Analysis

Max time kernel: 148s
Max time network: 170s
Platform: windows7_x64
Resource: win7-20220414-en
Submitted: 21-05-2022 01:15

Static task: static1
Behavioral task: behavioral1
Sample: SWIFT COPY.exe
Resource: win7-20220414-en

General

Target: SWIFT COPY.exe
Size: 581KB
MD5: da742ece94ba3ede7902f700f0f09954
SHA1: b9983af1eb41fee6a0bbefc06e0e263ebf1291ba
SHA256: 28ddf0fa7f44508ea2b7c6f2de45496e5a031aa84d095c0b8c14732173073fc7
SHA512: 95d4e5c639878043d89c8f26d4e876bb3d83728e757e61a9a9f96d0a13dc936dcd28072083552b78e382241793af63cfbbabdaf1367cddd21b3c1413bceabc3a
Malware Config

Extracted: formbook 3.9 ch62
Signatures

Formbook Payload (4 IoCs)
  resource | yara_rule
  behavioral1/memory/1300-59-0x0000000000400000-0x000000000042A000-memory.dmp | formbook
  behavioral1/memory/1300-60-0x000000000041B6D0-mapping.dmp | formbook
  behavioral1/memory/1300-62-0x0000000000400000-0x000000000042A000-memory.dmp | formbook
  behavioral1/memory/1844-72-0x0000000000080000-0x00000000000AA000-memory.dmp | formbook

Looks for VirtualBox Guest Additions in registry (2 TTPs)

Looks for VMWare Tools registry key (2 TTPs)

Checks BIOS information in registry (2 TTPs, 2 IoCs)
BIOS information is often read in order to detect sandboxing environments.
  description | ioc | process
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | SWIFT COPY.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | SWIFT COPY.exe

Deletes itself (1 IoC)
  pid | process
  848 | cmd.exe

Maps connected drives based on registry (3 TTPs, 2 IoCs)
Disk information is often read in order to detect sandboxing environments.
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | SWIFT COPY.exe
  Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 | SWIFT COPY.exe

Suspicious use of SetThreadContext (4 IoCs)
  description | pid | process | target process
  PID 1724 set thread context of 1300 | 1724 | SWIFT COPY.exe | SWIFT COPY.exe
  PID 1300 set thread context of 1252 | 1300 | SWIFT COPY.exe | Explorer.EXE
  PID 1300 set thread context of 1252 | 1300 | SWIFT COPY.exe | Explorer.EXE
  PID 1844 set thread context of 1252 | 1844 | help.exe | Explorer.EXE

Suspicious behavior: EnumeratesProcesses (16 IoCs)
  pid | process | occurrences
  1300 | SWIFT COPY.exe | 3
  1844 | help.exe | 13

Suspicious behavior: MapViewOfSection (6 IoCs)
  pid | process | occurrences
  1300 | SWIFT COPY.exe | 4
  1844 | help.exe | 2

Suspicious use of AdjustPrivilegeToken (3 IoCs)
  description | pid | process
  Token: SeDebugPrivilege | 1300 | SWIFT COPY.exe
  Token: SeDebugPrivilege | 1844 | help.exe
  Token: SeShutdownPrivilege | 1252 | Explorer.EXE

Suspicious use of FindShellTrayWindow (2 IoCs)
  pid | process | occurrences
  1252 | Explorer.EXE | 2

Suspicious use of SendNotifyMessage (2 IoCs)
  pid | process | occurrences
  1252 | Explorer.EXE | 2

Suspicious use of WriteProcessMemory (15 IoCs)
  description | pid | process | target process | occurrences
  PID 1724 wrote to memory of 1300 | 1724 | SWIFT COPY.exe | SWIFT COPY.exe | 7
  PID 1252 wrote to memory of 1844 | 1252 | Explorer.EXE | help.exe | 4
  PID 1844 wrote to memory of 848 | 1844 | help.exe | cmd.exe | 4
Processes

C:\Windows\Explorer.EXE
  command line: C:\Windows\Explorer.EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\SWIFT COPY.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\SWIFT COPY.exe"
    - Checks BIOS information in registry
    - Maps connected drives based on registry
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\SWIFT COPY.exe
      command line: "{path}"
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken

  C:\Windows\SysWOW64\help.exe
    command line: "C:\Windows\SysWOW64\help.exe"
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\cmd.exe
      command line: /c del "C:\Users\Admin\AppData\Local\Temp\SWIFT COPY.exe"
      - Deletes itself
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

dump | filesize
memory/848-73-0x0000000000000000-mapping.dmp |
memory/1252-65-0x0000000007890000-0x00000000079CA000-memory.dmp | 1.2MB
memory/1252-75-0x0000000004F70000-0x0000000005067000-memory.dmp | 988KB
memory/1252-68-0x00000000039F0000-0x0000000003AB1000-memory.dmp | 772KB
memory/1300-64-0x0000000000120000-0x0000000000134000-memory.dmp | 80KB
memory/1300-57-0x0000000000400000-0x000000000042A000-memory.dmp | 168KB
memory/1300-62-0x0000000000400000-0x000000000042A000-memory.dmp | 168KB
memory/1300-63-0x0000000000770000-0x0000000000A73000-memory.dmp | 3.0MB
memory/1300-60-0x000000000041B6D0-mapping.dmp |
memory/1300-59-0x0000000000400000-0x000000000042A000-memory.dmp | 168KB
memory/1300-67-0x00000000003E0000-0x00000000003F4000-memory.dmp | 80KB
memory/1300-56-0x0000000000400000-0x000000000042A000-memory.dmp | 168KB
memory/1724-54-0x00000000752B1000-0x00000000752B3000-memory.dmp | 8KB
memory/1724-55-0x0000000074140000-0x00000000746EB000-memory.dmp | 5.7MB
memory/1844-70-0x0000000000140000-0x0000000000146000-memory.dmp | 24KB
memory/1844-71-0x0000000000850000-0x0000000000B53000-memory.dmp | 3.0MB
memory/1844-72-0x0000000000080000-0x00000000000AA000-memory.dmp | 168KB
memory/1844-69-0x0000000000000000-mapping.dmp |
memory/1844-74-0x00000000006C0000-0x0000000000753000-memory.dmp | 588KB