Analysis
- max time kernel: 121s
- max time network: 123s
- platform: windows7_x64
- resource: win7-en-20211014
- submitted: 03-12-2021 12:27
Static task
- static1

Behavioral task
- behavioral1
  Sample: SWIFT MESSAGE.exe
  Resource: win7-en-20211014 (windows7_x64)
  0 signatures, 0 seconds

Behavioral task
- behavioral2
  Sample: SWIFT MESSAGE.exe
  Resource: win10-en-20211104 (windows10_x64)
  0 signatures, 0 seconds
General
- Target: SWIFT MESSAGE.exe
- Size: 506KB
- MD5: 94fe630521bac270adea7c1294f4ae7f
- SHA1: d293a7fc184463352bebabdee5bc38bad3d4d17b
- SHA256: 3a8466544aac37ad923d7d14581f14647657a62f66cf1d7e05ed845f24e03111
- SHA512: afd2add56b9af9eef92a7b65d29f0698b41f90c7cd83657189bd186a15011dac4956ec8f91159073ea4749261642df7fb6abba8cfbb7ef0c65bf960b6ad5bca4
- Score: 3/10
Malware Config
Signatures
- Program crash (1 IoC)
  Processes:
  pid   pid_target  process       target process
  812   1364        WerFault.exe  SWIFT MESSAGE.exe
- Suspicious behavior: EnumeratesProcesses (5 IoCs)
  Processes:
  pid   process
  1364  SWIFT MESSAGE.exe
  812   WerFault.exe
  812   WerFault.exe
  812   WerFault.exe
  812   WerFault.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes:
  description              pid   process
  Token: SeDebugPrivilege  1364  SWIFT MESSAGE.exe
  Token: SeDebugPrivilege  812   WerFault.exe
- Suspicious use of WriteProcessMemory (4 IoCs)
  Processes:
  description                      pid   process            target process
  PID 1364 wrote to memory of 812  1364  SWIFT MESSAGE.exe  WerFault.exe
  PID 1364 wrote to memory of 812  1364  SWIFT MESSAGE.exe  WerFault.exe
  PID 1364 wrote to memory of 812  1364  SWIFT MESSAGE.exe  WerFault.exe
  PID 1364 wrote to memory of 812  1364  SWIFT MESSAGE.exe  WerFault.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\SWIFT MESSAGE.exe (PID 1364)
  Command line: "C:\Users\Admin\AppData\Local\Temp\SWIFT MESSAGE.exe"
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\WerFault.exe (PID 812, child of PID 1364)
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1364 -s 704
    - Program crash
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
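Every WriteProcessMemory and SeDebugPrivilege hit above involves the WerFault.exe child, and the process tree shows that child was started with `-p 1364`, the PID of the crashing sample. The script below is an added triage example, not part of the sandbox's own tooling: it re-parses the report's own rows (embedded as constructed strings copied from the page) and separates this Windows Error Reporting crash handoff from cross-process writes that would justify an injection investigation; it also parses the memory-dump file names from the Downloads list to pick the largest captured region for the sample's PID. The heuristic, the regular expressions and the class names are this example's own assumptions about the report format.

```python
"""Triage of the WriteProcessMemory hits and memory dumps in the report above.

Added example, not the sandbox's own tooling. Input rows are copied from the
page and embedded as constructed strings so the script runs offline.
"""
import re
from dataclasses import dataclass
from typing import Optional

# Constructed input: command lines from the "Processes" tree keyed by PID
# (PIDs taken from the signature tables), the four WriteProcessMemory rows
# exactly as the report lists them, and the Downloads list.
PROCESSES = {
    1364: r'"C:\Users\Admin\AppData\Local\Temp\SWIFT MESSAGE.exe"',
    812: r"C:\Windows\SysWOW64\WerFault.exe -u -p 1364 -s 704",
}
WPM_ROWS = ["PID 1364 wrote to memory of 812 1364 SWIFT MESSAGE.exe WerFault.exe"] * 4
DUMPS = [
    "memory/812-61-0x0000000000000000-mapping.dmp",
    "memory/812-62-0x0000000000580000-0x0000000000581000-memory.dmp",
    "memory/1364-55-0x0000000000200000-0x0000000000201000-memory.dmp",
    "memory/1364-57-0x0000000076231000-0x0000000076233000-memory.dmp",
    "memory/1364-58-0x0000000004960000-0x0000000004961000-memory.dmp",
    "memory/1364-59-0x00000000005B0000-0x00000000005B8000-memory.dmp",
    "memory/1364-60-0x00000000051B0000-0x000000000521A000-memory.dmp",
]

# Row shape: "PID <src> wrote to memory of <dst> <src> <src image> <dst image>"
WPM_RE = re.compile(
    r"PID (?P<src>\d+) wrote to memory of (?P<dst>\d+) \d+ (?P<src_img>.+?) (?P<dst_img>\S+)$"
)
# "WerFault.exe -u -p <crashing pid> -s <event handle>" is the crash-report
# process the OS starts on behalf of a crashing process.
WER_RE = re.compile(r"WerFault\.exe\s+(?:-u\s+)?-p\s+(?P<pid>\d+)", re.IGNORECASE)
# Dump names: memory/<pid>-<seq>-0x<start>-0x<end>-memory.dmp or ...-0x<start>-mapping.dmp
DUMP_RE = re.compile(
    r"memory/(?P<pid>\d+)-(?P<seq>\d+)-0x(?P<start>[0-9A-Fa-f]+)"
    r"(?:-0x(?P<end>[0-9A-Fa-f]+)-memory|-mapping)\.dmp$"
)


@dataclass
class Verdict:
    src: int
    dst: int
    label: str  # "wer-crash-handoff" or "review:cross-process-write"
    reason: str


def classify_write(row: str, processes: dict) -> Verdict:
    """Decide whether one WriteProcessMemory IoC is WER crash handling or a write worth review."""
    m = WPM_RE.match(row)
    if not m:
        raise ValueError(f"unrecognised WriteProcessMemory row: {row!r}")
    src, dst = int(m["src"]), int(m["dst"])
    wer = WER_RE.search(processes.get(dst, ""))
    # Only the WerFault instance launched for *this* crashing PID is expected;
    # a write into any other process, WerFault included, still needs a look.
    if m["dst_img"].lower() == "werfault.exe" and wer and int(wer["pid"]) == src:
        return Verdict(src, dst, "wer-crash-handoff",
                       f"WerFault.exe was started with -p {src}, i.e. to report the crash of pid {src}")
    return Verdict(src, dst, "review:cross-process-write",
                   f"{m['src_img']} (pid {src}) wrote into {m['dst_img']} (pid {dst})")


def triage_writes(rows, processes=PROCESSES):
    return [classify_write(r, processes) for r in rows]


@dataclass
class Dump:
    pid: int
    seq: int
    start: int
    end: Optional[int]  # None for "-mapping.dmp" entries, which carry no end address

    @property
    def size(self) -> Optional[int]:
        return None if self.end is None else self.end - self.start


def parse_dump(name: str) -> Dump:
    """Parse one Downloads entry into its PID, sequence number and address range."""
    m = DUMP_RE.match(name)
    if not m:
        raise ValueError(f"unrecognised dump name: {name!r}")
    end = int(m["end"], 16) if m["end"] else None
    return Dump(int(m["pid"]), int(m["seq"]), int(m["start"], 16), end)


def largest_dump(names, pid: int) -> Dump:
    """Biggest sized region captured for `pid`: the first dump to open when looking for unpacked code."""
    dumps = [d for d in (parse_dump(n) for n in names) if d.pid == pid and d.size is not None]
    return max(dumps, key=lambda d: d.size)


if __name__ == "__main__":
    for v in triage_writes(WPM_ROWS):
        print(f"{v.src} -> {v.dst}: {v.label} ({v.reason})")
    big = largest_dump(DUMPS, 1364)
    print(f"largest dump for 1364: 0x{big.start:X}-0x{big.end:X}, {big.size // 1024}KB")
```

Run against the rows above, all four writes come back as `wer-crash-handoff` and `memory/1364-60-0x00000000051B0000-0x000000000521A000-memory.dmp` (424KB) is the region to open first. Two caveats when reading the 3/10 score: WerFault.exe living under SysWOW64 means the sample is a 32-bit image running on 64-bit Windows, and SeDebugPrivilege plus process enumeration are what WerFault does to collect a dump, so neither is evidence of the sample's own intent; the low score reflects a process that crashed during the run before any network activity or configuration could be observed, not evidence that the file is benign.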
Network
MITRE ATT&CK Matrix
Downloads
- memory/812-61-0x0000000000000000-mapping.dmp
- memory/812-62-0x0000000000580000-0x0000000000581000-memory.dmp (4KB)
- memory/1364-55-0x0000000000200000-0x0000000000201000-memory.dmp (4KB)
- memory/1364-57-0x0000000076231000-0x0000000076233000-memory.dmp (8KB)
- memory/1364-58-0x0000000004960000-0x0000000004961000-memory.dmp (4KB)
- memory/1364-59-0x00000000005B0000-0x00000000005B8000-memory.dmp (32KB)
- memory/1364-60-0x00000000051B0000-0x000000000521A000-memory.dmp (424KB)