Analysis
Max time kernel: 151s
Max time network: 156s
Platform: windows7_x64
Resource: win7-20220414-en
Submitted: 21-05-2022 02:57
Static task: static1
Behavioral task: behavioral1
Sample: swift message.exe
Resource: win7-20220414-en
General
Target: swift message.exe
Size: 324KB
MD5: 93859a46557699b2689840de0df68318
SHA1: 2f8c20dfc3fa635c5a4c88b4edee85c18b08a94d
SHA256: d2795ed096e7331d84947a9ba6a1c3fae5203b50f5a3563bda0382ab84e1c8bb
SHA512: bf1b3bcc1564e1c22095926f8eb9848ad740685d4744af56e1fe0487f52a20ff64a9732ff1933cafddf86959db56f34034b6e1d0bc85088b3a259be64ed79ec5
Malware Config
Extracted
Family: asyncrat
Version: 0.5.7B
Botnet: Forwork
C2: sack517.ddns.net:6565
C2: sack517.duckdns.org:6565
Mutex: AsyncMutex_dgh6775Pxz
delay: 3
install: false
install_folder: %AppData%
Signatures

CoreEntity .NET Packer (1 IoC)
A .NET packer, CoreEntity, that embeds the payload as a Bitmap object which is decrypted at runtime.
Processes:
  resource                                                               yara_rule
  behavioral1/memory/736-57-0x0000000000480000-0x0000000000488000-memory.dmp  coreentity

Async RAT payload (6 IoCs)
Processes:
  resource                                                               yara_rule
  behavioral1/memory/1256-64-0x0000000000400000-0x0000000000412000-memory.dmp  asyncrat
  behavioral1/memory/1256-65-0x0000000000400000-0x0000000000412000-memory.dmp  asyncrat
  behavioral1/memory/1256-66-0x0000000000400000-0x0000000000412000-memory.dmp  asyncrat
  behavioral1/memory/1256-67-0x000000000040C75E-mapping.dmp                   asyncrat
  behavioral1/memory/1256-69-0x0000000000400000-0x0000000000412000-memory.dmp  asyncrat
  behavioral1/memory/1256-71-0x0000000000400000-0x0000000000412000-memory.dmp  asyncrat

CoreCCC Packer (1 IoC)
Detects the CoreCCC packer used to load .NET malware.
Processes:
  resource                                                               yara_rule
  behavioral1/memory/736-54-0x0000000000980000-0x00000000009D6000-memory.dmp  coreccc
Looks for VirtualBox Guest Additions in registry (2 TTPs)

ReZer0 packer (1 IoC)
Detects ReZer0, a packer with multiple versions used in various campaigns.
Processes:
  resource                                                               yara_rule
  behavioral1/memory/736-58-0x0000000000510000-0x0000000000528000-memory.dmp  rezer0

Looks for VMWare Tools registry key (2 TTPs)

Checks BIOS information in registry (2 TTPs, 2 IoCs)
BIOS information is often read in order to detect sandboxing environments.
Processes: swift message.exe
  description         ioc                                                                 process
  Key value queried   \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion     swift message.exe
  Key value queried   \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion      swift message.exe

Maps connected drives based on registry (3 TTPs, 2 IoCs)
Disk information is often read in order to detect sandboxing environments.
Processes: swift message.exe
  description         ioc                                                                 process
  Key opened          \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum           swift message.exe
  Key value queried   \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0         swift message.exe
Suspicious use of SetThreadContext (1 IoC)
Processes: swift message.exe
  description                          pid   process             target process
  PID 736 set thread context of 1256   736   swift message.exe   MSBuild.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Creates scheduled task(s) (1 TTP, 1 IoC)
Schtasks is often used by malware for persistence or to perform post-infection execution.

Suspicious use of AdjustPrivilegeToken (1 IoC)
Processes: MSBuild.exe
  description               pid    process
  Token: SeDebugPrivilege   1256   MSBuild.exe

Suspicious use of WriteProcessMemory (13 IoCs)
Processes: swift message.exe
  description                         pid   process             target process
  PID 736 wrote to memory of 1992     736   swift message.exe   schtasks.exe
  PID 736 wrote to memory of 1992     736   swift message.exe   schtasks.exe
  PID 736 wrote to memory of 1992     736   swift message.exe   schtasks.exe
  PID 736 wrote to memory of 1992     736   swift message.exe   schtasks.exe
  PID 736 wrote to memory of 1256     736   swift message.exe   MSBuild.exe
  PID 736 wrote to memory of 1256     736   swift message.exe   MSBuild.exe
  PID 736 wrote to memory of 1256     736   swift message.exe   MSBuild.exe
  PID 736 wrote to memory of 1256     736   swift message.exe   MSBuild.exe
  PID 736 wrote to memory of 1256     736   swift message.exe   MSBuild.exe
  PID 736 wrote to memory of 1256     736   swift message.exe   MSBuild.exe
  PID 736 wrote to memory of 1256     736   swift message.exe   MSBuild.exe
  PID 736 wrote to memory of 1256     736   swift message.exe   MSBuild.exe
  PID 736 wrote to memory of 1256     736   swift message.exe   MSBuild.exe
Processes

C:\Users\Admin\AppData\Local\Temp\swift message.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\swift message.exe"
  - Checks BIOS information in registry
  - Maps connected drives based on registry
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\schtasks.exe
    Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\jpvofbpTWi" /XML "C:\Users\Admin\AppData\Local\Temp\tmpED0.tmp"
    - Creates scheduled task(s)

  C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
    Command line: "{path}"
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

C:\Users\Admin\AppData\Local\Temp\tmpED0.tmp
  Filesize: 1KB
  MD5: 40152de67c67eeeb9ec539b1bda41c70
  SHA1: 45d9d0635358644f212060e020363054acaf4a45
  SHA256: f8232a024f88d14013fe408e8f91cc5afe7ffdb9ffcd230b296de3cf11c3abc0
  SHA512: d4bbcbc5ab0c66d8c030ba968d3aa9ee9072a84a5803dc056069d1b51f37978d291e78ea40f772590c8725f0680685e4cad6649627d8febdc7f7ce0668fe5c07

Memory dumps
  memory/736-57-0x0000000000480000-0x0000000000488000-memory.dmp    Filesize: 32KB
  memory/736-55-0x0000000000280000-0x000000000029C000-memory.dmp    Filesize: 112KB
  memory/736-54-0x0000000000980000-0x00000000009D6000-memory.dmp    Filesize: 344KB
  memory/736-58-0x0000000000510000-0x0000000000528000-memory.dmp    Filesize: 96KB
  memory/736-56-0x0000000076851000-0x0000000076853000-memory.dmp    Filesize: 8KB
  memory/1256-66-0x0000000000400000-0x0000000000412000-memory.dmp   Filesize: 72KB
  memory/1256-61-0x0000000000400000-0x0000000000412000-memory.dmp   Filesize: 72KB
  memory/1256-62-0x0000000000400000-0x0000000000412000-memory.dmp   Filesize: 72KB
  memory/1256-64-0x0000000000400000-0x0000000000412000-memory.dmp   Filesize: 72KB
  memory/1256-65-0x0000000000400000-0x0000000000412000-memory.dmp   Filesize: 72KB
  memory/1256-67-0x000000000040C75E-mapping.dmp
  memory/1256-69-0x0000000000400000-0x0000000000412000-memory.dmp   Filesize: 72KB
  memory/1256-71-0x0000000000400000-0x0000000000412000-memory.dmp   Filesize: 72KB
  memory/1992-59-0x0000000000000000-mapping.dmp