Analysis
max time kernel: 148s
max time network: 148s
platform: windows10_x64
resource: win10-en-20211014
submitted: 03-12-2021 12:10
Static task: static1
Behavioral task: behavioral1
Sample: Swift Copy_44000.exe
Resource: win7-en-20211104
General
Target: Swift Copy_44000.exe
Size: 320KB
MD5: 03d853072e1cab50b55cce6883e5e72e
SHA1: a3d35ebdb90c950db690d900c57b804cb4874b4e
SHA256: 5da3ef49a658c41da32f3258e3124c24e9641496ea1c2443d40c680a9f7b0e8c
SHA512: 0229de62952ebc975333eb6ec25e9d47fd7f658e44661d198d17a8b6b833291b42f4f08e7ec41e574dd2dba8d58da54c0c0375e1d764bd26fe84fc3aa70d8116
Malware Config
Extracted
Family: xloader
Version: 2.5
Campaign: e8ia
C2: http://www.helpfromjames.com/e8ia/
Decoy domains (64):
le-hameau-enchanteur.com
quantumsystem-au.club
engravedeeply.com
yesrecompensas.lat
cavallitowerofficials.com
800seaspray.com
skifun-jetski.com
thouartafoot.com
nft2dollar.com
petrestore.online
cjcutthecord2.com
tippimccullough.com
gadget198.xyz
djmiriam.com
bitbasepay.com
cukierniawz.com
mcclureic.xyz
inthekitchenshakinandbakin.com
busy-clicks.com
melaniemorris.online
elysiangp.com
7bkj.com
wakeanddraw.com
ascalar.com
iteraxon.com
henleygirlscricket.com
torresflooringdecorllc.com
helgquieta.quest
xesteem.com
graffity-aws.com
bolerparts.com
andriylysenko.com
bestinvest-4-you.com
frelsicycling.com
airductcleaningindianapolis.net
nlproperties.net
alkoora.xyz
sakiyaman.com
wwwsmyrnaschooldistrict.com
unitedsafetyassociation.com
fiveallianceapparel.com
edgelordkids.com
herhauling.com
intelldat.com
weprepareamerica-planet.com
webartsolution.net
yiquge.com
marraasociados.com
dentalimplantnearyou-ca.space
linemanbible.com
dunamisdispatchservicellc.com
latamoperationalinstitute.com
stpaulsschoolbagidora.com
groupninemed.com
solar-tribe.com
footairdz.com
blttsperma.quest
xfeuio.xyz
sahodyafbdchapter.com
0934800.com
dandftrading.com
gladway.net
mineriasinmercurio.com
inaampm.com
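The config above is the useful output of this report for a defender: one real C2 URL whose path carries the campaign ID, and a padding list of decoy domains. The script below, added here as an example and not part of the sandbox report, turns that block into indicators and runs them over proxy log lines. The family, version, campaign, C2 and decoy values are copied from the config above (five of the 64 decoys), the log lines are constructed, and the rule "request to a configured host whose path starts with /<campaign>/" is this example's own assumption about what to hunt for, not the body of the Suricata rule that fired.

```python
"""Turn the extracted XLoader config into hunt indicators and run them over
web-proxy log lines.

Added example; not part of the sandbox report. Config values are copied from
the report, SAMPLE_LOG is constructed, and the path-prefix rule is an
assumption of this example.
"""
from urllib.parse import urlsplit

# Copied from the report's config block (first five of the 64 decoys).
CONFIG_BLOCK = """\
xloader
2.5
e8ia
http://www.helpfromjames.com/e8ia/
le-hameau-enchanteur.com
quantumsystem-au.club
engravedeeply.com
bitbasepay.com
djmiriam.com
"""

# Constructed proxy lines: "<timestamp> <client> <method> <url> <status>".
SAMPLE_LOG = [
    "2021-12-03T12:11:02Z 10.0.0.5 GET http://www.helpfromjames.com/e8ia/?vw=abc 200",
    "2021-12-03T12:11:09Z 10.0.0.5 GET http://www.engravedeeply.com/e8ia/?vw=abc 404",
    "2021-12-03T12:12:40Z 10.0.0.7 GET http://www.example.org/e8ia/ 200",
    "2021-12-03T12:13:01Z 10.0.0.9 GET http://bitbasepay.com/index.html 200",
    "2021-12-03T12:13:30Z 10.0.0.9 POST http://helpfromjames.com/e8ia/ 200",
]


def parse_config(text):
    """Field order follows the report: family, version, campaign, C2, then decoys."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    if len(lines) < 4:
        raise ValueError("config block is missing required fields")
    family, version, campaign, c2 = lines[:4]
    return {"family": family, "version": version, "campaign": campaign,
            "c2": c2, "decoys": lines[4:]}


def norm_host(host):
    """Lower-case, drop a trailing dot and a leading 'www.' so the C2 URL's host
    compares equal to the bare domains in the decoy list."""
    host = (host or "").lower().rstrip(".")
    return host[4:] if host.startswith("www.") else host


def build_indicators(cfg):
    return {
        "c2_host": norm_host(urlsplit(cfg["c2"]).hostname),
        "decoys": {norm_host(d) for d in cfg["decoys"]},
        "path_prefix": f"/{cfg['campaign']}/",   # assumption: the campaign ID is the URI prefix
    }


def classify(url, ind):
    """Return a verdict for one URL, or None when it matches nothing.
    The campaign path alone is not enough: an unlisted host on /e8ia/ is ignored."""
    parts = urlsplit(url)
    host = norm_host(parts.hostname)
    on_campaign_path = parts.path.startswith(ind["path_prefix"])
    if host == ind["c2_host"]:
        return "c2_checkin" if on_campaign_path else "c2_host"
    if host in ind["decoys"]:
        return "decoy_campaign_path" if on_campaign_path else "decoy_host"
    return None


def match_logs(lines, ind):
    """Scan log lines; return (timestamp, client, method, host, verdict) per hit."""
    hits = []
    for line in lines:
        fields = line.split()
        if len(fields) < 4:
            continue
        ts, client, method, url = fields[:4]
        verdict = classify(url, ind)
        if verdict:
            hits.append((ts, client, method, norm_host(urlsplit(url).hostname), verdict))
    return hits


if __name__ == "__main__":
    indicators = build_indicators(parse_config(CONFIG_BLOCK))
    for hit in match_logs(SAMPLE_LOG, indicators):
        print(*hit)
```

Contact with a decoy domain is reported separately from the C2 check-in: on its own it is weak evidence, but a client that hits the real C2 and several decoys in the same minute is the pattern this config describes.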
Signatures
-
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata: ET MALWARE FormBook CnC Checkin (GET)
-
Xloader Payload (3 IoCs)
resource / yara_rule:
  behavioral2/memory/4316-116-0x0000000000400000-0x0000000000429000-memory.dmp  xloader
  behavioral2/memory/4316-117-0x000000000041D4D0-mapping.dmp  xloader
  behavioral2/memory/4436-124-0x0000000003330000-0x0000000003359000-memory.dmp  xloader

Loads dropped DLL (1 IoC)
pid / process:
  3828  Swift Copy_44000.exe

Suspicious use of SetThreadContext (3 IoCs)
description / pid / process / target process:
  PID 3828 set thread context of 4316  Swift Copy_44000.exe -> Swift Copy_44000.exe
  PID 4316 set thread context of 2672  Swift Copy_44000.exe -> Explorer.EXE
  PID 4436 set thread context of 2672  netsh.exe -> Explorer.EXE
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour. (This is the rule's generic description; nothing else in this report shows file encryption, and the extracted config identifies the payload as XLoader, so read it as drive enumeration rather than as evidence of ransomware.)
-
Suspicious behavior: EnumeratesProcesses (60 IoCs)
pid / process:
  4316  Swift Copy_44000.exe  (4 events)
  4436  netsh.exe  (56 events)

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
pid / process:
  2672  Explorer.EXE

Suspicious behavior: MapViewOfSection (5 IoCs)
pid / process:
  4316  Swift Copy_44000.exe  (3 events)
  4436  netsh.exe  (2 events)

Suspicious use of AdjustPrivilegeToken (2 IoCs)
description / pid / process:
  Token: SeDebugPrivilege  4316  Swift Copy_44000.exe
  Token: SeDebugPrivilege  4436  netsh.exe

Suspicious use of WriteProcessMemory (12 IoCs)
description / pid / process / target process:
  PID 3828 wrote to memory of 4316  Swift Copy_44000.exe -> Swift Copy_44000.exe  (6 events)
  PID 2672 wrote to memory of 4436  Explorer.EXE -> netsh.exe  (3 events)
  PID 4436 wrote to memory of 4424  netsh.exe -> cmd.exe  (3 events)
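The SetThreadContext and WriteProcessMemory tables, read together with the dump names in the Downloads section, describe one injection chain: the dropper hollows a copy of itself, that copy rewrites a thread in Explorer.EXE, Explorer then starts netsh.exe, which injects back into Explorer and spawns cmd.exe to delete the dropper. The script below, added here as an example and not part of the sandbox's own logic, reconstructs that chain from the rows as the report renders them and pairs up dumped regions of identical size across PIDs. The rows and dump names are copied from this report; the two regexes and the "hollowing chain" heuristic are this example's assumptions.

```python
"""Reconstruct the injection chain recorded in the SetThreadContext /
WriteProcessMemory tables and pair up the dumped regions by size.

Added example for this report; it is not output of the sandbox. The rows and
dump names are copied from the report, the regexes and the chain heuristic
are assumptions of this example.
"""
import re
from collections import defaultdict

# Signature rows as the report renders them (copied from the tables above).
INJECTION_ROWS = [
    "PID 3828 set thread context of 4316 3828 Swift Copy_44000.exe Swift Copy_44000.exe",
    "PID 4316 set thread context of 2672 4316 Swift Copy_44000.exe Explorer.EXE",
    "PID 4436 set thread context of 2672 4436 netsh.exe Explorer.EXE",
    "PID 3828 wrote to memory of 4316 3828 Swift Copy_44000.exe Swift Copy_44000.exe",
    "PID 2672 wrote to memory of 4436 2672 Explorer.EXE netsh.exe",
    "PID 4436 wrote to memory of 4424 4436 netsh.exe cmd.exe",
]
# Dump names from the Downloads section (a -mapping.dmp entry carries no range).
DUMP_NAMES = [
    "memory/4316-116-0x0000000000400000-0x0000000000429000-memory.dmp",
    "memory/4316-119-0x0000000000AA0000-0x0000000000DC0000-memory.dmp",
    "memory/4436-124-0x0000000003330000-0x0000000003359000-memory.dmp",
    "memory/4436-126-0x0000000003780000-0x0000000003AA0000-memory.dmp",
    "memory/2672-121-0x00000000058D0000-0x0000000005A48000-memory.dmp",
    "memory/4316-117-0x000000000041D4D0-mapping.dmp",
]

# Row layout: "PID <src> <verb> <dst> <src> <src name> <target name>". Names may
# contain spaces, so each name is anchored on its .exe suffix (assumption).
ROW_RE = re.compile(
    r"^PID (?P<src>\d+) (?P<verb>set thread context of|wrote to memory of) "
    r"(?P<dst>\d+) \d+ (?P<src_name>.+?\.exe) (?P<dst_name>.+?\.exe)$",
    re.IGNORECASE,
)
DUMP_RE = re.compile(
    r"^memory/(?P<pid>\d+)-\d+-0x(?P<start>[0-9a-f]+)-0x(?P<end>[0-9a-f]+)-memory\.dmp$",
    re.IGNORECASE,
)


def same(a, b):
    return a.lower() == b.lower()


def parse_rows(rows):
    """Turn each row into an injection edge: which PID touched which, via which API."""
    edges = []
    for row in rows:
        m = ROW_RE.match(row)
        if not m:
            raise ValueError(f"unrecognised row: {row!r}")
        api = "SetThreadContext" if m["verb"].startswith("set") else "WriteProcessMemory"
        edges.append({"api": api, "src": int(m["src"]), "src_name": m["src_name"],
                      "dst": int(m["dst"]), "dst_name": m["dst_name"]})
    return edges


def hollowing_chain(edges, shell="explorer.exe"):
    """Heuristic for the chain this report shows (an assumption of this example):
    1. the dropper rewrites a thread in a copy of itself (self-hollowing),
    2. that copy rewrites a thread in the shell process,
    3. the shell starts a system binary that injects back into the shell,
    4. an injector spawns cmd.exe, here used to delete the dropper."""
    ctx = [e for e in edges if e["api"] == "SetThreadContext"]
    wpm = [e for e in edges if e["api"] == "WriteProcessMemory"]
    self_injection = sorted({(e["src"], e["dst"]) for e in ctx
                             if same(e["src_name"], e["dst_name"]) and e["src"] != e["dst"]})
    shell_injection = sorted({(e["src"], e["dst"]) for e in ctx if same(e["dst_name"], shell)})
    started_by_shell = {e["dst"]: e["dst_name"] for e in wpm if same(e["src_name"], shell)}
    inject_back = sorted({(e["src"], started_by_shell[e["src"]]) for e in ctx
                          if e["src"] in started_by_shell and same(e["dst_name"], shell)})
    injectors = {src for src, _ in shell_injection}
    cleanup = sorted({(e["src"], e["dst"]) for e in wpm
                      if e["src"] in injectors and same(e["dst_name"], "cmd.exe")})
    return {"self_injection": self_injection, "shell_injection": shell_injection,
            "shell_children_injecting_back": inject_back, "cleanup": cleanup}


def matching_regions(dump_names):
    """Group dumped ranges by byte size; a size that recurs in different PIDs is
    the first thing to diff when hunting for the same payload mapped twice."""
    by_size = defaultdict(dict)
    for name in dump_names:
        m = DUMP_RE.match(name)
        if not m:               # -mapping.dmp entries have a single address only
            continue
        start, end = int(m["start"], 16), int(m["end"], 16)
        by_size[end - start][int(m["pid"])] = start
    return {size: pids for size, pids in by_size.items() if len(pids) > 1}


if __name__ == "__main__":
    for stage, hits in hollowing_chain(parse_rows(INJECTION_ROWS)).items():
        print(f"{stage}: {hits}")
    for size, pids in sorted(matching_regions(DUMP_NAMES).items()):
        where = ", ".join(f"{pid}@0x{addr:x}" for pid, addr in sorted(pids.items()))
        print(f"0x{size:x} bytes ({size // 1024} KiB) in {where}")
```

On this report the size pairing lands on the two YARA hits: the 0x29000-byte region at the image base 0x400000 of the hollowed child (4316) and the same-sized region at 0x3330000 inside netsh.exe (4436), plus a 0x320000-byte region in each; the 1.5MB region in Explorer has no twin.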
Processes
(depth as shown in the report; PIDs taken from the signature tables above)

[1] C:\Windows\Explorer.EXE  (PID 2672)
    command line: C:\Windows\Explorer.EXE
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of WriteProcessMemory

    [2] C:\Users\Admin\AppData\Local\Temp\Swift Copy_44000.exe  (PID 3828)
        command line: "C:\Users\Admin\AppData\Local\Temp\Swift Copy_44000.exe"
        - Loads dropped DLL
        - Suspicious use of SetThreadContext
        - Suspicious use of WriteProcessMemory

        [3] C:\Users\Admin\AppData\Local\Temp\Swift Copy_44000.exe  (PID 4316)
            command line: "C:\Users\Admin\AppData\Local\Temp\Swift Copy_44000.exe"
            - Suspicious use of SetThreadContext
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious behavior: MapViewOfSection
            - Suspicious use of AdjustPrivilegeToken

    [2] C:\Windows\SysWOW64\netsh.exe  (PID 4436)
        command line: "C:\Windows\SysWOW64\netsh.exe"
        - Suspicious use of SetThreadContext
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: MapViewOfSection
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory

        [3] C:\Windows\SysWOW64\cmd.exe  (PID 4424)
            command line: /c del "C:\Users\Admin\AppData\Local\Temp\Swift Copy_44000.exe"
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
\Users\Admin\AppData\Local\Temp\nsdF222.tmp\yktbz.dll
MD5: 31d640c277ad7bae2ef34f6f96a00e48
SHA1: 79c82dc55f7809a09e743246c592b13738d82474
SHA256: de7e672353424bf282a669abc6002140cd1103eed39b5ddb685ffb3b0ccffe85
SHA512: d2ac29df6eeda50ca0f8252542f05a790b18d970e1d8ea7f6a2582c2dff33d948f0c616a5061c556522bc90e3cfdc69ecba0a520a8f848d577b46b220fc76934
(An ns*.tmp directory under %TEMP% is where NSIS installers unpack their plugin DLLs at run time, so this "dropped DLL" load by PID 3828 is consistent with an NSIS-packaged dropper rather than a separately downloaded component.)
-
memory/2672-121-0x00000000058D0000-0x0000000005A48000-memory.dmp  Filesize: 1.5MB
memory/2672-128-0x0000000007810000-0x000000000795A000-memory.dmp  Filesize: 1.3MB
memory/4316-116-0x0000000000400000-0x0000000000429000-memory.dmp  Filesize: 164KB
memory/4316-117-0x000000000041D4D0-mapping.dmp
memory/4316-119-0x0000000000AA0000-0x0000000000DC0000-memory.dmp  Filesize: 3.1MB
memory/4316-120-0x00000000009D0000-0x00000000009E1000-memory.dmp  Filesize: 68KB
memory/4424-125-0x0000000000000000-mapping.dmp
memory/4436-124-0x0000000003330000-0x0000000003359000-memory.dmp  Filesize: 164KB
memory/4436-123-0x0000000000880000-0x000000000089E000-memory.dmp  Filesize: 120KB
memory/4436-126-0x0000000003780000-0x0000000003AA0000-memory.dmp  Filesize: 3.1MB
memory/4436-127-0x0000000003670000-0x0000000003700000-memory.dmp  Filesize: 576KB
memory/4436-122-0x0000000000000000-mapping.dmp