Analysis

  • max time kernel
    111s
  • max time network
    144s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220331-en
  • submitted
    04-04-2022 20:04

General

  • Target

    Swift-PaymentInvoice20220331_pdf.exe

  • Size

    520KB

  • MD5

    72a9bcce9a210198f0d6a679b5bca7e4

  • SHA1

    d19326cef0a76c63343fb2a762331639ed6617c2

  • SHA256

    407f8e8ab8d4141df81d49cbb94e54ec89c80cd76ca0fa23b1bb2aa0ba74b0dc

  • SHA512

    ec190a3a1a887f8c4cd4863c671c5da20cc24ce6cb3ed14320a07e8e0318da7833bf882843175ea6cfe29a333839adca6f2bf4c606cba2ba0a7a012bb27824c6

Score
8/10

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Swift-PaymentInvoice20220331_pdf.exe
    "C:\Users\Admin\AppData\Local\Temp\Swift-PaymentInvoice20220331_pdf.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1320
    • C:\Users\Admin\AppData\Local\Temp\mzdtplptw.exe
      C:\Users\Admin\AppData\Local\Temp\mzdtplptw.exe C:\Users\Admin\AppData\Local\Temp\rhthfu
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:904
      • C:\Users\Admin\AppData\Local\Temp\mzdtplptw.exe
        C:\Users\Admin\AppData\Local\Temp\mzdtplptw.exe C:\Users\Admin\AppData\Local\Temp\rhthfu
        3⤵
          PID:3240

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\e8l6g8amyw8

      Filesize

      281KB

      MD5

      cae134bb05999f1c66b0329fdc22ee66

      SHA1

      499fcb0b38076ff18e273a5dd6d905889444412c

      SHA256

      50807babb23db7da3d8ef3748d12df6bf9b7e8ee99149f915f75307fa39e82ca

      SHA512

      47b9e22f4de9281c736227bfbd053f5d608f24143fd20aec6b7596c10713e140200d10c06c81163b5b39fe9d42c8554449fd56b2154b4fefb9d99ce11b62ed1c

    • C:\Users\Admin\AppData\Local\Temp\mzdtplptw.exe

      Filesize

      4KB

      MD5

      54559dc8cb88f66631b9669c4974b507

      SHA1

      24442b3b67f5ae007962321493553d135f4e44d3

      SHA256

      80a142ebbe3093dbc71d3f1eb9a29e680825248d0c26d394e4342dcdadc98cd4

      SHA512

      adee1025e60cff48eadccfd3903c3b03ea8ca9a769ec07fa3fb805f43f7fdd95f323eaca2c68a2e0df28fc4588e7319448f3f55c65b47e882a76868dc409e3f0

    • C:\Users\Admin\AppData\Local\Temp\mzdtplptw.exe

      Filesize

      4KB

      MD5

      54559dc8cb88f66631b9669c4974b507

      SHA1

      24442b3b67f5ae007962321493553d135f4e44d3

      SHA256

      80a142ebbe3093dbc71d3f1eb9a29e680825248d0c26d394e4342dcdadc98cd4

      SHA512

      adee1025e60cff48eadccfd3903c3b03ea8ca9a769ec07fa3fb805f43f7fdd95f323eaca2c68a2e0df28fc4588e7319448f3f55c65b47e882a76868dc409e3f0

    • C:\Users\Admin\AppData\Local\Temp\rhthfu

      Filesize

      7KB

      MD5

      feafb4af38c5b94807071b0601d22ebf

      SHA1

      0c81ca80b14892ae00e970d7631e1fa403052f9c

      SHA256

      7c813b26af97aeac39bed9802bb5d41de0aaa255da2bc07ddc98550aeec92067

      SHA512

      9d70489854b3c5fc3bf8f453f706c26b8a5f47628a7ec58bfd8a8b6f6eb923b7d1dbe00129e60fc82dc4e61ab1c8aafc50143396323a03acb20ce526a3c990b2