Overview

overview

10

Static

static

SWIFT REF.exe

windows7-x64

10

SWIFT REF.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    137s
  • max time network
    48s
  • platform
    windows7_x64
  • resource
    win7-20220901-en
  • resource tags

    arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
  • submitted
    01-12-2022 17:57

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    SWIFT REF.exe

  • Size

    1.1MB

  • MD5

    cb9bc8e2f918725b9d28925aa42cba1e

  • SHA1

    fedbd5f39e13a4dffe8b4d1e36d3c50bdf9f433b

  • SHA256

    f3a184f74b8326b79d5f99aa2a412b18fa50f89b55017f852b4e74713342eae2

  • SHA512

    8dea90cc898a04cb50b0760281e160838e35fc9ca22734ea66f0b2308bdecea6891eb278b47c6bbf3a35f0896ae86dfcb6467a3247f48afe3d9fb828275479bd

  • SSDEEP

    24576:REAojIr4A11gcBQqcsrF6NCg0fJACQU4I6bB589j:KAoMr4A115S5u6NT0fJAC14I6bQ

Score
10/10
neshtapersistencespyware

Malware Config

Signatures

  • Detect Neshta payload 6 IoCs
  • Modifies system executable filetype association 2 TTPs 1 IoCs
    persistence
  • Neshta

    Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.

    persistencespywareneshta
  • Loads dropped DLL 2 IoCs
  • Suspicious use of SetThreadContext 2 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 29 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\SWIFT REF.exe
    "C:\Users\Admin\AppData\Local\Temp\SWIFT REF.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2016
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\urrHTfW.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1700
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\urrHTfW" /XML "C:\Users\Admin\AppData\Local\Temp\tmpDD94.tmp"
      2⤵
      • Creates scheduled task(s)
      PID:1728
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Suspicious use of WriteProcessMemory
      PID:1520
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        3⤵
        • Modifies system executable filetype association
        • Loads dropped DLL
        • Drops file in Program Files directory
        • Drops file in Windows directory
        • Modifies registry class
        PID:1812

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1
T1053

Persistence

Change Default File Association

1
T1042

Scheduled Task

1
T1053

Privilege Escalation

Scheduled Task

1
T1053

Defense Evasion

Modify Registry

1
T1112

Credential Access

Discovery

System Information Discovery

1
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\tmpDD94.tmp
    Filesize

    1KB

    MD5

    03daad9d239327db0dcebdb7051174cd

    SHA1

    c78e7b3bb0963001d12642a1529d4bc0e6323d64

    SHA256

    8b3f83b6001f014cad603687c20187c2e31aab8b6a64c70a43739b8a5ce9b09e

    SHA512

    20ee2658d277a18367fb5e575fe928b482daaa7bac13a8bf3b289e3d74d1c74486039ca95271360852ebcb3751748eaf9d41e79a487afa6291734ce62fc1bf4d

    Download Submit
  • C:\Users\Admin\AppData\Roaming\urrHTfW.exe
    Filesize

    1.1MB

    MD5

    cb9bc8e2f918725b9d28925aa42cba1e

    SHA1

    fedbd5f39e13a4dffe8b4d1e36d3c50bdf9f433b

    SHA256

    f3a184f74b8326b79d5f99aa2a412b18fa50f89b55017f852b4e74713342eae2

    SHA512

    8dea90cc898a04cb50b0760281e160838e35fc9ca22734ea66f0b2308bdecea6891eb278b47c6bbf3a35f0896ae86dfcb6467a3247f48afe3d9fb828275479bd

    Download Submit
  • \PROGRA~2\Adobe\READER~1.0\Reader\LOGTRA~1.EXE
    Filesize

    252KB

    MD5

    9e2b9928c89a9d0da1d3e8f4bd96afa7

    SHA1

    ec66cda99f44b62470c6930e5afda061579cde35

    SHA256

    8899b4ed3446b7d55b54defbc1acb7c5392a4b3bc8ec2cdc7c31171708965043

    SHA512

    2ca5ad1d0e12a8049de885b90b7f56fe77c868e0d6dae4ec4b6f3bc0bf7b2e73295cc9b1328c2b45357ffb0d7804622ab3f91a56140b098e93b691032d508156

    Download Submit
  • \Users\Admin\AppData\Roaming\urrHTfW.exe
    Filesize

    1.1MB

    MD5

    cb9bc8e2f918725b9d28925aa42cba1e

    SHA1

    fedbd5f39e13a4dffe8b4d1e36d3c50bdf9f433b

    SHA256

    f3a184f74b8326b79d5f99aa2a412b18fa50f89b55017f852b4e74713342eae2

    SHA512

    8dea90cc898a04cb50b0760281e160838e35fc9ca22734ea66f0b2308bdecea6891eb278b47c6bbf3a35f0896ae86dfcb6467a3247f48afe3d9fb828275479bd

    Download Submit
  • memory/1520-79-0x00000000003E0000-0x00000000003EC000-memory.dmp
    Filesize

    48KB

    Download
  • memory/1520-69-0x0000000000400000-0x00000000004C4000-memory.dmp
    Filesize

    784KB

    Download
  • memory/1520-95-0x0000000004CE5000-0x0000000004CF6000-memory.dmp
    Filesize

    68KB

    Download
  • memory/1520-80-0x00000000060A0000-0x0000000006120000-memory.dmp
    Filesize

    512KB

    Download
  • memory/1520-81-0x0000000000C80000-0x0000000000CC8000-memory.dmp
    Filesize

    288KB

    Download
  • memory/1520-64-0x0000000000400000-0x00000000004C4000-memory.dmp
    Filesize

    784KB

    Download
  • memory/1520-65-0x0000000000400000-0x00000000004C4000-memory.dmp
    Filesize

    784KB

    Download
  • memory/1520-67-0x0000000000400000-0x00000000004C4000-memory.dmp
    Filesize

    784KB

    Download
  • memory/1520-68-0x0000000000400000-0x00000000004C4000-memory.dmp
    Filesize

    784KB

    Download
  • memory/1520-77-0x00000000004D0000-0x00000000004E8000-memory.dmp
    Filesize

    96KB

    Download
  • memory/1520-70-0x00000000004BE6FA-mapping.dmp
    Download
  • memory/1520-72-0x0000000000400000-0x00000000004C4000-memory.dmp
    Filesize

    784KB

    Download
  • memory/1520-74-0x0000000000400000-0x00000000004C4000-memory.dmp
    Filesize

    784KB

    Download
  • memory/1700-76-0x000000006E6D0000-0x000000006EC7B000-memory.dmp
    Filesize

    5.7MB

    Download
  • memory/1700-59-0x0000000000000000-mapping.dmp
    Download
  • memory/1700-78-0x000000006E6D0000-0x000000006EC7B000-memory.dmp
    Filesize

    5.7MB

    Download
  • memory/1728-60-0x0000000000000000-mapping.dmp
    Download
  • memory/1812-83-0x0000000000400000-0x000000000041B000-memory.dmp
    Filesize

    108KB

    Download
  • memory/1812-82-0x0000000000400000-0x000000000041B000-memory.dmp
    Filesize

    108KB

    Download
  • memory/1812-87-0x0000000000400000-0x000000000041B000-memory.dmp
    Filesize

    108KB

    Download
  • memory/1812-89-0x0000000000400000-0x000000000041B000-memory.dmp
    Filesize

    108KB

    Download
  • memory/1812-88-0x0000000000400000-0x000000000041B000-memory.dmp
    Filesize

    108KB

    Download
  • memory/1812-91-0x0000000000400000-0x000000000041B000-memory.dmp
    Filesize

    108KB

    Download
  • memory/1812-86-0x0000000000400000-0x000000000041B000-memory.dmp
    Filesize

    108KB

    Download
  • memory/1812-85-0x0000000000400000-0x000000000041B000-memory.dmp
    Filesize

    108KB

    Download
  • memory/1812-101-0x0000000000400000-0x000000000041B000-memory.dmp
    Filesize

    108KB

    Download
  • memory/1812-97-0x0000000000400000-0x000000000041B000-memory.dmp
    Filesize

    108KB

    Download
  • memory/1812-92-0x00000000004080E4-mapping.dmp
    Download
  • memory/1812-93-0x0000000000400000-0x000000000041B000-memory.dmp
    Filesize

    108KB

    Download
  • memory/1812-96-0x0000000000400000-0x000000000041B000-memory.dmp
    Filesize

    108KB

    Download
  • memory/2016-54-0x0000000000900000-0x0000000000A12000-memory.dmp
    Filesize

    1.1MB

    Download
  • memory/2016-58-0x00000000058C0000-0x00000000059B4000-memory.dmp
    Filesize

    976KB

    Download
  • memory/2016-57-0x0000000000510000-0x000000000051E000-memory.dmp
    Filesize

    56KB

    Download
  • memory/2016-56-0x0000000000220000-0x0000000000236000-memory.dmp
    Filesize

    88KB

    Download
  • memory/2016-55-0x0000000075A71000-0x0000000075A73000-memory.dmp
    Filesize

    8KB

    Download
  • memory/2016-63-0x0000000007FD0000-0x0000000008094000-memory.dmp
    Filesize

    784KB

    Download