Analysis
- max time kernel: 123s
- max time network: 117s
- platform: windows7_x64
- resource: win7-20220414-en
- submitted: 21-05-2022 00:53
Static task: static1
Behavioral task: behavioral1
- Sample: Swift Copy.exe
- Resource: win7-20220414-en
Behavioral task: behavioral2
- Sample: Swift Copy.exe
- Resource: win10v2004-20220414-en
General
- Target: Swift Copy.exe
- Size: 337KB
- MD5: afc0f78081dad95484a2fc7f6796e9fd
- SHA1: 04074934445e1d662102ca3a3054bf5234a3dcab
- SHA256: a53234e64371c8586c0021df965b5cd0b23cd0f7db970a71ad686068df0bd850
- SHA512: 6b5920fb28044c520ce37b0316c4ce7d10c5a3aa8b800adca54da3e315c7abbba34c68d4ea729aa34f60898e6fae39b9f459ce4eec7ef19ec6db53da3225fb5c
Malware Config
Extracted
Family: matiex
- Protocol: smtp
- Host: smtp.yandex.com
- Port: 587
- Username: [email protected]
- Password: enugu042
These are the stealer's own exfiltration mailbox credentials, not victim data. The network indicator to hunt for is an outbound connection to smtp.yandex.com on port 587 from a process that is not a mail client.
Signatures
- Matiex Main Payload (6 IoCs)
  YARA rule family_matiex matched these memory dumps, all taken from the second Swift Copy.exe instance (PID 936):
  - behavioral1/memory/936-64-0x0000000000400000-0x0000000000470000-memory.dmp
  - behavioral1/memory/936-65-0x0000000000400000-0x0000000000470000-memory.dmp
  - behavioral1/memory/936-66-0x0000000000400000-0x0000000000470000-memory.dmp
  - behavioral1/memory/936-67-0x000000000046BE7E-mapping.dmp
  - behavioral1/memory/936-69-0x0000000000400000-0x0000000000470000-memory.dmp
  - behavioral1/memory/936-71-0x0000000000400000-0x0000000000470000-memory.dmp
- Reads user/profile data of local email clients (2 TTPs)
  Email clients store some user data on disk, where infostealers often target it.
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials.
- Accesses Microsoft Outlook profiles (1 TTPs, 3 IoCs)
  Registry keys opened by the second Swift Copy.exe instance:
  - \REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
  - \REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
  - \REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
- Looks up external IP address via web service (3 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  - flow 4: checkip.dyndns.org
  - flow 8: freegeoip.app
  - flow 9: freegeoip.app
- Suspicious use of SetThreadContext (1 IoCs)
  - PID 756 (Swift Copy.exe) set thread context of PID 936 (Swift Copy.exe)
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). The signature's generic description calls this likely ransomware behaviour, but nothing else in this report shows file encryption (the only file written is the task XML in %TEMP%); for a Matiex stealer, drive enumeration is better read as victim profiling.
- Creates scheduled task(s) (1 TTPs, 1 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
- Suspicious behavior: EnumeratesProcesses (3 IoCs)
  - PID 756 Swift Copy.exe (3 occurrences)
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  - Token: SeDebugPrivilege, PID 756 Swift Copy.exe
  - Token: SeDebugPrivilege, PID 936 Swift Copy.exe
- Suspicious use of WriteProcessMemory (13 IoCs)
  - PID 756 (Swift Copy.exe) wrote to memory of PID 1884 (schtasks.exe): 4 entries
  - PID 756 (Swift Copy.exe) wrote to memory of PID 936 (Swift Copy.exe): 9 entries
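The SetThreadContext and WriteProcessMemory entries above together describe the sample spawning a second copy of itself, overwriting it and redirecting its thread: process hollowing. The Python below is an added example, not code from the sandbox or from this report. It re-types the two tables as constructed records (the PIDs and image names are the report's) and flags a parent that writes into a same-image child and then calls SetThreadContext on it, while keeping the writes into an ordinary child such as schtasks.exe separate, since those receive no SetThreadContext.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    """One row of the report's 'wrote to memory of' / 'set thread context of' tables."""
    api: str           # "WriteProcessMemory" or "SetThreadContext"
    pid: int           # acting process
    image: str         # acting process image name
    target_pid: int
    target_image: str


# Constructed from the report's tables: 4 writes into schtasks.exe, 9 writes into the
# second Swift Copy.exe, then one SetThreadContext on that second instance.
EVENTS = (
    [ProcEvent("WriteProcessMemory", 756, "Swift Copy.exe", 1884, "schtasks.exe")] * 4
    + [ProcEvent("WriteProcessMemory", 756, "Swift Copy.exe", 936, "Swift Copy.exe")] * 9
    + [ProcEvent("SetThreadContext", 756, "Swift Copy.exe", 936, "Swift Copy.exe")]
)


def find_self_hollowing(events, min_writes=1):
    """Return one finding per (parent, child) pair where the parent wrote into a
    child running the same image and then called SetThreadContext on it.

    That sequence is the classic hollowing / RunPE pattern: start a suspended
    copy of yourself, overwrite its image with the unpacked payload, point the
    main thread at the new entry point, resume. Writes into a child that never
    receives SetThreadContext are not flagged by this check.
    """
    writes = defaultdict(int)
    images = {}
    ctx_pairs = set()
    for e in events:
        key = (e.pid, e.target_pid)
        images[key] = (e.image, e.target_image)
        if e.api == "WriteProcessMemory":
            writes[key] += 1
        elif e.api == "SetThreadContext":
            ctx_pairs.add(key)

    findings = []
    for key in sorted(ctx_pairs):
        parent_img, child_img = images[key]
        if writes[key] >= min_writes and parent_img.lower() == child_img.lower():
            findings.append({
                "parent": key[0],
                "child": key[1],
                "image": child_img,
                "writes": writes[key],
            })
    return findings


def unflagged_writes(events):
    """(parent, child, target_image, count) for write targets that were not hollowed,
    e.g. the schtasks.exe child here, which is consistent with a plain child spawn."""
    flagged = {(f["parent"], f["child"]) for f in find_self_hollowing(events)}
    counts = defaultdict(int)
    names = {}
    for e in events:
        key = (e.pid, e.target_pid)
        if e.api == "WriteProcessMemory" and key not in flagged:
            counts[key] += 1
            names[key] = e.target_image
    return [(p, c, names[(p, c)], n) for (p, c), n in sorted(counts.items())]


if __name__ == "__main__":
    for f in find_self_hollowing(EVENTS):
        print(f"hollowing: {f['parent']} -> {f['child']} ({f['image']}, {f['writes']} writes)")
    for p, c, img, n in unflagged_writes(EVENTS):
        print(f"ordinary child write: {p} -> {c} ({img}, {n} writes)")
```

Run against the constructed events it reports a single hollowing pair, 756 into 936, with nine writes, and lists the four writes into schtasks.exe as ordinary. On a real EDR feed the same logic applies to process-access and thread-context telemetry; requiring a matching image name is what keeps it from firing on debuggers and installers that legitimately write into unrelated children.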
- outlook_office_path (1 IoCs)
  - Key opened by Swift Copy.exe: \REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
- outlook_win_path (1 IoCs)
  - Key opened by Swift Copy.exe: \REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Processes
- C:\Users\Admin\AppData\Local\Temp\Swift Copy.exe (PID 756)
  Command line: "C:\Users\Admin\AppData\Local\Temp\Swift Copy.exe"
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\schtasks.exe (PID 1884)
    Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\VbrblCHyQq" /XML "C:\Users\Admin\AppData\Local\Temp\tmp77DF.tmp"
    (The command line names System32 but the image that ran is under SysWOW64: the 32-bit parent's path is redirected by WoW64 file system redirection.)
    - Creates scheduled task(s)
  - C:\Users\Admin\AppData\Local\Temp\Swift Copy.exe (PID 936, target of the WriteProcessMemory/SetThreadContext from PID 756)
    Command line: "{path}"
    - Accesses Microsoft Outlook profiles
    - Suspicious use of AdjustPrivilegeToken
    - outlook_office_path
    - outlook_win_path
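The schtasks invocation in the tree is the sample's persistence. The Python below is an added triage helper, not code from the report or the sandbox: it tokenizes the command line, pulls out /TN and /XML, flags the task definition being loaded from a .tmp file in the user's temp directory and the "Updates\" task folder, and reports where the registered task lives on disk and in the registry, which is where it must be collected from once tmp77DF.tmp has been deleted. The Tasks folder and TaskCache\Tree paths assume a default %SystemRoot% of C:\Windows; the benign comparison command line in the usage is constructed.

```python
import re
from pathlib import PureWindowsPath

# Command line exactly as the report's process tree shows it for PID 1884.
CMDLINE = (r'"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\VbrblCHyQq" '
           r'/XML "C:\Users\Admin\AppData\Local\Temp\tmp77DF.tmp"')

_TOKEN = re.compile(r'"([^"]*)"|(\S+)')
TEMP_MARKERS = ("\\appdata\\local\\temp\\", "\\windows\\temp\\")


def split_cmdline(cmdline):
    """Tokenize a Windows command line: a double-quoted run is one token and
    anything else splits on whitespace (enough for schtasks invocations)."""
    return [m.group(1) if m.group(1) is not None else m.group(2)
            for m in _TOKEN.finditer(cmdline)]


def parse_schtasks(cmdline):
    """Map schtasks switches (lower-cased, without the slash) to their values,
    or True for bare switches. Returns None if the program is not schtasks.exe."""
    toks = split_cmdline(cmdline)
    if not toks or PureWindowsPath(toks[0]).name.lower() != "schtasks.exe":
        return None
    opts, i = {}, 1
    while i < len(toks):
        tok = toks[i]
        if tok.startswith("/"):
            has_value = i + 1 < len(toks) and not toks[i + 1].startswith("/")
            opts[tok[1:].lower()] = toks[i + 1] if has_value else True
            i += 2 if has_value else 1
        else:
            i += 1
    return opts


def _text(value):
    return value if isinstance(value, str) else ""


def triage_schtasks(cmdline, system_root="C:\\Windows"):
    """Explain a 'schtasks /Create' and say where the registered task ends up.

    Assumes a default %SystemRoot%: the task XML is stored as
    <SystemRoot>\\System32\\Tasks\\<TN> and indexed under the TaskCache\\Tree
    registry key, so both outlive the temporary source file.
    """
    opts = parse_schtasks(cmdline)
    if not opts or "create" not in opts:
        return None
    tn = _text(opts.get("tn"))
    xml = _text(opts.get("xml"))
    reasons = []
    if any(marker in xml.lower() for marker in TEMP_MARKERS):
        reasons.append("task definition loaded from a temp directory")
    if PureWindowsPath(xml).suffix.lower() == ".tmp":
        reasons.append("task definition has a .tmp extension")
    if tn.lower().startswith("updates\\"):
        reasons.append("task registered under an 'Updates' folder, mimicking a software updater")
    return {
        "task_name": tn,
        "xml_source": xml,
        "task_file": system_root + "\\System32\\Tasks\\" + tn,
        "taskcache_key": ("HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion"
                          "\\Schedule\\TaskCache\\Tree\\" + tn),
        "suspicious": bool(reasons),
        "reasons": reasons,
    }


if __name__ == "__main__":
    result = triage_schtasks(CMDLINE)
    for key, value in result.items():
        print(f"{key}: {value}")
    # Constructed benign comparison: vendor updater registered from its own install dir.
    print(triage_schtasks('schtasks.exe /Create /TN "Vendor\\Updater" '
                          '/XML "C:\\Program Files\\Vendor\\updater.xml)"')["suspicious"])
```

For the report's command line all three reasons fire and the task is located at C:\Windows\System32\Tasks\Updates\VbrblCHyQq and under TaskCache\Tree\Updates\VbrblCHyQq; the .tmp source in %TEMP% is the part the sample can remove, the registered copy is what the responder pulls to see the action the task runs.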
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\tmp77DF.tmp
  Filesize: 1KB
  MD5: 3eb33cb42ae87cf8b0fe99aab1c11704
  SHA1: 5a0b303e5308553a7de8102df337a87c064cbb24
  SHA256: 66c025fa4ec2e6c1e053af2a55a0cc0eb1b198945c2b697c1b1e45e82df834c6
  SHA512: 4cb7da5f27beb09eb73f281cab183efced6f37db4a5487a3a028e6912a6feb39be468cd605aa55fa90833933b092cbe9bde149a8811c7cde1c11913bd275b1ad
- memory/756-54-0x0000000000900000-0x000000000095A000-memory.dmp (360KB)
- memory/756-55-0x00000000755B1000-0x00000000755B3000-memory.dmp (8KB)
- memory/756-56-0x00000000005B0000-0x00000000005C0000-memory.dmp (64KB)
- memory/756-57-0x0000000001F60000-0x0000000001FA8000-memory.dmp (288KB)
- memory/756-58-0x0000000002040000-0x00000000020B0000-memory.dmp (448KB)
- memory/936-61-0x0000000000400000-0x0000000000470000-memory.dmp (448KB)
- memory/936-62-0x0000000000400000-0x0000000000470000-memory.dmp (448KB)
- memory/936-64-0x0000000000400000-0x0000000000470000-memory.dmp (448KB)
- memory/936-65-0x0000000000400000-0x0000000000470000-memory.dmp (448KB)
- memory/936-66-0x0000000000400000-0x0000000000470000-memory.dmp (448KB)
- memory/936-67-0x000000000046BE7E-mapping.dmp
- memory/936-69-0x0000000000400000-0x0000000000470000-memory.dmp (448KB)
- memory/936-71-0x0000000000400000-0x0000000000470000-memory.dmp (448KB)
- memory/1884-59-0x0000000000000000-mapping.dmp
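Added example covering both the Matiex Main Payload matches and this Downloads list (it is not code from the report or the sandbox): it parses the dump names, checks the sizes the report prints against each address range, and shows which process and region hold the unpacked payload. Everything it consumes is copied from the report; nothing else is assumed. The family rule matched only the 0x400000-0x470000 image region of PID 936, the address-only mapping dump at 0x46BE7E falls inside that region, and the parent's 0x2040000-0x20B0000 region is the same 448KB, which is where one would look in PID 756 for the payload staged before injection.

```python
import re
from collections import defaultdict

# Dump names copied from the report: the six family_matiex matches, and the
# Downloads entries with the sizes the report prints for them (KB).
MATIEX_HITS = [
    "behavioral1/memory/936-64-0x0000000000400000-0x0000000000470000-memory.dmp",
    "behavioral1/memory/936-65-0x0000000000400000-0x0000000000470000-memory.dmp",
    "behavioral1/memory/936-66-0x0000000000400000-0x0000000000470000-memory.dmp",
    "behavioral1/memory/936-67-0x000000000046BE7E-mapping.dmp",
    "behavioral1/memory/936-69-0x0000000000400000-0x0000000000470000-memory.dmp",
    "behavioral1/memory/936-71-0x0000000000400000-0x0000000000470000-memory.dmp",
]
REPORTED_KB = {
    "memory/756-54-0x0000000000900000-0x000000000095A000-memory.dmp": 360,
    "memory/756-55-0x00000000755B1000-0x00000000755B3000-memory.dmp": 8,
    "memory/756-56-0x00000000005B0000-0x00000000005C0000-memory.dmp": 64,
    "memory/756-57-0x0000000001F60000-0x0000000001FA8000-memory.dmp": 288,
    "memory/756-58-0x0000000002040000-0x00000000020B0000-memory.dmp": 448,
    "memory/936-61-0x0000000000400000-0x0000000000470000-memory.dmp": 448,
}

# <task>/memory/<pid>-<seq>-0x<start>[-0x<end>]-<memory|mapping>.dmp
_DUMP = re.compile(
    r"^(?:[^/]+/)?memory/(?P<pid>\d+)-(?P<seq>\d+)-0x(?P<start>[0-9a-fA-F]+)"
    r"(?:-0x(?P<end>[0-9a-fA-F]+))?-(?P<kind>memory|mapping)\.dmp$"
)


def parse_dump(name):
    """Split a dump file name into pid, sequence number, kind and address range.
    Address-only 'mapping' dumps have no end and therefore no size."""
    m = _DUMP.match(name)
    if not m:
        raise ValueError(f"not a sandbox dump name: {name}")
    start = int(m["start"], 16)
    end = int(m["end"], 16) if m["end"] else None
    return {"pid": int(m["pid"]), "seq": int(m["seq"]), "kind": m["kind"],
            "start": start, "end": end, "size": end - start if end else None}


def size_mismatches(reported_kb):
    """Names whose address range disagrees with the size printed beside them."""
    return [name for name, kb in reported_kb.items()
            if parse_dump(name)["size"] != kb * 1024]


def payload_regions(hit_names):
    """Per PID: the region(s) a family rule matched, each with the size in KB and
    any address-only mapping dumps of the same PID that fall inside it."""
    regions = defaultdict(set)
    points = defaultdict(list)
    for d in map(parse_dump, hit_names):
        if d["end"] is None:
            points[d["pid"]].append(d["start"])
        else:
            regions[d["pid"]].add((d["start"], d["end"]))
    out = {}
    for pid, regs in regions.items():
        for start, end in sorted(regs):
            inside = sorted(a for a in points[pid] if start <= a < end)
            out.setdefault(pid, []).append({
                "start": start, "end": end, "size_kb": (end - start) // 1024,
                "addresses_inside": inside,
            })
    return out


def same_size_regions(reported_kb, size_kb):
    """Other dumps whose region is exactly size_kb, e.g. a staged copy in the parent."""
    return [name for name in reported_kb
            if parse_dump(name)["size"] == size_kb * 1024]


if __name__ == "__main__":
    print("size mismatches:", size_mismatches(REPORTED_KB))
    for pid, regs in payload_regions(MATIEX_HITS).items():
        for r in regs:
            print(f"PID {pid}: payload at {r['start']:#x}-{r['end']:#x} "
                  f"({r['size_kb']}KB), mapping addresses inside: "
                  f"{[hex(a) for a in r['addresses_inside']]}")
    print("448KB regions:", same_size_regions(REPORTED_KB, 448))
```

The dump to pull for the unpacked sample is therefore any of the PID 936 0x400000-0x470000 files; 0x400000 is the usual image base of a 32-bit executable, consistent with the child's original image having been replaced in place.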