Analysis
max time kernel: 151s
max time network: 150s
platform: windows7_x64
resource: win7-20220414-en
submitted: 21-05-2022 11:40
Static task: static1
Behavioral task: behavioral1
Sample: swift copy.exe
Resource: win7-20220414-en
General
Target: swift copy.exe
Size: 573KB
MD5: 51ed5644fa60ea88173be008966c2c1d
SHA1: e73015b1433639e1a2be19d26b6a5a3b8b39dfc2
SHA256: eddcaacc8947b326dd6998c90175846c76375ee953074668354ac72dba27ffdf
SHA512: b64bcfd74a38f372c687935590624d31d759df1e913d082e490c025797f00c50f4fa2dbf961a888196f2d151f175bec6227105a6ac372071a696608a710c7c97
Malware Config
Extracted
Family: formbook
Version: 3.9
Campaign: b1v
Domains:
regaloscoletivos.com
bedavasiteler.com
gutbrod-helfer.com
lfp1979.com
qtgermany.net
clevelandwebsitesolutions.com
clssport.com
mercurydrivers.com
fair1financial.com
danieleragatzu.com
airstrats.com
willowporch.com
qeampfdb.com
apexjoy.com
hortifloral.com
timessquarebagelburgers.com
jryasb.info
voicetalent.online
fgzwq.com
btobtoyz.com
bellesemijoias.com
uurvrpieqcxaihakanv.com
kendrickhomeservices.com
viralboing.com
554024.top
shoecityonline.net
crazysarm.com
vikkinetwork.com
easyredir.download
opensourcefunnels.net
leimufuzhu.com
clicklib.com
aktf4zb0.biz
thetemplate.store
lvdianhj.com
eher.ltd
karagiozis.info
sparcindustries.com
aboes.net
disturbanceatslump.com
skfee.com
kslcontracting.com
550094.top
dripmeaning.com
articlesforsmoker.com
erinsisneros.com
intocreatives.com
worldfoodventure.com
usopentennis.wiki
inspiredholycards.com
slickghost.com
airaeditora.gal
betoltop10.com
rtlzue.com
curriculum.ltd
drafter.info
resumenes850.com
vkdqrr.info
orderin.net
limeismint.com
lyontamer.net
michaelbudman.com
dsadsadasdsadsadadsa.net
gotogrs.com
cervox.com
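The list above is the extracted Formbook configuration. Formbook embeds many decoy domains next to its live C2 and the report does not mark which is which, so a match is a lead to pivot on (the Suricata check-in alert and the process chain in the Signatures section) rather than confirmation by itself. The following Python is an added example, not part of the sandbox report: it hunts a DNS query log for the configured domains, matching at label boundaries so subdomains count but look-alike names do not. The log lines and client names are constructed; the domains are a subset copied from the list above.

```python
"""Hunt a DNS query log for the domains in the extracted Formbook config above.
Added example; the log lines and client hostnames are constructed, the domains
are a subset copied from the report."""
import re
from collections import defaultdict

# Subset of the "Domains" list in the Malware Config section above.
CONFIG_DOMAINS = [
    "regaloscoletivos.com", "bedavasiteler.com", "gutbrod-helfer.com",
    "qeampfdb.com", "554024.top", "easyredir.download", "cervox.com",
]

# Constructed log: "<date> <time> <client> <qtype> <qname>". Not real telemetry.
SAMPLE_LOG = """\
2022-05-21 11:41:02 WS-0412 A www.regaloscoletivos.com
2022-05-21 11:41:05 WS-0412 A 554024.top
2022-05-21 11:41:09 WS-0417 A qeampfdb.com.cdn-lookalike.example
2022-05-21 11:41:10 WS-0417 A notqeampfdb.com
2022-05-21 11:41:12 WS-0418 A login.microsoftonline.com
"""


def build_matcher(domains):
    """Regex that matches a qname equal to, or a subdomain of, any config domain.
    The label boundary matters: a plain endswith() check would flag
    'notqeampfdb.com' as a hit for 'qeampfdb.com'."""
    alts = "|".join(re.escape(d.lower()) for d in domains)
    return re.compile(r"(?:^|\.)(" + alts + r")$")


def match_domain(qname, matcher):
    """Return the config domain that qname falls under, or None."""
    m = matcher.search(qname.lower().rstrip("."))
    return m.group(1) if m else None


def hunt(log_text, domains=CONFIG_DOMAINS):
    """Group matching queries by client: {client: [(timestamp, qname, config_domain)]}."""
    matcher = build_matcher(domains)
    hits = defaultdict(list)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue  # skip malformed lines rather than abort the hunt
        date, time, client, _qtype, qname = parts
        domain = match_domain(qname, matcher)
        if domain:
            hits[client].append((f"{date} {time}", qname, domain))
    return dict(hits)


if __name__ == "__main__":
    for client, rows in hunt(SAMPLE_LOG).items():
        for ts, qname, domain in rows:
            print(f"{client} {ts} queried {qname} (config domain {domain})")
```

Running it reports only WS-0412: the subdomain of regaloscoletivos.com and the bare 554024.top query. The two WS-0417 lines are deliberately shaped to trip a naive suffix match and are not reported.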
Signatures
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata: ET MALWARE FormBook CnC Checkin (GET)

Formbook Payload 4 IoCs
resource                                                                     yara_rule
behavioral1/memory/1112-62-0x0000000000400000-0x000000000042A000-memory.dmp  formbook
behavioral1/memory/1112-63-0x000000000041B640-mapping.dmp                    formbook
behavioral1/memory/1112-65-0x0000000000400000-0x000000000042A000-memory.dmp  formbook
behavioral1/memory/2032-72-0x00000000000D0000-0x00000000000FA000-memory.dmp  formbook

ReZer0 packer 1 IoCs
Detects ReZer0, a packer with multiple versions used in various campaigns.
resource                                                                     yara_rule
behavioral1/memory/784-58-0x0000000002050000-0x0000000002088000-memory.dmp   rezer0
Adds policy Run key to start application 2 TTPs 2 IoCs
process      description      ioc
wlanext.exe  Key created      \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
wlanext.exe  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\TR4TQ2EH = "C:\\Program Files (x86)\\Drfihdx\\gdienjpz.exe"

Deletes itself 1 IoCs
pid   process
1988  cmd.exe

Suspicious use of SetThreadContext 3 IoCs
description                          pid   process         target process
PID 784 set thread context of 1112   784   swift copy.exe  swift copy.exe
PID 1112 set thread context of 1268  1112  swift copy.exe  Explorer.EXE
PID 2032 set thread context of 1268  2032  wlanext.exe     Explorer.EXE

Drops file in Program Files directory 1 IoCs
process      description                   ioc
wlanext.exe  File opened for modification  C:\Program Files (x86)\Drfihdx\gdienjpz.exe
Modifies Internet Explorer settings 1 IoCs
process      description  ioc
wlanext.exe  Key created  \Registry\User\S-1-5-21-1819626980-2277161760-1023733287-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2
Suspicious behavior: EnumeratesProcesses 23 IoCs
pid   process         count
784   swift copy.exe  2
1112  swift copy.exe  2
2032  wlanext.exe     19

Suspicious behavior: MapViewOfSection 5 IoCs
pid   process         count
1112  swift copy.exe  3
2032  wlanext.exe     2

Suspicious use of AdjustPrivilegeToken 3 IoCs
description              pid   process
Token: SeDebugPrivilege  784   swift copy.exe
Token: SeDebugPrivilege  1112  swift copy.exe
Token: SeDebugPrivilege  2032  wlanext.exe

Suspicious use of FindShellTrayWindow 2 IoCs
pid   process       count
1268  Explorer.EXE  2

Suspicious use of SendNotifyMessage 2 IoCs
pid   process       count
1268  Explorer.EXE  2

Suspicious use of WriteProcessMemory 15 IoCs
description                       pid   process         target process  count
PID 784 wrote to memory of 1112   784   swift copy.exe  swift copy.exe  7
PID 1268 wrote to memory of 2032  1268  Explorer.EXE    wlanext.exe     4
PID 2032 wrote to memory of 1988  2032  wlanext.exe     cmd.exe         4
Processes
C:\Windows\Explorer.EXE (PID 1268)
  command line: C:\Windows\Explorer.EXE
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\swift copy.exe (PID 784)
    command line: "C:\Users\Admin\AppData\Local\Temp\swift copy.exe"
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\swift copy.exe (PID 1112)
      command line: "{path}"
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken
  C:\Windows\SysWOW64\wlanext.exe (PID 2032)
    command line: "C:\Windows\SysWOW64\wlanext.exe"
    - Adds policy Run key to start application
    - Suspicious use of SetThreadContext
    - Drops file in Program Files directory
    - Modifies Internet Explorer settings
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\cmd.exe (PID 1988)
      command line: /c del "C:\Users\Admin\AppData\Local\Temp\swift copy.exe"
      - Deletes itself
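The signatures and process tree above describe a chain that endpoint telemetry can catch from its side effects: a value written under Policies\Explorer\Run that points at a freshly dropped executable, a SysWOW64 binary launched by Explorer.EXE that writes an .exe into Program Files, and cmd.exe /c del removing the original sample from the user's Temp directory. Sysmon has no event for SetThreadContext itself, so this added example (not part of the sandbox report) keys on those side effects instead. The events are constructed from the PIDs, paths and registry key the report lists, using Sysmon field names (EventID 1 Image/CommandLine/ParentImage, 11 TargetFilename, 13 TargetObject/Details); two constructed benign events (a "Contoso" installer, a hypothetical name) are included to show what is not flagged.

```python
"""Detections for the persistence, drop and self-delete behaviour in this report,
run over constructed Sysmon-style events (not the sandbox's own telemetry)."""
import re

POLICY_RUN = re.compile(r"\\policies\\explorer\\run\\", re.IGNORECASE)
SYSTEM_DIR = re.compile(r"^c:\\windows\\(system32|syswow64)\\", re.IGNORECASE)
PROGRAM_FILES = re.compile(r"^c:\\program files( \(x86\))?\\", re.IGNORECASE)
USER_TEMP = re.compile(r"^c:\\users\\[^\\]+\\appdata\\local\\temp\\", re.IGNORECASE)
DEL_CMD = re.compile(r'\bdel\s+"?([^"]+\.exe)"?', re.IGNORECASE)

# Constructed events mirroring the process tree above; PIDs and paths come from the report.
SAMPLE_EVENTS = [
    {"EventID": 1, "ProcessId": 784, "ParentProcessId": 1268,
     "Image": r"C:\Users\Admin\AppData\Local\Temp\swift copy.exe",
     "CommandLine": r'"C:\Users\Admin\AppData\Local\Temp\swift copy.exe"',
     "ParentImage": r"C:\Windows\Explorer.EXE"},
    {"EventID": 1, "ProcessId": 1112, "ParentProcessId": 784,
     "Image": r"C:\Users\Admin\AppData\Local\Temp\swift copy.exe",
     "CommandLine": "{path}",
     "ParentImage": r"C:\Users\Admin\AppData\Local\Temp\swift copy.exe"},
    {"EventID": 1, "ProcessId": 2032, "ParentProcessId": 1268,
     "Image": r"C:\Windows\SysWOW64\wlanext.exe",
     "CommandLine": r'"C:\Windows\SysWOW64\wlanext.exe"',
     "ParentImage": r"C:\Windows\Explorer.EXE"},
    {"EventID": 11, "ProcessId": 2032, "Image": r"C:\Windows\SysWOW64\wlanext.exe",
     "TargetFilename": r"C:\Program Files (x86)\Drfihdx\gdienjpz.exe"},
    {"EventID": 13, "ProcessId": 2032, "Image": r"C:\Windows\SysWOW64\wlanext.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\TR4TQ2EH",
     "Details": r"C:\Program Files (x86)\Drfihdx\gdienjpz.exe"},
    {"EventID": 1, "ProcessId": 1988, "ParentProcessId": 2032,
     "Image": r"C:\Windows\SysWOW64\cmd.exe",
     "CommandLine": r'/c del "C:\Users\Admin\AppData\Local\Temp\swift copy.exe"',
     "ParentImage": r"C:\Windows\SysWOW64\wlanext.exe"},
    # Constructed benign noise: an ordinary HKCU Run value and a cmd that deletes a .tmp file.
    {"EventID": 13, "ProcessId": 3100, "Image": r"C:\Program Files\Contoso\setup.exe",
     "TargetObject": r"HKU\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Windows\CurrentVersion\Run\Contoso",
     "Details": r"C:\Program Files\Contoso\agent.exe"},
    {"EventID": 1, "ProcessId": 3101, "ParentProcessId": 3100,
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'/c del "C:\Users\Admin\AppData\Local\Temp\setup.tmp"',
     "ParentImage": r"C:\Program Files\Contoso\setup.exe"},
]


def detect_policy_run_persistence(events):
    """Flag any value set under Policies\\Explorer\\Run and record whether the same
    process created the file it points at (EID 13 correlated with EID 11 by ProcessId)."""
    dropped = {(e["ProcessId"], e["TargetFilename"].lower())
               for e in events if e["EventID"] == 11}
    findings = []
    for e in events:
        if e["EventID"] == 13 and POLICY_RUN.search(e["TargetObject"]):
            target = e["Details"].strip('"')
            findings.append({
                "rule": "policy_run_persistence", "pid": e["ProcessId"],
                "value": e["TargetObject"].rsplit("\\", 1)[-1], "target": target,
                "dropped_by_same_process": (e["ProcessId"], target.lower()) in dropped})
    return findings


def detect_system_binary_dropping_exe(events):
    """A binary living in System32/SysWOW64 creating an .exe under Program Files; the
    parent is recorded so the Explorer.EXE -> wlanext.exe lineage is visible."""
    procs = {e["ProcessId"]: e for e in events if e["EventID"] == 1}
    findings = []
    for e in events:
        if e["EventID"] != 11 or not SYSTEM_DIR.match(e["Image"]):
            continue
        f = e["TargetFilename"]
        if PROGRAM_FILES.match(f) and f.lower().endswith(".exe"):
            proc = procs.get(e["ProcessId"])
            findings.append({"rule": "system_binary_drops_exe", "pid": e["ProcessId"],
                             "image": e["Image"], "file": f,
                             "parent": proc["ParentImage"] if proc else None})
    return findings


def detect_temp_exe_self_delete(events):
    """cmd.exe deleting an .exe in the user's Temp directory; 'was_executed' is True when
    that same path ran as a process in the log (here the original sample)."""
    executed = {e["Image"].lower() for e in events if e["EventID"] == 1}
    findings = []
    for e in events:
        if e["EventID"] != 1 or not e["Image"].lower().endswith("\\cmd.exe"):
            continue
        m = DEL_CMD.search(e.get("CommandLine", ""))
        if m and USER_TEMP.match(m.group(1)):
            findings.append({"rule": "temp_exe_self_delete", "pid": e["ProcessId"],
                             "deleted": m.group(1), "parent": e["ParentImage"],
                             "was_executed": m.group(1).lower() in executed})
    return findings


def run_detections(events):
    return (detect_policy_run_persistence(events)
            + detect_system_binary_dropping_exe(events)
            + detect_temp_exe_self_delete(events))


if __name__ == "__main__":
    for finding in run_detections(SAMPLE_EVENTS):
        print(finding)
```

Three findings come back, all on the report's PIDs (2032, 2032, 1988); the Contoso Run value and the .tmp deletion are ignored. The hollowing steps themselves (SetThreadContext into the second copy of the sample and into Explorer.EXE) leave no dedicated Sysmon event; the closest signal is EID 10 ProcessAccess on Explorer.EXE with write and thread rights from a binary in the user's Temp directory, which this example does not cover.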
MITRE ATT&CK Matrix ATT&CK v6
Downloads
C:\Users\Admin\AppData\Roaming\-L601-V1\-L6logim.jpeg
  Filesize: 63KB
  MD5: 3b95c02ac49787f9e3c9b32797a35958
  SHA1: 608ecc8d8318afb5042e1c303564eb40b97791fc
  SHA256: 44f5b11da83d3d5adf5007c628a6bad4110bd3c653dd1c16abde58c53f1cfb80
  SHA512: 8660327e42f6eeabc1f1115d531c3659288d0fb278507b3087dfb6a0ae9ff347d02b827f79103f30a140f5a794be44280f3e3c4277845618f747127acf4b0391

C:\Users\Admin\AppData\Roaming\-L601-V1\-L6logri.ini
  Filesize: 40B
  MD5: d63a82e5d81e02e399090af26db0b9cb
  SHA1: 91d0014c8f54743bba141fd60c9d963f869d76c9
  SHA256: eaece2eba6310253249603033c744dd5914089b0bb26bde6685ec9813611baae
  SHA512: 38afb05016d8f3c69d246321573997aaac8a51c34e61749a02bf5e8b2b56b94d9544d65801511044e1495906a86dc2100f2e20ff4fcbed09e01904cc780fdbad

C:\Users\Admin\AppData\Roaming\-L601-V1\-L6logrv.ini
  Filesize: 40B
  MD5: ba3b6bc807d4f76794c4b81b09bb9ba5
  SHA1: 24cb89501f0212ff3095ecc0aba97dd563718fb1
  SHA256: 6eebf968962745b2e9de2ca969af7c424916d4e3fe3cc0bb9b3d414abfce9507
  SHA512: ecd07e601fc9e3cfc39addd7bd6f3d7f7ff3253afb40bf536e9eaac5a4c243e5ec40fbfd7b216cb0ea29f2517419601e335e33ba19dea4a46f65e38694d465bf
memory/784-54-0x0000000000100000-0x0000000000198000-memory.dmp   Filesize: 608KB
memory/784-55-0x00000000006C0000-0x00000000006FC000-memory.dmp   Filesize: 240KB
memory/784-56-0x0000000075701000-0x0000000075703000-memory.dmp   Filesize: 8KB
memory/784-57-0x00000000005C0000-0x00000000005C8000-memory.dmp   Filesize: 32KB
memory/784-58-0x0000000002050000-0x0000000002088000-memory.dmp   Filesize: 224KB
memory/1112-66-0x0000000000AC0000-0x0000000000DC3000-memory.dmp  Filesize: 3.0MB
memory/1112-63-0x000000000041B640-mapping.dmp
memory/1112-67-0x0000000000330000-0x0000000000344000-memory.dmp  Filesize: 80KB
memory/1112-59-0x0000000000400000-0x000000000042A000-memory.dmp  Filesize: 168KB
memory/1112-65-0x0000000000400000-0x000000000042A000-memory.dmp  Filesize: 168KB
memory/1112-60-0x0000000000400000-0x000000000042A000-memory.dmp  Filesize: 168KB
memory/1112-62-0x0000000000400000-0x000000000042A000-memory.dmp  Filesize: 168KB
memory/1268-75-0x0000000006690000-0x00000000067A7000-memory.dmp  Filesize: 1.1MB
memory/1268-68-0x0000000006C20000-0x0000000006D5C000-memory.dmp  Filesize: 1.2MB
memory/1988-70-0x0000000000000000-mapping.dmp
memory/2032-71-0x0000000000280000-0x0000000000296000-memory.dmp  Filesize: 88KB
memory/2032-74-0x0000000001D50000-0x0000000001DE3000-memory.dmp  Filesize: 588KB
memory/2032-73-0x0000000001EF0000-0x00000000021F3000-memory.dmp  Filesize: 3.0MB
memory/2032-72-0x00000000000D0000-0x00000000000FA000-memory.dmp  Filesize: 168KB
memory/2032-69-0x0000000000000000-mapping.dmp