Analysis
- max time kernel: 145s
- max time network: 156s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 21-05-2022 19:14
Static task: static1

Behavioral task: behavioral1
- Sample: swift copy .exe
- Resource: win7-20220414-en (windows7_x64)
- 0 signatures, 0 seconds

Behavioral task: behavioral2
- Sample: swift copy .exe
- Resource: win10v2004-20220414-en (windows10-2004_x64)
- 0 signatures, 0 seconds
General
- Target: swift copy .exe
- Size: 496KB
- MD5: 2e949fbd641fbb0b7a2faa128ddd3540
- SHA1: eac22a028a62c18391a452850d9c42fbb19b7fb8
- SHA256: e7cddae953978be6b45011ccbde76cc209eb1bfb3976ba9e214a37df62e3e145
- SHA512: 93d326fc1f0bdace236773275b0969dc191e98979e6f353567bf8ca5479773bf8c811dd9b292136a6a1f2aa0999988c79567ef41f75dde5243ebd628582c1d78
- Score: 10/10
Malware Config
Signatures
- NetWire RAT payload (2 IoCs)
  resource | yara_rule
  behavioral2/memory/4884-136-0x0000000000400000-0x000000000047E000-memory.dmp | netwire
  behavioral2/memory/4884-137-0x0000000000400000-0x000000000042C000-memory.dmp | netwire

- Modifies Installed Components in the registry (2 TTPs)

- Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes: swift copy .exe
  description | ioc | process
  Key created | \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ | swift copy .exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\NetWire = "C:\\Users\\Admin\\AppData\\Local\\Temp\\swift copy .exe" | swift copy .exe

- Suspicious use of SetThreadContext (1 IoCs)
  Processes: swift copy .exe
  description | pid | process | target process
  PID 3416 set thread context of 4884 | 3416 | swift copy .exe | swift copy .exe

- Suspicious use of SetWindowsHookEx (1 IoCs)
  Processes: swift copy .exe
  pid | process
  3416 | swift copy .exe

- Suspicious use of WriteProcessMemory (3 IoCs)
  Processes: swift copy .exe
  description | pid | process | target process
  PID 3416 wrote to memory of 4884 | 3416 | swift copy .exe | swift copy .exe
  PID 3416 wrote to memory of 4884 | 3416 | swift copy .exe | swift copy .exe
  PID 3416 wrote to memory of 4884 | 3416 | swift copy .exe | swift copy .exe
Processes
- C:\Users\Admin\AppData\Local\Temp\swift copy .exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\swift copy .exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\swift copy .exe (child)
    Command line: C:\Users\Admin\AppData\Local\Temp\swift copy .exe"
    - Adds Run key to start application
- C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k appmodel -p -s camsvc
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- memory/3416-132-0x0000000000690000-0x0000000000697000-memory.dmp (28KB)
- memory/3416-134-0x00007FF8C1530000-0x00007FF8C1725000-memory.dmp (2.0MB)
- memory/3416-135-0x0000000077B80000-0x0000000077D23000-memory.dmp (1.6MB)
- memory/4884-133-0x0000000000000000-mapping.dmp
- memory/4884-136-0x0000000000400000-0x000000000047E000-memory.dmp (504KB)
- memory/4884-137-0x0000000000400000-0x000000000042C000-memory.dmp (176KB)
- memory/4884-143-0x00007FF8C1530000-0x00007FF8C1725000-memory.dmp (2.0MB)
- memory/4884-144-0x0000000077B80000-0x0000000077D23000-memory.dmp (1.6MB)