Analysis
- max time kernel: 148s
- max time network: 158s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 21-05-2022 02:57
- Static task: static1
- Behavioral task: behavioral1
- Sample: swift message.exe
- Resource: win7-20220414-en
General
- Target: swift message.exe
- Size: 324KB
- MD5: 93859a46557699b2689840de0df68318
- SHA1: 2f8c20dfc3fa635c5a4c88b4edee85c18b08a94d
- SHA256: d2795ed096e7331d84947a9ba6a1c3fae5203b50f5a3563bda0382ab84e1c8bb
- SHA512: bf1b3bcc1564e1c22095926f8eb9848ad740685d4744af56e1fe0487f52a20ff64a9732ff1933cafddf86959db56f34034b6e1d0bc85088b3a259be64ed79ec5
Malware Config
Extracted
- Family: asyncrat
- Version: 0.5.7B
- Botnet: Forwork
- C2: sack517.ddns.net:6565
- C2: sack517.duckdns.org:6565
- Mutex: AsyncMutex_dgh6775Pxz
- delay: 3
- install: false
- install_folder: %AppData%
Signatures
- Async RAT payload (1 IoC)
  Processes:
  - resource: behavioral2/memory/3080-139-0x0000000000400000-0x0000000000412000-memory.dmp; yara_rule: asyncrat
- CoreCCC Packer (1 IoC)
  Detects CoreCCC packer used to load .NET malware.
  Processes:
  - resource: behavioral2/memory/980-130-0x0000000000100000-0x0000000000156000-memory.dmp; yara_rule: coreccc
- Looks for VirtualBox Guest Additions in registry (2 TTPs)
- Looks for VMWare Tools registry key (2 TTPs)
- Checks BIOS information in registry (2 TTPs, 2 IoCs)
  BIOS information is often read in order to detect sandboxing environments.
  Processes: swift message.exe
  - Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion (process: swift message.exe)
  - Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion (process: swift message.exe)
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  Processes: swift message.exe
  - Key value queried: \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Control Panel\International\Geo\Nation (process: swift message.exe)
- Maps connected drives based on registry (3 TTPs, 2 IoCs)
  Disk information is often read in order to detect sandboxing environments.
  Processes: swift message.exe
  - Key value queried: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 (process: swift message.exe)
  - Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum (process: swift message.exe)
- Suspicious use of SetThreadContext (1 IoC)
  Processes: swift message.exe
  - PID 980 set thread context of 3080 (pid: 980; process: swift message.exe; target process: MSBuild.exe)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Creates scheduled task(s) (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
- Suspicious behavior: EnumeratesProcesses (1 IoC)
  Processes: swift message.exe
  - pid: 980; process: swift message.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes: swift message.exe, MSBuild.exe
  - Token: SeDebugPrivilege (pid: 980; process: swift message.exe)
  - Token: SeDebugPrivilege (pid: 3080; process: MSBuild.exe)
- Suspicious use of WriteProcessMemory (11 IoCs)
  Processes: swift message.exe
  - PID 980 wrote to memory of 204 (pid: 980; process: swift message.exe; target process: schtasks.exe), 3 entries
  - PID 980 wrote to memory of 3080 (pid: 980; process: swift message.exe; target process: MSBuild.exe), 8 entries
Processes
- C:\Users\Admin\AppData\Local\Temp\swift message.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\swift message.exe"
  Signatures:
  - Checks BIOS information in registry
  - Checks computer location settings
  - Maps connected drives based on registry
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\schtasks.exe (depth 2)
    Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\jpvofbpTWi" /XML "C:\Users\Admin\AppData\Local\Temp\tmp1E17.tmp"
    Signatures:
    - Creates scheduled task(s)
  - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe (depth 2)
    Command line: "{path}"
    Signatures:
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\tmp1E17.tmp
  Filesize: 1KB
  MD5: 3d3abeca7a65458a0b6438f99269621d
  SHA1: 2001142a8917c7db7bb53e50caa1e34a4e3f6b57
  SHA256: b213bdf0fd76608738b120fa9c9aaef89b689750ff5c2468729e9bd1fe00071b
  SHA512: 55a42ecf249b9b2ae0ee926231ba8db31c90b9950631559eb9bc08d89d79888d8ab695244627b3d3e5d96ccfc2080833d65c4a94058f66e5ca770c10b596a179
- memory/204-136-0x0000000000000000-mapping.dmp
- memory/980-130-0x0000000000100000-0x0000000000156000-memory.dmp
  Filesize: 344KB
- memory/980-131-0x00000000095A0000-0x0000000009B44000-memory.dmp
  Filesize: 5.6MB
- memory/980-132-0x0000000004C70000-0x0000000004D02000-memory.dmp
  Filesize: 584KB
- memory/980-133-0x0000000004AC0000-0x0000000004ACA000-memory.dmp
  Filesize: 40KB
- memory/980-134-0x00000000092F0000-0x000000000938C000-memory.dmp
  Filesize: 624KB
- memory/980-135-0x0000000009390000-0x00000000093F6000-memory.dmp
  Filesize: 408KB
- memory/3080-138-0x0000000000000000-mapping.dmp
- memory/3080-139-0x0000000000400000-0x0000000000412000-memory.dmp
  Filesize: 72KB