Analysis
- max time kernel: 183s
- max time network: 203s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 20-05-2022 22:49
- Static task: static1
- Behavioral task: behavioral1
  - Sample: Swift Copy.exe
  - Resource: win7-20220414-en
General
- Target: Swift Copy.exe
- Size: 341KB
- MD5: b864067e3fa697652752fcd54f2b0621
- SHA1: b9c2af989e2a4665df92e734bf7e1894ad9b873f
- SHA256: 9b8107f42878501861702cac98baea7034b91231b362ce08741479aaf7c6cf4d
- SHA512: 6e37f92c0833881d8a533e5d696d536af4c10b0b835f5c65d979961a07784ea70ca9ae2942248a32251a892eef296e6c5f9f19ebf71d373320cb5e78a1d8eac5
Malware Config
Extracted family: netwire
C2: 185.244.29.161:1591
- activex_autorun: false
- activex_key:
- copy_executable: true
- delete_original: false
- host_id: HostId-%Rand%
- install_path: %AppData%\Install\Host.exe
- keylogger_dir: %AppData%\Logs\
- lock_executable: false
- mutex: NeiqFfto
- offline_keylogger: true
- password: Password
- registry_autorun: false
- startup_name:
- use_mutex: true
Signatures

NetWire RAT payload (3 IoCs)
| resource | yara_rule |
| behavioral2/memory/4256-134-0x0000000000400000-0x0000000000430000-memory.dmp | netwire |
| behavioral2/memory/4256-138-0x0000000000400000-0x0000000000430000-memory.dmp | netwire |
| behavioral2/memory/4256-142-0x0000000000400000-0x0000000000430000-memory.dmp | netwire |

Executes dropped EXE (2 IoCs)
| pid | process |
| 4256 | svhost.exe |
| 4304 | Host.exe |

Checks computer location settings (2 TTPs, 2 IoCs)
Looks up country code configured in the registry, likely geofence.
| description | ioc | process |
| Key value queried | \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation | Swift Copy.exe |
| Key value queried | \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation | svhost.exe |

Suspicious use of SetThreadContext (1 IoC)
| description | pid | process | target process |
| PID 3104 set thread context of 4256 | 3104 | Swift Copy.exe | svhost.exe |

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Delays execution with timeout.exe (1 IoC)
| pid | process |
| 4444 | timeout.exe |

NTFS ADS (1 IoC)
| description | ioc | process |
| File created | C:\Users\Admin\AppData\Local\Temp\FolderN\name.exe:Zone.Identifier | cmd.exe |

Suspicious behavior: EnumeratesProcesses (4 IoCs)
| pid | process |
| 3104 | Swift Copy.exe (4 events) |

Suspicious use of AdjustPrivilegeToken (1 IoC)
| description | pid | process |
| Token: SeDebugPrivilege | 3104 | Swift Copy.exe |

Suspicious use of WriteProcessMemory (31 IoCs; identical rows collapsed with a count)
| description | pid | process | target process | count |
| PID 3104 wrote to memory of 4256 | 3104 | Swift Copy.exe | svhost.exe | 10 |
| PID 3104 wrote to memory of 4852 | 3104 | Swift Copy.exe | cmd.exe | 3 |
| PID 4256 wrote to memory of 4304 | 4256 | svhost.exe | Host.exe | 3 |
| PID 3104 wrote to memory of 760 | 3104 | Swift Copy.exe | cmd.exe | 3 |
| PID 760 wrote to memory of 4456 | 760 | cmd.exe | reg.exe | 3 |
| PID 3104 wrote to memory of 2232 | 3104 | Swift Copy.exe | cmd.exe | 3 |
| PID 3104 wrote to memory of 4112 | 3104 | Swift Copy.exe | cmd.exe | 3 |
| PID 4112 wrote to memory of 4444 | 4112 | cmd.exe | timeout.exe | 3 |
Processes
- C:\Users\Admin\AppData\Local\Temp\Swift Copy.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\Swift Copy.exe"
  - Checks computer location settings
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\svhost.exe (depth 2)
    Command line: "C:\Users\Admin\AppData\Local\Temp\svhost.exe"
    - Executes dropped EXE
    - Checks computer location settings
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Roaming\Install\Host.exe (depth 3)
      Command line: "C:\Users\Admin\AppData\Roaming\Install\Host.exe"
      - Executes dropped EXE
  - C:\Windows\SysWOW64\cmd.exe (depth 2)
    Command line: "C:\Windows\System32\cmd.exe" /c copy "C:/Users/Admin/AppData/Local/Temp/Swift Copy.exe" "%temp%\FolderN\name.exe" /Y
  - C:\Windows\SysWOW64\cmd.exe (depth 2)
    Command line: "C:\Windows\System32\cmd.exe" /c reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /v Load /t REG_SZ /d "%temp%\FolderN\name.exe.lnk" /f
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\reg.exe (depth 3)
      Command line: reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /v Load /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\FolderN\name.exe.lnk" /f
  - C:\Windows\SysWOW64\cmd.exe (depth 2)
    Command line: "C:\Windows\System32\cmd.exe" /c echo [zoneTransfer]ZoneID = 2 > %temp%\FolderN\name.exe:Zone.Identifier
    - NTFS ADS
  - C:\Windows\SysWOW64\cmd.exe (depth 2)
    Command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\FolderN\name.exe.bat
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\timeout.exe (depth 3)
      Command line: timeout /t 300
      - Delays execution with timeout.exe
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads
- C:\Users\Admin\AppData\Local\Temp\FolderN\name.exe
  Filesize: 341KB
  MD5: b864067e3fa697652752fcd54f2b0621
  SHA1: b9c2af989e2a4665df92e734bf7e1894ad9b873f
  SHA256: 9b8107f42878501861702cac98baea7034b91231b362ce08741479aaf7c6cf4d
  SHA512: 6e37f92c0833881d8a533e5d696d536af4c10b0b835f5c65d979961a07784ea70ca9ae2942248a32251a892eef296e6c5f9f19ebf71d373320cb5e78a1d8eac5
- C:\Users\Admin\AppData\Local\Temp\FolderN\name.exe.bat
  Filesize: 204B
  MD5: bfcbf382f036462e63f307ca4ae280c7
  SHA1: ffe98d15fa5ea205220d6bc105e317253a6ea003
  SHA256: 2c3dd84c3ce3e529117e611d8caf4fc7f5a902840350f4ca524c251a2152c727
  SHA512: 1b912652cc989541b396df5fd6bf207a4cf4ed891dc6e3223b8d0497c19a2589cb644c4c96ca01d882a7643f240c566966d84e46d77e9ad33e05214f8f553d16
- C:\Users\Admin\AppData\Local\Temp\svhost.exe (listed twice in the report with identical hashes)
  Filesize: 2.5MB
  MD5: 0a7608db01cae07792cea95e792aa866
  SHA1: 71dff876e4d5edb6cea78fee7aa15845d4950e24
  SHA256: c16336ab32195b08c1678220fbe0256fee865f623e2b32fcfa4d9825fd68977e
  SHA512: 990a6fa1b8adb6727b1dcd8931ad84fdcb556533b78f896a71eae2a7e3ae3222e4b8efaa4b629ced2841211750e0d8a75ddd546a983c2e586918dd8ba4e0dc42
- C:\Users\Admin\AppData\Roaming\Install\Host.exe (listed twice in the report with identical hashes; same content as svhost.exe)
  Filesize: 2.5MB
  MD5: 0a7608db01cae07792cea95e792aa866
  SHA1: 71dff876e4d5edb6cea78fee7aa15845d4950e24
  SHA256: c16336ab32195b08c1678220fbe0256fee865f623e2b32fcfa4d9825fd68977e
  SHA512: 990a6fa1b8adb6727b1dcd8931ad84fdcb556533b78f896a71eae2a7e3ae3222e4b8efaa4b629ced2841211750e0d8a75ddd546a983c2e586918dd8ba4e0dc42