Analysis
Max time kernel: 147s
Max time network: 149s
Platform: windows7_x64
Resource: win7-en-20211104
Submitted: 03-12-2021 12:10

Static task: static1
Behavioral task: behavioral1
Sample: Swift Copy_44000.exe
Resource: win7-en-20211104
General
Target: Swift Copy_44000.exe
Size: 320KB
MD5: 03d853072e1cab50b55cce6883e5e72e
SHA1: a3d35ebdb90c950db690d900c57b804cb4874b4e
SHA256: 5da3ef49a658c41da32f3258e3124c24e9641496ea1c2443d40c680a9f7b0e8c
SHA512: 0229de62952ebc975333eb6ec25e9d47fd7f658e44661d198d17a8b6b833291b42f4f08e7ec41e574dd2dba8d58da54c0c0375e1d764bd26fe84fc3aa70d8116
Malware Config
Extracted
Family: xloader
Version: 2.5
Campaign: e8ia
C2: http://www.helpfromjames.com/e8ia/
Decoy domains:
le-hameau-enchanteur.com
quantumsystem-au.club
engravedeeply.com
yesrecompensas.lat
cavallitowerofficials.com
800seaspray.com
skifun-jetski.com
thouartafoot.com
nft2dollar.com
petrestore.online
cjcutthecord2.com
tippimccullough.com
gadget198.xyz
djmiriam.com
bitbasepay.com
cukierniawz.com
mcclureic.xyz
inthekitchenshakinandbakin.com
busy-clicks.com
melaniemorris.online
elysiangp.com
7bkj.com
wakeanddraw.com
ascalar.com
iteraxon.com
henleygirlscricket.com
torresflooringdecorllc.com
helgquieta.quest
xesteem.com
graffity-aws.com
bolerparts.com
andriylysenko.com
bestinvest-4-you.com
frelsicycling.com
airductcleaningindianapolis.net
nlproperties.net
alkoora.xyz
sakiyaman.com
wwwsmyrnaschooldistrict.com
unitedsafetyassociation.com
fiveallianceapparel.com
edgelordkids.com
herhauling.com
intelldat.com
weprepareamerica-planet.com
webartsolution.net
yiquge.com
marraasociados.com
dentalimplantnearyou-ca.space
linemanbible.com
dunamisdispatchservicellc.com
latamoperationalinstitute.com
stpaulsschoolbagidora.com
groupninemed.com
solar-tribe.com
footairdz.com
blttsperma.quest
xfeuio.xyz
sahodyafbdchapter.com
0934800.com
dandftrading.com
gladway.net
mineriasinmercurio.com
inaampm.com
Signatures

suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata: ET MALWARE FormBook CnC Checkin (GET)

Xloader Payload (3 IoCs)
Resource / YARA rule:
- behavioral1/memory/1100-57-0x0000000000400000-0x0000000000429000-memory.dmp / xloader
- behavioral1/memory/1100-58-0x000000000041D4D0-mapping.dmp / xloader
- behavioral1/memory/1664-65-0x00000000000D0000-0x00000000000F9000-memory.dmp / xloader

Deletes itself (1 IoCs)
Processes:
- PID 1140 cmd.exe

Loads dropped DLL (1 IoCs)
Processes:
- PID 1052 Swift Copy_44000.exe

Suspicious use of SetThreadContext (3 IoCs)
Processes (source -> target):
- PID 1052 Swift Copy_44000.exe set thread context of PID 1100 Swift Copy_44000.exe
- PID 1100 Swift Copy_44000.exe set thread context of PID 1220 Explorer.EXE
- PID 1664 cscript.exe set thread context of PID 1220 Explorer.EXE

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Suspicious behavior: EnumeratesProcesses (30 IoCs)
Processes:
- PID 1100 Swift Copy_44000.exe (2 events)
- PID 1664 cscript.exe (28 events)

Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
Processes:
- PID 1220 Explorer.EXE

Suspicious behavior: MapViewOfSection (5 IoCs)
Processes:
- PID 1100 Swift Copy_44000.exe (3 events)
- PID 1664 cscript.exe (2 events)

Suspicious use of AdjustPrivilegeToken (2 IoCs)
Processes:
- Token: SeDebugPrivilege, PID 1100 Swift Copy_44000.exe
- Token: SeDebugPrivilege, PID 1664 cscript.exe

Suspicious use of FindShellTrayWindow (2 IoCs)
Processes:
- PID 1220 Explorer.EXE (2 events)

Suspicious use of SendNotifyMessage (2 IoCs)
Processes:
- PID 1220 Explorer.EXE (2 events)

Suspicious use of WriteProcessMemory (15 IoCs)
Processes (source -> target):
- PID 1052 Swift Copy_44000.exe wrote to memory of PID 1100 Swift Copy_44000.exe (7 events)
- PID 1220 Explorer.EXE wrote to memory of PID 1664 cscript.exe (4 events)
- PID 1664 cscript.exe wrote to memory of PID 1140 cmd.exe (4 events)
Processes

C:\Windows\Explorer.EXE
  Command line: C:\Windows\Explorer.EXE
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\Swift Copy_44000.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\Swift Copy_44000.exe"
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\Swift Copy_44000.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\Swift Copy_44000.exe"
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken

  C:\Windows\SysWOW64\cscript.exe
    Command line: "C:\Windows\SysWOW64\cscript.exe"
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\cmd.exe
      Command line: /c del "C:\Users\Admin\AppData\Local\Temp\Swift Copy_44000.exe"
      - Deletes itself
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
\Users\Admin\AppData\Local\Temp\nsiC84F.tmp\yktbz.dll
  MD5: 31d640c277ad7bae2ef34f6f96a00e48
  SHA1: 79c82dc55f7809a09e743246c592b13738d82474
  SHA256: de7e672353424bf282a669abc6002140cd1103eed39b5ddb685ffb3b0ccffe85
  SHA512: d2ac29df6eeda50ca0f8252542f05a790b18d970e1d8ea7f6a2582c2dff33d948f0c616a5061c556522bc90e3cfdc69ecba0a520a8f848d577b46b220fc76934

Memory dumps (filesize):
- memory/1052-55-0x0000000074E51000-0x0000000074E53000-memory.dmp (8KB)
- memory/1100-57-0x0000000000400000-0x0000000000429000-memory.dmp (164KB)
- memory/1100-58-0x000000000041D4D0-mapping.dmp
- memory/1100-60-0x0000000000770000-0x0000000000A73000-memory.dmp (3.0MB)
- memory/1100-61-0x00000000003E0000-0x00000000003F1000-memory.dmp (68KB)
- memory/1140-67-0x0000000000000000-mapping.dmp
- memory/1220-62-0x0000000003CD0000-0x0000000003D81000-memory.dmp (708KB)
- memory/1220-69-0x0000000003E90000-0x0000000003F30000-memory.dmp (640KB)
- memory/1664-64-0x0000000000720000-0x0000000000742000-memory.dmp (136KB)
- memory/1664-65-0x00000000000D0000-0x00000000000F9000-memory.dmp (164KB)
- memory/1664-66-0x0000000002020000-0x0000000002323000-memory.dmp (3.0MB)
- memory/1664-63-0x0000000000000000-mapping.dmp
- memory/1664-68-0x0000000000490000-0x0000000000520000-memory.dmp (576KB)