e5a4156ee51458847edcc62f79e7599175764819b37c4ac13658e04cb38de257

General

Target

Swift Copy.exe
Size

1.2MB
MD5

e2afd683ad34fdf154dbff7a1d9a7ab6
SHA1

92ba13ee1f51c3946dcb618d50189f0a34eece0a
SHA256

ac6f0e68f1eb17ffe1469d65f7dde3b2f358a9c683f00c90c3b654a5469c7a5c
SHA512

29ddf79300505d1fd4cf3792adf449d8ec7d02b6beda52c9fd3694e4fcde79165cbf19065fc42d5e57b7bfc3601942a85beb982c27f4520835f8872cfe1cedb7
SSDEEP

24576:ZPeL53QIYGaFfyNitBmM9/NifbZM5LYyq4:Z2pQWi6Ng8fbZKLYV4

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

908 schtasks.exe

pid	process
908	schtasks.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

Processes:

Swift Copy.exepowershell.exe

pid	process
1980	Swift Copy.exe
1980	Swift Copy.exe
1980	Swift Copy.exe
1980	Swift Copy.exe
1980	Swift Copy.exe
1980	Swift Copy.exe
1980	Swift Copy.exe
1980	Swift Copy.exe
1980	Swift Copy.exe
1980	Swift Copy.exe
1980	Swift Copy.exe
1280	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

Swift Copy.exepowershell.exe

description pid process

Token: SeDebugPrivilege 1980 Swift Copy.exe
Token: SeDebugPrivilege 1280 powershell.exe

description	pid	process
Token: SeDebugPrivilege	1980	Swift Copy.exe
Token: SeDebugPrivilege	1280	powershell.exe

Suspicious use of WriteProcessMemory 28 IoCs

Processes:

Swift Copy.exe

description	pid	process	target process
PID 1980 wrote to memory of 1280	1980	Swift Copy.exe	powershell.exe
PID 1980 wrote to memory of 1280	1980	Swift Copy.exe	powershell.exe
PID 1980 wrote to memory of 1280	1980	Swift Copy.exe	powershell.exe
PID 1980 wrote to memory of 1280	1980	Swift Copy.exe	powershell.exe
PID 1980 wrote to memory of 908	1980	Swift Copy.exe	schtasks.exe
PID 1980 wrote to memory of 908	1980	Swift Copy.exe	schtasks.exe
PID 1980 wrote to memory of 908	1980	Swift Copy.exe	schtasks.exe
PID 1980 wrote to memory of 908	1980	Swift Copy.exe	schtasks.exe
PID 1980 wrote to memory of 672	1980	Swift Copy.exe	Swift Copy.exe
PID 1980 wrote to memory of 672	1980	Swift Copy.exe	Swift Copy.exe
PID 1980 wrote to memory of 672	1980	Swift Copy.exe	Swift Copy.exe
PID 1980 wrote to memory of 672	1980	Swift Copy.exe	Swift Copy.exe
PID 1980 wrote to memory of 1184	1980	Swift Copy.exe	Swift Copy.exe
PID 1980 wrote to memory of 1184	1980	Swift Copy.exe	Swift Copy.exe
PID 1980 wrote to memory of 1184	1980	Swift Copy.exe	Swift Copy.exe
PID 1980 wrote to memory of 1184	1980	Swift Copy.exe	Swift Copy.exe
PID 1980 wrote to memory of 540	1980	Swift Copy.exe	Swift Copy.exe
PID 1980 wrote to memory of 540	1980	Swift Copy.exe	Swift Copy.exe
PID 1980 wrote to memory of 540	1980	Swift Copy.exe	Swift Copy.exe
PID 1980 wrote to memory of 540	1980	Swift Copy.exe	Swift Copy.exe
PID 1980 wrote to memory of 284	1980	Swift Copy.exe	Swift Copy.exe
PID 1980 wrote to memory of 284	1980	Swift Copy.exe	Swift Copy.exe
PID 1980 wrote to memory of 284	1980	Swift Copy.exe	Swift Copy.exe
PID 1980 wrote to memory of 284	1980	Swift Copy.exe	Swift Copy.exe
PID 1980 wrote to memory of 828	1980	Swift Copy.exe	Swift Copy.exe
PID 1980 wrote to memory of 828	1980	Swift Copy.exe	Swift Copy.exe
PID 1980 wrote to memory of 828	1980	Swift Copy.exe	Swift Copy.exe
PID 1980 wrote to memory of 828	1980	Swift Copy.exe	Swift Copy.exe

C:\Users\Admin\AppData\Local\Temp\Swift Copy.exe
"C:\Users\Admin\AppData\Local\Temp\Swift Copy.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1980

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\ijzVNT.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1280

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ijzVNT" /XML "C:\Users\Admin\AppData\Local\Temp\tmpA21A.tmp"
2⤵
- Creates scheduled task(s)
PID:908

C:\Users\Admin\AppData\Local\Temp\Swift Copy.exe
"C:\Users\Admin\AppData\Local\Temp\Swift Copy.exe"
2⤵
PID:672

C:\Users\Admin\AppData\Local\Temp\Swift Copy.exe
"C:\Users\Admin\AppData\Local\Temp\Swift Copy.exe"
2⤵
PID:1184

C:\Users\Admin\AppData\Local\Temp\Swift Copy.exe
"C:\Users\Admin\AppData\Local\Temp\Swift Copy.exe"
2⤵
PID:540

C:\Users\Admin\AppData\Local\Temp\Swift Copy.exe
"C:\Users\Admin\AppData\Local\Temp\Swift Copy.exe"
2⤵
PID:284

C:\Users\Admin\AppData\Local\Temp\Swift Copy.exe
"C:\Users\Admin\AppData\Local\Temp\Swift Copy.exe"
2⤵
PID:828

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpA21A.tmp
Filesize
1KB

MD5
743c5b67d6708e1666fb7414c15df44f

SHA1
55e8f799a21b8b2a83fea05a57feab1c6f377ac3

SHA256
f563a450e579d0d163a442f73ae906ea1747da98e6b40202fc50e109879d04b2

SHA512
b83361a3c96cbb1ec53ca8c57d103c43d12e75263de50658a782c2928b04ac6e9f57bbae6c87da6495d8f85c2c1634da0feb871dfeb2135494684542477d56b9

Download Submit
memory/908-60-0x0000000000000000-mapping.dmp

Download
memory/1280-59-0x0000000000000000-mapping.dmp

Download
memory/1280-64-0x000000006E400000-0x000000006E9AB000-memory.dmp

Filesize
5.7MB

Download
memory/1280-65-0x000000006E400000-0x000000006E9AB000-memory.dmp

Filesize
5.7MB

Download
memory/1980-54-0x0000000000380000-0x00000000004C0000-memory.dmp

Filesize
1.2MB

Download
memory/1980-55-0x0000000076031000-0x0000000076033000-memory.dmp

Filesize
8KB

Download
memory/1980-56-0x0000000000340000-0x000000000035C000-memory.dmp

Filesize
112KB

Download
memory/1980-57-0x0000000000360000-0x000000000036C000-memory.dmp

Filesize
48KB

Download
memory/1980-58-0x00000000080E0000-0x00000000081B0000-memory.dmp

Filesize
832KB

Download
memory/1980-63-0x0000000005C80000-0x0000000005CFC000-memory.dmp

Filesize
496KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads