Analysis
-
max time kernel
118s -
max time network
123s -
platform
windows7_x64 -
resource
win7-en-20211014 -
submitted
02-12-2021 09:21
Static task
static1
Behavioral task
behavioral1
Sample
SWIFT_ADVICE.exe
Resource
win7-en-20211014
windows7_x64
0 signatures
0 seconds
Behavioral task
behavioral2
Sample
SWIFT_ADVICE.exe
Resource
win10-en-20211104
windows10_x64
0 signatures
0 seconds
General
-
Target
SWIFT_ADVICE.exe
-
Size
672KB
-
MD5
5dcc94e34045484495dcc1bc6f1c6921
-
SHA1
a590f9f5ff0bcbbbc768d329ab3395bcf12f4e63
-
SHA256
06ab16b86393e1eafa3f3b3c0c3a67804135b8cc9332d932a019ad98468191cb
-
SHA512
ba75c9ddae7a16abed772eb22c59f23de86a7858a2000d8fccd894cfd8e2b10e4ac36f92793c383af356346b7ec79a0b05f1e700abc80afdd6182f253ae7d488
Score
3/10
Malware Config
Signatures
-
Program crash 1 IoCs
Processes:
WerFault.exepid pid_target process target process 1416 1360 WerFault.exe SWIFT_ADVICE.exe -
Suspicious behavior: EnumeratesProcesses 5 IoCs
Processes:
SWIFT_ADVICE.exeWerFault.exepid process 1360 SWIFT_ADVICE.exe 1416 WerFault.exe 1416 WerFault.exe 1416 WerFault.exe 1416 WerFault.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
SWIFT_ADVICE.exeWerFault.exedescription pid process Token: SeDebugPrivilege 1360 SWIFT_ADVICE.exe Token: SeDebugPrivilege 1416 WerFault.exe -
Suspicious use of WriteProcessMemory 4 IoCs
Processes:
SWIFT_ADVICE.exedescription pid process target process PID 1360 wrote to memory of 1416 1360 SWIFT_ADVICE.exe WerFault.exe PID 1360 wrote to memory of 1416 1360 SWIFT_ADVICE.exe WerFault.exe PID 1360 wrote to memory of 1416 1360 SWIFT_ADVICE.exe WerFault.exe PID 1360 wrote to memory of 1416 1360 SWIFT_ADVICE.exe WerFault.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\SWIFT_ADVICE.exe"C:\Users\Admin\AppData\Local\Temp\SWIFT_ADVICE.exe"1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1360 -s 7042⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/1360-55-0x0000000000210000-0x0000000000211000-memory.dmpFilesize
4KB
-
memory/1360-57-0x0000000074F61000-0x0000000074F63000-memory.dmpFilesize
8KB
-
memory/1360-58-0x0000000004E20000-0x0000000004E21000-memory.dmpFilesize
4KB
-
memory/1360-59-0x00000000004E0000-0x00000000004E8000-memory.dmpFilesize
32KB
-
memory/1360-60-0x0000000005180000-0x0000000005214000-memory.dmpFilesize
592KB
-
memory/1416-61-0x0000000000000000-mapping.dmp
-
memory/1416-62-0x0000000000910000-0x00000000009BE000-memory.dmpFilesize
696KB