Analysis
max time kernel: 149s
max time network: 150s
platform: windows7_x64
resource: win7-20220812-en
resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
submitted: 22-11-2022 11:47
Static task: static1
Behavioral task: behavioral1
Sample: Swift.exe
Resource: win7-20220812-en
General
Target: Swift.exe
Size: 221KB
MD5: 0202c53a04751949b148ac5eab59030e
SHA1: 32febcf0ec3e26a2852a677a1e0f80a520844ee4
SHA256: ad6df53019d5d8930fce4ad4a7e0d15a08d9771b3cff97b7c06bf3df364c17a4
SHA512: 07ea4cb41cbd1860ee7a9ff87b949372735f62e4e3dab916b2cc0493e5f1748cf64534afe454c81c06982d9b2c7e6a7bedaa72132b381c3f24da746cfec1dab6
SSDEEP: 6144:MEa0Nyh7Uk49DgIyU3wmtax8+3AdmVsrPW1QBho5p:XUUk49DgIyU3Bp4HVQs4o7
Malware Config
Extracted: formbook 4.1 (b31b), with a list of 65 extracted domains.
Signatures
Formbook payload 3 IoCs
Processes (resource, yara_rule):
  behavioral1/memory/2020-64-0x0000000000400000-0x000000000042F000-memory.dmp  formbook
  behavioral1/memory/2016-70-0x0000000000100000-0x000000000012F000-memory.dmp  formbook
  behavioral1/memory/2016-75-0x0000000000100000-0x000000000012F000-memory.dmp  formbook
Executes dropped EXE 2 IoCs
Processes (pid, process):
  1000 idxgunu.exe
  2020 idxgunu.exe
Loads dropped DLL 2 IoCs
Processes (pid, process):
  916 Swift.exe
  1000 idxgunu.exe
Suspicious use of SetThreadContext 3 IoCs
Processes (description, pid, process, target process):
  PID 1000 set thread context of 2020: idxgunu.exe -> idxgunu.exe
  PID 2020 set thread context of 1396: idxgunu.exe -> Explorer.EXE
  PID 2016 set thread context of 1396: chkdsk.exe -> Explorer.EXE
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Enumerates system info in registry 2 TTPs 1 IoCs
Processes (description, ioc, process):
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier  chkdsk.exe
Suspicious behavior: EnumeratesProcesses 27 IoCs
Processes (pid, process):
  2020 idxgunu.exe (2 entries)
  2016 chkdsk.exe (25 entries)
Suspicious behavior: MapViewOfSection 6 IoCs
Processes (pid, process):
  1000 idxgunu.exe (1 entry)
  2020 idxgunu.exe (3 entries)
  2016 chkdsk.exe (2 entries)
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes (description, pid, process):
  Token: SeDebugPrivilege  2020 idxgunu.exe
  Token: SeDebugPrivilege  2016 chkdsk.exe
Suspicious use of FindShellTrayWindow 2 IoCs
Processes (pid, process):
  1396 Explorer.EXE (2 entries)
Suspicious use of SendNotifyMessage 2 IoCs
Processes (pid, process):
  1396 Explorer.EXE (2 entries)
Suspicious use of WriteProcessMemory 17 IoCs
Processes (description, pid, process, target process):
  PID 916 wrote to memory of 1000: Swift.exe -> idxgunu.exe (4 entries)
  PID 1000 wrote to memory of 2020: idxgunu.exe -> idxgunu.exe (5 entries)
  PID 1396 wrote to memory of 2016: Explorer.EXE -> chkdsk.exe (4 entries)
  PID 2016 wrote to memory of 1796: chkdsk.exe -> cmd.exe (4 entries)
Processes (process tree; the number is the depth shown in the report)
1. C:\Windows\Explorer.EXE
   Command line: C:\Windows\Explorer.EXE
   - Suspicious use of FindShellTrayWindow
   - Suspicious use of SendNotifyMessage
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\Swift.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\Swift.exe"
      - Loads dropped DLL
      - Suspicious use of WriteProcessMemory
      3. C:\Users\Admin\AppData\Local\Temp\idxgunu.exe
         Command line: "C:\Users\Admin\AppData\Local\Temp\idxgunu.exe" C:\Users\Admin\AppData\Local\Temp\jdgedcev.bx
         - Executes dropped EXE
         - Loads dropped DLL
         - Suspicious use of SetThreadContext
         - Suspicious behavior: MapViewOfSection
         - Suspicious use of WriteProcessMemory
         4. C:\Users\Admin\AppData\Local\Temp\idxgunu.exe
            Command line: "C:\Users\Admin\AppData\Local\Temp\idxgunu.exe" C:\Users\Admin\AppData\Local\Temp\jdgedcev.bx
            - Executes dropped EXE
            - Suspicious use of SetThreadContext
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious behavior: MapViewOfSection
            - Suspicious use of AdjustPrivilegeToken
   2. C:\Windows\SysWOW64\chkdsk.exe
      Command line: "C:\Windows\SysWOW64\chkdsk.exe"
      - Suspicious use of SetThreadContext
      - Enumerates system info in registry
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\cmd.exe
         Command line: /c del "C:\Users\Admin\AppData\Local\Temp\idxgunu.exe"
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
C:\Users\Admin\AppData\Local\Temp\aznhzp.mba
  Filesize: 185KB
  MD5: b3581defa6b04b02ec74081ebe1cdf25
  SHA1: f721fca7fb1c097f954db044ca05f39482f65c2d
  SHA256: fdaba24d7be4cacecfc6068d585d8135138d35d4513047beabd35ecdc567c106
  SHA512: f351cbb5818e4b9c171fe9ac9b4ee342f6a2d30e7e818a684c98668f3f356d2558d65ffcf97ab14da252dc830824ffeeb905c91962cc0e65d8236799e775fa4b
C:\Users\Admin\AppData\Local\Temp\idxgunu.exe
  Filesize: 7KB
  MD5: 8748279bd1a60b520e0f062016b094e8
  SHA1: 78c8a552dd69b232715981c3eac3c1c2ec224f38
  SHA256: 6875c3049ed37ad538dde61f99c49917bbbe21b74ba6896626ec62edf689d2fd
  SHA512: 7f0a74986e2af5649554670b97fb87b8768a286c9e43795ba0a309185d4f2ba8f4080dc741aa9bb6741a6a3b5575cda39b5c4760ca246be678087ba4d6c035f7
C:\Users\Admin\AppData\Local\Temp\jdgedcev.bx
  Filesize: 5KB
  MD5: 18e2b6cac2a0ea0a11fad297712721bc
  SHA1: 8c947c4d4a6e53f30eac64c7e830f325cee6775a
  SHA256: 1d8d7c32217eed7730b45b61ed0f98586b38f09c2b5ff8aa6292e1a40ff71e4d
  SHA512: 72d658d15e6b0a418cf41c3cafe050cd59e5036c91ce7c54bdcd7be3c9761a54d620688d60bd315fe4466b6051e329be9010e245628dfabb9c3cc89c43c2b7a8
Memory dumps (resource, filesize):
  memory/916-54-0x0000000076871000-0x0000000076873000-memory.dmp  8KB
  memory/1000-56-0x0000000000000000-mapping.dmp
  memory/1396-76-0x0000000007E20000-0x0000000007F71000-memory.dmp  1.3MB
  memory/1396-67-0x0000000007000000-0x0000000007182000-memory.dmp  1.5MB
  memory/1396-74-0x0000000007E20000-0x0000000007F71000-memory.dmp  1.3MB
  memory/1796-71-0x0000000000000000-mapping.dmp
  memory/2016-69-0x00000000007E0000-0x00000000007E7000-memory.dmp  28KB
  memory/2016-68-0x0000000000000000-mapping.dmp
  memory/2016-70-0x0000000000100000-0x000000000012F000-memory.dmp  188KB
  memory/2016-72-0x0000000001FC0000-0x00000000022C3000-memory.dmp  3.0MB
  memory/2016-73-0x0000000001D70000-0x0000000001E03000-memory.dmp  588KB
  memory/2016-75-0x0000000000100000-0x000000000012F000-memory.dmp  188KB
  memory/2020-66-0x0000000000430000-0x0000000000444000-memory.dmp  80KB
  memory/2020-65-0x0000000000700000-0x0000000000A03000-memory.dmp  3.0MB
  memory/2020-64-0x0000000000400000-0x000000000042F000-memory.dmp  188KB
  memory/2020-62-0x000000000041F190-mapping.dmp