Analysis
max time kernel: 150s
max time network: 151s
platform: windows7_x64
resource: win7-20220414-en
submitted: 27-05-2022 15:10

Static task: static1
Behavioral task: behavioral1
  Sample: Swift Copy 05272022.exe
  Resource: win7-20220414-en
Behavioral task: behavioral2
  Sample: Swift Copy 05272022.exe
  Resource: win10v2004-20220414-en

General
Target: Swift Copy 05272022.exe
Size: 322KB
MD5: aac47b26622b7b112abb2cf4545409b4
SHA1: a1878da3ea31f946527897a759ffb1c9393fe426
SHA256: f46d6d7bf1c9f466498c2a11c9c96fcc594c3490db04e763f81e7552f7ae6764
SHA512: ec2eb8dc95fab52b7d5a8419dd4727e185b23e355de17fbbd8c512f84f07ac1822307c76f9239861ce6266f4dc71e568c7246c6321da0d02cce0674c231f3ef9
Malware Config (extracted)
Family: xloader
Version: 2.6
Campaign: ygkp
Signatures
suricata: ET MALWARE FormBook CnC Checkin (GET)

Xloader Payload (5 IoCs)
resource | yara_rule
behavioral1/memory/1324-63-0x0000000000400000-0x000000000042B000-memory.dmp | xloader
behavioral1/memory/1324-64-0x000000000041F350-mapping.dmp | xloader
behavioral1/memory/1324-67-0x0000000000400000-0x000000000042B000-memory.dmp | xloader
behavioral1/memory/1716-73-0x00000000000C0000-0x00000000000EB000-memory.dmp | xloader
behavioral1/memory/1716-78-0x00000000000C0000-0x00000000000EB000-memory.dmp | xloader

Executes dropped EXE (2 IoCs)
pid | process
1852 | ugoumezapn.exe
1324 | ugoumezapn.exe

Loads dropped DLL (2 IoCs)
pid | process
1208 | Swift Copy 05272022.exe
1852 | ugoumezapn.exe

Adds Run key to start application (2 TTPs, 2 IoCs)
description | ioc | process
Key created | \Registry\Machine\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run | chkdsk.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\GBTHEFWHG8GX = "C:\\Program Files (x86)\\Htdr\\vgayjop.exe" | chkdsk.exe

Suspicious use of SetThreadContext (3 IoCs)
description | pid | process | target process
PID 1852 set thread context of 1324 | 1852 | ugoumezapn.exe | ugoumezapn.exe
PID 1324 set thread context of 1284 | 1324 | ugoumezapn.exe | Explorer.EXE
PID 1716 set thread context of 1284 | 1716 | chkdsk.exe | Explorer.EXE

Drops file in Program Files directory (1 IoC)
description | ioc | process
File opened for modification | C:\Program Files (x86)\Htdr\vgayjop.exe | chkdsk.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Enumerates system info in registry (2 TTPs, 1 IoC)
description | ioc | process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier | chkdsk.exe

Modifies Internet Explorer settings (1 IoC)
description | ioc | process
Key created | \Registry\User\S-1-5-21-2277218442-1199762539-2004043321-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2 | chkdsk.exe

Suspicious behavior: EnumeratesProcesses (26 IoCs)
pid | process | hits
1324 | ugoumezapn.exe | 2
1716 | chkdsk.exe | 24

Suspicious behavior: MapViewOfSection (7 IoCs)
pid | process | hits
1324 | ugoumezapn.exe | 3
1716 | chkdsk.exe | 4

Suspicious use of AdjustPrivilegeToken (2 IoCs)
description | pid | process
Token: SeDebugPrivilege | 1324 | ugoumezapn.exe
Token: SeDebugPrivilege | 1716 | chkdsk.exe

Suspicious use of FindShellTrayWindow (2 IoCs)
pid | process | hits
1284 | Explorer.EXE | 2

Suspicious use of SendNotifyMessage (2 IoCs)
pid | process | hits
1284 | Explorer.EXE | 2

Suspicious use of WriteProcessMemory (24 IoCs)
description | pid | process | target process | hits
PID 1208 wrote to memory of 1852 | 1208 | Swift Copy 05272022.exe | ugoumezapn.exe | 4
PID 1852 wrote to memory of 1324 | 1852 | ugoumezapn.exe | ugoumezapn.exe | 7
PID 1284 wrote to memory of 1716 | 1284 | Explorer.EXE | chkdsk.exe | 4
PID 1716 wrote to memory of 1728 | 1716 | chkdsk.exe | cmd.exe | 4
PID 1716 wrote to memory of 1708 | 1716 | chkdsk.exe | Firefox.exe | 5
Processes
C:\Windows\Explorer.EXE (depth 1)
  command line: C:\Windows\Explorer.EXE
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\Swift Copy 05272022.exe (depth 2)
    command line: "C:\Users\Admin\AppData\Local\Temp\Swift Copy 05272022.exe"
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\ugoumezapn.exe (depth 3)
      command line: C:\Users\Admin\AppData\Local\Temp\ugoumezapn.exe C:\Users\Admin\AppData\Local\Temp\ytsjpl
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious use of SetThreadContext
      - Suspicious use of WriteProcessMemory
      C:\Users\Admin\AppData\Local\Temp\ugoumezapn.exe (depth 4)
        command line: C:\Users\Admin\AppData\Local\Temp\ugoumezapn.exe C:\Users\Admin\AppData\Local\Temp\ytsjpl
        - Executes dropped EXE
        - Suspicious use of SetThreadContext
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: MapViewOfSection
        - Suspicious use of AdjustPrivilegeToken
  C:\Windows\SysWOW64\chkdsk.exe (depth 2)
    command line: "C:\Windows\SysWOW64\chkdsk.exe"
    - Adds Run key to start application
    - Suspicious use of SetThreadContext
    - Drops file in Program Files directory
    - Enumerates system info in registry
    - Modifies Internet Explorer settings
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\cmd.exe (depth 3)
      command line: /c del "C:\Users\Admin\AppData\Local\Temp\ugoumezapn.exe"
    C:\Program Files\Mozilla Firefox\Firefox.exe (depth 3)
      command line: "C:\Program Files\Mozilla Firefox\Firefox.exe"
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
C:\Users\Admin\AppData\Local\Temp\ugoumezapn.exe (also recorded as \Users\Admin\AppData\Local\Temp\ugoumezapn.exe)
  Filesize: 132KB
  MD5: c425c007ed7b3ee305dbea78ec07d10e
  SHA1: c254da6e0a53106504bc6f8db88e3ba0678498b6
  SHA256: 3e839029b68aaccf0e3566d63fa34f9d165c81d365c49ef8fae6d13b1612df19
  SHA512: d4036e691d4155d4760172dd7b4e5cc6cf70d676735b7d9fcf652ad2002f6710dd2aeff1f500bf36aa54bc2abbc3c9cbed1fa3bf6d8fdfed5b95b79428012ee0

C:\Users\Admin\AppData\Local\Temp\y84jg0z3myvs1ehq
  Filesize: 171KB
  MD5: 213b7ae988a475d2096b03e8b58c0cba
  SHA1: 8634ccaf2a816cc81363722430de5799b52eecd8
  SHA256: 997ba82b07c3d33f225975826ccfccabb6e13964bbc66bea8b484474fa067ccb
  SHA512: 9c167e42900af5df67fdc0ddbbcb9024d976667bee5427be5810c5df463deaf51c5ff96930be5100953940f8c57c29c47a656026268d7fba854eaec29a429ca6

C:\Users\Admin\AppData\Local\Temp\ytsjpl
  Filesize: 5KB
  MD5: e89c8f428bf1e9512047a530ffab4cc0
  SHA1: dae18c62de9ad71aaace440e570e0066d9977473
  SHA256: b57b56853e974693eea1b67cccc726eeca122fc05587fc18cf86ad908c83ad21
  SHA512: b9dadf686f1132456935afa2c0b3089565a727916d09658ffe321f48bbbea49ccd0446c61ce22567b5f0a9f1b81e9897cfbe0bd8d1131a9bb079f11cb4336271
Memory dumps
memory/1208-54-0x0000000075FB1000-0x0000000075FB3000-memory.dmp (8KB)
memory/1284-79-0x0000000006C60000-0x0000000006DD4000-memory.dmp (1.5MB)
memory/1284-77-0x0000000006C60000-0x0000000006DD4000-memory.dmp (1.5MB)
memory/1284-70-0x0000000006B20000-0x0000000006C5B000-memory.dmp (1.2MB)
memory/1324-68-0x0000000000700000-0x0000000000A03000-memory.dmp (3.0MB)
memory/1324-67-0x0000000000400000-0x000000000042B000-memory.dmp (172KB)
memory/1324-69-0x0000000000450000-0x0000000000461000-memory.dmp (68KB)
memory/1324-64-0x000000000041F350-mapping.dmp
memory/1324-63-0x0000000000400000-0x000000000042B000-memory.dmp (172KB)
memory/1716-71-0x0000000000000000-mapping.dmp
memory/1716-72-0x0000000000180000-0x0000000000187000-memory.dmp (28KB)
memory/1716-73-0x00000000000C0000-0x00000000000EB000-memory.dmp (172KB)
memory/1716-75-0x0000000001F00000-0x0000000002203000-memory.dmp (3.0MB)
memory/1716-76-0x0000000001D90000-0x0000000001E20000-memory.dmp (576KB)
memory/1716-78-0x00000000000C0000-0x00000000000EB000-memory.dmp (172KB)
memory/1728-74-0x0000000000000000-mapping.dmp
memory/1852-56-0x0000000000000000-mapping.dmp