Analysis
- max time kernel: 39s
- max time network: 42s
- platform: windows7_x64
- resource: win7-20220414-en
- submitted: 27-05-2022 11:31
Static task: static1
Behavioral task: behavioral1
Sample: Swift Copy05262020.pdf.exe
Resource: win7-20220414-en
General
- Target: Swift Copy05262020.pdf.exe
- Size: 342KB
- MD5: 8380afc6e34fe722c9e16f6ee797bab8
- SHA1: 5dd6c2103053372286d09b6fdb374c1d43e23a4f
- SHA256: 1868d031ba42f5f9b2f176f218647509ebcbf1171ed0da75a594a26744d03d9a
- SHA512: e6097dc8b5a633e0d9d8798ea1366338b7a1d64f822907c4ce5b5f9e6029438c578cb559731cdef87ad54a09f6890d76df73f2f1745248a05e18879cf782c39c
Malware Config
Signatures
- Executes dropped EXE (1 IoCs)
  Processes (pid, process):
    760  rtjwekgkjm.exe
- Loads dropped DLL (2 IoCs)
  Processes (pid, process):
    1648  Swift Copy05262020.pdf.exe
    760   rtjwekgkjm.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious use of WriteProcessMemory (8 IoCs)
  Processes (description, pid, process, target process):
    PID 1648 wrote to memory of 760   1648  Swift Copy05262020.pdf.exe  rtjwekgkjm.exe  (repeated 4 times)
    PID 760 wrote to memory of 1984   760   rtjwekgkjm.exe              rtjwekgkjm.exe  (repeated 4 times)
Processes
1. C:\Users\Admin\AppData\Local\Temp\Swift Copy05262020.pdf.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\Swift Copy05262020.pdf.exe"
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\rtjwekgkjm.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\rtjwekgkjm.exe C:\Users\Admin\AppData\Local\Temp\jnianqsz
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious use of WriteProcessMemory
      3. C:\Users\Admin\AppData\Local\Temp\rtjwekgkjm.exe
         Command line: C:\Users\Admin\AppData\Local\Temp\rtjwekgkjm.exe C:\Users\Admin\AppData\Local\Temp\jnianqsz
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\4263sbwwg1i7i
  Filesize: 171KB
  MD5: adafc1bd6fedbe5f73992bbf31f44991
  SHA1: 05b1f01d53016cac49c99e3255a015c3a8feefee
  SHA256: 39b7450d35e9b44a8e1a8b8bf69fed60a99532191600911a9018999b374b4989
  SHA512: 3248e472eeefa02a8652995fe2a016cd97e62e28655aacecadc56529845afcd4ba5b6cbd99ff9f4b281c27282429a749f2c226d2cb841321a0d8ca76ab186a88
- C:\Users\Admin\AppData\Local\Temp\jnianqsz
  Filesize: 4KB
  MD5: 52f6fa9d66c85265d119cd735e446a33
  SHA1: 26eb6660ee34dc8baec4323296780fc53f652f34
  SHA256: 846e9ed6719f5fe6a44a25eaa9861674fed55ff1ece516c1ccc5ad5b45899608
  SHA512: 193d343db465b5c79fca0606316336cda81785eac4ceb1cd65d9301a94cd188a9b3bf9c2ec8b4ae70e7ef3db66940fcda015600706e28ead8778c8462259b194
- C:\Users\Admin\AppData\Local\Temp\rtjwekgkjm.exe
  Filesize: 187KB
  MD5: 51cd1475dac44b90ecd715ee289848ba
  SHA1: 9660741ad44c4ec69abc62891bbb0aa462001d1f
  SHA256: 88c512b70e574231d68f24689249cb30c359ea192ee667c8840c4146f7218993
  SHA512: 541048bbbaaa14a92bf3ab7921d61ac96f335c76705ba834860ffecb88176551f16111337fb8622ce4d67fd6574d49ca7f7484db6d7567a8aa626b5ab2af3f7d
- \Users\Admin\AppData\Local\Temp\rtjwekgkjm.exe
  Filesize: 187KB
  MD5: 51cd1475dac44b90ecd715ee289848ba
  SHA1: 9660741ad44c4ec69abc62891bbb0aa462001d1f
  SHA256: 88c512b70e574231d68f24689249cb30c359ea192ee667c8840c4146f7218993
  SHA512: 541048bbbaaa14a92bf3ab7921d61ac96f335c76705ba834860ffecb88176551f16111337fb8622ce4d67fd6574d49ca7f7484db6d7567a8aa626b5ab2af3f7d
- memory/760-56-0x0000000000000000-mapping.dmp
- memory/1648-54-0x00000000755B1000-0x00000000755B3000-memory.dmp
  Filesize: 8KB