powershell.exe
4504 | powershell.exe
656 | powershell.exe
1428 | TT_SWIFT_Export Order_noref S10SMG00318021.exe (2 entries)
696 | cscript.exe (30 entries)
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes: Explorer.EXE
pid | process
2672 | Explorer.EXE
-
Suspicious behavior: MapViewOfSection 6 IoCs
Processes: TT_SWIFT_Export Order_noref S10SMG00318021.exe, cscript.exe
pid | process
1428 | TT_SWIFT_Export Order_noref S10SMG00318021.exe (4 entries)
696 | cscript.exe (2 entries)
-
Suspicious use of AdjustPrivilegeToken 9 IoCs
Processes: TT_SWIFT_Export Order_noref S10SMG00318021.exe, powershell.exe, powershell.exe, TT_SWIFT_Export Order_noref S10SMG00318021.exe, cscript.exe, Explorer.EXE
description | pid | process
Token: SeDebugPrivilege | 3820 | TT_SWIFT_Export Order_noref S10SMG00318021.exe
Token: SeDebugPrivilege | 4504 | powershell.exe
Token: SeDebugPrivilege | 656 | powershell.exe
Token: SeDebugPrivilege | 1428 | TT_SWIFT_Export Order_noref S10SMG00318021.exe
Token: SeDebugPrivilege | 696 | cscript.exe
Token: SeShutdownPrivilege | 2672 | Explorer.EXE
Token: SeCreatePagefilePrivilege | 2672 | Explorer.EXE
Token: SeShutdownPrivilege | 2672 | Explorer.EXE
Token: SeCreatePagefilePrivilege | 2672 | Explorer.EXE
-
Suspicious use of WriteProcessMemory 18 IoCs
Processes: TT_SWIFT_Export Order_noref S10SMG00318021.exe, Explorer.EXE
description | pid | process | target process
PID 3820 wrote to memory of 4504 | 3820 | TT_SWIFT_Export Order_noref S10SMG00318021.exe | powershell.exe (3 entries)
PID 3820 wrote to memory of 656 | 3820 | TT_SWIFT_Export Order_noref S10SMG00318021.exe | powershell.exe (3 entries)
PID 3820 wrote to memory of 1000 | 3820 | TT_SWIFT_Export Order_noref S10SMG00318021.exe | schtasks.exe (3 entries)
PID 3820 wrote to memory of 1428 | 3820 | TT_SWIFT_Export Order_noref S10SMG00318021.exe | TT_SWIFT_Export Order_noref S10SMG00318021.exe (6 entries)
PID 2672 wrote to memory of 696 | 2672 | Explorer.EXE | cscript.exe (3 entries)
Processes
- C:\Windows\Explorer.EXE
  Command line: C:\Windows\Explorer.EXE
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\TT_SWIFT_Export Order_noref S10SMG00318021.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\TT_SWIFT_Export Order_noref S10SMG00318021.exe"
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\TT_SWIFT_Export Order_noref S10SMG00318021.exe"
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
    - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\AnsPejV.exe"
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
    - C:\Windows\SysWOW64\schtasks.exe
      Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\AnsPejV" /XML "C:\Users\Admin\AppData\Local\Temp\tmpD194.tmp"
      - Creates scheduled task(s)
    - C:\Users\Admin\AppData\Local\Temp\TT_SWIFT_Export Order_noref S10SMG00318021.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\TT_SWIFT_Export Order_noref S10SMG00318021.exe"
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\cscript.exe
    Command line: "C:\Windows\SysWOW64\cscript.exe"
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
  MD5 1c19c16e21c97ed42d5beabc93391fc5
  SHA1 8ad83f8e0b3acf8dfbbf87931e41f0d664c4df68
  SHA256 1bcd97396c83babfe6c5068ba590d7a3f8b70e72955a9d1e4070648e404cbf05
  SHA512 7d18776d8f649b3d29c182ff03efc6cea8b527542ee55304980f24577aae8b64e37044407776e220984346c3998ace5f8853afa58c8b38407482a728e9495e0c
- C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
  MD5 ef33e78aa7b685f14328bbcd093cef5c
  SHA1 e6dacd3e68ea5a592b0417834c90654038d539b4
  SHA256 9e5c2646edabfa71f0e78d96a62abcb2f83fcb4a0f6890088f48132706adfff9
  SHA512 bd1b33e964162c9b55ddfcf86b4827d182507f9190b1acf864d37ed73b1185349b348e09bdab255545e5f5c1b1b737e57f80ab3968505a6e27e932c681137b8c
- C:\Users\Admin\AppData\Local\Temp\tmpD194.tmp
  MD5 8e378b65e7c9a6cdb40619d3ab813bd6
  SHA1 1ff067a68cb62a9df7598382deeaab5e0ac31f24
  SHA256 225e124b35dbc54df83450dbdbf0d59f0e75f2fd1f3c5d993e6e63115c769348
  SHA512 5057926b62dfe5573d208d425742278bb5aac1d693ee4cd533e6f310fe166b9fb4182d1c1504de3a224f9491f8df12de0ced4b8cbfec95b8e3c96333052dd873
- memory/656-161-0x0000000008620000-0x0000000008621000-memory.dmp
  Filesize 4KB
- memory/656-208-0x00000000070F3000-0x00000000070F4000-memory.dmp
  Filesize 4KB
- memory/656-157-0x0000000007F10000-0x0000000007F11000-memory.dmp
  Filesize 4KB
- memory/656-155-0x00000000070F2000-0x00000000070F3000-memory.dmp
  Filesize 4KB
- memory/656-153-0x00000000070F0000-0x00000000070F1000-memory.dmp
  Filesize 4KB
- memory/656-177-0x00000000095D0000-0x0000000009603000-memory.dmp
  Filesize 204KB
- memory/656-130-0x0000000000000000-mapping.dmp
- memory/656-135-0x00000000010A0000-0x00000000010A1000-memory.dmp
  Filesize 4KB
- memory/656-184-0x000000007F340000-0x000000007F341000-memory.dmp
  Filesize 4KB
- memory/656-134-0x00000000010A0000-0x00000000010A1000-memory.dmp
  Filesize 4KB
- memory/656-163-0x00000000010A0000-0x00000000010A1000-memory.dmp
  Filesize 4KB
- memory/696-357-0x0000000000000000-mapping.dmp
- memory/696-419-0x00000000047C0000-0x0000000004AE0000-memory.dmp
  Filesize 3.1MB
- memory/696-622-0x0000000004610000-0x00000000046A0000-memory.dmp
  Filesize 576KB
- memory/696-370-0x0000000000300000-0x0000000000327000-memory.dmp
  Filesize 156KB
- memory/696-373-0x0000000002A30000-0x0000000002A59000-memory.dmp
  Filesize 164KB
- memory/1000-132-0x0000000000000000-mapping.dmp
- memory/1428-139-0x0000000000400000-0x0000000000429000-memory.dmp
  Filesize 164KB
- memory/1428-140-0x000000000041D4B0-mapping.dmp
- memory/1428-284-0x0000000000F00000-0x0000000000F11000-memory.dmp
  Filesize 68KB
- memory/1428-154-0x0000000000CA0000-0x0000000000CB1000-memory.dmp
  Filesize 68KB
- memory/1428-150-0x0000000000F80000-0x00000000012A0000-memory.dmp
  Filesize 3.1MB
- memory/2672-287-0x00000000070F0000-0x0000000007269000-memory.dmp
  Filesize 1.5MB
- memory/2672-156-0x00000000058D0000-0x0000000005A13000-memory.dmp
  Filesize 1.3MB
- memory/2672-625-0x00000000032C0000-0x00000000033AC000-memory.dmp
  Filesize 944KB
- memory/3820-124-0x0000000005C10000-0x0000000005C11000-memory.dmp
  Filesize 4KB
- memory/3820-125-0x0000000005DB0000-0x0000000005E0A000-memory.dmp
  Filesize 360KB
- memory/3820-123-0x0000000004FF3000-0x0000000004FF5000-memory.dmp
  Filesize 8KB
- memory/3820-126-0x0000000006310000-0x0000000006311000-memory.dmp
  Filesize 4KB
- memory/3820-115-0x00000000003A0000-0x00000000003A1000-memory.dmp
  Filesize 4KB
- memory/3820-122-0x0000000005880000-0x0000000005881000-memory.dmp
  Filesize 4KB
- memory/3820-121-0x00000000050A0000-0x00000000050A8000-memory.dmp
  Filesize 32KB
- memory/3820-120-0x0000000005250000-0x0000000005251000-memory.dmp
  Filesize 4KB
- memory/3820-119-0x00000000050B0000-0x00000000050B1000-memory.dmp
  Filesize 4KB
- memory/3820-118-0x0000000004F10000-0x0000000004F11000-memory.dmp
  Filesize 4KB
- memory/3820-117-0x0000000004FF0000-0x0000000004FF1000-memory.dmp
  Filesize 4KB
- memory/4504-129-0x0000000003710000-0x0000000003711000-memory.dmp
  Filesize 4KB
- memory/4504-187-0x000000007E1F0000-0x000000007E1F1000-memory.dmp
  Filesize 4KB
- memory/4504-164-0x0000000003710000-0x0000000003711000-memory.dmp
  Filesize 4KB
- memory/4504-193-0x00000000098D0000-0x00000000098D1000-memory.dmp
  Filesize 4KB
- memory/4504-207-0x0000000003793000-0x0000000003794000-memory.dmp
  Filesize 4KB
- memory/4504-159-0x00000000082C0000-0x00000000082C1000-memory.dmp
  Filesize 4KB
- memory/4504-151-0x0000000003792000-0x0000000003793000-memory.dmp
  Filesize 4KB
- memory/4504-147-0x0000000003790000-0x0000000003791000-memory.dmp
  Filesize 4KB
- memory/4504-148-0x0000000008480000-0x0000000008481000-memory.dmp
  Filesize 4KB
- memory/4504-144-0x0000000008230000-0x0000000008231000-memory.dmp
  Filesize 4KB
- memory/4504-143-0x00000000081C0000-0x00000000081C1000-memory.dmp
  Filesize 4KB
- memory/4504-141-0x00000000079A0000-0x00000000079A1000-memory.dmp
  Filesize 4KB
- memory/4504-133-0x0000000007B20000-0x0000000007B21000-memory.dmp
  Filesize 4KB
- memory/4504-131-0x0000000005040000-0x0000000005041000-memory.dmp
  Filesize 4KB
- memory/4504-128-0x0000000003710000-0x0000000003711000-memory.dmp
  Filesize 4KB
- memory/4504-127-0x0000000000000000-mapping.dmp