Analysis
- max time kernel: 162s
- max time network: 175s
- platform: windows10-2004_x64
- resource: win10v2004-20220812-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 03-10-2022 07:09
Static task: static1
Behavioral task: behavioral1
- Sample: Swift copy-MT103___________________________________________________________________________________________.exe
- Resource: win7-20220901-en
Behavioral task: behavioral2
- Sample: Swift copy-MT103___________________________________________________________________________________________.exe
- Resource: win10v2004-20220812-en
General
- Target: Swift copy-MT103___________________________________________________________________________________________.exe
- Size: 15KB
- MD5: d423232b851ec4d05782628579167877
- SHA1: f379b79860c17a06ba21d2ce0a388ceb8cbeb206
- SHA256: 098c30f5be90148d97ead8f3c0aadafd8ac199d1e0207f33b7bbd203f9deff27
- SHA512: 5189f4370ac555983ec7949248bb2f7797c8fc2fffa530abca01699f27fa35ab356ce7b7366a66a33521c699491fdf44150a4e4aef8f757861e95031a10f82de
- SSDEEP: 192:aQvmrcXEyNpDjqqXtT0f4iYQ+Ilmqvpunc6nQuOKBq/qgUG2CVXhOF5I27:aqXEyNpHqatTKGWZpu5QuTU/qgJJAD
Malware Config
Signatures
- Program crash (1 IoCs)
  Processes:
  pid: 4824, pid_target: 4568, process: WerFault.exe, target process: Swift copy-MT103___________________________________________________________________________________________.exe
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Processes:
  description: Token: SeDebugPrivilege, pid: 4568, process: Swift copy-MT103___________________________________________________________________________________________.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\Swift copy-MT103___________________________________________________________________________________________.exe (PID 4568)
  Command line: "C:\Users\Admin\AppData\Local\Temp\Swift copy-MT103___________________________________________________________________________________________.exe"
  - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4568 -s 1568
    - Program crash
- C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 188 -p 4568 -ip 4568
Network
MITRE ATT&CK Matrix
Downloads
- memory/4568-132-0x00000000005F0000-0x00000000005FA000-memory.dmp (Filesize 40KB)
- memory/4568-133-0x0000000005770000-0x0000000005D14000-memory.dmp (Filesize 5.6MB)
- memory/4568-134-0x00000000051C0000-0x0000000005252000-memory.dmp (Filesize 584KB)
- memory/4568-135-0x0000000005260000-0x00000000052FC000-memory.dmp (Filesize 624KB)
- memory/4568-136-0x00000000051A0000-0x00000000051AA000-memory.dmp (Filesize 40KB)
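The dump names above encode the PID and the virtual address range of each region, and the process tree records which PID WerFault was launched for. The script below is an added example (not part of the report or of the sandbox's own tooling) that parses both: it recomputes each region's size from its address range and checks it against the listed Filesize, pulls the crashed PID out of the WerFault command lines, and lists the dumped regions that are larger than the 15KB file on disk, biggest first, since those are the ones worth opening when a small loader crashes after expanding something in memory. The dump-name layout "memory/<pid>-<index>-<start>-<end>-memory.dmp" is read off the Downloads list; the sample's long filename is shortened to `sample.exe` in the constructed command-line list, which is an assumption of the example only.

```python
"""Parse memory-dump names and WerFault command lines from a sandbox report.

Added example, not part of the original report. Inputs are constructed from
the Downloads and Processes sections above; the sample path is shortened to
sample.exe (assumption, the real name is the long MT103 filename).
"""
import re
from dataclasses import dataclass

# Constructed input, copied from the report's Downloads list.
DUMP_NAMES = [
    "memory/4568-132-0x00000000005F0000-0x00000000005FA000-memory.dmp",
    "memory/4568-133-0x0000000005770000-0x0000000005D14000-memory.dmp",
    "memory/4568-134-0x00000000051C0000-0x0000000005252000-memory.dmp",
    "memory/4568-135-0x0000000005260000-0x00000000052FC000-memory.dmp",
    "memory/4568-136-0x00000000051A0000-0x00000000051AA000-memory.dmp",
]
REPORTED_SIZES = ["40KB", "5.6MB", "584KB", "624KB", "40KB"]

# Constructed input, copied from the process tree (sample path shortened).
COMMAND_LINES = [
    r'"C:\Users\Admin\AppData\Local\Temp\sample.exe"',
    r"C:\Windows\SysWOW64\WerFault.exe -u -p 4568 -s 1568",
    r"C:\Windows\SysWOW64\WerFault.exe -pss -s 188 -p 4568 -ip 4568",
]
SAMPLE_SIZE_ON_DISK = 15 * 1024  # "Size 15KB" in the General section

DUMP_RE = re.compile(
    r"^memory/(?P<pid>\d+)-(?P<idx>\d+)-0x(?P<start>[0-9A-Fa-f]+)"
    r"-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp$"
)
# "-p <pid>" only: the leading whitespace and trailing whitespace rule out
# "-pss" and "-ip", which also appear on the WerFault command line.
WERFAULT_PID_RE = re.compile(r"(?:^|\s)-p\s+(\d+)")


@dataclass(frozen=True)
class DumpRegion:
    pid: int
    index: int
    start: int
    end: int

    @property
    def size(self) -> int:
        return self.end - self.start


def parse_dump_name(name: str) -> DumpRegion:
    """Split 'memory/<pid>-<index>-<start>-<end>-memory.dmp' into its fields."""
    m = DUMP_RE.match(name)
    if not m:
        raise ValueError(f"not a memory dump artefact name: {name!r}")
    return DumpRegion(int(m["pid"]), int(m["idx"]),
                      int(m["start"], 16), int(m["end"], 16))


def human_size(n: int) -> str:
    """Render a byte count the way the report does ('40KB', '5.6MB')."""
    if n >= 1 << 20:
        return f"{n / (1 << 20):.1f}MB"
    return f"{n // 1024}KB"


def check_reported_sizes(names, reported):
    """Recompute each region's size from its address range and compare with
    the listed Filesize. Returns (index, bytes, computed, listed, matches)."""
    results = []
    for name, listed in zip(names, reported):
        r = parse_dump_name(name)
        computed = human_size(r.size)
        results.append((r.index, r.size, computed, listed, computed == listed))
    return results


def crashed_pids(cmdlines):
    """PIDs that WerFault.exe was launched for (-p <pid>) in the process tree."""
    pids = set()
    for line in cmdlines:
        if "werfault.exe" in line.lower():
            pids.update(int(p) for p in WERFAULT_PID_RE.findall(line))
    return pids


def regions_exceeding_image(names, image_size):
    """Dumped regions larger than the on-disk file, biggest first."""
    regions = sorted((parse_dump_name(n) for n in names),
                     key=lambda r: r.size, reverse=True)
    return [r for r in regions if r.size > image_size]


if __name__ == "__main__":
    for idx, nbytes, computed, listed, ok in check_reported_sizes(DUMP_NAMES, REPORTED_SIZES):
        print(f"region {idx}: {nbytes} bytes = {computed} (listed {listed}) "
              f"{'OK' if ok else 'MISMATCH'}")
    print("WerFault invoked for pid(s):", sorted(crashed_pids(COMMAND_LINES)))
    for r in regions_exceeding_image(DUMP_NAMES, SAMPLE_SIZE_ON_DISK):
        print(f"  region {r.index}: 0x{r.start:X}-0x{r.end:X} ({human_size(r.size)})")
```

Every listed Filesize reproduces from the address range, so the names can be trusted as region bounds when choosing which dump to load into a disassembler; region 133 (0x5770000-0x5D14000, about 5.6MB) dwarfs the 15KB executable and is the first one to inspect. The crash itself (WerFault on PID 4568) also means the run ended early, so the absence of network indicators in this report is not evidence that the sample has none.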