Analysis
-
max time kernel
148s -
max time network
149s -
platform
windows10-2004_x64 -
resource
win10v2004-20220812-en -
resource tags
arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system -
submitted
16-08-2022 07:06
Static task
static1
Behavioral task
behavioral1
Sample
SWIFT_HSBC.exe
Resource
win7-20220812-en
General
-
Target
SWIFT_HSBC.exe
-
Size
68KB
-
MD5
e9e56812742d598f57ec249696cfa90f
-
SHA1
e6c4e279fce76dd92033a583fbaca8bf792edb27
-
SHA256
b95ce5a91875b0094d2905b058b3623afd21c61e895af0b337d7a541847c961a
-
SHA512
b0077e25075b55dcd61e6fccd3ce7e4671545e2d484d8c2b0b77c219b60e7cb77c206dbc296973cdd9c3daaab70168ea29a91793417bd7f9ed01846965269070
Malware Config
Extracted
xloader
2.9
zzun
JnNtRHyNupy0GqRzAcasu7hb4rc=
Qv593NGLE7p9UNSaVkPXljAJm2QCNnc=
ePArIFWvjkkMgVEVhw4M4Jk=
26rqUwJ7dD0AiDI=
pBAxMHeK741QFw==
kHD7TPt5846pUMTX
56UnjFjHL1i0j659h3LymRnHpQj+SshC
4vKlKHflPqmWXRbrRwfPtrhb4rc=
6LBd4qButFAi
phMzGll8Ue7Fu+inq5cdnPaSugG3
NKswiQGCvZoG5FgsdHEI
rtTHnuUY8M1qVcXV
SOmECrlAt2oGAA==
L1ep9adutFAi
/UE+/AyvE6uEl28weFI=
IP+xMPQxJR4NE6TK
xvW5GN9/rqA5YUoOVt185Sf7Uw==
fRFNW9DhxL6VF7LA
KFYTfkaY741QFw==
W4JGvMBmt2oGAA==
lnoad0Hkgrwl9uXlghvqdz33UA==
1msShiu+9wisELGDjYAK
FBXFOinAK8ylnMZzi35Okw==
V8Y7/cBnt2oGAA==
VfuI0k5pSmi6+aNjIlAT2mspCZBZLGA=
de74yg89D61bSiU=
V2UPjYUvwh21qdxUr4Mf
DcFXvTxFMlyfL5JJIU0=
GldbH/CCt2oGAA==
sxdEIBwn+o+pUMTX
UmViK+1/Knr8814sdHEI
jrfKoZ6paLyeEBETgw4M4Jk=
SR27MizpGwCa19Kb1A==
2DGo9XUNxBOe19Kb1A==
7tBn2cG8jasWHE7w559Aig==
8qtAoVHxl/KGerbsfA4M4Jk=
fC3AH6Utt2oGAA==
HltlPHZ7FpSpUMTX
xd0B+Pr30gBfQGYXafOW1dOSflv+SshC
DKXWyiOecY7319Kb1A==
Pvx505EaswiHYF3z559Aig==
aJ6kaz7CWKsP9g9Ur4Mf
qcvfxb9TwUoDCrfXw/uTdSkTCJBZLGA=
I++iH8xJxFp73nyUjJOg3/PS/3W7
K1N1guwbLz0AiDI=
vp2SfavTmBXNzLeXmIoUhsB7
UlAVhgIfLT0AiDI=
6BKH5GjHt2YIo/qhA69S+5E=
6U29K+qVw5hT4gQ83A==
G9NTmhwpAwY6r4I69kT4dz33UA==
0qstoaNBmBrMlfwTKhrAtLhb4rc=
ZvMhGW52cyAAXkVV3Jc96Lhb4rc=
N9Z3/PmEt2oGAA==
ohlOhcaP741QFw==
9WF3PohVjEolhCY=
am0ek4wtmkEI9GMVhw4M4Jk=
ROotH4+jhp7vnzVdww==
uvkuFhGmJlyjpFFpi35Okw==
ICHQQTIjaxTryG8weFI=
AhIZ8uh974+pUMTX
pEBtSFHr/5s0GQ==
qAcuLnqLNeOpUMTX
bcHv6WdbHoWEylgsdHEI
Nz/rbWh3s4WFDL9uPlAhXKNz
secure-id6793-chase.com
Signatures
-
Xloader payload 4 IoCs
Processes:
resource yara_rule behavioral2/memory/1464-146-0x0000000000400000-0x000000000042C000-memory.dmp xloader behavioral2/memory/1464-152-0x0000000000400000-0x000000000042C000-memory.dmp xloader behavioral2/memory/4048-156-0x0000000000F90000-0x0000000000FBC000-memory.dmp xloader behavioral2/memory/4048-159-0x0000000000F90000-0x0000000000FBC000-memory.dmp xloader -
Adds policy Run key to start application 2 TTPs 2 IoCs
Processes:
cmd.exedescription ioc process Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run cmd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\XZUDUFWXODD = "C:\\Program Files (x86)\\Ytvbxnz9x\\np2hqz4hzxibnx.exe" cmd.exe -
Executes dropped EXE 1 IoCs
Processes:
np2hqz4hzxibnx.exepid process 2792 np2hqz4hzxibnx.exe -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
SWIFT_HSBC.exedescription ioc process Key value queried \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation SWIFT_HSBC.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
SWIFT_HSBC.exedescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Idmczmd = "\"C:\\Users\\Admin\\AppData\\Roaming\\Dnrhb\\Idmczmd.exe\"" SWIFT_HSBC.exe -
Suspicious use of SetThreadContext 3 IoCs
Processes:
SWIFT_HSBC.exeInstallUtil.execmd.exedescription pid process target process PID 4936 set thread context of 1464 4936 SWIFT_HSBC.exe InstallUtil.exe PID 1464 set thread context of 1084 1464 InstallUtil.exe Explorer.EXE PID 4048 set thread context of 1084 4048 cmd.exe Explorer.EXE -
Drops file in Program Files directory 4 IoCs
Processes:
cmd.exeExplorer.EXEdescription ioc process File opened for modification C:\Program Files (x86)\Ytvbxnz9x\np2hqz4hzxibnx.exe cmd.exe File opened for modification C:\Program Files (x86)\Ytvbxnz9x Explorer.EXE File created C:\Program Files (x86)\Ytvbxnz9x\np2hqz4hzxibnx.exe Explorer.EXE File opened for modification C:\Program Files (x86)\Ytvbxnz9x\np2hqz4hzxibnx.exe Explorer.EXE -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Processes:
cmd.exedescription ioc process Key created \Registry\User\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2 cmd.exe -
Suspicious behavior: EnumeratesProcesses 60 IoCs
Processes:
powershell.exeSWIFT_HSBC.exeInstallUtil.execmd.exepid process 3000 powershell.exe 3000 powershell.exe 4936 SWIFT_HSBC.exe 4936 SWIFT_HSBC.exe 4936 SWIFT_HSBC.exe 4936 SWIFT_HSBC.exe 4936 SWIFT_HSBC.exe 4936 SWIFT_HSBC.exe 1464 InstallUtil.exe 1464 InstallUtil.exe 1464 InstallUtil.exe 1464 InstallUtil.exe 4048 cmd.exe 4048 cmd.exe 4048 cmd.exe 4048 cmd.exe 4048 cmd.exe 4048 cmd.exe 4048 cmd.exe 4048 cmd.exe 4048 cmd.exe 4048 cmd.exe 4048 cmd.exe 4048 cmd.exe 4048 cmd.exe 4048 cmd.exe 4048 cmd.exe 4048 cmd.exe 4048 cmd.exe 4048 cmd.exe 4048 cmd.exe 4048 cmd.exe 4048 cmd.exe 4048 cmd.exe 4048 cmd.exe 4048 cmd.exe 4048 cmd.exe 4048 cmd.exe 4048 cmd.exe 4048 cmd.exe 4048 cmd.exe 4048 cmd.exe 4048 cmd.exe 4048 cmd.exe 4048 cmd.exe 4048 cmd.exe 4048 cmd.exe 4048 cmd.exe 4048 cmd.exe 4048 cmd.exe 4048 cmd.exe 4048 cmd.exe 4048 cmd.exe 4048 cmd.exe 4048 cmd.exe 4048 cmd.exe 4048 cmd.exe 4048 cmd.exe 4048 cmd.exe 4048 cmd.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
Explorer.EXEpid process 1084 Explorer.EXE -
Suspicious behavior: MapViewOfSection 7 IoCs
Processes:
InstallUtil.execmd.exepid process 1464 InstallUtil.exe 1464 InstallUtil.exe 1464 InstallUtil.exe 4048 cmd.exe 4048 cmd.exe 4048 cmd.exe 4048 cmd.exe -
Suspicious use of AdjustPrivilegeToken 12 IoCs
Processes:
SWIFT_HSBC.exepowershell.exeInstallUtil.execmd.exeExplorer.EXEdescription pid process Token: SeDebugPrivilege 4936 SWIFT_HSBC.exe Token: SeDebugPrivilege 3000 powershell.exe Token: SeDebugPrivilege 1464 InstallUtil.exe Token: SeDebugPrivilege 4048 cmd.exe Token: SeShutdownPrivilege 1084 Explorer.EXE Token: SeCreatePagefilePrivilege 1084 Explorer.EXE Token: SeShutdownPrivilege 1084 Explorer.EXE Token: SeCreatePagefilePrivilege 1084 Explorer.EXE Token: SeShutdownPrivilege 1084 Explorer.EXE Token: SeCreatePagefilePrivilege 1084 Explorer.EXE Token: SeShutdownPrivilege 1084 Explorer.EXE Token: SeCreatePagefilePrivilege 1084 Explorer.EXE -
Suspicious use of WriteProcessMemory 30 IoCs
Processes:
SWIFT_HSBC.exeExplorer.EXEcmd.exedescription pid process target process PID 4936 wrote to memory of 3000 4936 SWIFT_HSBC.exe powershell.exe PID 4936 wrote to memory of 3000 4936 SWIFT_HSBC.exe powershell.exe PID 4936 wrote to memory of 3000 4936 SWIFT_HSBC.exe powershell.exe PID 4936 wrote to memory of 2244 4936 SWIFT_HSBC.exe InstallUtil.exe PID 4936 wrote to memory of 2244 4936 SWIFT_HSBC.exe InstallUtil.exe PID 4936 wrote to memory of 2244 4936 SWIFT_HSBC.exe InstallUtil.exe PID 4936 wrote to memory of 1464 4936 SWIFT_HSBC.exe InstallUtil.exe PID 4936 wrote to memory of 1464 4936 SWIFT_HSBC.exe InstallUtil.exe PID 4936 wrote to memory of 1464 4936 SWIFT_HSBC.exe InstallUtil.exe PID 4936 wrote to memory of 1464 4936 SWIFT_HSBC.exe InstallUtil.exe PID 4936 wrote to memory of 1464 4936 SWIFT_HSBC.exe InstallUtil.exe PID 4936 wrote to memory of 1464 4936 SWIFT_HSBC.exe InstallUtil.exe PID 1084 wrote to memory of 4048 1084 Explorer.EXE cmd.exe PID 1084 wrote to memory of 4048 1084 Explorer.EXE cmd.exe PID 1084 wrote to memory of 4048 1084 Explorer.EXE cmd.exe PID 4048 wrote to memory of 324 4048 cmd.exe cmd.exe PID 4048 wrote to memory of 324 4048 cmd.exe cmd.exe PID 4048 wrote to memory of 324 4048 cmd.exe cmd.exe PID 4048 wrote to memory of 4156 4048 cmd.exe cmd.exe PID 4048 wrote to memory of 4156 4048 cmd.exe cmd.exe PID 4048 wrote to memory of 4156 4048 cmd.exe cmd.exe PID 4048 wrote to memory of 4576 4048 cmd.exe cmd.exe PID 4048 wrote to memory of 4576 4048 cmd.exe cmd.exe PID 4048 wrote to memory of 4576 4048 cmd.exe cmd.exe PID 4048 wrote to memory of 4536 4048 cmd.exe Firefox.exe PID 4048 wrote to memory of 4536 4048 cmd.exe Firefox.exe PID 4048 wrote to memory of 4536 4048 cmd.exe Firefox.exe PID 1084 wrote to memory of 2792 1084 Explorer.EXE np2hqz4hzxibnx.exe PID 1084 wrote to memory of 2792 1084 Explorer.EXE np2hqz4hzxibnx.exe PID 1084 wrote to memory of 2792 1084 Explorer.EXE np2hqz4hzxibnx.exe -
System policy modification 1 TTPs 1 IoCs
Processes:
cmd.exedescription ioc process Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer cmd.exe
Processes
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
- Drops file in Program Files directory
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\SWIFT_HSBC.exe"C:\Users\Admin\AppData\Local\Temp\SWIFT_HSBC.exe"2⤵
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAOAA=3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe3⤵
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\autochk.exe"C:\Windows\SysWOW64\autochk.exe"2⤵
-
C:\Windows\SysWOW64\autochk.exe"C:\Windows\SysWOW64\autochk.exe"2⤵
-
C:\Windows\SysWOW64\autochk.exe"C:\Windows\SysWOW64\autochk.exe"2⤵
-
C:\Windows\SysWOW64\autochk.exe"C:\Windows\SysWOW64\autochk.exe"2⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\SysWOW64\cmd.exe"2⤵
- Adds policy Run key to start application
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\SysWOW64\cmd.exe/c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"3⤵
-
C:\Windows\SysWOW64\cmd.exe/c copy "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Login Data" "C:\Users\Admin\AppData\Local\Temp\DB1" /V3⤵
-
C:\Windows\SysWOW64\cmd.exe/c copy "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Login Data" "C:\Users\Admin\AppData\Local\Temp\DB1" /V3⤵
-
C:\Program Files\Mozilla Firefox\Firefox.exe"C:\Program Files\Mozilla Firefox\Firefox.exe"3⤵
-
C:\Program Files (x86)\Ytvbxnz9x\np2hqz4hzxibnx.exe"C:\Program Files (x86)\Ytvbxnz9x\np2hqz4hzxibnx.exe"2⤵
- Executes dropped EXE
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Program Files (x86)\Ytvbxnz9x\np2hqz4hzxibnx.exeFilesize
41KB
MD55d4073b2eb6d217c19f2b22f21bf8d57
SHA1f0209900fbf08d004b886a0b3ba33ea2b0bf9da8
SHA256ac1a3f21fcc88f9cee7bf51581eafba24cc76c924f0821deb2afdf1080ddf3d3
SHA5129ac94880684933ba3407cdc135abc3047543436567af14cd9269c4adc5a6535db7b867d6de0d6238a21b94e69f9890dbb5739155871a624520623a7e56872159
-
C:\Program Files (x86)\Ytvbxnz9x\np2hqz4hzxibnx.exeFilesize
41KB
MD55d4073b2eb6d217c19f2b22f21bf8d57
SHA1f0209900fbf08d004b886a0b3ba33ea2b0bf9da8
SHA256ac1a3f21fcc88f9cee7bf51581eafba24cc76c924f0821deb2afdf1080ddf3d3
SHA5129ac94880684933ba3407cdc135abc3047543436567af14cd9269c4adc5a6535db7b867d6de0d6238a21b94e69f9890dbb5739155871a624520623a7e56872159
-
C:\Users\Admin\AppData\Local\Temp\DB1Filesize
40KB
MD5b608d407fc15adea97c26936bc6f03f6
SHA1953e7420801c76393902c0d6bb56148947e41571
SHA256b281ce54125d4250a80f48fcc02a8eea53f2c35c3b726e2512c3d493da0013bf
SHA512cc96ddf4bf90d6aaa9d86803cb2aa30cd8e9b295aee1bd5544b88aeab63dc60bb1d4641e846c9771bab51aabbfbcd984c6d3ee83b96f5b65d09c0841d464b9e4
-
C:\Users\Admin\AppData\Local\Temp\DB1Filesize
48KB
MD5349e6eb110e34a08924d92f6b334801d
SHA1bdfb289daff51890cc71697b6322aa4b35ec9169
SHA256c9fd7be4579e4aa942e8c2b44ab10115fa6c2fe6afd0c584865413d9d53f3b2a
SHA5122a635b815a5e117ea181ee79305ee1baf591459427acc5210d8c6c7e447be3513ead871c605eb3d32e4ab4111b2a335f26520d0ef8c1245a4af44e1faec44574
-
memory/324-153-0x0000000000000000-mapping.dmp
-
memory/1084-160-0x00000000028B0000-0x000000000298D000-memory.dmpFilesize
884KB
-
memory/1084-158-0x00000000028B0000-0x000000000298D000-memory.dmpFilesize
884KB
-
memory/1084-150-0x0000000002710000-0x0000000002827000-memory.dmpFilesize
1.1MB
-
memory/1464-148-0x00000000018D0000-0x0000000001C1A000-memory.dmpFilesize
3.3MB
-
memory/1464-146-0x0000000000400000-0x000000000042C000-memory.dmpFilesize
176KB
-
memory/1464-145-0x0000000000000000-mapping.dmp
-
memory/1464-152-0x0000000000400000-0x000000000042C000-memory.dmpFilesize
176KB
-
memory/1464-149-0x0000000001810000-0x0000000001821000-memory.dmpFilesize
68KB
-
memory/2244-144-0x0000000000000000-mapping.dmp
-
memory/2792-165-0x0000000000000000-mapping.dmp
-
memory/2792-168-0x00000000009A0000-0x00000000009AC000-memory.dmpFilesize
48KB
-
memory/3000-141-0x0000000006000000-0x000000000601A000-memory.dmpFilesize
104KB
-
memory/3000-140-0x0000000007140000-0x00000000077BA000-memory.dmpFilesize
6.5MB
-
memory/3000-134-0x0000000000000000-mapping.dmp
-
memory/3000-135-0x0000000002520000-0x0000000002556000-memory.dmpFilesize
216KB
-
memory/3000-136-0x0000000004D90000-0x00000000053B8000-memory.dmpFilesize
6.2MB
-
memory/3000-137-0x00000000053C0000-0x0000000005426000-memory.dmpFilesize
408KB
-
memory/3000-138-0x00000000054A0000-0x0000000005506000-memory.dmpFilesize
408KB
-
memory/3000-139-0x0000000005B10000-0x0000000005B2E000-memory.dmpFilesize
120KB
-
memory/4048-154-0x00000000005D0000-0x000000000062A000-memory.dmpFilesize
360KB
-
memory/4048-157-0x0000000001660000-0x00000000016F0000-memory.dmpFilesize
576KB
-
memory/4048-159-0x0000000000F90000-0x0000000000FBC000-memory.dmpFilesize
176KB
-
memory/4048-156-0x0000000000F90000-0x0000000000FBC000-memory.dmpFilesize
176KB
-
memory/4048-155-0x00000000017E0000-0x0000000001B2A000-memory.dmpFilesize
3.3MB
-
memory/4048-151-0x0000000000000000-mapping.dmp
-
memory/4156-161-0x0000000000000000-mapping.dmp
-
memory/4576-163-0x0000000000000000-mapping.dmp
-
memory/4936-143-0x0000000006FD0000-0x0000000007574000-memory.dmpFilesize
5.6MB
-
memory/4936-132-0x00000000006E0000-0x00000000006F6000-memory.dmpFilesize
88KB
-
memory/4936-142-0x0000000006980000-0x0000000006A12000-memory.dmpFilesize
584KB
-
memory/4936-133-0x0000000005E20000-0x0000000005E42000-memory.dmpFilesize
136KB