Analysis
max time kernel: 111s
max time network: 144s
platform: windows10-2004_x64
resource: win10v2004-20220331-en
submitted: 04-04-2022 20:04
Static task: static1
Behavioral task: behavioral1
  Sample: Swift-PaymentInvoice20220331_pdf.exe
  Resource: win7-20220311-en
Behavioral task: behavioral2
  Sample: Swift-PaymentInvoice20220331_pdf.exe
  Resource: win10v2004-20220331-en
General
Target: Swift-PaymentInvoice20220331_pdf.exe
Size: 520KB
MD5: 72a9bcce9a210198f0d6a679b5bca7e4
SHA1: d19326cef0a76c63343fb2a762331639ed6617c2
SHA256: 407f8e8ab8d4141df81d49cbb94e54ec89c80cd76ca0fa23b1bb2aa0ba74b0dc
SHA512: ec190a3a1a887f8c4cd4863c671c5da20cc24ce6cb3ed14320a07e8e0318da7833bf882843175ea6cfe29a333839adca6f2bf4c606cba2ba0a7a012bb27824c6
Malware Config
Signatures
Executes dropped EXE (1 IoCs)
  pid 904  Process: mzdtplptw.exe
Adds Run key to start application (2 TTPs, 1 IoCs)
  Set value (str)  \REGISTRY\USER\S-1-5-21-157025953-3125636059-437143553-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cicc = "C:\\Users\\Admin\\AppData\\Roaming\\atet\\pbfpgpqobh.exe"  Process: mzdtplptw.exe
Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Suspicious use of WriteProcessMemory (6 IoCs)
  PID 1320 wrote to memory of 904   Process: Swift-PaymentInvoice20220331_pdf.exe   procid_target: 80
  PID 1320 wrote to memory of 904   Process: Swift-PaymentInvoice20220331_pdf.exe   procid_target: 80
  PID 1320 wrote to memory of 904   Process: Swift-PaymentInvoice20220331_pdf.exe   procid_target: 80
  PID 904 wrote to memory of 3240   Process: mzdtplptw.exe   procid_target: 81
  PID 904 wrote to memory of 3240   Process: mzdtplptw.exe   procid_target: 81
  PID 904 wrote to memory of 3240   Process: mzdtplptw.exe   procid_target: 81
Processes
1. C:\Users\Admin\AppData\Local\Temp\Swift-PaymentInvoice20220331_pdf.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\Swift-PaymentInvoice20220331_pdf.exe"
   PID: 1320
   Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\mzdtplptw.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\mzdtplptw.exe C:\Users\Admin\AppData\Local\Temp\rhthfu
      PID: 904
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      3. C:\Users\Admin\AppData\Local\Temp\mzdtplptw.exe
         Command line: C:\Users\Admin\AppData\Local\Temp\mzdtplptw.exe C:\Users\Admin\AppData\Local\Temp\rhthfu
         PID: 3240
Network
MITRE ATT&CK Enterprise v6
Downloads
Filesize: 281KB
  MD5: cae134bb05999f1c66b0329fdc22ee66
  SHA1: 499fcb0b38076ff18e273a5dd6d905889444412c
  SHA256: 50807babb23db7da3d8ef3748d12df6bf9b7e8ee99149f915f75307fa39e82ca
  SHA512: 47b9e22f4de9281c736227bfbd053f5d608f24143fd20aec6b7596c10713e140200d10c06c81163b5b39fe9d42c8554449fd56b2154b4fefb9d99ce11b62ed1c
Filesize: 4KB
  MD5: 54559dc8cb88f66631b9669c4974b507
  SHA1: 24442b3b67f5ae007962321493553d135f4e44d3
  SHA256: 80a142ebbe3093dbc71d3f1eb9a29e680825248d0c26d394e4342dcdadc98cd4
  SHA512: adee1025e60cff48eadccfd3903c3b03ea8ca9a769ec07fa3fb805f43f7fdd95f323eaca2c68a2e0df28fc4588e7319448f3f55c65b47e882a76868dc409e3f0
Filesize: 4KB
  MD5: 54559dc8cb88f66631b9669c4974b507
  SHA1: 24442b3b67f5ae007962321493553d135f4e44d3
  SHA256: 80a142ebbe3093dbc71d3f1eb9a29e680825248d0c26d394e4342dcdadc98cd4
  SHA512: adee1025e60cff48eadccfd3903c3b03ea8ca9a769ec07fa3fb805f43f7fdd95f323eaca2c68a2e0df28fc4588e7319448f3f55c65b47e882a76868dc409e3f0
Filesize: 7KB
  MD5: feafb4af38c5b94807071b0601d22ebf
  SHA1: 0c81ca80b14892ae00e970d7631e1fa403052f9c
  SHA256: 7c813b26af97aeac39bed9802bb5d41de0aaa255da2bc07ddc98550aeec92067
  SHA512: 9d70489854b3c5fc3bf8f453f706c26b8a5f47628a7ec58bfd8a8b6f6eb923b7d1dbe00129e60fc82dc4e61ab1c8aafc50143396323a03acb20ce526a3c990b2