90ca60dc8424411c71eecfcddfdb40e1fadc48e4ed287a282309b24f0cb2c5a2

Analysis

max time kernel
143s
max time network
148s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
23-11-2022 13:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

57c0268e52994413ef4d40bf7dd7bd1b.exe
Size

608KB
MD5

57c0268e52994413ef4d40bf7dd7bd1b
SHA1

d4f3f08a29b9bf14f0df6a14a76199c320438117
SHA256

90ca60dc8424411c71eecfcddfdb40e1fadc48e4ed287a282309b24f0cb2c5a2
SHA512

ec37e31337ff83aade0c5fc25985c509ffd7f637e19fb4a368fd05b1d5894abb6a54f836bc30944b1cd6075a878073f212f9e1ecd077e1ce6cb7a8f4134d6462
SSDEEP

6144:VdeLGp2lkBWkXtYUqePDfL7PX6aMRAVUxworKMk5gIrW9EE:dT0k9Y4DfL7/6pRiUNKr7sEE

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

swiftfix.exe

pid process

624 swiftfix.exe
Loads dropped DLL 1 IoCs

Processes:

57c0268e52994413ef4d40bf7dd7bd1b.exe

pid process

1256 57c0268e52994413ef4d40bf7dd7bd1b.exe

pid	process
624	swiftfix.exe

pid	process
1256	57c0268e52994413ef4d40bf7dd7bd1b.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

swiftfix.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\Steam = "C:\\Users\\Admin\\AppData\\Roaming\\NVIDIA\\dllhost.exe"	swiftfix.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

57c0268e52994413ef4d40bf7dd7bd1b.exeswiftfix.exe

description pid process

Token: SeDebugPrivilege 1256 57c0268e52994413ef4d40bf7dd7bd1b.exe
Token: SeDebugPrivilege 624 swiftfix.exe

description	pid	process
Token: SeDebugPrivilege	1256	57c0268e52994413ef4d40bf7dd7bd1b.exe
Token: SeDebugPrivilege	624	swiftfix.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

57c0268e52994413ef4d40bf7dd7bd1b.exe

description	pid	process	target process
PID 1256 wrote to memory of 624	1256	57c0268e52994413ef4d40bf7dd7bd1b.exe	swiftfix.exe
PID 1256 wrote to memory of 624	1256	57c0268e52994413ef4d40bf7dd7bd1b.exe	swiftfix.exe
PID 1256 wrote to memory of 624	1256	57c0268e52994413ef4d40bf7dd7bd1b.exe	swiftfix.exe
PID 1256 wrote to memory of 624	1256	57c0268e52994413ef4d40bf7dd7bd1b.exe	swiftfix.exe

C:\Users\Admin\AppData\Local\Temp\57c0268e52994413ef4d40bf7dd7bd1b.exe
"C:\Users\Admin\AppData\Local\Temp\57c0268e52994413ef4d40bf7dd7bd1b.exe"
1⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1256

C:\Windows\Temp\swiftfix.exe
"C:\Windows\Temp\swiftfix.exe"
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
PID:624

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\Temp\swiftfix.exe

Filesize
17KB

MD5
c5d67a98b53d07c90b6bf8a54d87cca3

SHA1
4cf957464a178b219184308d9110bab3efc3fd78

SHA256
23b36cbe0d774877af73bce1eb468db5026f8b4b5b83650baa6fb13beba3e9ac

SHA512
7dc2223c4a196d70744617411b0202ab64bcb1dd53aea90d7a71cb3d353b0fa708fdf8acb289c93cc742f77cfdba5aaee069adfcce91368457b8443899c075c8

Download Submit
C:\Windows\Temp\swiftfix.exe

Filesize
17KB

MD5
c5d67a98b53d07c90b6bf8a54d87cca3

SHA1
4cf957464a178b219184308d9110bab3efc3fd78

SHA256
23b36cbe0d774877af73bce1eb468db5026f8b4b5b83650baa6fb13beba3e9ac

SHA512
7dc2223c4a196d70744617411b0202ab64bcb1dd53aea90d7a71cb3d353b0fa708fdf8acb289c93cc742f77cfdba5aaee069adfcce91368457b8443899c075c8

Download Submit
\Windows\Temp\swiftfix.exe

Filesize
17KB

MD5
c5d67a98b53d07c90b6bf8a54d87cca3

SHA1
4cf957464a178b219184308d9110bab3efc3fd78

SHA256
23b36cbe0d774877af73bce1eb468db5026f8b4b5b83650baa6fb13beba3e9ac

SHA512
7dc2223c4a196d70744617411b0202ab64bcb1dd53aea90d7a71cb3d353b0fa708fdf8acb289c93cc742f77cfdba5aaee069adfcce91368457b8443899c075c8

Download Submit
memory/624-58-0x0000000000000000-mapping.dmp

Download
memory/624-61-0x0000000000850000-0x000000000085A000-memory.dmp

Filesize
40KB

Download
memory/1256-54-0x00000000010E0000-0x000000000117E000-memory.dmp

Filesize
632KB

Download
memory/1256-55-0x0000000075C61000-0x0000000075C63000-memory.dmp

Filesize
8KB

Download
memory/1256-56-0x0000000000500000-0x000000000050C000-memory.dmp

Filesize
48KB

Download